Go grab a copy of the Gerbers and 3D-printed Case STL files at https://github.com/whid-injector/Focaccia-Board and print through your favorite FAB.
Even before the appearance of the word (I)IoT, I was breaking hardware devices, as many of you, with a multitude of debuggers (i.e. stlink, jlink, RS23–2-2USB, etc.). It was always a PITA bringing around a device that does UART-to-USB, another that supports JTAG or SWD, a SPI reader/dumper, etc.
Luckily for all of us, FTDI released the lovely FT232H chipset which does support all of them in one-single-chip. Hurray!
One of the cheapest boards embedding the FT232H on the market is the FT232H CJMCU, which cost less than 10 EUR!
During last Xmas holidays I thought: “That’s enough, I am done. I need a proper breakout that will save
Last year you may remember me disclosing this lovely bug in FingBox ( a super-duper IoT Security Appliance that is supposed to protect your LAN-connected devices from attackers):
In this first use-case, I used Focaccia-Board (from now on a.k.a. F-B) for debugging the UART console, which was easily accessible on the FingBox’s PCB.
As showed below the Uboot output was easily available and lead to enough insights to discover the way to get root.
The next use-case is showing how to easily connect to the target device over JTAG in order to live-debug or even dump the entire flash memory.
Once identified the correct JTAG Pinout (i.e. TDI, TDO, TMS, TCK, etc…) and the correct OpenOCD’s config files for both F-B* and the target device, we can run it with the command:
sudo openocd -f ft232h_jtag-swd.config -f target_device.cfg
*The right config file for F-B is in its Github repo.
This time you will see how easy is to use F-B to conduct some Forensics against a Weaponized Mouse containing my beloved WHID-Injector.
Once obtained the suspicious mouse and confirmed it was weaponized, I proceeded in identifying the SPI flash and removing it from the PCB.
Next step was to use the SOP8 socket on the Focaccia-Board to dump the SPI Flash content.
In order to dump the Flash content you have to fire the following command:
flashrom -p ft2232_spi:type=232H -r spi_dump.bin
(Reminder: In case of Forensics acquistion is always recommended to acquire the Flash content with the WP (Write Protect) Pin disabled (see jumper on the PCB) thus we are 100% that the content of the Flash will not be modified during the operation. And therefore sure that is forensically acceptable as evidence.
Of course we can also use a SOP8 Clip to dump it.
And here the results of the dump and some initial Forensics analysis of it. As you see plenty of artifacts left-over by the attacker.
In some cases is also possible to dump a SPI Flash directly from the PCB of the target device (though, is discouraged, unless you manage to keep the target’s CPU in a reset state and thus unable to talk with the SPI Flash itself).
At last, an example of how to use the lower part of F-B’s set of pin headers/sockets & terminal blocks against a smartlock during some forensics investigation scenario.
In this case, the FT232H is not involved. I just used the lower part of F-B’s PCB to connect those ugly flying cables that were non-standard DuPont wires.
And after having successfully dumped the firmware we can proceed at extracting some valuable evidences for the forensics case.
Focaccia-Board is nothing extraordinary. But it saves my time while hacking (I)IoT targets. And that’s enough to be considered a valuable asset in my lab. 🙂 Hope you will enjoy it too!
P.S. I am going to ask WHID-Injector & WHID-Elite manufacturer if interested to bring it to life at the usual affordable price for the folks out there that have no time or capabilities to print the PCB themselves.
#StayTuned & Follow @whid-injector on Twitter!
The original post is available in Medium:
About the author: Luca Bongiorni
Luca is working as
(SecurityAffairs – hacking IoT, Focaccia board)