Chip Identification + Firmware FileSystem

pull/25/head
Swissky 2024-09-06 21:50:21 +02:00
parent e3b3caac12
commit 55212924f1
8 changed files with 101 additions and 10 deletions

Binary file not shown.

After

Width:  |  Height:  |  Size: 204 KiB

View File

@ -149,13 +149,16 @@ Under Ubuntu or Debian, a non-root user cannot have access to serial ports such
### Detect the baud rate
#### Most common baud rate
The most common baud rates for UART are `9600`, `19200`, `38400`, `57600` and `115200`.
A table of other used but less common baud rates can be found here: [Here](https://lucidar.me/en/serialib/most-used-baud-rates-table/)
#### Autodetect the baud rate using a script
Link: [baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py)
* [devttys0/baudrate.py](https://github.com/devttys0/baudrate/blob/master/baudrate.py)
```bash
# Download the script
wget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py
@ -180,7 +183,7 @@ It is possible to get baudrate using the duration of a bit periode, using PulseV
124953.14257153569
```
The closest common baudrate is : 115200. COnfigure the decoder and you should see ascii chars :
The closest common baudrate is : 115200. Configure the decoder and you should see ascii chars :
![U-Boot string](../assets/UART_uboot_str.png)
@ -234,6 +237,7 @@ Its an emulation of serial port over BLE. The UUID of the Nordic UART Service
* **TX Characteristic (UUID: 6E400003-B5A3-F393-E0A9-E50E24DCCA9E)** :
* If the peer has enabled notifications for the TX Characteristic, the application can send data to the peer as notifications. The application will transmit all data received over UART as notifications.
### Examples
* [nRF UART 2.0 - Nordic Semiconductor ASA](https://play.google.com/store/apps/details?id=com.nordicsemi.nrfUARTv2)
* [UART/Serial Port Emulation over BLE](https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v14.0.0%2Fble_sdk_app_nus_eval.html)

View File

@ -0,0 +1,11 @@
# Chip identification
* Google dork: `filetype:pdf <reference number>`
* https://datasheetspdf.com
* https://www.alldatasheet.com
* https://www.datasheets360.com
## EM/RF shield
Electromagnetic/Radio Frequency Shield should be removed to see what it is hidding.

View File

@ -146,7 +146,32 @@ Inspect the assembly with `avr-objdump -m avr -D chest.hex`.\
Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin`
## Explore firmware
## Explore Filesystem
### Common Filesystem
* **SquashFS** : It is a compressed read-only filesystem commonly used in Linux-based Firmware. It provides a good flexibility because it supports creating writable overlay filesystems, allowing changes to be made to the filesystem at runtime.
* **CramFS** (Compressed ROM Filesystem) : Simple read-only filesystem, that supports compression.
* **ROMFS** (Read-Only Memory Filedystem) : Simple filesystem that is strictly read-only, and do not provide compression support.
* **YAFFS/YAFFS2** (Yet Another Flash Filesystem) : This filesystem is specifically designed for NAND Flash memory. In particular, it incorporates ECC management for ensuring data integrity. Filesystem integrity is also maintained by storing metadata redundantly.
* **JFFS/JFFS2** (Journalized Flash Filesystem) : This filesystem is also designed for NAND Flash memory. JFFS utilizes a journaling mechanism to track changes to the filesystem, ensuring data consistency and integrity even in the event of sudden power loss or system crashes. It also supports ECC.
* **UBIFS** (Unsorted Block Image Filesystem) : UBIFS is a successor to JFFS2 and is optimized for NAND flash memory. It offers improved performance, reliability, and scalability, with features such as compression, encryption, and fast mounting. UBIFS supports multiple partitions.
| Filesystem | RO/RW | Magic | Tool |
| ---------- | --- | ----------------------- | ------------ |
| SquashFS | RO | sqsh, hsqs, qshs, sqsl | unsquashfs, 7zip |
| JFFS(2) | RW | 0x07C0 (v1), 0x72b6(v2) | jefferson |
| YAFFS(2) | RW | 0x5941ff53 | unyaffs |
| CramFS | RO | 0x28cd3d45 | uncramfs, 7zip |
| UBIFS | RW | 0x06101831 | ubi_reader |
| RomFS | RO | 0x7275 | / |
| CPIO | RO | "070707" | cpio, 7zip |
### Tools
* [unix/strings](#)
```ps1
@ -175,17 +200,17 @@ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off
3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions
```
* [squashfs-tools/unsquashfs](#)
```powershell
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
```
* [onekey-sec/unblob](https://github.com/onekey-sec/unblob)
```ps1
docker run --rm --pull always -v /path/to/extract-dir/on/host:/data/output -v /path/to/files/on/host:/data/input ghcr.io/onekey-sec/unblob:latest /data/input/path/to/file
docker run --rm --pull always ghcr.io/onekey-sec/unblob:latest --help
```
* [squashfs-tools/unsquashfs](https://github.com/plougher/squashfs-tools)
```powershell
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
```
* [onekey-sec/jefferson](https://github.com/onekey-sec/jefferson/) - JFFS2 filesystem extraction tool
```ps1
pip install jefferson
@ -193,6 +218,21 @@ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off
jefferson file.jffs2 -d jffs2
```
* [whataday/unyaffs](https://github.com/whataday/unyaffs) - YAFFS2 filesystem extraction tool
```ps1
unyaffs [-l <layout>] [-t] [-v] [-V] <image_file_name> [<base dir>]
-l <layout> set flash memory layout
layout=0: detect chunk and spare size (default)
layout=1: 2K chunk, 64 byte spare size
layout=2: 4K chunk, 128 byte spare size
layout=3: 8K chunk, 256 byte spare size
layout=4: 16K chunk, 512 byte spare size
-t list image contents
-v verbose output
-V print version
```
## Write new firmware
* Repack firmware

View File

@ -0,0 +1,6 @@
# Memory Programmer
![RT809H](../assets/memory-programmer-rt809h.jpg)
RT809H with multiple adapters/sockets for eMMC/NAND Flash

View File

@ -0,0 +1,19 @@
# Electronic Components
## Resistors
## Capacitors
## Transistors
## Inductors
## Integrated Circuit (IC) microchip
### Microcontroller Unit (MCU)
### System-on-Chip (SoC)
### Trusted Platform Module (TPM)

View File

@ -30,7 +30,7 @@ SPI mainly involves four lines or wires:
## Dump Firmware via SPI
Dump using a Raspberry Pi
### Dump using a Raspberry Pi
```powershell
sudo raspi-confi > Interface > SPI(P4)
@ -49,12 +49,22 @@ An ESP8266 and ESP32 have several SPI busses available in hardware, SPI0 is hook
$ python ./esptool.py read_flash --spi-connection HSPI 0 0x400000 flash_dump.bin
```
Dump with HydraBus
### Dump with HydraBus
```ps1
flashrom --programmer serprog:dev=/dev/ttyACM0,spispeed=2M -c "MX25L12833F" --progress -r /tmp/image.bin
```
### Dump with BusPirate
```ps1
flashrom -p buspirate_spi:dev=/dev/ttyUSB0
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V -r firmware.bin
```
## SPIFFS

View File

@ -14,6 +14,7 @@
</div>
<br>
<script async src="https://static.addtoany.com/menu/page.js"></script>
<script defer src="https://cloud.umami.is/script.js" data-website-id="49aad71c-7d98-4635-8bd5-b6799c8874f8"></script>
</div>
{% endblock %}