The ESP8266 WiFi module from ESPRESSIF is a commonly used, low cost (less than 2 US$) WiFi module that exists in different PCB layouts. It is often used for IoT projects and is easily programmable with the Arduino IDE or with Mongoose OS and its web based IDE. The ESP8266 modules are covered with a metal shield. Under the shield sit a WiFi/CPU chip and a FLASH chip with a serial SPI interface.

How can we dump the firmware and data of the ESP8266 chip?

First, we need access to the FLASH chip.

FLASH Chip

With a temperature controlled hot air gun (set to 370°C), the metal shield and FLASH chip can be easily removed.

Hot Air Gun

Place the FLASH chip into a programmer and select, in the programmer software, the part number that is printed on the chip.

FLASH Programmer

Dump the chip.

FLASH Dump Software

Now we can extract content such as the configured WiFi SSID and password, which are stored in clear text.

With binwalk it is possible to visualize the entropy of the dump, which gives an overview of where the data is located in the FLASH chip.
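As an added example (not code from the original post or from binwalk), the following Python script produces the same kind of per-sector entropy overview on a flash dump and scans it for printable strings, so that the owner of a device can check whether a dump of their own module still holds credentials in clear text. The 4 KiB sector size and the sample dump are constructed assumptions, not a real ESP8266 image.

```python
import math
import hashlib
from collections import Counter

SECTOR = 4096  # assumed block size: SPI NOR flash is erased in 4 KiB sectors

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0) of one block."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def entropy_map(dump: bytes, block_size: int = SECTOR):
    """(offset, entropy) per block: the overview an entropy plot gives."""
    return [(off, shannon_entropy(dump[off:off + block_size]))
            for off in range(0, len(dump), block_size)]

def classify(dump: bytes):
    """Tag each sector: erased (all 0xFF), high-entropy (code/compressed) or low-entropy (config/data)."""
    result = []
    for off, h in entropy_map(dump):
        block = dump[off:off + SECTOR]
        if block == b"\xff" * len(block):
            result.append((off, "erased"))
        else:
            result.append((off, "high-entropy" if h > 7.0 else "low-entropy"))
    return result

def printable_strings(dump: bytes, min_len: int = 8):
    """Yield (offset, text) for runs of printable ASCII at least min_len bytes long."""
    start = None
    for i, b in enumerate(dump + b"\x00"):  # trailing NUL flushes a run at the end
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, dump[start:i].decode("ascii")
            start = None

def constructed_dump() -> bytes:
    """Constructed sample: one pseudo-random 'firmware' sector, one erased sector, one config sector."""
    code = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(SECTOR // 32))
    erased = b"\xff" * SECTOR
    config = (b"\x00" * 64 + b"ssid=HomeNetwork-5G\x00"
              + b"psk=CorrectHorseBatteryStaple\x00").ljust(SECTOR, b"\x00")
    return code + erased + config

if __name__ == "__main__":
    dump = constructed_dump()
    for off, kind in classify(dump):
        print(f"0x{off:06x} {kind}")
    for off, text in printable_strings(dump):
        print(f"0x{off:06x} {text}")
```

Run it against a real dump by replacing `constructed_dump()` with `open("dump.bin", "rb").read()`; low-entropy sectors that contain readable strings are where cleartext configuration typically shows up.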

FLASH-Entropy

Cost for the used equipment:

  • Temperature controlled hot air gun CHF 90.-
  • Serial FLASH programmer US$ 97.-

Required time for the complete attack: just a few minutes.