Ripping firmware from the ESP32-WROOM-32D IoT module: tools and methods

Question

Welcome,

I'm new to the subject so I'm very much asking for your understanding and help.

I need to rip firmware from an IoT device that uses the ESP32-WROOM-32D module. I am very much asking for advice on how to bite this. I've taken the device apart and verified that I can plug into the pinouts: (2) 3V3, (34) RXD0, (35) TXD0, (3) EN, (25) IO0, (38) GND.

What is the best tool to use? Will a simple UART converter do the job?

Warm regards

khoam · Accepted Answer

. It should. The ripping itself can be done with the esptool program: Link . Installing esptool on windows: Link

khoam · Accepted Answer

Baud rate will largely depend on the USB converter used - it is safe to rip at 512 kbps. RX/TX of the converter should work in 3V3 logic.
GPIO 0 should be shorted to ground just before ripping.
EN should be connected to 3V3 power supply (probably already there - need to check, can be shorted via resistor).

.

khoam · Accepted Answer

. Exactly, yes. . I don't use windows, but there I think there is such a thing as Device Manager and you can preview the COM no. when the USB converter is connected?

gigiraffa · Answer

Ok, thank you. Is there anything I should watch out for when linking? What baud rates does this module operate on? Or how can this be easily calculated? Best regards

gigiraffa · Answer

Extra, thanks!

One more question - could you please advise how to find which addressing to use in the read_flash command to read the firmware? Would it be read_flash 0 0x400000 for 4MB flash or should I limit the range somehow? Additionally, how do I check the COM port?

Best regards

gigiraffa · Answer

Thank you!!!

And one more question regarding the earlier connection diagram. What if I would like to have the power source from the wall and not from the UART dongle? Do I still need to connect the EN somewhere?

Additionally, I came across a tutorial that talks about pressing a button on the dev board to enter programming mode. Do I need to override this somehow without having a programming board? Is connecting IO0 enough to boot into programming mode?

Thank you very much for your help and understanding!

khoam · Answer

. Do not simply connect the 3V3 from the converter to the circuit. The grounds must remain connected. . Yes, the EN must be connected to 3V3, but it is possible that this is already done in the device. . If GPIO 0 is connected to ground while the ESP32 is booting, the chip will enter programming mode and it will be possible to write or read firmware from the ESP32.

gigiraffa · Answer

Super! Thank you again!

One last (I hope) question: I connected to the device and found out from the esptool flash_id that the flash is 16MB. I used esptool first as a test to read the first 2MB from read_flash and everything worked nicely. Now I have tried to read the whole 16MG but it crashes at 72% and goes no further. Could this be because the range that can be read is smaller than 16MB? What is the best way to check the correct addressing to read_flash?

khoam · Answer

Interesting, ESP32s with 16MB flash are relatively rare. I have to ask, what kind of IoT device is this?

The esptool should handle this size of flash as well. What I can suggest are two options:
1. an additional parameter -fs 16MB when calling esptool or
2. read the firmware in chunks of 2MB or 4MB each and write to separate BIN files - for the individual chunks you need to specify the respective start and start addresses, e.g. 0 0x400000, 0x400001 0x800000, etc. Later, you will also be able to write each part in a similar way from the corresponding start address to another ESP32.

At what speed was the 2MB read operation performed?

gigiraffa · Answer

With speed do you mean baud rate? I set 115200 - checking the port screen this baud rate gave me reasonable output, others I tried gave garbage. Is this a reasonable baud rate for read_flash? Maybe use some other one better?

Additionally, as I mentioned - it crashed at 72%, and 72% of 1600000 is 1152000 which is a total of ten times the baud rate set. Is this somehow related to each other?

As for the device - it's a hub that connects other iot devices so maybe that's why the larger (custom) flash?

khoam · Answer

. This is OK. . I don't think so . Try reading the flash in parts as I wrote in a previous post. By the way, what was the form of the whole command from esptool when you tried to read the whole 16MB?

gigiraffa · Answer

sudo esptool -p /dev/ttyUSB0 -b 115200 read_flash 0 0x1600000 flash.bin - did I mess something up here?

I am now trying to read in chunks. What is the best way to then combine them for analysis in Ghidra?

Warm regards

khoam · Answer

. Should be:Code: BashLog in, to see the code Knowledge of the hexadecimal system applies .

gigiraffa · Answer

yes yes, I just grasped that too! but I think it was 6 zeros and not 5 as you stated? Added after 55 : .Speaking of merging, a simple merge will be ok?

khoam · Answer

Yes, it is supposed to be 6 zeros. I have corrected the previous post. . Yes, it won't work because of the checksums.

Ripping firmware from the ESP32-WROOM-32D IoT module: tools and methods

Post #1

Post #2

Post #3

Post #4

Post #5

Post #6

Post #7

Post #8

Post #9

Post #10

Post #11

Post #12

Post #13

Post #14

Post #15

Post #16

Topic summary