# I2C

## Bus Pirate

To test that a Bus Pirate is working, connect +5V to VPU and 3.3V to ADC, access the Bus Pirate (using Tera Term, for example) and run the `~` command:

```bash
# Use command
HiZ>~
Disconnect any devices
Connect (Vpu to +5V) and (ADC to +3.3V)
Space to continue
# Press space
Ctrl
AUX OK
MODE LED OK
PULLUP H OK
PULLUP L OK
VREG OK
ADC and supply
5V(4.96) OK
VPU(4.96) OK
3.3V(3.26) OK
ADC(3.27) OK
Bus high
MOSI OK
CLK OK
MISO OK
CS OK
Bus Hi-Z 0
MOSI OK
CLK OK
MISO OK
CS OK
Bus Hi-Z 1
MOSI OK
CLK OK
MISO OK
CS OK
MODE and VREG LEDs should be on!
Any key to exit
#Press space
Found 0 errors.
```

As the output above shows, the self-test reported that it found no errors. This is very useful for confirming that the device works after buying it or after flashing a firmware.

To connect to the Bus Pirate, you can follow the documentation:

![](<../../.gitbook/assets/image (484).png>)

In this case, I'm going to connect to an EPROM: ATMEL901 24C256 PU27:

![](<../../.gitbook/assets/image (964).png>)

To talk to the Bus Pirate, I used Tera Term connected to the Bus Pirate COM port with Setup --> Serial Port --> Speed set to 115200.\
The following session shows how to prepare the Bus Pirate to talk I2C and how to write to and read from the memory (comments are marked with "#"; don't expect that part in the communication):

```bash
# Check communication with buspirate
i
Bus Pirate v3.5
Community Firmware v7.1 - goo.gl/gCzQnW [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5
DEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8)
http://dangerousprototypes.com

# Check voltages
I2C>v
Pinstates:
1.(BR)  2.(RD)  3.(OR)  4.(YW)  5.(GN)  6.(BL)  7.(PU)  8.(GR)  9.(WT)  0.(Blk)
GND     3.3V    5.0V    ADC     VPU     AUX     SCL     SDA     -       -
P       P       P       I       I       I       I       I       I       I
GND     3.27V   4.96V   0.00V   4.96V   L       H       H       L       L

# Notice how the VPU is at 5V because the EPROM needs 5V signals

# Get mode options
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

# Select I2C
(1)>4
I2C mode:
1. Software
2. Hardware

# Select Software mode
(1)>1
Set speed:
1. ~5kHz
2. ~50kHz
3. ~100kHz
4. ~240kHz

# Select communication speed
(1)> 2
Clutch disengaged!!!
To finish setup, start up the power supplies with command 'W'
Ready

# Start communication
I2C>W
POWER SUPPLIES ON
Clutch engaged!!!

# Get macros
I2C>(0)
0.Macro menu
1.7bit address search
2.I2C sniffer

# Get addresses of slaves connected
I2C>(1)
Searching I2C address space. Found devices at:
0xA0(0x50 W) 0xA1(0x50 R)

# Note that each slave will have a write address and a read address
# 0xA0 and 0xA1 in the previous case

# Write "BBB" in address 0x69
I2C>[0xA0 0x00 0x69 0x42 0x42 0x42]
I2C START BIT
WRITE: 0xA0 ACK
WRITE: 0x00 ACK
WRITE: 0x69 ACK
WRITE: 0x42 ACK
WRITE: 0x42 ACK
WRITE: 0x42 ACK
I2C STOP BIT

# Prepare to read from address 0x69
I2C>[0xA0 0x00 0x69]
I2C START BIT
WRITE: 0xA0 ACK
WRITE: 0x00 ACK
WRITE: 0x69 ACK
I2C STOP BIT

# Read 20B from address 0x69 configured before
I2C>[0xA1 r:20]
I2C START BIT
WRITE: 0xA1 ACK
READ: 0x42  ACK 0x42  ACK 0x42  ACK 0x20  ACK 0x48  ACK 0x69  ACK 0x20  ACK 0x44  ACK 0x72  ACK 0x65  ACK 0x67  ACK 0x21  ACK 0x20  ACK 0x41  ACK 0x41  ACK 0x41  ACK 0x00  ACK 0xFF  ACK 0xFF  ACK 0xFF
NACK
```

### Sniffer

In this scenario we are going to sniff the I2C communication between the Arduino and the previous EPROM. You just need to get both devices communicating and then connect the Bus Pirate to the SCL, SDA and GND pins:

![](<../../.gitbook/assets/image (166).png>)

```bash
I2C>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)>4
I2C mode:
1. Software
2. Hardware

(1)>1
Set speed:
1. ~5kHz
2. ~50kHz
3. ~100kHz
4. ~240kHz

(1)>1
Clutch disengaged!!!
To finish setup, start up the power supplies with command 'W'
Ready

# EVEN IF YOU ARE GOING TO SNIFF YOU NEED TO POWER ON!

I2C>W
POWER SUPPLIES ON
Clutch engaged!!!

# Start sniffing, you can see we sniffed a write command

I2C>(2)
Sniffer
Any key to exit
[0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+0x72+0x65+0x67+0x21+0x20+0x41+0x41+0x41+0x00+]
```
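To read a sniffer capture like the one above without decoding hex by hand, the following added example (not part of the original page or of the Bus Pirate tooling) splits the `[`/`]`/`+`/`-` notation into transactions and replays them against a memory with a 2-byte word address, as the 24C256 session on this page uses. The function names, the 32 KB size and the read-back part of the sample are assumptions made for illustration.

```python
import re

# Bus Pirate sniffer notation: '[' start, ']' stop, '+' ACK, '-' NACK.
TOKEN = re.compile(r"\[|\]|0x([0-9A-Fa-f]{2})([+-])")

# First two string pieces: the capture shown on the page. Last piece: constructed
# (set address 0x0069, then read three bytes back) in the same notation.
SNIFFED = (
    "[0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+0x72+0x65"
    "+0x67+0x21+0x20+0x41+0x41+0x41+0x00+]"
    "[0xA0+0x00+0x69+][0xA1+0x41+0x41+0x41-]"
)

def parse_sniff(capture):
    """Split a capture into transactions, each a list of (byte, acked)."""
    transactions, current = [], None
    for m in TOKEN.finditer(capture):
        if m.group(0) in "[]":              # start, repeated start or stop
            if current:
                transactions.append(current)
            current = [] if m.group(0) == "[" else None
        elif current is not None:
            current.append((int(m.group(1), 16), m.group(2) == "+"))
    return transactions + ([current] if current else [])

def decode_eeprom(transactions, size=0x8000):
    """Replay transactions against a memory with a 2-byte word address."""
    # size=0x8000 assumes a 256 Kbit part; page-write wrap-around is ignored.
    pointer, events = None, []
    for txn in transactions:
        (control, acked), payload = txn[0], bytes(b for b, _ in txn[1:])
        device, is_read = control >> 1, bool(control & 1)
        if not acked:                        # nobody answered this address
            events.append(("nack", device, None, b""))
        elif is_read:                        # current-address read
            events.append(("read", device, pointer, payload))
            pointer = None if pointer is None else (pointer + len(payload)) % size
        elif len(payload) >= 2:              # write: address high, low, data...
            pointer = (payload[0] << 8 | payload[1]) % size
            if payload[2:]:
                events.append(("write", device, pointer, payload[2:]))
                pointer = (pointer + len(payload) - 2) % size
    return events

if __name__ == "__main__":
    for op, dev, addr, data in decode_eeprom(parse_sniff(SNIFFED)):
        where = "?" if addr is None else f"0x{addr:04X}"
        print(f"{op:5} dev=0x{dev:02X} mem={where} data={data!r}")
```

A read whose memory address prints as `?` means the capture started after the address-setting write, so the pointer is unknown.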