ESP32 Firmwares + BLE + Zigbee
parent
b118b6412d
commit
c93ee39b5c
Before Width: | Height: | Size: 812 KiB After Width: | Height: | Size: 812 KiB |
After Width: | Height: | Size: 45 KiB |
After Width: | Height: | Size: 152 KiB |
|
@ -30,3 +30,4 @@ sudo flashrom -p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name) -r (
|
|||
* [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg)
|
||||
* [Bus Pirate 5 REV 10 Hardware](https://hardware.buspirate.com/)
|
||||
* [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/)
|
||||
* [Hardware Hacking: Plunder With a Bus Pirate - Brian Berg - February 15, 2024](https://trustedsec.com/blog/hardware-hacking-plunder-with-a-bus-pirate)
|
|
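Review bot: the date in the YouTube entry (`4 juin 2018`) is French while every other entry in the list uses English dates; write it `4 June 2018`, and since the new TrustedSec entry uses `February 15, 2024` next to `19 December 2018`, settle on one date format for the whole list.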
@ -1,15 +1,30 @@
|
|||
# ESP32
|
||||
|
||||
![ESP32](../assets/esp32-pinout.png)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [espressif/esptool](https://github.com/espressif/esptool) - Espressif SoC serial bootloader utility
|
||||
* [jmswrnr/esp32knife](https://github.com/jmswrnr/esp32knife) - Tools for ESP32 firmware dissection
|
||||
|
||||
* [scientifichackers/ampy](https://github.com/scientifichackers/ampy) - Utility to interact with a MicroPython board over a serial connection
|
||||
* [ESPWebTool](https://esp.huhn.me/) - Flash your ESP32 or ESP8266 through your browser.
|
||||
|
||||
## Flashing
|
||||
|
||||
The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa 32-bit little-endian` in Ghidra.
|
||||
|
||||
* Flash a new firmware with `espressif/esptool`
|
||||
```ps1
|
||||
esptool.py -p /dev/ttyUSB0 -b 460800 --before default_reset --after hard_reset --chip esp32 write_flash --flash_mode dio --flash_size 2MB --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0x8000 build/partition_table/partition-table.bin 0x10000 build/ble_ctf.bin
|
||||
esptool.py -p /dev/ttyS5 -b 115200 --after hard_reset write_flash --flash_mode dio --flash_freq 40m --flash_size detect 0x8000 build/partition_table/partition-table.bin 0x1000 build/bootloader/bootloader.bin 0x10000 build/esp32-wifi-penetration-tool.bin
|
||||
```
|
||||
|
||||
* Flash a new firmware with `scientifichackers/ampy` (MicroPython)
|
||||
```ps1
|
||||
ampy --port /dev/ttyUSB0 put bla.py
|
||||
```
|
||||
|
||||
* Dump the flash
|
||||
```ps1
|
||||
esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin
|
||||
|
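Review bot: the Ghidra hint in `The ESP32 microprocessor uses the Xtensa instruction set` only holds for the Xtensa-based parts (ESP32, ESP32-S2, ESP32-S3); the ESP32-C3/C6/H2 family is RISC-V, so the line should state which chips it applies to. Two smaller points in the same hunk: the fences are tagged `ps1` although every command targets `/dev/ttyUSB0` or `/dev/ttyS5` from a POSIX shell, so tag them `bash`; and `ampy --port /dev/ttyUSB0 put bla.py` copies a script onto the MicroPython filesystem rather than flashing firmware, so the bullet should read `Upload a script with scientifichackers/ampy (MicroPython)` (the MicroPython firmware itself is still written with esptool, as in the block above).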
@ -27,7 +42,9 @@ The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa
|
|||
esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [ESP32-reversing - BlackVS](https://github.com/BlackVS/ESP32-reversing)
|
||||
|
||||
* [ESP32 Wi-Fi Penetration Tool - GitHub - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://github.com/risinek/esp32-wifi-penetration-tool)
|
||||
* [ESP32 Wi-Fi Penetration Tool - Documentation - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://risinek.github.io/esp32-wifi-penetration-tool/)
|
|
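Review bot: `esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed` needs a sentence on what `fixed` means, because the ESP-IDF bootloader validates the app image checksum (and the appended SHA-256 digest when the image carries one) before it boots the partition, so a patched app image has to have those recomputed, and on a device with Secure Boot enabled an unsigned patched image will not boot at all. Also the two `ESP32 Wi-Fi Penetration Tool` references repeat the same description; keep it on one entry and shorten the other to `GitHub` / `Documentation`.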
@ -7,8 +7,8 @@
|
|||
* [Flipper Zero Firmware](https://github.com/flipperdevices/flipperzero-firmware)
|
||||
* [Flipper Zero Unleashed Firmware](https://github.com/Eng1n33r/flipperzero-firmware)
|
||||
* [Flipper Zero FW RogueMaster](https://github.com/RogueMaster/flipperzero-firmware-wPlugins)
|
||||
* [Flipper Zero Xtreme-Firmware](https://github.com/Flipper-XFW/Xtreme-Firmware)
|
||||
|
||||
* [Awesome FlipperZero](https://github.com/djsime1/awesome-flipperzero)
|
||||
|
||||
### Firmware Update - PC
|
||||
|
||||
|
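Review bot: `Awesome FlipperZero` (djsime1) is listed here in the firmware list and again under `## References` at the end of the same file (`djsime1/Awesome FlipperZero - 🐬 A collection of awesome resources ...`); keep one entry, preferably the References one, since it is a resource collection and not a firmware. The firmware names also mix styles (`Flipper Zero FW RogueMaster`, `Flipper Zero Xtreme-Firmware`, `Flipper Zero Unleashed Firmware`); align them as `Flipper Zero <name> Firmware`.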
@ -27,6 +27,11 @@
|
|||
* [RogueMaster/flipperzero-firmware-wPlugins - Web Update](https://lab.flipper.net/?url=https%3A%2F%2Frogue-master.net%2F%3Ffile%3DRM0322-1504-0.79.2-22158b0.tgz&channel=RM0322-1504-0.79.2-22158b0&version=0.79.2)
|
||||
|
||||
|
||||
## GPIO
|
||||
|
||||
![GPIO Flipper](../assets/flipper-gpio.png)
|
||||
|
||||
|
||||
## Videos
|
||||
|
||||
* [Flipper Zero: Want some good news? - Penthertz](https://www.youtube.com/watch?v=tB0eYatvu0k)
|
||||
|
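Review bot: the `Web Update` link hard-codes one RogueMaster build (`RM0322-1504-0.79.2-22158b0`, version 0.79.2) in the URL, so it will point at a stale image as soon as the next release ships; link to the project's release page or to the generic `lab.flipper.net` updater instead and, if the version matters, state it in the text. `## GPIO` consists only of the image; a one-line description of what the pinout shows would make the section self-contained.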
@ -44,3 +49,4 @@
|
|||
## References
|
||||
|
||||
* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c)
|
||||
* [djsime1/Awesome FlipperZero - 🐬 A collection of awesome resources for the Flipper Zero device](https://github.com/djsime1/awesome-flipperzero)
|
||||
|
|
|
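Review bot: `djsime1/Awesome FlipperZero` duplicates the `Awesome FlipperZero` entry already present in the firmware list at the top of this file; keep one. The date `17/01/2024` is ambiguous between day/month and month/day; write the month out as the other references in this commit do.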
@ -1,20 +1,34 @@
|
|||
# Bluetooth
|
||||
|
||||
## Tools
|
||||
|
||||
* [bettercap/bettercap](https://github.com/bettercap/bettercap)
|
||||
* [expliot_framework/expliot](https://expliot.readthedocs.io/en/latest/index.html)
|
||||
* [hackgnar/bleah](https://github.com/hackgnar/bleah)
|
||||
* [bluez/gatttool](https://manpages.debian.org/unstable/bluez/gatttool.1.en.html)
|
||||
* [securing/gattacker](https://github.com/securing/gattacker)
|
||||
|
||||
|
||||
## Bluetooth configuration
|
||||
|
||||
Configuration for Kali Linux
|
||||
Requirements and configuration for Kali Linux.
|
||||
|
||||
```powershell
|
||||
$ sudo apt-get install bluetooth blueman bluez
|
||||
$ sudo systemctl start bluetooth
|
||||
$ sudo hciconfig hci0 up
|
||||
```
|
||||
|
||||
Enumerate Bluetooth devices
|
||||
|
||||
```powershell
|
||||
$ sudo hcitool lescan
|
||||
00:1A:7D:DA:71:06 Ph0wn Beacon
|
||||
25:55:84:20:73:70 (unknown)
|
||||
```
|
||||
|
||||
`apt` doesn't have a recent version of bluez, recompile it with the following lines.
|
||||
> [!CAUTION]
|
||||
> `apt` doesn't have a recent version of bluez, recompile it with the following lines.
|
||||
|
||||
```powershell
|
||||
wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz
|
||||
|
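Review bot: the `[!CAUTION]` note says `apt` doesn't have a recent version of bluez, but the command right below it fetches `bluez-5.18.tar.xz`, a 2014 release far older than anything Kali ships; what the section actually needs is not a newer bluez but a build that still includes the deprecated `gatttool` and `hcitool` binaries (current bluez drops them from the default build unless configured with `--enable-deprecated`, and `bluetoothctl` is the supported replacement). Reword the caution to say that and point at a current tarball. The hunk also shows both the old intro line (`Configuration for Kali Linux`) and the new one (`Requirements and configuration for Kali Linux.`); make sure only the new one survives. Finally, the fences are tagged `powershell` while the content is a bash session with `$` prompts; use `bash` here and in the rest of the file.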
@ -26,6 +40,7 @@ make -j8 && sudo make install
|
|||
sudo cp attrib/gatttool /usr/local/bin/
|
||||
```
|
||||
|
||||
|
||||
## BLE - Enumerate services and characteristics
|
||||
|
||||
> BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server.
|
||||
|
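Review bot: the quoted sentence `BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server` has the wrong expansion and no main verb: GATT is the Generic Attribute Profile, and the sentence should read along the lines of `BLE data exchange is based on the Generic Attribute Profile (GATT), which defines how a client and a server exchange data through services and characteristics`. If it is a verbatim quote, attribute it and correct the expansion in a following line.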
@ -78,19 +93,29 @@ Read data with gatttool
|
|||
```powershell
|
||||
$ sudo gatttool -b $MAC -I
|
||||
[00:1A:7D:DA:71:06][LE]> connect
|
||||
```
|
||||
|
||||
# list characteristics
|
||||
[00:1A:7D:DA:71:06][LE]> characteristics
|
||||
handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469
|
||||
* List characteristics
|
||||
|
||||
# read characteristic at char handle
|
||||
[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
|
||||
Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31
|
||||
```powershell
|
||||
[00:1A:7D:DA:71:06][LE]> characteristics
|
||||
handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469
|
||||
```
|
||||
|
||||
# one liner
|
||||
* Read characteristic at char handle
|
||||
|
||||
```powershell
|
||||
[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
|
||||
Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31
|
||||
```
|
||||
|
||||
One liner to read a characteristic
|
||||
|
||||
```powershell
|
||||
$ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
|
||||
```
|
||||
|
||||
|
||||
## BLE - Read notification/indication
|
||||
|
||||
```powershell
|
||||
|
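Review bot: the one-liner `gatttool -b $MAC --char-read -a 0x002a | awk ... | xxd -r -p` reads handle `0x002a`, while the interactive example above reads `0x000c` (the value handle reported by `characteristics`); use the same handle in both so the reader can check that the decoded bytes match (`44 65 63 72 79 70 74 ...` is plain ASCII, `Decrypt the message, write the decrypted value and read back the response to flag. Encrypted message: c4d328657a9db3dfe91d3666b941b361`), and say that handle numbers are device-specific and come from the `characteristics` output, not from this page. Separately, the bare `# list characteristics`, `# read characteristic at char handle` and `# one liner` lines outside any fence appear to be leftovers of the previous revision sitting next to the new `* List characteristics` / `* Read characteristic at char handle` bullets; drop them.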
@ -144,6 +169,7 @@ ubertooth-btle -U 1 -A 38 -f -c bulb_38.pcap
|
|||
ubertooth-btle -U 2 -A 39 -f -c bulb_39.pcap
|
||||
```
|
||||
|
||||
|
||||
### Using Micro::Bit
|
||||
|
||||
* [WEAPONIZING THE BBC MICRO:BIT - DAMIEN CAUQUIL / VIRTUALABS - DEF CON 25 - JULY 28, 2017](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf)
|
||||
|
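Review bot: the heading `### Using Micro::Bit` has a doubled colon; the device name is written `micro:bit` (the linked DEF CON 25 title uses `MICRO:BIT`), so `### Using micro:bit`. The heading is followed only by the talk link; one line on what the micro:bit is used for in this section would tie it to the Ubertooth capture commands above it.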
@ -163,9 +189,13 @@ $ adb pull /sdcard/oem_log/btsnoop/<your log file>.log
|
|||
## Challenges
|
||||
|
||||
* [BLE HackMe](https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android),
|
||||
* [hackgnar/ble_ctf](https://github.com/hackgnar/ble_ctf) - A Bluetooth low energy capture the flag
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020](https://www.smartlockpicking.com/slides/HITB_Cyberweek_2020_A_Practical_Introduction_To_BLE_Security.pdf)
|
||||
* [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero)
|
||||
* [BLE CTF - wiki.elvis.science - Embedded Lab Vienna for IOT & Security](https://wiki.elvis.science/index.php?title=BLE_CTF)
|
||||
* [BLUETOOTH LOW ENERGY CTF - WRITE UP - ECLECTIC KOALA](https://blog.tclaverie.eu/posts/bluetooth-low-energy-ctf---write-up/)
|
||||
* [BLECTF, a "Capture The Flag" hardware platform based on Bluetooth Low Energy BLE + Write-Up - Hacker de Cabecera febrero 04, 2020](https://www.hackerdecabecera.com/2020/02/blectf-capture-flag-hardware-platafom.html)
|
|
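Review bot: `* [BLE HackMe](...) - works with nRF Connect (Android),` ends in a stray comma; either finish the sentence or end it with a period. Since the link goes to the Microsoft Store, say that BLE HackMe is a Windows application, otherwise the reader expects a mobile app next to `nRF Connect (Android)`.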
@ -2,10 +2,14 @@
|
|||
|
||||
> Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication.
|
||||
|
||||
Zigbee is an IEEE 802.15.4-based, wireless networking standard, which is basically used for two-way communication between sensors and control systems. Zigbee is a short-range wireless communication standard like Bluetooth and Wi-Fi while covering a range of 10 to 100 meters.
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [riverloopsec/killerbee](https://github.com/riverloopsec/killerbee) - IEEE 802.15.4/ZigBee Security Research Toolkit
|
||||
* [APIMote](https://www.attify-store.com/products/apimote) - The ApiMote is a ZigBee security research hardware intended for researchers, students, utility companies, etc. to use for learning about and evaluating the security of IEEE 802.15.4/ZigBee systems as authorized.
|
||||
* [Cognosec/SecBee](https://github.com/Cognosec/SecBee) (archived) - SecBee is a ZigBee security testing tool developed by Cognosec to test ZigBee implementations for security issues
|
||||
|
||||
|
||||
## Default Trust Center Link Key
|
||||
|
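Review bot: the blockquote and the paragraph after it both introduce Zigbee and overlap (both say it is a low-power wireless standard for home automation and similar uses); merge them, or make the second paragraph add what the first lacks, namely that Zigbee sits on the IEEE 802.15.4 PHY/MAC, which is the layer killerbee and the APIMote operate on. `which is basically used for two-way communication` reads informally; `used for two-way communication between sensors and controllers` is enough. The `(archived)` marker on SecBee is useful; the APIMote store link deserves the same kind of status hint if the product is no longer available.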
@ -28,3 +32,8 @@ Example: [CVE-2020-28952 - Athom Homey Static and Well-known Keys](https://yougo
|
|||
* [AN1233: Zigbee Security - Silabs](https://www.silabs.com/documents/public/application-notes/an1233-zigbee-security.pdf)
|
||||
* [Zigbee Security 101 (Architecture And Security Issues) - February 11, 2023 - dattatray](https://payatu.com/blog/zigbee-security-101/)
|
||||
* [Tout, tout, tout vous saurez tout sur le ZigBee / MISC n°86 - July 2016 - Kovacs Nicolas](https://connect.ed-diamond.com/MISC/misc-086/tout-tout-tout-vous-saurez-tout-sur-le-zigbee)
|
||||
* [ZIGBEE SECURITY: BASICS (PART 2) - Vishruta Rudresh - November 8, 2017](https://research.kudelskisecurity.com/2017/11/08/zigbee-security-basics-part-2/)
|
||||
* [ZIGBEE SECURITY: BASICS (PART 3) - Vishruta Rudresh - November 21, 2017](https://research.kudelskisecurity.com/2017/11/21/zigbee-security-basics-part-3/)
|
||||
* [Understanding Zigbee and Wireless Mesh Networking - Ray Felch - 27 Aug 2021](https://www.blackhillsinfosec.com/understanding-zigbee-and-wireless-mesh-networking/)
|
||||
* [ZigBee Penetration Testing: Strengthen Your IoT Security - RF Security - 12/08/2022](https://www.offensive-wireless.com/zigbee-penetration-testing/)
|
||||
* [pCTF 2011 #32 That's no bluetooth - STALKR - TUESDAY, APRIL 26, 2011](https://blog.stalkr.net/2011/04/pctf-2011-32-thats-no-bluetooth.html)
|