What I Am Doing - Part 2 UART Analysis

Today I'm playing with a jtagulator device on the same setup as the last article. I have it wired up to the GPIO pins on the raspi that correspond to the UART (I'm cheating a little since I figured out what the pins were last time), and I have it connected to my analysis laptop running Linux. First we wire up the raspi to the jtagulator:

[Image: Raspi Connected to Jtagulator]

Next, we double check to make sure the jtagulator is being seen by the OS:

root@rftao:~# lsusb
Bus 002 Device 008: ID 0403:6001 Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC

Next we check dmesg to try to figure out what TTY it's connected to:

root@rftao:~# dmesg
[244830.646726] usb 2-2: New USB device found, idVendor=0403, idProduct=6001, bcdDevice= 6.00
[244830.646740] usb 2-2: Product: FT232R USB UART
[244830.652596] usb 2-2: FTDI USB Serial Device converter now attached to ttyUSB0

I snipped some of the info to keep this short, but we can see it's connected to ttyUSB0.

You can use whatever terminal program you like, but I'm using picocom, so we set up the connection to the jtagulator:

root@rftao:~# picocom /dev/ttyUSB0 -b 115200

[Image: jtagulator Prompt]

Next we set up the voltage for the device by hitting V and then entering 3.3. The raspi 4 is 3.3 V. Then we bruteforce the pins. We already know these from the previous article, but we will use the jtagulator to figure it out anyway:

[Image: Pin Bruteforcing]

This identifies the transmit and receive pins for us as well as the baud rate. I'm not sure why it says 1800 as I know it is 115200 but I'm ignoring that for now. Now we do a UART passthrough and attempt to watch the raspi boot through the jtagulator:

[Image: Capture Boot]

So far so good, we can see the entire boot process coming from the raspi. I'll do another article about dumping the firmware as that's a longer topic. However, I asked chatGPT for a python script to help in extracting the firmware and this is what it gave me in about 1 second:

[Image: ChatGPT Firmware Extraction Code]

I haven't tested this code out, but it has the interface right and the general flashrom command for dumping.

Next we take a look at the dump file, determine its type, and look for useful strings:

[Image: Firmware Strings]

I cut out a number of lines to make the image a reasonable size, but we can see hints about the architecture, the device, and even some of the device config options. Then we do a hexdump using xxd and have a look around. I also edited the lines in this image:

[Image: Firmware Hexdump]

We can see another hint, PM_RSTS, which is a Broadcom chip register used in Raspberry Pis. Next we take a look at the entropy of the firmware file, which will give us some hints about its structure, compression, etc.:

[Image: Firmware Entropy]
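The strings pass and the entropy pass above are the two quickest ways to triage a raw dump before loading it into a disassembler. The following script is an added example, not code from this article or from Red Crow Labs: it computes per-block Shannon entropy to flag compressed or encrypted regions, pulls printable strings the way `strings` does, and runs against a constructed dump (the PM_RSTS marker and the layout are made up for the demo).

```python
import math
import random
import re
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(blob: bytes, block_size: int = 512):
    """(offset, entropy) per fixed-size block: the curve an entropy plot draws."""
    return [(off, shannon_entropy(blob[off:off + block_size]))
            for off in range(0, len(blob), block_size)]

def high_entropy_regions(blob: bytes, block_size: int = 512, threshold: float = 6.5):
    """Merge adjacent blocks above threshold into (start, end) byte ranges.
    ~8 bits/byte means compressed/encrypted; ~0 means padding or erased flash."""
    regions = []
    for off, h in entropy_profile(blob, block_size):
        if h < threshold:
            continue
        end = min(len(blob), off + block_size)
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)   # extend the previous region
        else:
            regions.append((off, end))
    return regions

def printable_strings(blob: bytes, min_len: int = 6):
    """Rough equivalent of `strings -n 6`: runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def _pseudo_random(n: int, seed: int = 1) -> bytes:
    """Deterministic stand-in for a compressed/encrypted payload (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed dump, not a real Raspberry Pi image: erased flash, a small
# config/header region carrying the PM_RSTS marker, a high-entropy payload, 0xFF fill.
SAMPLE_DUMP = (
    b"\x00" * 1024
    + b"bootcode PM_RSTS=0x1000 model=rpi4\x00".ljust(1024, b"\x00")
    + _pseudo_random(2048)
    + b"\xff" * 1024
)
```

On the constructed dump `high_entropy_regions(SAMPLE_DUMP)` reports the single payload range and `printable_strings` recovers the header line, which is exactly where you would point xxd next.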

IDA Pro doesn't quite know how to open the dump, so it will need some tweaks and extraction first. Just for the heck of it I opened the dump in radare2's Iaito, setting the architecture to ARM, and got a little bit of potentially useful information.

[Image: Firmware Disassembly & Graph]

I'll leave it there for now, but this gives you a little view into Red Crow Labs' basic hardware analysis process.

Thanks for listening,

A.

I have often thought of the JTAGulator as dark magic.
