diff --git a/docs/assets/memory-programmer-rt809h.jpg b/docs/assets/memory-programmer-rt809h.jpg new file mode 100755 index 0000000..c713021 Binary files /dev/null and b/docs/assets/memory-programmer-rt809h.jpg differ diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md index 1a50267..048add8 100644 --- a/docs/debug-interfaces/uart.md +++ b/docs/debug-interfaces/uart.md @@ -149,13 +149,16 @@ Under Ubuntu or Debian, a non-root user cannot have access to serial ports such ### Detect the baud rate #### Most common baud rate + The most common baud rates for UART are `9600`, `19200`, `38400`, `57600` and `115200`. A table of other used but less common baud rates can be found here: [Here](https://lucidar.me/en/serialib/most-used-baud-rates-table/) #### Autodetect the baud rate using a script -Link: [baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py) + +* [devttys0/baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py) + ```bash # Download the script wget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py @@ -180,7 +183,7 @@ It is possible to get baudrate using the duration of a bit periode, using PulseV 124953.14257153569 ``` -The closest common baudrate is : 115200. COnfigure the decoder and you should see ascii chars : +The closest common baudrate is : 115200. Configure the decoder and you should see ascii chars : ![U-Boot string](../assets/UART_uboot_str.png) 
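Review bot: the wording in this hunk is still inconsistent after the `COnfigure` fix: the changed line reads `The closest common baudrate is : 115200.` with a spaced colon, while the unchanged context a few lines up uses `bit periode` (should be `period`) and `can be found here: [Here](...)` duplicates the word. Since this paragraph is already being touched, suggest `The closest common baud rate is 115200. Configure the decoder and you should see ASCII chars:` and pick one spelling (`baud rate` or `baudrate`) for the whole section; the heading `#### Most common baud rate` uses the two-word form.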
@@ -234,6 +237,7 @@ It’s an emulation of serial port over BLE. The UUID of the Nordic UART Service * **TX Characteristic (UUID: 6E400003-B5A3-F393-E0A9-E50E24DCCA9E)** : * If the peer has enabled notifications for the TX Characteristic, the application can send data to the peer as notifications. The application will transmit all data received over UART as notifications. + ### Examples * [nRF UART 2.0 - Nordic Semiconductor ASA](https://play.google.com/store/apps/details?id=com.nordicsemi.nrfUARTv2) * [UART/Serial Port Emulation over BLE](https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v14.0.0%2Fble_sdk_app_nus_eval.html) diff --git a/docs/enumeration/chip-identification.md b/docs/enumeration/chip-identification.md new file mode 100644 index 0000000..d794fdc --- /dev/null +++ b/docs/enumeration/chip-identification.md @@ -0,0 +1,11 @@ +# Chip identification + +* Google dork: `filetype:pdf ` +* https://datasheetspdf.com +* https://www.alldatasheet.com +* https://www.datasheets360.com + + +## EM/RF shield + +Electromagnetic/Radio Frequency Shield should be removed to see what it is hidding. \ No newline at end of file diff --git a/docs/firmware/firmware-dumping.md b/docs/firmware/firmware-dumping.md index 2b3be2e..ebaf8d4 100644 --- a/docs/firmware/firmware-dumping.md +++ b/docs/firmware/firmware-dumping.md 
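Review bot: in the new `docs/enumeration/chip-identification.md`, the first bullet `Google dork: `filetype:pdf `` ends after `filetype:pdf` with nothing to search for; it should show that the part number printed on the package goes there (e.g. `filetype:pdf W25Q64`, a placeholder the reader replaces). Also `hidding` should be `hiding`, and the file is committed without a trailing newline (`\ No newline at end of file`), which most linters flag.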
@@ -146,7 +146,32 @@ Inspect the assembly with `avr-objdump -m avr -D chest.hex`.\ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin` -## Explore firmware +## Explore Filesystem + + +### Common Filesystem + +* **SquashFS** : It is a compressed read-only filesystem commonly used in Linux-based Firmware. It provides a good flexibility because it supports creating writable overlay filesystems, allowing changes to be made to the filesystem at runtime. +* **CramFS** (Compressed ROM Filesystem) : Simple read-only filesystem, that supports compression. +* **ROMFS** (Read-Only Memory Filedystem) : Simple filesystem that is strictly read-only, and do not provide compression support. +* **YAFFS/YAFFS2** (Yet Another Flash Filesystem) : This filesystem is specifically designed for NAND Flash memory. In particular, it incorporates ECC management for ensuring data integrity. Filesystem integrity is also maintained by storing metadata redundantly. +* **JFFS/JFFS2** (Journalized Flash Filesystem) : This filesystem is also designed for NAND Flash memory. JFFS utilizes a journaling mechanism to track changes to the filesystem, ensuring data consistency and integrity even in the event of sudden power loss or system crashes. It also supports ECC. +* **UBIFS** (Unsorted Block Image Filesystem) : UBIFS is a successor to JFFS2 and is optimized for NAND flash memory. It offers improved performance, reliability, and scalability, with features such as compression, encryption, and fast mounting. UBIFS supports multiple partitions. 
+ + +| Filesystem | RO/RW | Magic | Tool | +| ---------- | --- | ----------------------- | ------------ | +| SquashFS | RO | sqsh, hsqs, qshs, sqsl | unsquashfs, 7zip | +| JFFS(2) | RW | 0x07C0 (v1), 0x72b6(v2) | jefferson | +| YAFFS(2) | RW | 0x5941ff53 | unyaffs | +| CramFS | RO | 0x28cd3d45 | uncramfs, 7zip | +| UBIFS | RW | 0x06101831 | ubi_reader | +| RomFS | RO | 0x7275 | / | +| CPIO | RO | "070707" | cpio, 7zip | + + + +### Tools * [unix/strings](#) ```ps1 @@ -175,17 +200,17 @@ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off 3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions ``` -* [squashfs-tools/unsquashfs](#) - ```powershell - sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs - ``` - * [onekey-sec/unblob](https://github.com/onekey-sec/unblob) ```ps1 docker run --rm --pull always -v /path/to/extract-dir/on/host:/data/output -v /path/to/files/on/host:/data/input ghcr.io/onekey-sec/unblob:latest /data/input/path/to/file docker run --rm --pull always ghcr.io/onekey-sec/unblob:latest --help ``` +* [squashfs-tools/unsquashfs](https://github.com/plougher/squashfs-tools) + ```powershell + sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs + ``` + * [onekey-sec/jefferson](https://github.com/onekey-sec/jefferson/) - JFFS2 filesystem extraction tool ```ps1 pip install jefferson 
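Review bot: renaming `## Explore firmware` to `## Explore Filesystem` changes the generated anchor (`#explore-firmware`), so any existing links to that section break; keep the old heading or check the rest of `docs/` for references. In the new list: `Filedystem` should be `Filesystem`, `and do not provide` should be `and does not provide`, JFFS expands to "Journalling Flash File System" rather than "Journalized", and UBIFS is the "UBI File System" where UBI stands for "Unsorted Block Images" (the "multiple partitions" it supports are UBI volumes). In the magic table, JFFS2 nodes start with the magic bitmask `0x1985`, so the `0x72b6 (v2)` entry needs checking; RomFS's superblock begins with the 8-byte string `-rom1fs-`, of which `0x7275` is only the first two bytes; and `070707` is only the old portable ASCII cpio header, the common `newc` format starts with `070701`.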
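Review bot: the relocated `squashfs-tools/unsquashfs` block keeps a ` ```powershell ` fence while every neighbouring block in this list uses ` ```ps1 `; make them consistent. The `sudo` in `sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs` is only needed because of the target directory; extracting to a user-writable path avoids running the extractor as root on untrusted input.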
@@ -193,6 +218,21 @@ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off jefferson file.jffs2 -d jffs2 ``` +* [whataday/unyaffs](https://github.com/whataday/unyaffs) - YAFFS2 filesystem extraction tool + ```ps1 + unyaffs [-l ] [-t] [-v] [-V] [] + -l set flash memory layout + layout=0: detect chunk and spare size (default) + layout=1: 2K chunk, 64 byte spare size + layout=2: 4K chunk, 128 byte spare size + layout=3: 8K chunk, 256 byte spare size + layout=4: 16K chunk, 512 byte spare size + -t list image contents + -v verbose output + -V print version + ``` + + ## Write new firmware * Repack firmware diff --git a/docs/gadgets/memory-programmer.md b/docs/gadgets/memory-programmer.md new file mode 100644 index 0000000..5bc2468 --- /dev/null +++ b/docs/gadgets/memory-programmer.md @@ -0,0 +1,6 @@ +# Memory Programmer + + +![RT809H](../assets/memory-programmer-rt809h.jpg) + +RT809H with multiple adapters/sockets for eMMC/NAND Flash \ No newline at end of file diff --git a/docs/other/electronic-components.md b/docs/other/electronic-components.md new file mode 100644 index 0000000..0fff555 --- /dev/null +++ b/docs/other/electronic-components.md @@ -0,0 +1,19 @@ +# Electronic Components + +## Resistors + +## Capacitors + +## Transistors + +## Inductors + + +## Integrated Circuit (IC) microchip + +### Microcontroller Unit (MCU) + +### System-on-Chip (SoC) + +### Trusted Platform Module (TPM) + diff --git a/docs/protocols/spi.md b/docs/protocols/spi.md index c3ffe45..61c982b 100644 --- a/docs/protocols/spi.md +++ b/docs/protocols/spi.md @@ -30,7 +30,7 @@ SPI mainly involves four lines or wires: ## Dump Firmware via SPI -Dump using a Raspberry Pi +### Dump using a Raspberry Pi ```powershell sudo raspi-confi > Interface > SPI(P4) 
@@ -49,12 +49,22 @@ An ESP8266 and ESP32 have several SPI busses available in hardware, SPI0 is hook $ python ./esptool.py read_flash --spi-connection HSPI 0 0x400000 flash_dump.bin ``` -Dump with HydraBus +### Dump with HydraBus ```ps1 flashrom --programmer serprog:dev=/dev/ttyACM0,spispeed=2M -c "MX25L12833F" --progress -r /tmp/image.bin ``` +### Dump with BusPirate + +```ps1 +flashrom -p buspirate_spi:dev=/dev/ttyUSB0 +flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V + +flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V -r firmware.bin +``` + + ## SPIFFS diff --git a/overrides/main.html b/overrides/main.html index e34e021..0637782 100644 --- a/overrides/main.html +++ b/overrides/main.html @@ -14,6 +14,7 @@
+ {% endblock %}
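Review bot: in the `@@ -193,6 +218,21 @@` hunk of `firmware-dumping.md`, the usage line `unyaffs [-l ] [-t] [-v] [-V] []` is missing the argument names after `-l` and inside the final brackets (the `layout` value and the image path), so as rendered it does not say what the two positional parts are; restore the placeholders, e.g. `unyaffs [-l layout] [-t] [-v] [-V] image.yaffs2`.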
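Review bot: `docs/assets/memory-programmer-rt809h.jpg` is added with mode `100755`; an image should not carry the executable bit, use `100644`. The new `docs/gadgets/memory-programmer.md` also lacks a trailing newline and its only text, `RT809H with multiple adapters/sockets for eMMC/NAND Flash`, reads as a caption; consider making it the image alt text or a proper sentence so the page has some body.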
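Review bot: `docs/other/electronic-components.md` consists only of empty headings (Resistors, Capacitors, Transistors, Inductors, MCU, SoC, TPM) with no body text; either add at least a sentence per section before merging or keep the page out of the navigation until it has content, otherwise readers land on a blank page.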
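Review bot: the `@@ -30,7 +30,7 @@` hunk in `spi.md` promotes `Dump using a Raspberry Pi` to a `###` heading but leaves the context line `sudo raspi-confi > Interface > SPI(P4)` untouched; the tool is `raspi-config`, so fix the typo while this block is being edited.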
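Review bot: the new `### Dump with BusPirate` block lists three `flashrom` commands with no explanation of why there are three: the first (`-p buspirate_spi:dev=/dev/ttyUSB0` alone) only probes for a supported chip, the second adds `-c W25Q64.V` to name the chip, and only the third actually reads with `-r firmware.bin`. Add a short comment per line, and consider showing `-v firmware.bin` afterwards (or reading twice and comparing) so the reader checks the dump before trusting it; note also that this is a Linux command line but the fence is tagged ` ```ps1 `, matching the page but misleading for syntax highlighting.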
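Review bot: the `overrides/main.html` hunk adds a lone `{% endblock %}` but none of its six context lines are visible here, so it is not possible to confirm which `{% block ... %}` it closes; please confirm the template still has balanced block tags (Jinja will fail to render with an unmatched `endblock`) and that the leading space before `{%` is intentional.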