Extracting Flash Memory over SPI
Author: HollyGraceful Published: 06 August 2021 Last Updated: 03 July 2023
So I’m playing around with a device right now and I’m currently pulling out the contents of its flash memory over SPI – so I figured I’d write a few notes about how to do just that!
Here’s what I’m playing with, in case you’re curious:
So the first question is likely, how do I know which chip is the flash memory? Well in this particular case the target chip is labelled – so it was fairly simple to determine what it was and find a datasheet for it.
Here’s a close up of what I’m working on:
With a little zoom or some good eyes, you should be able to see that the target chip is labelled 25Q32CSIG. With some very good eyes you’ll be able to see a small circle engraved in the chip which indicates pin 1.
Armed with that information you should be able to find a suitable datasheet for the pinout. Which has the following layout:
CS 1 - 8 VCC SO 2 - 7 Hold WP 3 - 6 SCLK VSS 4 - 5 SI
For reading this chip with SPI and a BusPirate we don’t need all of the pins, but generally we map: CS -> CS, MISO -> SO, GND -> VSS, 3V3- > VCC, CLK -> SCLK, MOSI -> SI. This gives us the following pins populated:
CS 1 - 8 3V3 MISO 2 - 7 Empty Empty 3 - 6 CLK GND 4 - 5 MOSI
If you connect up your target flash chip with you bus pirate, you’ll end up with something like the first photograph in the article. There’s no need to power the device itself, the BusPirate will power the chip to extract data.
The next thing you’ll need is flashrom, with a BusPirate configuration which should look something like this:
You can see from the above I’ve set the BusPirate device to /dev/ttyUSB0 – your device may be named differently to mine – especially if you have multiple serial USB devices – so check dmesg/dev when you first plug your BusPirate in for the device name. Additionally I’ve used the -r flag to specify an output filename.
Wait a few minutes and you’ll end up with a file called flash.bin with your memory contents!
If you’d like to take a look at the contents, then binwalk is probably a useful tool to carve out pieces of data. Here’s what mine looks like:
A little messy but it works – you can also use the -e flag to extract the known file types, but you probably want to use -C and supply a directory name to extract to, as the default is the current working directory and it can get a little messy.
That’s a simple guide on how to extract flash memory with SPI and a BusPirate! Have fun :)