:* [https://en.wikipedia.org/wiki/1-Wire One-Wire]
::- 1-Wire is a wired half-duplex serial bus designed by Dallas Semiconductor that provides low-speed (16.3 kbit/s) data communication and supply voltage over a single conductor.
::: '''[Example]''' Genuine Dell laptop power supplies use the 1-Wire protocol to transmit data over the third wire to the laptop's embedded controller, providing information about power, current, and voltage ratings.
::: The embedded controller verifies that a compatible power supply is connected, allowing all VRM phases to operate at maximum duty cycle, and refuses charging if the adapter does not meet requirements.
::: Emulating the [https://github.com/orgua/OneWireHub/blob/main/examples/DS2502_DELLCHG/DS2502_DELLCHG.ino DS2502 TO-92-3 1-wire Dell charger ID EEPROM.]
=====Internal ROM=====
When your target chip has a built-in ROM and the chip is locked, you are in most cases out of luck trying to read the firmware easily.<br>
This is where it comes in handy to know the different methods widely used to attack these chips in order to retrieve the firmware for later static analysis or even live debugging.
::::: [https://cardis.org/cardis2013/proceedings/CARDIS2013_16.pdf Example paper 3. Glitch it if you can: parameter search strategies for successful fault injection.]
::::: [https://www.researchgate.net/publication/353922465_The_Forgotten_Threat_of_Voltage_Glitching_A_Case_Study_on_Nvidia_Tegra_X2_SoCs Example paper 4. The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs]
::::: [https://www.aisec.fraunhofer.de/en/FirmwareProtection.html Example paper 5. Using Optical Fault Injection and Race Conditions to Bypass STM32F0 Series Debug Interface Protections]
:::::- [https://github.com/racerxdl/stm32f0-pico-dump RPi Pico Implementation Exploiting Race Conditions to Iteratively Read Firmware]
:::;- Clock glitching (Oscillator Circuits)
::::: [https://caslab.io/publications/durand2021ultra.pdf Example paper 1. Ultra Freezing Attacks and Clock Glitching of Clock Oscillator Circuits]
: Credits to [https://www.0x01team.com/hw_security/bypassing-microchip-atmel-sam-e70-s70-v70-v71-security/ 0x01 Team] and [https://www.youtube.com/watch?v=IOD5voFTAz8 RECESSIM] for finding that the reset low period is connected to the glitch timebase.
====Debugging====
=====Debugging Hardware / Tools=====
::* Tools that are used to find debug ports, OCD interfaces, serial port I/O.
:::;- [https://github.com/openocd-org/openocd OpenOCD (Open On-Chip Debugger)]
:::;- [https://www.picotech.com/products/oscilloscope PicoScope. The modern alternative to the traditional benchtop oscilloscope.]
:::;- [https://buspirate.com/ BusPirate - universal bus interface device for I2C and SPI.]
:::;- [https://github.com/travisgoodspeed/goodfet GoodFET JTAG adapter]
:::;- [https://mouser.com/new/segger/seggerjlink/ J-Link In-Circuit Debugger]
:::;- [https://github.com/grandideastudio/jtagulator JTAGulator is an open source hardware tool that assists in identifying OCD interfaces from test points, vias, component pads, or connectors on a target device.]
=====Logic Analyzer=====
:: [https://hardwear.io/netherlands-2024/speakers/sasha-sheremetov.php hardwear.io - Hacking NAND Memory Pinout using Logic Analyzer.]
:: '''Abstract:'''
:: This presentation is about analysis of the technological pinout of NAND memory in devices such as microSD, eMMC and other monolithic chips using a logic analyzer.
:: YouTube video: https://www.youtube.com/watch?v=sgl9Sfu79Lc
====Non-intrusive methods====
:::; <pre style="font-weight: normal;">Signing an OTA update package involves applying a digital signature using cryptographic methods. This process serves several critical purposes:
1. Authenticity.
2. Integrity.</pre>
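The sign-and-verify flow described above, as an added example in Go's standard library (not code from this wiki page or from any linked project); the package layout, the manifest format (version || SHA-256 of the image) and the function names are assumptions made for this illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Package is a constructed OTA package layout (hypothetical, for illustration):
// version number, firmware image, Ed25519 signature over version || SHA-256(image).
type Package struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// manifest is what actually gets signed: a digest keeps the signature small,
// and binding the version stops an old image's signature being replayed
// under a different version number.
func manifest(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	m := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(m, version)
	return append(m, h[:]...)
}

// SignPackage is the build-server side; only it holds the private key.
func SignPackage(priv ed25519.PrivateKey, version uint32, image []byte) Package {
	return Package{Version: version, Image: image, Sig: ed25519.Sign(priv, manifest(version, image))}
}

// VerifyPackage is the device side, run before anything is written to flash,
// with the public key provisioned in ROM/OTP. Any change to version, image
// or signature makes it return false (integrity + authenticity).
func VerifyPackage(pub ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(pub, manifest(p.Version, p.Image), p.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed sample firmware image") // constructed, not a real image
	pkg := SignPackage(priv, 2, image)
	fmt.Println("genuine package verifies:", VerifyPackage(pub, pkg))
	tampered := pkg
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xff // one flipped bit: verification fails
	fmt.Println("tampered image verifies:", VerifyPackage(pub, tampered))
}
```

Because the version is part of the signed manifest, re-labelling a genuine image with a different version number fails verification too.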
====Programmers / Flash Utilities & Nand Flash Controllers ====
=====Programmers=====
======SOP16 / 8 / VSOP8 / WSON8 / PDIP8 / SO8 / TSSOP8 / UFDFPN8======
:: ➤ CH341A programmer
:::;- [https://www.onetransistor.eu/2017/08/ch341a-mini-programmer-schematic.html CH341A Mini Programmer Schematic and Drivers blogpost.]
:: ➤ Ezp2023+ programmer with appropriate SOP16 / SOP8 adapter
:::;- '''Important note:''' limited NAND Flash support! Might need a 1.8V adapter; buggy software.
:::;- [https://www.onetransistor.eu/2023/12/how-to-use-ezp2023-usb-programmer.html Read more here.]
:: ➤ XGECU T48 / TL866 II Plus
:::;- Budget-friendly high-speed (30 MHz) programmer that supports a wide range of chips (EEPROM/Flash/MCU/BIOS/SPI/NOR Flash and NAND Flash/eMMC), including high-capacity NAND (up to 256 GB).<br> Adjustable VCC/VPP voltages (1.8-6.5 V, up to 25 V), logic testing and pin diagnostics. Broad OS support from Windows XP to Windows 11.
=====Flash Utilities=====
:: ➤ flashrom (Support: SPI/BIOS/EC)
:::;- [https://github.com/flashrom/flashrom flashrom] is a utility for identifying, reading, writing, verifying and erasing flash chips. It is designed to flash BIOS/EFI/coreboot/firmware/optionROM images on mainboards, network/graphics/storage controller cards, and various other programmer devices.
=====Nand Flash Controllers=====
Listing of NAND flash controller interface chips & off-the-shelf hardware (cheap stuff).<br>
Since the search engine is broken at the usual suspects (DHgate, Gearbest, Banggood, Aliexpress or various other China stores), I use a search query such as '''“TSOP48 usb pcb controller flash disk site:aliexpress.com”''' in image search mode.
======BGA-153======
:: ➤ ['''UFS'''] JMicron JMS901 USB 3 (single channel nand supported)
====The final chapter ====
Analyzing dumped data. You might also find the [[Software_Tools|software category]] interesting.
::* Analyzing & unpacking firmware blobs
:::;- [https://github.com/onekey-sec/unblob Unblob]
:::;- [https://github.com/ReFirmLabs/binwalk Binwalk]
:::;- [https://github.com/attify/firmware-analysis-toolkit Firmware Analysis Tools (FAT)]
:::;- [https://github.com/fkie-cad/FACT_core FACT (Firmware Analysis and Comparison Tool)]
::* Disassemblers
:::;- [[Software_Tools#Interactive_Disassemblers_.28static_analysis.29|Interactive Disassemblers (static analysis)]]