Hacker News

BareMetal RAM Dumper – Bare-metal x86 tool for Cold Boot Attack experiments

32 points by liffik today at 5:37 PM | 6 comments

Comments

Dwedit today at 7:14 PM

Does it stop EFI from running first? I'd think that EFI would be clobbering a whole lot of RAM.

Retr0id today at 6:01 PM

> successfully tested

Could you elaborate on this? What device did you test on, what was the test procedure, and what was the outcome?

anyaya1 today at 7:46 PM

DevTool ecosystem

liffik today at 5:37 PM

Hey security researchers!

I've released BareMetal-RAM-Dumper — a low-level x86 utility for dumping physical RAM directly to disk, designed for Cold Boot Attack research.

What it does:
• Custom 512-byte bootloader (no OS needed)
• Boots via BIOS Legacy CSM
• Switches to Unreal Mode to access 32-bit physical memory
• Dumps RAM in 32KB chunks directly to USB drive
• BIOS INT 0x15 E820 for safe memory map parsing
• Real-time progress indicator

Cold Boot Attack Use Case: Freeze a laptop's RAM to -60°C → quickly reboot from USB → capture full memory contents for forensic analysis & crypto key recovery

How it works:
1. Stage1: 512-byte boot sector (loads Stage2 via INT 0x13)
2. Stage2: Main logic (memory detection, unreal mode, disk writes)
3. Writes to LBA 64+ on boot drive

Warning: This overwrites data starting at sector 64! Use a dedicated blank USB.

Built with pure Assembly (NASM) — no bloat, direct hardware access

GitHub: https://github.com/pIat0n/BareMetal-RAM-Dumper
License: AGPL-3.0

Perfect for:
• Forensic researchers
• Security auditors testing cold boot resilience
• Students learning low-level x86
• Penetration testers

Feedback & improvements welcome!

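For analysts working with a dump produced this way, here is an added example (not part of the post or of the BareMetal-RAM-Dumper code) that decodes the standard 20-byte INT 0x15 E820 records and maps dump sectors back to physical addresses. It assumes, hypothetically, that usable ranges below 4 GiB are written back to back starting at LBA 64; the post does not state the on-disk layout, and the sample map is constructed.

```python
import struct

SECTOR, CHUNK = 512, 32 * 1024   # 32 KB chunk size is stated in the post
DUMP_START_LBA = 64              # first LBA written, per the post
LIMIT_4G = 1 << 32               # post: 32-bit physical memory only
E820_USABLE = 1                  # E820 type 1 = usable RAM

def parse_e820(raw, entry_size=20):
    """Decode INT 15h E820 records: u64 base, u64 length, u32 type."""
    recs = []
    for off in range(0, len(raw) - entry_size + 1, entry_size):
        base, length, typ = struct.unpack_from("<QQI", raw, off)
        if length:                       # skip empty records
            recs.append((base, length, typ))
    return sorted(recs)                  # firmware order is not guaranteed

def usable_below_4g(recs):
    """Type-1 ranges clipped to 4 GiB, touching/overlapping ones merged."""
    out = []
    for base, length, typ in recs:
        end = min(base + length, LIMIT_4G)
        if typ != E820_USABLE or base >= end:
            continue                     # reserved/ACPI/above-4G: not dumped
        if out and base <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], end))
        else:
            out.append((base, end))
    return out

def dump_layout(ranges):
    """ASSUMED layout: each range written back to back from LBA 64."""
    layout, lba = [], DUMP_START_LBA
    for start, end in ranges:
        layout.append((lba, start, end))
        lba += -(-(end - start) // SECTOR)   # round up to whole sectors
    return layout, lba

def lba_to_phys(layout, lba):
    """Physical address held in a dump sector, or None if outside the dump."""
    for first, start, end in layout:
        addr = start + (lba - first) * SECTOR
        if lba >= first and addr < end:
            return addr
    return None

def chunk_count(ranges):
    """Number of 32 KB transfers needed, rounding each range up."""
    return sum(-(-(end - start) // CHUNK) for start, end in ranges)

# Constructed sample map (not captured from real hardware).
SAMPLE_E820 = b"".join(struct.pack("<QQI", *r) for r in [
    (0x100000, 0x7FEF0000, 1), (0x0, 0x9FC00, 1), (0x9FC00, 0x400, 2),
    (0xF0000, 0x10000, 2), (0x7FFF0000, 0x10000, 3),
    (0x100000000, 0x80000000, 1)])
```

Overlaps between a usable record and a reserved one are not resolved here; a real map with such overlaps needs the reserved type to take precedence before the ranges are trusted.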