Micro::bit

Extract source code from firmware

When the source has been built with makecode.microbit.org, the JavaScript code is embedded in the firmware.

import bincopy
import json
import subprocess
import sys

# Split the firmware into raw and code parts (separated by a blank line)
with open(sys.argv[1], 'r') as f:
    fwsplit = f.read().split('\n\n')

with open('fw_raw.hex', 'w') as g:
    g.write(fwsplit[0])
with open('fw_code.hex', 'w') as g:
    g.write(fwsplit[1])

# Convert ihex to bin
f = bincopy.BinFile()
f.add_ihex_file('fw_code.hex')
binary = f.as_binary()
print("[+] ihex converted to binary")

# Extract the code: brute-force the offset at which the LZMA stream starts
for i in range(200):
    with open('firmware.bin', 'w+b') as g:
        g.write(binary[i:])

    try:
        # Decompress with the lzma command-line tool
        result = subprocess.run(["lzma", "firmware.bin", "-d", "--stdout"], capture_output=True)
        # Drop everything up to the first '}' and the character after it,
        # then parse the JSON document that follows
        data = result.stdout.decode().split('}', 1)
        data = json.loads(data[1][1:])
        print(data)
        print("\n[+] Javascript code")
        print(data['main.ts'])
        break  # source recovered, stop trying further offsets
    except Exception:
        # No valid stream at this offset, try the next one
        continue
else:
    print("[-] No embedded source found in the first 200 offsets")

Extract firmware using SWD

Connection

Solder wires on SWD pins:

[Image: swd-wire]

Connect to an ST-LINK v2:

[Image: swd-connect]

OpenOCD profile

Official datasheet of the nRF51822: nRF51822_PS_v3.4.pdf

Code section size:

[Image: memory-map]

[Image: chip-variant]

hex(1024*256) = 0x40000 => 0x00040000

Content of dump_fw.cfg:

init
reset init
halt
dump_image image.bin 0x00000000 0x00040000
exit

Run OpenOCD with the ST-LINK interface, the nRF51 target and this profile:

sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg

Python code

Content of the image.bin file:

$ strings image.bin
[...]
main.py# Add your Python code here. E.g.
from microbit import *
while True:
    display.scroll('Hello, World!')
    displa
y.show(Image.HEART)
    sleep(1000)
    print("coucou")
    sleep(2000)
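
The `displa` / `y.show` break in the `strings` output is what a chunked file store looks like in a raw dump, so the script has to be reassembled rather than read linearly. The following added example (not code from the original page) does that in Python with the hypothetical helpers `extract_files` and `build_sample`, run on a constructed sample image. It assumes the MicroPython micro:bit filesystem layout, which the page does not describe: 128-byte chunks; a 0xFE marker, end-offset byte, name-length byte and name at the start of a file; the previous chunk's 1-based index as the marker of a continuation chunk; and the next chunk's index (0xFF on the last chunk) in the final byte.

```python
CHUNK = 128        # assumed chunk size of the MicroPython micro:bit filesystem
FILE_START = 0xFE  # assumed marker byte of a file's first chunk
UNUSED = 0xFF      # assumed tail byte of a file's last chunk (erased flash)

def _start_index(image, off, tail):
    """Recover the start chunk's 1-based index: its successor stores it as marker."""
    for idx in range(1, 0xFD):
        nxt = off + (tail - idx) * CHUNK
        if nxt != off and 0 <= nxt <= len(image) - CHUNK and image[nxt] == idx:
            return idx
    return None

def extract_files(image):
    """Return {name: bytes} for every intact file chain in a raw flash dump."""
    files = {}
    for off in range(0, len(image) - CHUNK + 1, CHUNK):
        end_offset, name_len = image[off + 1], image[off + 2]
        name = image[off + 3:off + 3 + name_len].decode("latin-1")
        if image[off] != FILE_START or not 0 < name_len <= 120 or not name.isprintable():
            continue
        data, cur, idx, start = bytearray(), off, None, 3 + name_len
        for _ in range(len(image) // CHUNK):           # bounded walk, no endless loop
            tail = image[cur + CHUNK - 1]
            if tail == UNUSED:                         # last chunk: stop at end_offset
                data += image[cur + start:cur + 1 + end_offset]
                files[name] = bytes(data)
                break
            data += image[cur + start:cur + CHUNK - 1]
            if idx is None:
                idx = _start_index(image, cur, tail)
            nxt = cur + (tail - idx) * CHUNK if idx else -1
            if not 0 <= nxt <= len(image) - CHUNK or image[nxt] != idx:
                break                                  # broken chain: drop this file
            cur, idx, start = nxt, tail, 1             # continuation data follows the marker
    return files

def build_sample():
    """Constructed dump: main.py starts in chunk 3 and continues in chunk 1."""
    script = (b"# Add your Python code here. E.g.\nfrom microbit import *\n\n\n"
              b"while True:\n    display.scroll('Hello, World!')\n"
              b"    display.show(Image.HEART)\n    sleep(2000)\n")
    body = b"main.py" + script
    first, rest = body[:124], body[124:]               # 128 - 3 header bytes - 1 tail byte
    start = bytes([FILE_START, len(rest), 7]) + first + bytes([1])
    cont = bytes([3]) + rest.ljust(126, b"\xff") + bytes([UNUSED])
    return bytes(2 * CHUNK) + cont + b"\xff" * CHUNK + start + b"\xff" * CHUNK, script

if __name__ == "__main__":
    for name, content in extract_files(build_sample()[0]).items():
        print(f"--- {name} ---\n{content.decode()}")
```

On a real dump, call `extract_files(open('image.bin', 'rb').read())`; the 0xFE scan is a heuristic, so treat hits inside the code region as candidates to check by hand.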