
Extracting Flash Memory over SPI

I’m playing around with a device at the moment and pulling the contents of its flash memory out over SPI, so I figured I’d write a few notes on how to do just that.

Here’s what I’m playing with, in case you’re curious:

A network device undergoing memory extraction, using a Bus Pirate

Introduction

The first question is probably: how do I know which chip is the flash memory? In this particular case the target chip is labelled, so it was straightforward to work out what it was and find a datasheet for it. As a rule of thumb, the SPI NOR flash on this kind of device is usually an 8-pin SOIC package sitting close to the SoC, with a marking that contains “25” followed by the density in megabits (25Q32, 25Q64, 25Q128 and so on).

Here’s a close up of what I’m working on:

A shot of the target board, without test-clips, showing the target chip near the centre

With a little zoom or some good eyes you should be able to see that the target chip is labelled 25Q32CSIG: a 32 Mbit (4 MiB) SPI NOR flash from the widely second-sourced 25Q family. The trailing letters encode revision, package and grade, so search for the full marking to get the right datasheet. With very good eyes you will also see a small circular indent in one corner of the package, which marks pin 1.

Armed with that information you should be able to find a suitable datasheet for the pinout, which for this 8-pin package is:

CS   1 - 8  VCC
SO   2 - 7  HOLD
WP   3 - 6  SCLK
VSS  4 - 5  SI

CS, WP and HOLD are all active-low.

For reading this chip over SPI with a Bus Pirate we don’t need all of the pins, but the usual mapping from Bus Pirate probe to chip pin is: CS -> CS, MISO -> SO, GND -> VSS, 3V3 -> VCC, CLK -> SCLK, MOSI -> SI. Check the supply range in the datasheet before you connect anything: the 25Q family runs at 3.3 V, and the Bus Pirate’s 5 V supply would damage it. This gives us the following pins populated:

CS     1 - 8  3V3
MISO   2 - 7  Empty
Empty  3 - 6  CLK
GND    4 - 5  MOSI

If reads turn out to be unreliable, also tie HOLD (pin 7) and WP (pin 3) to 3V3 so that neither active-low input can float low mid-transfer.

If you connect your target flash chip up to your Bus Pirate you will end up with something like the first photograph in the article. There is no need to power the device itself: the Bus Pirate supplies 3.3 V to the chip to extract the data. Two caveats on that. Never connect the Bus Pirate’s supply while the target has its own power attached. And because the chip’s VCC pin is normally shared with the rest of the board, the Bus Pirate ends up back-powering everything on that rail; if the SoC wakes up and starts talking to the flash itself, or the rail draws more current than the Bus Pirate can supply, reads will fail or come back corrupted. Holding the SoC in reset, or lifting the chip off the board, fixes that.

The next thing you’ll need is flashrom, pointed at the Bus Pirate with a configuration that looks something like this:

Flashrom reading data from the chip through a BusPirate

You can see from the above that I’ve set the Bus Pirate device to /dev/ttyUSB0. Yours may be named differently, especially if you have several USB serial devices, so check dmesg or list /dev when you first plug the Bus Pirate in. The -r flag reads the chip into the output file named after it. If flashrom complains that several chip definitions match, rerun it with -c and one of the chip names it lists.

Wait a few minutes and you’ll end up with a file called flash.bin holding your memory contents. It is worth reading the chip a second time and checking that the two dumps are identical: a clip that is not quite seated produces a corrupt image without any error, and an image that is all 0xFF means the chip was never really answering you.

If you’d like to take a look at the contents, binwalk is a useful tool for identifying and carving out the pieces of data inside the image. Here’s what mine looks like:

The flash memory contents displayed in binwalk

A little messy, but it works. You can also use the -e flag to extract the file types binwalk recognises, but you will probably want -C with a directory name to extract into, since the default is the current working directory and that gets messy quickly.
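The procedure above, from reading the chip through to carving the image, as an added shell script that is not from the original post. It assumes the Bus Pirate shows up as /dev/ttyUSB0, a 32 Mbit (4 MiB) chip, and flashrom (with its buspirate_spi programmer) and binwalk on the PATH; the double read, the size check and the all-0xFF check are my additions to catch the failures a badly seated clip or an unpowered chip produce silently.

```shell
#!/bin/sh
# Added example, not code from the original post: dump a SPI flash with flashrom through a
# Bus Pirate, read it twice so a flaky clip connection is caught, sanity-check the image,
# then hand it to binwalk. Assumed: Bus Pirate on /dev/ttyUSB0, a 32 Mbit (4 MiB) chip,
# flashrom's buspirate_spi programmer and binwalk installed. Adjust DEV/FLASH_BYTES to suit.
set -eu
export LC_ALL=C

DEV="${DEV:-/dev/ttyUSB0}"
FLASH_BYTES="${FLASH_BYTES:-4194304}"        # 32 Mbit = 4 MiB
PROGRAMMER="buspirate_spi:dev=${DEV},spispeed=2M"
OUTDIR="${OUTDIR:-extracted}"

# One full read of the chip into the file named in $1. If flashrom reports several
# matching chip definitions, rerun with -c <chipname> using one of the names it lists.
dump_flash() {
    flashrom -p "$PROGRAMMER" -r "$1"
}

# Succeeds only if the dump is exactly the size the chip's density implies.
check_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq "$FLASH_BYTES" ]
}

# Succeeds only if the dump contains at least one byte other than 0xFF. An erased-looking
# image usually means the chip was not powered or the clip was not seated.
has_data() {
    non_ff=$(od -An -v -tx1 "$1" | tr -s ' \n' '\n' | grep -v '^$' | grep -vc '^ff$' || true)
    [ "$non_ff" -gt 0 ]
}

# Succeeds only if two dumps are byte-for-byte identical (compared via SHA-256).
dumps_match() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

main() {
    dump_flash flash_1.bin
    dump_flash flash_2.bin
    check_size  flash_1.bin || { echo "size != $FLASH_BYTES bytes: wrong chip or truncated read" >&2; exit 1; }
    has_data    flash_1.bin || { echo "image is all 0xFF: check power and clip seating" >&2; exit 1; }
    dumps_match flash_1.bin flash_2.bin || { echo "reads differ: reseat the clip or lower spispeed" >&2; exit 1; }
    mv flash_1.bin flash.bin && rm -f flash_2.bin
    sha256sum flash.bin | tee flash.bin.sha256
    # Carve recognised file systems and images into their own directory.
    binwalk -e -C "$OUTDIR" flash.bin
}

# Invoke as: sh dump_spi.sh run
case "${1:-}" in run) main ;; esac
```

Keeping the SHA-256 of the verified image alongside it is worth the habit: any later modification you make to flash.bin for analysis can be distinguished from what actually came off the chip.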

That’s it! That’s a simple guide on how to extract flash memory with SPI and a BusPirate! Have fun 🙂