ESP32 Firmwares + BLE + Zigbee

pull/24/head
Swissky 2024-02-19 15:19:54 +01:00
parent b118b6412d
commit c93ee39b5c
8 changed files with 80 additions and 17 deletions


@ -30,3 +30,4 @@ sudo flashrom -p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name) -r (
* [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg) * [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg)
* [Bus Pirate 5 REV 10 Hardware](https://hardware.buspirate.com/) * [Bus Pirate 5 REV 10 Hardware](https://hardware.buspirate.com/)
* [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/) * [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/)
* [Hardware Hacking: Plunder With a Bus Pirate - Brian Berg - February 15, 2024](https://trustedsec.com/blog/hardware-hacking-plunder-with-a-bus-pirate)
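Review bot: the new entry dates itself as "February 15, 2024" while the neighbouring entries use "4 juin 2018" and "19 December 2018"; pick one date format and one language for this list so it sorts and reads consistently.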


@ -1,15 +1,30 @@
# ESP32 # ESP32
![ESP32](../assets/esp32-pinout.png)
## Tools ## Tools
* [espressif/esptool](https://github.com/espressif/esptool) - Espressif SoC serial bootloader utility * [espressif/esptool](https://github.com/espressif/esptool) - Espressif SoC serial bootloader utility
* [jmswrnr/esp32knife](https://github.com/jmswrnr/esp32knife) - Tools for ESP32 firmware dissection * [jmswrnr/esp32knife](https://github.com/jmswrnr/esp32knife) - Tools for ESP32 firmware dissection
* [scientifichackers/ampy](https://github.com/scientifichackers/ampy) - Utility to interact with a MicroPython board over a serial connection
* [ESPWebTool](https://esp.huhn.me/) - Flash your ESP32 or ESP8266 through your browser.
## Flashing ## Flashing
The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa 32-bit little-endian` in Ghidra. The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa 32-bit little-endian` in Ghidra.
* Flash a new firmware with `espressif/esptool`
```ps1
esptool.py -p /dev/ttyUSB0 -b 460800 --before default_reset --after hard_reset --chip esp32 write_flash --flash_mode dio --flash_size 2MB --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0x8000 build/partition_table/partition-table.bin 0x10000 build/ble_ctf.bin
esptool.py -p /dev/ttyS5 -b 115200 --after hard_reset write_flash --flash_mode dio --flash_freq 40m --flash_size detect 0x8000 build/partition_table/partition-table.bin 0x1000 build/bootloader/bootloader.bin 0x10000 build/esp32-wifi-penetration-tool.bin
```
* Flash a new firmware with `scientifichackers/ampy` (MicroPython)
```ps1
ampy --port /dev/ttyUSB0 put bla.py
```
* Dump the flash * Dump the flash
```ps1 ```ps1
esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin
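Review bot: the `ps1` fence tag on the three new blocks does not match their content: they are Linux serial invocations (`/dev/ttyUSB0`, `/dev/ttyS5`) and the rest of this file tags shell blocks as `powershell`, so use one tag consistently (`bash` is the honest one for these). The two `write_flash` lines also disagree silently: the first pins `--flash_size 2MB`, the second uses `--flash_size detect`; a sentence explaining that `detect` queries the chip and that a mismatched fixed size is a common cause of a board that flashes cleanly but does not boot would help readers with other modules. Smaller points: `ampy --port /dev/ttyUSB0 put bla.py` uses a placeholder name without saying it must be an existing MicroPython script, and `build/ble_ctf.bin` is flashed with no pointer to the hackgnar/ble_ctf project it belongs to (which the Bluetooth file in this same commit links under Challenges).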
@ -27,7 +42,9 @@ The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa
esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed
``` ```
## References ## References
* [ESP32-reversing - BlackVS](https://github.com/BlackVS/ESP32-reversing) * [ESP32-reversing - BlackVS](https://github.com/BlackVS/ESP32-reversing)
* [ESP32 Wi-Fi Penetration Tool - GitHub - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://github.com/risinek/esp32-wifi-penetration-tool)
* [ESP32 Wi-Fi Penetration Tool - Documentation - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://risinek.github.io/esp32-wifi-penetration-tool/)
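Review bot: the two new entries point at the same project (risinek/esp32-wifi-penetration-tool) with an identical description; one entry linking both the repository and its documentation page would read cleaner, and the description should mention that this is the source of the `esp32-wifi-penetration-tool.bin` image flashed in the Flashing section above.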


@ -7,8 +7,8 @@
* [Flipper Zero Firmware](https://github.com/flipperdevices/flipperzero-firmware) * [Flipper Zero Firmware](https://github.com/flipperdevices/flipperzero-firmware)
* [Flipper Zero Unleashed Firmware](https://github.com/Eng1n33r/flipperzero-firmware) * [Flipper Zero Unleashed Firmware](https://github.com/Eng1n33r/flipperzero-firmware)
* [Flipper Zero FW RogueMaster](https://github.com/RogueMaster/flipperzero-firmware-wPlugins) * [Flipper Zero FW RogueMaster](https://github.com/RogueMaster/flipperzero-firmware-wPlugins)
* [Flipper Zero Xtreme-Firmware](https://github.com/Flipper-XFW/Xtreme-Firmware)
* [Awesome FlipperZero](https://github.com/djsime1/awesome-flipperzero)
### Firmware Update - PC ### Firmware Update - PC
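Review bot: `Awesome FlipperZero` is a resource list, not a firmware, so it sits oddly in this firmware list, and the same URL is added again under References later in this file; keep it in References only. `Flipper Zero Xtreme-Firmware` does belong here.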
@ -27,6 +27,11 @@
* [RogueMaster/flipperzero-firmware-wPlugins - Web Update](https://lab.flipper.net/?url=https%3A%2F%2Frogue-master.net%2F%3Ffile%3DRM0322-1504-0.79.2-22158b0.tgz&channel=RM0322-1504-0.79.2-22158b0&version=0.79.2) * [RogueMaster/flipperzero-firmware-wPlugins - Web Update](https://lab.flipper.net/?url=https%3A%2F%2Frogue-master.net%2F%3Ffile%3DRM0322-1504-0.79.2-22158b0.tgz&channel=RM0322-1504-0.79.2-22158b0&version=0.79.2)
## GPIO
![GPIO Flipper](../assets/flipper-gpio.png)
## Videos ## Videos
* [Flipper Zero: Want some good news? - Penthertz](https://www.youtube.com/watch?v=tB0eYatvu0k) * [Flipper Zero: Want some good news? - Penthertz](https://www.youtube.com/watch?v=tB0eYatvu0k)
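Review bot: the new GPIO section is an image with no text; one sentence stating what the pinout image shows and which side of the device the header is on would keep the section usable (and searchable) when the image does not load.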
@ -44,3 +49,4 @@
## References ## References
* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c) * [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c)
* [djsime1/Awesome FlipperZero - 🐬 A collection of awesome resources for the Flipper Zero device](https://github.com/djsime1/awesome-flipperzero)


@ -1,20 +1,34 @@
# Bluetooth # Bluetooth
## Tools
* [bettercap/bettercap](https://github.com/bettercap/bettercap)
* [expliot_framework/expliot](https://expliot.readthedocs.io/en/latest/index.html)
* [hackgnar/bleah](https://github.com/hackgnar/bleah)
* [bluez/gatttool](https://manpages.debian.org/unstable/bluez/gatttool.1.en.html)
* [securing/gattacker](https://github.com/securing/gattacker)
## Bluetooth configuration ## Bluetooth configuration
Configuration for Kali Linux Requirements and configuration for Kali Linux.
```powershell ```powershell
$ sudo apt-get install bluetooth blueman bluez $ sudo apt-get install bluetooth blueman bluez
$ sudo systemctl start bluetooth $ sudo systemctl start bluetooth
$ sudo hciconfig hci0 up $ sudo hciconfig hci0 up
```
Enumerate Bluetooth devices
```powershell
$ sudo hcitool lescan $ sudo hcitool lescan
00:1A:7D:DA:71:06 Ph0wn Beacon 00:1A:7D:DA:71:06 Ph0wn Beacon
25:55:84:20:73:70 (unknown) 25:55:84:20:73:70 (unknown)
``` ```
`apt` doesn't have a recent version of bluez, recompile it with the following lines. > [!CAUTION]
> `apt` doesn't have a recent version of bluez, recompile it with the following lines.
```powershell ```powershell
wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz
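Review bot: the new CAUTION callout contradicts the commands it introduces: it says `apt` lacks a recent bluez, yet the block fetches bluez-5.18, which is older than any current distro package; judging from the `sudo cp attrib/gatttool /usr/local/bin/` line in the next hunk, the reason to build from source is to obtain `gatttool`, which upstream marks deprecated and which not every packaged build includes, so the callout should say that. Two smaller points: `hciconfig` and `hcitool` are themselves deprecated in BlueZ and `bluetoothctl` (`scan le`) is the supported way to enumerate devices on a current Kali, worth a mention next to the new "Enumerate Bluetooth devices" step; and the `$ ` prompts inside `powershell`-tagged fences defeat copy-paste of Linux commands, as elsewhere in this file.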
@ -26,6 +40,7 @@ make -j8 && sudo make install
sudo cp attrib/gatttool /usr/local/bin/ sudo cp attrib/gatttool /usr/local/bin/
``` ```
## BLE - Enumerate services and characteristics ## BLE - Enumerate services and characteristics
> BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server. > BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server.
@ -78,19 +93,29 @@ Read data with gatttool
```powershell ```powershell
$ sudo gatttool -b $MAC -I $ sudo gatttool -b $MAC -I
[00:1A:7D:DA:71:06][LE]> connect [00:1A:7D:DA:71:06][LE]> connect
```
# list characteristics * List characteristics
[00:1A:7D:DA:71:06][LE]> characteristics
handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469
# read characteristic at char handle ```powershell
[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c [00:1A:7D:DA:71:06][LE]> characteristics
Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31 handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469
```
# one liner * Read characteristic at char handle
```powershell
[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31
```
One liner to read a characteristic
```powershell
$ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n' $ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
``` ```
## BLE - Read notification/indication ## BLE - Read notification/indication
```powershell ```powershell
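Review bot: splitting the interactive session into three fences loses the fact that `characteristics` and `char-read-hnd` run inside the same `gatttool -I` session opened by `connect` in the first block; say so in the bullet text, otherwise the `[00:1A:7D:DA:71:06][LE]>` prompt in the later blocks reads like a separate invocation. The one-liner reads handle `0x002a` while the session reads `0x000c`; note that the handle is device-specific and is taken from the `characteristics` output. The long hex dump is plain ASCII (it decodes to the challenge's instruction text), which is worth stating since the `xxd -r -p` in the one-liner is exactly that decoding.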
@ -144,6 +169,7 @@ ubertooth-btle -U 1 -A 38 -f -c bulb_38.pcap
ubertooth-btle -U 2 -A 39 -f -c bulb_39.pcap ubertooth-btle -U 2 -A 39 -f -c bulb_39.pcap
``` ```
### Using Micro::Bit ### Using Micro::Bit
* [WEAPONIZING THE BBC MICRO:BIT - DAMIEN CAUQUIL / VIRTUALABS - DEF CON 25 - JULY 28, 2017](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf) * [WEAPONIZING THE BBC MICRO:BIT - DAMIEN CAUQUIL / VIRTUALABS - DEF CON 25 - JULY 28, 2017](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf)
@ -163,9 +189,13 @@ $ adb pull /sdcard/oem_log/btsnoop/<your log file>.log
## Challenges ## Challenges
* [BLE HackMe](https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android), * [BLE HackMe](https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android),
* [hackgnar/ble_ctf](https://github.com/hackgnar/ble_ctf) - A Bluetooth low energy capture the flag
## References ## References
* [A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020](https://www.smartlockpicking.com/slides/HITB_Cyberweek_2020_A_Practical_Introduction_To_BLE_Security.pdf) * [A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020](https://www.smartlockpicking.com/slides/HITB_Cyberweek_2020_A_Practical_Introduction_To_BLE_Security.pdf)
* [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero) * [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero)
* [BLE CTF - wiki.elvis.science - Embedded Lab Vienna for IOT & Security](https://wiki.elvis.science/index.php?title=BLE_CTF)
* [BLUETOOTH LOW ENERGY CTF - WRITE UP - ECLECTIC KOALA](https://blog.tclaverie.eu/posts/bluetooth-low-energy-ctf---write-up/)
* [BLECTF, a "Capture The Flag" hardware platform based on Bluetooth Low Energy BLE + Write-Up - Hacker de Cabecera febrero 04, 2020](https://www.hackerdecabecera.com/2020/02/blectf-capture-flag-hardware-platafom.html)


@ -2,10 +2,14 @@
> Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication. > Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication.
Zigbee is an IEEE 802.15.4-based, wireless networking standard, which is basically used for two-way communication between sensors and control systems. Zigbee is a short-range wireless communication standard like Bluetooth and Wi-Fi while covering a range of 10 to 100 meters.
## Tools ## Tools
* [riverloopsec/killerbee](https://github.com/riverloopsec/killerbee) - IEEE 802.15.4/ZigBee Security Research Toolkit * [riverloopsec/killerbee](https://github.com/riverloopsec/killerbee) - IEEE 802.15.4/ZigBee Security Research Toolkit
* [APIMote](https://www.attify-store.com/products/apimote) - The ApiMote is a ZigBee security research hardware intended for researchers, students, utility companies, etc. to use for learning about and evaluating the security of IEEE 802.15.4/ZigBee systems as authorized.
* [Cognosec/SecBee](https://github.com/Cognosec/SecBee) (archived) - SecBee is a ZigBee security testing tool developed by Cognosec to test ZigBee implementations for security issues
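Review bot: the added paragraph largely restates the blockquote directly above it and reads awkwardly ("which is basically used", "like Bluetooth and Wi-Fi while covering a range"); keep only what the quote lacks, namely that Zigbee sits on IEEE 802.15.4 and typically covers 10 to 100 meters, and drop the rest. The APIMote entry copies vendor wording ("etc. to use ... as authorized"); a one-line description of what the board does for the reader (sniffing and injection, and which toolkit it pairs with) would be more useful.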
## Default Trust Center Link Key ## Default Trust Center Link Key
@ -28,3 +32,8 @@ Example: [CVE-2020-28952 - Athom Homey Static and Well-known Keys](https://yougo
* [AN1233: Zigbee Security - Silabs](https://www.silabs.com/documents/public/application-notes/an1233-zigbee-security.pdf) * [AN1233: Zigbee Security - Silabs](https://www.silabs.com/documents/public/application-notes/an1233-zigbee-security.pdf)
* [Zigbee Security 101 (Architecture And Security Issues) - February 11, 2023 - dattatray](https://payatu.com/blog/zigbee-security-101/) * [Zigbee Security 101 (Architecture And Security Issues) - February 11, 2023 - dattatray](https://payatu.com/blog/zigbee-security-101/)
* [Tout, tout, tout vous saurez tout sur le ZigBee / MISC n°86 - July 2016 - Kovacs Nicolas](https://connect.ed-diamond.com/MISC/misc-086/tout-tout-tout-vous-saurez-tout-sur-le-zigbee) * [Tout, tout, tout vous saurez tout sur le ZigBee / MISC n°86 - July 2016 - Kovacs Nicolas](https://connect.ed-diamond.com/MISC/misc-086/tout-tout-tout-vous-saurez-tout-sur-le-zigbee)
* [ZIGBEE SECURITY: BASICS (PART 2) - Vishruta Rudresh - November 8, 2017](https://research.kudelskisecurity.com/2017/11/08/zigbee-security-basics-part-2/)
* [ZIGBEE SECURITY: BASICS (PART 3) - Vishruta Rudresh - November 21, 2017](https://research.kudelskisecurity.com/2017/11/21/zigbee-security-basics-part-3/)
* [Understanding Zigbee and Wireless Mesh Networking - Ray Felch - 27 Aug 2021](https://www.blackhillsinfosec.com/understanding-zigbee-and-wireless-mesh-networking/)
* [ZigBee Penetration Testing: Strengthen Your IoT Security - RF Security - 12/08/2022](https://www.offensive-wireless.com/zigbee-penetration-testing/)
* [pCTF 2011 #32 That's no bluetooth - STALKR - TUESDAY, APRIL 26, 2011](https://blog.stalkr.net/2011/04/pctf-2011-32-thats-no-bluetooth.html)
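Review bot: parts 2 and 3 of the Kudelski "Zigbee Security: Basics" series are added but not part 1; if it exists, link it too. The last entry's title ("That's no bluetooth") does not say it is a Zigbee/802.15.4 CTF writeup; a short description after the title, as the Tools entries have, would help. Title casing is also mixed (all caps copied from the source sites next to Title Case).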