This presentations introduces some common protocols used in electronics, and how to sniff/speak them. Then a bit about USB, and some interesting hacks with these things.
Then a bit about openwrt and router hacking.
2. About me
What I do:
I studied electronics from JIIT and have been working at Baseapp Systems, in
Delhi. I do software/system design for embedded systems.
3. Hardware hacking?
● looking at how a consumer product
does what it does
● making something from scratch
● making things do what they were not
meant to do.
4. Outline
● Introduction to some common protocols
used in low level electronics (rs 232, spi, i2c)
● Sniffing/speaking these protocols
● USB protocol, Sniffing USB
● A few interesting hardware hacks
● Router hacking
5. ● Chips follow standard protocols
● You can google most device datasheets
● exception is some chips with limited/restricted distribution
There are a few common protocols you will see in a lot of places
Things follow rules
6. SPI Serial and SPI communication waveforms
Rs 232
Often called just Serial, can be found in many
places
Often used as a debug output in systems, or
even control terminal.
Often used to just transfer readable text, so
you can even read what transfers are going on.
$GPRMC,081836,A,3751.65,S,14507.36,E,
000.0,360.0,130998,011.3,E*62
7. I2C protocolMultiple I2C devices wired together
A sample I2C transaction
● I2c comm. initiated by master, and
there is only 1 master at a time
● All devices have a unique address,
and they respond to only that
● All transfers require
acknowledgement
● Start and stop condition to indicate
start/stop of data
A lot of things, memories, wireless chips, all kinds of
sensors, batteries, ADCs, even some LEDs, speak I2C or
SPI
Also called SMBUS, on PCs
8. Some places where I2c is used
EEPROM Laptop batteries
Various sensors
10. Speaking
Arduino - really quick prototyping
PIC32 Fubarino mini
STM32F4 Discovery
FTDI USB serial chips can also do many
protocols. Can use C/python libraries
11. FTDI chips (FT232h ^)
FT232H (module is pic UM232h)
● Most often used as usb to serial
● Can also do SPI/I2C, GPIO/bitbang
● FTDI provides C libraries for using
these
● Can do JTAG, openOCD or other
debuggers
● code on right -> read 1MB SPI flash
libmpsse, python wrapper over ftdi C libraries(libftdi)
from mpsse import *
MPSSE(SPI0, THIRTY_MHZ, MSB)
Start()
Write("x03x00x00x00")
data = Read(0x100000)
Stop()
Close()
open('flash.bin', 'wb').write(data)
12. Some mcu suggestions
Arduino
1. Has a serial bootloader, so dont
need programmer
2. IDE comes with many ready to use
libraries, not good
3. code written in C++, in IDE, which
is not the best text editor
4. Don’t really need IDE
5. AVR-gcc and clib, avrdude etc.
STM32
1. ARM cortex M0/1/3/4
2. GCC arm compilers are free and/or open source
3. Need programmer/debugger, but discovery kits
come with one, can also use FTDI chip from last
slide as JTAG with Openocd(olimex Tiny-usb jtag
etc.)
4. no ide, free to setup anything
Microchip PICs
1. Series of 8, 16, 32 bit microcontrollers
2. Also have an IDE, based on Netbeans
3. no completely free toolchain. Some code
optimizations are paid features
4. Provide some libraries for USB stack and
peripherals etc
5. Need a programmer, like ICD3, which is a bit
expensive but can program/debug any microchip
PIC
13. Introduction
● USB cable has 4 wires, gnd, 5V, D+, D-
● When you connect a device to a host, host
does ‘enumeration’
● device describes itself to host during this
● You communicate with USB device on
“Endpoints”, which are like port number on
an IP in a network. Descriptors sent on
endpoint 0, which is always present
● After enumeration, host OS may decide to
load a driver for device, depending on
device class, or if not class, then VID/PID
USB
Bus 002 Device 003: ID 0079:0006 DragonRise Inc.
Generic USB Joystick
Device Descriptor:
idVendor 0x0079 DragonRise Inc.
idProduct 0x0006 Generic USB Joystick
bNumConfigurations 1
Configuration Descriptor:
MaxPower 500mA
bNumInterfaces 1
Interface Descriptor:
bNumEndpoints 2
bInterfaceClass 3 Human Interface
bInterfaceSubClass 0 No Subclass
Endpoint Descriptor:
bEndpointAddress 0x81 EP 1 IN
Transfer Type Interrupt
wMaxPacketSize 0x0008 1x 8 bytes
Endpoint Descriptor:
bEndpointAddress 0x01 EP 1 OUT
Transfer Type Interrupt
wMaxPacketSize 0x0008 1x 8 bytes
14. Sniffing USB
USB sniffing
● Linux kernel facility called
‘usbmon’
● Sort of like tcpdump for USB
● wireshark, vusb analyser are
both free/open source
Wireshark
VUSB analyser
15. Talking USB
Libusb
http://libusb.info/ or
http://libusb.org/
You can talk to a device with a
class/subclass or vid/pid not associated
with a driver using this library.
C/C++, python
Microcontrollers:
most of STM32 series
many pic18 and 32
atmega32u4 etc
have USB device, some have host too
Linux USB gadget API
● kernel modules to act as a USB slave(instead of host)
● hardware should support usb peripheral, so most
desktops can’t, but many embedded ones can
● USB serial, ethernet
● USB HID, keyboard, mouse
● PTP (picture transfer protocol, like in camera, or android
phones)
● sound devices, webcam
● File backed storage, mass storage devices
16. USB mass storage device class as an example
Flash
USB controller
Computer
You plug in a USB pen drive
● Enumeration happens on Control endpoint(EP0)
● 2 Endpoints(1 IN, 1 OUT) are set up for
exchanging data
● Data exchanges are wrapped in SCSI
commands(read, write, disk size etc.)
● in linux, kernel loads USB mass storage driver,
which provides a block device interface like
/dev/sdb
● linux reads partition table to detect any
partitions, if present, /dev/sdb1, /dev/sdb2
● OS auto mounter may mount detected partitions
Android mass storage, uses usb gadgetfs driver
in linux. Unmounts microsd partition, makes it
available to gadgetfs.
Mp3 players and other devices do this.
Is a means for firmware update in some
devices.
17. Block devices
MBR - first sector 512 bytes
Valid boot sector signature
Partition table
● only 4 entries, hence 4
primary partitions
● first byte either 0x80 or 0x0,
bootable flag
● used by ibm compatible and
other computers during boot
Some tools for seeing binary data:
● hd, hexdump
● od - read as int uint, chars etc
● strings - show printable characters
in file
● xxd - hex dump to bin or reverse
● file - try to identify type of file
● dd - read parts of one file into
another, everything is a file
18. STM32
USBpendrive
Layers of Host code
● USB host
● usb mass storage
driver, bulk only
transfer, SCSI
● fat32 layer
SPI Oled display
USBdevicetopc
● Do not know, nor needed to know
all layers in detail
● Most of USB stack, and mass
storage driver is from STmicro
● fat32 layer is Chan’s fatfs library ● SPI oled initialization
sequence
● data write sequence
● Character fonts
● handling ‘frame buffer’
● adafruit had released
similar oled, used code
from there
USB device code
● Modify code for USB
CDC(or USB serial)
● Bulk only transfer,
and maximum packet
size(64 bytes, full
speed)
● Custom
class/subclass(0xff)
● Desktop application
uses libusb to
communicate
19. Samsung smart tv:
● ARM based, runs busybox based linux system
● has software packages like widgets/games
and firmware updates
● updates installed via USB pen drive
Some examples
Implemented on Gumstix board
● Linux usb file storage gadget
● TV reads and checks files
● on reading second time, the filesystem
is switched, copying own code onto tv,
which it runs as root
20. Some more examples, CHDK
Canon Hack Development Kit
● (2006) Programmer studies
disassembly of firmware upgrade
for his IXUS camera
● Figures out a way to boot from SD
card
● Dumps firmware of camera by
blinking the LED on camera, and
reading with a light dependant
resistor,
CHDK running on a point and shoot
● Enhancement to camera firmware, doesn’t void
warranty, GPL
● Features, RAW images, settings overrides(shutter
speed, exposure, ISO), exposure/focus bracketing,
● motion detection, HDR, time lapse
● User scripts in Lua, uBasic
● can make really cheap trigger using usb cable
● On screen displays, live histogram
23. Some more examples
Openkinect
● Microsoft was not willing to release
open source/otherwise drivers for
systems other than linux for kinect
● Adafruit(which is DIY/hobbyist
electronics company) launched a
bounty
● they put up dumps of USB traffic
from kinect on windows
● protocol reverse engineered,
libfreenect
PS3 jailbreak
● Buffer overflow in PS3 USB stack
● if device reports smaller descriptor length than
actual, PS3 copies the data into a small allocated
memory, causing overflow
● This allowed the jailbreak creators to run arbitrary
code on the ps3 somehow
24. Router hacking
Routers have always been closed source
● In 2003 linksys releases WRT54G
● turns out it runs linux
● community pressure on linksys to release
source because of linux GPL license
● Many router firmware projects started after
this
linksys later moved to Vxworks, but people got
linux working on new routers too.
Openwrt
Most active router firmware project
Actually a linux distribution for very space
constrained systems, and has router specific
additions
● has a web interface, like in normal routers
● generates images as squashfs/jffs2 filesystem
● these are written on flash chips on routers
● Based on buildroot/uClibc build system
25. TP-link WR841ND
SPI flash chip
Atheros ar9341
SoC
RAM
Serial port
Inside a typical router
OpenWrt buildroot menuconfig
26. OpenWrt flash layout4MB SPI flash
For just dumping flash contents, can desolder chip and read.
(never have to)
Some tools to analyse unknown flash contents:
● Binwalk
● Firmware mod kit - uses binwalk
27. binwalk, firmware-mod-kit
Binwalk scan results
Firmware-mod-kit
● it tries to detect different portions in firmware dump
● extracts them
● you modify them if you want
● repacks them, recreating CRCs or signatures again if need be
28. More examples
Kindle 4 no touch
Create empty file ‘ENABLE_DIAGS’,
restart from menu
● Apart from just breaking consumer stuff, this info is
useful for making hardware
● Many vendors are selling modules with router SoCs
you can use in own projects.
Ex. 8devices.com carambola
Has wifi, runs linux
easier to put in own projects
than these BGA chips
Arduino yun has same
ar9331 chip(also has
atmega32u4), runs openwrt.
Fon Wireless Ltd., runs a paid wifi
sharing network. Their own hardware
runs a OpenWrt derivative
29. A wireless audio receiver
This is a small wifi audio receiver we made.
Based on a router SoCs.
● Carambola2 SoM, wifi, 16MB flash, 64MB ram
● Custom openwrt
● each speaker is an alljoyn audio sink
● devices have master/slave modes, each mode has
a config mode
● in config mode you can connect to device with
phone using wifi AP
● network configuration, DHCP, wifi access point,
switching modes, starting/monitoring services etc
handled by custom scripts in Lua, since openwrt
code was suitable only for a router.
● Modifications to board specific code for kernel, for
LEDs, buttons, etc. hints taken from board specific
code for other routers.
30. Conclusion…
● Devices use standard protocols to communicate
● Logic analyzer is useful
● You can make routers run your own code