BareMetal RAM Dumper – Bare-metal x86 tool for Cold Boot Attack experiments

liffik9 pts1 comments

GitHub - pIat0n/BareMetal-RAM-Dumper: A bare-metal x86 utility to dump physical RAM directly to disk. Built and tested for Cold Boot Attack experiments on frozen memory. · GitHub


BareMetal RAM Dumper

A simple x86 bare-metal tool designed to boot from a disk/USB and dump the system's RAM directly to the booting medium. It relies on BIOS interrupts to boot and perform disk operations, and enters unreal mode to access memory above the 1MB barrier.

Background: Cold Boot Attacks ❄️

This tool was originally developed and successfully tested for experimenting with Cold Boot Attacks. By freezing a laptop's RAM (down to -60°C) and quickly rebooting from a USB drive containing this tool, it is possible to dump the frozen memory contents to the disk before the data decays, allowing for the extraction of sensitive information like encryption keys.

Features

Custom Bootloader: Boots directly from the BIOS (Legacy CSM). No OS required.

Unreal Mode: Switches temporarily to unreal mode to access and read 32-bit physical memory addresses.

Memory Map parsing: Uses BIOS INT 0x15 E820 to detect valid RAM regions and avoid dumping reserved memory or memory-mapped I/O.

Direct Disk Write: Uses BIOS INT 0x13 AH=0x43 (Extended Write) to write the memory contents directly back to the boot drive starting at LBA 64.

How it Works

stage1.asm is a 512-byte boot sector. It initializes segment registers, sets up the stack, and uses Extended Read (INT 0x13 AH=0x42) to load stage2 from LBA 1 into memory at 0x8000. Then it jumps to stage2.

stage2.asm performs the main logic:

Queries the BIOS for EDD (Enhanced Disk Drive) support.

Gets the memory map using INT 0x15 E820.

Calculates the maximum RAM size.

Loops through RAM in 32KB chunks.

For each chunk, it switches to unreal mode to copy data from high memory into a low memory buffer (0x90000).

Writes the 32KB chunk to disk using Extended Write, starting at LBA 64.

Prints a progress percentage on the screen.
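The sizing arithmetic implied by the steps above, as an added example (not code from the repository): it decodes a constructed E820 map, finds the top of usable RAM, and computes how many 32KB chunks and which LBAs a dump would occupy. The packed 20-byte entry form, the linear layout from physical address 0, the 4 GiB cap and all function names are assumptions.

```python
import struct

SECTOR = 512
CHUNK = 32 * 1024        # chunk size stated in the README
DUMP_START_LBA = 64      # first dump sector stated in the README
E820_USABLE = 1          # E820 type 1 = usable RAM; other types are reserved, ACPI, etc.

def parse_e820(raw):
    """Decode packed 20-byte E820 entries into (base, length, type) tuples."""
    if len(raw) % 20:
        raise ValueError("truncated E820 table")
    return [struct.unpack_from("<QQI", raw, off) for off in range(0, len(raw), 20)]

def top_of_ram(entries, limit=1 << 32):
    """End of the highest usable region, capped at `limit`.
    Assumption: the 32-bit addressing in the feature list means RAM at or
    above 4 GiB is not captured."""
    top = 0
    for base, length, kind in entries:
        if kind == E820_USABLE and length and base < limit:
            top = max(top, min(base + length, limit))
    return top

def phys_to_lba(addr):
    """Disk sector holding physical address `addr` (assumed linear layout)."""
    return DUMP_START_LBA + addr // SECTOR

def plan_dump(entries, boot_image_len):
    """Return (chunks, last_lba, min_drive_bytes) for a dump of [0, top_of_ram)."""
    if boot_image_len > DUMP_START_LBA * SECTOR:
        raise ValueError("boot image extends into the dump area at LBA 64")
    chunks = -(-top_of_ram(entries) // CHUNK)          # round up to whole chunks
    last_lba = DUMP_START_LBA + chunks * (CHUNK // SECTOR) - 1
    return chunks, last_lba, (last_lba + 1) * SECTOR

# Constructed sample map (not from a real machine).
SAMPLE = b"".join(struct.pack("<QQI", *e) for e in [
    (0x00000000, 0x0009FC00, 1),   # conventional memory
    (0x0009FC00, 0x00000400, 2),   # EBDA, reserved
    (0x000F0000, 0x00010000, 2),   # BIOS ROM, reserved
    (0x00100000, 0x7FEF0000, 1),   # main RAM, ends at 0x7FFF0000
    (0x7FFF0000, 0x00010000, 3),   # ACPI reclaimable
    (0xFEC00000, 0x00001000, 2),   # memory-mapped I/O
    (0x100000000, 0x80000000, 1),  # RAM above 4 GiB
])

if __name__ == "__main__":
    chunks, last_lba, need = plan_dump(parse_e820(SAMPLE), boot_image_len=512 + 4096)
    print(f"{chunks} chunks, last LBA {last_lba}, drive must hold {need} bytes")
```

Under these assumptions, `phys_to_lba` also lets an analyst locate a physical address inside the resulting disk image.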

Warning ⚠️

This tool writes raw data directly to the boot drive starting at Sector 64!

If you write this to a USB drive containing important data, the RAM dump will overwrite whatever is present at LBA 64 and beyond. Use a dedicated, blank USB flash drive for this purpose.

Building

You will need NASM installed to compile this project.

On Windows, run the provided build script:

build.bat

On Linux, you can run:

nasm -f bin stage1.asm -o stage1.bin
nasm -f bin stage2.asm -o stage2.bin
cat stage1.bin stage2.bin > boot.bin

Usage

Build the project to generate boot.bin.

Write boot.bin to a USB drive (e.g. using dd on Linux/macOS, or Rufus / Win32DiskImager on Windows).

Note: Make sure your USB drive has enough space to hold your system's RAM.

Example (Linux): sudo dd if=boot.bin of=/dev/sdX bs=512

Boot your target PC from the USB drive (ensure Legacy BIOS / CSM boot is enabled).

Wait for the dump to complete (it will show 100%).

License

AGPL-3.0 license
