Extracting a UART Password via SPI Flash Instruction Tracing
2 months ago
- #embedded-security
- #hardware-hacking
- #reverse-engineering
- Introduction to extracting a UART password via SPI flash instruction tracing on an embedded device.
- Discussion on the importance of debug access in embedded device tinkering and alternative methods when debug access is restricted.
- Target device: a managed switch based on the RTL8372N with an external QSPI Flash chip (W25Q16JV).
- Challenge: UART console requires a password not found in firmware strings, necessitating deeper analysis.
- Use of Ghidra for reverse engineering, complicated by the 8051 architecture's code banking mechanism.
- Innovative approach: sniffing QSPI communication to trace instruction execution without debug access.
- Comparison of logic analyzers (Saleae Logic 8 Pro vs. SLogic16U3) for capturing high-speed SPI communication.
- Detailed process of connecting the logic analyzer, capturing traces, and analyzing them to find the password check logic.
- Development of a Python script to convert flash addresses to 8051 banked memory format and analyze traces.
- Discovery of the password through dynamic analysis, including writing and injecting a gadget to dump the XORed password from memory.
- Conclusion on the effectiveness of SPI flash instruction tracing as a technique for firmware analysis without debug access.
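The flash-address-to-banked-address conversion mentioned above is the core of the analysis script, so here is a worked version of that step as an added example. This is not the post's own script and it does not reproduce the RTL8372N's real banking layout: it assumes a generic Keil-style scheme (a fixed 32 KiB common area at the start of flash, then 32 KiB banks that are mapped in turn into the 0x8000..0xFFFF window), decodes only the plain READ (0x03) and FAST_READ (0x0B) W25Q16JV commands, and works on constructed MOSI frames rather than a real capture. The names `flash_to_banked`, `decode_read` and `trace_to_code_addrs` are this example's own.

```python
"""Map SPI-flash read addresses seen on the bus to 8051 banked code addresses.

Added example, not the original post's script. COMMON_SIZE/BANK_SIZE describe an
ASSUMED generic 8051 banking layout, not the RTL8372N's actual one.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

COMMON_SIZE = 0x8000            # assumed: unbanked region 0x0000..0x7FFF of code space
BANK_SIZE = 0x8000              # assumed: size of the bank window 0x8000..0xFFFF
FLASH_SIZE = 2 * 1024 * 1024    # W25Q16JV is a 16 Mbit (2 MiB) part, 24-bit addresses

OPCODE_READ = 0x03              # opcode + 3 address bytes, then data
OPCODE_FAST_READ = 0x0B         # opcode + 3 address bytes + 1 dummy byte, then data


@dataclass(frozen=True)
class CodeAddr:
    bank: Optional[int]   # None for the common (unbanked) region
    addr: int             # 16-bit address as the 8051 core sees it


def flash_to_banked(flash_off: int) -> CodeAddr:
    """Flash offset -> (bank, code address) under the assumed layout."""
    if not 0 <= flash_off < FLASH_SIZE:
        raise ValueError(f"flash offset {flash_off:#x} outside a 2 MiB part")
    if flash_off < COMMON_SIZE:
        return CodeAddr(None, flash_off)
    rel = flash_off - COMMON_SIZE
    return CodeAddr(rel // BANK_SIZE, COMMON_SIZE + rel % BANK_SIZE)


def banked_to_flash(code: CodeAddr) -> int:
    """Inverse of flash_to_banked, used to turn Ghidra addresses back into flash offsets."""
    if code.bank is None:
        if not 0 <= code.addr < COMMON_SIZE:
            raise ValueError("common-area address outside the unbanked region")
        return code.addr
    if not COMMON_SIZE <= code.addr < COMMON_SIZE + BANK_SIZE:
        raise ValueError("banked address outside the bank window")
    return COMMON_SIZE + code.bank * BANK_SIZE + (code.addr - COMMON_SIZE)


def decode_read(mosi: bytes) -> Tuple[int, int]:
    """Return (flash_addr, data_len) for one READ/FAST_READ frame captured on MOSI.

    data_len counts the bytes clocked after the address (and the dummy byte)."""
    if len(mosi) < 4:
        raise ValueError("frame too short for opcode + 3 address bytes")
    opcode = mosi[0]
    addr = int.from_bytes(mosi[1:4], "big")
    if opcode == OPCODE_READ:
        return addr, len(mosi) - 4
    if opcode == OPCODE_FAST_READ:
        return addr, max(len(mosi) - 5, 0)
    raise ValueError(f"not a plain read command: opcode {opcode:#04x}")


def trace_to_code_addrs(frames: List[bytes]) -> List[CodeAddr]:
    """Code address of the first byte of every read frame; non-read frames are skipped."""
    out: List[CodeAddr] = []
    for frame in frames:
        try:
            flash_addr, _ = decode_read(frame)
        except ValueError:
            continue                      # JEDEC ID, status reads, etc.
        out.append(flash_to_banked(flash_addr))
    return out


def banks_touched(frames: List[bytes]) -> Set[Optional[int]]:
    """Which banks (None = common area) the captured fetches came from."""
    return {c.bank for c in trace_to_code_addrs(frames)}


# Constructed sample frames (MOSI bytes per chip-select cycle), not a real capture.
SAMPLE_FRAMES = [
    bytes([0x9F, 0, 0, 0]),                           # JEDEC ID: not a read, skipped
    bytes([0x0B, 0x00, 0x12, 0x34, 0x00]) + bytes(8),  # FAST_READ 0x001234 -> common area
    bytes([0x03, 0x00, 0x81, 0x00]) + bytes(16),       # READ 0x008100 -> bank 0, 0x8100
    bytes([0x03, 0x01, 0x02, 0x40]) + bytes(4),        # READ 0x010240 -> bank 1, 0x8240
]

if __name__ == "__main__":
    for code in trace_to_code_addrs(SAMPLE_FRAMES):
        bank = "common" if code.bank is None else f"bank {code.bank}"
        print(f"{bank:>7}  {code.addr:#06x}  (flash {banked_to_flash(code):#08x})")
```

Quad-I/O reads (0xEB on the W25Q16JV) carry the address on four lines, so a decoder for those needs the analyzer's quad-SPI decode rather than raw MOSI bytes; the functions above deliberately reject anything they cannot decode instead of guessing.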