Extracting secured firmware from Freescale Zigbee radios

[Image: decapped MC13224 package]

[Travis Goodspeed] recently tore down the Freescale MC13224 wireless radio chip to demonstrate that the device's firmware can be read out even when the part is locked down in "secure" mode. You might not recognize the Freescale MC13224 by name, but you are likely familiar with some of its practical applications: the popular Zigbee radio (an ARM7TDMI core with an 802.15.4 radio in one package) is found in the QuahogCon and Ninja Party badges among other consumer goods, and it turned out to be a fairly easy conquest.

[Travis] first used acid to decap one of the chips and see what was going on under the plastic. Inside the package he found that the flash memory is a separate die, which he removed and repackaged using a wedge wire bonder. He was easily able to extract the firmware from the rebonded die; however, decapping and repackaging a flash die isn't exactly a user-friendly process, nor one most attackers have the equipment for.

After digging further, he discovered that holding one of the chip's pins low during boot lets him load and run his own code on the part, and once the pin is pulled high again that code can read the firmware image out of the protected flash. This is a far more practical means of firmware recovery: no decapping, no rebonding, and as [Travis] mentions on his blog, a circuit-board revision is enough to make the procedure routine. The lesson for anyone relying on the chip's "secure" mode is that it stops a casual readout over the normal interfaces, not an attacker with physical access to the package or the boot pins.

Comments

  1. Gregg says:

    That’s hardcore, one warranty definitely voided.

    It’s also awesome.

  2. Zee says:

    That is some industrial-espionage grade hacking right there.

  3. uC says:

    >The first method for recovery requires access to some rather–but not terribly–expensive equipment…
    >Then use a wedge wire-bonder to place the chip into a new package.

    I’ve looked into wedge/ball bonding before but have given up once searching for hardware. Anyone have any experience with any manufacturers that have ‘easy’-to-maintain equipment for similar experimentation?

  4. Alex Parting says:

    Travis rawks, he is very neighborly :)

  5. Axel Roest says:

    Funny how they write “He was easily able to extract the firmware”, under an image which doesn’t look easy at all!!

    Two Snake Dogs for Travis!

  6. zapa47 says:

    That picture screams “easy”.

  7. Cricri says:

    Ok, so popping caps is dumb and can be done by a 3-year-old kid with no skills whatsoever, but on the other hand, THAT is a hell of a hack. Well beyond my skills, but very well done.

  8. Cricri says:

    Sorry, I’m still p*ssed off at the fact that a YouTube video of a cretin popping caps (skills needed: ignore that red is +) made it on HAD not long ago, and more appalling, that many readers found it awesome. I started taking medications and booked a hypnotist for tomorrow, so hopefully I’ll get over it soon.

  9. Saccrolux says:

    Cricri,

    All work and no play makes Cricri a dull boy.

    Lighten up and live a little. Blowing up caps and showing the resultant video isn’t any less productive than watching TV for an hour.

    Sometimes stupid things like that are a nice distraction.

  10. GameboyRMH says:

    Sooo…what am I looking at in this pic?

  11. Shadyman says:

    @GameboyRMH:

    The innards of a Freescale MC13224 ARM7TDMI-and-Zigbee SoC

  12. Eric says:

    What is the benefit of doing this?

    It’s interesting to see how he goes about it, but what is the end result?

  13. sickoboi says:

    that’s sick.

  14. wardy says:

    The end results are that he managed to get out all the secrets in the on-board storage without releasing the magic smoke. This chip still works (unless I’m misunderstanding what’s happening in this hack).

    This reminds me of that hack from a year or two ago where the Russian guy dissected and gained access to an Infineon encryption IC.

    All we need now is the ability to erode the lids off ICs using regular household chemicals (toothpaste and bug spray perhaps?)

  15. Drone says:

    Didn’t he violate the DMCA by doing this? Uh Oh… Now they’re going to come for him. Or maybe they’ll just stick a GPS tracker on his car or feel up his private parts for awhile.

  16. DoNotHarm says:

    Money well spent…

  17. slaxtrack says:

    I love it !!!
