
SPI

Serial Peripheral Interface Protocol

Serial Interface

CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.

https://trmm.net/SPI_flash/

SPI Pins

Shikra Pins:
- SCK: 1
- SDI: 2
- SDO: 3
- CS: 4
- GND: 18

Arduino Nano ICSP header (partial pinout):
- MOSI: 4
- 5V: 2

BusPirate IO Header:

  • MOSI: Master data out, slave in (SPI, JTAG), Serial data (1-Wire, I2C, KB), TX* (UART)
      • plugged into the SDI of the slave chip and the SDO of the master chip
  • MISO: Master data in, slave out (SPI, JTAG), RX (UART)
      • plugged into the SDI of the master chip and the SDO of the slave chip
  • CLK: Clock signal (I2C, SPI, JTAG, KB)
  • CS: Chip select (SPI), TMS (JTAG)
  • AUX: Auxiliary IO, frequency probe, pulse-width modulator
  • ADC: Voltage measurement probe (max 6 volts)
  • Vpu: Voltage input for on-board pull-up resistors (0-5 volts)
  • +3.3v: +3.3 volt switchable power supply
  • +5.0v: +5 volt switchable power supply
  • GND: Ground, connect to ground of test circuit

Finding Pins with a Logic Analyzer

ISP Protocol

ISP Programming with Avrdude

ISP (In-System Programming) is an SPI-based protocol, where the programmer sends special programming commands to the AVR chip along with data to be written to the flash memory.
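The 4-byte command frames behind those avrdude operations, as an added example that is not part of the original page: it builds the AVR serial-programming instructions (Programming Enable, Read Signature, Read Program Memory, Chip Erase) as documented in the ATmega328P datasheet, and drives them through a caller-supplied `transfer` callback so it can be exercised against a simulated target without hardware. The 0x53 echo check is the same test avrdude reports as PollIndex 3 / PollValue 0x53 in its -v output.

```python
# Added example: AVR serial-programming (ISP) frames, assumption: ATmega328P-class
# instruction set. Each instruction is exactly 4 bytes clocked out over SPI while
# RESET is held low; the reply carries an echo of earlier bytes plus any data.
PROG_ENABLE_ECHO = 0x53  # byte 2 of Programming Enable, echoed in byte 3 of the reply

def programming_enable() -> bytes:
    # Must be the first instruction after RESET goes low; enters serial programming mode.
    return bytes([0xAC, 0x53, 0x00, 0x00])

def in_sync(response: bytes) -> bool:
    # The target echoes 0x53 in the third reply byte only if it accepted the command.
    return len(response) == 4 and response[2] == PROG_ENABLE_ECHO

def read_signature(index: int) -> bytes:
    # Signature bytes 0..2 identify the part (avrdude compares them to its config).
    if not 0 <= index <= 2:
        raise ValueError("signature index must be 0..2")
    return bytes([0x30, 0x00, index, 0x00])

def read_flash_byte(word_addr: int, high: bool) -> bytes:
    # Program memory is word-addressed; 0x20 reads the low byte, 0x28 the high byte.
    if not 0 <= word_addr <= 0xFFFF:
        raise ValueError("word address out of range")
    return bytes([0x28 if high else 0x20, word_addr >> 8, word_addr & 0xFF, 0x00])

def chip_erase() -> bytes:
    # Erases flash, EEPROM (unless EESAVE fuse set) and lock bits.
    return bytes([0xAC, 0x80, 0x00, 0x00])

def decode_signature(responses) -> bytes:
    # Each Read Signature reply returns the value in its fourth byte.
    return bytes(r[3] for r in responses)

def dump_flash(transfer, n_words: int) -> bytes:
    """Read n_words of program memory (what `avrdude -U flash:r` does).
    `transfer` clocks 4 bytes out over SPI and returns the 4 bytes clocked in."""
    if not in_sync(transfer(programming_enable())):
        raise RuntimeError("target did not enter programming mode (no 0x53 echo)")
    out = bytearray()
    for word in range(n_words):
        out.append(transfer(read_flash_byte(word, high=False))[3])
        out.append(transfer(read_flash_byte(word, high=True))[3])
    return bytes(out)
```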

Wire Mapping

Write to the chip:

avrdude -c buspirate -P <bus pirate comm port> -p <chipname> -b <baudrate> -U memtype:op:filename[:format]
sudo avrdude -c arduino -p atmega328p -P /dev/ttyACM0 -b115200 -u -V -U flash:w:animals.hex

Read from the Chip:

avrdude -c buspirate -p atmega328 -P <bus pirate comm port> -U flash:r:flash.bin:r

List Chips:

>>> avrdude -c buspirate -p help
avrdude: AVR Part "help" not found.

Valid parts are:
  uc3a0512 = AT32UC3A0512
  c128     = AT90CAN128
  c32      = AT90CAN32
[...]

Testing connection and reading Fuses:

$ avrdude -c buspirate -P /dev/ttyUSB0 -p attiny2313 -v

avrdude: Version 5.10, compiled on Jan 19 2010 at 19:05:56
         Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
         Copyright (c) 2007-2009 Joerg Wunsch                      

         System wide configuration file is "/etc/avrdude/avrdude.conf"
         User configuration file is "/home/rt/.avrduderc"            
         User configuration file does not exist or is not a regular file, skipping

         Using Port                    : /dev/ttyUSB0
         Using Programmer              : buspirate  
         AVR Part                      : ATtiny2313 
         Chip Erase delay              : 9000 us    
         PAGEL                         : PD4        
         BS2                           : PD6        
         RESET disposition             : possible i/o
         RETRY pulse                   : SCK        
         serial program mode           : yes        
         parallel program mode         : yes        
         Timeout                       : 200        
         StabDelay                     : 100        
         CmdexeDelay                   : 25         
         SyncLoops                     : 32         
         ByteDelay                     : 0          
         PollIndex                     : 3          
         PollValue                     : 0x53       
         Memory Detail                 :            
[...]

ISP Programmer (PIC)

https://blog.rapid7.com/2019/04/30/extracting-firmware-from-microcontrollers-onboard-flash-memory-part-3-microchip-pic-microcontrollers/

3-Pin Protocol

Flashrom

Use Tigard with the 8-pin clip for the common 4-wire SPI flash chips in 8-pin packages. Make sure the target is held in reset.

Dumping Flash

Using BusPirate:

flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c "MX25L3206E/MX25L3208E" -r dump.bin

Using Tigard (flashrom):

>>> sudo flashrom -p ft2232_spi:type=2232H,divisor=4,port=B -r /tmp/router.bin
flashrom v1.2 on Darwin 19.6.0 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) on ft2232_spi.
Reading flash... done.

Using Tigard (pyftdi):

# flash_dump.py
import os
import sys

from pyftdi.ftdi import Ftdi
from spiflash.serialflash import SerialFlashManager

# List every FTDI interface pyftdi can see (Tigard exposes two: .../1 and .../2)
Ftdi.show_devices()

if len(sys.argv) < 2:
    print(sys.argv[0] + " [FTDI Device]")
    sys.exit(1)

# FTDI_DEVICE in the environment overrides the URL given on the command line
ftdi_url = os.environ.get('FTDI_DEVICE', sys.argv[1])

# Probe the JEDEC ID on the bus and return a driver object for the chip found
flash = SerialFlashManager.get_flash_device(ftdi_url)

print("Flash device: %s @ SPI freq %0.1f MHz" % (flash, flash.spi_frequency / 1E6))
print("Reading Flash")
# Read the whole chip (len(flash) is its capacity in bytes) into data.bin
with open("data.bin", "wb") as f:
    f.write(flash.read(0, len(flash)))
print("Flash Copied to data.bin")

>>> python3 flash_dump.py ftdi://ftdi:2232:TG110064/2
Available interfaces:
  ftdi://ftdi:2232:TG110064/1   (Tigard V1.1)
  ftdi://ftdi:2232:TG110064/2   (Tigard V1.1)

Flash device: Winbond W25Q64 8 MiB @ SPI freq 30.0 MHz
Reading Flash
Flash Copied to data.bin

Writing Flash

Using Shikra:

sudo flashrom -p ft2232_spi:type=232H -w spidump.bin