Firmware Extraction & Analysis

Many patents claim both hardware features and algorithmic behaviour, and the algorithmic part is often implemented in firmware. Drawing on an understanding of a wide range of embedded systems and how they operate, TechPats' firmware analysis capability can extract a target device's firmware and analyze it against the claim elements of a patent. This helps our clients unlock system-level patents in areas where doing so would previously have been difficult.

Test plans usually have multiple phases to help TechPats' clients manage risk and cost. Each phase investigates the target device in progressively greater detail, working toward the final goal, and the findings and insights from one phase are used to fine-tune and adjust the next.

Firmware analysis follows this general approach:

  • Identification of firmware module
  • Extraction of firmware module (or downloading if applicable)
  • Disassembly of extracted firmware module
  • Assessment of analysis feasibility of extracted and disassembled firmware module
  • Assessment of JTAG connection feasibility
  • Static analysis of disassembled firmware module
  • Modification of disassembled firmware module
  • Reprogramming the target device with modified firmware module
  • Dynamic analysis of disassembled firmware module

Review of the patent indicates whether the claimed features are implemented at the circuit, logic, or firmware level of the design. Once firmware-level investigation is found to be necessary, the firmware module is identified. A firmware module may be available for download from the vendor, or it may reside in on-board non-volatile memory (NOR or NAND flash). TechPats can extract firmware modules from any non-volatile memory device.

Once a firmware module has been obtained (through extraction or download), it is disassembled using industry-standard disassembly and debugging tools such as IDA Pro. This yields assembly-level firmware modules for multiple processor targets (ARM, MIPS, x86, etc.) and some DSPs. Any applicable open-source code, where available, is obtained and used to complement and augment this task.

The feasibility of firmware analysis depends on many factors, such as encryption, code obfuscation, and the presence of readable and meaningful strings. By checking these risk factors early, as soon as the firmware module has been extracted and disassembled, the feasibility of a system-level analysis is known at the earliest possible phase of the project, helping the client manage risk and make decisions in a timely manner. If required, the feasibility of a JTAG connection is also investigated. The risk here is secure JTAG, which requires a password or key before a debugger is allowed to connect to the target through the JTAG interface.
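The early feasibility check above can be made concrete with a triage pass over the raw dump before any disassembly time is spent. The script below is an added example, not TechPats' code or tooling: it computes per-block Shannon entropy to flag regions that look encrypted or compressed (or erased), harvests printable strings as a quick measure of how much meaningful text survived, and applies a crude Cortex-M vector-table heuristic to suggest which processor module to load in the disassembler. The block size, entropy thresholds, and the SRAM address range used by the heuristic are assumptions chosen for illustration, and the sample image is constructed inline (one plaintext block with a fake vector table, one erased-flash block, one pseudo-random block standing in for an encrypted payload) so that it runs offline.

```python
"""Firmware image triage: entropy map, string harvest, architecture hint.

Added example; not TechPats code. Assumes a raw flash dump held in memory
as bytes. Thresholds and the memory-map check are illustrative assumptions.
"""
import math
import random
import re
import struct

BLOCK_SIZE = 4096       # entropy is measured per block of this many bytes (assumption)
HIGH_ENTROPY = 7.5      # bits/byte at or above which a block looks encrypted/compressed
LOW_ENTROPY = 3.0       # bits/byte at or below which a block looks like padding/erased flash
MIN_STRING_LEN = 6      # shortest printable run reported as a string


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_block(entropy: float) -> str:
    """Map a block's entropy to a triage label."""
    if entropy >= HIGH_ENTROPY:
        return "high (encrypted/compressed?)"
    if entropy <= LOW_ENTROPY:
        return "low (padding/erased?)"
    return "code/data"


def entropy_map(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return [(offset, entropy, label), ...] for each block of the image."""
    result = []
    for off in range(0, len(image), block_size):
        e = shannon_entropy(image[off:off + block_size])
        result.append((off, e, classify_block(e)))
    return result


def extract_strings(image: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Printable-ASCII runs with their offsets, like `strings -t x`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def cortex_m_vector_hint(image: bytes) -> bool:
    """Heuristic for choosing the disassembler's processor module.

    A Cortex-M image begins with the initial stack pointer followed by the
    reset vector, whose Thumb bit (bit 0) is set. The SRAM range checked here
    (0x2000_0000-0x2010_0000) is an assumption that fits many MCUs, not all.
    """
    if len(image) < 8:
        return False
    sp, reset = struct.unpack("<II", image[:8])
    return 0x20000000 <= sp < 0x20100000 and (reset & 1) == 1


def triage(image: bytes) -> dict:
    """Summarise the image: per-block entropy, string count, architecture hint."""
    blocks = entropy_map(image)
    return {
        "size": len(image),
        "blocks": blocks,
        "string_count": len(extract_strings(image)),
        "high_entropy_blocks": sum(1 for _, _, lab in blocks if lab.startswith("high")),
        "cortex_m_hint": cortex_m_vector_hint(image),
    }


def build_sample_image() -> bytes:
    """Constructed sample dump: plaintext block, erased block, random block."""
    rng = random.Random(0x5EED)   # fixed seed so the sample is reproducible
    banner = (b"BootROM v1.2.3 Copyright (c) 2019 Example Corp\x00"
              b"uart_init\x00spi_flash_read\x00verify_image\x00")
    header = struct.pack("<II", 0x20010000, 0x08000101)  # fake SP + reset vector
    plain = (header + banner * (BLOCK_SIZE // len(banner) + 1))[:BLOCK_SIZE]
    erased = b"\xff" * BLOCK_SIZE
    encrypted = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return plain + erased + encrypted


if __name__ == "__main__":
    report = triage(build_sample_image())
    for off, e, label in report["blocks"]:
        print(f"0x{off:06x}  {e:5.2f} bits/byte  {label}")
    print(f"strings: {report['string_count']}, cortex-m hint: {report['cortex_m_hint']}")
```

On a real dump, a high-entropy label across the whole image with almost no strings is the early signal that the module is encrypted and that static analysis will not be feasible without a key or a JTAG path; a handful of high-entropy blocks inside an otherwise readable image more often indicates a compressed section or embedded key material and does not by itself rule the analysis out.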

Static analysis of the disassembled code involves identifying the relevant code and modules in the disassembly and analyzing them, again using industry-standard disassembly and debugging tools such as IDA Pro.

If necessary, a firmware module can be modified to ease analysis and allow stepping through a number of breakpoints. TechPats has the expertise to analyze a target firmware module, insert the necessary breakpoints, and reprogram the target device for dynamic analysis.

