Glitches + Gadgets (Hydra, GoodFET, Proxmark)

swisskyrepo · Jan 7, 2024 · 8a5e389 · 8a5e389
1 parent 60cb3bd
commit 8a5e389
Show file tree

Hide file tree

Showing 22 changed files with 339 additions and 53 deletions.
diff --git a/docs/assets/hydra-spi.png b/docs/assets/hydra-spi.png
diff --git a/docs/assets/image.png → docs/assets/image_flipper_cover.png b/docs/assets/image.png → docs/assets/image_flipper_cover.png
diff --git a/docs/debug-interfaces/spi.md b/docs/debug-interfaces/spi.md
diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md
@@ -1,5 +1,7 @@
 # UART
+
 ## Table of contents
+
   * [What is it ?](#what-is-it-)
   * [Identifying UART ports](#identifying-uart-ports)
     * [Using a multimeter](#using-a-multimeter)
@@ -14,6 +16,7 @@
    * [Examples](#examples)
 
 ## What is it ?
+
 UART stands for Universal asynchronous receiver transmitter. Used for serial communications over a computer or peripheral device serial port.
 
 UART peripherals are commonly integrated in many embedded devices. UART communication makes use of baud rate to maintain synchronism between two devices. The baud rate is the rate at which information is transferred in a communication channel. 
@@ -25,6 +28,7 @@ Generally, the line is held high (at a logical 1 value) while UART is in idle st
 We call the most common configuration **8N1**: eight data bits, no parity, and 1 stop bit.
 
 ## Identifying UART ports
+
 A UART pinout has **four** ports: 
 
 * **TX** (Transmit)

diff --git a/docs/firmware/firmware-dumping.md b/docs/firmware/firmware-dumping.md
@@ -1,19 +1,17 @@
 # Firmware Dumping
 
-## Summary
+## Flash Memory Types
 
-* [Send a new firmware into the microcontroller](#send-a-new-firmware-into-the-microcontroller)
-* [Dump firmware using debug port](#dump-firmware-using-debug-port)
-* [Convert ihex to elf](#convert-ihex-to-elf)
-* [Over-the-air updates](#over-the-air-updates)
-* [Explore firmware](#explore-firmware)
-* [Type of firmware](#type-of-firmware)
-* [Check entropy](#check-entropy)
-* [Unsquashfs](#unsquashfs)
-* [Encrypted firmware](#encrypted-firmware)
+* NOR Flash (SOIC8 package)
+    * SPI Flash
+    * Mostly error "Fault-free" memory
+    * Used for embedded device that need fast execution, but low storage capacity
+* NAND Flash (TSOP48 package)
+* eMMC Flash (BGA{153} package)
+* UFS Universal Flash Storage
 
 
-## Send a new firmware into the microcontroller
+## Flash a new firmware into the microcontroller
 
 * Using [avrdudes/avrdude](https://github.com/avrdudes/avrdude)
     ```powershell
@@ -26,14 +24,15 @@
     # default
     $ avrdude -c usbasp -p m328p -C /etc/avrdude.conf -U flash:w:hardcodedPassword.ino.arduino_standard.hex
     ```
+
 * Using [raspberrypi/picotool](https://github.com/raspberrypi/picotool)
     ```ps1
     # extension indicates the type (bin, uf2)
     picotool load firmware.bin
     ```
 
 
-## Dump firmware using debug port
+## Dump flash using debug port
 
 * Using [avrdudes/avrdude](https://github.com/avrdudes/avrdude)
     ```powershell
@@ -84,6 +83,19 @@
         ```
 
 
+## Dump Flash via SPI
+
+```ps1
+flashrom -p serprog:dev=/dev/ttyACM0,spispeed=160k -r dump_spi.bin -c "MX25L6406E/MX25L6408E"
+```
+
+* Using HydraBus: [hydrabus/hydrafw/hydra_spi_dump.py](https://github.com/hydrabus/hydrafw/blob/master/contrib/hydra_spi_dump/hydra_spi_dump.py)
+    ```ps1
+    ./hydra_spi_dump.py firmware.bin 1024 0x000000 fast
+    ```
+
+
+
 ## Convert ihex to elf
 
 > The Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEXs can be converted to binary files and programmed into a configuration device.
@@ -182,3 +194,8 @@ sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
 ![](https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1581004558438-UJV08PX8O5NVAQ6Z8HXI/ke17ZwdGBToddI8pDm48kHSRIhhjdVQ3NosuzDMrTulZw-zPPgdn4jUwVcJE1ZvWQUxwkmyExglNqGp0IvTJZamWLI2zvYWH8K3-s\_4yszcp2ryTI0HqTOaaUohrI8PIYASqlw8FVQsXpiBs096GedrrOfpwzeSClfgzB41Jweo/Picture2.png?format=1000w)
 
 * [MINDSHARE: DEALING WITH ENCRYPTED ROUTER FIRMWARE](https://www.zerodayinitiative.com/blog/2020/2/6/mindshare-dealing-with-encrypted-router-firmware)
+
+
+## References
+
+* [Extracting Firmware from Embedded Devices (SPI NOR Flash) - Flashback Team - 9 sept. 2022](https://www.youtube.com/watch?v=nruUuDalNR0)
diff --git a/docs/firmware/firmware-reverse-engineering.md b/docs/firmware/firmware-reverse-engineering.md
@@ -142,6 +142,9 @@ $ uefi-firmware-parser --test ~/firmware/*
 ~/firmware/O990-A03.exe.hdr: DellPFS
 ```
 
+
 ## References
 
-* [Loader un binaire Arduino dans IDA - Posted on January 26, 2014 by thanatos](https://thanat0s.trollprod.org/2014/01/loader-un-binaire-arduino-dans-ida/)
+* [Loader un binaire Arduino dans IDA - Posted on January 26, 2014 by thanatos](https://thanat0s.trollprod.org/2014/01/loader-un-binaire-arduino-dans-ida/)
+* [REcon 2014 - Reverse Engineering Flash Memory For Fun and Benefit - Matt Oh](https://youtu.be/nTPfKT61730)
+* [Reverse Engineering Flash Memory for Fun and Benefit - Jeong Wook (Matt) Oh](https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit-WP.pdf)
diff --git a/docs/gadgets/bus-pirate.md b/docs/gadgets/bus-pirate.md
@@ -2,7 +2,8 @@
 
 ![MOSI-MISO](https://iotmyway.files.wordpress.com/2018/05/mode-guide.png)
 
-### Update Bus Pirate
+
+## Update Bus Pirate
 
 ```powershell
 git clone https://github.com/BusPirate/Bus_Pirate.git
@@ -12,8 +13,13 @@ sudo ./pirate-loader_lnx --dev=/dev/ttyACM0 --hex=../BPv4-firmware-v6.3-r2151.he
 
 ```powershell
 # Identify EEPROM chip
-sudo flashrom –p buspirate_spi:dev=/dev/ttyUSB0
+sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0
 
 # Dump firmware using a bus pirate (SPI)
-sudo flashrom –p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M –c (Chip name)  –r (Name.bin)
-```
+sudo flashrom -p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name)  -r (Name.bin)
+```
+
+
+## References
+
+* [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg)
diff --git a/docs/gadgets/flipper-zero.md b/docs/gadgets/flipper-zero.md
@@ -1,16 +1,16 @@
 # Flipper Zero
 
-![FlipperZero](../assets/image.png)
+![FlipperZero](../assets/image_flipper_cover.png)
 
-### **Firmwares**
+## **Firmwares**
 
 * [Flipper Zero Firmware](https://github.com/flipperdevices/flipperzero-firmware)
 * [Flipper Zero Unleashed Firmware](https://github.com/Eng1n33r/flipperzero-firmware)
 * [Flipper Zero FW RogueMaster](https://github.com/RogueMaster/flipperzero-firmware-wPlugins)
 
 * [Awesome FlipperZero](https://github.com/djsime1/awesome-flipperzero)
 
-#### Firmware Update - PC
+### Firmware Update - PC
 
 1. Update to the latest firmware using [https://flipperzero.one/update](https://flipperzero.one/update)
 2. Download and install qFlipper
@@ -21,22 +21,20 @@
 7. On the Flipper Zero, once booted, press down, and left until you are on the 'Browser' screen. Scroll down until you see the 'update' directory and click on it.
 8. You should now see the contents you uploaded and an 'update' option. Hover over the 'update' option, click the center button on your Flipper, once again on the 'Run in App' option.
 
-#### Firmware Update - WebUpdater
+### Firmware Update - WebUpdater
 
 * [DarkFlippers/unleashed-firmware - Web Update](https://lab.flipper.net/?url=https://unleashedflip.com/fw_extra_apps/flipper-z-f7-update-unlshd-038e.tgz&channel=release-cfw&version=unlshd-038e)
 * [RogueMaster/flipperzero-firmware-wPlugins - Web Update](https://lab.flipper.net/?url=https%3A%2F%2Frogue-master.net%2F%3Ffile%3DRM0322-1504-0.79.2-22158b0.tgz&channel=RM0322-1504-0.79.2-22158b0&version=0.79.2)
 
 
-### Videos
+## Videos
 
 * [Flipper Zero: Want some good news? - Penthertz](https://www.youtube.com/watch?v=tB0eYatvu0k)
 * [Flipper Zero: is this for you? Follow our 1st tests! - Penthertz](https://www.youtube.com/watch?v=W5YYObSBUno)
 
-### Tutorials and Resources
+## Tutorials and Resources
 
 * [Flipper Zero Hacking 101 - pingywon](https://flipper.pingywon.com/flipper/)
 * [Flipper Zero Playground - UberGuidoZ](https://github.com/UberGuidoZ/Flipper)
 * [Flashing Flipper Zero with RogueMaster CFW](https://interestingsoup.com/n00b-guide-flashing-flipper-zero-to-rougemaster/)
-* [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md)
-
-
+* [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md)
diff --git a/docs/gadgets/goodfet.md b/docs/gadgets/goodfet.md
@@ -0,0 +1,16 @@
+# GoodFET
+
+* [travisgoodspeed/goodfet](https://github.com/travisgoodspeed/goodfet) - An embedded bus adapter for various microcontrollers and radios.
+* [greatscottgadgets/Facedancer](https://github.com/greatscottgadgets/Facedancer) - modern FaceDancer core for multiple devices-- including GreatFET
+
+
+## Facedancer
+
+The Facedancer21 is the twenty-fourth hardware revision of the GoodFET, owing its heritage to the GoodFET41 and Facedancer20. Unlike the general-purpose GoodFET boards, the only purpose of this board is to allow USB devices to be written in host-side Python, so that one workstation can fuzz-test the USB device drivers of another host. 
+
+
+## References
+
+* [GoodFET](https://goodfet.sourceforge.net/)
+* [Facedancer21 - GoodFET](https://goodfet.sourceforge.net/hardware/facedancer21/)
+* [Black Hat USA 2016 GreatFET Making GoodFET Great Again - 5 oct. 2019](https://youtu.be/IqhWqqvtNlY)
diff --git a/docs/gadgets/hydrabus.md b/docs/gadgets/hydrabus.md
@@ -0,0 +1,44 @@
+# HydraBus
+
+![HydraBUS - Pin Assignment](https://hydrabus.com/wp-content/uploads/2024/01/HydraBus_1_0_HydraFW_Default_PinAssignment_A4-1024x724.jpg)
+
+
+## Features
+
+Support many extensions:
+
+- HydraNFC
+- HydraFlash
+- HydraLINCAN
+
+External interactions:
+
+- UART
+- I2C
+- CAN/LIN Bus
+- SPI Bus
+- SD/SDIO
+- USB Bus
+- ADC / DAC (Analog / Digital)
+- GPIO
+
+
+## Firmware
+
+* [hydrabus/hydrafw](https://github.com/hydrabus/hydrafw) - HydraFW official firmware for HydraBus/HydraNFC
+* [hydrabus/hydrafw_hydranfc_shield_v2](https://github.com/hydrabus/hydrafw_hydranfc_shield_v2) - HydraFW dedicated to HydraBus v1 / HydraNFC Shield v2
+* [bvernoux/blackmagic](https://github.com/bvernoux/blackmagic) - In application debugger for ARM Cortex microcontrollers
+
+Commands examples:
+
+```ps1
+show system/memory/threads
+```
+
+
+## References
+
+* [HydraBus v1.0 Specifications - HydraBus](https://hydrabus.com/hydrabus-1-0-specifications)
+* [HydraBus Assembly Video - Lab401 - 30 may 2017](https://youtu.be/9lFEPG8EG6w)
+* [BlackAlps17: Hydrabus: Lowering the entry fee to the IoT bugfest - Benjamin Vernoux -  2 dec. 2017](https://www.youtube.com/watch?v=theYbzPhYH8)
+* [HydraBus - An Open Source Platform - RMLL Sec 2017](https://archives.pass-the-salt.org/RMLL%20Security%20Tracks/2017/slides/RMLL-Sec-2017-hydrabus.pdf)
diff --git a/docs/gadgets/hydraflash.md b/docs/gadgets/hydraflash.md
@@ -0,0 +1,17 @@
+# HydraFlash
+
+> Designed to dump Flash NAND chips
+
+
+## Usage
+
+* [hydrabus/DumpFlash-Hydrabus](https://github.com/hydrabus/DumpFlash-Hydrabus)
+    ```ps1
+    pip install git+https://github.com/hydrabus/DumpFlash-Hydrabus
+    python2 DumpFlash.py -d /dev/hydrabus -i
+    ```
+
+
+## References
+
+* [Hydrabus NAND Flash shield - hydrabus/HydraFlash](https://github.com/hydrabus/HydraFlash)
diff --git a/docs/gadgets/hydranfc.md b/docs/gadgets/hydranfc.md
@@ -0,0 +1,34 @@
+# HydraNFC
+
+## Features
+
+* Support of microSD (FAT16/FAT32) card up to 32GB
+* Virtual Serial Port access through micro USB with VT100 terminal/shell
+* Basic UID read for Vicinity/ISO15693
+* Basic UID read for ISO14443-A/MIFARE ® card 4 or 7bytes UID
+* Read MIFARE Ultralight® tag content (full dump)
+* Tag Emulation UID ISO14443A & MIFARE Classic® 1K
+* Sniffer mode in an autonomous/stand-alone mode
+* Real-time ISO14443A sniffer mode
+
+
+## Firmware
+
+* [hydrabus/hydrafw_hydranfc_shield_v2](https://github.com/hydrabus/hydrafw_hydranfc_shield_v2) - HydraFW dedicated to HydraBus v1 / HydraNFC Shield v2
+
+Using console, type `nfc` + `Enter` to enter NFC mode dedicated to HydraNFC Shield v2.
+
+```ps1
+> nfc
+NFCv2> nfc-all
+NFCv2> show
+NFCv2> nfc-all scan
+```
+
+
+## References
+
+* [HydraFW HydraNFC v2 guide - Benjamin Vernoux - Jul 4, 2021](https://github.com/hydrabus/hydrafw_hydranfc_shield_v2/wiki/HydraFW-HydraNFC-v2-guide)
+* [HydraNFC Getting Started - Lab401 - 30 mai 2017](https://youtu.be/-bYXXqPaB4s)
+* [HydraBus / HydraNFC unboxing & Assembly - Lab401 - 30 mai 2017](https://youtu.be/D-alGCsmqPU)
+* [HydraNFC - LAB401 product presentation - 17 mai 2018](https://youtu.be/MCmCK9y7Ojk)
diff --git a/docs/gadgets/hydrausb3.md b/docs/gadgets/hydrausb3.md
@@ -0,0 +1,32 @@
+# HydraUSB3
+
+> HydraUSB3 (WCH CH569) open source test firmware / examples / libraries to experiment with streaming / high-speed protocols (USB2 HS, USB3 SS, HSPI, SerDes...)
+
+![HydraUSB3 - Pin Assignment](https://hydrabus.com/wp-content/uploads/2022/09/HydraUSB3_V1_PinAssignment.png)
+
+* [hydrausb3/hydrausb3_fw](https://github.com/hydrausb3/hydrausb3_fw) - Firmware
+* [hydrausb3/hydrausb3_hw](https://github.com/hydrausb3/hydrausb3_hw) - Hardware documentation
+
+> **Warning**
+> It is MANDATORY to buy a “USB 3 Type A male to USB 3 Type A male cable” (the cable shall have Power+Data with USB2 and USB3 SS signals)
+
+
+## Firmware Flashing
+
+**Linux**
+
+* [How to build flash and use examples on Linux with shell](https://github.com/hydrausb3/hydrausb3_fw/wiki/how-to-build-flash-and-use-examples-on-linux)
+* [How to build flash and use examples on Linux with Eclipse IDE](https://github.com/hydrausb3/hydrausb3_fw/wiki/how-to-build-flash-and-use-examples-on-linux-Eclipse-IDE)
+
+**Windows** (requires MSYS2/MINGW64)
+
+* [How to build flash and use examples on Windows with MSYS2/MINGW64 shell](https://github.com/hydrausb3/hydrausb3_fw/wiki/how-to-build-flash-and-use-examples-on-windows)
+* [How to build flash and use examples on Windows with Eclipse IDE](https://github.com/hydrausb3/hydrausb3_fw/wiki/how-to-build-flash-and-use-examples-on-windows-Eclipse-IDE)
+
+
+## References
+
+* [HydraUSB3 v1.0 Specifications - HydraBus](https://hydrabus.com/hydrausb3-v1-0-specifications)
+* [GreHack2022 - Reverse Engineering of advanced RISC-V MCU with USB3 & High Speed peripherals - Benjamin Vernoux](https://github.com/hydrausb3/grehack22)
+* [GreHack22 - SecureDUO](https://github.com/chrisrdlg/gh22_SecureDuo)
+* [WCH CH569 SerDes Reverse Engineering - hydrausb3](https://github.com/hydrausb3/wch-ch569-serdes)
diff --git a/docs/gadgets/logic-analyzer.md b/docs/gadgets/logic-analyzer.md
@@ -0,0 +1,8 @@
+# Logic Analyzer
+
+TODO
+
+
+## References
+
+* []()
diff --git a/docs/gadgets/proxmark.md b/docs/gadgets/proxmark.md
@@ -0,0 +1,9 @@
+# Proxmark
+
+## 
+
+TODO
+
+## References
+
+* []()
diff --git a/docs/gadgets/raspberry-pi.md b/docs/gadgets/raspberry-pi.md
@@ -2,8 +2,11 @@
 
 ### Raspberrypi As Poor Man’s Hardware Hacking Tool
 
-[https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool](https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool)
-
 * SPI – Serial Peripheral Interface
 * I2C – Inter-IC Communication
 * Debugger – JTAG/SWD
+
+
+## References
+
+* [Raspberry Pi As Poor Man’s Hardware Hacking Tool - Arun-Magesh - December 14, 2018](https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool)