# Full Report
Recently, the author of this post received an arcade cabinet as a gift. Different cabinets ship with emulators for different older consoles, such as the NES, Atari and many others. The physical device had already been torn down, allowing other ROMs to be played, and the author was curious what the actual ROMs for the games looked like. So they started reviewing the board for its different components. On the board, next to the chip holding the emulator, is a Winbond 25Q16VNIQ SPI flash chip. This is a very standard part with a standard SPI flash interface, so off-the-shelf tools can be used to communicate with it.

First, they hooked up an Arduino and wrote a very simple SPI implementation to send read commands via the GPIO pins. However, this took a lot of time and had many faults in it. The second attempt used the Swiss Army knife tool, the Bus Pirate. There is an open source tool called flashrom that can be used to extract EEPROM memory, and the SPI flash interface is universal as well. The author attached a SOIC clip to the SPI flash chip, then mapped the pins from the clip onto the Bus Pirate's SPI lines. From there, simply running flashrom with the Bus Pirate programmer configuration dumps the memory.

At the very end, they open the blob in a hex editor to view the dump of the Rampage NES ROM and compare it to the actual Rampage NES ROM. The ROM is included twice on the chip as a backup. Overall, a good post from a solid hardware hacker.
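The post ends by comparing the dumped blob against the known Rampage ROM and noticing the image is stored twice. The script below is an added example (not code from the post or from flashrom) of doing that comparison programmatically: it walks a raw dump, locates every iNES image by its `NES\x1a` magic, hashes each copy against a trusted "golden" hash, and checks that the backup copy agrees with the primary. The iNES header layout, the 2 MiB sample image with two ROM copies, and the golden hash are all assumptions constructed for the example.

```python
"""Verify an SPI flash dump against a trusted reference (added example).

Assumptions not taken from the original post: the dump is a raw byte
string as flashrom writes it, the stored games are iNES-format images
(4-byte magic "NES\x1a"), and a trusted "golden" hash of the ROM exists.
"""
import hashlib

INES_MAGIC = b"NES\x1a"


def ines_size(header: bytes) -> int:
    """Size of an iNES image from its 16-byte header: header + optional
    512-byte trainer (bit 2 of byte 6) + PRG-ROM (16 KiB units, byte 4)
    + CHR-ROM (8 KiB units, byte 5)."""
    prg = header[4] * 16 * 1024
    chr_rom = header[5] * 8 * 1024
    trainer = 512 if header[6] & 0x04 else 0
    return 16 + trainer + prg + chr_rom


def find_roms(dump: bytes) -> list:
    """Return (offset, size) for every complete iNES image in the dump."""
    found = []
    pos = dump.find(INES_MAGIC)
    while pos != -1:
        header = dump[pos:pos + 16]
        size = ines_size(header) if len(header) == 16 else None
        if size is not None and pos + size <= len(dump):
            found.append((pos, size))
            pos = dump.find(INES_MAGIC, pos + size)  # skip over this image
        else:
            pos = dump.find(INES_MAGIC, pos + 1)
    return found


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_dump(dump: bytes, golden_sha256: str) -> dict:
    """Hash every ROM copy found in the dump, compare each against the
    golden hash, and report whether the copies agree with each other."""
    roms = find_roms(dump)
    hashes = [sha256(dump[off:off + size]) for off, size in roms]
    return {
        "dump_sha256": sha256(dump),
        "copies": len(roms),
        "offsets": [off for off, _ in roms],
        "matches_golden": [h == golden_sha256 for h in hashes],
        "copies_identical": len(set(hashes)) <= 1,
    }


# Constructed sample data (not a real cabinet image).

def make_test_rom(fill: int) -> bytes:
    """Minimal iNES image: 16 KiB PRG + 8 KiB CHR, no trainer."""
    header = INES_MAGIC + bytes([1, 1, 0, 0]) + bytes(8)
    return header + bytes([fill]) * (16 * 1024 + 8 * 1024)


def build_sample_flash() -> bytes:
    """2 MiB image (a 25Q16 holds 16 Mbit) with the same ROM stored twice,
    as the post reports for the cabinet, and 0xFF (erased) elsewhere."""
    rom = make_test_rom(0xA5)
    image = bytearray(b"\xff" * (2 * 1024 * 1024))
    image[0x010000:0x010000 + len(rom)] = rom
    image[0x100000:0x100000 + len(rom)] = rom
    return bytes(image)


if __name__ == "__main__":
    golden = sha256(make_test_rom(0xA5))
    print(verify_dump(build_sample_flash(), golden))
```

Run against a real dump, `verify_dump(open("dump.bin", "rb").read(), golden)` answers the two questions the post answers by eye: does each copy match the reference, and do the primary and backup copies still agree. A single flipped byte in the backup copy shows up as `matches_golden == [True, False]` and `copies_identical == False`.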
# Analysis Summary
# Tool/Technique: SPI Flash Extraction
## Overview
SPI Flash Extraction is a hardware reverse engineering technique used to retrieve non-volatile memory (firmware, ROMs, or configuration data) from an embedded system. It involves interfacing directly with an EEPROM chip—in this case, via the Serial Peripheral Interface (SPI) protocol—to "dump" its contents for offline analysis.
## Technical Details
- **Type:** Hardware Reverse Engineering Technique / Data Extraction
- **Platform:** Embedded Systems, IoT Devices, Arcade Cabinets (specifically Winbond 25Q16VNIQ SPI Flash)
- **Capabilities:** Direct memory reading, firmware extraction, and potentially reflashing/modification of stored data.
- **First Seen:** Post dated May 26, 2019.
## MITRE ATT&CK Mapping
- **[TA0009 - Collection]**
- **[T1602 - Data from Configuration Repository]** (Retrieving system data from specialized hardware storage)
- **[TA0007 - Discovery]**
- **[T1614 - System Location Discovery]** (Identifying chipsets and hardware specifications)
- **[TA0003 - Persistence]** (Note: Technique application)
- **[T1495 - Firmware Corruption]** (As a precursor to modifying/uploading malicious firmware)
## Functionality
### Core Capabilities
- **Direct Chip Interfacing:** Using a SOIC-8 clip to connect to the chip pins without desoldering.
- **Protocol Communication:** Mimicking the SPI handshake (CS, CLK, MOSI, MISO) to issue "Read" commands.
- **Memory Dumping:** Transferring the entire bin/blob of memory from the physical chip to a host computer.
### Advanced Features
- **FlashROM Integration:** Compatibility with the open-source `flashrom` utility, which supports hundreds of chip types and various programmers.
- **Hardware Bus Interfacing:** Using specialized intermediate hardware (Bus Pirate) to bridge the gap between PC USB and raw electronic signals.
## Indicators of Compromise
*Note: As this is a hardware analysis technique, physical access is required. Indicators are behavioral or physical rather than network-based.*
- **Physical Indicators:** Scratches on chip pins, presence of a SOIC-8 clip or "test clips," or solder flux on PCB pads.
- **Behavioral Indicators:** Unexpected system reboots or modified splash screens/logic (if the chip was reflashed).
- **File Names:** `dump.bin`, `rom_backup.bin`, `firmware.blob`.
## Associated Threat Actors
- **Hardware Hackers/Researchers**
- **Counterfeiters/IP Pirates**
- **State-sponsored actors** (for supply chain attacks or "implanting" malicious firmware)
## Detection Methods
- **Physical Inspection:** Regularly checking hardware for unauthorized modifications or clip marks on IC pins.
- **Checksum Verification:** Comparing the chip's current MD5/SHA256 hash against a known "Golden Image" or factory-provided hash.
- **Logic Analysis:** Monitoring the SPI bus for unexpected "Read" commands during non-standard operational times.
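The "Logic Analysis" detection above and the "Protocol Communication" capability under Core Capabilities both come down to the same thing: what a read command looks like on the SPI bus. The script below is an added example (not code from the post or from any tool it mentions) that decodes a logic-analyzer capture of the bus and flags commands a fielded device should not see: any write or erase, and any READ, FAST READ or RDID (chip identification) after the boot window has closed. The capture format (one CS-low window per line as `<time_ms>,<MOSI bytes>`), the 500 ms boot window and the sample transactions are assumptions constructed for the example; the opcodes are the standard 25Qxx-series ones.

```python
"""Flag unexpected SPI flash commands in a bus capture (added example).

Assumptions not taken from the original post: a logic analyzer has already
decoded the bus into one transaction per line, "<time_ms>,<MOSI bytes hex>",
covering a single chip-select-low window; the opcodes are the standard
ones used by 25Qxx-series SPI NOR flash parts.
"""
OPCODES = {
    0x03: "READ", 0x0B: "FAST_READ", 0x9F: "RDID", 0x05: "RDSR",
    0x06: "WREN", 0x02: "PAGE_PROGRAM", 0x20: "SECTOR_ERASE", 0xC7: "CHIP_ERASE",
}
ADDRESSED = {"READ", "FAST_READ", "PAGE_PROGRAM", "SECTOR_ERASE"}
WRITE_OPS = {"WREN", "PAGE_PROGRAM", "SECTOR_ERASE", "CHIP_ERASE"}


def decode(line: str) -> dict:
    """Split one CS-low window into opcode, 24-bit address and payload length."""
    t_ms, hexbytes = line.split(",", 1)
    data = bytes.fromhex(hexbytes.strip())
    op = OPCODES.get(data[0], "UNKNOWN_0x%02X" % data[0])
    addr, nbytes = None, 0
    if op in ADDRESSED and len(data) >= 4:
        addr = int.from_bytes(data[1:4], "big")   # address is sent MSB first
        dummy = 1 if op == "FAST_READ" else 0     # FAST_READ clocks a dummy byte
        nbytes = max(0, len(data) - 4 - dummy)    # bytes clocked after the header
    return {"t_ms": float(t_ms), "op": op, "addr": addr, "nbytes": nbytes}


def audit(lines, boot_window_ms: float = 500.0) -> list:
    """Return (t_ms, op, addr, nbytes, reason) for each suspicious transaction.
    Policy (an assumption for this device): the host only reads flash while
    booting, and never programs or erases it in the field."""
    flagged = []
    for line in lines:
        tx = decode(line)
        reason = None
        if tx["op"] in WRITE_OPS:
            reason = "write/erase command on bus"
        elif tx["op"] in ("READ", "FAST_READ", "RDID") and tx["t_ms"] > boot_window_ms:
            reason = "flash access outside boot window"
        if reason:
            flagged.append((tx["t_ms"], tx["op"], tx["addr"], tx["nbytes"], reason))
    return flagged


# Constructed capture: normal boot-time reads, then activity that looks like
# an external programmer identifying the chip and reading/erasing it.
SAMPLE_CAPTURE = [
    "5.0,03 00 00 00 " + "00 " * 16,        # READ 16 bytes at 0x000000 during boot
    "40.0,0B 01 00 00 00 " + "00 " * 8,     # FAST_READ 8 bytes at 0x010000 during boot
    "9000.0,9F 00 00 00",                    # RDID long after boot
    "9001.0,03 00 00 00 " + "00 " * 256,    # READ 256 bytes at 0x000000 after boot
    "9500.0,06",                             # WREN
    "9501.0,20 01 00 00",                    # SECTOR_ERASE at 0x010000
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_CAPTURE):
        print(entry)
```

On the constructed capture the two boot-time reads pass and the remaining four transactions are flagged. The boot window is the part to tune per device: a cabinet's emulator SoC may legitimately page ROM data in during play, in which case the rule should key on unexpected opcodes (RDID, WREN, erase) and on reads that sweep the whole address range rather than on time alone.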
## Mitigation Strategies
- **Hardware Hardening:** Encasing the PCB in epoxy resin (though "glob-tops" can still be bypassed, it increases difficulty).
- **Firmware Encryption:** Storing encrypted data on the SPI flash so that a raw dump is not immediately human-readable.
- **Secure Boot:** Implementing hardware-based verification that prevents the CPU from executing tampered or modified code found on the SPI flash.
## Related Tools/Techniques
- **Bus Pirate:** A "Swiss Army knife" for hardware protocols (SPI, I2C, UART).
- **Flashrom:** An open-source tool for identifying, reading, writing, and verifying flash chips.
- **SOIC-8 Clip:** A specialized physical clamp used to interface with Small Outline Integrated Circuit chips without soldering.
- **Arduino:** Can be used as a makeshift SPI programmer with custom firmware.