Firmware#

Firmware extraction and reverse engineering. The operator dumps the binary off the target, identifies what is on it (boot ROM, bootloader, app, file system, secrets), opens it in a disassembler, and reads enough of the result to understand behavior or find a foothold. Firmware analysis is half art and half ritual; the workflow below is the ritual.

Extraction#

Method

Note

JTAG / SWD dump

Halt the CPU, dump_image from OpenOCD. The cleanest extraction when the debug port is open.

SPI flash dump (in-circuit)

SOIC-8 clip onto the flash chip, CH341A or BusPirate on the other end, flashrom -r dump.bin. Pulls the app and any external file system in one shot.

SPI flash dump (chip-off)

Desolder the flash, drop it in a socket, dump. The fallback when in-circuit dumping fails (shared SPI lines, hidden chip select).

eMMC dump

eMMC is just MMC; pads onto a microSD adapter, or through an eMMC programmer (Easy-JTAG, ufi-box).

Vendor firmware download

OEM update file from the support site, OTA capture, or USB DFU. The least invasive option; sometimes encrypted or signed.

USB DFU (Device Firmware Update)

The standard USB class for firmware updates; dfu-util -U reads back when the device permits.

Bootloader leak

UART bootloader, recovery mode, or vendor command interface that dumps flash without removing it.

Triage#

Tool

Effect

file

Identify the container (raw, ELF, U-Boot uImage, FIT, NK.bin).

binwalk

Walk the file looking for signatures (file systems, compressed regions, key material, certificates).

binwalk -e

Extract embedded file systems (SquashFS, CramFS, JFFS2, YAFFS, FAT).

strings

First-pass triage; the operator’s fastest signal on what the firmware does.

xxd | less

Eyeball the structure when nothing else identifies it.

cpu_rec

Identify the CPU architecture of an unknown raw blob by entropy and instruction frequency.

unblob

Modern alternative to binwalk from ONEKEY; better extraction accuracy.

Disassembly#

Tool

Note

Ghidra

NSA-released, free, multi-architecture. Decompiler is included. The operator’s default for free firmware RE.

IDA Pro + Hex-Rays

The commercial standard. Best decompiler, best multi-architecture support, expensive.

Binary Ninja

Mid-tier commercial; competitive decompiler and a Python API that is more pleasant than Ghidra’s.

radare2 / rizin / Cutter

Free, terminal-first (Cutter is the GUI front-end). Steep learning curve.

angr

Symbolic execution; useful for finding inputs that reach a target basic block.

Workflow#

The operator’s standard sequence on a fresh dump:

  1. file dump.bin to identify the container.

  2. binwalk dump.bin to spot embedded file systems and sub-images.

  3. strings dump.bin | head -200 for first-pass intent (URLs, credentials, version strings, debug messages).

  4. If a file system extracts cleanly, walk it for credentials, keys, init scripts, vendor binaries.

  5. Identify the CPU architecture (vendor doc, cpu_rec, or reading the reset vector).

  6. Load into Ghidra with the right loader, base address, and architecture; let the analysis run.

  7. Locate main (start at reset vector, follow the bootloader if present).

  8. Rename functions, types, and globals as understanding accumulates; the operator’s notes become the artifact.

References#