Bootable Breakout

I’m currently (at the time of writing this) performing a security assessment of an ESP32-based embedded device for a client. While this assessment is not purely hardware focused, gaining access to the device’s firmware is a primary goal as reversing firmware is often an easy way to identify other vulnerabilities.

The ESP32 supports JTAG, and the target device routes the JTAG pins to a client-proprietary breakout. While it’d be completely possible to solder leads onto the breakout’s pads, I was having trouble with shorting due to how close the pads were to each other. Additionally, the ESP32 comes in a QFN package, meaning that, while its pins are externally accessible, they are tiny and I’m nowhere near good enough to solder to them directly.

My next thought was something along the lines of “It’d be really nice if this were on a breakout board.” The problem with a breakout board is that, while I could (assuming it’s enabled) get JTAG to work, the ESP32’s peripherals wouldn’t be there, including any external storage (in this case, an EEPROM).

There are solutions where I could dump the ESP32’s internal storage via JTAG and the external storage via SPI, but I would potentially miss out on any interesting information in RAM, as the ESP32 wouldn’t boot correctly without the EEPROM. Or I could break everything out to breadboards and connect it all up, but that’d take some time and would be subject to smoke-letting should I make certain mistakes.

Instead I found another solution using a standard time-vs-cost trade-off: why spend a lot of time breadboarding everything when I could spend a little money on a development board and replace the necessary components?

Enter the Widora-air ESP32 development shield: https://amzn.to/2H2Ly7s (sorry, I got the last one available on Prime for the moment). This little guy had the primary things I needed in a breakout: a spot for the ESP32, a spot for the EEPROM, and all the ESP32 pins broken out. Additionally, it gave me USB-to-serial, so I didn’t have to wire up UART to monitor what was going on.

I removed the ESP32 and EEPROM from my target device, placed them onto the Widora-air, then wired everything up to my JTAG adapter. I also cloned Espressif’s fork of OpenOCD, which has full support for the ESP32. (I also spent about 10 minutes trying to take this picture.)

Widora-air + JLink

Everything worked exactly as I hoped, and I was able to start carving out ROM and RAM for some vulnerability hunting.
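For the dump step itself, here is an added example of how I would script it against the OpenOCD telnet interface (port 4444) rather than typing `dump_image` by hand. This is example code written for this post, not the author’s script or part of Espressif’s OpenOCD fork. It assumes OpenOCD was started separately with something like `openocd -f interface/jlink.cfg -f target/esp32.cfg`, and the region table below is my reading of the ESP32 memory map (internal ROM 0/1, IRAM, and the contiguous DRAM window); check the addresses against the ESP32 Technical Reference Manual for your silicon revision before trusting a dump. Note that the script uses `halt`, not `reset halt`, so the RAM image reflects the running state of the device, which is the whole reason for transplanting the EEPROM along with the ESP32. The `FakeOpenOCDSocket` class is a constructed stand-in so the script can be exercised offline.

```python
import os
import re
import socket
import sys

# Assumed ESP32 memory map (name -> (base address, size in bytes)); verify against the TRM.
ESP32_REGIONS = {
    "rom0": (0x40000000, 0x60000),  # internal ROM 0 (boot ROM code), 384 KB
    "rom1": (0x3FF90000, 0x10000),  # internal ROM 1, 64 KB
    "iram": (0x40080000, 0x20000),  # internal SRAM 0 as IRAM, 128 KB
    "dram": (0x3FFAE000, 0x52000),  # internal SRAM 2 + SRAM 1 as DRAM, 328 KB
}


class OpenOCDClient:
    """Minimal client for OpenOCD's telnet command server (default 127.0.0.1:4444)."""

    def __init__(self, host="127.0.0.1", port=4444, sock=None):
        # sock lets a test inject a fake transport instead of a real connection.
        self.sock = sock if sock is not None else socket.create_connection((host, port), timeout=10)
        self._read_until_prompt()  # swallow the banner and first "> " prompt

    def _read_until_prompt(self):
        buf = b""
        while not buf.endswith(b"> "):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("OpenOCD closed the telnet session")
            buf += chunk
        return buf.decode(errors="replace")

    def cmd(self, line):
        """Send one command and return everything OpenOCD printed up to the next prompt."""
        self.sock.sendall(line.encode() + b"\n")
        return self._read_until_prompt()


def parse_dumped_bytes(reply):
    """Extract N from OpenOCD's 'dumped N bytes in ...' confirmation line."""
    m = re.search(r"dumped (\d+) bytes", reply)
    if not m:
        raise RuntimeError("dump_image did not confirm a dump: " + reply.strip())
    return int(m.group(1))


def dump_regions(client, regions, outdir="."):
    """Halt the core (without reset, so RAM keeps runtime state), dump each region, resume."""
    client.cmd("halt")
    sizes = {}
    try:
        for name, (base, size) in regions.items():
            path = os.path.join(outdir, f"esp32_{name}_{base:08x}.bin")
            reply = client.cmd(f"dump_image {path} {base:#x} {size:#x}")
            sizes[name] = parse_dumped_bytes(reply)
            if sizes[name] != size:
                raise RuntimeError(f"{name}: expected {size:#x} bytes, got {sizes[name]:#x}")
    finally:
        client.cmd("resume")
    return sizes


class FakeOpenOCDSocket:
    """Constructed stand-in for a socket to OpenOCD, for running this script offline."""

    def __init__(self):
        self.sent = []
        self._out = b"Open On-Chip Debugger\r\n> "

    def recv(self, n):
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk

    def sendall(self, data):
        line = data.decode().strip()
        self.sent.append(line)
        parts = line.split()
        reply = ""
        if parts and parts[0] == "dump_image":
            # Real OpenOCD echoes the command and reports the byte count it wrote.
            reply = f"dumped {int(parts[3], 0)} bytes in 1.0s (100 KiB/s)\r\n"
        self._out += (line + "\r\n" + reply + "> ").encode()


if __name__ == "__main__":
    outdir = sys.argv[1] if len(sys.argv) > 1 else "."
    for region, n in dump_regions(OpenOCDClient(), ESP32_REGIONS, outdir).items():
        print(f"{region}: {n} bytes")
```

Run it as `python esp32_dump.py ./dumps` while OpenOCD is attached; the sizes it reports should match the table exactly, and a short read is treated as an error rather than silently producing a truncated image. ROM 0 is the mask-ROM bootloader, which is the same on every ESP32 of a given revision, so the interesting bits for an assessment are usually IRAM and DRAM.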

OpenOCD output

While I got everything working well enough, there are still missing peripherals, and potentially some interesting bits of memory that I’m missing because of that. But thanks to this little trick, I have a head start and have confirmed that JTAG is enabled. Knowing JTAG is enabled makes the prospect of some painstaking soldering to the proprietary breakout feel less daunting.
