Practical Reverse Engineering Part 4 — Dumping the Flash
Practical Reverse Engineering Part 4 Dumping the Flash
Reverse engineering is the process of analyzing a system or device to understand its structure, function, behavior, or vulnerabilities. Reverse engineering can be applied to various fields, such as software, hardware, cryptography, malware, or forensics. In this article, we will focus on reverse engineering flash memory, which is a type of non-volatile memory that can store data even when the power is off.
Introduction
What is flash memory and why reverse engineer it?
Flash memory is a type of electrically erasable programmable read-only memory (EEPROM) that can be erased and rewritten in blocks or sectors. Flash memory is widely used in various devices, such as smartphones, tablets, laptops, cameras, USB drives, memory cards, or embedded systems. Flash memory can store various types of data, such as firmware, operating system, applications, configuration settings, user data, encryption keys, or passwords.
Reverse engineering flash memory can have different purposes and benefits, depending on the context and the goal of the analysis. Some possible reasons for reverse engineering flash memory are:
To recover lost or deleted data from a damaged or corrupted device.
To extract sensitive or confidential information from a stolen or seized device.
To discover hidden features or functionalities of a device.
To identify vulnerabilities or backdoors in a device.
To modify or customize a device's behavior or performance.
To clone or emulate a device's functionality.
To learn from a device's design or implementation.
What are the challenges and risks of reverse engineering flash?
Reverse engineering flash memory is not an easy task. It requires technical skills, specialized tools, and careful planning. Some of the challenges and risks of reverse engineering flash are:
The flash memory may be encrypted, compressed, obfuscated, or protected by checksums or digital signatures.
The flash memory may be embedded in a chip or soldered on a board, making it difficult to access physically.
The flash memory may have a proprietary or unknown interface or protocol, making it hard to communicate with it.
The flash memory may have a limited number of erase/write cycles, making it prone to wear out or damage.
The flash memory may have anti-tampering mechanisms that can detect unauthorized access or modification and trigger self-destruction or data wiping.
The flash memory may contain personal or private data that can violate ethical or legal boundaries if accessed without consent.
What are the tools and techniques for reverse engineering flash?
Reverse engineering flash memory involves various tools and techniques that can be classified into two categories: software and hardware. Software tools and techniques are used to analyze the flash memory contents logically, while hardware tools and techniques are used to access the flash memory physically. Some of the common tools and techniques for reverse engineering flash are:
Software tools and techniques:
Hex editors: To view and edit the raw binary data of the flash memory.
Disassemblers: To convert the machine code of the flash memory into human-readable assembly code.
Decompilers: To convert the assembly code of the flash memory into high-level source code.
Debuggers: To execute and monitor the flash memory code step by step.
Emulators: To simulate the flash memory environment and functionality.
Extractors: To extract specific data or files from the flash memory.
Decryptors: To decrypt encrypted data or files from the flash memory.
Decompressors: To decompress compressed data or files from the flash memory.
Parsers: To parse structured data or files from the flash memory.
Analyzers: To analyze the flash memory data or files for patterns, anomalies, or vulnerabilities.
Hardware tools and techniques:
Screwdrivers, pliers, cutters, tweezers, etc.: To open and disassemble the device containing the flash memory.
Soldering iron, desoldering pump, hot air gun, etc.: To remove or attach the flash memory chip or wires from or to the board.
Flash memory readers or programmers: To read or write data to or from the flash memory chip via a standard interface (e.g., SPI, I2C, JTAG, etc.).
Oscilloscope, logic analyzer, multimeter, etc.: To measure and monitor the electrical signals of the flash memory chip or interface.
Microscope, camera, scanner, etc.: To magnify and capture the image of the flash memory chip or board.
Laser cutter, focused ion beam (FIB), chemical etching, etc.: To cut or remove layers of material from the flash memory chip or board.
Scanning electron microscope (SEM), scanning probe microscope (SPM), etc.: To visualize and manipulate the nanoscale structures of the flash memory chip.
Methodology
Step 1: Identify the flash memory type and interface
The first step in reverse engineering flash memory is to identify its type and interface. The type of flash memory determines its characteristics, such as capacity, speed, endurance, architecture, etc. The interface of flash memory determines how it communicates with other components, such as controller, processor, bus, etc. Identifying the type and interface of flash memory can help to choose the appropriate tools and techniques for accessing and analyzing it.
To identify the type and interface of flash memory, one can use various methods, such as:
Reading the label or markings on the flash memory chip or board.
Searching online for datasheets or specifications of the flash memory chip or board.
Tracing the connections or signals of the flash memory chip or board.
Probing or testing the pins or pads of the flash memory chip or board.
Some of the common types of flash memory are:
NOR flash: A type of flash memory that has a parallel interface and allows random access to any address. NOR flash is typically used for storing code that needs to be executed directly by a processor (e.g., BIOS, bootloader, firmware).
NAND flash: A type of flash memory that has a serial interface and allows sequential access to blocks or pages. NAND flash is typically used for storing data that needs to be read or written in large chunks (e.g., operating system, applications, user data).
eMMC: A type of embedded NAND flash that has an MMC interface and integrates a controller that manages wear leveling, bad block management, error correction, etc. eMMC is typically used for storing data in mobile devices (e.g., smartphones, tablets).
UFS: A type of embedded NAND flash that has a SCSI interface and provides higher performance and lower power consumption than eMMC. UFS is typically used for storing data in high-end mobile devices (e.g., smartphones).
SD card: A type of removable NAND flash that has an SD interface and conforms to a standard specification that defines its physical and logical characteristics. SD card is typically used for storing data in portable devices (e.g., cameras).
Step 2: Access the flash memory pins or pads
The second step in reverse engineering flash memory is to access its pins or pads. The pins or pads of flash memory are the points where electrical signals can be sent or received. Accessing the pins or pads of flash memory can enable reading or writing data to or from it using a reader or programmer.
To access the pins or pads of flash memory, one can use various methods, such as:
Soldering wires or clips to the pins or pads of flash memory chip or board.
Using a test socket or adapter that matches the package of flash memory chip.
Using a custom-made probe or needle that contacts the pins or pads of flash memory chip.
Some of the challenges and risks of accessing the pins or pads of flash memory are:
The flash memory chip may be embedded in a chip-on-board (COB) or system-in-package (SIP) module, making it hard to locate or expose its pins or pads.
The flash memory chip may have a ball grid array (BGA) or land grid array (LGA) package, making it difficult to solder or clip its pins or pads.
The flash memory chip may have a very small pitch or size, making it challenging to contact its pins or pads without shorting or damaging them.
The flash memory chip may have a proprietary pinout or layout, making it unclear which pins or pads are used for data, clock, power, etc.
Step 3: Connect the flash memory to a reader or programmer
The third step in reverse engineering flash memory is to connect it to a reader or programmer. A reader or programmer is a device that can communicate with flash memory via its interface and protocol. Connecting flash memory to a reader or programmer can allow dumping or modifying its contents.
To connect flash memory to a reader or programmer, one can use various methods, such as:
Using a commercial off-the-shelf (COTS) reader or programmer that supports the type and interface of flash memory.
Using a general-purpose input/output (GPIO) device that can emulate the interface and protocol of flash memory (e.g., Raspberry Pi, Arduino, Bus Pirate).
Using a custom-made hardware that can interface with flash memory (e.g., FPGA, CPLD, microcontroller).
Some of the challenges and risks of connecting flash memory to a reader or programmer are:
The flash memory may have a non-standard interface or protocol that is not compatible with existing readers or programmers.
The flash memory may have a high-speed interface that requires special hardware or software to handle it.
The flash memory may have a low-power interface that requires careful voltage and current regulation to avoid damage.
The flash memory may have security features that prevent unauthorized access or modification (e.g., password protection, write protection, encryption).
Step 4: Dump the flash memory contents
The fourth step in reverse engineering flash memory is to dump its contents. Dumping flash memory contents means reading and saving all the data stored in it. Dumping flash memory contents can enable analyzing and modifying it offline.
To dump flash memory contents, one can use various methods, such as:
Using software tools that can communicate with the reader or programmer and send commands to read data from flash memory.
Using hardware tools that can capture and decode the signals between the reader or programmer and flash memory.
Using physical tools that can directly sense and measure the charge state of the floating gate cells in flash memory.
Step 5: Analyze the flash memory dump
The fifth step in reverse engineering flash memory is to analyze its dump. Analyzing flash memory dump means interpreting and understanding the data stored in it. Analyzing flash memory dump can reveal various information, such as code, data, files, encryption keys, passwords, etc.
To analyze flash memory dump, one can use various methods, such as:
Using hex editors to view and edit the raw binary data of the flash memory dump.
Using disassemblers or decompilers to convert the machine code or assembly code of the flash memory dump into high-level source code.
Using debuggers or emulators to execute and monitor the code of the flash memory dump step by step.
Using extractors or decryptors to extract or decrypt specific data or files from the flash memory dump.
Using parsers or analyzers to parse or analyze structured data or files from the flash memory dump.
Some of the challenges and risks of analyzing flash memory dump are:
The flash memory dump may be encrypted, compressed, obfuscated, or protected by checksums or digital signatures that require reverse engineering or breaking.
The flash memory dump may be fragmented, corrupted, or incomplete that require recovery or reconstruction.
The flash memory dump may have a proprietary or unknown format or structure that require identification or parsing.
The flash memory dump may contain personal or private data that can violate ethical or legal boundaries if accessed without consent.
Case study: Reverse engineering a smart card with flash EEPROM
Background information on smart cards and flash EEPROM
A smart card is a type of embedded system that consists of a microcontroller and a memory chip embedded in a plastic card. A smart card can communicate with a reader via physical contact or wireless connection. A smart card can perform various functions, such as authentication, identification, payment, access control, etc.
A flash EEPROM is a type of flash memory that can be erased and rewritten electrically in small units (e.g., bytes or words). A flash EEPROM is typically used for storing code or data that needs to be updated frequently (e.g., configuration settings, encryption keys, counters, etc.).
In this case study, we will reverse engineer a smart card with flash EEPROM using scanning electron microscopy (SEM). SEM is a type of microscope that uses a beam of electrons to scan the surface of a sample and produce a high-resolution image. SEM can also be used to manipulate or modify the sample at nanoscale level.
Sample preparation and SEM imaging
The first step in reverse engineering the smart card with flash EEPROM is to prepare the sample and image it using SEM. The sample preparation involves opening and disassembling the smart card and exposing the backside of the flash EEPROM chip. The SEM imaging involves scanning and capturing the image of the flash EEPROM chip using passive voltage contrast (PVC) mode.
To prepare the sample, we use the following methods:
We use a cutter to cut open the plastic card and remove the microcontroller and the memory chip from it.
We use a hot air gun to desolder the memory chip from the microcontroller board.
We use a polishing tool to grind and polish the backside of the memory chip until we reach the tunnel oxide layer of the floating gate transistors.
We use a wet etching acid to remove any remaining silicon dioxide from the backside of the memory chip.
To image the sample using SEM, we use the following methods:
We mount the sample on a conductive holder and insert it into the SEM chamber.
We set up the SEM parameters (e.g., accelerating voltage, magnification, focus, etc.) and select PVC mode.
We scan and capture the image of the sample using PVC mode. PVC mode allows us to distinguish between '0' and '1' bit values stored in individual memory cells based on their charge state. A '0' bit value corresponds to a charged floating gate transistor that appears bright in PVC mode. A '1' bit value corresponds to an uncharged floating gate transistor that appears dark in PVC mode.
Memory cell identification and bit value extraction
The second step in reverse engineering the smart card with flash EEPROM is to identify the memory cells and extract their bit values. The memory cells are the basic units of storage in flash EEPROM. Each memory cell consists of a floating gate transistor that can store one bit of data. The bit value of a memory cell depends on whether its floating gate is charged or uncharged.
To identify the memory cells and extract their bit values, we use the following methods:
We use an image processing tool to enhance and segment the SEM image of the sample.
We use an image analysis tool to locate and label the memory cells in the SEM image based on their shape and size.
We use an image recognition tool to classify and assign the bit values to the memory cells in the SEM image based on their brightness and contrast.
Memory dump reconstruction and verification
The third step in reverse engineering the smart card with flash EEPROM is to reconstruct and verify the memory dump. The memory dump is the complete data stored in flash EEPROM. The memory dump can be reconstructed by arranging the bit values of the memory cells in a logical order. The memory dump can be verified by comparing it with a known or expected data.
To reconstruct and verify the memory dump, we use the following methods:
We use a data conversion tool to convert the bit values of the memory cells into hexadecimal values.
We use a data organization tool to arrange the hexadecimal values of the memory cells into rows and columns according to the flash EEPROM architecture and layout.
We use a data comparison tool to compare the hexadecimal values of the memory dump with a reference data or a checksum value.
Conclusion
Summary of the main points
In this article, we have presented a practical methodology for reverse engineering flash memory using scanning electron microscopy (SEM). We have explained what flash memory is and why reverse engineer it. We have described the challenges and risks of reverse engineering flash. We have outlined the tools and techniques for reverse engineering flash. We have demonstrated the methodology on a case study of reverse engineering a smart card with flash EEPROM. We have shown how to prepare and image the sample using SEM, how to identify and extract the bit values of the memory cells, and how to reconstruct and verify the memory dump.
Future work and recommendations
The methodology presented in this article can be improved or extended in various ways. Some possible future work and recommendations are:
To apply the methodology to other types or interfaces of flash memory (e.g., NAND, eMMC, UFS, SD card).
To automate or optimize the sample preparation and SEM imaging process using advanced tools or techniques (e.g., laser cutter, FIB, PVC automation).
To enhance or refine the memory cell identification and bit value extraction process using machine learning or artificial intelligence algorithms (e.g., neural networks, deep learning).
To analyze or modify the flash memory dump using software tools or techniques (e.g., hex editors, disassemblers, decompilers, debuggers, emulators).
To evaluate or compare the performance or accuracy of the methodology with other methods or tools for reverse engineering flash (e.g., SPM, GPIO, FPGA).
To consider or address the ethical or legal implications of reverse engineering flash (e.g., privacy, consent, ownership, liability).
FAQs
Here are some frequently asked questions about reverse engineering flash:
Q: What is reverse engineering flash?
A: Reverse engineering flash is the process of analyzing a flash memory device to understand its structure, function, behavior, or vulnerabilities.
Q: Why reverse engineer flash?
A: Reverse engineering flash can have different purposes and benefits, such as recovering lost data, extracting sensitive information, discovering hidden features, identifying vulnerabilities, modifying device behavior, cloning device functionality, or learning from device design.
Q: How to reverse engineer flash?
A: Reverse engineering flash involves various tools and