SPI

Serial Peripheral Interface

The bar on top of CS means it's active low - 1 is off, 0 is on.

Acronyms for Transmit: SDO = Serial Data Out SO = Serial Out COPI = Controller Out Peripheral In MOSI = Master Out Slave In

Acronyms for Receive: SDI = Serial Data In SI = Serial In CIPO = Controller In Peripheral Out MISO = Master In Slave Out

Extract content of SPI

Through the bootloader (slow)

MT7620 # md <kernel address>
MT7620 # md 0xbc050000
bc050000: 56190527 d1c425c5 0285d757 dc061100    '..V.%..W.....`.
bc050010: 00000080 00000080 44146a2e 03020505    .........j.D....
bc050020: 5350494d 65704f20 7472576e 6e694c20    MIPS OpenWrt Lin
...

Note that when dumping this way we get the memory address on the left, hex data in the middle, and the ascii representation on the right. This is inefficient as we only get 16 bytes of data (32 hex characters) from each line which has a total of 64 bytes.

To calculate the speed it would take to dump this way we have this formula:

$$\frac{baud rate * 0.1}{4} = bytes/second$$

Bytes per second is arbitrary, so we convert this to seconds per megabyte instead:

$$\frac{1}{bytes * 10^{-6}} = second / MB$$

And lastly calculate the time it would take to dump the memory:

$$\frac{seconds * memory Size}{60} = TimeInMinutes$$

To put this into practice, lets say we are using baud rate 115200 and want to dump a 8 MB SPI.

$$\frac{115200*0.1}{4} = 2880 bytes/second$$

$$\frac{1}{2880*10^{-6}} = 347.2222..second/MB$$

$$\frac{347 * 8}{60} = 46.2666..minutes$$

Dumping a 8 MB SPI flash over the serial interface with baud rate 115200 would take 46 minutes.

Over network with nc (fast)

Dumping over the network with cat and nc we're removing all the unnecessary characters (memory address + ascii) effectively cutting the extraction time in 4, totaling 8 MB in 11½ minutes.

## Setup listener localy
localhost:~$ nc -l 4488 > mtd0 &

## Connect to target and send
localhost:~$ sudo screen /dev/ttyUSB0 115200
target:~$ cat /dev/mtd0 | nc 192.168.101.97 4488

localhost:~$ xxd mtd0 | less

Using Tigard and Flashrom (fastest)

Example of 8-pin SPI flash chip with default layout

Using flashrom version 1.0 and later, this extraction will take around 6 seconds for 8 MB SPI.

1. Confirm the pins of the SPI flash chip with the datasheet and clip in accordingly, connecting the Tigard SPI to the SPI flash chip.

2. Make sure that the Tigard is set to JTAG/SPI-mode

3. Depending on how the power is connected we need to take one of two options, a or b.

4. (option a) VCC is connected serially between SPI and Microcontroller

   1. Disable the microcontroller by controlling RST (reset). Usually RST is active low so pull down the voltage to 0 on this pin. Confirm this in the microcontroller datasheet.

   2. Put Tigard in VTGT mode, supplying no power. Power on the target device normally.

5. (option b) VCC is not serially connected between SPI and Microcontroller

   1. Connect Tigard to SPI VCC and supply power using 1.8/3.3/5V options.

6. Dump the SPI with flashrom

$ flashrom -p ft2232_spi:type=2232H,port=B,divisor=4 -r flashdump.bin
..
Found Winbond flash chip "25Q64.V" (8192 kB, SPI) on ft2232_spi.
Reading flash... done.

$ ls -alh flashdump.bin
-rw-rw-r-- 1 void void 8.0M Nov 21 12:56 flashdump.bin

NOTE: To figure out if VCC is connected serially you can use a multimeter in continuity mode with one probe on the VCC pin of the SPI, and the other on VCC pin of the microcontroller.

If you for some reason need to compile a new or custom version of flashrom the programmer ft2232_spi will not be enabled by default. To enable it compile like this (case sensitive):

$ make CONFIG_FT2232_SPI=yes

---

Pin to Pwn

Pin to Pwn is a glitching/fault injection attack used to disrupt the boot sequence of a device, possibly resulting in the attacker gaining access to U-BOOT and/or kernel shell. This attack is very time sensitive and hard to accomplish, it will take an experienced tester around 5-10 tries to execute the attack before succeeding.

• Using fault injection when kernel is loading into RAM could result in a U-BOOT prompt.

• Using fault injection during the init process could result in a root shell depending on fallback procedure

A device with very fast kernel boot sequence will make it hard to jam the pin in there at the right time. To bypass this we can write code to do the fault injection at the right time, instead of doing it manually.

Shorting flash pins manually using a pin

Logic analyzer showing the boot process of a device

On a serial flash we want to short the Serial Output and Chip Select pins.

Short SO and CS on 8-pin serial flash

On a parallel flash TSOP48 short the Command Latch and Address Latch pins.

Short CL and AL on 48-pin parallel flash

HOWTO:

1. Identify all flash devices. Use datasheet to find interesting pins.

2. Monitor boot process with logic analyzer to see timers.

3. Identify how / when the device fails.

4. Try several times. For an experienced tester it will take 5-10 tries.

5. Reboot the device after every try.

More in-depth information HERE.