How Read Ficm Firmware # Sct X4
JTAG is a concrete hardware interface that makes information technology possible, amidst other things, to extract the firmware image from electronic devices.
The firmware, a programme that executes in a defended way and with a specific purpose in a microcontroller or microprocessor, is usually stored in a persistent memory device like a NAND/NOR wink or EEPROM.
The extraction process involves reading and copying the firmware image stored in the device’s retentiveness to a file on your figurer. This procedure of extracting the firmware paradigm is besides chosen
Simply why extract the firmware from an electronic device?
Imagine an electronic device like a router, an IP camera or a hard disk.
Now imagine that you desire to understand ameliorate how the device works, merely you don’t have much information about information technology. Extracting and analyzing the firmware prototype tin be a feasible option to understand its performance.
You lot may want to meliorate or alter the behavior of the device. Without admission to the source lawmaking, i possibility is to excerpt the firmware to brand the necessary changes and so update the device.
What if you forgot your credentials and lost access to the device? One possibility to regain access is to extract and alter the firmware image.
If yous are a security researcher, yous may want to extract the firmware of the device to look for vulnerabilities in the software.
And what if the device is very old and is no longer being manufactured or sold by the vendor? Yous may want to clone it, and extracting the firmware image will be essential in this process.
Every bit nosotros can see, there are many situations that can motivate us to excerpt the firmware from an electronic device. Fifty-fifty if it’south just for fun!
Several techniques tin can exist used to extract the firmware from an electronic device.
Merely before you first, make certain the firmware image is not available on the manufacturer’s website. Many device manufacturers such every bit routers and cameras publish updated firmware images on their websites, so that customers can download and update the device. In this example, the effort to extract the firmware is naught!
With physical admission to the device, a technique for extracting the firmware is to directly read the device’south storage memory. Nosotros can identify and remove the memory bit from the board, solder it on another lath and excerpt the firmware. It works, simply can be quite painful and peradventure a piddling risky (at that place is a possibility of burning the memory scrap during the extraction process).
A less risky technique is to but read the device’due south storage retentivity through a connectedness to the bootloader or operating system of the device.
For example, with access to the bootloader (via a serial connection), we can effort to read the device’s memory and send the information to our machine. Likewise, with access to a command line terminal in the operating system (series, ssh, etc.) and with privileges, nosotros tin can endeavor to dump the storage memory of the device and transport it to our machine.
Equally we can encounter, different techniques tin can be used to extract the firmware from a device, depending on the situation.
And if none of these techniques are viable, the JTAG interface may be a expert option!
What is the JTAG interface?
In the past, tests on PCBs (Printed Circuit Boards) were done through a system chosen
In this system, the PCB was designed with several test points to exist connected to a test board. And this test lath performed several checks on the connections and electronic components of the board.
As the complexity of a PCB increased, information technology started to get difficult and complicated to design a bed-of-nails for it.
And then some debug and test interfaces integrated into the chips (processor, microcontroller, SoC, FPGA, etc.) started to appear.
Over fourth dimension, JTAG has become one of the about popular interfaces to test electronic circuits, getting other features similar debugging and called-for flash devices.
Currently, this interface is bachelor in most processors and microcontrollers of dissimilar architectures such as ARM, x86, MIPS and PowerPC.
How does the JTAG interface work?
Although there are some variations of the standard, the JTAG interface is commonly implemented by the chip manufacturer via four mandatory pins (TDI,
TMS) and one optional pin (TRST):
(Test Data In): data input.
(Test Data Out): data output.
(Test Clock): clock whose maximum frequency depends on the chip (usually from 10MHz to 100MHz).
(Test Mode Select): pin to control the JTAG land machine.
(Examination Reset): optional pin to reset the JTAG state machine.
The pins of the JTAG interface are internally connected to the chip through a module chosen TAP (Test Access Port).
The TAP interface implements the basic JTAG communication protocol, and several TAPs tin can be connected simultaneously in a daisy concatenation architecture.
The TAP interface implements a finite state machine (16 states) that allows admission to a group of registers (IR,
DR) to instrument the chip. The command of this state car is done through the pins
TCK. Through this land machine, it is possible to select an operation via the
annals (Instruction Register) and laissez passer parameters or bank check the outcome via the
register (Information Register).
The size of the
register and the number of instructions supported is divers past the chip manufacturer. For example, a v-bit
register will support upward to 32 instructions.
Each instruction has its own
(Data Register), which has a variable size. Three instructions are defined by the JTAG standard and must exist implemented past the manufacturer (Bypass,
SAMPLE/PRELOAD). Other instructions are optional, but are as well usually implemented (eg,
Featherbed: instruction that selects a one-bit register that rotates from
TDO, very useful for testing the JTAG interface.
EXTEST: didactics that selects the
(Purlieus Browse Register) to read and change the state of the pins.
SAMPLE/PRELOAD: instruction that selects the
register (Purlieus Scan Register) to read the status of the pins.
- IDCODE: pedagogy that selects the device ID annals (32 bits) that contains the chip ID.
In improver to the instructions defined by the standard, the chip manufacturer tin implement other instructions as needed. In this mode, many manufacturers extend the JTAG interface with debugging and retentivity access functions (eg:
Information well-nigh supported JTAG instructions and the pins on a flake is usually documented in a file called
(Boundary Scan Description Linguistic communication), a subset of VHDL (VHSIC Hardware Clarification Linguistic communication).
For case, here’s a curt excerpt from the STM32F1 BSDL
available on the ST website. Every bit nosotros tin come across in the line 29, the JTAG interface of this microcontroller supports up to 32 instructions (v $.25).
At present that we know a little bit about the JTAG interface, what tin we do with information technology?
The JTAG interface in do
With JTAG we can control the execution of the firmware (stop the execution, inspect the memory, configure breakpoints, execute the code step-by-step, etc). Nosotros can too audit the state of the processor and its registers, read and write to memory and admission whatever I/O device connected to the processor.
Through a feature called
Boundary Scan, the JTAG interface allows access to all the pins of the chip! In this style, we tin individually read and write to each pin, and consequently dispense the peripherals continued to the processor/microcontroller (GPIO, retentivity, flash, etc).
In practice, with the JTAG interface we tin:
- Identify information about the hardware (processor, memory, etc).
- Dump RAM and gain access to sensitive data such as passwords and cryptographic keys.
- Change the behavior of programs at run fourth dimension to obtain privileged access to the system.
- Capture sensitive data from hardware devices, such equally information stored in an EEPROM.
- Activate peripherals and modify their behavior, such as setting or resetting an I/O pin.
- And of form, dump the wink retentiveness to excerpt the firmware of the device!
As nosotros can see, the JTAG interface is perfect for inspecting the execution of the firmware, discover vulnerabilities and exploit the device.
Simply if the JTAG interface is so insecure, why don’t many hardware manufacturers remove or disable the admission to it?
Considering the JTAG interface is very convenient for the development and production of the hardware! Developers use the JTAG interface to debug the firmware running on the device. Also, the JTAG interface is used every bit a tool for programming and testing the device in production.
However, some manufacturers may adopt countermeasures to make it difficult to utilise the JTAG interface in the terminal product, including:
- Obfuscation (cutting tracks, removing resistors, etc).
- Reconfiguration of the JTAG pins in software.
- Encryption and signature validation of the firmware image.
Other manufacturers go further and completely disable the JTAG interface through some fuses (internal $.25 of the bit that, in one case programmed, can no longer exist changed).
Yet, information technology is still possible to re-enable the JTAG interface with techniques such every bit a
silicon die attack.
Afterwards all, security is always a affair of how much time, knowledge and resource yous accept, right?
Now let’s go down to business organisation!
These are the four main steps to extract the firmware from a device using JTAG:
- Identify the JTAG connectedness pins.
- Test the connection with a JTAG adapter.
- Get together information nearly the memory mapping of the flake.
- Extract the firmware from the flash retentivity.
While explaining the process, I will provide a real example, extracting the firmware of the
Footstep one: Identify the JTAG pins
Finding the JTAG interface signals and their pinout can be quite laborious! That’due south because the device manufacturer can hibernate, obfuscate or disable the JTAG interface.
But before you start, practice some research. Possibly someone else has already identified the JTAG interface of your device and published on the Internet.
If y’all can’t find anything on the Internet, accept the board of your device and expect for a group of pins together and not populated through visual inspection. The pins of the JTAG interface may be hidden nether some other component like a capacitor or a battery. Pay attention to the unlike standards of JTAG connectors (2×10, 2×8, 2×7, 2×5, etc).
Download the datasheet of the processor to identify the JTAG pins and exam with a multimeter, oscilloscope or logic analyzer. A brute-strength tool like
can also be very useful!
Sometimes the JTAG interface is quite axiomatic and documented on the Internet, like that of the WRT54G router:
Merely sometimes information technology’s not that obvious, similar the JTAG interface of this Western Digital hard bulldoze:
Therefore, the process of identifying the JTAG interface tin can accept some time and will require a lot of patience!
Step ii: Examination the JTAG connection
With the JTAG pins identified, we can offset the communication procedure with the JTAG interface. For that, we basically need two components: a JTAG adapter and a JTAG communication software.
The JTAG adapter is responsible for the concrete communication with the device through the JTAG interface, usually connecting to the PC via a USB interface.
The JTAG communication software is responsible for communicating with the JTAG interface through the JTAG adapter.
There are several JTAG adapters bachelor on the market, some quite expensive for professional use and others more accessible, some of which are open hardware:
- SEGGER J-Link
- Keil ULINK
- Motorbus Blaster
- Motorcoach Pirate
- Black Magic Probe
In my tests, I am using
Flyswatter from Tin can Tin can Tools. This is my setup:
To communicate with the JTAG interface, there are several software options, many of which are proprietary. Amongst the open source tools, we have
(Open On-Chip Debugger) is an open source tool for communicating with JTAG interfaces. The project has been around for many years, connects easily to GDB and has a very comprehensive support of JTAG adapters and hardware devices.
is a newer tool, simpler but with a more than friendly interface.
In my tests, I volition utilise UrJTAG, which can be hands installed in a Debian-based distribution:
$ sudo apt install -y urjtag $ jtag UrJTAG 0.x #2007 Copyright (C) 2002, 2003 ETC s.r.o. Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors UrJTAG is gratuitous software, covered past the GNU General Public License, and y'all are welcome to alter it and/or distribute copies of information technology under certain conditions. There is admittedly no warranty for UrJTAG. warning: UrJTAG may impairment your hardware! Type "quit" to exit, "help" for help. jtag>
With the JTAG adapter connected to the WRT54G, we tin can use UrJTAG to exam communication with the JTAG interface and extract the device ID using the
instruction (this ID is a unique number assigned by
to each chip model manufactured in the globe).
Every bit we can encounter in the output below (line 7), the device ID of the WRT54G bit is 0x0535217F.
Pace 3: Identify information about flash retentiveness
The next footstep is to analyze the memory address space of the bit to identify the device’s flash retentivity initial address and size.
Visual inspection tin can help to identify the flash memory chip. Searching the Net for information almost the hardware platform or products with similar hardware tin can besides aid, too as the documentation of the chip (SoC, processor, etc).
If you take access to a control line concluding on the device, look in the bootloader or the operating system logs for whatever message regarding the model and address infinite of the flash memory.
Sometimes information technology is necessary to apply some trial and error method or brute force to place the accost of the device’s flash retentivity.
In my case, as I am using a MIPS based router, I tin endeavor the
(a MIPS extension of the JTAG protocol) to place the retentiveness mapping of the chip. From the output beneath, we tin can see that the flash address of the device is 0x1FC00000 (line 19).
With this address, we can employ the
control to collect information about flash memory. From the output below (line nineteen), we can run across that the flash retention size is 4M:
Now we have all we need (flash retentiveness start address and size) to extract the firmware from the device.
To extract the firmware, we just need to use the JTAG communication software to read the memory range identified in the previous footstep and salvage the data to a file.
Depending on the size of the flash memory and the communication speed of the JTAG interface, the process can have several minutes!
With the UrJTAG tool, we can dump the wink retention’s content using the
jtag> readmem 0x1fc00000 0x400000 flash.bin address: 0x1FC00000 length: 0x00400000 reading: addr: 0x20000000 Done.
Later on several minutes, we will have the firmware image extracted from the wink retention of the device!
$ ls -lh flash.bin -rw-r--r-- 1 sprado sprado 4,0M fev 18 22:12 flash.bin
Now nosotros can
analyze the firmware image of the router with binwalk:
$ binwalk --signature wink.bin DECIMAL HEXADECIMAL Clarification -------------------------------------------------------------------------------- 211412 0x339D4 Copyright cord: "Copyright (C) 2000,2001,2002,2003 Broadcom Corporation." 234095 0x3926F Copyright cord: "Copyright 1995-1998 Mark Adler " 239104 0x3A600 CRC32 polynomial tabular array, lilliputian endian 262144 0x40000 TRX firmware header, niggling endian, image size: 3211264 bytes, CRC32: 0xA293EEE4, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x904, rootfs offset: 0x84800 262172 0x4001C gzip compressed information, maximum compression, from Unix, terminal modified: 1970-01-01 00:00:00 (cipher appointment) 264452 0x40904 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: -one bytes 804864 0xC4800 Squashfs filesystem, niggling endian, version 3.0, size: 2604183 bytes, 692 inodes, blocksize: 65536 bytes, created: 2011-04-04 xi:37:ten 3473408 0x350000 JFFS2 filesystem, little endian 3604480 0x370000 JFFS2 filesystem, little endian 4001816 0x3D1018 Zlib compressed data, compressed 4002248 0x3D11C8 JFFS2 filesystem, piffling endian 4004760 0x3D1B98 Zlib compressed data, compressed 4005968 0x3D2050 JFFS2 filesystem, little endian 4006772 0x3D2374 Zlib compressed data, compressed 4007356 0x3D25BC Zlib compressed data, compressed 4008168 0x3D28E8 Zlib compressed data, compressed 4009192 0x3D2CE8 Zlib compressed information, compressed 4010552 0x3D3238 Zlib compressed data, compressed 4012236 0x3D38CC JFFS2 filesystem, little endian 4014352 0x3D4110 Zlib compressed data, compressed 4014516 0x3D41B4 JFFS2 filesystem, piddling endian 4015916 0x3D472C Zlib compressed data, compressed 4016672 0x3D4A20 JFFS2 filesystem, footling endian 4038596 0x3D9FC4 JFFS2 filesystem, little endian 4062896 0x3DFEB0 Zlib compressed data, compressed 4063232 0x3E0000 JFFS2 filesystem, little endian
And excerpt the file organization from the paradigm!
$ binwalk --extract --tranquillity flash.bin $ ls _flash.bin.extracted/squashfs-root/ bin boot dev etc jffs lib mnt proc README rom root sbin sys tmp usr var www $ cat _flash.bin.extracted/squashfs-root/etc/passwd root:$1$OZ1ejEbc$IgmRrZz5/bpm8FSTAbTGl1:0:0:root:/root:/bin/ash back up:$1$KhtjZGTI$BhXbTLJ4IwtdqFKbpsa2J0:100:100:support:/tmp:/bin/ash nobody:*:65534:65534:nobody:/var:/bin/false
The JTAG interface is a fantastic tool for doing security research on electronic devices, and today several open up, popular and inexpensive JTAG adapters can facilitate the procedure, requiring but a little knowledge and a lot of free time. Fun is guaranteed!
Delight electronic mail your comments to sergio at embeddedbits.org or
sign up the newsletter
to receive updates.