Skip to content

Commit

Permalink
Gadgets - Raspberry Pi + Arduino + Logic Analyzer
Browse files Browse the repository at this point in the history
  • Loading branch information
swisskyrepo committed Jan 11, 2024
1 parent 8a5e389 commit 663bdb0
Showing 13 changed files with 195 additions and 83 deletions.
4 changes: 3 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
# 🔌 Hardware All The Things

An alternative display version is available at [Hardware All The Things - Web version](https://swisskyrepo.github.io/HardwareAllTheThings/).

## Welcome to the Hardware wiki!

Welcome to our comprehensive Hardware Security Wiki, a curated collection of valuable payloads and bypass techniques tailored for Hardware and IoT Security. This repository serves as a dynamic and collaborative space, encouraging contributions from security enthusiasts and professionals alike.
@@ -18,6 +20,6 @@ Our goal is to foster a community-driven platform where individuals can share, l
We believe in the power of community and collective knowledge. Therefore, we warmly invite you to contribute your unique payloads, bypass techniques, and innovative strategies to enrich our repository.
Your contributions help keep this project alive and kicking, ensuring that we can continue to bring you the latest and greatest in hardware and IoT security.

You can also share the project and contribute with a Github Sponsorship.
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Hardware%20All%20The%20Things,%20a%20curated%20collection%20of%20valuable%20payloads%20and%20bypass%20techniques%20tailored%20for%20Hardware%20and%20IoT%20Security%20-%20by%20@pentest_swissky&url=https://swisskyrepo.github.io/HardwareAllTheThings/)

[![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
2 changes: 1 addition & 1 deletion docs/README.md
Original file line number Diff line number Diff line change
@@ -18,6 +18,6 @@ Our goal is to foster a community-driven platform where individuals can share, l
We believe in the power of community and collective knowledge. Therefore, we warmly invite you to contribute your unique payloads, bypass techniques, and innovative strategies to enrich our repository.
Your contributions help keep this project alive and kicking, ensuring that we can continue to bring you the latest and greatest in hardware and IoT security.

You can also share the project and contribute with a Github Sponsorship.
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Hardware%20All%20The%20Things,%20a%20curated%20collection%20of%20valuable%20payloads%20and%20bypass%20techniques%20tailored%20for%20Hardware%20and%20IoT%20Security%20-%20by%20@pentest_swissky&url=https://swisskyrepo.github.io/HardwareAllTheThings/)

[![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
Binary file added docs/assets/rpi-gpio.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
11 changes: 7 additions & 4 deletions docs/debug-interfaces/jtag.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
# JTAG

### Summary
## Summary

* JTAG Pins
* JTAGEnum
* References

### JTAG Pins

## JTAG Pins

> Allows testing, debugging, firmware manipulation and boundary scanning
@@ -30,11 +31,13 @@ $ avarice --program --file test.elf --part atmega128 --jtag /dev/ttyUSB0 :4444
$ avrdude -p m128 -c jtagmkI –P /dev/ttyUSB0 -U flash:r:”/home/avr/flash.bin":r
```

### Enumeration methods

## Enumeration methods

For enumeration methods see [Enumeration/JTAG](/enumeration/jtag/)

### References

## References

* [JTAGulator vs. JTAGenum, Tools for Identifying JTAG Pins in IoT Devices by Dylan Ayrey](https://www.praetorian.com/blog/jtagulator-vs-jtagenum-tools-for-identifying-jtag-pins-in-iot-devices?edition=2019)
* [JTAG PIN Identification - February 21, 2017](https://just2secure.blogspot.com/2017/02/jtag-pin-identification.html)
38 changes: 21 additions & 17 deletions docs/debug-interfaces/uart.md
Original file line number Diff line number Diff line change
@@ -1,20 +1,5 @@
# UART

## Table of contents

* [What is it ?](#what-is-it-)
* [Identifying UART ports](#identifying-uart-ports)
* [Using a multimeter](#using-a-multimeter)
* [Using a logic analyzer](#using-a-logic-analyzer)
* [Connect to serial port](#connect-to-serial-port)
* [WARNING](#warning)
* [Examples](#examples)
* [Connection using a USB to TTL](#connection-using-a-usb-to-ttl)
* [Detect the baud rate](#detect-the-baud-rate)
* [Interact with UART](#interact-with-uart)
* [UART over BLE](#uart-over-ble)
* [Examples](#examples)

## What is it ?

UART stands for Universal asynchronous receiver transmitter. Used for serial communications over a computer or peripheral device serial port.
@@ -27,6 +12,7 @@ Generally, the line is held high (at a logical 1 value) while UART is in idle st

We call the most common configuration **8N1**: eight data bits, no parity, and 1 stop bit.


## Identifying UART ports

A UART pinout has **four** ports:
@@ -51,37 +37,47 @@ Keep in mind that some devices **emulate** UART ports by programming the General
It is advised to capture the communication at **4 times the baudrate speed**, to avoid decoding issues.

### Using a multimeter

#### GNR pin

First identify the GRN pin, by using the multimeter in continuity mode.

Place the black probe on any grounded metallic surface, be it a part of the tested PCB or not. Then place the red probe on each of the ports. When you hear a beeping sound, you found a GND pin.

#### VCC pin

Turn the multimeter to the DC voltage mode in and set it up to 20V of voltage. Keep the black probe on a grounded surface. Place the red probe on a suspected pin and turn on the device.

If the multimeter measures a constant voltage of either 3.3V or 5V, you've found the VCC pin.

#### TX pin

Keep the multimeter mode at DC voltage of 20V or less, and leave the black probe in a grounded surface. Move the red probe to the suspected pin and power cycle the device. If the voltage fluctuates for a few seconds and then stabilizes at the VCC value, you've most likely found the TX pin.

This behavior happens because, during bootup, the device sends serial data through that TX pin for debugging purposes. Once it finishes booting, the UART line goes idle.

#### Rx pin

If you've already identified the rest of the UART pins, the nearby fourth pin is most likely the RX pin.

Otherwise, you can identify it because it has the lowest voltage fluctuation and lowest overall value of all the UART pins.


### Using a logic analyzer

A logic analyzer is an electronic instrument that captures and displays multiple signals from a digital system or digital circuit.

To find the UART pins we will connect the pins to a logic analyzer and look for data being transmitted.


#### Hardware setup

Make sure any system you're testing is **powered off** when you connect the logic analyzer's probes to it **to avoid short-circuiting**.

* Connect the suspected TX pin to any channel of the logic analyzer.
* Connect one of your logic analyzer's GND pins to the PCB that you're testing GND pins so they **share a common ground**.


#### Software setup

##### PulseView / Sigrok
@@ -128,31 +124,36 @@ Now try with the popular baud rates with both the suspected pins and try to comp


## Connect to serial port

### WARNING
It's not a big deal if you confuse the UART RX and TX ports with each other, because you can easily swap the wires connecting to them without any consequences. But confusing the VCC with the GND and connecting wires to them incorrectly **might fry the circuit**.

### Examples

![](http://remotexy.com/img/help/help-esp8266-firmware-update-usbuart.png)

![](https://vanhunteradams.com/Protocols/UART/uart_hardware.png)

### Connection using a USB to TTL

Once the ports are connected, plug the adapter into your computer. You now need to find the **device file descriptor**. To do that enter the following command : `sudo dmesg`.

Typically, it will be assigned to `/dev/ttyUSB0` **if you don't have any other peripheral devices attached**.

Under Ubuntu or Debian, a non-root user cannot have access to serial ports such as ttyS0 or ttyUSB0 if he is not a member of the **dialout** group ! The equivalent group on Arch based distributions is **uucp**. In other words, you just have to add yourself to this group to have access.

Ubuntu or Debian: `sudo usermod -a -G dialout $USER`
* Ubuntu or Debian: `sudo usermod -a -G dialout $USER`
* Arch based: `sudo usermod -a -G uucp $USER`

Arch based: `sudo usermod -a -G uucp $USER`

### Detect the baud rate

#### Most common baud rate
The most common baud rates for UART are `9600`, `19200`, `38400`, `57600` and `115200`.

A table of other used but less common baud rates can be found here: [Here](https://lucidar.me/en/serialib/most-used-baud-rates-table/)


#### Autodetect the baud rate using a script
Link: [baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py)
```bash
@@ -166,6 +167,7 @@ pip2.7 install serial
python2.7 baudrate.py -p /dev/ttyUSB0
```


#### Using PulseView

It is possible to get baudrate using the duration of a bit periode, using PulseView or any other bus analysis tools :
@@ -183,6 +185,7 @@ The closest common baudrate is : 115200. COnfigure the decoder and you should se
![U-Boot string](../assets/UART_uboot_str.png)

### Interact with UART

Different command line tools to interact with UART:
```powershell
cu -l /dev/ttyUSB0 -s 115200
@@ -211,6 +214,7 @@ with open('/home/audit/Documents/IOT/passwords.lst', 'r') as f:
time.sleep(10)
```


## UART over BLE

It’s an emulation of serial port over BLE. The UUID of the Nordic UART Service is `6E400001-B5A3-F393-E0A9-E50E24DCCA9E`. This service exposes two characteristics: one for transmitting and one for receiving.
8 changes: 7 additions & 1 deletion docs/enumeration/jtag.md
Original file line number Diff line number Diff line change
@@ -9,10 +9,12 @@ There are several tools and ways to enumerate JTAG pins. Here are few:
* [Using an Arduino Pro Micro](#jtagenum-with-arduino-or-raspberry-pi)
* [Using an Raspberry Pi Pico](#searching-jtag-pins-with-raspberry-pi-pico)


## Searching JTAG pins with Raspberry PI Pico

* Raspberry Pi Pico: [https://github.com/racerxdl/JTAGscan](https://github.com/racerxdl/JTAGscan) made by [szymonh](https://github.com/szymonh/) adapted to RP2040 by [racerxdl](https://github.com/racerxdl/JTAGscan)


### How does it work?

JTAGscan iterates over all defined pins (currently for RP2040, the first 16 pins) searching for TMS, TCK, TDO and TDI.
@@ -22,6 +24,7 @@ It has two approaches:
* Try reading `IDCODE` - Only requires TMS, TCK and TDO so it's faster. Unfortunately not all devices support `IDCODE` command (although most of them do). This doesn't find the TDI pin.
* Shifting bits in `BYPASS` mode. This can find all pins, but it is slower (since not only you have one more pin to iterate over, but also need to shift "enough" bits through the JTAG Chain).


### Hardware suggestions

Any raspberry pi pico board should work fine for scanning JTAG ports. Make sure you check the VCC of the target to see if it is 3.3V. Being other voltage level will require a level-shifter to avoid damage.
@@ -30,6 +33,7 @@ It is also recommended to use series 33 Ohm resistors in series with every teste

![RP2040 Board with 33 Ohm series resistor](../assets/rp2040-jtagscan-resistors.png)


### Programming the PiPico

1. Go to `Releases` and download the `jtagscan-xxxx.zip`
@@ -38,6 +42,7 @@ It is also recommended to use series 33 Ohm resistors in series with every teste
4. A new "disk" should appear in your machine. Drag the `uf2` file to the disk
5. The raspberry pi pico should reboot and be recognized as a usb-serial converter


### Using

Open the detected serial port in your favorite serial terminal application (for example, [PuTTY](https://www.putty.org/))
@@ -108,7 +113,8 @@ Arduino PIN Layout

![](https://3.bp.blogspot.com/-OmjCNFWbnf0/WKx4NEjfb9I/AAAAAAAADy8/-qz5Of4iDbcT5mtonl6st1hVGrmsGUs4gCLcB/s640/FOUND.png)

### References

## References

* [JTAGulator vs. JTAGenum, Tools for Identifying JTAG Pins in IoT Devices by Dylan Ayrey](https://www.praetorian.com/blog/jtagulator-vs-jtagenum-tools-for-identifying-jtag-pins-in-iot-devices?edition=2019)
* [JTAG PIN Identification - February 21, 2017](https://just2secure.blogspot.com/2017/02/jtag-pin-identification.html)
88 changes: 60 additions & 28 deletions docs/firmware/firmware-dumping.md
Original file line number Diff line number Diff line change
@@ -19,6 +19,7 @@
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:w:flash_raw.bin
# send ihex firmware
$ avrdude -c arduino -p atmega328p -P /dev/ttyUSB* -b115200 -u -V -U flash:w:CHALLENGE.hex
$ avrdude -c usbasp -p m328p -F -U flash:r:dump.hex:i
# default
@@ -54,6 +55,7 @@
```powershell
sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg
```
* Using [raspberrypi/picotool](https://github.com/raspberrypi/picotool)
* Build PicoTool, you will need the pico-sdk
```ps1
@@ -85,17 +87,25 @@
## Dump Flash via SPI
```ps1
flashrom -p serprog:dev=/dev/ttyACM0,spispeed=160k -r dump_spi.bin -c "MX25L6406E/MX25L6408E"
```
* Using [flashrom/flashroom](https://github.com/flashrom/flashrom)
```ps1
sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev subversion libusb-1.0-0-dev
svn co svn://flashrom.org/flashrom/trunk flashrom
cd flashrom
make
flashrom -p ft232_spi:type:232h -r spidump.bin
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r spi_dump.bin
flashrom -p serprog:dev=/dev/ttyACM0,spispeed=160k -r dump_spi.bin -c "MX25L6406E/MX25L6408E"
```
* Using HydraBus: [hydrabus/hydrafw/hydra_spi_dump.py](https://github.com/hydrabus/hydrafw/blob/master/contrib/hydra_spi_dump/hydra_spi_dump.py)
```ps1
./hydra_spi_dump.py firmware.bin 1024 0x000000 fast
```
## Convert ihex to elf
> The Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEXs can be converted to binary files and programmed into a configuration device.
@@ -137,32 +147,53 @@ Inspect the assembly with `avr-objdump -m avr -D chest.hex`.\
Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin`


## Over-the-air updates
## Explore firmware

TODO
* strings
```ps1
$ strings file.bin
$ strings -e l file.bin
The strings -e flag specifies the encoding of the characters. -el specifies little-endian characters 16-bits wide (e.g. UTF-16)
## Explore firmware
$ strings -tx file.bin
The -t flag will return the offset of the string within the file. -tx will return it in hex format, T-to in octal and -td in decimal.
```
```powershell
$ binwalk -Me file.bin
$ strings file.bin
* dd
```ps1
$ dd if=firmware.bin of=firmware.chunk bs=1 skip=$((0x200)) count=$((0x400-0x200))
If we wanted to run it a little faster, we could increase the block size:
$ dd if=firmware.bin of=firmware.chunk bs=$((0x100)) skip=$((0x200/0x100)) count=$(((0x400-0x200)/0x100))
```
* binwalk
```powershell
$ binwalk -Me file.bin
$ binwalk -Y dump.elf
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions
```
$ strings -e l file.bin
The strings -e flag specifies the encoding of the characters. -el specifies little-endian characters 16-bits wide (e.g. UTF-16)
* Unsquashfs
```powershell
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
```
$ strings -tx file.bin
The -t flag will return the offset of the string within the file. -tx will return it in hex format, T-to in octal and -td in decimal.
$ dd if=firmware.bin of=firmware.chunk bs=1 skip=$((0x200)) count=$((0x400-0x200))
If we wanted to run it a little faster, we could increase the block size:
$ dd if=firmware.bin of=firmware.chunk bs=$((0x100)) skip=$((0x200/0x100)) count=$(((0x400-0x200)/0x100))
## Write new firmware
$ binwalk -Y dump.elf
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions
```
* Repack firmware
```ps1
mksquashfs4 squashfs-root myrootfs {options}
dd if=myrootfs of=dump/bin bs=1 seek=<offset> conv=notrunc
```
* Flashrom write
```ps1
flashrom -p ft2232_spi:type=232H -w dump.bin
```
## Type of firmware
@@ -182,11 +213,6 @@ $ binwalk -E fw
```


## Unsquashfs

```powershell
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
```


## Encrypted firmware
@@ -196,6 +222,12 @@ sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
* [MINDSHARE: DEALING WITH ENCRYPTED ROUTER FIRMWARE](https://www.zerodayinitiative.com/blog/2020/2/6/mindshare-dealing-with-encrypted-router-firmware)


## Over-the-air updates

TODO


## References

* [Extracting Firmware from Embedded Devices (SPI NOR Flash) - Flashback Team - 9 sept. 2022](https://www.youtube.com/watch?v=nruUuDalNR0)
* [Extracting Firmware from Embedded Devices (SPI NOR Flash) - Flashback Team - 9 sept. 2022](https://www.youtube.com/watch?v=nruUuDalNR0)
* [Real Hardware Hacking for S$30 or Less - Joe FitzPatrick - 31 march 2020](https://youtu.be/wVPochUgTvw)
Loading

0 comments on commit 663bdb0

Please sign in to comment.