Reverse Engineering Hardware?


PimpDawg
June 23rd, 2010, 17:02
How would I extract flash data from a microcontroller so I can reverse engineer it?

I want to move onto hardware reverse engineering. I know a little bit of electrical engineering, and I have been reverse engineering for half a year now.

Woodmann
June 23rd, 2010, 19:27
With a lot of expensive equipment?

Glad to be of no help.

Woodmann

devilsclaw
June 23rd, 2010, 20:06
This is not a simple subject. First off, I would get a multi-memory reader/writer; there are cheap ones out there, or how-tos to make your own. Then you might be able to pick up an adapter for your multi reader/writer, but it might require you to de-solder the chip from the board, which can be a pain. Or you can make your own adapter that slides over the top, and then you can read it.

Next you need to figure out the machine architecture so you can possibly figure out its instruction set; if it's not a known instruction set you will have to document it yourself. If it is documented you might have to build your own disassembler, or you might be lucky and find one online or for IDA Pro.

Then after that you have to figure out how the data is stored so you can point it to the proper location where the executable code is located. After that you will then be able to start figuring out what is doing what.

Then you might need to build a checksum calculator so that the machine accepts it (this is a maybe, but I have run into it).

Woodmann
June 23rd, 2010, 20:22
That's what I meant to say.

Woodmann

PimpDawg
June 24th, 2010, 12:28
Quote:
[Originally Posted by devilsclaw;86973]This is not a simple subject. First off, I would get a multi-memory reader/writer; there are cheap ones out there, or how-tos to make your own. Then you might be able to pick up an adapter for your multi reader/writer, but it might require you to de-solder the chip from the board, which can be a pain. Or you can make your own adapter that slides over the top, and then you can read it.

Next you need to figure out the machine architecture so you can possibly figure out its instruction set; if it's not a known instruction set you will have to document it yourself. If it is documented you might have to build your own disassembler, or you might be lucky and find one online or for IDA Pro.

Then after that you have to figure out how the data is stored so you can point it to the proper location where the executable code is located. After that you will then be able to start figuring out what is doing what.

Then you might need to build a checksum calculator so that the machine accepts it (this is a maybe, but I have run into it).


OK, thank you! Also, thank you Woodmann for having this wonderful forum.

Woodmann
June 24th, 2010, 17:16
Howdy,

It's not anyone's intention to dissuade you from trying. Far from it.

It's just a different area of RCE that requires special equipment to do.
Personally I would love to be able to play with such things.

And you're welcome. Stick around and someone might pop
in with other ideas about this.

Woodmann

FrankRizzo
June 24th, 2010, 18:28
It's also completely possible that the microcontroller that you have has its program memory (flash, EEPROM, etc.) protected so that you can't read it out. If that's the case, you're basically out of luck unless you pay big bucks to have a company "decap" the chip and read out the individual cells of the flash part. It CAN be done, but it is as tedious, time-consuming and expensive as it sounds.

I would DEFINITELY try one of the "clamp-on" adapters that'll let you read the part in-circuit if you can get one. Also, knowledge is power. If you know what the microcontroller is, go download all the datasheets and programmer's guides that you can get your hands on. The more you know, the higher the possibility that if you need a break, you might just get one. (Provided that you can read the flash, that is.)

In the documents you get, search for the word "protection"; that should point you to any notes about the part featuring the ability to "blow a security fuse" and stop you from reading its contents.

evaluator
June 25th, 2010, 08:56
OTHERWISE!!!

How about you learn HW programming and make the programs you need yourself?!?!?!

wbe
June 25th, 2010, 10:40
If it is soldered in, that means it can be read/written on the card (most of the time) over its I/O ports. If it is socketed, that's easier (remember E2PROMs?).

There are plenty of non-standard readers/writers that can dump the contents of the memory of a controller. However, there is no specific tool or method to access or reverse the contents. It takes a lot of reading and hands-on experience on the specific µcontroller you're messing with. Access to 'servicing' manuals is a prerequisite, btw, and they are usually printed in single copies and kept in a safe.

And then there is that "etched-in" firmware. It can still be read by using custom-built clamps and readers, but the contents cannot be altered. You need to dump, emulate, read, reverse, and burn on a new chip or push in another emulator chip like they do on the .ony consoles.

Anyway, who needs to reverse the µcontrollers in a space shuttle or in an unmanned stealth aircraft?

slcoleman
June 25th, 2010, 12:08
Quote:
[Originally Posted by PimpDawg;86965]How would I extract flash data from a microcontroller so I can reverse engineer it?


You might want to look to see if it has JTAG connectors on the specific device you want to reverse. Using a USB JTAG adaptor and software (e.g. OpenOCD) you may be able to read the flash without resorting to more destructive measures.

https://secure.wikimedia.org/wikipedia/en/wiki/JTAG

If you plan to dig even deeper into the logic of the electronics then the Flylogic blog is worth a read.

http://www.flylogic.net/blog/

Bengaly
June 25th, 2010, 16:38
Depends on the microcontroller you need to grab the data from.
First identify the chip; usually it may be Microchip's PIC or Atmel's AVR, but I guess it can always vary.

Once you've got the name of the brand, it's time to find out the model and, most important, the size in k of that chip; usually each microcontroller has its own limited k of RAM, ROM, etc.

Once you've got all of the data, you should head to eBay and grab yourself a read/write module that connects to the PC with a USB and grab its software to get the program's code (in hex).

By knowing the microcontroller's brand and type you will also know which instructions it uses, and then use IDA (probably) to disassemble it, or you can do it yourself (by hand, or write a disassembler of your own) and then start analysing the data.

The structure of such a microcontroller's executable hex file also includes .code, .data and sometimes .sram, etc.; make sure you read the manual of the microcontroller before doing anything.
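The dump-and-triage steps devilsclaw and Bengaly describe (get the program out in hex, work out where code and data live, check the part's layout against its manual) in working code. This is an added example, not code from the thread or from any poster: it parses the Intel HEX file that most programmer software writes, verifies every record checksum, rebuilds the flat image (locations the dump did not cover read as 0xFF, which assumes NOR-type flash), labels 256-byte blocks as erased, code-like or data-like with entropy thresholds that are rules of thumb rather than anything from a datasheet, and checks the reset vector on the assumption that the part is an AVR. The sample record is constructed; the encoder is included so the parser can be exercised round-trip offline.

```python
"""Added example (not from this thread): parse an Intel HEX dump of MCU flash,
rebuild the flat image, and do a first triage of what is where.
Assumptions: NOR-type flash that reads 0xFF when erased, and an AVR part for
the reset-vector check; the entropy thresholds are rules of thumb."""
import math
from collections import Counter

ERASED = 0xFF  # assumption: erased NOR flash reads as all ones


def _record(rtype, addr, data):
    """Build one Intel HEX record; the checksum makes the byte sum 0 mod 256."""
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + bytes(data)
    return ":" + (body + bytes([(-sum(body)) & 0xFF])).hex().upper()


def encode_ihex(data, start=0, reclen=16):
    """Encode bytes as Intel HEX, emitting a type-04 record whenever the upper 16 address bits change."""
    lines, upper = [], None
    for off in range(0, len(data), reclen):
        addr = start + off
        if addr >> 16 != upper:
            upper = addr >> 16
            lines.append(_record(0x04, 0, upper.to_bytes(2, "big")))
        lines.append(_record(0x00, addr & 0xFFFF, data[off:off + reclen]))
    lines.append(_record(0x01, 0, b""))
    return "\n".join(lines) + "\n"


def parse_ihex(text):
    """Return {address: byte}; verifies every record checksum and handles types 00/01/02/04."""
    image, base = {}, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record must start with ':'")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or sum(rec) & 0xFF:
            raise ValueError(f"line {lineno}: bad length or checksum")
        length, addr, rtype = rec[0], int.from_bytes(rec[1:3], "big"), rec[3]
        data = rec[4:-1]  # everything between the type byte and the checksum
        if len(data) != length:
            raise ValueError(f"line {lineno}: length field does not match record")
        if rtype == 0x00:
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x02:
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return image


def flatten(image, size):
    """Flat image of `size` bytes; locations the dump did not cover read as erased."""
    buf = bytearray([ERASED]) * size
    for addr, b in image.items():
        if addr < size:
            buf[addr] = b
    return bytes(buf)


def entropy(chunk):
    """Shannon entropy in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def triage(flat, block=256):
    """Label each block as erased, code-like (high entropy) or data-like (tables, strings).
    The 0.95 and 5.5 thresholds are assumptions, not from any datasheet."""
    out = []
    for off in range(0, len(flat), block):
        chunk = flat[off:off + block]
        if chunk.count(ERASED) / len(chunk) > 0.95:
            label = "erased"
        elif entropy(chunk) > 5.5:
            label = "code-like"
        else:
            label = "data-like"
        out.append((off, label))
    return out


def avr_reset_vector_ok(flat):
    """Assumed AVR part: word 0 (little-endian) should be RJMP (0xCxxx) or JMP (0x940C under mask 0xFE0E).
    A plausible reset vector is a cheap sanity check that the dump really is code."""
    if len(flat) < 2:
        return False
    w = flat[0] | (flat[1] << 8)
    return (w & 0xF000) == 0xC000 or (w & 0xFE0E) == 0x940C


# Constructed sample: one data record holding 'rjmp .+24' (0xC00C, LE bytes 0C C0) at 0x0000, then EOF.
SAMPLE_HEX = ":020000000CC032\n:00000001FF\n"

if __name__ == "__main__":
    img = parse_ihex(SAMPLE_HEX)
    print("reset vector ok:", avr_reset_vector_ok(flatten(img, 64)))
    for off, label in triage(flatten(img, 1024)):
        print(f"{off:#06x} {label}")
```

Feed it the .hex the programmer software saved; a block labelled "erased" in the middle of the image is a good hint that you are looking at the boundary between program code and configuration/data areas, and a failed checksum on a record means the dump itself is suspect before any reversing starts.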

Woodmann
June 25th, 2010, 19:02
WOW........

Thanks guys/gals. Even this old bastard learns new things.

Woodmann

Darren
June 27th, 2010, 04:43
Some links you may find useful :-

http://www.cl.cam.ac.uk/~sps32/
http://www.cl.cam.ac.uk/~sps32/mcu_lock.html
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf
http://code.google.com/p/the-bus-pirate/
http://www.lostscrews.com/

Would be interesting to hear how you get on, and your target MCU.

Garrett
June 30th, 2010, 09:56
Some ideas on how microcontrollers and other hardware are reverse engineered:
http://www.flylogic.net/blog/
http://events.ccc.de/congress/2008/Fahrplan/events/2896.en.html

squidge
July 2nd, 2010, 07:34
Sometimes there's even an easier option: the manufacturer provides upgrade files, so you can just download and get going. Sure, sometimes these are encrypted, but it's fun trying to decrypt them, and most of the time they are encrypted by "roll your own" algorithms which are easily broken (Hi, Gizmondo, remember xor 0xff?) or just packaged up unencrypted to make it easier for the updater (Huawei comes to mind on some of their mobile phones).
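The "roll your own" case squidge mentions, as an added example that is not from the thread or from any poster: a single-byte XOR over a firmware update file only permutes the byte histogram, so the key falls out of the most common byte if you assume what the plaintext image mostly consists of. The assumptions here are that erased flash (0xFF) dominates the image and that it contains some ASCII strings; the fast guess uses the first, and the general 256-key ranking uses both, which still works when no single byte dominates. The sample image is constructed.

```python
"""Added example (not from this thread): recover a single-byte XOR "encryption"
key from a firmware update file. Assumption: the plaintext image contains long
runs of erased flash (0xFF) and some ASCII strings, which a byte-wise XOR cannot hide."""
from collections import Counter


def xor_bytes(data, key):
    """Apply a single-byte XOR (it is its own inverse)."""
    return bytes(b ^ key for b in data)


def guess_xor_key(blob, expected_fill=0xFF):
    """Fast guess: the most common ciphertext byte is the fill byte XOR the key.
    Returns (key, share of the blob that the top byte accounts for)."""
    (top, n), = Counter(blob).most_common(1)
    return top ^ expected_fill, n / len(blob)


def find_strings(data, minlen=6):
    """Runs of printable ASCII of at least `minlen` bytes."""
    found, run = [], bytearray()
    for b in data + b"\x00":
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= minlen:
                found.append(bytes(run))
            run = bytearray()
    return found


def rank_keys(blob, fill=0xFF):
    """General form: score all 256 keys by fill bytes and printable strings in the
    candidate plaintext, best key first. Works even when no single byte dominates."""
    scored = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = plain.count(fill) + 4 * len(find_strings(plain))
        scored.append((score, key))
    scored.sort(reverse=True)
    return [key for _, key in scored]


# Constructed sample plaintext: erased fill, a version string, a small lookup table, more fill.
SAMPLE_PLAIN = (b"\xff" * 64 + b"Firmware v1.2 (c) Vendor\x00"
                + bytes(range(0, 200, 3)) + b"\xff" * 32)

if __name__ == "__main__":
    blob = xor_bytes(SAMPLE_PLAIN, 0x5A)  # a "roll your own" obfuscated update file
    key, share = guess_xor_key(blob)
    print(f"key {key:#04x} ({share:.0%} of bytes), ranking agrees: {rank_keys(blob)[0] == key}")
    print("strings:", find_strings(xor_bytes(blob, key)))
```

If the quick guess and the ranking disagree, or the top-ranked plaintext has neither fill runs nor strings, the file is not a single-byte XOR and it is time to look at the updater binary itself for the real routine.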

shellc0de
July 13th, 2010, 16:15
Reminds me of those Robot Wars robots, all controlled by these microcontrollers with weird architectures I can't dream of learning, and equipment I would probably never invest in buying.

squidge
July 13th, 2010, 17:10
Can't dream of learning? I call BS. Anyone can learn it if they put their mind to it. There are beginner kits out there. Start simple and work your way up. You'll soon be creating your own robots.

Bengaly
July 29th, 2010, 09:45
Either get an Arduino + shields (connect them like Lego, spend more time on coding)
or get a NerdKit for more technical stuff here: http://www.nerdkits.com/