Changes

Remove Ezp2023+ and add XGECU T48 TL866 II Plus
:* [https://en.wikipedia.org/wiki/1-Wire One-Wire]
::- 1-Wire is a wired half-duplex serial bus designed by Dallas Semiconductor that provides low-speed (16.3 kbit/s) data communication and supply voltage over a single conductor.
::: '''[Example]''' Genuine Dell laptop power supplies use the 1-Wire protocol to transmit data over the third wire to the laptop's embedded controller, providing information about power, current, and voltage ratings.
::: The embedded controller then verifies that a compatible power supply is connected, allowing all VRM phases to operate at maximum duty cycle.
::: Emulating the [https://github.com/orgua/OneWireHub/blob/main/examples/DS2502_DELLCHG/DS2502_DELLCHG.ino DS2502 TO-92-3 1-wire Dell charger ID EEPROM.]
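An added example (not code from the wiki or from the OneWireHub project linked above): the Dallas/Maxim CRC-8 that every 1-Wire device, including the DS2502 used as the Dell charger ID EEPROM, appends to its 64-bit ROM ID, and the check a 1-Wire master performs before trusting that ID. The serial bytes and the "expected family code" policy are constructed for the example.

```python
# Added example (not code from the wiki or the OneWireHub project): the
# Dallas/Maxim CRC-8 that every 1-Wire device, including the DS2502 used as
# Dell charger ID EEPROM, appends to its 64-bit ROM ID. A master checks it
# before trusting the ID. The sample serial below is constructed, not real.

DS2502_FAMILY_CODE = 0x09  # family code of the DS2502 1 Kbit add-only EEPROM


def crc8_1wire(data: bytes) -> int:
    """1-Wire CRC-8: x^8 + x^5 + x^4 + 1, LSB first, init 0, no final XOR
    (the bit-reflected polynomial is 0x8C)."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 0x01
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc


def rom_id_from_serial(family: int, serial: bytes) -> bytes:
    """Build an 8-byte ROM ID: family code, 48-bit serial, CRC-8 over the first 7 bytes."""
    if len(serial) != 6:
        raise ValueError("1-Wire serial number must be 6 bytes")
    body = bytes([family]) + serial
    return body + bytes([crc8_1wire(body)])


def check_rom_id(rom_id: bytes, expected_family: int = DS2502_FAMILY_CODE) -> dict:
    """Validate a ROM ID the way a 1-Wire master would before trusting the device."""
    if len(rom_id) != 8:
        return {"ok": False, "family_ok": False, "crc_ok": False, "reason": "rom id must be 8 bytes"}
    family_ok = rom_id[0] == expected_family
    crc_ok = crc8_1wire(rom_id[:7]) == rom_id[7]
    reason = None if crc_ok and family_ok else ("bad crc" if not crc_ok else "unexpected family code")
    return {"ok": family_ok and crc_ok, "family_ok": family_ok, "crc_ok": crc_ok, "reason": reason}


# Constructed DS2502-style ROM ID; the serial bytes are made up for the example.
SAMPLE_ROM_ID = rom_id_from_serial(DS2502_FAMILY_CODE, bytes.fromhex("a1b2c3d4e5f6"))

if __name__ == "__main__":
    print("ROM ID:", SAMPLE_ROM_ID.hex(), check_rom_id(SAMPLE_ROM_ID))
    flipped = bytes([SAMPLE_ROM_ID[0], SAMPLE_ROM_ID[1] ^ 0x01]) + SAMPLE_ROM_ID[2:]
    print("one bit flipped:", check_rom_id(flipped))
```

The CRC only protects against transmission errors, not against a device that computes it correctly; that is why the emulator above can pass the check, and why the ROM ID alone is not an authenticity proof.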
=====External ROM=====
: In the case of an external ROM you can always try to read it with a programmer and dump its contents this way for later static analysis.
=====Internal ROM=====
When your target chip has a built-in ROM and the chip is locked, in most cases you are out of luck trying to read the firmware easily.<br>
This is where it comes in handy to know the different methods widely used to attack these chips in order to retrieve the firmware for later static analysis or even live debugging.
 
::* 1. Decapsulation
:::;- [https://www.youtube.com/watch?v=T1rRgb9N9s4 '''RECESSIM video:''' Nitric Acid and Microscopes. Decapsulating IC's.]
::* 2. Bootloader hacking
:::;- [https://0xinfection.github.io/reversing/reversing-for-everyone.pdf Great resources on reverse engineering]
::* 3. Fault injection & Glitching Attacks
:::;- VCC glitching (Crowbar Circuits)
::::: [https://www.youtube.com/watch?v=IOD5voFTAz8 '''RECESSIM video:''' Hacking into a Locked Microchip - Reverse Engineer shows you how it's done.]
::::: [https://eprint.iacr.org/2016/810.pdf Example paper 1. Fault Injection using Crowbars on Embedded Systems.]
::::: [https://arxiv.org/pdf/1903.08102 Example paper 2. Injecting Software Vulnerabilities with Voltage Glitching.]
::::: [https://cardis.org/cardis2013/proceedings/CARDIS2013_16.pdf Example paper 3. Glitch it if you can: parameter search strategies for successful fault injection.]
::::: [https://www.researchgate.net/publication/353922465_The_Forgotten_Threat_of_Voltage_Glitching_A_Case_Study_on_Nvidia_Tegra_X2_SoCs Example paper 4. The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs]
::::: [https://www.aisec.fraunhofer.de/en/FirmwareProtection.html Example paper 5. Using Optical Fault Injection and Race Conditions to Bypass STM32F0 Series Debug Interface Protections]
:::::- [https://github.com/racerxdl/stm32f0-pico-dump RPi Pico Implementation Exploiting Race Conditions to Iteratively Read Firmware]
:::;- Clock glitching (Oscillator Circuits)
::::: [https://caslab.io/publications/durand2021ultra.pdf Example paper 1. Ultra Freezing Attacks and Clock Glitching of Clock Oscillator Circuits]
:::;- [https://github.com/newaetech/chipshouter-picoemp PicoEMP]
======Atmel SAM4C32 Glitching (Crowbar Circuit)======
: > [[:ATSAM4C32|Full in-depth wiki page can be found here.]]
: The Atmel SAM4C32 holds reset low during the early start-up process, somewhere in the bootloader, which marks the vulnerable window for a glitch.<br>
: After glitching the chip, JTAG comes online serving a command prompt, which allows dumping the firmware of a chip protected by Atmel's Security Bit feature called GPNVM.<br>
: [[File:Atmel SAM4 series glitch.png|none|thumb|Atmel SAM4C32 glitching. Yellow: VDDCORE, purple: RST.]]
: Credits to [https://www.0x01team.com/hw_security/bypassing-microchip-atmel-sam-e70-s70-v70-v71-security/ 0x01 Team] and [https://www.youtube.com/watch?v=IOD5voFTAz8 RECESSIM] for finding that the reset low period is tied to the glitch timebase.
====Debugging ====
=====Debugging Hardware / Tools=====
::* Tools that are used to find debug ports, OCD interfaces, serial port I/O.
:::;- [https://github.com/openocd-org/openocd OpenOCD (Open On-Chip Debugger)]
:::;- [https://www.picotech.com/products/oscilloscope PicoScope. The modern alternative to the traditional benchtop oscilloscope.]
:::;- [https://buspirate.com/ BusPirate - universal bus interface device for I2C and SPI.]
:::;- [https://github.com/travisgoodspeed/goodfet GoodFET JTAG adapter]
:::;- [https://mouser.com/new/segger/seggerjlink/ J-Link In-Circuit Debugger]
:::;- [https://github.com/grandideastudio/jtagulator JTAGulator is an open source hardware tool that assists in identifying OCD interfaces from test points, vias, component pads, or connectors on a target device.]
=====Logic Analyzer=====
:: [https://hardwear.io/netherlands-2024/speakers/sasha-sheremetov.php hardwear.io - Hacking NAND Memory Pinout using Logic Analyzer.]
:: '''Abstract:'''
:: This presentation is about analysis of technological pinout of NAND memory in such devices as microSD, eMMC and other monolithic chips using a logic analyzer.
:: YouTube video: https://www.youtube.com/watch?v=sgl9Sfu79Lc
====Non-intrusive methods====
=====[Vector] Factory debug/programming ports=====
::* JTAG (primarily used for testing and debugging electronic circuits)
:::- Finding an unpopulated or populated JTAG port on the PCB.
:::; <pre style="font-weight: normal;">Signing an OTA update package involves applying a digital signature using cryptographic methods. This process serves several critical purposes. 1. Authenticity. 2. Integrity.</pre>
====Off the shelf extraction hardware Programmers / Flash Utilities & Nand Flash Controllers ====
=====Programmers=====
======SOP16 / 8 / VSOP8 / WSON8 / PDIP8 / SO8 / TSSOP8 / UFDFPN8======
:: ➤ CH341A programmer
:::;- [https://www.onetransistor.eu/2017/08/ch341a-mini-programmer-schematic.html CH341A Mini Programmer Schematic and Drivers blogpost.]
:: ➤ XGECU T48 TL866 II Plus
:::;- Budget friendly high speed 30 MHz programmer that supports a wide range of chips (EEPROM/Flash/MCU/BIOS/SPI/NOR/NAND/EMMC) including high-capacity NAND (up to 256 GB).<br> Adjustable VCC/VPP voltages (1.8-6.5 V, up to 25 V), logic testing and pin diagnostics. Broad OS support from Win XP to Win 11.
=====Flash Utilities=====
:: ➤ flashrom (Support: SPI/BIOS/EC)
:::;- [https://github.com/flashrom/flashrom flashrom] is a utility for identifying, reading, writing, verifying and erasing flash chips. It is designed to flash BIOS/EFI/coreboot/firmware/optionROM images on mainboards, network/graphics/storage controller cards, and various other programmer devices.
=====Nand Flash Controllers=====
Listing of NAND flash/NAND controller interface chips and programming & off the shelf hardware (cheap stuff).<br>Since the search engine is broken at the usual suspects (DHgate, Gearbest, Banggood, Aliexpress or various other China stores), I use a search query like for example '''“TSOP48 usb pcb controller flash disk site:aliexpress.com”''' in image search mode.
======BGA-153 Nand Flash======
:: ➤ ['''UFS'''] JMicron JMS901 USB 3 (single channel nand supported)
:: ➤ ['''eMMC'''] Alcor Micro AU6438 USB 2.0 (single channel nand supported)
======TSOP48 ======
:: ➤ Innostor IS917 [https://flash-extractor.com/library/IS/IS917/ click here for details (Flash-extractor library)]
:: ➤ Silicon Motion Sm3281n [https://flash-extractor.com/library/SM/SM3281/SM3281N%20BB__2c_a4_08_32__1x8 click here for details (Flash-extractor library)]
:: ➤ Chipsbank CBM2099E [https://flash-extractor.com/library/CBM/CBM2099/ click here for details (Flash-extractor library)]
=====SOP16 / 8 / VSOP8 / WSON8 / PDIP8 / SO8 / TSSOP8 / UFDFPN8=====
:: ➤ CH341A programmer
:::;- [https://www.onetransistor.eu/2017/08/ch341a-mini-programmer-schematic.html CH341A Mini Programmer Schematic and Drivers blogpost.]
:: ➤ Ezp2023+ programmer with appropriate SOP16 SOP8 adapter
:::;- '''Important note:''' limited NOR Flash and NAND Flash support! Might need a 1.8 V adapter, buggy software. [https://www.onetransistor.eu/2023/12/how-to-use-ezp2023-usb-programmer.html Read more here.]
=====Nand Controller firmwares & datasheets=====
USBDev.ru is a great resource.
====The final chapter ====
Analyzing dumped data. You might also find the [[Software_Tools#|software category interesting.]]
::* Tools: Analyzing & unpacking firmware blobs
:::;- [https://github.com/onekey-sec/unblob Unblob]
:::;- [https://github.com/ReFirmLabs/binwalk Binwalk]
:::;- [https://github.com/attify/firmware-analysis-toolkit Firmware Analysis Tools (FAT)]
:::;- [https://github.com/fkie-cad/FACT_core FACT (Firmware Analysis and Comparison Tool)]
 
::* Disassemblers
:::;- [[Software_Tools#Interactive_Disassemblers_.28static_analysis.29|Interactive Disassemblers (static analysis)]]
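An added example (not from the wiki page or from any of the tools listed above) of the first-pass sanity checks worth running on a dump from one of the programmers above before handing it to unblob or binwalk: comparing two consecutive reads, spotting all-0xFF/all-0x00 pages that indicate a failed or blank read, and flagging high-entropy pages that are likely compressed or encrypted. The sample dump and the 4096-byte block size are constructed for the example.

```python
# Added example (not from the wiki page or the tools it lists): first-pass
# sanity checks on a flash dump before feeding it to unblob/binwalk. Both the
# sample dump and the block size are constructed for this example.
import hashlib
import math
import random
from collections import Counter

BLOCK = 4096  # assumed erase-page size used for per-block statistics


def dumps_match(dump_a: bytes, dump_b: bytes) -> bool:
    """Two consecutive reads of the same chip must be identical; a mismatch
    points to an unstable read (bad clip contact, wrong VCC, 1.8 V part)."""
    return len(dump_a) == len(dump_b) and hashlib.sha256(dump_a).digest() == hashlib.sha256(dump_b).digest()


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: ~0 for fill bytes, ~8 for compressed/encrypted data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_blocks(dump: bytes, block_size: int = BLOCK) -> list:
    """Label every block as 'erased' (all 0xFF), 'zero' (all 0x00),
    'high-entropy' (likely compressed or encrypted) or 'data'."""
    labels = []
    for off in range(0, len(dump), block_size):
        blk = dump[off:off + block_size]
        if blk.count(0xFF) == len(blk):
            labels.append("erased")
        elif blk.count(0x00) == len(blk):
            labels.append("zero")
        elif shannon_entropy(blk) > 7.5:
            labels.append("high-entropy")
        else:
            labels.append("data")
    return labels


def looks_like_failed_read(dump: bytes) -> bool:
    """A dump that is nothing but 0xFF or nothing but 0x00 is a failed read, not firmware."""
    labels = set(classify_blocks(dump))
    return not dump or labels == {"erased"} or labels == {"zero"}


# Constructed sample: a low-entropy "code" page, an erased page and a
# pseudo-random page standing in for an encrypted section (fixed seed).
_rng = random.Random(1337)
SAMPLE_DUMP = (b"BOOT v1.0 " * (BLOCK // 10) + b"\x00" * (BLOCK % 10)
               + b"\xff" * BLOCK
               + bytes(_rng.getrandbits(8) for _ in range(BLOCK)))
```

On a real dump, read the chip twice with the programmer, pass both files' contents to dumps_match, and only then run classify_blocks on the agreed image.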