Firmware

  • Dumping the decrypted content

Dumping the decrypted firmware of the WODE is "easy" if you know where to start.

Basically, the "RETAIL" WODE firmware is built on top of an old "KAMIKAZE" release of OpenWrt.

Before the "OPENWODE.RAR" archive was obtained, OpenWrt commit B517F82 was used to build a GCC cross-compiler for the WODE's MCU, which in turn was used to build a memory dumper running inside the WODE's Linux kernel.

After soldering a connector to port "J6" and attaching a UART adapter to it, it was possible to get into the WODE's Linux kernel terminal.

Further investigation showed that running "cat /proc/iomem" in the BusyBox CPIO root filesystem reveals where the SDRAM area is located. Dumping is not limited to the SDRAM area: the BOOTROM and the bootloader can be dumped as well, and the MCU's "APB" areas can be dumped at least partially.

This does not work for the OTP area, because U-Boot sets the "READ-PROTECTION" bit in the OTP READ-PROT field on boot. Once that bit is set, reading from the OTP data area returns only zero bytes ("0x00").

Fig. 1: WODE Serial port (UART)
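
The workflow above, as an added POSIX shell example that is not the page's in-kernel dumper: parse /proc/iomem text for a labelled region, copy that byte range out of a memory device with dd, and flag a dump that is entirely 0x00, which is what the page reports for the read-protected OTP area. The memory map, region labels and the 8 KiB fake memory image are constructed for the demonstration; the device node the dump is read from is an assumption, since the page's dumper ran inside the kernel.

```shell
#!/bin/sh
# Added example (not the page's in-kernel dumper): find a region in /proc/iomem
# text, copy that byte range out of a memory device with dd, and detect the
# all-0x00 result the page describes for the read-protected OTP area.

# Print "START END SIZE" (hex, hex, decimal bytes) for the first top-level
# /proc/iomem entry labelled $2 in iomem text file $1; fail if there is none.
iomem_region() {
    line=$(grep "^[0-9a-f]*-[0-9a-f]* : $2\$" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    start=${line%%-*}; rest=${line#*-}; end=${rest%% *}
    printf '0x%s 0x%s %d\n' "$start" "$end" $(( 0x$end - 0x$start + 1 ))
}

# Copy SIZE ($3) bytes at byte offset START ($2) of device/file $1 into $4.
# dd skips whole blocks, so 4 KiB blocks are used only when both values align.
dump_region() {
    bs=1
    [ $(( $2 % 4096 )) -eq 0 ] && [ $(( $3 % 4096 )) -eq 0 ] && bs=4096
    dd if="$1" of="$4" bs=$bs skip=$(( $2 / bs )) count=$(( $3 / bs )) 2>/dev/null
}

# Succeed when a dump holds nothing but 0x00: the symptom of an area U-Boot has
# read-protected (the page's OTP case) rather than real content.
dump_is_blank() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# --- constructed sample: hypothetical map and an 8 KiB fake memory image ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/iomem" <<'EOF'
00000000-000000ff : bootrom
00000100-000001ff : otp
00001000-00001fff : System RAM
  00001000-000017ff : Kernel code
EOF
dd if=/dev/zero of="$WORK/mem" bs=4096 count=2 2>/dev/null
printf 'BOOTROM!' | dd of="$WORK/mem" bs=1 conv=notrunc 2>/dev/null
printf 'SDRAM-payload' | dd of="$WORK/mem" bs=1 seek=4096 conv=notrunc 2>/dev/null

for label in bootrom otp 'System RAM'; do
    set -- $(iomem_region "$WORK/iomem" "$label"); [ $# -eq 3 ] || continue
    out="$WORK/$(printf '%s' "$label" | tr ' ' _).bin"
    dump_region "$WORK/mem" "$1" "$3" "$out"
    state="has data"; dump_is_blank "$out" && state="all 0x00 (read-protected?)"
    printf '%-10s %s-%s %5d bytes -> %s\n' "$label" "$1" "$2" "$3" "$state"
done
```

On a live device the same functions would be pointed at the real /proc/iomem and whatever memory device the kernel exposes; an all-zero dump is the signal to distrust the result rather than treat it as content.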

  • Dumping the encrypted content of the SPI-NOR flash

Dumping the encrypted firmware from the SPI-NOR flash was done with a modified CH341A programmer and the flashrom tool running under Linux.

Fig. 2: Dumping the bare desoldered SPI-NOR flash using a modified CH341A programmer
