Merge pull request #22 from makim0n/main

add pin2pwn attack + ch341a device
pull/23/head
Swissky 2022-11-04 09:47:09 +01:00 committed by GitHub
commit 01c9c49777
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 37 additions and 0 deletions

BIN docs/assets/ch341a.png Normal file (binary, 504 KiB)

BIN Normal file (binary, 444 KiB)

BIN docs/assets/spi_pin2pwn.png Normal file (binary, 56 KiB)

23
docs/gadgets/ch341a.md Normal file

@ -0,0 +1,23 @@
# CH341A
![CH341A](../assets/ch341a.png)
### Dump SPI flash
#### ch341eeprom
> https://github.com/plumbum/ch341eeprom
```bash
sudo apt install git make libusb-1.0-0-dev clang
git clone https://github.com/plumbum/ch341eeprom.git
make
./ch341eeprom -v -s 24c05 -r dump.bin
```
#### Flashrom
```bash
sudo flashrom -V --programmer ch341a_spi -r dump.bin
sudo flashrom -V --programmer ch341a_spi -r dump.bin -c W25Q16.V # Specify the chip
```
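Review bot: the ch341eeprom block runs `make` in the wrong directory; after `git clone https://github.com/plumbum/ch341eeprom.git` it needs a `cd ch341eeprom` before `make`, otherwise the build step fails in the caller's working directory. The read command `./ch341eeprom -v -s 24c05 -r dump.bin` also targets a 24Cxx-series I2C EEPROM, which sits oddly under the `### Dump SPI flash` heading; either retitle that subsection (for example "Dump I2C EEPROM") or keep only the flashrom commands under the SPI heading. Minor: a one-line comment on the `sudo apt install ...` line saying it installs the build toolchain would help, and for the flashrom reads it is worth recommending a second `-r` into a different file followed by `cmp dump.bin dump2.bin`, so a flaky clip connection is caught before the image is trusted.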


@ -3,3 +3,17 @@
### AVR Glitch: Modifying Code Execution Paths Using Only Voltage ### AVR Glitch: Modifying Code Execution Paths Using Only Voltage
[https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/](https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/) [https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/](https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/)
### Pin2pwn
[https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf)
In the case of an external SPI flash, it is possible for an attacker to short these pins :
![SPI flash example](../assets/spi_pin2pwn.png)
The MCU will not be able to get data from the external flash and then show a stacktrace, get a shell in the bootloader or worst a root shell on the embedded Linux.
Here is a practical example, putting a cable between MOSI and Chip Select :
![SPI flash example](../assets/pin2pwn_practical_example.png)
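Review bot: the explanation in this hunk states the effect ("The MCU will not be able to get data from the external flash and then show a stacktrace, get a shell in the bootloader or worst a root shell") without saying why it happens, so a reader cannot judge whether their own board is affected; make explicit that the outcome depends on the bootloader's error handling, i.e. the real weakness is a bootloader that drops to an interactive console or prints diagnostics when the SPI read fails, and a short defensive note (fail closed on flash read errors, disable the bootloader console and debug output in production builds) would round the section out. Wording: "or worst a root shell" should read "or worse, a root shell", "stacktrace" is two words, and both "short these pins :" and "MOSI and Chip Select :" carry a stray space before the colon. The first sentence refers to "these pins" before naming them; since the practical example bridges MOSI and Chip Select, name the pins in that sentence as well rather than relying on the image alone.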