Serial Peripheral Interface Protocol

Serial Interface

CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.

SPI flash Info - TODO

SPI Pins

Shikra Pins:

  • SCK: 1
  • SDI: 2
  • SDO: 3
  • CS: 4
  • GND: 18

Arduino Nano ICSP:

GND (6)    RST (5)
MOSI (4)   SCLK (3)
5V (2)     MISO (1)

BusPirate IO Header:

GND    3v3
5V     ADC
VPU    AUX
CLK    MOSI/SDI
CS     MISO/SDO

  • MOSI: Master data out, slave in (SPI, JTAG), Serial data (1-Wire, I2C, KB), TX* (UART)
    • plugged into the SDI of the slave chip and the SDO of the master chip
  • MISO: Master data in, slave out (SPI, JTAG), RX (UART)
    • plugged into the SDI of the master chip and the SDO of the slave chip
  • CLK: Clock signal (I2C, SPI, JTAG, KB)
  • CS: Chip select (SPI), TMS (JTAG)
  • AUX: Auxiliary IO, frequency probe, pulse-width modulator
  • ADC: Voltage measurement probe (max 6 volts)
  • Vpu: Voltage input for on-board pull-up resistors (0-5 volts)
  • +3.3v: +3.3 volt switchable power supply
  • +5.0v: +5 volt switchable power supply
  • GND: Ground, connect to ground of test circuit
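The pin roles listed above (CS, CLK, MOSI/SDI, MISO/SDO) are easiest to see in a bit-level model of one SPI exchange. The following is an added example, not code from the page or from any of the tools it mentions: a mode-0 master that drives a simulated SPI NOR flash one clock at a time, using two opcodes from the common SPI NOR command set (0x9F read JEDEC ID, 0x03 read with a 24-bit address). The ID bytes, the memory contents and the class and function names are constructed for the illustration; the capacity decoding rule (capacity byte = log2 of size) is the usual vendor convention, not something read from a chip here.

```python
# Added example (not from the page): bit-level model of a mode-0 SPI exchange
# between a master and a simulated SPI NOR flash. CS is active low on the wire;
# select()/deselect() stand in for driving it. The slave answers two opcodes:
#   0x9F  read JEDEC ID (manufacturer, memory type, capacity)
#   0x03  read data, 24-bit big-endian address, streams bytes until CS rises
# ID bytes and memory contents below are constructed sample values.


class SimFlash:
    """Slave side: samples MOSI and drives MISO MSB-first, one bit per SCK."""

    def __init__(self, jedec_id: bytes, contents: bytes):
        self.jedec_id = jedec_id
        self.contents = contents
        self.deselect()

    def deselect(self):
        # CS high: the command decoder resets and MISO floats (reads back as 1s).
        self.selected = False
        self.cmd = bytearray()   # opcode plus address bytes of the current command
        self.count = 0           # bytes received since CS went low
        self.out_byte = 0xFF     # byte currently being shifted out on MISO
        self.shift_in = 0
        self.nbit = 0

    def select(self):
        self.deselect()
        self.selected = True

    def clock(self, mosi: int) -> int:
        """One SCK cycle: present the next MISO bit, then latch the MOSI bit."""
        assert self.selected, "clocking a deselected slave"
        miso = (self.out_byte >> (7 - self.nbit)) & 1
        self.shift_in = (self.shift_in << 1) | (mosi & 1)
        self.nbit += 1
        if self.nbit == 8:
            self._byte_received(self.shift_in)
            self.shift_in = 0
            self.nbit = 0
        return miso

    def _byte_received(self, b: int):
        self.count += 1
        if len(self.cmd) < 4:
            self.cmd.append(b)
        op = self.cmd[0]
        if op == 0x9F:
            idx = self.count - 1             # 0, 1, 2 -> ID bytes, then zeros
            self.out_byte = self.jedec_id[idx] if idx < len(self.jedec_id) else 0x00
        elif op == 0x03 and self.count >= 4:
            base = int.from_bytes(self.cmd[1:4], "big")
            addr = base + (self.count - 4)   # auto-increment; wraps at the end
            self.out_byte = self.contents[addr % len(self.contents)]
        else:
            self.out_byte = 0xFF             # unknown opcode, or still in the address phase


def spi_transfer(slave: SimFlash, tx: bytes) -> bytes:
    """Master side: CS low, shift every byte MSB-first, CS high; returns MISO bytes."""
    slave.select()
    rx = bytearray()
    for byte in tx:
        r = 0
        for i in range(7, -1, -1):
            r = (r << 1) | slave.clock((byte >> i) & 1)
        rx.append(r)
    slave.deselect()
    return bytes(rx)


def read_jedec_id(slave: SimFlash) -> bytes:
    # Reply byte 0 is clocked out while the opcode itself is still going in.
    return spi_transfer(slave, b"\x9f" + b"\x00" * 3)[1:]


def read_data(slave: SimFlash, addr: int, n: int) -> bytes:
    frame = bytes([0x03]) + addr.to_bytes(3, "big") + b"\x00" * n
    return spi_transfer(slave, frame)[4:]


def capacity_from_id(jedec_id: bytes) -> int:
    # Usual vendor convention: capacity byte is log2(size in bytes), 0x17 -> 8 MiB.
    return 1 << jedec_id[2]


if __name__ == "__main__":
    flash = SimFlash(bytes.fromhex("ef4017"), bytes(range(256)) * 4)  # constructed
    ident = read_jedec_id(flash)
    print("JEDEC ID:", ident.hex(), "capacity:", capacity_from_id(ident) // 1024, "KiB")
    print("8 bytes at 0x000100:", read_data(flash, 0x100, 8).hex())
```

The model makes two things visible that matter when wiring a real chip: the slave's reply for byte k is decided by what it received up to byte k-1 (so the first reply byte of any command is a don't-care), and a read that runs past the end of the array wraps to address 0, which is what a dump of the wrong chip size looks like.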

Finding Pins with a Logic Analyzer

ISP Protocol

ISP Programming with Avrdude

ISP is an SPI-based protocol, where the programmer holds the AVR in reset and sends special 4-byte programming commands over SCK/MOSI/MISO, along with the data to be written to the flash memory.
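To make the command format concrete, here is an added example (not code from the page, from avrdude, or from Microchip): the 4-byte frames of the AVR serial programming instruction set for the most common operations, a decoder that labels frames captured on MOSI with a logic analyzer, and a simulated ATmega328P-class target so the exchange can be run without hardware. The opcodes and the 0x53 echo check follow the AVR datasheets' serial programming instruction table; the flash contents, the `SimAVR`/`isp_read` names, and the behaviour of a lock-bit-protected part (modelled here as reading back 0xFF) are assumptions for the illustration.

```python
# Added example (not from the page): AVR ISP 4-byte frames, a MOSI frame decoder,
# and a simulated target. Opcodes follow the AVR "Serial Programming Instruction
# Set"; flash contents and the locked-read behaviour are modelled, not measured.

SIGNATURE = bytes([0x1E, 0x95, 0x0F])   # ATmega328P device signature


def programming_enable():        return bytes([0xAC, 0x53, 0x00, 0x00])
def chip_erase():                return bytes([0xAC, 0x80, 0x00, 0x00])
def read_signature(idx):         return bytes([0x30, 0x00, idx & 0x03, 0x00])
def read_lock_bits():            return bytes([0x58, 0x00, 0x00, 0x00])
def read_fuse_low():             return bytes([0x50, 0x00, 0x00, 0x00])
def read_program_memory(word_addr, high):
    # word address split into high/low byte; opcode 0x20 = low byte, 0x28 = high byte
    return bytes([0x28 if high else 0x20, (word_addr >> 8) & 0xFF, word_addr & 0xFF, 0x00])


def decode_frame(frame: bytes) -> str:
    """Label one 4-byte MOSI frame, e.g. from a logic-analyzer SPI decode."""
    b0, b1, b2, b3 = frame
    if (b0, b1) == (0xAC, 0x53): return "Programming Enable"
    if (b0, b1) == (0xAC, 0x80): return "Chip Erase"
    if b0 == 0xAC and b1 & 0xE0 == 0xE0: return "Write Lock Bits"
    if b0 == 0xAC and b1 in (0xA0, 0xA4, 0xA8): return "Write Fuse Bits"
    if b0 == 0x30: return "Read Signature Byte %d" % (b2 & 3)
    if (b0, b1) == (0x58, 0x00): return "Read Lock Bits"
    if (b0, b1) == (0x50, 0x00): return "Read Fuse Low Bits"
    if (b0, b1) == (0x58, 0x08): return "Read Fuse High Bits"
    if b0 in (0x20, 0x28):
        return "Read Program Memory %s byte @ word 0x%04X" % (
            "high" if b0 == 0x28 else "low", (b1 << 8) | b2)
    if b0 in (0x40, 0x48): return "Load Program Memory Page"
    if b0 == 0x4C: return "Write Program Memory Page"
    return "unknown %s" % frame.hex()


class SimAVR:
    """Target side. Listens only while RESET is held; lock bits gate flash reads."""

    def __init__(self, flash: bytes, lock_bits: int = 0xFF, reset_wired: bool = True):
        self.flash = flash            # program memory, little-endian 16-bit words
        self.lock = lock_bits         # 0xFF = unprogrammed (no protection)
        self.reset_wired = reset_wired  # modelled: a missing RESET wire
        self.in_reset = False
        self.enabled = False

    def reset(self, asserted: bool):
        self.in_reset = asserted and self.reset_wired
        if not asserted:
            self.enabled = False      # leaving reset ends the programming session

    def transfer(self, frame: bytes) -> bytes:
        b0, b1, b2, b3 = frame
        if not self.in_reset:
            return bytes([0xFF] * 4)  # nothing answers on the SPI pins
        resp = bytearray([0x00, b0, b1, 0x00])   # bytes 1-2 echo the previous MOSI bytes
        if (b0, b1) == (0xAC, 0x53):
            self.enabled = True                  # resp[2] == 0x53 is the programmer's check
        elif not self.enabled:
            resp[2] = 0xFF                       # modelled: no echo before Programming Enable
        elif b0 == 0x30:
            resp[3] = SIGNATURE[b2 & 3] if (b2 & 3) < 3 else 0x00
        elif (b0, b1) == (0x58, 0x00):
            resp[3] = self.lock
        elif b0 in (0x20, 0x28):
            if self.lock & 0x03 == 0:            # LB1 = LB2 = 0: verification disabled
                resp[3] = 0xFF                   # modelled as erased-looking data
            else:
                i = 2 * ((b1 << 8) | b2) + (1 if b0 == 0x28 else 0)
                resp[3] = self.flash[i] if i < len(self.flash) else 0xFF
        return bytes(resp)


def isp_read(target: SimAVR, nbytes: int):
    """Programmer side: enter programming mode, identify, read lock bits, dump flash."""
    target.reset(True)
    if target.transfer(programming_enable())[2] != 0x53:
        target.reset(False)
        raise RuntimeError("no 0x53 echo: target not in programming mode (RESET/SCK wiring?)")
    sig = bytes(target.transfer(read_signature(i))[3] for i in range(3))
    lock = target.transfer(read_lock_bits())[3]
    out = bytearray()
    for word in range(nbytes // 2):
        out.append(target.transfer(read_program_memory(word, False))[3])
        out.append(target.transfer(read_program_memory(word, True))[3])
    target.reset(False)
    return sig, lock, bytes(out)


if __name__ == "__main__":
    fw = bytes(range(16))                                  # constructed firmware bytes
    sig, lock, data = isp_read(SimAVR(fw), 8)
    print("signature", sig.hex(), "lock", hex(lock), "flash", data.hex())
    for f in (programming_enable(), read_signature(0), read_program_memory(0x0102, True)):
        print(f.hex(), "->", decode_frame(f))
```

The two failure modes the simulation reproduces are the ones seen most often with avrdude: no 0x53 echo when RESET is not actually driven (avrdude reports the programmer not responding or a wrong signature), and a part whose lock bits clear LB1 and LB2, where the session works but program memory reads back as erased.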

Wire Mapping

Write to the chip:

avrdude -c buspirate -P <bus pirate comm port> -p <chipname> -b <baudrate> -U memtype:op:filename[:format]

Example with the arduino programmer type:

sudo avrdude -c arduino -p atmega328p -P /dev/ttyACM0 -b115200 -u -V -U flash:w:animals.hex

Read from the Chip:

avrdude -c buspirate -p atmega328 -P <bus pirate comm port> -U flash:r:flash.bin:r

List Chips:

>>> avrdude -c buspirate -p help
avrdude: AVR Part "help" not found.

Valid parts are:
    uc3a0512 = AT32UC3A0512
    c128     = AT90CAN128
    c32      = AT90CAN32
    [...]

Testing connection and reading Fuses:

$ avrdude -c buspirate -P /dev/ttyUSB0 -p attiny2313 -v

avrdude: Version 5.10, compiled on Jan 19 2010 at 19:05:56
         Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
         Copyright (c) 2007-2009 Joerg Wunsch

         System wide configuration file is "/etc/avrdude/avrdude.conf"
         User configuration file is "/home/rt/.avrduderc"
         User configuration file does not exist or is not a regular file, skipping

         Using Port                    : /dev/ttyUSB0
         Using Programmer              : buspirate
         AVR Part                      : ATtiny2313
         Chip Erase delay              : 9000 us
         PAGEL                         : PD4
         BS2                           : PD6
         RESET disposition             : possible i/o
         RETRY pulse                   : SCK
         serial program mode           : yes
         parallel program mode         : yes
         Timeout                       : 200
         StabDelay                     : 100
         CmdexeDelay                   : 25
         SyncLoops                     : 32
         ByteDelay                     : 0
         PollIndex                     : 3
         PollValue                     : 0x53
         Memory Detail                 :
         [...]

ISP Programmer (PIC)

Extracting Firmware from Microcontrollers’ Onboard Flash Memory

3-Pin Protocol

Flashrom

Use Tigard with the 8-pin clip for the common SPI flash chips (four signal pins: CS, CLK, MOSI, MISO). Make sure the target is held in reset so its own CPU does not drive the SPI bus while you read.

Dumping Flash

Using BusPirate:

flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c "MX25L3206E/MX25L3208E" -r dump.bin

Using Tigard (flashrom):

>>> sudo flashrom -p ft2232_spi:type=2232H,divisor=4,port=B -r /tmp/router.bin
flashrom v1.2 on Darwin 19.6.0 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) on ft2232_spi.
Reading flash... done.

Using Tigard (pyftdi):

# flash_dump.py: dump an SPI flash through a Tigard (FT2232H) with pyftdi + pyspiflash
import os
import sys

from pyftdi.ftdi import Ftdi
from spiflash.serialflash import SerialFlashManager

# List every FTDI interface on the system; the Tigard's SPI port is interface /2.
Ftdi.show_devices()
if len(sys.argv) < 2:
    print(sys.argv[0] + " [FTDI Device]")
    sys.exit(1)

# The FTDI URL can also come from the environment, which overrides the argument.
ftdi_url = os.environ.get('FTDI_DEVICE', sys.argv[1])

# Probe the chip (JEDEC ID) and get a driver object for it.
flash = SerialFlashManager.get_flash_device(ftdi_url)
print("Flash device: %s @ SPI freq %0.1f MHz" % (flash, flash.spi_frequency / 1E6))

# Read the whole chip from address 0 and write it out.
print("Reading Flash")
with open("data.bin", "wb") as f:
    f.write(flash.read(0, len(flash)))
print("Flash Copied to data.bin")

>>> python3 flash_dump.py ftdi://ftdi:2232:TG110064/2
Available interfaces:
  ftdi://ftdi:2232:TG110064/1   (Tigard V1.1)
  ftdi://ftdi:2232:TG110064/2   (Tigard V1.1)

Flash device: Winbond W25Q64 8 MiB @ SPI freq 30.0 MHz
Reading Flash
Flash Copied to data.bin
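A dump that completed without errors is not necessarily a good dump: a floating MISO line, a clock too fast for the clip, or a wrong chip size all produce a file of the right length. The following added example (not code from the page, flashrom or pyftdi) runs the checks worth doing on an image before analysing it: comparing two reads, spotting images that are almost entirely 0xFF or 0x00, and detecting the address wraparound that appears when the chip is smaller than the selected one. The `sample_image` images are constructed in code; the thresholds and function names are assumptions.

```python
# Added example (not from the page): sanity checks on a flash image read over SPI,
# to run before trusting it for analysis. Images below are constructed; no chip involved.
import hashlib
import random


def validate_dump(first: bytes, second=None, expected_size=None) -> dict:
    """Return a report dict; 'issues' lists symptoms that point at a bad read."""
    issues = []
    n = len(first)
    if n == 0:
        return {"size": 0, "issues": ["empty image"]}
    if expected_size is not None and n != expected_size:
        issues.append("size %d != expected %d (wrong chip selected with -c?)" % (n, expected_size))
    if second is not None:
        if len(second) != n:
            issues.append("second read has a different length")
        else:
            diff = sum(1 for a, b in zip(first, second) if a != b)
            if diff:
                issues.append("%d bytes differ between two reads "
                              "(marginal wiring or SPI clock too fast)" % diff)
    erased = first.count(0xFF) / n
    zeros = first.count(0x00) / n
    if erased > 0.99:
        issues.append("almost all 0xFF: no chip answering (check CS/power) or the chip is blank")
    if zeros > 0.99:
        issues.append("almost all 0x00: MISO stuck low or not connected")
    half = n // 2
    if half and erased < 0.99 and zeros < 0.99 and first[:half] == first[half:]:
        issues.append("second half repeats the first: address wrapped, "
                      "the chip is smaller than assumed")
    return {
        "size": n,
        "sha256": hashlib.sha256(first).hexdigest(),   # record it with the dump
        "erased_fraction": round(erased, 3),
        "issues": issues,
    }


def sample_image(size: int, used: int, seed: int = 1) -> bytes:
    """Constructed image: `used` pseudo-random bytes followed by erased 0xFF."""
    rng = random.Random(seed)
    data = bytes(rng.getrandbits(8) for _ in range(used))
    return data + b"\xff" * (size - used)


if __name__ == "__main__":
    good = sample_image(8192, 5000)
    print(validate_dump(good, good, expected_size=8192))
    # Reading a 4 KiB part as if it were 8 KiB returns the content twice:
    print(validate_dump(good * 2, expected_size=16384)["issues"])
    print(validate_dump(b"\xff" * 4096)["issues"])
```

Reading the chip twice (`flashrom -r` into two files, or two runs of the pyftdi script) and feeding both images to `validate_dump` is the cheapest way to catch a marginal clip contact; the SHA-256 in the report is what to keep alongside the image so later analysis can be tied back to this exact read.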

Writing Flash

Using Shikra:

sudo flashrom -p ft2232_spi:type=232H -w spidump.bin