
By 0ff
#1009 Hey there,

I couldn't find it in any other dump, but lately I was successful in dumping the boot loader and ROM from the ESP8266.
This is basically what's mapped to 0x4000000-0x4010000 in RAM upon execution.

Also attached is a bin that can be loaded into the RAM and executed from there, it will just dump the fw. You have to press any key for it to start dumping.
It can also be flashed, but well you don't need to :)
Note: for flashing to work you need to patch esptool.py, because there's a bug in it with very small images.
Change "blocks = math.ceil(len(image)/esp.ESP_FLASH_BLOCK)" to "blocks = math.ceil(len(image)/(esp.ESP_FLASH_BLOCK*1.0))" in write_flash.
Running from RAM works out of the box.

I didn't include any library from espressif for this (thus the name "barely" and the small size), so there is no watchdog setup or anything.
I did try to write into the boot loader memory (0x4000fa28, where the strings are stored) but the CPU wouldn't let me (no exception, just no change at all).

Maybe someone can disassemble the ROM functions and see, if there's anything interesting?

Regards,
0ff
By 0ff
#1028 No, not at all. I was unable to write into the area, it's read-only.
I just don't know yet whether that's by software (I am quite sure) or if it's actually hardwired ROM (though it doesn't look likely).
You can basically tell the processor to deny write requests to certain areas in the memory; what is suspicious to me is that I'm not running into an exception.
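The write-then-read-back check both posts describe (store a value to an address, see whether anything changed, note that no exception fires) as an added example; this is not code from the thread or from the attached dumper. Word access is abstracted behind read/write callbacks so the same probe can run on the chip through raw pointers, or on a host against a constructed memory map in which writes to a "ROM" window are silently dropped, which is the behaviour 0ff reports. The RAM base 0x3FFE8000 and ROM base 0x40000000 used for the simulated map are assumed labels (the ESP8266's data-RAM and boot-ROM bases), not addresses taken from the posts, and the sample contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Abstract 32-bit word access so the same probe runs against real
 * addresses on the target or against a simulated memory map on a host. */
typedef struct {
    uint32_t (*read32)(void *ctx, uintptr_t addr);
    void     (*write32)(void *ctx, uintptr_t addr, uint32_t val);
    void     *ctx;
} mem_ops_t;

/* Write the bitwise complement of the current word, read it back, then
 * restore the original. Returns 1 if the stored value changed (writable)
 * and 0 if the write was silently dropped. If the target faults on the
 * write instead, the exception handler reports that, not this function. */
int probe_word(const mem_ops_t *m, uintptr_t addr) {
    uint32_t orig = m->read32(m->ctx, addr);
    uint32_t test = ~orig;
    m->write32(m->ctx, addr, test);
    uint32_t got = m->read32(m->ctx, addr);
    if (got != test)
        return 0;
    m->write32(m->ctx, addr, orig);      /* leave memory as we found it */
    return 1;
}

/* Count writable words in [base, base+len), sampling one word every
 * `stride` bytes; useful for mapping where a read-only window ends. */
size_t count_writable(const mem_ops_t *m, uintptr_t base, size_t len, size_t stride) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; off += stride)
        n += (size_t)probe_word(m, base + off);
    return n;
}

/* --- Target backend: dereference the address directly (for an on-chip build). --- */
static uint32_t raw_read32(void *ctx, uintptr_t addr) { (void)ctx; return *(volatile uint32_t *)addr; }
static void raw_write32(void *ctx, uintptr_t addr, uint32_t v) { (void)ctx; *(volatile uint32_t *)addr = v; }
const mem_ops_t raw_mem = { raw_read32, raw_write32, NULL };

/* --- Host backend: a constructed map with a RAM window and a ROM window
 * whose writes are dropped without any error, mimicking the observed behaviour. --- */
#define SIM_WORDS 16
typedef struct {
    uintptr_t ram_base, rom_base;        /* assumed bases: ESP8266 data RAM / boot ROM */
    uint32_t  ram[SIM_WORDS], rom[SIM_WORDS];
} sim_mem_t;

static uint32_t *sim_slot(sim_mem_t *s, uintptr_t addr, int *is_rom) {
    if (addr >= s->ram_base && addr < s->ram_base + SIM_WORDS * 4) { *is_rom = 0; return &s->ram[(addr - s->ram_base) / 4]; }
    if (addr >= s->rom_base && addr < s->rom_base + SIM_WORDS * 4) { *is_rom = 1; return &s->rom[(addr - s->rom_base) / 4]; }
    return NULL;
}
static uint32_t sim_read32(void *ctx, uintptr_t addr) {
    int is_rom; uint32_t *p = sim_slot(ctx, addr, &is_rom);
    return p ? *p : 0xFFFFFFFFu;         /* unmapped reads back like erased flash */
}
static void sim_write32(void *ctx, uintptr_t addr, uint32_t v) {
    int is_rom; uint32_t *p = sim_slot(ctx, addr, &is_rom);
    if (p && !is_rom) *p = v;            /* ROM writes are silently ignored */
}

static sim_mem_t g_sim;
static mem_ops_t g_sim_ops;

/* Build the constructed map with recognisable sample contents and return its ops. */
const mem_ops_t *sim_default(void) {
    g_sim.ram_base = 0x3FFE8000u;
    g_sim.rom_base = 0x40000000u;
    for (int i = 0; i < SIM_WORDS; i++) {
        g_sim.ram[i] = 0x11111111u * (uint32_t)(i + 1);
        g_sim.rom[i] = 0xA5A5A500u + (uint32_t)i;
    }
    g_sim_ops.read32 = sim_read32; g_sim_ops.write32 = sim_write32; g_sim_ops.ctx = &g_sim;
    return &g_sim_ops;
}

/* Read a word of the simulated map without probing (to check restoration). */
uint32_t sim_peek(uintptr_t addr) { return sim_read32(&g_sim, addr); }

int main(void) {
    const mem_ops_t *m = sim_default();
    printf("ROM 0x%08lx writable: %d\n", (unsigned long)g_sim.rom_base, probe_word(m, g_sim.rom_base));
    printf("RAM 0x%08lx writable: %d\n", (unsigned long)g_sim.ram_base, probe_word(m, g_sim.ram_base));
    printf("writable words in ROM window: %zu of %d\n", count_writable(m, g_sim.rom_base, SIM_WORDS * 4, 4), SIM_WORDS);
    return 0;
}
```

On the chip you would pass `&raw_mem` instead of the simulated ops and call `count_writable` over the suspected region with a stride of a few KiB to find the boundary; a probe that returns 0 everywhere with no exception is exactly the silent-drop case, while a region that faults stops the scan at the handler, which is the difference 0ff is trying to tell apart.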