**Extracting a UART Password via SPI Flash Instruction Tracing**

As a journalist covering the world of embedded devices, I've often found that having debug access can be akin to having superpowers. However, many modern MCUs and SoCs come with restricted debug access, making it difficult for security researchers and hackers to analyze firmware behavior.

In this article, we'll explore an innovative technique for extracting a UART password from an external SPI flash using instruction tracing via SPI flash sniffing. This method proves that even without traditional debugging methods, hardware-level techniques can provide valuable insights into firmware behavior.

**Background**

The target device is a cheap managed switch based on the RTL8372N chip, which has been widely adopted in IoT devices due to its low cost and ease of use. However, this device's management firmware can be challenging to analyze due to the lack of debug access.

After connecting to the UART console and finding that it requires a password, we decided to take a closer look at the SPI flash chip, where the firmware resides. Our goal was to find a way to extract the password without relying on traditional debugging methods.

**Instruction Tracing via SPI Flash Sniffing**

Using an external logic analyzer, specifically the SLogic16U3, we were able to capture the QSPI communication between the RTL8372N chip and the SPI flash. This allowed us to create an instruction trace of the firmware's code flow.

We then used this trace to identify the locations where the password is loaded from the flash. By comparing two separate traces – one taken while booting normally, and another taken while typing in a wrong password – we were able to pinpoint the exact addresses where the password validation logic resided.

**Analyzing the Firmware**

Once we had identified the relevant locations in the firmware, we used Ghidra, a reverse engineering tool, to analyze the code. We discovered that the password is stored in an external memory area (DAT_EXT) and is XOR-decrypted before being compared against a stored password.

To extract the password, we created a print-out gadget in assembly language, which dumped the 11 bytes of the encrypted password to UART. However, this required us to modify the firmware's checksum, as well as change some code to avoid triggering the security checks.

**Results**

After successfully booting the modified firmware and running our gadget, we were able to dump the XORed password bytes to UART. By applying a simple XOR operation with 0x5a, we recovered the plaintext password.

**Conclusion**

This article demonstrates that creative hardware-level techniques can provide valuable insights into firmware behavior even when traditional debugging methods are not available. Instruction tracing via SPI flash sniffing proved to be an effective technique in extracting the UART password from the RTL8372N chip's firmware.

As a journalist, I'm always excited to share innovative techniques and tools that can help security researchers and hackers better understand embedded systems. The SLogic16U3 logic analyzer, specifically, shows great promise for hobbyists and professionals alike, offering an affordable alternative to the more expensive Saleae Logic analyzer.