There are many benefits to interacting directly with Flash memory when you're having a hard time finding the correct JTAG connection points. That's especially true when you're a software reverse engineer who delves into hardware reversing. Some vendors intentionally obfuscate JTAG points or remove them to prevent reverse engineering.
In this talk, we look closely at the process of reverse engineering embedded devices by interacting directly with Flash memory. We also look at reprogramming chips and putting them back on the board. The fun with this method is that you can access the underlying out-of-band data that contains page and block information. As Flash memory is a fragile medium, bad blocks and page data contamination are common problems. Whenever you extract data from memory, you should be able to take care of this metadata. When you write the data back, you need to recalculate the checksums and set the correct flags in these areas. We talk about the chips we've worked on and how we have dealt with the metadata.
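As an added example (not code from the talk or its authors), here is a small Python parser for a raw page-plus-spare NAND dump: it separates the out-of-band area, flags bad blocks from the marker byte, verifies and repairs the per-page Hamming ECC, and recomputes that ECC for write-back. The page geometry, marker offset and ECC placement are constructed assumptions for illustration; a real chip's datasheet defines its own layout.

```python
# Constructed geometry (an assumption for illustration, not a vendor's real layout):
# 512-byte pages, 16-byte spare/OOB, 4 pages per block, bad-block marker at spare byte 5, ECC at 8..10.
PAGE_SIZE, OOB_SIZE, PAGES_PER_BLOCK, BBM_OFF, ECC_OFF = 512, 16, 4, 5, 8
ADDR_BITS = (PAGE_SIZE - 1).bit_length()          # 9 address bits per page
def hamming_ecc(data: bytes) -> bytes:
    """Classic NAND line/column parity code: 2*ADDR_BITS line bits + 6 column bits (3 bytes)."""
    lp = cp = 0
    for i, byte in enumerate(data):
        if bin(byte).count("1") & 1:                  # odd byte parity feeds line parity
            for k in range(ADDR_BITS):
                lp ^= 1 << (2 * k + ((i >> k) & 1))
        for b in range(8):
            if (byte >> b) & 1:                       # set bits feed column parity
                for k in range(3):
                    cp ^= 1 << (2 * k + ((b >> k) & 1))
    return ((lp << 6) | cp).to_bytes(3, "big")
def correct_page(data: bytes, stored_ecc: bytes):
    """Return (data, status): 'ok', 'fixed' (one bit repaired), 'ecc_error'
    (the stored ECC itself is damaged) or 'uncorrectable' (two or more bits)."""
    syn = int.from_bytes(stored_ecc, "big") ^ int.from_bytes(hamming_ecc(data), "big")
    if syn == 0:
        return data, "ok"
    pairs = [(syn >> (2 * k)) & 3 for k in range(ADDR_BITS + 3)]
    if all(p in (1, 2) for p in pairs):               # exactly one bit set per parity pair
        cp, lp = syn & 0x3F, syn >> 6
        bit = sum(((cp >> (2 * k + 1)) & 1) << k for k in range(3))
        byte = sum(((lp >> (2 * k + 1)) & 1) << k for k in range(ADDR_BITS))
        fixed = bytearray(data)
        fixed[byte] ^= 1 << bit
        return bytes(fixed), "fixed"
    return data, ("ecc_error" if bin(syn).count("1") == 1 else "uncorrectable")
def parse_dump(raw: bytes):                           # yields (block, page, data, spare)
    stride = PAGE_SIZE + OOB_SIZE
    for n in range(len(raw) // stride):
        chunk = raw[n * stride:(n + 1) * stride]
        yield n // PAGES_PER_BLOCK, n % PAGES_PER_BLOCK, chunk[:PAGE_SIZE], chunk[PAGE_SIZE:]
def bad_blocks(raw: bytes) -> list:                   # any non-0xFF marker byte flags the block
    return sorted({blk for blk, _, _, spare in parse_dump(raw) if spare[BBM_OFF] != 0xFF})
def build_page(data: bytes, bad: bool = False) -> bytes:
    """Write-back path: fresh spare area with recomputed ECC and the bad-block flag set."""
    spare = bytearray(b"\xff" * OOB_SIZE)
    spare[ECC_OFF:ECC_OFF + 3] = hamming_ecc(data)
    if bad:
        spare[BBM_OFF] = 0x00
    return data + bytes(spare)
def sample_dump() -> bytes:                           # constructed 2-block dump, block 1 flagged bad
    return b"".join(build_page(bytes((n * 37 + j) & 0xFF for j in range(PAGE_SIZE)),
                               bad=(n == PAGES_PER_BLOCK)) for n in range(2 * PAGES_PER_BLOCK))
```

Running `bad_blocks(sample_dump())` reports block 1, and `correct_page` repairs a single flipped bit in any page while refusing to "fix" a page with two.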
The other entertaining part we'll examine is the file system. Embedded systems that interact directly with Flash memory usually use journaling file systems to avoid repeating write operations on specific pages. The journaling file system is interesting as it contains the entire history of file operations. You can just mount the file system directly from your Linux box or you can write a simple parser to check the history of the file system operations. This feature might give reverse engineers a good view of how Flash memory is programmed and used.
Matt is a security researcher at HP. In the past, one of his main research subjects was patch analysis. He released DarunGrim as an open-source project (http://darungrim.org), and it is one of the more popular patch analysis tools. Currently, his research interests include, but are not limited to, smart appliances and payment device security.