top of page

Boot and Loot: Dumping Firmware via U-Boot

  • Writer: Victor Hanna
    Victor Hanna
  • 1 day ago
  • 3 min read

Updated: 8 minutes ago

Harvest Firmware Before Linux Even Wakes Up
Penetration Testing Sydney

What is U-Boot?


U-Boot (short for Universal Bootloader) is an open-source bootloader commonly used in embedded Linux systems. It's responsible for initializing hardware and booting the OS. U-Boot often includes powerful commands for memory inspection, file transfer, and flashing firmware—making it a goldmine for hackers when exposed.

If you hit U-Boot early enough, you can dump the entire firmware before the OS even knows you're there.

Why Hackers Love U-Boot Access


  • Pre-kernel control: No userspace, no login prompts, no defenses.

  • Direct memory access: Read flash memory, RAM, and bootloader code.

  • No exploits needed: Just serial access and timing.


Tools You’ll Need


  • A USB-to-serial adapter (e.g., CH340, FTDI CP2102)

  • Terminal emulator: minicom, screen, or picocom

  • A target device with exposed UART pins

  • Patience and a steady hand during boot


Step 1: Connect to UART


  1. Locate TX, RX, GND pins on the target board.

  2. Connect:


    • TX → RX

    • RX → TX

    • GND → GND


  • Penetration Testing Sydney
    FTDI connection to target

  1. Open terminal:


  • Use a terminal like minicom

  • Try common baud rates: 115200, 57600, 38400, etc.


Penetration Testing Sydney
Execute minicom utility

Step 2: Interrupt Boot and Enter U-Boot


As the device powers on:

  • Watch the terminal closely.

  • Capitalise on your moment went it arises. There will be a clear indication for your chance to pounce, simply follow the prompt where it directs you


Penetration Testing Sydney

Step 3: Identify Flash Memory Location


Once you have been afforded a u-boot prompt we can commence recon and determine the memory location of the much sort after loot.



Penetration Testing Sydney
The address (0xbc050000) likely points to the start of your firmware image.

Using printenv, which will help you determine the bootcmd parameter, which ultimately points to the bootm command which takes the memory address of the image as its first argument, allowing it to find and load the operating system.


Step 4: Deteriming the size of the flash device


Thankfully for us being eagled eye afforded a valuable piece of information during the boot process and just prior to the u-boot escape sequence, namely the flash chip used to store the firmware image.



Penetration Testing Sydney
W25Q128BV chip identified

NOTE: You can also infer the sizing of the flash chip within the product id, W25Q128BV (128Mbit = 16MB)


This can also be verified by the datasheet:



Penetration Testing Sydney
Datasheet Excerpt

Step 5: Loading and Dumping the firmware from RAM


What we know:


Chip: W25Q128BV
Flash size: 16MB = 0x01000000
Firmware start (from bootcmd): 0xBC050000

We want to dump the firmware starting at 0xBC050000 to the end of the flash, which ends at:


Flash end = 0xBC000000 + 0x01000000 = 0xBD000000

So the dump size is:


0xBD000000 - 0xBC050000 = 0x00FB0000 (15.6875 MB)

  1. Copy the firmware to RAM (at a safe buffer like 0x81000000):

    At this stage we have a few options (if available via the bootloader)

cp.b 0xBC050000 0x81000000 0x00FB0000

or alternatively


cp2ram 0xBC050000 0x81000000 0x00FB0000

We can now use minicom's logging feature to capture output over UART and redirect to a file on our host device


  1. Start the Logging Feature:
CTRL + A, L and choose a output filename e.g. firmware_dump_over_uboot.log

Penetration Testing Sydney

On the target, run the md.b command:


md.b 0xbc050000 0x1000000

(Waiting patiently for the dump to end)


  1. On the host, we now cleanup and rebuild the binary:



Penetration Testing Sydney
Dump and Convert

  1. Analyze Firmware using binwalk

    Penetration Testing Sydney
    Dump Exposes SQUASHFS filesystem

Final Thought


Embedded devices guard secrets behind soldered shields and locked-down bootloaders, the humble UART—paired with the raw power of U-Boot—becomes your covert channel.


Mastering firmware dumping over serial isn’t just a hack; it’s a critical skill that bridges hardware and software, giving you insight into how the device truly operates.


Whether you're a pentester mapping out attack surfaces, a reverse engineer uncovering vulnerabilities, or a digital archaeologist chasing zero-days buried in silicon—this method gives you access where there was none. It’s slow, it’s gritty, but it’s the kind of edge that turns curiosity into control.

תגובות


אי אפשר יותר להגיב על הפוסט הזה. לפרטים נוספים יש לפנות לבעל/ת האתר.
bottom of page