Chip Identification + Firmware FileSystem
parent
e3b3caac12
commit
55212924f1
@ -149,13 +149,16 @@ Under Ubuntu or Debian, a non-root user cannot have access to serial ports such
|
||||||
### Detect the baud rate
|
### Detect the baud rate
|
||||||
|
|
||||||
#### Most common baud rate
|
#### Most common baud rate
|
||||||
|
|
||||||
The most common baud rates for UART are `9600`, `19200`, `38400`, `57600` and `115200`.
|
The most common baud rates for UART are `9600`, `19200`, `38400`, `57600` and `115200`.
|
||||||
|
|
||||||
A table of other used but less common baud rates can be found here: [Here](https://lucidar.me/en/serialib/most-used-baud-rates-table/)
|
A table of other used but less common baud rates can be found here: [Here](https://lucidar.me/en/serialib/most-used-baud-rates-table/)
|
||||||
|
|
||||||
|
|
||||||
#### Autodetect the baud rate using a script
|
#### Autodetect the baud rate using a script
|
||||||
Link: [baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py)
|
|
||||||
|
* [devttys0/baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Download the script
|
# Download the script
|
||||||
wget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py
|
wget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py
|
||||||
|
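Review bot: the new `wget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py` line under "Autodetect the baud rate using a script" fetches an unpinned `master` branch, so the script a reader downloads can change silently between visits; suggest pointing at a specific commit (raw.githubusercontent.com accepts a commit hash in place of `master`) and telling the reader to look over the script before running it against a serial port. The unchanged context line "A table of other used but less common baud rates can be found here: [Here](...)" also repeats "here"; "A table of other, less common baud rates: [lucidar.me](...)" reads better.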
@ -180,7 +183,7 @@ It is possible to get baudrate using the duration of a bit periode, using PulseV
|
||||||
124953.14257153569
|
124953.14257153569
|
||||||
```
|
```
|
||||||
|
|
||||||
The closest common baudrate is : 115200. COnfigure the decoder and you should see ascii chars :
|
The closest common baudrate is : 115200. Configure the decoder and you should see ascii chars :
|
||||||
|
|
||||||
![U-Boot string](../assets/UART_uboot_str.png)
|
![U-Boot string](../assets/UART_uboot_str.png)
|
||||||
|
|
||||||
|
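Review bot: the `COnfigure` to `Configure` fix on the changed line is right, but the same line still has French-style spacing before the colons (`is : 115200`, `chars :`) and a lowercase `ascii`; suggest "The closest common baud rate is 115200. Configure the decoder and you should see ASCII characters:". The hunk header's context line also has `bit periode`, which should be `bit period`.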
@ -234,6 +237,7 @@ It’s an emulation of serial port over BLE. The UUID of the Nordic UART Service
|
||||||
* **TX Characteristic (UUID: 6E400003-B5A3-F393-E0A9-E50E24DCCA9E)** :
|
* **TX Characteristic (UUID: 6E400003-B5A3-F393-E0A9-E50E24DCCA9E)** :
|
||||||
* If the peer has enabled notifications for the TX Characteristic, the application can send data to the peer as notifications. The application will transmit all data received over UART as notifications.
|
* If the peer has enabled notifications for the TX Characteristic, the application can send data to the peer as notifications. The application will transmit all data received over UART as notifications.
|
||||||
|
|
||||||
|
|
||||||
### Examples
|
### Examples
|
||||||
* [nRF UART 2.0 - Nordic Semiconductor ASA](https://play.google.com/store/apps/details?id=com.nordicsemi.nrfUARTv2)
|
* [nRF UART 2.0 - Nordic Semiconductor ASA](https://play.google.com/store/apps/details?id=com.nordicsemi.nrfUARTv2)
|
||||||
* [UART/Serial Port Emulation over BLE](https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v14.0.0%2Fble_sdk_app_nus_eval.html)
|
* [UART/Serial Port Emulation over BLE](https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v14.0.0%2Fble_sdk_app_nus_eval.html)
|
||||||
|
|
|
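Review bot: the `### Examples` list under the Nordic UART Service section gives two bare links with no indication of what each one is; a few words per entry (an Android client app for the UART service, and the SDK example documentation) would help, and since the second URL pins SDK v14.0.0 documentation, the version belongs in the link text so readers know it may not match the SDK they have.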
@ -0,0 +1,11 @@
|
||||||
|
# Chip identification
|
||||||
|
|
||||||
|
* Google dork: `filetype:pdf <reference number>`
|
||||||
|
* https://datasheetspdf.com
|
||||||
|
* https://www.alldatasheet.com
|
||||||
|
* https://www.datasheets360.com
|
||||||
|
|
||||||
|
|
||||||
|
## EM/RF shield
|
||||||
|
|
||||||
|
Electromagnetic/Radio Frequency Shield should be removed to see what it is hidding.
|
|
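Review bot: `hidding` on the last line of the new file should be `hiding`, and the sentence reads better as "The electromagnetic/radio-frequency (EM/RF) shield must be removed to see the components it hides." The `Google dork` bullet should also say what "reference number" means here (the part number printed on the chip package), since that is the search term the three datasheet sites below it expect.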
@ -146,7 +146,32 @@ Inspect the assembly with `avr-objdump -m avr -D chest.hex`.\
|
||||||
Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin`
|
Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin`
|
||||||
|
|
||||||
|
|
||||||
## Explore firmware
|
## Explore Filesystem
|
||||||
|
|
||||||
|
|
||||||
|
### Common Filesystem
|
||||||
|
|
||||||
|
* **SquashFS** : It is a compressed read-only filesystem commonly used in Linux-based Firmware. It provides a good flexibility because it supports creating writable overlay filesystems, allowing changes to be made to the filesystem at runtime.
|
||||||
|
* **CramFS** (Compressed ROM Filesystem) : Simple read-only filesystem, that supports compression.
|
||||||
|
* **ROMFS** (Read-Only Memory Filedystem) : Simple filesystem that is strictly read-only, and do not provide compression support.
|
||||||
|
* **YAFFS/YAFFS2** (Yet Another Flash Filesystem) : This filesystem is specifically designed for NAND Flash memory. In particular, it incorporates ECC management for ensuring data integrity. Filesystem integrity is also maintained by storing metadata redundantly.
|
||||||
|
* **JFFS/JFFS2** (Journalized Flash Filesystem) : This filesystem is also designed for NAND Flash memory. JFFS utilizes a journaling mechanism to track changes to the filesystem, ensuring data consistency and integrity even in the event of sudden power loss or system crashes. It also supports ECC.
|
||||||
|
* **UBIFS** (Unsorted Block Image Filesystem) : UBIFS is a successor to JFFS2 and is optimized for NAND flash memory. It offers improved performance, reliability, and scalability, with features such as compression, encryption, and fast mounting. UBIFS supports multiple partitions.
|
||||||
|
|
||||||
|
|
||||||
|
| Filesystem | RO/RW | Magic | Tool |
|
||||||
|
| ---------- | --- | ----------------------- | ------------ |
|
||||||
|
| SquashFS | RO | sqsh, hsqs, qshs, sqsl | unsquashfs, 7zip |
|
||||||
|
| JFFS(2) | RW | 0x07C0 (v1), 0x72b6(v2) | jefferson |
|
||||||
|
| YAFFS(2) | RW | 0x5941ff53 | unyaffs |
|
||||||
|
| CramFS | RO | 0x28cd3d45 | uncramfs, 7zip |
|
||||||
|
| UBIFS | RW | 0x06101831 | ubi_reader |
|
||||||
|
| RomFS | RO | 0x7275 | / |
|
||||||
|
| CPIO | RO | "070707" | cpio, 7zip |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Tools
|
||||||
|
|
||||||
* [unix/strings](#)
|
* [unix/strings](#)
|
||||||
```ps1
|
```ps1
|
||||||
|
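Review bot: several typos and one questionable magic value in the new "Common Filesystem" section. `Filedystem` in the ROMFS bullet should be `Filesystem` and `do not provide` should be `does not provide`; JFFS expands to "Journalling Flash File System", not "Journalized"; and in the table the `Magic` column mixes ASCII strings (SquashFS, CPIO) with hex integers without stating byte order or offset, while the JFFS(2) entry `0x07C0 (v1), 0x72b6 (v2)` does not match the `0x1985` node magic (`JFFS2_MAGIC_BITMASK`) defined in the kernel's `include/uapi/linux/jffs2.h`, so please re-check it before publishing. The Linux commands under `### Tools` are also fenced as ```ps1; ```bash would highlight them correctly.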
@ -175,17 +200,17 @@ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off
|
||||||
3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions
|
3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions
|
||||||
```
|
```
|
||||||
|
|
||||||
* [squashfs-tools/unsquashfs](#)
|
|
||||||
```powershell
|
|
||||||
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
|
|
||||||
```
|
|
||||||
|
|
||||||
* [onekey-sec/unblob](https://github.com/onekey-sec/unblob)
|
* [onekey-sec/unblob](https://github.com/onekey-sec/unblob)
|
||||||
```ps1
|
```ps1
|
||||||
docker run --rm --pull always -v /path/to/extract-dir/on/host:/data/output -v /path/to/files/on/host:/data/input ghcr.io/onekey-sec/unblob:latest /data/input/path/to/file
|
docker run --rm --pull always -v /path/to/extract-dir/on/host:/data/output -v /path/to/files/on/host:/data/input ghcr.io/onekey-sec/unblob:latest /data/input/path/to/file
|
||||||
docker run --rm --pull always ghcr.io/onekey-sec/unblob:latest --help
|
docker run --rm --pull always ghcr.io/onekey-sec/unblob:latest --help
|
||||||
```
|
```
|
||||||
|
|
||||||
|
* [squashfs-tools/unsquashfs](https://github.com/plougher/squashfs-tools)
|
||||||
|
```powershell
|
||||||
|
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
|
||||||
|
```
|
||||||
|
|
||||||
* [onekey-sec/jefferson](https://github.com/onekey-sec/jefferson/) - JFFS2 filesystem extraction tool
|
* [onekey-sec/jefferson](https://github.com/onekey-sec/jefferson/) - JFFS2 filesystem extraction tool
|
||||||
```ps1
|
```ps1
|
||||||
pip install jefferson
|
pip install jefferson
|
||||||
|
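Review bot: the relocated `unsquashfs` bullet now links the upstream repo, which is good, but `sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs` hard-codes what looks like a personal mount point (`/media/seagate`) and is fenced as ```powershell for a Linux command; suggest a neutral destination such as `-d /tmp/squashfs-root` and a ```bash fence. A short note that `-f` overwrites an existing destination directory would tell the reader why the flag is there.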
@ -193,6 +218,21 @@ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off
|
||||||
jefferson file.jffs2 -d jffs2
|
jefferson file.jffs2 -d jffs2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
* [whataday/unyaffs](https://github.com/whataday/unyaffs) - YAFFS2 filesystem extraction tool
|
||||||
|
```ps1
|
||||||
|
unyaffs [-l <layout>] [-t] [-v] [-V] <image_file_name> [<base dir>]
|
||||||
|
-l <layout> set flash memory layout
|
||||||
|
layout=0: detect chunk and spare size (default)
|
||||||
|
layout=1: 2K chunk, 64 byte spare size
|
||||||
|
layout=2: 4K chunk, 128 byte spare size
|
||||||
|
layout=3: 8K chunk, 256 byte spare size
|
||||||
|
layout=4: 16K chunk, 512 byte spare size
|
||||||
|
-t list image contents
|
||||||
|
-v verbose output
|
||||||
|
-V print version
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Write new firmware
|
## Write new firmware
|
||||||
|
|
||||||
* Repack firmware
|
* Repack firmware
|
||||||
|
|
|
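Review bot: the new `unyaffs` bullet pastes the tool's usage text but, unlike the `jefferson` entry just above it, gives no concrete invocation; suggest adding the two commands a reader actually runs, `unyaffs -t image.yaffs2` to list the contents and `unyaffs image.yaffs2 out/` to extract, and keeping the layout options as a comment. The `## Write new firmware` section below it still contains only the stub `* Repack firmware`; either fill it in or mark it TODO so it is not mistaken for a finished section.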
@ -0,0 +1,6 @@
|
||||||
|
# Memory Programmer
|
||||||
|
|
||||||
|
|
||||||
|
![RT809H](../assets/memory-programmer-rt809h.jpg)
|
||||||
|
|
||||||
|
RT809H with multiple adapters/sockets for eMMC/NAND Flash
|
|
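Review bot: the new "Memory Programmer" page consists only of an image and a caption; one sentence on what the RT809H does in this workflow (reading and writing eMMC/NAND parts in the adapters shown, as an alternative to the in-circuit dumps on the SPI page) would make it usable, and the image path `../assets/memory-programmer-rt809h.jpg` should be confirmed to match the asset actually committed.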
@ -0,0 +1,19 @@
|
||||||
|
# Electronic Components
|
||||||
|
|
||||||
|
## Resistors
|
||||||
|
|
||||||
|
## Capacitors
|
||||||
|
|
||||||
|
## Transistors
|
||||||
|
|
||||||
|
## Inductors
|
||||||
|
|
||||||
|
|
||||||
|
## Integrated Circuit (IC) microchip
|
||||||
|
|
||||||
|
### Microcontroller Unit (MCU)
|
||||||
|
|
||||||
|
### System-on-Chip (SoC)
|
||||||
|
|
||||||
|
### Trusted Platform Module (TPM)
|
||||||
|
|
|
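Review bot: every heading in the new "Electronic Components" file is an empty stub (Resistors, Capacitors, Transistors, Inductors, MCU, SoC, TPM), which renders as a blank page on the site; suggest at least one line per section or a draft marker. The TPM subsection in particular deserves a sentence on why it matters when reviewing a board (it holds keys and measurements the rest of the system relies on), as it is the one security-relevant component in the list.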
@ -30,7 +30,7 @@ SPI mainly involves four lines or wires:
|
||||||
|
|
||||||
## Dump Firmware via SPI
|
## Dump Firmware via SPI
|
||||||
|
|
||||||
Dump using a Raspberry Pi
|
### Dump using a Raspberry Pi
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
sudo raspi-confi > Interface > SPI(P4)
|
sudo raspi-confi > Interface > SPI(P4)
|
||||||
|
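Review bot: promoting "Dump using a Raspberry Pi" to a `###` heading is fine, but the context line `sudo raspi-confi > Interface > SPI(P4)` inside a ```powershell fence has a typo (`raspi-config`) and uses `>` for menu navigation, which in a shell fence reads as output redirection; suggest moving the menu path into prose ("run `sudo raspi-config`, then Interface Options > SPI") or a comment, and keeping the fence for the real commands.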
@ -49,12 +49,22 @@ An ESP8266 and ESP32 have several SPI busses available in hardware, SPI0 is hook
|
||||||
$ python ./esptool.py read_flash --spi-connection HSPI 0 0x400000 flash_dump.bin
|
$ python ./esptool.py read_flash --spi-connection HSPI 0 0x400000 flash_dump.bin
|
||||||
```
|
```
|
||||||
|
|
||||||
Dump with HydraBus
|
### Dump with HydraBus
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
flashrom --programmer serprog:dev=/dev/ttyACM0,spispeed=2M -c "MX25L12833F" --progress -r /tmp/image.bin
|
flashrom --programmer serprog:dev=/dev/ttyACM0,spispeed=2M -c "MX25L12833F" --progress -r /tmp/image.bin
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Dump with BusPirate
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
flashrom -p buspirate_spi:dev=/dev/ttyUSB0
|
||||||
|
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V
|
||||||
|
|
||||||
|
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V -r firmware.bin
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## SPIFFS
|
## SPIFFS
|
||||||
|
|
||||||
|
|
|
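Review bot: the new "Dump with BusPirate" block lists three `flashrom` invocations without saying what each is for; a comment per line (probe for a chip, confirm the detected `W25Q64.V` model, then read with `-r firmware.bin`) would make the sequence clear, and it is fenced as ```ps1 like the HydraBus block above, where ```bash fits the Linux commands. A caveat worth adding to both blocks: a slow or noisy SPI link can return corrupted data, so dump twice and compare checksums before trusting `firmware.bin`.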
@ -14,6 +14,7 @@
|
||||||
</div>
|
</div>
|
||||||
<br>
|
<br>
|
||||||
<script async src="https://static.addtoany.com/menu/page.js"></script>
|
<script async src="https://static.addtoany.com/menu/page.js"></script>
|
||||||
|
<script defer src="https://cloud.umami.is/script.js" data-website-id="49aad71c-7d98-4635-8bd5-b6799c8874f8"></script>
|
||||||
</div>
|
</div>
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
||||||
|
|
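Review bot: a third-party analytics script is introduced without mention in the commit message: the new `<script defer src="https://cloud.umami.is/script.js" data-website-id="...">` line in the base template loads on every page and sends visitor data to an external service, while the message only describes chip identification and filesystem content. Please call the change out in the commit message and the site's privacy note, and consider self-hosting the script so the served copy can be pinned rather than fetched live from a vendor host.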