How to Upload Shroff Rom Camera Chip

IoT security is an exciting field that opens the doors to a lot of interesting research. When you dive into the rabbit hole of hardware security, you'll run across a whole array of engaging and varied challenges: Bluetooth sniffing, Software-Defined Radio, ARM exploitation, reverse engineering, and a whole lot of hardware tinkering and breaking. However, knowing where to start can be confusing and hard, so we will help you get started by showing you how to dump firmware from an IoT device.

One of the basic steps when pentesting an IoT device is to analyze the firmware of the device. There are several reasons for doing this, but mainly:

  • Firmware can contain sensitive information, such as encryption keys, API keys, and other hardcoded secrets.
  • We could modify the firmware and flash the device with our patched code to change interesting logic in the chip.

Often, you can find the firmware for various flash chips online by performing simple Google searches; however, the firmware may not always be available online. This is when things get interesting, as you have to manually extract the firmware from the device by opening it and connecting to the flash chip.

The steps for extracting firmware from an IoT device are relatively simple, but there are a few things along the way that can seem confusing, especially if you haven't worked with hardware devices all that much. In any case, even if you are not conducting an assessment, extracting and analyzing the firmware of a device can be a lot of fun. There is something about it that feels very cyberpunk'ish. Is that cliche? Absolutely, but c'mon, all security people have a secret love for all things cyberpunk and 1995 hacker stereotypes. In this blog post, I will guide you through the process of dumping firmware from a flash chip. I will not assume that you have any previous experience with hardware.

Locating the flash chip in IoT Devices

In this post, we are going to extract the firmware from an SP009 Sricam IP camera. The Sricam IP camera has a number of vulnerabilities that make it an ideal device for learning IoT exploitation. Note that the same steps we are about to follow would apply to almost any other device.

The first step is to open the device. If you are planning on doing a lot of IoT security research, I'd suggest getting a nice screwdriver kit. Then, with your shiny new screwdriver kit in hand (or the one screwdriver you found in your garage), open the device and examine the different chips on the board. This is what the IP camera looks like when opened up:

chips

Device firmware lives in flash memory chips, which frequently have eight pins connecting them to the board. They are also relatively small. With those clues alone, we know that the flash memory chip must be the one on the bottom side of the picture above. To make sure we do a thorough analysis, though, let's identify the model and serial number for each chip.

  • MXIC chip, part MX25L12835F. We can find info about it here.
  • Grain Media chip, part GM8135S-QC.
  • A MediaTek chip, part MT7601UN.

After some quick Googling, we determine that the chip with the part number labeled MX25L12835F is the flash chip containing the firmware for the device. The documentation also indicates that this is an SPI (Serial Peripheral Interface) chip. SPI is nothing more than a protocol for communications in an embedded system. SPI allows for fast, synchronous, serial communications between different components on a board, and each pin serves a different purpose for SPI communications. You can learn a lot about SPI and how it works here.

The next step is to figure out what each pin on the chip does. Since we have identified the part number for the firmware chip, we can search for the datasheet for the chip online (linked above). On page 7, we see a diagram for the chip. We want to look for the following pins so that we can connect to the chip and dump the firmware:

  • CS: Chip Select
  • MISO: Master In Slave Out (data output)
  • GND: Ground
  • MOSI: Master Out Slave In (data input)
  • Vcc: Voltage common collector, for powering the chip.
  • SCLK: Serial Clock Input

From looking at the datasheet, we identify the following pin numbers:

    CS   ----- PIN #1
    MISO ----- PIN #2
    GND  ----- PIN #4
    MOSI ----- PIN #5
    SCLK ----- PIN #6
    Vcc  ----- PIN #8
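The pins above carry a very small set of byte-oriented commands. As an added example (not code from the original post or from the libmpsse tool used later), the snippet below builds the two frames a flash programmer clocks out on MOSI when it talks to this chip, the JEDEC ID query (0x9F) and a normal READ (0x03 plus a 24-bit address), and decodes the three ID bytes that come back on MISO into the chip's capacity. The response bytes C2 20 18 are constructed here from the Macronix RDID table for the MX25L128 family; check them against the datasheet for your own part.

```python
"""Build the SPI frames a flash programmer sends on MOSI and decode the
JEDEC ID the chip returns on MISO.

Added example, not code from the original post or from libmpsse. The
RDID response bytes used in __main__ are constructed (C2 20 18, the
values Macronix publishes for MX25L128-class parts); verify against the
datasheet for your chip.
"""

# Standard SPI NOR opcodes, shared across vendors.
CMD_RDID = 0x9F   # Read JEDEC ID: returns manufacturer, memory type, density
CMD_READ = 0x03   # Normal read: opcode + 24-bit address, then data shifts out

JEDEC_MANUFACTURERS = {
    0xC2: "Macronix (MXIC)",
    0xEF: "Winbond",
    0x20: "Micron/ST",
    0x01: "Spansion/Cypress",
    0x1C: "EON",
    0xBF: "SST/Microchip",
}


def rdid_frame():
    """Bytes clocked out for an ID query: opcode, then 3 don't-care bytes
    so the chip has clocks to answer on MISO."""
    return bytes([CMD_RDID]) + b"\x00" * 3


def read_frame(address, length):
    """Bytes clocked out on MOSI for a READ of `length` bytes at `address`.

    After the 4-byte header the master keeps clocking (sending 0x00) while
    the chip shifts one data byte out on MISO per 8 clocks.
    """
    if not 0 <= address < (1 << 24):
        raise ValueError("normal READ uses a 24-bit address")
    return bytes([CMD_READ]) + address.to_bytes(3, "big") + b"\x00" * length


def decode_jedec_id(resp):
    """Decode the three bytes returned after a 0x9F command.

    For most vendors the density byte is log2 of the capacity in bytes, so
    0x18 -> 2**24 = 16 MiB = 128 Mbit, which is the '128' in MX25L128.
    """
    if len(resp) < 3:
        raise ValueError("RDID response needs 3 bytes")
    mfr, mem_type, density = resp[0], resp[1], resp[2]
    if mfr in (0x00, 0xFF):
        # All-zero or all-0xFF means nothing answered: bad clip contact,
        # pin 1 oriented the wrong way, or an unpowered chip.
        raise ValueError("no chip responded (0x00/0xFF) - check the wiring")
    capacity = (1 << density) if 0x10 <= density <= 0x20 else None
    return {
        "manufacturer": JEDEC_MANUFACTURERS.get(mfr, "unknown 0x%02X" % mfr),
        "memory_type": mem_type,
        "density": density,
        "capacity_bytes": capacity,
        "capacity_mbit": capacity * 8 // (1024 * 1024) if capacity else None,
    }


if __name__ == "__main__":
    # Constructed RDID response for an MX25L128-class part.
    print(decode_jedec_id(bytes([0xC2, 0x20, 0x18])))
    # First 16 bytes at address 0: 03 00 00 00 followed by 16 clock bytes.
    print(read_frame(0, 16).hex())
```

Reading the ID before the full dump is the cheapest wiring check there is: a sane manufacturer byte and a capacity that matches the datasheet mean CS, SCLK, MOSI and MISO are all making contact, and the decoded capacity is the size the dump should come back as.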

Dumping the firmware

Alright, now the question is: how do we know which pin is which on our device? Well, see that dot on the top left corner of the chip diagram? Look for that same dot on the chip to identify pin #1. In the previous picture, you can see the dot in the top-left corner.

To dump the firmware, we need a microcontroller that can communicate with SPI chips. We have a few options, including:

  • The Shikra
  • Attify Badge
  • Adafruit FT232H
  • Hydrabus

In this example, we will use the Attify Badge.

To make our job more comfortable, we can use a SOIC (Small Outline Integrated Circuit) clip to make the connections from the flash chip to our microcontroller. A SOIC clip looks like this:

clip

The way you use a SOIC clip is relatively simple: look for the red cable to identify the end that should make contact with pin #1 of the SPI chip. We then hook jumper cables on the other end of the SOIC clip according to the pin numbering we determined above. Each cable, in turn, is connected to our microcontroller using the following SPI configuration:

    Badge        IP Camera
    -----------------------
    SCK  <--------> SCLK
    MISO <--------> SI/SO (MOSI)
    MOSI <--------> SO/SI (MISO)
    CS   <--------> CS
    GND  <--------> GND
    3.3V <--------> Vcc

The documentation for any microcontroller you are using should indicate which pins you can use for SPI communications. In this example, we determined the above connections by locating the pin layout for the Attify Badge. Your connections should look something like this:

connected

Ignore the cables soldered to the chip on the top of the camera. Those are connected to a UART chip, which we will cover in a future post.

I must issue a warning regarding the Vcc pin. You connect the Vcc pin to your board if, and only if, you decide not to connect your IP camera (or any other device you may be pentesting, for that matter) to a power source (most likely via a USB cable). If you are connecting your camera to power during this process, you MUST NOT connect the Vcc pin, as you will be supplying the chip with too much power, which could in turn damage the board or the USB ports on your computer.

Now, I won't lie and tell you that the SOIC clip makes everything easy. It is not as easy as hooking the clip on the chip and assuming that all the connections are made. You will have to carefully look at the contact pads on the clip and make sure each pad is touching the right pin on the chip. This can be a pain, and if you don't have a steady hand, you could damage the pins. While this can seem annoying at first, this is also what I enjoy about working with hardware: it requires a type of patience (physical patience, perhaps?) that you don't get to practice when working with software. Just keep at it and have fun.

If you get frustrated with the SOIC clip, you could try using alligator clips instead, which I have found to be very useful when working with tiny pins. The same connections using alligator clips look like this:

connected with alligator clips

Ok, let's get back to work. Next, connect your microcontroller to a computer and make sure that your device is detected. I like using a Linux VM where I have all my tools for IoT exploitation. Type the following to make sure your microcontroller is listed:

Now we will need to use spiflash.py to dump the firmware. Clone this repo and navigate to libmpsse/src/examples. Next, to dump the firmware from the device, run the following:

    $ sudo python spiflash.py -s 15000000 -r firmware.bin

Note that if you don't use sudo, the tool may not be able to detect the USB device. The -s flag indicates the size of the data that we want to dump. The documentation for the chip may also indicate the size of the firmware. In this case, we are using a sufficiently large size to ensure we get the entire firmware.

Next, confirm that something was dumped from the chip:

If you didn't have your connections set up correctly, the above would output nothing. If you do see a list of garbled characters, then we can move on to the next step.
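"Garbled characters" is a coarse test, and a dump can look busy while still being wrong. As an added example (not from the original post or from spiflash.py), the helper below gives firmware.bin a quick verdict before binwalk: it checks the size against the capacity the datasheet gives, and it catches the two classic bad-wiring results, an all-0xFF file (MISO floating) and an all-0x00 file, by looking at entropy and byte spread. The buffers in `__main__` are constructed stand-ins for the dump file.

```python
"""Sanity-check a raw flash dump before handing it to binwalk.

Added example, not from the original post or from spiflash.py. The two
sample dumps in __main__ are constructed; in practice read firmware.bin
and pass its bytes to summarize_dump().
"""
import math
import os
from collections import Counter


def capacity_from_mbit(mbit):
    """Datasheet density in Mbit -> bytes, e.g. 128 Mbit -> 16 MiB."""
    return mbit * 1024 * 1024 // 8


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for
    compressed or encrypted data (SquashFS sections land near 8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def summarize_dump(data, expected_size=None):
    """Return a verdict dict; 'ok' is False for an empty, blank or short dump."""
    size = len(data)
    head = data[: 1 << 20]            # first MiB is enough to judge wiring
    distinct = set(head)
    blank = distinct <= {0xFF} or distinct <= {0x00}
    sample = data[:4096]
    printable = sum(32 <= b < 127 for b in sample) / max(1, len(sample))
    short = expected_size is not None and size < expected_size
    result = {
        "size": size,
        "blank": blank,                       # floating MISO or dead chip
        "entropy": round(shannon_entropy(head), 2),
        "printable_ratio": round(printable, 2),
        "short": short,                       # partial read vs datasheet size
    }
    result["ok"] = size > 0 and not blank and not short
    return result


if __name__ == "__main__":
    expected = capacity_from_mbit(128)       # MX25L12835F: 128 Mbit
    floating = b"\xff" * 4096                # constructed: nothing wired
    busy = os.urandom(2048) + b"hsqs" + b"\x00" * 2044   # constructed
    print(summarize_dump(floating, expected))
    print(summarize_dump(busy, expected))
```

The size check matters for this particular chip: `capacity_from_mbit(128)` is 16,777,216 bytes, so a dump taken with `-s 15000000` comes back flagged `short`, and re-running the read with the full size avoids losing the tail of the image before extraction.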

Next, we will extract the firmware from our resulting binary using binwalk. Download binwalk and run the following command to extract the firmware:

The output from the above may look something like this:

binwalk
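What binwalk is doing in that output is a signature scan: it slides over the dump looking for the magic bytes of known containers and file systems and reports the offset of each. As an added example (not binwalk's code or the post's), the script below does the same for a handful of formats common in embedded images and, for a SquashFS hit, parses enough of the superblock to tell a real file system from a chance byte match. The dump it scans is constructed in `__main__`.

```python
"""Locate embedded container and file-system headers in a raw dump,
the way binwalk's signature scan does.

Added example, not binwalk's code or the post's. Magic values are the
standard ones for each format; the dump in __main__ is constructed.
"""
import struct

# A small subset of what binwalk knows: (name, magic bytes).
SIGNATURES = [
    ("SquashFS (little-endian)", b"hsqs"),
    ("SquashFS (big-endian)",    b"sqsh"),
    ("uImage header",            b"\x27\x05\x19\x56"),
    ("gzip compressed data",     b"\x1f\x8b\x08"),
    ("xz compressed data",       b"\xfd7zXZ\x00"),
    ("ELF executable",           b"\x7fELF"),
    ("JFFS2 filesystem",         b"\x85\x19"),   # 2 bytes: noisy on random data
]

# SquashFS 4.x superblock prefix, little-endian: magic, inode_count, mod_time,
# block_size, fragment_count, compression, block_log, flags, id_count,
# version_major, version_minor.
SQSH_FMT = "<IIIIIHHHHHH"
SQSH_MAGIC = 0x73717368                      # packs to b"hsqs"


def scan_signatures(data, min_magic_len=3):
    """Return [(offset, name)] sorted by offset.

    Magics shorter than min_magic_len (JFFS2's 2 bytes) are skipped by
    default because they match constantly inside compressed data.
    """
    hits = []
    for name, magic in SIGNATURES:
        if len(magic) < min_magic_len:
            continue
        idx = data.find(magic)
        while idx >= 0:
            hits.append((idx, name))
            idx = data.find(magic, idx + 1)
    hits.sort()
    return hits


def squashfs_superblock(data, offset):
    """Parse the leading superblock fields at a SquashFS hit.

    A genuine superblock has block_size == 2**block_log; a random "hsqs"
    inside compressed data almost never does, so 'consistent' separates
    the two.
    """
    if len(data) - offset < struct.calcsize(SQSH_FMT):
        return {"consistent": False}
    (magic, inodes, _mtime, block_size, _frags, comp, block_log,
     _flags, _ids, vmaj, vmin) = struct.unpack_from(SQSH_FMT, data, offset)
    return {
        "inodes": inodes,
        "block_size": block_size,
        "compression": comp,            # 1 = gzip, 2 = lzma, 3 = lzo, 4 = xz
        "version": (vmaj, vmin),
        "consistent": magic == SQSH_MAGIC and block_size == (1 << block_log),
    }


def build_squashfs_superblock():
    """Constructed SquashFS 4.0 superblock: gzip, 128 KiB blocks, 42 inodes."""
    return struct.pack(SQSH_FMT, SQSH_MAGIC, 42, 0, 131072, 3, 1, 17, 0, 1, 4, 0)


if __name__ == "__main__":
    # Constructed dump: erased padding, a uImage kernel header, then a
    # SquashFS root file system further in.
    dump = (b"\xff" * 0x1000 + b"\x27\x05\x19\x56" + b"\x00" * 60
            + b"\x00" * 0x2000 + build_squashfs_superblock() + b"\x00" * 0x100)
    for off, name in scan_signatures(dump):
        print(f"0x{off:08X}  {name}")
        if name.startswith("SquashFS"):
            print("    ", squashfs_superblock(dump, off))
```

The offsets are what you hand to `dd` or to binwalk's `-e` extraction; the `consistent` flag is the check to apply when a scan of a big dump throws up several SquashFS hits and only one of them is the real root file system.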

Now navigate to the created folder.

    $ cd _test.bin.extracted/squash-fs

You may not have a squash-fs folder. In that case, the firmware was probably not extracted correctly, perhaps due to a connection issue. Check your connections and run spiflash.py again. I had to run that a few times before I was able to extract the firmware correctly.

As you can see, you now have access to the entire file system from the dumped firmware in the squash-fs directory. SquashFS is a compressed file system commonly used in embedded systems.

file system

Now it is up to you as to what you want to do with it. Explore scripts, look for secret strings, etc. You can even modify files and write them back to the flash chip using spiflash.py -w.
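"Look for secret strings" is the part of a firmware review that pays off fastest, and it is easy to do systematically. As an added example (not from the original post), the script below walks an extracted root like the squash-fs directory and flags the usual hardcoded-secret indicators: password hashes in passwd/shadow, credential assignments in scripts and configs, embedded private keys, and long high-entropy tokens that tend to be API keys. It builds a small constructed root file system in a temporary directory so it runs offline; the credentials inside are made up. Point `audit_root()` at your own extracted directory instead.

```python
"""Walk an extracted firmware root and flag hardcoded-secret indicators.

Added example, not from the original post. run_demo() builds a constructed
rootfs in a temp directory (made-up credentials) so the script runs offline;
call audit_root("<path to squash-fs>") on a real extraction.
"""
import math
import os
import re
import tempfile
from collections import Counter

# (label, regex) pairs worth a second look in any embedded rootfs.
PATTERNS = [
    ("password-hash in passwd/shadow",
     re.compile(r"^[^:\n]+:\$[0-9a-z]+\$[^:\n]+:", re.M)),
    ("legacy DES hash in passwd",
     re.compile(r"^[^:\n]+:[./0-9A-Za-z]{13}:", re.M)),
    ("credential assignment",
     re.compile(r"(?i)\b(pass(word)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{4,})")),
    ("private key block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("debug service started (telnetd/dropbear)",
     re.compile(r"\b(telnetd|dropbear)\b")),
]


def shannon_entropy(s):
    """Bits per character of a string; random tokens score well above 4."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def high_entropy_tokens(text, min_len=20, threshold=4.0):
    """Long base64/hex-looking tokens with a near-random character spread."""
    return [t for t in re.findall(r"[A-Za-z0-9+/=_-]{%d,}" % min_len, text)
            if shannon_entropy(t) >= threshold]


def audit_file(path, root):
    """Findings for one file as (relative path, label, evidence) tuples."""
    findings = []
    try:
        with open(path, "rb") as f:
            text = f.read(1 << 20).decode("latin-1")   # binaries decode too
    except OSError:
        return findings
    rel = os.path.relpath(path, root)
    for label, rx in PATTERNS:
        for m in rx.finditer(text):
            findings.append((rel, label, m.group(0).strip()[:60]))
    for tok in high_entropy_tokens(text):
        findings.append((rel, "high-entropy string", tok[:60]))
    return findings


def audit_root(root):
    """Recurse through an extracted rootfs; symlinks are skipped so a
    /proc or /dev link cannot drag the walk off the image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                findings.extend(audit_file(p, root))
    return findings


def build_sample_rootfs(root):
    """Constructed rootfs with the kinds of artefacts a review turns up."""
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:0:0:root:/root:/bin/sh\n"
                "nobody:*:99:99:nobody:/:/bin/false\n")
    with open(os.path.join(root, "etc", "cloud.conf"), "w") as f:
        f.write("server = example.invalid\n"
                "api_key = Zq9Xv2Lp7Rt4Kw8Mn1Bs6Hy3Jc5Fd0Ga\n"   # made up
                "password = admin1234\n")                         # made up


def run_demo():
    root = tempfile.mkdtemp(prefix="rootfs-demo-")
    build_sample_rootfs(root)
    return audit_root(root)


if __name__ == "__main__":
    for rel, label, evidence in run_demo():
        print(f"{rel:20s} {label:40s} {evidence}")
```

Treat the output as a worklist, not a verdict: the entropy filter will also flag legitimate certificates and compressed blobs, and a hash in /etc/passwd is a finding because it is identical on every unit shipped, which is the property that makes hardcoded credentials a risk.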

If that looked like something you'd enjoy doing, you can use the list below to find all the materials you need to dump firmware from flash chips:

  • Attify Badge: From Attify
  • SOIC Clip: You can get it from Amazon or eBay
  • Alligator Clips: From Amazon
  • Female/Female Jumper Wires: From Adafruit
  • Screwdriver Kit: From Amazon

You can often find the SP009 Sricam IP camera on eBay, but you may also want to practice with old routers as well. The best way to get started is to open devices and start exploring and researching.

Another way to interact with firmware is via JTAG pins, which we will cover in a different blog post. We will continue writing about IoT security and diving deeper into this exciting field in future posts.


Source: https://blog.nvisium.com/intro-to-hardware-hacking-dumping-your-first-firmware
