Skip to content

Micro::bit

Extract source code from firmware

When the source has been build from https://makecode.microbit.org/#editor, the Javascript code is embedded into the firmware.

import bincopy
import lzma
import sys
import subprocess
import json

# split firmware into raw and code
with open(sys.argv[1],'r') as f:
    fwstring = f.read()
    fwsplit = fwstring.split('\n\n')

    with open('fw_raw.hex', 'w') as g:
        g.write(fwsplit[0])
    with open('fw_code.hex', 'w') as g:
        g.write(fwsplit[1])

# Convert ihex to bin
f = bincopy.BinFile()
f.add_ihex_file('fw_code.hex')
binary = f.as_binary()
print("[+] ihex converted to binary")

## Extract code firmware, bruteforce offset
for i in range(200):
    with open('firmware.bin', 'w+b') as g:
        g.write(binary[i:])

    try:
        data = subprocess.run(["lzma", "firmware.bin", "-d", "--stdout"], capture_output=True)
        data = data.stdout.decode().split('}',1)
        data = data[1][1:]
        data = json.loads(data)
        print(data)
        print("\n[+] Javascript code")
        print(data['main.ts'])
    except Exception as e:
        continue

Extract firmware using SWD

Connection

Solder wires on SWD pins:

Connect to an ST-LINK v2:

OpenOCD profile

Official datasheet of the nRF51822:

https://infocenter.nordicsemi.com/pdf/nRF51822_PS_v3.1.pdf

Code section size:

hex(1024*256) = 0x40000 => 0x00040000

init
reset init
halt
dump_image image.bin 0x00000000 0x00040000
exit
$ sudo openocd  -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg

Python code

Content of image.dd file:

$ strings image.bin
[...]
main.py# Add your Python code here. E.g.
from microbit import *
while True:
    display.scroll('Hello, World!')
    displa
y.show(Image.HEART)
    sleep(1000)
    print("coucou")
    sleep(2000)