Changes

Basics Embedded devices or smart devices store their code in a ROM or flash memory chip primarily because these types of memory are non-volatile and permanent even after power loss.<br>The data is stored even after the system is turned off in contrast to volatile memory that needs to stay powered on. A prime example of this is if you put your computer in hibernate S4 or (modern standby) S0.<br>The RAM memory will stay powered to keep everything in the memory active so that if you press the power button the system will be back up in seconds, if you disconnect the power the hibernated session will be gone because RAM is volatile memory. This wiki page will provide a basic explanation of embedded and smart devices and their ways of storing code in modern electronicsand provide some great resources in regard of the extraction techniques.<br>Techniques and data shared Some in-depth information regarding the extraction process can subject will be find shared heretoo.

Reverse engineering code stored in ROM firmware is a practice that serves multiple purposes across various fields, particularly in technology and security. One of the primary reasons for reverse engineering firmware is to identify and mitigate security vulnerabilities. As IoT devices and embedded systems become more prevalent, ensuring their security is crucial. By analyzing the firmware, security researchers can uncover weaknesses in the code that could be exploited by malicious actors locally or even remotely which could pose a high risk to many users. Below, we will explore the reasons why individuals and organizations engage in this process.:* '''Security audits'''::- '''White hats''' - good guys, safeguarding systems & data to prevent hackers from getting in.::- '''Grey hats''' - in between good and bad.::- '''Black hats''' - abusing vulnerabilities to earn money or do damage, or other illicit services.:* '''Industrial hardware repair'''::- Repair shops::- Technical department in a company doing repairs locally:* '''Recovery in mission critical failure mode (back-up a day keeps the Dr away)'''::- Data recovery companies

:* Chip Internal ROM (embedded inside the microcontrollermost often also known as a '''SoC''' system-on-a-chip)

: Also known as general-purpose ports (GPIO).:* [https://en.wikipedia.org/wiki/Bit_banging Bit-Banging]::- Bit-banging is the process of emulating a protocol in software instead of relying on a hardware peripheral to do the same things.:* [https://en.wikipedia.org/wiki/I2C I2C]::- I2C is a two-wire serial communication protocol using a serial data line (SDA) and a serial clock line (SCL). ::: The protocol supports multiple target devices on a communication bus and can also support multiple controllers that send and receive commands and data.:::: '''Pinout''':::: VCC (1.5V up to 5V):::: SCL (I2C Clock):::: SDA (I2CData):::: GND (Ground):* [https://en.wikipedia.org/wiki/Serial_Peripheral_Interface SPI]::- SPI is a synchronous, full duplex main-subnode-based interface.::: The data from the main or the subnode is synchronized on the rising or falling clock edge. Both main and subnode can transmit data at the same time. ::: The SPI interface can be either 3-wire (Single SPI mode), 4-wire (Dual SPI mode) or 6-wire (Quad SPI mode).:::: '''Pinout Dual SPImode''':::: MOSI (Master Out Slave In):::: MISO (Master In Slave Out):::: SCLK (Serial Clock):::: SS/CS (Slave Select):* [https://en.wikipedia.org/wiki/Parallel_Peripheral_Interface Parallel Interface]::- A parallel I/O port is a mechanism that allows the software to interact with external devices. It is called parallel because multiple signals can be accessed all at once.:* [https://en.wikipedia.org/wiki/Serial_Peripheral_Interface#Microwire Microwire]::: Microwire, often spelled μWire, is essentially a predecessor of SPI and a trademark of National Semiconductor. ::: It's a strict subset of SPI: half-duplex, and using SPI mode 0. Microwire chips tend to need slower clock rates than newer SPI versions; perhaps 2 MHz vs. 20 MHz.::: Some Microwirechips also support a three-wire mode.:* [https://en.wikipedia.org/wiki/Serial_Peripheral_Interface#Intelligent_SPI_controllers QSPI - Intelligent SPI controllers]::- The QSPIperipheral provides support for communicating with an external flash memory device using SPI.:* [https://en.wikipedia.org/wiki/1-Wire One-Wire]::- 1-Wire is a wired half-duplex serial bus designed by Dallas Semiconductor that provides low-speed (16.3 kbit/s) data communication and supply voltage over a single conductor.::: Genuine Dell laptop power supplies use the 1-Wire protocol to send data via the third wire to the laptop computer about power, current and voltage ratings.::: The laptop will then refuse charging if the adapter does not meet requirements.::: Emulating the [https://github.com/orgua/OneWireHub/blob/main/examples/DS2502_DELLCHG/DS2502_DELLCHG.ino DS2502 TO-92-3 1-wire Dell charger ID EEPROM.] =====Programming=====::* In-circuit programming:::: Allows programmable devices, such as microcontrollers, to be programmed while they are installed in a complete system, facilitating firmware updates without removing the chip.::* Out-of-circuit programming:::: Refers to the process of programming microcontrollers or integrated circuits while they are removed from their final application circuit, typically using specialized programming equipment.

::* In-circuit programming::* Out-case of-circuit programmingan external rom you can always try to read it with a programmer and try to dump the contents this way for later static analysis.

:::;- VCC glitching(Crowbar Circuits)::::: [https://eprint.iacr.org/2016/810.pdf Example paper 1. Fault Injection using Crowbars on Embedded Systems.]::::: [https://arxiv.org/pdf/1903.08102 Example paper 2. Injecting Software Vulnerabilities with Voltage Glitching.]::::: [https://cardis.org/cardis2013/proceedings/CARDIS2013_16.pdf Example paper 3. Glitch it if you can: parameter search strategies for successful fault injection.]::::: [https://www.researchgate.net/publication/353922465_The_Forgotten_Threat_of_Voltage_Glitching_A_Case_Study_on_Nvidia_Tegra_X2_SoCs Example paper 4. The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs]:::;- Clock glitching(Oscillator Circuits)::::: [https://caslab.io/publications/durand2021ultra.pdf Example paper 1. Ultra Freezing Attacks and Clock Glitching of Clock Oscillator Circuits]::::: [https://scispace.com/pdf/high-speed-clock-glitching-bscq4pp5j1.pdf Example paper 2. High Speed Clock Glitching]::::: [https://machiry.github.io/files/glitchresistor.pdf Example paper 3. Glitching Demystified: Analyzing Control-flow-based Glitching Attacks and Defenses]::::: [https://eprint.iacr.org/2023/1647.pdf Example paper 4. Attacking Glitch Detection Circuits]::::: [https://eprint.iacr.org/2024/1939.pdf Example paper 5. Machine Learning-Based Detection of Glitch Attacks in Clock Signal Data]

 ====Debugging Tools====::* Debugging Toolsthat are used to find debug ports, OCD interfaces, serial port I/O.

:::;- [https://www.picotech.com/products/oscilloscope PicoScope. The modern alternative to the traditional benchtop oscilloscopesoscilloscope.]

=====[Vector] Network based[over-the-air (OTA) programming]=====::* Network stack - > WLAN / BT firmware bugs(OSI layer 1. physical)::::- Example 1. Broadcom Wi-Fi SoC remote heap overflow [https://www.exploit-db.com/exploits/41805 CVE 2017-0561]::::- Example 2. Qualcomm Wi-Fi stack based buffer overflow [https://app.opencve.io/cve/CVE-2022-33279 CVE-2022-33279]::::- Example 3. node-bluetooth remote buffer overflow [https://github.com/advisories/GHSA-cxx3-36qc-m6qm CVE-2023-26110]

:::: Promiscuous mode eavesdropping is needed to audit software code because it allows the monitoring of all network traffic, enabling auditors to detect:::: unauthorized data access and vulnerabilities that may not be visible through standard monitoring methods.:::; <pre style="font-weight: normal;">Promiscuous mode eavesdropping is a network monitoring technique where a network interface card (NIC) captures all packets on the network segment, regardless of their destination address. This allows authorized or unauthorized users to intercept sensitive data transmitted over the network.</pre>::* Network stack - > MiTM (Man-in-the-middle) methods:::;- SSL stripping::::: '''Mitmproxy''' is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing.:::::: [https://mitmproxy.org/ Click here for more details.]::::: '''Exploitation of Trust''' by OSI layer 7 local client modifications to do '''cert pinning''' (local pentesting).:::::: Github example [https://github.com/Fuzion24/JustTrustMe/blob/master/app/src/main/java/just/trust/me/Main.java click here.]::* Local - > Cryptographic checksums:::: A cryptographic checksum is a mathematical value generated by a cryptographic algorithm to verify the integrity of data, ensuring that it has not been altered during transmission or storage.:::; <pre style="font-weight: normal;">Not only are OTA updates after being downloaded over TCP+TLS by a device cryptographically checked to make sure the authenticity and integrity is accounted for, if this was not the case it could install a malicious update or simply brick million of devices. TCP already ensures data integrity through checksums and error detection mechanisms so by adding even more checks it's redundance is high.</pre>

::* Local :: A cryptographic signed package is a digital package that includes a cryptographic signature, ensuring the package’s authenticity, integrity, and origin from a trusted entity.:::: This signature verifies that the package has not been altered since it was signed.:::; <pre style="font- weight: normal;">Signing an OTA update package involves applying a digital signature using cryptographic methods. This process serves several critical purposes. 1. Authenticity. 2. Integrity.</pre> Cryptographic checksums

=====SOP16 / 8 / VSOP8 / WSON8/ PDIP8 / SO8 / TSSOP8 / UFDFPN8=====:: ➤ CH341A programmer:::;- [https://www.onetransistor.eu/2017/08/ch341a-mini-programmer-schematic.html CH341A Mini ProgrammerSchematic and Drivers blogpost.]:: ➤ Ezp2023+ programmer with appropriate SOP16 SOP8 adapter (:::;- '''Important note: ''' limited NOR Flash and NAND Flash support! Might need 1.8v adapter, buggy software). [https://www.onetransistor.eu/2023/12/how-to-use-ezp2023-usb-programmer.html Read more here.]