ESP8266 Community Forum

- Mon Sep 29, 2014 5:51 am #1009 Hey there,

I couldn't find it in any other dump, but lately I was successful in dumping the boot loader and ROM from the esp8266.
This is basically what's mapped to 0x4000000-0x4010000 in the ram upon execution.

Also attached is a bin that can be loaded into the RAM and executed from there, it will just dump the fw. You have to press any key for it to start dumping.
It can also be flashed, but well you don't need to
Note: for flashing to work you need to patch esptool.py, because there's a bug in it with very small images.
Change "blocks = math.ceil(len(image)/esp.ESP_FLASH_BLOCK)" to "blocks = math.ceil(len(image)/(esp.ESP_FLASH_BLOCK*1.0))" in write_flash.
Running from RAM works out of the box.

I didn't include any library from espressif for this (thus the name "barely" and the small size), so there is no watchdog setup or anything.
I did try to write into the boot loader memory (0x4000fa28, where the strings are stored) but the cpu wouldn't let me (no exception, just no change at all).

Maybe someone can disassemble the ROM functions and see, if there's anything interesting?

Regards,
0ff

You do not have the required permissions to view the files attached to this post.

- Mon Sep 29, 2014 1:38 pm #1027 So you were able to erase the internal "ROM" area?

- Mon Sep 29, 2014 1:43 pm #1028 No, not at all. I was unable to write into the area, it's read-only.
I just don't know yet whether that's by software (I am quite sure) or if it's actually hardwired ROM (though it doesn't look likely).
You can basically tell the processor to deny write-requests to certain areas in the memory, what is suspicious to me is that I'm not running into an exception.

- Mon Sep 29, 2014 3:58 pm #1037 Oh OK I saw "you can also flash it" but misunderstood as applying to the ROM area instead of your dumper.