Not the author, but this is an extremely simple tool that is not written with any device-specific code... it should work on most any x86-based PC device (plain BIOS or a UEFI system with CSM support enabled).
Sure! The testing was conducted on a specific industrial x86 board (DPX-W250 Rev. A1). I won't go into details about the exact equipment it came from, but it provided a perfect bare-metal environment for this research))))
The testing procedure was a classic physical Cold Boot Attack:
Froze the RAM modules while the target system was fully operational.
Performed a hard power-off.
Quickly swapped the original system drive with my own prepared drive containing the BareMetal-RAM-Dumper.
Powered the system back on and booted directly into the custom bootloader via Legacy BIOS.
The result: Absolutely successful. The dumper immediately took control, switched to Unreal Mode, and successfully dumped the raw physical memory directly to the disk without any OS interference or data trampling.
P.S. I'm using AI to translate my messages because I don't speak English. Hope everything is clear!
this will work on BIOs systems and possibly systems with CSM mode which emulate legacy BIOS in efi.
UEFi has a different interface, not IVT to make BIOS calls and no code to catch them. you would use raw disk access protocols its really easy maybe even easier once u know how to use handles and protocols in uefi to implement this for uefi.
the problem then becomes secureboot, which if enabled will be bypassable only via misconfigurations or exploits. it would refuse to from the usb or an alternate disk image when set up correctly and no exploits are known by the dumper.
for that reason there's i think attacks that can be done by removing the ram sticks and sticking them into specialized device to dump it.
theres some tutorials on how to connect ram sticks to breadboards etc. , but idk if theres other details besides raw talking to the ram and dumping it that would make it less reliable. (not sure how long bits are retained, usually ud wanna reboot and instant dump afaik if its totally off for a while its unrecoverable but i am not really sure on that last part. (so removing it to seat them in another device might make bits decay and data less reliable?)
Spot on! That is exactly why I chose the legacy 16-bit method via CSM. It was a deliberate design choice to completely avoid the EFI bootloader and, consequently, bypass Secure Boot entirely.
By relying on Legacy BIOS, the system doesn't check for signed EFI binaries or block the custom boot drive. It drops directly into the 16-bit real mode, allowing me to do the job without dealing with UEFI handles, protocols, or security restrictions. It essentially eliminates the need for any exploits or moving physical RAM sticks to specialized breadboards!
P.S. I'm using AI to translate my messages because I don't speak English. Hope my point is clear!
I've released BareMetal-RAM-Dumper — a low-level x86 utility for dumping
physical RAM directly to disk, designed for Cold Boot Attack research.
What it does:
• Custom 512-byte bootloader (no OS needed)
• Boots via BIOS Legacy CSM
• Switches to Unreal Mode to access 32-bit physical memory
• Dumps RAM in 32KB chunks directly to USB drive
• BIOS INT 0x15 E820 for safe memory map parsing
• Real-time progress indicator
Cold Boot Attack Use Case:
Freeze a laptop's RAM to -60°C → quickly reboot from USB →
capture full memory contents for forensic analysis & crypto key recovery
How it works:
1. Stage1: 512-byte boot sector (loads Stage2 via INT 0x13)
2. Stage2: Main logic (memory detection, unreal mode, disk writes)
3. Writes to LBA 64+ on boot drive
Warning: This overwrites data starting at sector 64! Use a dedicated blank USB.
Built with pure Assembly (NASM) — no bloat, direct hardware access
Good point! I originally went with Legacy BIOS because 16-bit boot support is historically enabled by default on the vast majority of target machines out there. It keeps the bootloader tiny and hardware access as direct as possible. However, as CSM is virtually dead on the newest hardware, adapting it to UEFI is the inevitable next step.
Could you elaborate on this? What device did you test on, what was the test procedure, and what was the outcome?
The testing procedure was a classic physical Cold Boot Attack:
Froze the RAM modules while the target system was fully operational.
Performed a hard power-off.
Quickly swapped the original system drive with my own prepared drive containing the BareMetal-RAM-Dumper.
Powered the system back on and booted directly into the custom bootloader via Legacy BIOS.
The result: Absolutely successful. The dumper immediately took control, switched to Unreal Mode, and successfully dumped the raw physical memory directly to the disk without any OS interference or data trampling.
P.S. I'm using AI to translate my messages because I don't speak English. Hope everything is clear!
UEFi has a different interface, not IVT to make BIOS calls and no code to catch them. you would use raw disk access protocols its really easy maybe even easier once u know how to use handles and protocols in uefi to implement this for uefi.
the problem then becomes secureboot, which if enabled will be bypassable only via misconfigurations or exploits. it would refuse to from the usb or an alternate disk image when set up correctly and no exploits are known by the dumper.
for that reason there's i think attacks that can be done by removing the ram sticks and sticking them into specialized device to dump it.
theres some tutorials on how to connect ram sticks to breadboards etc. , but idk if theres other details besides raw talking to the ram and dumping it that would make it less reliable. (not sure how long bits are retained, usually ud wanna reboot and instant dump afaik if its totally off for a while its unrecoverable but i am not really sure on that last part. (so removing it to seat them in another device might make bits decay and data less reliable?)
By relying on Legacy BIOS, the system doesn't check for signed EFI binaries or block the custom boot drive. It drops directly into the 16-bit real mode, allowing me to do the job without dealing with UEFI handles, protocols, or security restrictions. It essentially eliminates the need for any exploits or moving physical RAM sticks to specialized breadboards!
P.S. I'm using AI to translate my messages because I don't speak English. Hope my point is clear!
I've released BareMetal-RAM-Dumper — a low-level x86 utility for dumping physical RAM directly to disk, designed for Cold Boot Attack research.
What it does: • Custom 512-byte bootloader (no OS needed) • Boots via BIOS Legacy CSM • Switches to Unreal Mode to access 32-bit physical memory • Dumps RAM in 32KB chunks directly to USB drive • BIOS INT 0x15 E820 for safe memory map parsing • Real-time progress indicator
Cold Boot Attack Use Case: Freeze a laptop's RAM to -60°C → quickly reboot from USB → capture full memory contents for forensic analysis & crypto key recovery
How it works: 1. Stage1: 512-byte boot sector (loads Stage2 via INT 0x13) 2. Stage2: Main logic (memory detection, unreal mode, disk writes) 3. Writes to LBA 64+ on boot drive
Warning: This overwrites data starting at sector 64! Use a dedicated blank USB.
Built with pure Assembly (NASM) — no bloat, direct hardware access
GitHub: https://github.com/pIat0n/BareMetal-RAM-Dumper License: AGPL-3.0
Perfect for: Forensic researchers Security auditors testing cold boot resilience Students learning low-level x86 Penetration testers
Feedback & improvements welcome!
it might make it more easy for ppl to play with since most modern machines dont come with BIOS anymore.
uefi might trample more ram during its init but its not a lot of memory.