BareMetal RAM Dumper – Bare-metal x86 tool for Cold Boot Attack experiments
liffik
59 points
40 comments
July 04, 2026
Related Discussions
Found 5 related stories in 1277.5ms across 14,015 title embeddings via pgvector HNSW
- Show HN: Zeroboot – sub-millisecond VM sandboxes using CoW memory forking adammiribyan · 19 pts · March 17, 2026 · 51% similar
- An Interesting Find: STM32 RDP1 Decryptor carlossless · 79 pts · March 02, 2026 · 50% similar
- Show HN: Sub-millisecond VM sandboxes using CoW memory forking adammiribyan · 106 pts · March 17, 2026 · 49% similar
- Running DOS on Behringers DDX3216 with a DIY x86-Bios from Scratch rasz · 86 pts · June 13, 2026 · 48% similar
- Boot Naked Linux abnercoimbre · 105 pts · June 15, 2026 · 48% similar
Discussion Highlights (8 comments)
liffik
Hey security researchers! I've released BareMetal-RAM-Dumper — a low-level x86 utility for dumping physical RAM directly to disk, designed for Cold Boot Attack research. What it does: • Custom 512-byte bootloader (no OS needed) • Boots via BIOS Legacy CSM • Switches to Unreal Mode to access 32-bit physical memory • Dumps RAM in 32KB chunks directly to USB drive • BIOS INT 0x15 E820 for safe memory map parsing • Real-time progress indicator Cold Boot Attack Use Case: Freeze a laptop's RAM to -60°C → quickly reboot from USB → capture full memory contents for forensic analysis & crypto key recovery How it works: 1. Stage1: 512-byte boot sector (loads Stage2 via INT 0x13) 2. Stage2: Main logic (memory detection, unreal mode, disk writes) 3. Writes to LBA 64+ on boot drive Warning: This overwrites data starting at sector 64! Use a dedicated blank USB. Built with pure Assembly (NASM) — no bloat, direct hardware access GitHub: https://github.com/pIat0n/BareMetal-RAM-Dumper License: AGPL-3.0 Perfect for: Forensic researchers Security auditors testing cold boot resilience Students learning low-level x86 Penetration testers Feedback & improvements welcome!
Retr0id
> successfully tested Could you elaborate on this? What device did you test on, what was the test procedure, and what was the outcome?
Dwedit
Does it stop EFI from running first? I'd think that EFI would be clobbering a whole lot of RAM.
anyaya1
DevTool ecosystem
floralhangnail
Are there any tricks or guides out there to protect from this attack? Obviously not leaving hardware running and unattended, but what else can help protect you if your running laptop is stolen out of your hands? Workstations can be configured to shutdown upon intrusion switch being activated but what about laptops? I guess hot gluing the RAM in would be a physical obstacle. What about a BIOS password being required for booting from external media or having secure boot enabled? There are exploits to bypass those things, but to an attacker not finding out they are up against that until they reboot, I would hope that would slow them down enough that they fail. If half of or all of the RAM is mounted under the keyboard, I think they would have difficulty getting it out in time. Besides spraying the RAM directly, can you freeze an entire laptop while it's still running? Won't condensation cause problems pretty quickly?
wmf
Haters, please stop flagging liffik's comments. I know you don't like AI but this thread was legitimately upvoted onto the front page so at least let the author respond to people.
Joel_Mckay
Threadlocker red, checkmate... lol =3
alfiedotwtf
Phew! Luckily I store all my keys at the 5Gb mark!