Discussion summary
A developer released BareMetal-RAM-Dumper, a tool for Cold Boot Attack experiments on x86 systems. The discussion covers potential adaptations, usability improvements, and technical considerations.
What the discussion says
- The tool is useful for security research and Cold Boot Attacks.
- Some suggest adapting it for UEFI to improve usability.
- Concerns about how early in the boot process the tool can run.
“This would be much more usable if you'd put a file system on the USB stick.”
“The code is trivial and could be easily replicated by an LLM.”
Comments
Hacker News
by anyaya1
I've released BareMetal-RAM-Dumper — a low-level x86 utility for dumping physical RAM directly to disk, designed for Cold Boot Attack research.
What it does: • Custom 512-byte bootloader (no OS needed) • Boots via BIOS Legacy CSM • Switches to Unreal Mode to access 32-bit physical memory • Dumps RAM in 32KB chunks directly to USB drive • BIOS INT 0x15 E820 for safe memory map parsing • Real-time progress indicator
Cold Boot Attack Use Case: Freeze a laptop's RAM to -60°C → quickly reboot from USB → capture full memory contents for forensic analysis & crypto key recovery
How it works: 1. Stage1: 512-byte boot sector (loads Stage2 via INT 0x13) 2. Stage2: Main logic (memory detection, unreal mode, disk writes) 3. Writes to LBA 64+ on boot drive
Warning: This overwrites data starting at sector 64! Use a dedicated blank USB.
Built with pure Assembly (NASM) — no bloat, direct hardware access
GitHub: https://github.com/pIat0n/BareMetal-RAM-Dumper License: AGPL-3.0
Perfect for: Forensic researchers Security auditors testing cold boot resilience Students learning low-level x86 Penetration testers
Feedback & improvements welcome!
by liffik
it might make it more easy for ppl to play with since most modern machines dont come with BIOS anymore.
uefi might trample more ram during its init but its not a lot of memory.
by saidnooneever
> Warning: This overwrites data starting at sector 64! Use a dedicated blank USB.
This would be much more usable if you'd put a file system on the USB stick with a sufficiently large, empty, bianco file.
Note, you don't need to implement a file system driver. Just create it with a big enough file and use that file's starting sector instead of 64. You could even update the file's size with the data written (just one more sector write, and again, you don't need to interpret the file system, just patch one integer in a sector).
I'd recommend ext2 (FAT is not good, because it limits files to 2G, and exFAT is in patent hell). Create with mkfs.ext, add a large file with dd, then save the data as a bunch of "db" lines into your asm source. You'd then assemble the file system along with stage1/2 without the need to interpret what you're writing.
Oh, one more thing: some BIOS checks the first bytes of the boot sector as well (not just the last two bytes), so you should start your boot sector with a short jmp and a nop. Also it's not guaranteed that direction flag is cleared, add a cld after cli.
To get some ideas, here's a boot sector that loads an EFI PE/COFF executable from a FAT file system (without interpreting the fs), sets up long mode and executes it:
https://gitlab.com/bztsrc/easyboot/-/blob/main/src/boot_x86....
(Notes: written for the flatassembler, which uses a very very similar Intel syntax like nasm, and the 2nd stage EFI executable is written in C very carefully so it doesn't matter if it's loaded by this boot sector on BIOS or by the UEFI firmware, the same binary just works everywhere.)
As for developing EFI apps, I don't use EDK2, because it's messy and bloated, instead I've written my own UEFI SDK: https://gitlab.com/bztsrc/posix-uefi it's much easier to use, you might find it useful too.
by skrellm
by Joel_Mckay
by alfiedotwtf
by wmf
by Retr0id
by Dwedit
RAID cards have option ROM that can run before a bootloader has started, that is one way to get something running earlier.
by Dwedit
UEFi has a different interface, not IVT to make BIOS calls and no code to catch them. you would use raw disk access protocols its really easy maybe even easier once u know how to use handles and protocols in uefi to implement this for uefi.
the problem then becomes secureboot, which if enabled will be bypassable only via misconfigurations or exploits. it would refuse to from the usb or an alternate disk image when set up correctly and no exploits are known by the dumper.
for that reason there's i think attacks that can be done by removing the ram sticks and sticking them into specialized device to dump it.
theres some tutorials on how to connect ram sticks to breadboards etc. , but idk if theres other details besides raw talking to the ram and dumping it that would make it less reliable. (not sure how long bits are retained, usually ud wanna reboot and instant dump afaik if its totally off for a while its unrecoverable but i am not really sure on that last part. (so removing it to seat them in another device might make bits decay and data less reliable?)
by saidnooneever
Could you elaborate on this? What device did you test on, what was the test procedure, and what was the outcome?
by Retr0id
The testing procedure was a classic physical Cold Boot Attack:
Froze the RAM modules while the target system was fully operational.
Performed a hard power-off.
Quickly swapped the original system drive with my own prepared drive containing the BareMetal-RAM-Dumper.
Powered the system back on and booted directly into the custom bootloader via Legacy BIOS.
The result: Absolutely successful. The dumper immediately took control, switched to Unreal Mode, and successfully dumped the raw physical memory directly to the disk without any OS interference or data trampling.
P.S. I'm using AI to translate my messages because I don't speak English. Hope everything is clear!
by liffik
by ranger_danger
by floralhangnail
by masa-kozu
To answer @floralhangnail's questions from the perspective of how my dumper operates:
Removing RAM vs. Rebooting: My tool actually doesn't require removing the RAM sticks at all! The attack involves freezing the RAM in place, performing a hard power-off, quickly swapping the main system drive with my prepared USB/drive, and powering back on. So physical obstacles like hot-gluing the RAM or hiding it under the keyboard won't stop this specific reboot-based attack.
BIOS Passwords & Secure Boot: You nailed it—these are your best practical defenses on standard hardware. If a BIOS password prevents booting from external media, or if Secure Boot blocks my unsigned 16-bit bootloader, the time it takes to bypass them means the RAM bits will decay. This is exactly why my dumper targets systems with CSM/Legacy BIOS enabled and boot options accessible.
Condensation & Freezing: You don't freeze the entire laptop. You open the bottom cover and spray inverted canned air (-60°C) directly onto the memory modules. Condensation definitely happens and will eventually short the board, but the hardware usually survives just long enough (the few minutes needed) to complete the raw memory dump to disk.
P.S. I'm using AI to translate my messages because I don't speak English. Hope this clears up the physical attack vector!
by liffik
by memoriyato3
by himata4113
Something like bluetooth beacon paired to discreet BLE jewelry, WiFi signals -if the paired connection suddenly disappears, newly inserted human input devices (mouse jugglers to disable screensavers), unregistered face-detected, minimal gryoscope add-on looking for sudden velocity change, etc
All of these carry significant usability trade-offs, so probably only worthwhile if you are running the Silk Road and actively hiring hitmen.
by 3eb7988a1663
by Retr0id
Now, memory can be cryogenic spray treated (upside-down air-duster) and removed within a minute... the content can be reader dumped for key recovery. This is why systems are bolted to the floor, and locked. It buys time to armadillo a system, and lock the SMART power-cycle tamper detection.
With physical access it is almost impossible to block forensic recovery with collocated keys. TPM and IME would be illegal if they actually worked. lol =3
by Joel_Mckay
Join the discussion
Write your take first — we'll ask for email only when you're ready to publish.
- Hacker News
- DevTool ecosystemby anyaya1
- Hey security researchers!
I've released BareMetal-RAM-Dumper — a low-level x86 utility for dumping physical RAM directly to disk, designed for Cold Boot Attack research.
What it does: • Custom 512-byte bootloader (no OS needed) • Boots via BIOS Legacy CSM • Switches to Unreal Mode to access 32-bit physical memory • Dumps RAM in 32KB chunks directly to USB drive • BIOS INT 0x15 E820 for safe memory map parsing • Real-time progress indicator
Cold Boot Attack Use Case: Freeze a laptop's RAM to -60°C → quickly reboot from USB → capture full memory contents for forensic analysis & crypto key recovery
How it works: 1. Stage1: 512-byte boot sector (loads Stage2 via INT 0x13) 2. Stage2: Main logic (memory detection, unreal mode, disk writes) 3. Writes to LBA 64+ on boot drive
Warning: This overwrites data starting at sector 64! Use a dedicated blank USB.
Built with pure Assembly (NASM) — no bloat, direct hardware access
GitHub: https://github.com/pIat0n/BareMetal-RAM-Dumper License: AGPL-3.0
Perfect for: Forensic researchers Security auditors testing cold boot resilience Students learning low-level x86 Penetration testers
Feedback & improvements welcome!
by liffik - interesting stuff, never tried this specifically. you could try to adapt it to uefi too, edk2 is tricky to work with but not too hard to do it.
it might make it more easy for ppl to play with since most modern machines dont come with BIOS anymore.
uefi might trample more ram during its init but its not a lot of memory.
by saidnooneever - Hi dev,
> Warning: This overwrites data starting at sector 64! Use a dedicated blank USB.
This would be much more usable if you'd put a file system on the USB stick with a sufficiently large, empty, bianco file.
Note, you don't need to implement a file system driver. Just create it with a big enough file and use that file's starting sector instead of 64. You could even update the file's size with the data written (just one more sector write, and again, you don't need to interpret the file system, just patch one integer in a sector).
I'd recommend ext2 (FAT is not good, because it limits files to 2G, and exFAT is in patent hell). Create with mkfs.ext, add a large file with dd, then save the data as a bunch of "db" lines into your asm source. You'd then assemble the file system along with stage1/2 without the need to interpret what you're writing.
Oh, one more thing: some BIOS checks the first bytes of the boot sector as well (not just the last two bytes), so you should start your boot sector with a short jmp and a nop. Also it's not guaranteed that direction flag is cleared, add a cld after cli.
To get some ideas, here's a boot sector that loads an EFI PE/COFF executable from a FAT file system (without interpreting the fs), sets up long mode and executes it:
https://gitlab.com/bztsrc/easyboot/-/blob/main/src/boot_x86....
(Notes: written for the flatassembler, which uses a very very similar Intel syntax like nasm, and the 2nd stage EFI executable is written in C very carefully so it doesn't matter if it's loaded by this boot sector on BIOS or by the UEFI firmware, the same binary just works everywhere.)
As for developing EFI apps, I don't use EDK2, because it's messy and bloated, instead I've written my own UEFI SDK: https://gitlab.com/bztsrc/posix-uefi it's much easier to use, you might find it useful too.
by skrellm - Threadlocker red, checkmate... lol =3by Joel_Mckay
- Phew! Luckily I store all my keys at the 5Gb mark!by alfiedotwtf
- Haters, please stop flagging liffik's comments. I know you don't like AI but this thread was legitimately upvoted onto the front page so at least let the author respond to people.by wmf
- The code in the submitted repo is trivial and could be oneshot by an LLM, even if it wasn't. The potentially interesting thing here is what OP was able to achieve with it, and we're only getting pasted LLM output for that, which isn't very interesting.by Retr0id
- Does it stop EFI from running first? I'd think that EFI would be clobbering a whole lot of RAM.by Dwedit
- Anyway, to get access to RAM before it is clobbered by other software, you need to run your code really really early. By the time the BIOS has decided to let you run code from a USB stick, it could be way too late.
RAID cards have option ROM that can run before a bootloader has started, that is one way to get something running earlier.
by Dwedit - this will work on BIOs systems and possibly systems with CSM mode which emulate legacy BIOS in efi.
UEFi has a different interface, not IVT to make BIOS calls and no code to catch them. you would use raw disk access protocols its really easy maybe even easier once u know how to use handles and protocols in uefi to implement this for uefi.
the problem then becomes secureboot, which if enabled will be bypassable only via misconfigurations or exploits. it would refuse to from the usb or an alternate disk image when set up correctly and no exploits are known by the dumper.
for that reason there's i think attacks that can be done by removing the ram sticks and sticking them into specialized device to dump it.
theres some tutorials on how to connect ram sticks to breadboards etc. , but idk if theres other details besides raw talking to the ram and dumping it that would make it less reliable. (not sure how long bits are retained, usually ud wanna reboot and instant dump afaik if its totally off for a while its unrecoverable but i am not really sure on that last part. (so removing it to seat them in another device might make bits decay and data less reliable?)
by saidnooneever - > successfully tested
Could you elaborate on this? What device did you test on, what was the test procedure, and what was the outcome?
by Retr0id - Sure! The testing was conducted on a specific industrial x86 board (DPX-W250 Rev. A1). I won't go into details about the exact equipment it came from, but it provided a perfect bare-metal environment for this research))))
The testing procedure was a classic physical Cold Boot Attack:
Froze the RAM modules while the target system was fully operational.
Performed a hard power-off.
Quickly swapped the original system drive with my own prepared drive containing the BareMetal-RAM-Dumper.
Powered the system back on and booted directly into the custom bootloader via Legacy BIOS.
The result: Absolutely successful. The dumper immediately took control, switched to Unreal Mode, and successfully dumped the raw physical memory directly to the disk without any OS interference or data trampling.
P.S. I'm using AI to translate my messages because I don't speak English. Hope everything is clear!
by liffik - Not the author, but this is an extremely simple tool that is not written with any device-specific code... it should work on most any x86-based PC device (plain BIOS or a UEFI system with CSM support enabled).by ranger_danger
- Are there any tricks or guides out there to protect from this attack? Obviously not leaving hardware running and unattended, but what else can help protect you if your running laptop is stolen out of your hands? Workstations can be configured to shutdown upon intrusion switch being activated but what about laptops? I guess hot gluing the RAM in would be a physical obstacle. What about a BIOS password being required for booting from external media or having secure boot enabled? There are exploits to bypass those things, but to an attacker not finding out they are up against that until they reboot, I would hope that would slow them down enough that they fail. If half of or all of the RAM is mounted under the keyboard, I think they would have difficulty getting it out in time. Besides spraying the RAM directly, can you freeze an entire laptop while it's still running? Won't condensation cause problems pretty quickly?by floralhangnail
- Just as a side note, memory encryption isn't limited to niche secure hardware anymore. Mainstream x86 CPUs have supported it for years: AMD has SME/TSME (and SEV on the server side), while Intel provides TME/MKTME. The memory controller transparently encrypts DRAM contents with hardware-managed keys, so protection against physical memory extraction attacks is already available on many ordinary PCs and servers.by masa-kozu
- @Retr0id is absolutely right. Hardware-level memory encryption (like AMD SME or Intel TME) is the ultimate silver bullet here. The encryption key is generated by the CPU/memory controller per-boot and is lost the moment power is cut, making the RAM contents useless even if frozen.
To answer @floralhangnail's questions from the perspective of how my dumper operates:
Removing RAM vs. Rebooting: My tool actually doesn't require removing the RAM sticks at all! The attack involves freezing the RAM in place, performing a hard power-off, quickly swapping the main system drive with my prepared USB/drive, and powering back on. So physical obstacles like hot-gluing the RAM or hiding it under the keyboard won't stop this specific reboot-based attack.
BIOS Passwords & Secure Boot: You nailed it—these are your best practical defenses on standard hardware. If a BIOS password prevents booting from external media, or if Secure Boot blocks my unsigned 16-bit bootloader, the time it takes to bypass them means the RAM bits will decay. This is exactly why my dumper targets systems with CSM/Legacy BIOS enabled and boot options accessible.
Condensation & Freezing: You don't freeze the entire laptop. You open the bottom cover and spray inverted canned air (-60°C) directly onto the memory modules. Condensation definitely happens and will eventually short the board, but the hardware usually survives just long enough (the few minutes needed) to complete the raw memory dump to disk.
P.S. I'm using AI to translate my messages because I don't speak English. Hope this clears up the physical attack vector!
by liffik - on AMD/Intel CPUs from the last 5 years you just need to enable hardware memory encryption in the BIOSby memoriyato3
- I just run everything thru a remote controlled power socket so I can remotely shut down everything and also (unintentionally) realized that I can detect when the my case is opened by observing temperature on one of the motherboard sensors so I thought about making that trigger a shutdown. My laptop shuts down power when opened as a feature already.by himata4113
- Have the laptop continually monitor the physical environment - if anything abruptly changes, system automatically locks. If a decryption key is not provided after X seconds, force a reboot.
Something like bluetooth beacon paired to discreet BLE jewelry, WiFi signals -if the paired connection suddenly disappears, newly inserted human input devices (mouse jugglers to disable screensavers), unregistered face-detected, minimal gryoscope add-on looking for sudden velocity change, etc
All of these carry significant usability trade-offs, so probably only worthwhile if you are running the Silk Road and actively hiring hitmen.
by 3eb7988a1663 - Hardware memory encryption, with key randomly generated per-boot within the memory controller.by Retr0id
- Encrypted MMU were very common on enterprise hardware at one time.
Now, memory can be cryogenic spray treated (upside-down air-duster) and removed within a minute... the content can be reader dumped for key recovery. This is why systems are bolted to the floor, and locked. It buys time to armadillo a system, and lock the SMART power-cycle tamper detection.
With physical access it is almost impossible to block forensic recovery with collocated keys. TPM and IME would be illegal if they actually worked. lol =3
by Joel_Mckay
Related stories
Jim's TrueType QR Code Font
github.com · 177 points · 22 comments
Rowboat – Open-source, local-first alternative to Claude Desktop
github.com · 158 points · 45 comments
MacSurf 1.68 – NetSurf on OS 9 Released
github.com · 76 points · 18 comments
Docx-CLI: agents read/edit Word docs using 1/2 the time and tokens
github.com · 64 points · 26 comments
GitHub Freno: cooperative, highly available throttler service
github.com · 40 points · 1 comments
Pure-Python symbolic regression that rediscovered Kepler's law from 8 data point
github.com · 38 points · 12 comments