hacktricks/todo/hardware-hacking/i2c.md

# I2C

<details>

<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

## Bus Pirate

Ili kujaribu ikiwa Bus Pirate inafanya kazi, unganisha +5V na VPU na 3.3V na ADC na ufikie bus pirate (Kutumia Tera Term kwa mfano) na tumia amri `~`:
```bash
# Use command
HiZ>~
Disconnect any devices
Connect (Vpu to +5V) and (ADC to +3.3V)
Space to continue
# Press space
Ctrl
AUX OK
MODE LED OK
PULLUP H OK
PULLUP L OK
VREG OK
ADC and supply
5V(4.96) OK
VPU(4.96) OK
3.3V(3.26) OK
ADC(3.27) OK
Bus high
MOSI OK
CLK OK
MISO OK
CS OK
Bus Hi-Z 0
MOSI OK
CLK OK
MISO OK
CS OK
Bus Hi-Z 1
MOSI OK
CLK OK
MISO OK
CS OK
MODE and VREG LEDs should be on!
Any key to exit
#Press space
Found 0 errors.
```
Kama unavyoona katika amri ya awali ilisema kwamba ilipata makosa 0. Hii ni muhimu sana kujua kwamba inafanya kazi baada ya kununua au baada ya kuflash firmware.

Kuunganisha na pirate ya basi unaweza kufuata nyaraka:

![](<../../.gitbook/assets/image (484).png>)

Katika kesi hii ninaenda kuunganisha na EPROM: ATMEL901 24C256 PU27:

![](<../../.gitbook/assets/image (964).png>)

Kuzungumza na pirate ya basi nilitumia Tera Term iliyounganishwa na bandari ya COM ya pirate na Setup --> Serial Port --> Kasi ya 115200.\
Katika mawasiliano yafuatayo unaweza kupata jinsi ya kujiandaa pirate ya basi kuzungumza I2C na jinsi ya kuandika na kusoma kutoka kumbukumbu (Maoni huonekana kwa kutumia "#", usitarajie sehemu hiyo katika mawasiliano):
```bash
# Check communication with buspirate
i
Bus Pirate v3.5
Community Firmware v7.1 - goo.gl/gCzQnW [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5
DEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8)
http://dangerousprototypes.com

# Check voltages
I2C>v
Pinstates:
1.(BR)  2.(RD)  3.(OR)  4.(YW)  5.(GN)  6.(BL)  7.(PU)  8.(GR)  9.(WT)  0.(Blk)
GND     3.3V    5.0V    ADC     VPU     AUX     SCL     SDA     -       -
P       P       P       I       I       I       I       I       I       I
GND     3.27V   4.96V   0.00V   4.96V   L       H       H       L       L

#Notice how the VPU is in 5V becausethe EPROM needs 5V signals

# Get mode options
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

# Select I2C
(1)>4
I2C mode:
1. Software
2. Hardware

# Select Software mode
(1)>1
Set speed:
1. ~5kHz
2. ~50kHz
3. ~100kHz
4. ~240kHz

# Select communication spped
(1)> 2
Clutch disengaged!!!
To finish setup, start up the power supplies with command 'W'
Ready

# Start communication
I2C>W
POWER SUPPLIES ON
Clutch engaged!!!

# Get macros
I2C>(0)
0.Macro menu
1.7bit address search
2.I2C sniffer

#Get addresses of slaves connected
I2C>(1)
Searching I2C address space. Found devices at:
0xA0(0x50 W) 0xA1(0x50 R)

# Note that each slave will have a write address and a read address
# 0xA0 ad 0xA1 in the previous case

# Write "BBB" in address 0x69
I2C>[0xA0 0x00 0x69 0x42 0x42 0x42]
I2C START BIT
WRITE: 0xA0 ACK
WRITE: 0x00 ACK
WRITE: 0x69 ACK
WRITE: 0x42 ACK
WRITE: 0x42 ACK
WRITE: 0x42 ACK
I2C STOP BIT

# Prepare to read from address 0x69
I2C>[0xA0 0x00 0x69]
I2C START BIT
WRITE: 0xA0 ACK
WRITE: 0x00 ACK
WRITE: 0x69 ACK
I2C STOP BIT

# Read 20B from address 0x69 configured before
I2C>[0xA1 r:20]
I2C START BIT
WRITE: 0xA1 ACK
READ: 0x42  ACK 0x42  ACK 0x42  ACK 0x20  ACK 0x48  ACK 0x69  ACK 0x20  ACK 0x44  ACK 0x72  ACK 0x65  ACK 0x67  ACK 0x21  ACK 0x20  ACK 0x41  ACK 0x41  ACK 0x41  ACK 0x00  ACK 0xFF  ACK 0xFF  ACK 0xFF
NACK
```
### Mchukuzi

Katika hali hii tutachunguza mawasiliano ya I2C kati ya arduino na EPROM iliyotangulia, unahitaji tu kuwasiliana na vifaa vyote na kisha unganisha pirate wa basi kwenye pins za SCL, SDA na GND:

![](<../../.gitbook/assets/image (166).png>)
```bash
I2C>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)>4
I2C mode:
1. Software
2. Hardware

(1)>1
Set speed:
1. ~5kHz
2. ~50kHz
3. ~100kHz
4. ~240kHz

(1)>1
Clutch disengaged!!!
To finish setup, start up the power supplies with command 'W'
Ready

# EVEN IF YOU ARE GOING TO SNIFF YOU NEED TO POWER ON!

I2C>W
POWER SUPPLIES ON
Clutch engaged!!!

# Start sniffing, you can see we sniffed a write command

I2C>(2)
Sniffer
Any key to exit
[0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+0x72+0x65+0x67+0x21+0x20+0x41+0x41+0x41+0x00+]
```
<details>

<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`# I2C`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA USAJILI](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [NFTs](https://opensea.io/collection/the-peass-family)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`## Bus Pirate`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Ili kujaribu ikiwa Bus Pirate inafanya kazi, unganisha +5V na VPU na 3.3V na ADC na ufikie bus pirate (Kutumia Tera Term kwa mfano) na tumia amri `~`:
GitBook: [#3052] No subject 2022-03-11 23:33:08 +00:00			```bash
			`# Use command`
			`HiZ>~`
			`Disconnect any devices`
			`Connect (Vpu to +5V) and (ADC to +3.3V)`
			`Space to continue`
			`# Press space`
			`Ctrl`
			`AUX OK`
			`MODE LED OK`
			`PULLUP H OK`
			`PULLUP L OK`
			`VREG OK`
			`ADC and supply`
			`5V(4.96) OK`
			`VPU(4.96) OK`
			`3.3V(3.26) OK`
			`ADC(3.27) OK`
			`Bus high`
			`MOSI OK`
			`CLK OK`
			`MISO OK`
			`CS OK`
			`Bus Hi-Z 0`
			`MOSI OK`
			`CLK OK`
			`MISO OK`
			`CS OK`
			`Bus Hi-Z 1`
			`MOSI OK`
			`CLK OK`
			`MISO OK`
			`CS OK`
			`MODE and VREG LEDs should be on!`
			`Any key to exit`
			`#Press space`
			`Found 0 errors.`
			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Kama unavyoona katika amri ya awali ilisema kwamba ilipata makosa 0. Hii ni muhimu sana kujua kwamba inafanya kazi baada ya kununua au baada ya kuflash firmware.`
GitBook: [#3052] No subject 2022-03-11 23:33:08 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Kuunganisha na pirate ya basi unaweza kufuata nyaraka:`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`![](<../../.gitbook/assets/image (484).png>)`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Katika kesi hii ninaenda kuunganisha na EPROM: ATMEL901 24C256 PU27:`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`![](<../../.gitbook/assets/image (964).png>)`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Kuzungumza na pirate ya basi nilitumia Tera Term iliyounganishwa na bandari ya COM ya pirate na Setup --> Serial Port --> Kasi ya 115200.\`
			`Katika mawasiliano yafuatayo unaweza kupata jinsi ya kujiandaa pirate ya basi kuzungumza I2C na jinsi ya kuandika na kusoma kutoka kumbukumbu (Maoni huonekana kwa kutumia "#", usitarajie sehemu hiyo katika mawasiliano):`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00			```bash
			`# Check communication with buspirate`
			`i`
			`Bus Pirate v3.5`
			`Community Firmware v7.1 - goo.gl/gCzQnW [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5`
			`DEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8)`
			`http://dangerousprototypes.com`

			`# Check voltages`
			`I2C>v`
			`Pinstates:`
			`1.(BR) 2.(RD) 3.(OR) 4.(YW) 5.(GN) 6.(BL) 7.(PU) 8.(GR) 9.(WT) 0.(Blk)`
			`GND 3.3V 5.0V ADC VPU AUX SCL SDA - -`
			`P P P I I I I I I I`
			`GND 3.27V 4.96V 0.00V 4.96V L H H L L`

			`#Notice how the VPU is in 5V becausethe EPROM needs 5V signals`

			`# Get mode options`
			`HiZ>m`
			`1. HiZ`
			`2. 1-WIRE`
			`3. UART`
			`4. I2C`
			`5. SPI`
			`6. 2WIRE`
			`7. 3WIRE`
			`8. KEYB`
			`9. LCD`
			`10. PIC`
			`11. DIO`
			`x. exit(without change)`

			`# Select I2C`
			`(1)>4`
			`I2C mode:`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`1. Software`
			`2. Hardware`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
			`# Select Software mode`
			`(1)>1`
			`Set speed:`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`1. ~5kHz`
			`2. ~50kHz`
			`3. ~100kHz`
			`4. ~240kHz`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
			`# Select communication spped`
			`(1)> 2`
			`Clutch disengaged!!!`
			`To finish setup, start up the power supplies with command 'W'`
			`Ready`

			`# Start communication`
			`I2C>W`
			`POWER SUPPLIES ON`
			`Clutch engaged!!!`

			`# Get macros`
			`I2C>(0)`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`0.Macro menu`
			`1.7bit address search`
			`2.I2C sniffer`

GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00			`#Get addresses of slaves connected`
			`I2C>(1)`
			`Searching I2C address space. Found devices at:`
			`0xA0(0x50 W) 0xA1(0x50 R)`

			`# Note that each slave will have a write address and a read address`
fix mess 2 2022-05-01 12:49:36 +00:00			`# 0xA0 ad 0xA1 in the previous case`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
			`# Write "BBB" in address 0x69`
			`I2C>[0xA0 0x00 0x69 0x42 0x42 0x42]`
			`I2C START BIT`
			`WRITE: 0xA0 ACK`
			`WRITE: 0x00 ACK`
			`WRITE: 0x69 ACK`
			`WRITE: 0x42 ACK`
			`WRITE: 0x42 ACK`
			`WRITE: 0x42 ACK`
			`I2C STOP BIT`

			`# Prepare to read from address 0x69`
			`I2C>[0xA0 0x00 0x69]`
			`I2C START BIT`
			`WRITE: 0xA0 ACK`
			`WRITE: 0x00 ACK`
			`WRITE: 0x69 ACK`
			`I2C STOP BIT`

			`# Read 20B from address 0x69 configured before`
			`I2C>[0xA1 r:20]`
			`I2C START BIT`
			`WRITE: 0xA1 ACK`
			`READ: 0x42 ACK 0x42 ACK 0x42 ACK 0x20 ACK 0x48 ACK 0x69 ACK 0x20 ACK 0x44 ACK 0x72 ACK 0x65 ACK 0x67 ACK 0x21 ACK 0x20 ACK 0x41 ACK 0x41 ACK 0x41 ACK 0x00 ACK 0xFF ACK 0xFF ACK 0xFF`
			`NACK`
			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`### Mchukuzi`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Katika hali hii tutachunguza mawasiliano ya I2C kati ya arduino na EPROM iliyotangulia, unahitaji tu kuwasiliana na vifaa vyote na kisha unganisha pirate wa basi kwenye pins za SCL, SDA na GND:`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`![](<../../.gitbook/assets/image (166).png>)`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00			```bash
			`I2C>m`
			`1. HiZ`
			`2. 1-WIRE`
			`3. UART`
			`4. I2C`
			`5. SPI`
			`6. 2WIRE`
			`7. 3WIRE`
			`8. KEYB`
			`9. LCD`
			`10. PIC`
			`11. DIO`
			`x. exit(without change)`

			`(1)>4`
			`I2C mode:`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`1. Software`
			`2. Hardware`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
			`(1)>1`
			`Set speed:`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`1. ~5kHz`
			`2. ~50kHz`
			`3. ~100kHz`
			`4. ~240kHz`
GitBook: [#3046] No subject 2022-03-08 23:18:28 +00:00
			`(1)>1`
			`Clutch disengaged!!!`
			`To finish setup, start up the power supplies with command 'W'`
			`Ready`

			`# EVEN IF YOU ARE GOING TO SNIFF YOU NEED TO POWER ON!`

			`I2C>W`
			`POWER SUPPLIES ON`
			`Clutch engaged!!!`

			`# Start sniffing, you can see we sniffed a write command`

			`I2C>(2)`
			`Sniffer`
			`Any key to exit`
			`[0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+0x72+0x65+0x67+0x21+0x20+0x41+0x41+0x41+0x00+]`
			```
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`