Extracting a UART Password via SPI Flash Instruction Tracing

https://news.ycombinator.com/rss Hits: 6
Summary

Introduction

If you’re tinkering around with embedded devices, having debug access is like having superpowers. It’s worth much more than having a firmware binary in my opinion, as it gives you the ability to step through code, analyze it dynamically, and understand it better. It can also help point you to code regions to analyze during static analysis. Many recent MCUs and SoCs allow manufacturers to restrict debug access, so getting debug access is a common attack vector. But what if you’re not able to reactivate debug access, or if the chip you’re analyzing doesn’t even have debug capabilities? That’s what this blog article is about.

I’ll discuss how instruction tracing of an external SPI flash helped me better understand the code flow of firmware running on a simple 8051 core. I originally did this last summer during a group effort on the IoT Hacker Hideout Discord server, where people of different skill levels work together on the same devices. If you’re new to IoT hacking or want to improve your skills, I highly recommend joining the server.

Originally, I used the Saleae Logic 8 Pro analyzer, which I’m a huge fan of, but the price point is a huge con for hobbyists. That’s why the new SLogic16U3 got my interest. I’ll use it during this article to test it and see if it fits my needs.

The Target

The target device is a cheap managed switch based on the RTL8372N. There are many of these devices on the market which all seem to be based on the same reference design and firmware SDK. The device we’re looking at is marketed by the company “GoodTop” as the “GT-ST024M”. The RTL8372N is a Realtek network switch controller chip. It can be configured either through an external bus interface or via its onboard 8051 processor, which runs the management firmware and provides administrative web interface access to the switch. The firmware is located on an external QSPI Flash chip (W25Q16JV).
After opening the device enclosure, an unpopulated UART connector catches the eye of any...

First seen: 2026-01-22 22:45

Last seen: 2026-01-23 03:46