BareMetal RAM Dumper – Bare-metal x86 tool for Cold Boot Attack experiments
Summary
A bare-metal x86 tool for dumping system RAM to a boot medium via cold boot attacks, useful for security research and experiments.
View Cached Full Text
Cached at: 07/04/26, 06:41 PM
pIat0n/BareMetal-RAM-Dumper
Source: https://github.com/pIat0n/BareMetal-RAM-Dumper
BareMetal RAM Dumper
A simple x86 bare-metal tool designed to boot from a disk/USB and dump the system’s RAM directly to the booting medium. It relies on BIOS interrupts to boot and perform disk operations, and enters unreal mode to access memory above the 1MB barrier.
Background: Cold Boot Attacks ❄️
This tool was originally developed and successfully tested for experimenting with Cold Boot Attacks. By freezing a laptop’s RAM (down to -60°C) and quickly rebooting from a USB drive containing this tool, it is possible to dump the frozen memory contents to the disk before the data decays, allowing for the extraction of sensitive information like encryption keys.
Features
- Custom Bootloader: Boots directly from the BIOS (Legacy CSM). No OS required.
- Unreal Mode: Switches temporarily to unreal mode to access and read 32-bit physical memory addresses.
- Memory Map parsing: Uses BIOS
INT 0x15 E820to detect valid RAM regions and avoid dumping reserved memory or memory-mapped I/O. - Direct Disk Write: Uses BIOS
INT 0x13 AH=0x43(Extended Write) to write the memory contents directly back to the boot drive starting at LBA 64.
How it Works
stage1.asmis a 512-byte boot sector. It initializes segment registers, sets up the stack, and uses Extended Read (INT 0x13 AH=0x42) to loadstage2from LBA 1 into memory at0x8000. Then it jumps tostage2.stage2.asmperforms the main logic:- Queries the BIOS for EDD (Enhanced Disk Drive) support.
- Gets the memory map using
INT 0x15 E820. - Calculates the maximum RAM size.
- Loops through RAM in 32KB chunks.
- For each chunk, it switches to unreal mode to copy data from high memory into a low memory buffer (
0x90000). - Writes the 32KB chunk to disk using Extended Write, starting at LBA 64.
- Prints a progress percentage on the screen.
Warning ⚠️
This tool writes raw data directly to the boot drive starting at Sector 64! If you write this to a USB drive containing important data, the RAM dump will overwrite whatever is present at LBA 64 and beyond. Use a dedicated, blank USB flash drive for this purpose.
Building
You will need NASM installed to compile this project.
On Windows, run the provided build script:
build.bat
On Linux, you can run:
nasm -f bin stage1.asm -o stage1.bin
nasm -f bin stage2.asm -o stage2.bin
cat stage1.bin stage2.bin > boot.bin
Usage
- Build the project to generate
boot.bin. - Write
boot.binto a USB drive (e.g. usingddon Linux/macOS, or Rufus / Win32DiskImager on Windows).- Note: Make sure your USB drive has enough space to hold your system’s RAM.
- Example (Linux):
sudo dd if=boot.bin of=/dev/sdX bs=512
- Boot your target PC from the USB drive (ensure Legacy BIOS / CSM boot is enabled).
- Wait for the dump to complete (it will show 100%).
Similar Articles
usbliter8- Apple A12/A13 bootrom exploit
This paper details a novel bootROM vulnerability in Apple A12/A13 SoCs, exploiting a hardware bug in the USB controller and a configuration flaw to achieve boot-chain compromise. A proof-of-concept is provided.
Arbitrary code execution in objdump -g
A security vulnerability in objdump -g allows arbitrary code execution via a crafted FR30 object file due to a missing bounds check in the FR30 relocation handler, with a single-shot exploit that defeats ASLR and other mitigations.
mmo-chip: Multiplayer CMOS Standard Cell Chips Reverse Engineering Tool
mmo-chip is an open-source tool for reverse-engineering CMOS standard cell chips from die photographs, offering die viewer, cell annotation, and Verilog netlist extraction.
HDD Firmware Hacking Part 1
The author details the process of dumping, analyzing, and modifying HDD firmware to introduce a delay for an Xbox 360 exploit, covering hardware and software techniques without AI assistance.
A Windows Kernel in a Browser Tab, Part I: Cold Boot, Fast Boot, and Four Megabytes
The article describes nanokrnl, a 64-bit Windows kernel written in Rust, and nanox, a 65KB WebAssembly emulator that boots it directly in long mode in a browser, achieving a running OS in about four megabytes.