Leveraging UART, SPI and JTAG for firmware extraction

Back to the list of Speakers and Sessions
This workshop aims to teach methods to obtain a firmware running on a IOT device by probing the circuit board. Accessing flash memory using common protocols such as UART, SPI and JTAG will be covered

The classic firmware update procedure was to download the latest version from the manufacturer then upload it to your device which allowed easy access for inspection. In today's IOT devices, firmware may update itself directly using HTTPS. This allows for timely security updates but removes the end user access to the binary.

Fortunately, there are ways to extract a firmware from the flash chip on a circuit board using common protocols. In this workshop, we will learn:

  • how to disassemble a device
  • locate UART, SPI and JTAG ports
  • use a programmer to connect to them
  • how to read and write NOR and NAND flash memory
Participants should bring:

10 kits will be provided at the workshop to experiment with, come early.

Each kit contains:

  • 1 TPLink AC1200
  • 1 Bus Pirate
  • 1 Soic 8 pins clip
  • 1 NSEC 2018 badge
  • cables and connectors

TPLink WDR3600 or WDR4300 (similar models with UART, SPI and JTAG interfaces available)Adapter c232hm-ddhsl-0 or bus pirate recommended. Other similar adapters will also work.Linux computer recommended although other operating systems may be used if the attendee know how to install and operate the suggested software or similar software on his favorite operating system.

Participants must know or have:
  • Basic knowledge in electrical engineering is assumed. Attendees would have to know the concepts of voltage, current and resistance.
  • Previous experience with serial ports would be helpful although not required
  • The workshop would be given using a Linux computer. A Linux laptop is then suggested although the software used in the workshop (or similar) should work on other operating systems.
  • Experience with a regular serial port (UART) would be helpful

Marc-André Labonté ,

Marc-andre Labonte was a system administrator for more than a decade at the McGill Genome Center while it was known as the McGill University and Genome Quebec Innovation Center. There, he took part in the design, deployment, operation and maintenance of the data center as it went through multiple upgrade cycles to accommodate ever powerful high throughput genome sequencers coming to market.

Then, he joined the ETTIC team at Desjardins in 2016 as infrastructure penetration tester. Currently doing vulnerability research on IOT devices, he also presented "Automated contact tracing experiment on ESP Vroom32" workshop at NSEC in 2021. His work is motivated by curiosity and a strong sense of personal privacy in a world of connected devices and data hungry organizations.