Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

56% Positive

Analyzed from 1383 words in the discussion.

Trending Topics

#ram#boot#memory#bios#hardware#uefi#attack#physical#system#drive

Discussion (22 Comments)Read Original on HackerNews

wmf13 minutes ago
Haters, please stop flagging liffik's comments. I know you don't like AI but this thread was legitimately upvoted onto the front page so at least let the author respond to people.
Retr0id11 minutes ago
The code in the submitted repo is trivial and could be oneshot by an LLM, even if it wasn't. The potentially interesting thing here is what OP was able to achieve with it, and we're only getting pasted LLM output for that, which isn't very interesting.
liffik2 minutes ago
Guys, it’s just easier for me to communicate via AI because I don’t speak English I’m using a translator right now. Everything I described (including the AI part) is real, and the method works too; I’m just lazy. I used this software on some specific hardware I won't say what kind—but it works perfectly.
floralhangnail37 minutes ago
Are there any tricks or guides out there to protect from this attack? Obviously not leaving hardware running and unattended, but what else can help protect you if your running laptop is stolen out of your hands? Workstations can be configured to shutdown upon intrusion switch being activated but what about laptops? I guess hot gluing the RAM in would be a physical obstacle. What about a BIOS password being required for booting from external media or having secure boot enabled? There are exploits to bypass those things, but to an attacker not finding out they are up against that until they reboot, I would hope that would slow them down enough that they fail. If half of or all of the RAM is mounted under the keyboard, I think they would have difficulty getting it out in time. Besides spraying the RAM directly, can you freeze an entire laptop while it's still running? Won't condensation cause problems pretty quickly?
Retr0id35 minutes ago
Hardware memory encryption, with key randomly generated per-boot within the memory controller.
liffik28 minutes ago
@Retr0id is absolutely right. Hardware-level memory encryption (like AMD SME or Intel TME) is the ultimate silver bullet here. The encryption key is generated by the CPU/memory controller per-boot and is lost the moment power is cut, making the RAM contents useless even if frozen.

To answer @floralhangnail's questions from the perspective of how my dumper operates:

Removing RAM vs. Rebooting: My tool actually doesn't require removing the RAM sticks at all! The attack involves freezing the RAM in place, performing a hard power-off, quickly swapping the main system drive with my prepared USB/drive, and powering back on. So physical obstacles like hot-gluing the RAM or hiding it under the keyboard won't stop this specific reboot-based attack.

BIOS Passwords & Secure Boot: You nailed it—these are your best practical defenses on standard hardware. If a BIOS password prevents booting from external media, or if Secure Boot blocks my unsigned 16-bit bootloader, the time it takes to bypass them means the RAM bits will decay. This is exactly why my dumper targets systems with CSM/Legacy BIOS enabled and boot options accessible.

Condensation & Freezing: You don't freeze the entire laptop. You open the bottom cover and spray inverted canned air (-60°C) directly onto the memory modules. Condensation definitely happens and will eventually short the board, but the hardware usually survives just long enough (the few minutes needed) to complete the raw memory dump to disk.

P.S. I'm using AI to translate my messages because I don't speak English. Hope this clears up the physical attack vector!

Retr0idabout 4 hours ago
> successfully tested

Could you elaborate on this? What device did you test on, what was the test procedure, and what was the outcome?

ranger_dangerabout 1 hour ago
Not the author, but this is an extremely simple tool that is not written with any device-specific code... it should work on most any x86-based PC device (plain BIOS or a UEFI system with CSM support enabled).
Retr0id37 minutes ago
The code in the repo is trivial, that's not really what I was referring to. Getting DRAM cooled and swapped from one system to another is nontrivial, and I assumed most hardware/firmware zeroed memory on boot (to prevent being used to cold-boot-attack itself, without even needing a ln2-cooled board swap.) Those are the interesting aspects, not the code!
liffik19 minutes ago
Ah, I see what you mean! You are totally right, the physical execution is the truly interesting part.

To clarify, I actually didn't swap the RAM modules to another system. Moving cooled RAM is incredibly difficult and leads to rapid data decay. Instead, I left the frozen RAM exactly where it was on the original board. After the hard power-off, I just quickly swapped the system drive for my prepared drive and booted the same machine back up.

Regarding memory zeroing on boot: that is a highly relevant point. Modern systems (especially with TCG MOR enabled) try to scrub memory during POST to prevent exactly this. However, two things help here:

Fast Boot / Board Specifics: Many BIOSes, including the one on the industrial board I tested (DPX-W250), skip full memory checks and zeroing to speed up boot times.

Hard Power-Off: By cutting power abruptly, the OS doesn't get a chance to set any "clean shutdown" flags. Upon reboot, the BIOS just did a quick POST and handed control to my 16-bit bootloader via CSM, leaving the frozen memory completely intact.

P.S. I'm using AI to translate my messages because I don't speak English. Hope this explains the physics of the attack!

liffikabout 1 hour ago
Right
liffikabout 1 hour ago
Sure! The testing was conducted on a specific industrial x86 board (DPX-W250 Rev. A1). I won't go into details about the exact equipment it came from, but it provided a perfect bare-metal environment for this research))))

The testing procedure was a classic physical Cold Boot Attack:

Froze the RAM modules while the target system was fully operational.

Performed a hard power-off.

Quickly swapped the original system drive with my own prepared drive containing the BareMetal-RAM-Dumper.

Powered the system back on and booted directly into the custom bootloader via Legacy BIOS.

The result: Absolutely successful. The dumper immediately took control, switched to Unreal Mode, and successfully dumped the raw physical memory directly to the disk without any OS interference or data trampling.

P.S. I'm using AI to translate my messages because I don't speak English. Hope everything is clear!

Joel_Mckay6 minutes ago
Threadlocker red, checkmate... lol =3
Dweditabout 3 hours ago
Does it stop EFI from running first? I'd think that EFI would be clobbering a whole lot of RAM.
saidnooneeverabout 2 hours ago
this will work on BIOs systems and possibly systems with CSM mode which emulate legacy BIOS in efi.

UEFi has a different interface, not IVT to make BIOS calls and no code to catch them. you would use raw disk access protocols its really easy maybe even easier once u know how to use handles and protocols in uefi to implement this for uefi.

the problem then becomes secureboot, which if enabled will be bypassable only via misconfigurations or exploits. it would refuse to from the usb or an alternate disk image when set up correctly and no exploits are known by the dumper.

for that reason there's i think attacks that can be done by removing the ram sticks and sticking them into specialized device to dump it.

theres some tutorials on how to connect ram sticks to breadboards etc. , but idk if theres other details besides raw talking to the ram and dumping it that would make it less reliable. (not sure how long bits are retained, usually ud wanna reboot and instant dump afaik if its totally off for a while its unrecoverable but i am not really sure on that last part. (so removing it to seat them in another device might make bits decay and data less reliable?)

liffikabout 1 hour ago
Spot on! That is exactly why I chose the legacy 16-bit method via CSM. It was a deliberate design choice to completely avoid the EFI bootloader and, consequently, bypass Secure Boot entirely.

By relying on Legacy BIOS, the system doesn't check for signed EFI binaries or block the custom boot drive. It drops directly into the 16-bit real mode, allowing me to do the job without dealing with UEFI handles, protocols, or security restrictions. It essentially eliminates the need for any exploits or moving physical RAM sticks to specialized breadboards!

P.S. I'm using AI to translate my messages because I don't speak English. Hope my point is clear!

wmfabout 1 hour ago
CSM does not bypass secure boot or any initialization that UEFI performs (because UEFI runs before the CSM).
liffikabout 4 hours ago
Hey security researchers!

I've released BareMetal-RAM-Dumper — a low-level x86 utility for dumping physical RAM directly to disk, designed for Cold Boot Attack research.

What it does: • Custom 512-byte bootloader (no OS needed) • Boots via BIOS Legacy CSM • Switches to Unreal Mode to access 32-bit physical memory • Dumps RAM in 32KB chunks directly to USB drive • BIOS INT 0x15 E820 for safe memory map parsing • Real-time progress indicator

Cold Boot Attack Use Case: Freeze a laptop's RAM to -60°C → quickly reboot from USB → capture full memory contents for forensic analysis & crypto key recovery

How it works: 1. Stage1: 512-byte boot sector (loads Stage2 via INT 0x13) 2. Stage2: Main logic (memory detection, unreal mode, disk writes) 3. Writes to LBA 64+ on boot drive

Warning: This overwrites data starting at sector 64! Use a dedicated blank USB.

Built with pure Assembly (NASM) — no bloat, direct hardware access

GitHub: https://github.com/pIat0n/BareMetal-RAM-Dumper License: AGPL-3.0

Perfect for: Forensic researchers Security auditors testing cold boot resilience Students learning low-level x86 Penetration testers

Feedback & improvements welcome!

saidnooneeverabout 2 hours ago
interesting stuff, never tried this specifically. you could try to adapt it to uefi too, edk2 is tricky to work with but not too hard to do it.

it might make it more easy for ppl to play with since most modern machines dont come with BIOS anymore.

uefi might trample more ram during its init but its not a lot of memory.

liffikabout 1 hour ago
Good point! I originally went with Legacy BIOS because 16-bit boot support is historically enabled by default on the vast majority of target machines out there. It keeps the bootloader tiny and hardware access as direct as possible. However, as CSM is virtually dead on the newest hardware, adapting it to UEFI is the inevitable next step.
anyaya1about 2 hours ago
DevTool ecosystem