Main Content

Extracting firmware from devices using JTAG

JTAG is a physical hardware interface that makes it possible, among other things, to extract the firmware image from electronic devices.

The firmware, a program that executes in a dedicated way and with a specific purpose in a microcontroller or microprocessor, is usually stored in a persistent memory device like a NAND/NOR flash or EEPROM.

The extraction process involves reading and copying the firmware image stored in the device’s memory to a file on your computer. This process of extracting the firmware image is also called dumping or snarfing.

But why extract the firmware from an electronic device?

Imagine an electronic device like a router, an IP camera or a hard disk.

Now imagine that you want to understand better how the device works, but you don’t have much information about it. Extracting and analyzing the firmware image can be a viable option to understand its operation.

You may want to improve or change the behavior of the device. Without access to the source code, one possibility is to extract the firmware to make the necessary changes and then update the device.

What if you forgot your credentials and lost access to the device? One possibility to regain access is to extract and change the firmware image.

If you are a security researcher, you may want to extract the firmware of the device to look for vulnerabilities in the software.

And what if the device is very old and is no longer being manufactured or sold by the vendor? You may want to clone it, and extracting the firmware image will be essential in this process.

As we can see, there are many situations that can motivate us to extract the firmware from an electronic device. Even if it’s just for fun!

Firmware extraction techniques
Several techniques can be used to extract the firmware from an electronic device.

But before you start, make sure the firmware image is not available on the manufacturer’s website. Many device manufacturers such as routers and cameras publish updated firmware images on their websites, so that customers can download and update the device. In this case, the effort to extract the firmware is zero!

With physical access to the device, a technique for extracting the firmware is to directly read the device’s storage memory. We can identify and remove the memory chip from the board, solder it on another board and extract the firmware. It works, but can be quite painful and maybe a little risky (there is a possibility of burning the memory chip during the extraction process).

A less risky technique is to simply read the device’s storage memory through a connection to the bootloader or operating system of the device.

For example, with access to the bootloader (via a serial connection), we can try to read the device’s memory and send the data to our machine. Likewise, with access to a command line terminal in the operating system (serial, ssh, etc.) and with privileges, we can try to dump the storage memory of the device and send it to our machine.

As we can see, different techniques can be used to extract the firmware from a device, depending on the situation.

And if none of these techniques are viable, the JTAG interface may be a good option!”

Link to article