Extracting firmware from a Winbond SPI EEPROM

I got my hands on a newly acquired used router and I was curious to see what was on the firmware. This was also a good opportunity to learn a bit more about hardware hacking and play with my Bus Pirate. Feel free to correct any of my mistakes, as I consider myself a newbie with capital letters when it comes to hardware hacking.

So the first step was opening the router and identifying what I was up against.

This was a Winbond 25Q128JVFQ serial flash memory. With the help of Google I found its data sheet here.

The most important parts of the data sheet are shown below.

(data sheet excerpt images)

The next step was to connect the chip to the Bus Pirate and try to dump the firmware. I won't go into detail on what each part does, as there are plenty of tutorials online, but in my case the following six pins needed to be connected:

  • VCC – Power
    • Chip pin 2 -> Bus Pirate 3.3V
  • GND – Ground
    • Chip pin 10 -> Bus Pirate GND
  • MISO – Data from the slave (the flash chip) to the master (the Bus Pirate)
    • Chip pin 8 -> Bus Pirate MISO
  • MOSI – Data from the master to the slave
    • Chip pin 15 -> Bus Pirate MOSI
  • SCLK – Clock signal
    • Chip pin 16 -> Bus Pirate SCLK
  • CS – Chip (slave) select
    • Chip pin 7 -> Bus Pirate CS

With the connections made, it was time to test whether the Bus Pirate could communicate with the chip. I used flashrom for this, and it identified the chip correctly.

Then it was a matter of dumping the firmware, which took about 30 minutes.

I transferred the firmware file to my IoT VM for further analysis. The first thing I did was run binwalk on the file; it found that the image contained a SquashFS filesystem, which I extracted with binwalk -e.

We can verify that this is a SquashFS filesystem by printing its superblock with unsquashfs -s.
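As an added example (not code from the original post), here is a small Python script that performs the two checks worth doing before trusting a dump and the offsets binwalk reports: that the file is the full 16 MiB a 128 Mbit W25Q128 part holds, and that a "hsqs" hit is really a SquashFS v4 superblock rather than a stray byte run. It reads the same superblock fields that unsquashfs -s prints. The image it scans is constructed inline for the test and is not the router's firmware.

```python
import struct

SB_FMT = "5I6H8Q"                       # 96-byte SquashFS v4 superblock layout
SB_SIZE = struct.calcsize("<" + SB_FMT)
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
MAGICS = {b"hsqs": "<", b"sqsh": ">"}   # little-endian vs big-endian images
W25Q128_BYTES = 128 * 1024 * 1024 // 8  # 128 Mbit part = 16 MiB

def parse_superblock(buf, offset):
    """Return the superblock at offset as a dict, or None if it is not plausible."""
    endian = MAGICS.get(buf[offset:offset + 4])
    if endian is None or offset + SB_SIZE > len(buf):
        return None
    f = struct.unpack_from(endian + SB_FMT, buf, offset)
    inodes, block_size, fragments, comp, block_log = f[1], f[3], f[4], f[5], f[6]
    no_ids, major, minor, bytes_used = f[8], f[9], f[10], f[12]
    # Consistency checks weed out random 'hsqs' byte runs that a bare grep would report.
    if major != 4 or comp not in COMPRESSORS or not 12 <= block_log <= 20:
        return None
    if block_size != 1 << block_log or bytes_used == 0 or offset + bytes_used > len(buf):
        return None
    return {"offset": offset, "endian": endian, "version": f"{major}.{minor}",
            "compression": COMPRESSORS[comp], "block_size": block_size,
            "inodes": inodes, "fragments": fragments, "no_ids": no_ids,
            "bytes_used": bytes_used}

def find_squashfs(buf):
    """Scan a whole flash dump for every plausible SquashFS superblock, lowest offset first."""
    found = []
    for magic in MAGICS:
        pos = buf.find(magic)
        while pos != -1:
            sb = parse_superblock(buf, pos)
            if sb:
                found.append(sb)
            pos = buf.find(magic, pos + 1)
    return sorted(found, key=lambda s: s["offset"])

def dump_size_ok(buf, expected=W25Q128_BYTES):
    """A dump shorter than the part's capacity means the read was cut short; do not analyse it."""
    return len(buf) == expected

def build_sample_dump():
    """Constructed test image: erased flash, a decoy 'hsqs' string, then one real superblock."""
    sb = struct.pack("<" + SB_FMT, 0x73717368, 1234, 1584460800, 1 << 17, 56,
                     4, 17, 0x00C0, 1, 4, 0, 0x2000000000, 0x30000,
                     0x2FF00, 0xFFFFFFFFFFFFFFFF, 0x2F000, 0x2F800, 0x2FE00, 0x2FF80)
    img = bytearray(b"\xff" * 0x1000) + b"hsqs is not a filesystem"  # decoy must be rejected
    img = img.ljust(0x40000, b"\x00") + sb                             # real one at 0x40000
    return bytes(img.ljust(0x40000 + 0x30000, b"\x00"))               # bytes_used of payload
```

On a real dump, call find_squashfs(open("dump.bin", "rb").read()) and compare the offsets it returns with binwalk's output before running unsquashfs on the carved region.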

The next part is manually going through the filesystem and looking for interesting files such as configuration files, password files, etc.

If you have problems extracting the filesystem from the firmware file, I would recommend the Firmware Mod Kit, which includes many tools for such cases.

For any comments or suggestions, reach out to me on Twitter.