Security and consulting company SEC Consult announced the release of an open-source hardware analysis tool dubbed SEC Xtractor

Security firm SEC Consult announced the release of an open-source hardware analysis tool dubbed SEC Xtractor. The tool was initially designed for internal use, and was then adopted for several research projects over the years.

The tool relies on an easy-to-use and configurable memory reading concept that supports multiple ways to read flash chips (e.g. NAND chips). Both the firmware and the hardware of the tool are completely open-source, which means that researchers can extend its functionality according to their needs.

The SEC Xtractor tool was initially used as a memory extraction and UART (Universal Asynchronous Receiver/Transmitter) interface project.

The experts decided to develop the tool for testing embedded devices (hardware and firmware) because many other tools available on the market did not fully meet their needs.

SEC Xtractor can be used to dump the content of NAND, NOR, SPI and I2C flash memory without the need to solder the chip.

“Most projects concluded without any solution since the chips couldn’t be inserted without soldering. This can be frustrating for those who do not want to solder SMD. Only commercial tools (that are expensive) can read memory in that way. The problem remains that they cannot read every chip. This means that different tools for different flash chips are needed and that every new part must be implemented.” reads the post published by the company.

SEC Xtractor was developed in C; the JTAG brute-forcing component is based on the JTAGenum project, and the Xmega Bootloader was used.

“Version 1.31 comes with improvements like a boot button and additional labels three years after the initial hardware version. An open-source bootloader was used to program the device via USB. No external programmer is needed to reflash the ATXmega microcontroller. The black color for the main PCB and the NAND/NOR adapters were chosen because the launch was made during Black Hat Europe 2019 Arsenal.” continues the post.

SEC Consult plans to continue maintaining the tool and has published the technical details needed to build the hardware analysis tool on GitHub.

Pierluigi Paganini