Changes

1,688 bytes added ,  01:33, 10 August 2020
**JTAG Port
**Serial Port
**Hardware attack - Remove flash memory and read directly (possibly encrypted/obfuscated)
**USB data capture - Packet capture firmware update (possibly encrypted/obfuscated)
Initially the radio was opened and wires were soldered to some test points and an interesting PCB footprint that I suspected was JTAG as seen in the video below.
<youtube width="320" height="240">EZP2DVU9IvQ</youtube>
===== Serial Port =====
The serial port turned out to just be control data sent from the CPU board to the transceiver board, explained further below. Removing the flash memory is an option, although it is a BGA package, so I am not sure about soldering wires to it so it can be read out. Furthermore, the OMAP-L138 processor seems to have a few protection mechanisms. Encryption of the firmware is one of them, so that route might be useless.
If stripped down to a bare PCB, then perhaps the boot config register values can be tweaked, or hard-coded settings (usually set using resistors) altered, to change the boot procedure and allow further debugging.

==== Hardware Attack ====
* Desolder flash memory chip
* Re-ball BGA and clean in preparation for socket
* Insert into BGA socket and read contents using [https://www.embeddedcomputers.net/products/FlashcatUSB_XPORT/ FlashcatUSB XPORT] with [https://www.embeddedcomputers.net/products/ParallelAdapters/ BGA-64 (LAE064)] socket

Other than the obvious challenge of desoldering and re-balling a donor radio BGA, this worked great to get a complete image of the firmware! The firmware on the flash is not encrypted or obfuscated in any way, so it's possible to make use of it immediately.

Cost breakdown to get a complete firmware image using this method: '''$330 USD'''
* $145 - Replacement processor board for TH-D74 (eBay)
* $40 - [https://www.embeddedcomputers.net/products/FlashcatUSB_XPORT/ FlashcatUSB XPORT]
* $145 - [https://www.embeddedcomputers.net/products/ParallelAdapters/ BGA-64 (LAE064)] socket

Having a copy of the firmware for modification and analysis... PRICELESS!

==== USB Data Capture ====
This method costs a lot less than the hardware attack, like $330 less! See the YouTube video below for a walk-through. The software tools used are listed below; I am sure other tools would work, but this is what I used.

'''''Have a better method? Create an account and update the wiki!'''''

(Insert YouTube video here)

* [https://www.hhdsoftware.com/hex-editor Hex Editor Neo] - Allows bitwise operations and other cool features, with a 14-day free trial!
* [https://www.eltima.com/products/usb-port-monitor/ USB Analyzer] - By Eltima Software, it captures USB traffic and lets you easily export the binary data. It also comes with a 14-day free trial!
* [https://github.com/BitBangingBytes/Firmware-Parse-Tool Firmware Parse Tool] - Python program to strip header bytes from USB data captures
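The two steps the sections above describe, rebuilding the firmware image from a USB capture by stripping per-packet header bytes and then deciding whether the result is actually encrypted or obfuscated, can be done in a few dozen lines. The code below is an added example, not the wiki's Firmware Parse Tool and not a Kenwood tool. It assumes a capture export with one transfer per line as "DIRECTION hex-bytes", a fixed 4-byte header on each host-to-radio data packet, and a constructed sample trace; the real TH-D74 update framing has to be read off an actual capture and the header length adjusted.

```python
"""Reassemble a firmware payload from a USB capture export and check whether it
looks encrypted. Added example; capture format and HEADER_LEN are assumptions."""
import hashlib
import math
from collections import Counter

HEADER_LEN = 4  # assumed per-packet header length; set from a real capture

# Constructed sample trace (not a real TH-D74 capture): "DIRECTION hex bytes" per line.
# OUT = host -> radio data with an assumed 4-byte header, IN = radio acknowledgements.
SAMPLE_CAPTURE = """
OUT 02 00 00 01 4b 45 4e 57 4f 4f 44 20
IN  06 00 00 01
OUT 02 00 00 02 54 48 2d 44 37 34 20 46 57
IN  06 00 00 02
OUT 02 00 00 03 20 76 31 2e 30 30 00 00
IN  06 00 00 03
"""


def parse_capture(text):
    """Parse capture text into a list of (direction, raw_bytes) tuples."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, _, hexdata = line.partition(" ")
        packets.append((direction.upper(), bytes.fromhex(hexdata)))
    return packets


def reassemble(packets, direction="OUT", header_len=HEADER_LEN):
    """Drop header_len bytes from each packet in `direction`, keep the rest in order."""
    image = bytearray()
    for d, raw in packets:
        if d != direction or len(raw) <= header_len:
            continue  # acks and header-only frames carry no image data
        image += raw[header_len:]
    return bytes(image)


def shannon_entropy(data):
    """Bits per byte: 8.0 is the maximum, plaintext code and data sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data, block=1024):
    """(offset, entropy) per block, to spot an encrypted region inside a plaintext image."""
    return [(off, shannon_entropy(data[off:off + block])) for off in range(0, len(data), block)]


def looks_encrypted(data, threshold=7.5, block=1024):
    """True when most blocks are near 8 bits/byte. Compressed data trips this too."""
    ents = [e for _, e in block_entropies(data, block)]
    return sum(e >= threshold for e in ents) > len(ents) / 2


def printable_strings(data, minlen=8):
    """Recover ASCII runs, the quickest sign that an image is usable as-is."""
    found, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= minlen:
                found.append(cur.decode())
            cur = bytearray()
    if len(cur) >= minlen:
        found.append(cur.decode())
    return found


def pseudo_random_bytes(n, seed=b"stand-in for an encrypted image"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, state = bytearray(), seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])


if __name__ == "__main__":
    image = reassemble(parse_capture(SAMPLE_CAPTURE))
    print(len(image), "bytes reassembled:", image)
    print("strings:", printable_strings(image))
    print("entropy %.2f bits/byte, looks encrypted: %s"
          % (shannon_entropy(image), looks_encrypted(image)))
    enc = pseudo_random_bytes(4096)
    print("stand-in ciphertext entropy %.2f, looks encrypted: %s"
          % (shannon_entropy(enc), looks_encrypted(enc)))
```

The entropy check only tells plaintext from high-entropy data; a compressed update blob reads the same as an encrypted one, so look for compression magic (gzip, LZMA, zlib headers) before concluding the vendor encrypts. With 1024-byte blocks, genuinely random data scores about 7.8 bits/byte rather than 8.0 because of the small sample, which is why the threshold is 7.5 and not higher.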
====Understand how the radio works====
