From vendor update interception to SPI flash dumps and QEMU emulation. Ordered by invasiveness — UART first, chip-off BGA last.
The least invasive method. Monitor the device's update mechanism — many embedded devices pull firmware over unencrypted HTTP or FTP. Intercept the download via ARP spoofing or DNS redirect, capture the binary, and extract with binwalk.
Locate the UART pins on the PCB (TX, RX, GND). Connect at common baud rates (115200, 9600). Many devices drop to a root shell or a bootloader (U-Boot) prompt that allows memory dumps via the md (memory display) command.
For devices with SPI NOR/NAND flash, use a SOIC-8 clip or desolder the chip. Read with flashrom via a Bus Pirate or CH341A programmer. This yields the full flash image including bootloader, kernel, and filesystem.
Identify JTAG or SWD test points on the PCB. Use OpenOCD with an appropriate adapter to halt the CPU and dump memory regions. Effective when UART is locked down but debug interfaces remain enabled.
Some devices expose NFS shares, TFTP servers, or have directory traversal vulnerabilities in their web interfaces. These can be used to pull individual files or entire filesystem trees without physical access.
Last resort. Desolder BGA flash chips using a rework station, read with an appropriate adapter. Destructive to the device but works when all other interfaces are locked down or disabled.
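Whichever method produces the image, the next step is locating the bootloader, kernel and filesystem inside it, which is what binwalk automates. The following is an added example, not code from the original page: a minimal signature scan that also validates the U-Boot legacy image header CRC, a quick way to spot a bad read. The function names and the sample image are constructed for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"  # U-Boot legacy image header magic (big-endian)
SIGNATURES = {
    UIMAGE_MAGIC: "uImage header",
    b"hsqs": "SquashFS (little-endian)",
    b"\x1f\x8b\x08": "gzip stream",
}

def parse_uimage(image, off):
    """Parse the 64-byte U-Boot legacy header at off and verify its header CRC."""
    hdr = image[off:off + 64]
    if len(hdr) < 64:
        return None  # truncated read: not enough bytes for a header
    (_magic, hcrc, _time, size, load, entry, _dcrc,
     _os, _arch, _type, comp) = struct.unpack(">7I4B", hdr[:32])
    name = hdr[32:64].split(b"\0", 1)[0].decode("ascii", "replace")
    # The header CRC is computed over the header with the CRC field zeroed.
    calc = zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) & 0xFFFFFFFF
    return {"name": name, "size": size, "load": load, "entry": entry,
            "comp": comp, "header_crc_ok": calc == hcrc}

def scan(image):
    """Return (offset, label, details) for every signature hit, sorted by offset."""
    hits = []
    for magic, label in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            info = parse_uimage(image, pos) if magic == UIMAGE_MAGIC else None
            hits.append((pos, label, info))
            pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h[0])

def build_sample():
    """Constructed 64 KiB image: 0xFF padding, uImage + gzip stub, SquashFS magic."""
    payload = b"\x1f\x8b\x08" + b"\0" * 29
    hdr = struct.pack(">7I4B32s", 0x27051956, 0, 0, len(payload), 0x80008000,
                      0x80008000, zlib.crc32(payload), 5, 2, 2, 1,
                      b"constructed-kernel")
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:]
    img = bytearray(b"\xff" * 0x10000)
    img[0x4000:0x4040] = hdr
    img[0x4040:0x4040 + len(payload)] = payload
    img[0x8000:0x8004] = b"hsqs"
    return bytes(img)

if __name__ == "__main__":
    for off, label, info in scan(build_sample()):
        print(f"0x{off:06x}  {label}  {info or ''}")
```

A header whose CRC does not verify usually means a false-positive magic match or a corrupted read, so re-read the chip and compare dumps before trusting the offsets.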