In the last blog, we discussed the components that are used in hardware hacking, the discovery phase and how to pull information off a device leveraging a UART port and the Das U-Boot boot loader. However, in some cases we aren’t able to leverage interfaces, either because they were not built into the IoT device or the UART interface is not interactive. In these cases, all hope is not lost; we can leverage the Serial Peripheral Interface (SPI) to access the flash.
Attack
In Introduction to Hardware Hacking Part 1, we conducted discovery and found that the IoT device is using a Winbond W25Q16JV flash memory chip. We also found the data sheet for it: https://www.winbond.com/resource-files/w25q16jv%20spi%20revd%2008122016.pdf
This gave us the pin out for the chip. The dot on the corner denotes the first pin.
Now that we have information about the chip, we can check to see if Flashrom supports the model.
And luckily, it does support our chip.
Now, we will connect our Bus Pirate to the chip. The pin out will be:
Connecting the clips are the hardest part of this process. Next, we will use Flashrom to dump the flash.
First, let’s check to see if Flashrom can identify the chip.
sudo flashrom -p buspirate_spi:/dev/ttyUSB0
*Note: your device might not be USB0
There seems to be an issue identifying the chip. Because of this, we will need to remove the chip from the board.
Now, let’s try that again:
*Note: Connecting was not fun.
Great! Now, we will dump the flash.
sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c “W25Q16.V” -r dump.bin
Now, we can use binwalk to read and extract the items within the bin file.
Again, we should have a folder with any data that could be extracted by binwalk. In my experience, this does not always work. I tend to spend more time and get more value out of reviewing the string’s output.
As always, thanks for reading. Subscribe to our newsletter below to be notified when we publish future blog posts.