Converts a flash dump from an esp8266 device into an ELF executable file for analysis and reverse engineering.
esp-bin2elf will create sections for each of the sections in the flash dump. For convenience, esp-bin2elf also creates a flash section at 0x40200000 (.irom0.text) containing the SDK from flash, a section at 0x40000000 containing the bootrom (.bootrom.text), and includes all SDK symbols.
Tested in IDA Pro with the excellent Xtensa processor plugin from Fredrik Ahlberg.
Once you have your ELF loaded, you can + should leverage the rizzo IDA plugin to identify common functions from the SDK and RTOS examples.
Alternatively, the ELF can be used with Radare2 and/or Cutter.
- Python 3
esptool.py- https://github.com/espressif/esptoolelffile- https://pypi.org/project/elffile/
The original elffile project seems abandoned, but a fork is available here: https://github.com/slorquet/elffile2
- Connect usb cable to esp8266
./dump_flash.sh- This will generate flash_4M.bin
./esp_extract_flash.sh flash_4M.bin out_user_irom.bin- This will generate out_user_irom.bin (User Application), out_user_irom.bin.elf (Elf file)
Feel free to report an issue on github or contact me privately if you prefer.
- Richard Burton for:
- image format details: http://richard.burtons.org/2015/05/17/esp8266-boot-process/
- rBoot: https://github.com/raburton/rboot
- Max Filippov (jcmvbkbc) for bootrom.bin: https://github.com/jcmvbkbc/esp-elf-rom
- Fredrik Ahlberg (themadinventor) for the IDA plugin and esptool.