BareMetal RAM Dumper – Bare-metal x86 tool for Cold Boot Attack experiments

TL;DR

A novel bare-metal x86 tool has been released that can boot from USB and dump system RAM directly to disk, aiding Cold Boot Attack experiments. It operates independently of an OS, using BIOS interrupts to access memory and disk.

A new bare-metal x86 tool has been developed that can boot from a USB drive and directly dump the system’s RAM to storage, bypassing the need for an operating system. This tool, designed specifically for Cold Boot Attack experiments, leverages BIOS interrupts and unreal mode to access and extract data from memory modules before data decay occurs. Its release marks a significant step for security researchers testing physical memory extraction techniques.

The tool operates at the firmware level, booting from a disk or USB drive without requiring an OS. It uses a custom bootloader written in assembly, which initializes BIOS and loads a second stage loader that performs the core memory dumping process. The main logic involves querying the BIOS for the system’s memory map, then iterating through RAM in 32KB chunks. It switches to unreal mode—a mode that allows access to memory above 1MB—to copy data from high memory regions into a buffer, then writes this data directly to the disk using BIOS extended disk services.

Developed with NASM, users can compile the tool and write it to a USB drive using common disk imaging utilities. When booted on a target machine with legacy BIOS enabled, it begins dumping RAM immediately, displaying progress in percentage. The process overwrites data starting at sector 64 on the boot device, so a dedicated, blank USB is recommended to avoid overwriting important data.
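For an analyst sizing the dedicated USB drive or locating a physical address inside the resulting image, the layout arithmetic implied by the description above can be worked through as follows. This is an added example, not the tool's own code. It assumes the BIOS memory map arrives as packed 20-byte E820-style entries, that sectors are 512 bytes, and that only usable regions are dumped back to back; the page states only the 32 KB chunk size and the starting sector 64.

```python
import struct

SECTOR = 512            # assumption: 512-byte sectors on the boot device
CHUNK = 32 * 1024       # 32 KB chunk size, from the article
START_LBA = 64          # first sector the dump overwrites, from the article
USABLE = 1              # E820 type 1 = usable RAM

def parse_e820(blob):
    """Decode packed 20-byte entries: base (u64), length (u64), type (u32)."""
    if len(blob) % 20:
        raise ValueError("truncated memory map")
    return [struct.unpack_from("<QQI", blob, off) for off in range(0, len(blob), 20)]

def plan_dump(entries):
    """Return [(phys_addr, length, lba)] for every chunk of usable RAM."""
    plan, lba = [], START_LBA
    for base, length, kind in sorted(entries):
        if kind != USABLE or length == 0:
            continue                            # assumption: reserved/ACPI ranges are skipped
        addr, end = base, base + length
        while addr < end:
            size = min(CHUNK, end - addr)       # last chunk of a region may be short
            plan.append((addr, size, lba))
            lba += -(-size // SECTOR)           # round up to whole sectors
            addr += size
    return plan

def required_sectors(plan):
    """Sectors the device must provide, counting the 64 skipped at the start."""
    if not plan:
        return START_LBA
    _, size, lba = plan[-1]
    return lba + -(-size // SECTOR)

def image_offset(plan, phys):
    """Byte offset in the device image that holds physical address phys, or None."""
    for addr, size, lba in plan:
        if addr <= phys < addr + size:
            return lba * SECTOR + (phys - addr)
    return None

# Constructed sample map (not taken from a real machine)
SAMPLE = b"".join(struct.pack("<QQI", *e) for e in [
    (0x00000000, 0x0009FC00, 1),   # conventional memory
    (0x0009FC00, 0x00000400, 2),   # reserved (EBDA)
    (0x000F0000, 0x00010000, 2),   # reserved (BIOS ROM)
    (0x00100000, 0x07EE0000, 1),   # usable RAM above 1 MB
    (0x07FE0000, 0x00020000, 3),   # ACPI reclaimable
])
```
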

At a glance
When: developing; released recently and teste…
The development: A new bare-metal tool for x86 systems enables direct RAM dumping via BIOS, supporting Cold Boot Attack research and testing.

Potential Impact on Cold Boot Attack Research

This tool simplifies the process of extracting volatile memory contents from x86 systems, which is critical for security testing and understanding physical attack vectors. By operating independently of an OS, it reduces the complexity and detection surface for attackers or researchers attempting to recover sensitive information, such as encryption keys, from RAM before data decay. Its availability could accelerate research into physical memory attacks and influence security defenses against such threats.

Background on Cold Boot Attacks and Memory Dumping Tools

Cold Boot Attacks exploit the fact that RAM retains data for a short period after power loss, especially when cooled to very low temperatures. Researchers have long sought methods to quickly dump RAM contents during these attacks, often requiring specialized hardware or complex software setups. Prior approaches typically involved booting into minimal environments or using hardware-based memory acquisition tools. This new bare-metal tool simplifies the process by enabling direct memory access at the firmware level, making it easier to perform such attacks in controlled testing environments.

Developed as an experimental tool, it demonstrates how firmware-level access can be leveraged for security research, highlighting potential vulnerabilities in physical access scenarios. Its release aligns with ongoing efforts to understand and mitigate physical memory extraction threats.

“This tool makes Cold Boot Attack experiments more accessible and straightforward, lowering the barrier for security researchers to test physical memory extraction.”

— an anonymous researcher

Unclear Aspects of the Tool’s Capabilities and Limitations

It is not yet confirmed how widely compatible the tool is across different hardware configurations or BIOS implementations. The effectiveness of the tool in real-world scenarios, especially with systems employing newer firmware or security features like UEFI, remains untested. Additionally, the potential for detection or countermeasures against such firmware-based RAM dumping is still unknown. The scope of its use in practical attack scenarios versus controlled experiments is also unclear.

Next Steps for Development and Security Community Evaluation

Security researchers and hardware vendors are likely to examine the tool’s code and capabilities to assess its potential impact. Future developments may include adapting the tool for UEFI systems or enhancing its compatibility with a broader range of hardware. Meanwhile, the security community will evaluate the threat it poses and consider mitigation strategies. Further testing in diverse environments will determine the practical limits and risks associated with firmware-based RAM dumping.

Key Questions

How does the tool access system memory without an operating system?

It operates at the firmware level, using BIOS interrupts and unreal mode to directly access physical memory regions above 1MB, bypassing the need for an OS.

Can this tool be used on UEFI systems?

Currently, it is designed for legacy BIOS (CSM) boot environments; its compatibility with UEFI systems has not been confirmed and may require modifications.

What are the risks of using this tool?

Using this tool on live systems can overwrite data on the boot device and may cause system instability. It is intended for controlled testing environments only.

Is this tool detectable by security software?

Since it runs independently of an OS and operates at the firmware level, it is unlikely to be detected by conventional security software during operation.

What is the main purpose of this tool?

It is designed primarily for security research and testing, specifically to facilitate Cold Boot Attack experiments by enabling direct RAM dumping.

Source: Hacker News
