
Extract firmware from flash memory

To analyse a device's firmware, you first need a copy of it. If you're lucky, the manufacturer has made the firmware available for download. If it isn't available, or if you don't trust that what's on the website is what's actually on your device, you can extract it from the flash memory chip itself. This post walks through extracting the firmware from flash memory on a D-Link DCS-932L internet-enabled security camera.

Locating the flash memory chip

An IoT device such as my security camera typically has a number of chips, each with a specific purpose. After I opened my camera, I found this:

D-Link DCS-932L PCB and chips

This device contains:

  1. Ralink RT5350F System on Chip (SoC). This is the CPU plus various network functions (ethernet, USB, wireless).
  2. ESMT M12L2561616A SDRAM. This is the working RAM.
  3. Macronix MX25L3205D SPI NOR flash, 32 Mbit (4 MB). The firmware is here.

At power-on the SoC runs the bootloader stored in the flash, which copies the kernel from flash into the working RAM and starts the operating system.

The flash memory chip is SOP-8 form factor – 8 pins, 1.27mm pitch. I have limited soldering abilities so I could not confidently work with a chip this small. Ideally I want to work with the chip without removing it from the board.

SOP-8 test clip

You can work with the flash memory chip without removing it from the board by attaching an SOP-8 test clip. This fits over the legs of the chip and makes electrical contact with each pin, so you can talk to the chip while it is still soldered to the board. Keep the camera unpowered while you do this: the programmer feeds 3.3 V into the chip through the clip, and if the SoC also comes up and drives the SPI lines the read will fail or return corrupted data. If the chip is not detected, check that the clip is seated properly and that pin 1 (marked by the dot on the package) lines up with pin 1 on the programmer.

SOP-8 test clip attached to the flash chip

You have the option of bit-banging the SPI signals to the chip yourself or attaching it to a programmer board and interfacing via USB. The latter is far easier, but if you're interested in accessing these chips at a low level, Ben Eater demonstrated the technique with a TV Guardian device from the 1980s in a very informative and accessible video.

I don’t want to read the data sheet for this or program my own interface so I’m using the programmer over USB.

Extract the firmware from flash memory via USB programmer

You can connect the flash chip to a laptop with the USB programmer.

Setup to extract firmware from flash memory. The setup includes the device being tested with the test clip attached to the flash chip. This attaches to a programmer USB board and is connected to a laptop.

Then access the contents of the Flash ROM using flashrom:

sudo flashrom --programmer ch341a_spi -r flashrom.bin

This reads the chip through the attached CH341A programmer and writes its contents to a file called flashrom.bin. flashrom identifies the chip from its JEDEC ID, but several Macronix parts share this ID, so it lists the matching chip definitions and asks you to choose one:

Found Macronix flash chip "MX25L3205(A)" (4096 kB, SPI) on ch341a_spi.
Found Macronix flash chip "MX25L3205D/MX25L3208D" (4096 kB, SPI) on ch341a_spi.
Found Macronix flash chip "MX25L3206E/MX25L3208E" (4096 kB, SPI) on ch341a_spi.
Found Macronix flash chip "MX25L3273E" (4096 kB, SPI) on ch341a_spi.
Multiple flash chip definitions match the detected chip(s): "MX25L3205(A)", "MX25L3205D/MX25L3208D", "MX25L3206E/MX25L3208E", "MX25L3273E"
Please specify which chip definition to use with the -c <chipname> option.

The -c option selects which chip definition to use; the name must match one of the listed definitions exactly. Mine is the MX25L3205D, so I use the MX25L3205D/MX25L3208D definition:

sudo flashrom --programmer ch341a_spi -c "MX25L3205D/MX25L3208D" -r flashrom.bin

This takes around a minute to run and gives me a 4194304 byte (4 MB) file, matching the 4096 kB capacity flashrom reported. It is worth reading the chip a second time and confirming the two dumps are identical before going any further: a marginal clip contact tends to show up as a handful of differing bytes rather than an outright failure.
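The checks described above, as an added example that is not part of the original post: it verifies a dump's size against the 4096 kB capacity flashrom reported for the MX25L3205D, rejects all-0xFF or all-0x00 reads (erased chip, or the clip not making contact), and counts the bytes that differ between two reads of the same chip. The sample dumps it builds are constructed test data, not real camera firmware.

```python
# Added example (not from the original post): sanity checks to run on a
# flashrom dump before unpacking it. Assumes the 4096 kB capacity that
# flashrom reported for the MX25L3205D; the dumps built below are
# constructed test data, not real camera firmware.
import hashlib
import random
from typing import Optional

MX25L3205D_BYTES = 4096 * 1024  # 4194304, the size flashrom produced


def sha256(dump: bytes) -> str:
    """Hex digest to record next to the dump, so later reads can be compared."""
    return hashlib.sha256(dump).hexdigest()


def check_dump(dump: bytes, second_read: Optional[bytes] = None,
               expected_size: int = MX25L3205D_BYTES) -> list[str]:
    """Return the problems found with a dump; an empty list means it looks sane."""
    problems = []
    if len(dump) != expected_size:
        problems.append(f"size {len(dump)} does not match chip capacity {expected_size}")
    if dump.count(0xFF) == len(dump):
        problems.append("all 0xFF: erased chip, or the clip is not making contact")
    if dump.count(0x00) == len(dump):
        problems.append("all 0x00: the read returned no data")
    if second_read is not None and second_read != dump:
        if len(second_read) != len(dump):
            problems.append("second read has a different length")
        else:
            # XOR the two dumps as big integers; every non-zero byte of the
            # result marks a position where the reads disagree.
            x = int.from_bytes(dump, "big") ^ int.from_bytes(second_read, "big")
            differing = len(dump) - x.to_bytes(len(dump), "big").count(0)
            problems.append(f"second read differs in {differing} byte(s): "
                            "unstable clip contact or the SoC driving the SPI bus")
    return problems


def build_sample_dumps() -> dict[str, bytes]:
    """Constructed dumps: a plausible full read, a blank read and a truncated one."""
    rng = random.Random(0x5350)  # fixed seed so the test data is reproducible
    good = rng.randbytes(MX25L3205D_BYTES)
    return {"good": good, "blank": b"\xff" * MX25L3205D_BYTES, "short": good[:1024]}


if __name__ == "__main__":
    # Usage: python check_dump.py flashrom.bin [flashrom-second-read.bin]
    import sys
    reads = [open(p, "rb").read() for p in sys.argv[1:3]]
    print("sha256:", sha256(reads[0]))
    print("\n".join(check_dump(*reads)) or "dump looks sane")
```

The byte-difference count is the useful number: a single differing byte between two reads is a contact problem and the chip should be read again, whereas two identical reads of the expected size are good enough to unpack.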

Unpack the firmware with binwalk

The 4 MB bin file is a raw image of the whole chip: bootloader, kernel and filesystem sit at fixed offsets with no container format around them. Fortunately, binwalk scans a binary file for the signatures of known file formats and can carve them out.

binwalk -e flashrom.bin

This finds an LZMA-compressed stream at offset 0x50040 in the image. The -e (for extract) option writes it out, under a directory named _flashrom.bin.extracted, as a file named 50040. You could then run binwalk -e on 50040 to extract its contents, and so on. It is usually easier to use binwalk's recursive option (-M, --matryoshka):

binwalk -eM flashrom.bin

This unpacks recursively down to a directory named cpio-root that contains the device filesystem:

ls -l cpio-root
(screenshot: directory listing of the extracted root filesystem)
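To show what binwalk is doing when it reports the LZMA stream at 0x50040, here is an added example that is not binwalk's code and not from the original post: a small carver that scans an image for LZMA "alone" headers the way binwalk's signature does, decompresses each hit to discard false positives, and also parses and CRC-checks U-Boot uImage headers. It runs on a constructed image. The assumption (not stated in the post) is that the real stream sits 64 bytes after a uImage header at 0x50000, 64 bytes being exactly the size of that header; the kernel stand-in, load addresses and image name in the sample are made up.

```python
# Added example (not binwalk's code and not from the original post): carve
# LZMA streams and uImage headers out of a flash image. The image built here
# is constructed test data; the uImage-at-0x50000 layout is an assumption.
import lzma
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_FMT = ">IIIIIIIBBBB32s"           # 64-byte big-endian legacy uImage header
UIMAGE_LEN = struct.calcsize(UIMAGE_FMT)  # 64 == 0x40
HEADER_OFFSET = 0x50000                   # hypothetical placement in the sample
PAYLOAD = b"constructed stand-in for a MIPS kernel image\n" * 2000  # not real firmware


def build_sample_image(size: int = 0x80000) -> tuple[bytes, bytes]:
    """Constructed flash image: 0xFF fill with one uImage wrapping an LZMA stream."""
    comp = lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE)  # classic 13-byte .lzma header
    fields = [UIMAGE_MAGIC, 0, 0, len(comp), 0x80000000, 0x80000000, zlib.crc32(comp),
              5, 5, 2, 3, b"Linux Kernel Image"]  # os=Linux arch=MIPS type=kernel comp=lzma
    hdr = bytearray(struct.pack(UIMAGE_FMT, *fields))
    struct.pack_into(">I", hdr, 4, zlib.crc32(hdr))  # header CRC is taken with ih_hcrc = 0
    img = bytearray(b"\xff" * size)
    img[HEADER_OFFSET:HEADER_OFFSET + UIMAGE_LEN] = hdr
    img[HEADER_OFFSET + UIMAGE_LEN:HEADER_OFFSET + UIMAGE_LEN + len(comp)] = comp
    return bytes(img), PAYLOAD


def find_uimage_headers(img: bytes) -> list[dict]:
    """Locate uImage headers by magic and verify the header and data CRCs."""
    found, magic = [], struct.pack(">I", UIMAGE_MAGIC)
    off = img.find(magic)
    while off != -1 and off + UIMAGE_LEN <= len(img):
        f = struct.unpack_from(UIMAGE_FMT, img, off)
        hdr = bytearray(img[off:off + UIMAGE_LEN])
        struct.pack_into(">I", hdr, 4, 0)               # zero ih_hcrc before checking
        data = img[off + UIMAGE_LEN:off + UIMAGE_LEN + f[3]]
        found.append({"offset": off, "size": f[3], "name": f[11].rstrip(b"\0").decode(),
                      "hcrc_ok": zlib.crc32(hdr) == f[1], "dcrc_ok": zlib.crc32(data) == f[6]})
        off = img.find(magic, off + 1)
    return found


def _plausible_lzma_header(h: bytes) -> bool:
    """The checks binwalk's lzma signature makes: props byte, dict size, size field."""
    props, dict_size, usize = struct.unpack("<BIQ", h)
    if props >= 225 or dict_size < 4096:
        return False
    n = dict_size.bit_length() - 1                     # dict must be 2^n or 2^n + 2^(n-1)
    if dict_size not in (1 << n, (1 << n) + (1 << (n - 1))):
        return False
    return usize == 0xFFFFFFFFFFFFFFFF or 0 < usize <= 64 * 1024 * 1024


def find_lzma_streams(img: bytes) -> list[tuple[int, int, bytes]]:
    """Carve every decodable LZMA 'alone' stream as (offset, compressed_len, data)."""
    streams = []
    off = img.find(b"\x5d")  # 0x5d = lc=3, lp=0, pb=2, the props byte nearly every encoder uses
    while off != -1:
        if off + 13 <= len(img) and _plausible_lzma_header(img[off:off + 13]):
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
            try:
                out = dec.decompress(img[off:])
            except lzma.LZMAError:                     # signature hit that does not decode
                out = None
            if out is not None and dec.eof:
                clen = len(img) - off - len(dec.unused_data)
                streams.append((off, clen, out))
                off = img.find(b"\x5d", off + clen)    # resume after the carved stream
                continue
        off = img.find(b"\x5d", off + 1)
    return streams


if __name__ == "__main__":
    # Usage: python carve.py flashrom.bin   (no argument: scan the constructed image)
    import sys
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()[0]
    for h in find_uimage_headers(img):
        print(f"uImage {h['name']!r} at 0x{h['offset']:x}, {h['size']} bytes, "
              f"crc ok={h['hcrc_ok'] and h['dcrc_ok']}")
    for off, clen, data in find_lzma_streams(img):
        print(f"LZMA at 0x{off:x}: {clen} compressed -> {len(data)} bytes")
```

Decompressing each candidate is what separates a real stream from a stray 0x5D byte, and the decompressor's unused_data gives the compressed length, which is what you need to know where the next region starts. To check the uImage assumption against the real dump, run plain binwalk flashrom.bin (without -e): it lists every signature it finds, and a uImage header signature at 0x50000 would account for the 0x40 gap before the LZMA stream.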

There is other material in the image, including the bootloader and the 'Emergency Room' recovery application, but the device filesystem is usually what we want first. It contains plenty of useful material: the /etc/passwd and /etc/shadow files, configuration files and their defaults, and the installed applications.

In the next post we’ll look at how we can use information from the firmware to access a root shell on the device.

Published in hardware

One Comment

  1. […] the first part of a teardown of a D-Link DCS-932L internet enabled security camera, I looked at extracting firmware from flash memory. In this second part, I look at connecting to UART and using the root shell to have a rummage about […]
