
ROM + Bootloader Dump

PostPosted: Mon Sep 29, 2014 5:51 am
by 0ff
Hey there,

I couldn't find it in any other dump, but lately I was successful in dumping the boot loader and ROM from the esp8266.
This is basically what's mapped to 0x4000000-0x4010000 in the ram upon execution.

Also attached is a bin that can be loaded into the RAM and executed from there; it will just dump the fw. You have to press any key for it to start dumping.
It can also be flashed, but well, you don't need to :)
Note: for flashing to work you need to patch esptool.py, because there's a bug in it with very small images.
Change "blocks = math.ceil(len(image)/esp.ESP_FLASH_BLOCK)" to "blocks = math.ceil(len(image)/(esp.ESP_FLASH_BLOCK*1.0))" in write_flash.
Running from RAM works out of the box.

I didn't include any library from espressif for this (thus the name "barely" and the small size), so there is no watchdog setup or anything.
I did try to write into the boot loader memory (0x4000fa28, where the strings are stored) but the CPU wouldn't let me (no exception, just no change at all).

Maybe someone can disassemble the ROM functions and see if there's anything interesting?

Regards,
0ff
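The esptool.py bug the post describes is a Python 2 integer-division problem: `len(image)/esp.ESP_FLASH_BLOCK` truncates to 0 for any image shorter than one flash block before `math.ceil()` ever runs, so a tiny RAM-sized dumper image is written as zero blocks. The following is an added example, not the poster's dumper and not esptool's code, that models both the buggy and the patched block-count expression, splits an image into flash blocks the way a writer would (padding the tail with 0xFF), and reports the mismatch. The block size of 0x400 bytes is assumed to match esptool's `ESP_FLASH_BLOCK` of the time; the sample images are constructed here.

```python
import math

# Assumed flash block size (esptool's ESP_FLASH_BLOCK at the time was 0x400); not taken from the post.
ESP_FLASH_BLOCK = 0x400


def block_count_buggy(image_len: int, block: int = ESP_FLASH_BLOCK) -> int:
    """Model the original expression math.ceil(len(image)/esp.ESP_FLASH_BLOCK) under Python 2.

    In Python 2, '/' on two ints truncates before ceil() runs, so an image shorter than
    one block yields 0 blocks. Python 3's '/' is true division, so '//' is used here
    to reproduce the Python 2 behaviour deliberately.
    """
    return int(math.ceil(image_len // block))


def block_count_fixed(image_len: int, block: int = ESP_FLASH_BLOCK) -> int:
    """Model the patched expression math.ceil(len(image)/(esp.ESP_FLASH_BLOCK*1.0)).

    Multiplying by 1.0 forces float division, so ceil() sees the fractional part.
    """
    return int(math.ceil(image_len / (block * 1.0)))


def split_into_blocks(image: bytes, block: int = ESP_FLASH_BLOCK) -> list:
    """Split an image into block-sized chunks, padding the last one with 0xFF (erased flash).

    The number of chunks is what a correct writer must send; compare it against the
    two count expressions above to see which one matches.
    """
    blocks = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        if len(chunk) < block:
            chunk += b"\xff" * (block - len(chunk))
        blocks.append(chunk)
    return blocks


def dump_summary(image: bytes, block: int = ESP_FLASH_BLOCK) -> dict:
    """Report how many blocks each expression would write versus how many the image needs."""
    blocks = split_into_blocks(image, block)
    return {
        "length": len(image),
        "buggy_blocks": block_count_buggy(len(image), block),
        "fixed_blocks": block_count_fixed(len(image), block),
        "actual_blocks": len(blocks),
        "padding": len(blocks) * block - len(image),
    }


if __name__ == "__main__":
    # Constructed sample: a tiny RAM-loadable image, well under one flash block.
    tiny = bytes(range(256)) * 2  # 512 bytes
    print(dump_summary(tiny))
    # Constructed sample: a 64 KiB region, the size of the ROM range the post describes.
    rom_sized = b"\x00" * 0x10000
    print(dump_summary(rom_sized))
```

For the 512-byte image the buggy expression reports 0 blocks while the image needs 1 (with 512 bytes of 0xFF padding); for the 64 KiB image both expressions agree on 64, which is why the bug only shows up with very small images such as the dumper.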

Re: ROM + Bootloader Dump

PostPosted: Mon Sep 29, 2014 1:38 pm
by wififofum
So you were able to erase the internal "ROM" area?

Re: ROM + Bootloader Dump

PostPosted: Mon Sep 29, 2014 1:43 pm
by 0ff
No, not at all. I was unable to write into the area, it's read-only.
I just don't know yet whether that's by software (I am quite sure) or if it's actually hardwired ROM (though it doesn't look likely).
You can basically tell the processor to deny write requests to certain areas in the memory; what is suspicious to me is that I'm not running into an exception.

Re: ROM + Bootloader Dump

PostPosted: Mon Sep 29, 2014 3:58 pm
by wififofum
Oh OK I saw "you can also flash it" but misunderstood as applying to the ROM area instead of your dumper.