Crypto systems can be owned by anyone who manages to get a memory dump, because the crypto key must be present in RAM while the system is in use. Here we evaluate possibilities to get such a dump and how to recover the key from it.


FireWire - all your memory are belong to us


FireWire/i.Link is well known as a way of connecting video devices or external hard disks to computers. One little-known fact is that the FireWire protocol also allows reading and writing the physical memory of connected machines without any further software support. This can be leveraged to escalate privileges or to spy on connected machines. We will present some fun software using FireWire to do things to computers that shouldn't happen.


Restart a running crypto system and boot our modified memtest to scan the RAM. This works because the contents of SDRAM mostly survive a short power-off.

Device Boot         Start         End      Blocks   Id  System
/dev/sda1               1         185       97664   83  Linux
/dev/sda2             186         937      397056   83  Linux

(hd0) /dev/sda
(hd0,0) /dev/sda1
(hd0,1) /dev/sda2

default 0
timeout 3

title  grml-small
kernel (hd0,1)/linux26 ramdisk_size=100000 init=/etc/init lang=us usb apm=power-off vga=791 nomce BOOT_IMAGE=grml
initrd (hd0,1)/minirt26.gz

title memtest
kernel (hd0,0)/memtest.bin


qemu -cdrom bin/gpxe.iso -serial file:serial.log


key recovery
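The following is an added example, not code from the talk: a memory-forensics scan that locates AES-128 key schedules in a raw dump by checking, for every 16-byte window, whether the next 160 bytes are the round keys that FIPS-197 key expansion derives from it. A defender can run it over a dump or crash file to verify that keys were actually scrubbed; the tolerance parameter accounts for the few bytes that decay during a short power-off, and the sample dump at the bottom is constructed, not a real capture.

```python
# Added example (not the talk's own code): find AES-128 key schedules in a RAM dump.
def build_sbox():  # AES S-box: GF(2^8) inverse followed by the affine map
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda b, n: ((b << n) | (b >> (8 - n))) & 0xFF
    for _ in range(255):  # 3 generates GF(2^8)*, so p visits every nonzero value
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):  # q /= 3, keeping p * q == 1
            q ^= (q << s) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
    sbox[0] = 0x63  # 0 has no inverse; the affine map alone gives 0x63
    return sbox
SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def next_round_key(prev, rcon):  # round key i+1 from round key i (FIPS-197 5.2)
    t = bytes(SBOX[b] for b in prev[13:16] + prev[12:13])  # RotWord, then SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]  # XOR the round constant
    out = b""
    for c in range(4):  # w[i] = w[i-4] ^ temp
        t = bytes(prev[4 * c + j] ^ t[j] for j in range(4))
        out += t
    return out

def expand_key(key):  # full 176-byte schedule, as it sits in RAM
    out = bytes(key)
    for rcon in RCON:
        out += next_round_key(out[-16:], rcon)
    return out

def find_aes128_keys(dump, max_bad_bytes=0):
    """(offset, key) per window whose next 160 bytes match its recomputed schedule."""
    hits = []
    for off in range(len(dump) - 175):
        rk, bad = dump[off:off + 16], 0  # assumes the 16 key bytes survived intact
        for r, rcon in enumerate(RCON, start=1):
            rk = next_round_key(rk, rcon)
            bad += sum(a != b for a, b in zip(rk, dump[off + 16 * r:off + 16 * r + 16]))
            if bad > max_bad_bytes:
                break
        else:
            hits.append((off, dump[off:off + 16]))
    return hits

# Constructed sample dump (not a real capture): filler, the schedule of the
# FIPS-197 A.1 key, more filler, then a copy of it with one decayed byte.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
FILL = bytes(range(256)) * 2
DECAYED = bytearray(expand_key(KEY))
DECAYED[100] ^= 0x01
DUMP = FILL + expand_key(KEY) + FILL + bytes(DECAYED) + FILL
```

With `max_bad_bytes=0` only the intact copy is reported; `find_aes128_keys(DUMP, 1)` also reports the decayed copy, which is the behaviour wanted on RAM that has lost a few bits.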