Firmware: the holy grail of most Internet of Things (IoT) security assessments! Sometimes, getting access to a device’s firmware can be as easy as visiting the vendor’s website. Other times, the only option is to dump it directly from the hardware, and this is where things get interesting. Some procedures used for dumping can expose the memory chips to more heat and voltage than they are designed to withstand, which raises the question: can they take it? After putting them to the test, we are sharing our results.
Firmware is usually stored on flash memory chips. These come in all shapes and sizes, but there are two specific kinds we encounter very often in our assessments: SPI flash chips in 8-pin SOP packages and NAND flash chips in 48-pin TSOP packages. We’ll refer to them as SOP8 and TSOP48 chips from now on.
SOP8 chips have smaller capacities than TSOP48 chips. On simpler devices (e.g. connected alarm systems), a single SOP8 chip can house both the bootloader and the firmware. On more complex devices, such as routers, the bootloader is often placed on a SOP8 chip, while the rest of the firmware is stored on a TSOP48. SOP8 chips are also frequently used to store a device’s configuration.
Roughly speaking, when it comes to dumping a chip’s content directly from the hardware, there are three options available:
- Abuse a debugging interface left behind by the developers that allows you to access the chip’s content using a debugger. For example, JTAG/SWD, SPI …
- Use a clip to latch onto the chip and dump it while it is still on the device’s board.
- When the above options fail, perform a “chip-off”. In layman’s terms, a chip-off boils down to applying enough heat to the board and the chip until the solder melts and the chip is freed. This is often performed using a hot-air station.
Once the chip is free, we can use a test clip or an adapter to try and read it. However, memory chips operate at different voltages, usually either 1.8V, 3.3V or 5V. To choose the correct one, the chip must be identified, for example using its serial number – which is not always readable…
We have performed our fair share of chip-offs and memory dumps, but every time the moment comes, we can’t help but feel an all-too-familiar pang of stress: will the heat destroy the chip? Are we using the correct voltage or are we about to fry it?
Some manufacturers publish heat resistance results for their memory chips, but these only concern the maximum operating temperatures and often only go up to 150 ℃. To answer our questions, we had something more extreme in mind! We decided to do some practical tests and see once and for all how much heat and voltage these little fellows can take. Will they melt?
Before firing up our hot-air station, we set some ground rules. We bought multiple SOP8 and TSOP48 chips from different manufacturers, operating at different voltages. For each chip, we first wrote data to it and verified we could reliably read it back. Then, on some chips, we applied different amounts of heat, for different amounts of time. On other chips, we performed read and write operations at different voltages. At the end, we tried to read the original data off the chips.
The typical temperature for chip-offs is between 150 ℃ and 250 ℃, for about two minutes. We decided to aim higher, blasting the chips with up to 360 ℃ for between two and five minutes. We also used voltages up to 7V.
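The write, stress, read-back comparison described above can be scripted. The following is an added example, not the tooling used in the original tests; the function names, the 2048-byte page size and the sample image are assumptions constructed for illustration.

```python
import hashlib

PAGE_SIZE = 2048  # assumed page size in bytes; use the value from the chip's datasheet


def bit_errors(a: bytes, b: bytes) -> int:
    """Count differing bits between two equal-length buffers."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify_dump(reference: bytes, reads: list, page_size: int = PAGE_SIZE) -> dict:
    """Compare repeated post-stress reads with the image written before the test."""
    if not reads:
        raise ValueError("at least one read-back is required")
    if any(len(r) != len(reference) for r in reads):
        raise ValueError("read-back length differs from reference (truncated dump?)")
    # Identical hashes across reads mean the chip returns the same data every time.
    stable = len({hashlib.sha256(r).digest() for r in reads}) == 1
    dump = reads[0]
    bad_pages = [
        off // page_size
        for off in range(0, len(reference), page_size)
        if dump[off:off + page_size] != reference[off:off + page_size]
    ]
    flips = bit_errors(reference, dump)
    if not stable:
        verdict = "UNSTABLE"   # reads disagree with each other: check voltage and contact
    elif flips:
        verdict = "CORRUPTED"  # reads agree with each other but not with what was written
    else:
        verdict = "OK"
    return {"verdict": verdict, "stable": stable, "bit_errors": flips, "bad_pages": bad_pages}


if __name__ == "__main__":
    # Constructed sample data: an 8 KiB "written" image and a copy with one flipped bit.
    reference = bytes(range(256)) * 32
    damaged = bytearray(reference)
    damaged[2 * PAGE_SIZE + 5] ^= 0x01
    damaged = bytes(damaged)
    print(verify_dump(reference, [reference, reference]))
    print(verify_dump(reference, [damaged, damaged]))
    print(verify_dump(reference, [reference, damaged]))
```

Reading the chip several times and hashing each dump separates an unreliable read setup from data that has actually changed on the chip.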
Turning on the heat
Time for a quick look at some of our results:
|Type|2 minutes at 250℃|2 minutes at 300℃|5 minutes at 360℃|
|---|---|---|---|
|SOP8|OK|OK|Unreadable – structural damage|
It turns out that all the SOP8 and TSOP48 chips we tested survived a 2-minute heat exposure at 300 ℃ without any problems, and we could reliably get the data off them. Determined to break at least one chip, we blasted a SOP8 with 360℃ for 5 minutes, until it finally started melting. The TSOP48 chips were able to withstand even that!
So what about voltage? In our tests, using 5V to read from a 3.3V chip, or 3.3V to read from a 1.8V chip, returned garbage data, and using the same voltage mismatches while writing resulted in most of the written data being corrupted. However, switching back to the indicated voltages allowed us to read/write to the chips as intended.
Once again, we refused to give up before the fireworks and supplied 7V to a 3.3V SOP8 chip, with explosive results! Needless to say, the data was vaporized along with the unlucky SOP8 chip.
So, did they melt?
It turns out that these flash memory chips are definitely more resistant than what we initially gave them credit for. We had to apply enough heat to physically melt the plastic in order to make the contents unreadable, which would never be the case in an actual chip-off. Using more voltage than indicated did hinder reading and writing data to the chips, but did not permanently corrupt the data they hold.
Now, before you excitedly start blasting hot air at memory chips, a word of warning. We’ve only tested this on a small number of chips, and our research can hardly be regarded as academic. Some research (like this article) shows that heat exposure during chip-offs can play a significant role in corrupting flash memory chip contents. So, chip-offs must always be performed under the assumption that the chip (and the board) will be destroyed!
However, our experience and our practical tests seem to suggest the worst-case scenario does not arrive that often. This result is also supported by research.
About the author
Théo Rigas is an IT Security Consultant at NVISO. He has researched the security of connected alarm systems and is currently working on more IoT and embedded device security projects. Outside of his research work, he performs Web, Mobile and IoT security assessments for NVISO.
These are the memory chips we used for testing (~~no~~ some chips were harmed during the tests):
- Macronix MX30LF2G18AC-TI (TSOP48)
- Macronix MX30UF1G18AC-TI (TSOP48)
- Microchip SST25LF020A-33-4I-SAE (SOP8)
- Adesto AT25SF041-SSHD-B (SOP8)
- Microchip SST26VF064B-104I/SM (SOP8)