Welcome, I'm new to the subject so I'm very much asking for your understanding and help. I need to rip firmware from an IoT device that uses the ESP32-WROOM-32D module. I am very much asking for advice on how to bite this. I've taken the device apart and verified that I can plug into the pinouts...

. It should. The ripping itself can be done with the esptool program: Link . Installing esptool on windows: Link

Baud rate will largely depend on the USB converter used - it is safe to rip at 512 kbps. RX/TX of the converter should work in 3V3 logic. GPIO 0 should be shorted to ground just before ripping. EN should be connected to 3V3 power supply (probably already there - need to check, can be shorted via resistor). .

. Exactly, yes. . I don't use windows, but there I think there is such a thing as Device Manager and you can preview the COM no. when the USB converter is connected?

Ok, thank you. Is there anything I should watch out for when linking? What baud rates does this module operate on? Or how can this be easily calculated? Best regards

Extra, thanks! One more question - could you please advise how to find which addressing to use in the read_flash command to read the firmware? Would it be read_flash 0 0x400000 for 4MB flash or should I limit the range somehow? Additionally, how do I check the COM port? Best regards

Thank you!!! And one more question regarding the earlier connection diagram. What if I would like to have the power source from the wall and not from the UART dongle? Do I still need to connect the EN somewhere? Additionally, I came across a tutorial that talks about pressing a button on the dev board to enter programming mode. Do I need to override this somehow without having a programming board? Is connecting IO0 enough to boot into programming mode? Thank you very much for your help and understanding!

. Do not simply connect the 3V3 from the converter to the circuit. The grounds must remain connected. . Yes, the EN must be connected to 3V3, but it is possible that this is already done in the device. . If GPIO 0 is connected to ground while the ESP32 is booting, the chip will enter programming mode and it will be possible to write or read firmware from the ESP32.

Super! Thank you again! One last (I hope) question: I connected to the device and found out from the esptool flash_id that the flash is 16MB. I used esptool first as a test to read the first 2MB from read_flash and everything worked nicely. Now I have tried to read the whole 16MG but it crashes at 72% and goes no further. Could this be because the range that can be read is smaller than 16MB? What is the best way to check the correct addressing to read_flash?

Interesting, ESP32s with 16MB flash are relatively rare. I have to ask, what kind of IoT device is this? The esptool should handle this size of flash as well. What I can suggest are two options: 1. an additional parameter -fs 16MB when calling esptool or 2. read the firmware in chunks of 2MB or 4MB each and write to separate BIN files - for the individual chunks you need to specify the respective start and start addresses, e.g. 0 0x400000, 0x400001 0x800000, etc. Later, you will also be able to write each part in a similar way from the corresponding start address to another ESP32. At what speed was the 2MB read operation performed?

With speed do you mean baud rate? I set 115200 - checking the port screen this baud rate gave me reasonable output, others I tried gave garbage. Is this a reasonable baud rate for read_flash? Maybe use some other one better? Additionally, as I mentioned - it crashed at 72%, and 72% of 1600000 is 1152000 which is a total of ten times the baud rate set. Is this somehow related to each other? As for the device - it's a hub that connects other iot devices so maybe that's why the larger (custom) flash?

. This is OK. . I don't think so . Try reading the flash in parts as I wrote in a previous post. By the way, what was the form of the whole command from esptool when you tried to read the whole 16MB?

sudo esptool -p /dev/ttyUSB0 -b 115200 read_flash 0 0x1600000 flash.bin - did I mess something up here? I am now trying to read in chunks. What is the best way to then combine them for analysis in Ghidra? Warm regards

. Should be:Code: BashLog in, to see the code Knowledge of the hexadecimal system applies .

Ripping firmware from the ESP32-WROOM-32D IoT module: tools and methods

gigiraffa 3801 15

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

Reply | New topic

#1 19257500 15 Feb 2021 10:22

gigiraffa gigiraffa

Level 4

» | Topic author

Post #1
19257500 15 Feb 2021 10:22

Welcome,

I'm new to the subject so I'm very much asking for your understanding and help.

I need to rip firmware from an IoT device that uses the ESP32-WROOM-32D module. I am very much asking for advice on how to bite this. I've taken the device apart and verified that I can plug into the pinouts: (2) 3V3, (34) RXD0, (35) TXD0, (3) EN, (25) IO0, (38) GND.

What is the best tool to use? Will a simple UART converter do the job?

Warm regards
ADVERTISEMENT
Helpful post

#2 19257510 15 Feb 2021 10:29

Anonymous Anonymous

Level 1

» |

Helpful post
Post #2
19257510 15 Feb 2021 10:29

gigiraffa wrote:
Will a regular UART converter do the job?
.
It should.

The "ripping" itself can be done with the esptool program: Link .

Installing esptool on windows: Link
ADVERTISEMENT
#3 19257628 15 Feb 2021 11:21

gigiraffa gigiraffa

Level 4

» | Topic author Helpful post? (0)

Post #3
19257628 15 Feb 2021 11:21

Ok, thank you.

Is there anything I should watch out for when linking?

What baud rates does this module operate on? Or how can this be easily calculated?

Best regards
Helpful post

#4 19257659 15 Feb 2021 11:34

Anonymous Anonymous

Level 1

» |

Helpful post
Post #4
19257659 15 Feb 2021 11:34

Baud rate will largely depend on the USB converter used - it is safe to rip at 512 kbps. RX/TX of the converter should work in 3V3 logic.
GPIO 0 should be shorted to ground just before ripping.
EN should be connected to 3V3 power supply (probably already there - need to check, can be shorted via resistor).

.
#5 19258377 15 Feb 2021 16:26

gigiraffa gigiraffa

Level 4

» | Topic author Helpful post? (0)

Post #5
19258377 15 Feb 2021 16:26

Extra, thanks!

One more question - could you please advise how to find which addressing to use in the read_flash command to read the firmware? Would it be read_flash 0 0x400000 for 4MB flash or should I limit the range somehow? Additionally, how do I check the COM port?

Best regards
Helpful post

#6 19258465 15 Feb 2021 16:59

Anonymous Anonymous

Level 1

» |

Helpful post
Post #6
19258465 15 Feb 2021 16:59

gigiraffa wrote:
Will it be read_flash 0 0x400000 for 4MB flash
.
Exactly, yes.

gigiraffa wrote:
Additionally, how to check COM port?
.
I don't use windows, but there I think there is such a thing as "Device Manager" and you can preview the COM no. when the USB converter is connected?
ADVERTISEMENT
#7 19259964 16 Feb 2021 09:57

gigiraffa gigiraffa

Level 4

» | Topic author Helpful post? (0)

Post #7
19259964 16 Feb 2021 09:57

Thank you!!!

And one more question regarding the earlier connection diagram. What if I would like to have the power source from the wall and not from the UART dongle? Do I still need to connect the EN somewhere?

Additionally, I came across a tutorial that talks about pressing a button on the dev board to enter programming mode. Do I need to override this somehow without having a programming board? Is connecting IO0 enough to boot into programming mode?

Thank you very much for your help and understanding!
#8 19260159 16 Feb 2021 11:15

Anonymous Anonymous

Level 1

» |

Post #8
19260159 16 Feb 2021 11:15

gigiraffa wrote:
What if I would like to have the power source from the wall and not from the UART dongle?
.
Do not simply connect the 3V3 from the converter to the circuit. The grounds must remain connected.

gigiraffa wrote:
Do I still need to connect the EN somewhere??
.
Yes, the EN must be connected to 3V3, but it is possible that this is already done in the device.

gigiraffa wrote:
Do I need to replace this somehow by not having a programming board? Is connecting IO0 enough to boot this programming mode?
.
If GPIO 0 is connected to ground while the ESP32 is booting, the chip will enter programming mode and it will be possible to write or read firmware from the ESP32.
#9 19260851 16 Feb 2021 16:22

gigiraffa gigiraffa

Level 4

» | Topic author Helpful post? (0)

Post #9
19260851 16 Feb 2021 16:22

Super! Thank you again!

One last (I hope) question: I connected to the device and found out from the esptool flash_id that the flash is 16MB. I used esptool first as a test to read the first 2MB from read_flash and everything worked nicely. Now I have tried to read the whole 16MG but it crashes at 72% and goes no further. Could this be because the range that can be read is smaller than 16MB? What is the best way to check the correct addressing to read_flash?
#10 19261208 16 Feb 2021 18:38

Anonymous Anonymous

Level 1

» |

Post #10
19261208 16 Feb 2021 18:38

Interesting, ESP32s with 16MB flash are relatively rare. I have to ask, what kind of IoT device is this?

The esptool should handle this size of flash as well. What I can suggest are two options:
1. an additional parameter -fs 16MB when calling esptool or
2. read the firmware in chunks of 2MB or 4MB each and write to separate BIN files - for the individual chunks you need to specify the respective start and start addresses, e.g. 0 0x400000, 0x400001 0x800000, etc. Later, you will also be able to write each part in a similar way from the corresponding start address to another ESP32.

At what speed was the 2MB read operation performed?
#11 19261716 16 Feb 2021 21:34

gigiraffa gigiraffa

Level 4

» | Topic author Helpful post? (0)

Post #11
19261716 16 Feb 2021 21:34

With speed do you mean baud rate? I set 115200 - checking the port screen this baud rate gave me reasonable output, others I tried gave garbage. Is this a reasonable baud rate for read_flash? Maybe use some other one better?

Additionally, as I mentioned - it crashed at 72%, and 72% of 1600000 is 1152000 which is a total of ten times the baud rate set. Is this somehow related to each other?

As for the device - it's a hub that connects other iot devices so maybe that's why the larger (custom) flash?
#12 19261974 16 Feb 2021 23:09

Anonymous Anonymous

Level 1

» |

Post #12
19261974 16 Feb 2021 23:09

gigiraffa wrote:
With speed do you mean baud rate? I have set 115200
.
This is OK.

gigiraffa wrote:
Additionally, as I mentioned - it crashed at 72%, and 72% of 1600000 is 1152000 which is a total of ten times the baud rate set. Is this somehow related to each other?
.
I don't think so .

Try reading the flash in parts as I wrote in a previous post. By the way, what was the form of the whole command from esptool when you tried to read the whole 16MB?
ADVERTISEMENT
#13 19262752 17 Feb 2021 12:31

gigiraffa gigiraffa

Level 4

» | Topic author Helpful post? (0)

Post #13
19262752 17 Feb 2021 12:31

sudo esptool -p /dev/ttyUSB0 -b 115200 read_flash 0 0x1600000 flash.bin - did I mess something up here?

I am now trying to read in chunks. What is the best way to then combine them for analysis in Ghidra?

Warm regards
#14 19262758 17 Feb 2021 12:34

Anonymous Anonymous

Level 1

» |

Post #14
19262758 17 Feb 2021 12:34

gigiraffa wrote:
sudo esptool -p /dev/ttyUSB0 -b 115200 read_flash 0 0x1600000 flash.bin - did I break something here?
.
Should be:
Code: Bash
Log in, to see the code

Knowledge of the hexadecimal system applies .
#15 19262840 17 Feb 2021 13:12

gigiraffa gigiraffa

Level 4

» | Topic author Helpful post? (0)

Post #15
19262840 17 Feb 2021 13:12

yes yes, I just grasped that too! but I think it was 6 zeros and not 5 as you stated?

Added after 55 [seconds]: .

Speaking of merging, a simple merge will be ok?
#16 19262861 17 Feb 2021 13:48

Anonymous Anonymous

Level 1

» |

Post #16
19262861 17 Feb 2021 13:48

Yes, it is supposed to be 6 zeros. I have corrected the previous post.

gigiraffa wrote:
As far as merging is concerned a simple merge will be ok?
.
Yes, it won't work because of the checksums.
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply | New topic

Report a violation of the law

Topic summary

The discussion revolves around extracting firmware from an IoT device utilizing the ESP32-WROOM-32D module. The primary tool recommended for this task is the esptool, which can be installed on various operating systems. Users are advised to connect the GPIO 0 to ground during boot to enter programming mode and ensure the EN pin is connected to a 3.3V power supply. The baud rate for communication can be set to 512 kbps or 115200, depending on the USB converter used. When reading firmware, it is suggested to read in chunks, especially for devices with larger flash memory, and to use the correct addressing format in the read_flash command. Issues with reading the entire flash memory at once can be mitigated by specifying the flash size and reading in smaller segments. Additionally, care must be taken to maintain a common ground between the device and the UART converter.
Summary generated by the language model.

Home page
/
Forum
/
Smart Home
/
Smart Home IoT
/
ESP8266 and ESP32
/
Ripping firmware from the ESP32-WROOM-32D IoT module: tools and methods

FAQ

TL;DR: Use esptool to dump ESP32‑WROOM‑32D; 16MB flash is supported with -fs 16MB, and "ESP32s with 16MB flash are relatively rare." If full reads stall, read 2–4MB chunks instead. [Elektroda, khoam, post #19261208]

Why it matters: This helps makers and repair techs back up, debug, or migrate ESP32‑WROOM‑32D firmware safely.

Quick Facts

- Bootloader entry: hold GPIO0 low during boot; then reads/writes are allowed. [Elektroda, khoam, post #19260159]
- Safe ripping speed: 512 kbps when supported; RX/TX must be 3.3V logic. [Elektroda, khoam, post #19257659]
- 4MB dump range: esptool read_flash 0 0x400000. [Elektroda, khoam, post #19258465]
- 16MB handling: add -fs 16MB or read in 2–4MB chunks. [Elektroda, khoam, post #19261208]
- On Windows, find the COM port in Device Manager. [Elektroda, khoam, post #19258465]

What’s the simplest way to dump firmware from an ESP32‑WROOM‑32D?

Use a USB‑UART adapter with esptool. Install esptool and run its read_flash command to pull the firmware image. [Elektroda, khoam, post #19257510]

How should I wire EN, IO0, RX/TX, and power to read flash safely?

Use 3.3V logic on RX/TX. Tie EN to 3V3. Pull GPIO0 to GND just before starting to enter the bootloader. You can safely read at 512 kbps if supported. [Elektroda, khoam, post #19257659]

How do I enter programming mode without a dev board?

Hold GPIO0 to GND during boot to enter programming mode. Then you can read or write firmware. “If GPIO 0 is connected to ground while the ESP32 is booting, the chip will enter programming mode.” [Elektroda, khoam, post #19260159]

Is 115200 a reasonable baud rate for esptool read_flash?

Yes. 115200 baud is acceptable for read_flash and general use. [Elektroda, khoam, post #19261974]

What’s the fastest safe baud rate to rip ESP32 flash?

It depends on your USB‑UART adapter. Reading at 512 kbps is considered safe when the adapter supports it. [Elektroda, khoam, post #19257659]

What read_flash range should I use for a 4MB module?

Use esptool read_flash 0 0x400000 to dump a 4MB flash. [Elektroda, khoam, post #19258465]

What’s the correct command to read a 16MB flash?

Use esptool read_flash 0 0x1000000. “Knowledge of the hexadecimal system applies.” This covers the full 16MB address space. [Elektroda, khoam, post #19262758]

Full 16MB dump stalls around 72%—how do I fix it?

Add -fs 16MB to your esptool command. If it still fails, read in 2MB or 4MB chunks, saving separate BINs. You can later write each chunk at its starting address. [Elektroda, khoam, post #19261208]

How do I read the ESP32 flash in chunks?

Choose 2MB or 4MB chunk sizes. Read 0 to 0x400000 first, then continue from the next start address for subsequent chunks. Save each chunk into its own file. [Elektroda, khoam, post #19261208]

Can I concatenate chunked BINs for Ghidra or flashing?

No. A simple merge will not work due to checksums, so concatenation can break integrity checks. [Elektroda, khoam, post #19262861]

How do I find the right COM port in Windows?

Open Device Manager. Plug in the USB‑UART adapter and note the newly listed COM port number. [Elektroda, khoam, post #19258465]

Can I power the device from the wall while using a USB‑UART adapter?

Yes, but do not connect the adapter’s 3V3 to the device’s 3V3. Keep grounds common. Ensure EN is held at 3V3. [Elektroda, khoam, post #19260159]

Are 16MB ESP32 flashes common?

They are less common. “ESP32s with 16MB flash are relatively rare.” [Elektroda, khoam, post #19261208]

Quick 3‑step: How do I back up ESP32 firmware safely?

Keep grounds connected; if externally powered, don’t tie the adapter’s 3V3; hold EN at 3V3.
Hold GPIO0 at GND and reset to boot into programming mode.
While in this mode, use your serial tool to read or write firmware. [Elektroda, khoam, post #19260159]

Ripping firmware from the ESP32-WROOM-32D IoT module: tools and methods

Didn't find an answer? Ask Artificial Intelligence

Topic summary