Extracting a UART Password via SPI Flash Instruction Tracing

We could try to find this loading using static analysis, but remember that I’m not comfortable reverse engineering this firmware, and I want to demonstrate a more dynamic approach.

Perhaps this is a "two types of people" situation, but I would absolutely not do that; once you dump the flash you can analyse and inspect it carefully at your leisure as it is otherwise inert, but messing around with the device itself presents a very real risk of accidentally bricking it.

It’s too bad Saleae prices are so high now. Their original models launched at a very affordable price point but that’s long gone.

In the past they’ve offered discounts to students and contractors if you know where to look and how to ask: https://blog.saleae.com/saleae-discounts/ If anyone is considering one, it’s worth a try to see if they still honor this.

The alternative logic analyzers mentioned in this article look interesting, but the software side leaves a lot to be desired. Some people get along okay with PulseView (or forks, like in this article) but I never enjoy using it.

Interesting that someone else had previously found it too -- I wonder how they got hold of it?

https://github.com/up-n-atom/SWTG118AS/commit/514483b9c9e4d6...

I know a community who invested in an Arm sbc to do photo management with a locked bootloader running a locked Linux kernel where the developers have walked away (Ukraine war)

Its the "Monument" device. The users would love it if somebody unlocked things this way.

Very nice!

An 8051 with XIP SPI flash - that must be ancient tech.

do you know the SPI clock frequency? I am trying to figure out the sampling rate required to reliably capture the trace. That determines the tier of logic analyzer needed I guess.