Gadget M5Core2 + HydraBus Update

2024-01-21 21:43:48 +01:00 · 2024-01-21 21:43:48 +01:00 · 4a47c29293
parent c349f12c5d
commit 4a47c29293
9 changed files with 183 additions and 81 deletions
--- a/docs/assets/hydrabus_pin_assignment.jpg
+++ b/docs/assets/hydrabus_pin_assignment.jpg
--- a/docs/assets/image_bus_pirate.png
+++ b/docs/assets/image_bus_pirate.png
--- a/docs/gadgets/bus-pirate.md
+++ b/docs/gadgets/bus-pirate.md
@ -1,15 +1,20 @@
 # Bus Pirate

-![MOSI-MISO](https://iotmyway.files.wordpress.com/2018/05/mode-guide.png)
+![BusPirate](../assets/image_bus_pirate.png)


-## Update Bus Pirate
+## Firmwares

-```powershell
-git clone https://github.com/BusPirate/Bus_Pirate.git
-cd Bus_Pirate/package/BPv4-firmware/pirate-loader-v4-source/pirate-loader_lnx
-sudo ./pirate-loader_lnx --dev=/dev/ttyACM0 --hex=../BPv4-firmware-v6.3-r2151.hex
-```
+* [BusPirate/Bus_Pirate](https://github.com/BusPirate/Bus_Pirate)
+    ```powershell
+    cd Bus_Pirate/package/BPv4-firmware/pirate-loader-v4-source/pirate-loader_lnx
+    sudo ./pirate-loader_lnx --dev=/dev/ttyACM0 --hex=../BPv4-firmware-v6.3-r2151.hex
+    ```
+
+
+## Examples
+
+Dump firmware over SPI using a Bus Pirate

 ```powershell
 # Identify EEPROM chip
@ -22,4 +27,6 @@ sudo flashrom -p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name)  -r (

 ## References

-* [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg)
+* [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg)
+* [Bus Pirate 5 REV 10 Hardware](https://hardware.buspirate.com/)
+* [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/)
--- a/docs/gadgets/flipper-zero.md
+++ b/docs/gadgets/flipper-zero.md
@ -2,7 +2,7 @@

 ![FlipperZero](../assets/image_flipper_cover.png)

-## **Firmwares**
+## Firmwares

 * [Flipper Zero Firmware](https://github.com/flipperdevices/flipperzero-firmware)
 * [Flipper Zero Unleashed Firmware](https://github.com/Eng1n33r/flipperzero-firmware)
@ -32,9 +32,15 @@
 * [Flipper Zero: Want some good news? - Penthertz](https://www.youtube.com/watch?v=tB0eYatvu0k)
 * [Flipper Zero: is this for you? Follow our 1st tests! - Penthertz](https://www.youtube.com/watch?v=W5YYObSBUno)

+
 ## Tutorials and Resources

 * [Flipper Zero Hacking 101 - pingywon](https://flipper.pingywon.com/flipper/)
 * [Flipper Zero Playground - UberGuidoZ](https://github.com/UberGuidoZ/Flipper)
 * [Flashing Flipper Zero with RogueMaster CFW](https://interestingsoup.com/n00b-guide-flashing-flipper-zero-to-rougemaster/)
-* [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md)
+* [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md)
+
+
+## References
+
+* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c)
--- a/docs/gadgets/hydrabus.md
+++ b/docs/gadgets/hydrabus.md
@ -1,6 +1,6 @@
 # HydraBus

-![HydraBUS - Pin Assignment](https://hydrabus.com/wp-content/uploads/2024/01/HydraBus_1_0_HydraFW_Default_PinAssignment_A4-1024x724.jpg)
+![HydraBUS - Pin Assignment](../assets/hydrabus_pin_assignment.jpg)


 ## Features
@ -16,11 +16,17 @@ External interactions:
 - UART
 - I2C
 - CAN/LIN Bus
+- SUMP
+- JTAG
 - SPI Bus
 - SD/SDIO
 - USB Bus
 - ADC / DAC (Analog / Digital)
 - GPIO
+- NFC
+- Wiegand
+- NAND flash
+- 1-wire,2-wire,3-wire


 ## Firmware
@ -29,16 +35,50 @@ External interactions:
 * [hydrabus/hydrafw_hydranfc_shield_v2](https://github.com/hydrabus/hydrafw_hydranfc_shield_v2) - HydraFW dedicated to HydraBus v1 / HydraNFC Shield v2
 * [bvernoux/blackmagic](https://github.com/bvernoux/blackmagic) - In application debugger for ARM Cortex microcontrollers

-Commands examples:

-```ps1
-show system/memory/threads
-```
+## Commands
+
+* Basic info: `show system`
+    ```ps1> show system
+    HydraFW (HydraBus) v0.11-1-g4d74500 2023-05-09
+    sysTime: 0x000d82dd.
+    cyclecounter: 0x76ac02b9 cycles.
+    cyclecounter64: 0x0000000076ac02cb cycles.
+    10ms delay: 1680035 cycles.
+    ```
+
+* Determine the port name: `ls -l /dev/tty*`
+* Interact witht the HydraBus: `screen /dev/ttyACM0`
+* Switch to SPI mode: `spi`
+* Determine the pin for SPI: `show pins`
+
+
+## Syntax
+
+| Value | Description |
+|-------|-------------|
+| [	 | Chip select (CS) active (low) |
+| ]	 | CS disable (high) |
+| r	 | Read one byte by sending dummy byte (0xff). r:1...255 for bulk reads |
+| hd | Read one byte by sending dummy byte (0xff). hd:1...4294967295 for bulk reads. Displays a hexdump of the result |
+| w	 | Followed by values to write byte(s). w:1...255 for bulk writes |
+| 0b | Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001 |
+| 0	 | Write this Octal value. Format is prefixed by a 0 (values from 000 to 077) |
+| "  | Write an ASCII-encoded string |
+| 0h/0x | Write this HEX value. Format is 0h01 or 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters |
+| 0-255	| Write this decimal value. Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value |
+
+Examples:
+
+* Read Identification (0x9F): `[ 0x9F r:3 ]`
+* Read Data (0x03) at the address (0x00:3) and read 32 bytes (hd:32) `[ 0x03 0x00:3 hd:32 ]`


 ## References

+* [HydraBus/HydraFW wiki - Benjamin Vernoux - Jan 21, 2021](https://github.com/hydrabus/hydrafw/wiki/)
 * [HydraBus v1.0 Specifications - HydraBus](https://hydrabus.com/hydrabus-1-0-specifications)
 * [HydraBus Assembly Video - Lab401 - 30 may 2017](https://youtu.be/9lFEPG8EG6w)
 * [BlackAlps17: Hydrabus: Lowering the entry fee to the IoT bugfest - Benjamin Vernoux -  2 dec. 2017](https://www.youtube.com/watch?v=theYbzPhYH8)
-* [HydraBus - An Open Source Platform - RMLL Sec 2017](https://archives.pass-the-salt.org/RMLL%20Security%20Tracks/2017/slides/RMLL-Sec-2017-hydrabus.pdf)
+* [HydraBus - An Open Source Platform - RMLL Sec 2017](https://archives.pass-the-salt.org/RMLL%20Security%20Tracks/2017/slides/RMLL-Sec-2017-hydrabus.pdf)
+* [Ph0wn, my first IoT CTF - Part 3 - Sebastien Andrivet - Dec. 19, 2018](https://sebastien.andrivet.com/en/posts/ph0wn-my-first-iot-ctf-part-3/)
--- a/docs/gadgets/m5stack.md
+++ b/docs/gadgets/m5stack.md
@ -0,0 +1,44 @@
+# Evil M5Core2
+
+> Evil-M5Core2 is an easy Evil portal and rogue app deployement software designed to work on M5Stack Core2.
+
+![Evil-M5Core2](https://raw.githubusercontent.com/7h30th3r0n3/Evil-M5Core2/main/Github-Img/menu-1.jpg)
+
+
+## Features
+
+* **WiFi Network Scanning**: Identify and display nearby WiFi networks.
+* **Network Cloning**: Check information and replicate networks for in-depth analysis.
+* **Captive Portal Management**: Create and operate a captive portal to prompt users with a page upon connection.
+* **Credential Handling**: Capture and manage portal credentials.
+* **Remote Web Server**: Monitor the device remotely via a simple web interface that can provide credentials and upload portal that store file on SD card.
+* **Sniffing probes**: Sniff and store on SD near probes.
+* **Karma Attack**: Try a simple Karma Attack on a captured probe.
+* **Automated Karma Attack**: Try Karma Attack on near probe automatically
+
+
+## Firmwares
+
+* Firmware: [7h30th3r0n3/Evil-M5Core2](https://github.com/7h30th3r0n3/Evil-M5Core2)
+
+**Requirements**:
+
+* `M5Stack` boards manager
+* `M5Unified` library
+
+
+**Install**:
+
+* Connect your `M5Core2` to your computer.
+* Open the `Arduino IDE` and load the provided code.
+* Ensure `M5unified` and `adafruit_neopixel` libraries are installed.
+* Ensure `esp32` and `M5stack` board are installed. (Error occur with esp32 `3.0.0-alpha3`, please use esp32 `v2.0.14` and below)
+* Place SD file content needed on the SD card. (IMG startup and sites folder)
+* Upload the script to your `M5Core2` device.
+* Restart the device if needed.
+
+
+## References
+
+* [Evil-M5Core2 v1.1.3 - Serial Command - Github Project](https://github.com/7h30th3r0n3/Evil-M5Core2)
+* [Evil Portal Meets Marauder on M5Stack!! Evil-M5Core2 Is the Best of Both Worlds! - Talking Sasquach - 7 jan 2024](https://youtu.be/jcVm4cysmnE)
--- a/docs/other/links-and-hardware-kits.md
+++ b/docs/other/links-and-hardware-kits.md
@ -34,8 +34,9 @@

 ## Twitch & Streaming

-* [Twitch/virtualabs](https://www.twitch.tv/virtualabs)
-* [VirtuVOD - VOD of twitch.tv/virtualabs](https://www.youtube.com/@VirtuVOD)
+* [Twitch - virtualabs](https://www.twitch.tv/virtualabs)
+* [Youtube - VirtuVOD - VOD of twitch.tv/virtualabs](https://www.youtube.com/@VirtuVOD)
+* [Youtube - WHID We Hack In Disguise](https://www.youtube.com/@whid_ninja)


 ## Books
--- a/docs/protocols/bluetooth.md
+++ b/docs/protocols/bluetooth.md
@ -1,10 +1,8 @@
 # Bluetooth

-### Challenge
+## Bluetooth configuration

-* BLE HackMe (https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android), [Introduction\_to\_BLE\_security](http://smartlockpicking.com/slides/HITB\_Cyberweek\_2020\_A\_Practical\_Introduction\_to\_BLE\_security.pdf) / https://github.com/smartlockpicking/BLE\_HackMe
-
-### Bluetooth configuration for Kali Linux
+Configuration for Kali Linux

 ```powershell
 $ sudo apt-get install bluetooth blueman bluez
@ -13,10 +11,10 @@ $ sudo hciconfig hci0 up

 $ sudo hcitool lescan
 00:1A:7D:DA:71:06 Ph0wn Beacon
-25:55:84:20:73:70 (unknown
+25:55:84:20:73:70 (unknown)
 ```

-Apt doesn't have a recent version of bluez, recompile it with the following lines.
+`apt` doesn't have a recent version of bluez, recompile it with the following lines.

 ```powershell
 wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz
@ -28,42 +26,31 @@ make -j8 && sudo make install
 sudo cp attrib/gatttool /usr/local/bin/
 ```

-### Enumerate services and characteristics
+## BLE - Enumerate services and characteristics

 > BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server.

-```powershell
-sudo apt-get install git build-essential libglib2.0-dev python-setuptools
-git clone https://github.com/IanHarvey/bluepy.git
-cd bluepy
-python setup.py build
-sudo python setup.py install
-git clone git clone https://github.com/hackgnar/bleah
-cd bleah
-python setup.py build
-sudo python setup.py install
+* Using [bettercap/bettercap](https://github.com/bettercap/bettercap)
+    ```powershell
+    sudo bettercap -eval "net.recon off; events.stream off; ble.recon on"
+    ble.show
+    ble.enum 04:52:de:ad:be:ef
+    ```

-sudo bleah -b $MAC -e
-```
+* Using [expliot_framework/expliot](https://expliot.readthedocs.io/en/latest/index.html)
+    ```powershell
+    # List of Services
+    run ble.generic.scan -a <mac address> -s
+    # List of characteristics
+    run ble.generic.scan -a <mac address> -c
+    ```

-Using bettercap
+* Using [hackgnar/bleah](https://github.com/hackgnar/bleah)
+    ```powershell
+    sudo bleah -b $MAC -e
+    ```

-```powershell
-sudo bettercap -eval "net.recon off; events.stream off; ble.recon on"
-ble.show
-ble.enum 04:52:de:ad:be:ef
-```
-
-Using expliot
-
-```powershell
-# List of Services
-run ble.generic.scan -a <mac address> -s
-# List of characteristics
-run ble.generic.scan -a <mac address> -c
-```
-
-Using gatttool, we can enumerate the services and their characteristics, use `sudo gatttool -b $MAC -I` to have an interactive gatttool shell:
+Using [bluez/gatttool](https://manpages.debian.org/unstable/bluez/gatttool.1.en.html), we can enumerate the services and their characteristics, use `sudo gatttool -b $MAC -I` to have an interactive gatttool shell:

 * Services: They are set of provided features and associated behaviors to interact with the peripheral. Each service contains a collection of characteristics.
 * Characteristics: Characteristics are defined attribute types that contain a single logical value
@ -83,7 +70,8 @@ handle = 0x0002, char properties = 0x20, char value handle = 0x0003, uuid = 0000
 handle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a00-0000-1000-8000-00805f9b34fb
 ```

-### Read BLE data
+
+## BLE - Read data

 Read data with gatttool

@ -103,47 +91,50 @@ Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73
 $ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
 ```

-### Read BLE notification/indication
+## BLE - Read notification/indication

 ```powershell
 $ gatttool -b $MAC -a 0x0040 --char-write-req --value=0100 --listen
 $ gatttool -b $MAC -a 0x0044 --char-write-req --value=0200 --listen
 ```

-### Write BLE data

-Write data with bettercap
+## BLE - Write data

-```powershell
-ble.recon on
-ble.write 04:52:de:ad:be:ef 234bfbd5e3b34536a3fe723620d4b78d ffffffffffffffff
-```
+* Using [bettercap/bettercap](https://github.com/bettercap/bettercap)
+    ```powershell
+    ble.recon on
+    ble.write 04:52:de:ad:be:ef 234bfbd5e3b34536a3fe723620d4b78d ffffffffffffffff
+    ```

-Write data with gatttool
+* Using [bluez/gatttool](#)
+    ```powershell
+    $ gatttool -b $MAC --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)

-```powershell
-$ gatttool -b $MAC --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
+    # With char-write, we perform a Write Command and don't expect a response from the server
+    # With char-write-req, we perform a Write Request and expect a response from the server
+    $ gatttool -b $MAC -a 0x0050 --char-write-req --value=$(echo -n 'hello' | xxd -p)

-# With char-write, we perform a Write Command and don't expect a response from the server
-# With char-write-req, we perform a Write Request and expect a response from the server
-$ gatttool -b $MAC -a 0x0050 --char-write-req --value=$(echo -n 'hello' | xxd -p)
+    # inside gatttool shell
+    [00:1A:7D:DA:71:06][LE]> char-write-req 0x000c 476f6f64205061646177616e21212121
+    [00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
+    Characteristic value/descriptor: 43 6f 6e [...] 2e
+    ```

-# inside gatttool shell
-[00:1A:7D:DA:71:06][LE]> char-write-req 0x000c 476f6f64205061646177616e21212121
-[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
-Characteristic value/descriptor: 43 6f 6e [...] 2e
-```

-### Change Bluetooth MAC
+## Bluetooth MAC
+
+Change the Bluetooth MAC address

 ```powershell
 $ bdaddr -r 11:22:33:44:55:66
 $ gatttool -I -b E8:77:6D:8B:09:96 -t random
 ```

-### Sniff Bluetooth communication

-#### Using Ubertooth
+## Sniff Bluetooth communication
+
+### Using Ubertooth

 :warning: You need 3 ubertooth.

@ -153,16 +144,28 @@ ubertooth-btle -U 1 -A 38 -f  -c bulb_38.pcap
 ubertooth-btle -U 2 -A 39 -f  -c bulb_39.pcap
 ```

-#### Using Micro::Bit
+### Using Micro::Bit

-* https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf
+* [WEAPONIZING THE BBC MICRO:BIT - DAMIEN CAUQUIL / VIRTUALABS - DEF CON 25 - JULY 28, 2017](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf)

-#### Using Android HCI
+
+### Using Android HCI

 Enable the Bluetooth HCI log on the device via Developer Options—also from the SDK, there is a helpful tool called the **Bluetooth HCI snoop log** (available after version 4.4)

-> It works like a hook in the stack to capture all the HCI packets in a file. For most Android devices, the log file is at /sdcard/btsnoop\_hci.log or /sdcard/oem\_log/btsnoop/
+> It works like a hook in the stack to capture all the HCI packets in a file. For most Android devices, the log file is at `/sdcard/btsnoop_hci.log` or `/sdcard/oem_log/btsnoop/`

 ```powershell
 $ adb pull /sdcard/oem_log/btsnoop/<your log file>.log
 ```
+
+
+## Challenges
+
+* [BLE HackMe](https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android), 
+
+
+## References
+
+* [A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020](https://www.smartlockpicking.com/slides/HITB_Cyberweek_2020_A_Practical_Introduction_To_BLE_Security.pdf)
+* [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero)
--- a/docs/protocols/zigbee.md
+++ b/docs/protocols/zigbee.md
@ -8,7 +8,7 @@
 * [riverloopsec/killerbee](https://github.com/riverloopsec/killerbee) - IEEE 802.15.4/ZigBee Security Research Toolkit


-## ZigBee Default Trust Center Link Key
+## Default Trust Center Link Key

 Zigbee includes several layers of security, including AES-128 encryption, to ensure that data is transmitted securely across the network.

@ -22,6 +22,7 @@ You can use it in Wireshark: Edit > Preferences > Protocols > Zigbee NWK, then "

 Example: [CVE-2020-28952 - Athom Homey Static and Well-known Keys](https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952)

+
 ## References

 * [AN1233: Zigbee Security - Silabs](https://www.silabs.com/documents/public/application-notes/an1233-zigbee-security.pdf)