{"id":592,"date":"2018-02-13T18:49:16","date_gmt":"2018-02-14T02:49:16","guid":{"rendered":"http:\/\/konukoii.com\/blog\/?p=592"},"modified":"2018-02-20T14:39:29","modified_gmt":"2018-02-20T22:39:29","slug":"lifting-firmware-with-the-bus-pirate","status":"publish","type":"post","link":"https:\/\/konukoii.com\/blog\/2018\/02\/13\/lifting-firmware-with-the-bus-pirate\/","title":{"rendered":"5-Min Tutorial: Lifting Firmware with the Bus Pirate"},"content":{"rendered":"<p>So lately I've been involved in a lot more hardware and IoT hacking than usual. Among the most interesting tools I got recently was the awesomely named \"<a href=\"http:\/\/dangerousprototypes.com\/docs\/Bus_Pirate\">Bus Pirate<\/a>\". It is a tool intended to help debug and communicate with hardware (via JTAG, SPI, I2C, UART, etc.). This short tutorial will show you how to lift the firmware from a TP-Link WR841N router using the Bus Pirate.<\/p>\n<h3>Opening the WR841N Router<\/h3>\n<p>We will need physical access to the <a href=\"https:\/\/en.wikipedia.org\/wiki\/EEPROM\">EEPROM<\/a> chip inside the router. This chip is a reprogrammable memory that holds the firmware (software) controlling the router's operation. 
In many cases you will find that this firmware contains a small version of Linux running a web server (the router web page that greets you when you browse to 192.168.0.1) and the other programs needed for your router to work properly. In other words, your router is just a small Linux box.<\/p>\n<p>On this specific router model you will want to peel off the two upper black plastic pegs (the ones closer to the antenna) to uncover two screws. Once you have unscrewed these, you can use a small knife or wedge to separate the top and bottom halves of the router's casing.<\/p>\n<p>Once you open it up, you will find the EEPROM chip in the top right corner. If you have any doubt about which chip it is, you can always google the labels printed on it. Since these are all off-the-shelf parts, you can quickly find datasheets online detailing their purpose and usage.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-599 size-large\" src=\"http:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp5_1_Moment-1024x403.jpg\" alt=\"TP-Link Underside - Konukoii\" width=\"1024\" height=\"403\" srcset=\"https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp5_1_Moment-1024x403.jpg 1024w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp5_1_Moment-300x118.jpg 300w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp5_1_Moment-768x302.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-600 size-large\" src=\"http:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp4-1024x768.jpg\" alt=\"TP-Link EEPROM - KonukoII\" width=\"1024\" height=\"768\" srcset=\"https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp4-1024x768.jpg 1024w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp4-300x225.jpg 300w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp4-768x576.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/p>\n<h3>Connecting the Bus Pirate<\/h3>\n<p>The first thing we need to find out is the pin-out for this specific EEPROM. If you look at the chip closely you will see it is labeled \"Winbond 25Q32FVS1G 1518\". We can quickly google the datasheet for this chip (<a href=\"http:\/\/www.buydisplay.com\/download\/manual\/W25Q128FV_Datasheet.pdf\">link<\/a>), which gives us the following pin-out diagram:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-607 size-large\" src=\"http:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/chip-1024x382.png\" alt=\"W25Q32.V Chip\" width=\"1024\" height=\"382\" srcset=\"https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/chip-1024x382.png 1024w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/chip-300x112.png 300w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/chip-768x287.png 768w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/chip.png 1241w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>You are looking to connect the EEPROM to the Bus Pirate like so:<\/p>\n<table style=\"height: 19px;\" width=\"660\">\n<tbody>\n<tr>\n<td><strong>Bus Pirate<\/strong><\/td>\n<td><strong>Flash Chip<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>CS<\/td>\n<td>#1 CS<\/td>\n<td>Chip Select<\/td>\n<\/tr>\n<tr>\n<td>MISO<\/td>\n<td>#2 DO (IO1)<\/td>\n<td>Master In, Slave Out<\/td>\n<\/tr>\n<tr>\n<td>3V3<\/td>\n<td>#3 WP (IO2)<\/td>\n<td>Write Protect<\/td>\n<\/tr>\n<tr>\n<td>GND<\/td>\n<td>#4 GND<\/td>\n<td>Ground<\/td>\n<\/tr>\n<tr>\n<td>MOSI<\/td>\n<td>#5 DI (IO0)<\/td>\n<td>Master Out, Slave In<\/td>\n<\/tr>\n<tr>\n<td>CLK<\/td>\n<td>#6 CLK<\/td>\n<td>SPI Clock<\/td>\n<\/tr>\n<tr>\n<td>3V3<\/td>\n<td>#7 HOLD (IO3)<\/td>\n<td>Hold<\/td>\n<\/tr>\n<tr>\n<td>3V3<\/td>\n<td>#8 VCC<\/td>\n<td>Supply<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The next tricky part is figuring out where to connect what. 
What I like doing is clipping the SPI clip onto the EEPROM and using the breakout board on the other end. Then I connect each pin to the corresponding pin on the Bus Pirate. If you are having problems figuring out which line is which, consider doing a <a href=\"http:\/\/en-us.fluke.com\/training\/training-library\/test-tools\/digital-multimeters\/How-to-test-for-continuity-with-a-digital-multimeter.html\">continuity test with a multimeter<\/a>.<\/p>\n<p>Here are some images to better explain my setup and how I worked out where each cable should be connected. Use the picture below to trace each line and find which one you are connecting where. Usually I use line #1 (the red line) as the \/CS line (the leg next to the little circle on the chip). Just go slow and make sure you are connecting each line to the proper place.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-614\" src=\"http:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp2-1024x768.jpg\" alt=\"Clip - KonukoII\" width=\"1024\" height=\"768\" srcset=\"https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp2-1024x768.jpg 1024w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp2-300x225.jpg 300w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp2-768x576.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-604\" src=\"http:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp3-1024x768.jpg\" alt=\"BusPirate Scheme\" width=\"1024\" height=\"768\" srcset=\"https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp3-1024x768.jpg 1024w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp3-300x225.jpg 300w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp3-768x576.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>Notice that pins 3, 7 and 8 all need to be hooked up to the 3V3 
port. I soldered three cables together like so:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-603 size-large\" src=\"http:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp1-1024x768.jpg\" alt=\"Triple Connector - KonukoII\" width=\"1024\" height=\"768\" srcset=\"https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp1-1024x768.jpg 1024w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp1-300x225.jpg 300w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp1-768x576.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>Believe it or not, you are done with the hardest part!<\/p>\n<h3>Lifting the Firmware<\/h3>\n<p><strong><em>Warnings: <\/em><\/strong><\/p>\n<ul>\n<li><strong><em>For whatever reason I couldn't get the Bus Pirate to work well when using it from a virtual machine (VBox), as it would hang during reading. <a href=\"https:\/\/brew.sh\/\">I ended up brew installing flashrom<\/a>.<\/em><\/strong><\/li>\n<li><em><strong>Don't connect the router to power. The Bus Pirate will provide the power.<\/strong><\/em><\/li>\n<li><em><strong>Since I used a Mac, the location of the Bus Pirate was \/dev\/tty.usbserial-A904055E, but on Linux this would be \/dev\/ttyUSB0. This could change depending on your system; just check \/dev\/ or lsusb for an idea of what it might be called.<\/strong><\/em><\/li>\n<\/ul>\n<p>At this point you should be able to run:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ flashrom -p buspirate_spi:dev=\/dev\/tty.usbserial-A904055E\r\n<\/pre>\n<p>This should automatically detect and display the chip name. Ultimately this didn't work for me, so instead I ran:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ flashrom -L\r\n... 
snip ...\r\nWinbond W25Q40.V PREW 512 SPI\r\nWinbond W25Q80.V PREW 1024 SPI\r\nWinbond W25Q16.V PREW 2048 SPI\r\nWinbond W25Q32.V PREW 4096 SPI\r\nWinbond W25Q64.V PREW 8192 SPI\r\nWinbond W25Q128.V PREW 16384 SPI\r\n... snip ...\r\n<\/pre>\n<p>This listed all the chips that the Bus Pirate can communicate with. In the list I quickly spotted the W25Q32.V, which is the one we are dealing with. Now when I ran the following command, specifying the chip, I could actually see that the chip had been found!<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ flashrom -p buspirate_spi:dev=\/dev\/tty.usbserial-A904055E -c W25Q32.V\r\nflashrom v0.9.9-r1955 on Darwin 17.2.0 (x86_64)\r\nflashrom is free software, get the source code at https:\/\/flashrom.org\r\n\r\nCalibrating delay loop... OK.\r\nBus Pirate firmware 6.1 and older does not support SPI speeds above 2 MHz. Limiting speed to 2 MHz.\r\nIt is recommended to upgrade to firmware 6.2 or newer.\r\nFound Winbond flash chip &quot;W25Q32.V&quot; (4096 kB, SPI) on buspirate_spi.\r\n\r\nNo operations were specified.\r\n<\/pre>\n<p>Lastly, to dump the firmware I simply ran the following command. Reading the whole flash takes a while, so feel free to go do something else in the meantime:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ flashrom -p buspirate_spi:dev=\/dev\/tty.usbserial-A904055E -c W25Q32.V -r firm.bin\r\nflashrom v0.9.9-r1955 on Darwin 17.2.0 (x86_64)\r\nflashrom is free software, get the source code at https:\/\/flashrom.org\r\n\r\nCalibrating delay loop... OK.\r\nBus Pirate firmware 6.1 and older does not support SPI speeds above 2 MHz. Limiting speed to 2 MHz.\r\nIt is recommended to upgrade to firmware 6.2 or newer.\r\nFound Winbond flash chip &quot;W25Q32.V&quot; (4096 kB, SPI) on buspirate_spi.\r\n\r\nReading flash... 
Done.\r\n<\/pre>\n<p>Now you should see firm.bin in your working directory!<\/p>\n<h3>Analyzing the Firmware<\/h3>\n<p>You can use a tool called binwalk (which you can apt-get on Linux or brew install on OSX) to automatically extract the contents of the firmware image.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n$ binwalk -e firm.bin\r\n<\/pre>\n<p>You will now find a folder called _firm.bin.extracted with a small Linux filesystem inside. Feel free to poke around!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-601 size-full\" src=\"http:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp6.png\" alt=\"Binwalk - KonukoII\" width=\"2880\" height=\"478\" srcset=\"https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp6.png 2880w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp6-300x50.png 300w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp6-768x127.png 768w, https:\/\/konukoii.com\/blog\/wp-content\/uploads\/2018\/02\/tp6-1024x170.png 1024w\" sizes=\"auto, (max-width: 2880px) 100vw, 2880px\" \/><\/p>\n<h3>Moving Forward...<\/h3>\n<p>This is only a very brief dip into hardware hacking. Extracting the firmware from a device is simply the first step. Afterwards we can start looking for secret keys, passwords, API keys, etc. We could also potentially modify the firmware with a backdoor and then re-install it on the device. I'll come back and post more on these subjects soon, but for now I hope this has been a helpful tutorial and, as always, feel free to contact me with any questions, comments or concerns. 
Keep on hacking!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So lately I've been involved on a lot more Hardware and IoT hacking than usual.&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/konukoii.com\/blog\/2018\/02\/13\/lifting-firmware-with-the-bus-pirate\/\">Read the post<span class=\"screen-reader-text\">5-Min Tutorial: Lifting Firmware with the Bus Pirate<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":610,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,3,121,32],"tags":[33,110,54,31,112,111,26],"class_list":["post-592","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compsci","category-compsec","category-hardware","category-tutorials","tag-5-min-tutorials","tag-bus-pirate","tag-hacking","tag-hardware","tag-spi","tag-tp-link-wr841n","tag-tutorial","excerpt","zoom","full-without-featured","even","excerpt-0"],"_links":{"self":[{"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/posts\/592","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/comments?post=592"}],"version-history":[{"count":17,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/posts\/592\/revisions"}],"predecessor-version":[{"id":684,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/posts\/592\/revisions\/684"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/media\/610"}],"wp:attachment":[{"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/media?parent=592"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
ps:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/categories?post=592"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/konukoii.com\/blog\/wp-json\/wp\/v2\/tags?post=592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}