commit
01c9c49777
Binary file not shown.
After Width: | Height: | Size: 504 KiB |
Binary file not shown.
After Width: | Height: | Size: 444 KiB |
Binary file not shown.
After Width: | Height: | Size: 56 KiB |
|
@ -0,0 +1,23 @@
|
||||||
|
# CH341A
|
||||||
|
|
||||||
|
![CH341A](../assets/ch341a.png)
|
||||||
|
|
||||||
|
### Dump SPI flash
|
||||||
|
|
||||||
|
#### ch341eeprom
|
||||||
|
|
||||||
|
> https://github.com/plumbum/ch341eeprom
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo apt install git make libusb-1.0-0-dev clang
|
||||||
|
git clone https://github.com/plumbum/ch341eeprom.git
|
||||||
|
make
|
||||||
|
./ch341eeprom -v -s 24c05 -r dump.bin
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Flashrom
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo flashrom -V --programmer ch341a_spi -r dump.bin
|
||||||
|
sudo flashrom -V --programmer ch341a_spi -r dump.bin -c W25Q16.V # Specify the chip
|
||||||
|
```
|
|
@ -3,3 +3,17 @@
|
||||||
### AVR Glitch: Modifying Code Execution Paths Using Only Voltage
|
### AVR Glitch: Modifying Code Execution Paths Using Only Voltage
|
||||||
|
|
||||||
[https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/](https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/)
|
[https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/](https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/)
|
||||||
|
|
||||||
|
### Pin2pwn
|
||||||
|
|
||||||
|
[https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf)
|
||||||
|
|
||||||
|
In the case of an external SPI flash, it is possible for an attacker to short these pins :
|
||||||
|
|
||||||
|
![SPI flash example](../assets/spi_pin2pwn.png)
|
||||||
|
|
||||||
|
The MCU will not be able to get data from the external flash and then show a stacktrace, get a shell in the bootloader or worst a root shell on the embedded Linux.
|
||||||
|
|
||||||
|
Here is a practical example, putting a cable between MOSI and Chip Select :
|
||||||
|
|
||||||
|
![SPI flash example](../assets/pin2pwn_practical_example.png)
|
Loading…
Reference in New Issue