mirror of https://github.com/carlospolop/hacktricks
synced 2024-11-27 07:01:09 +00:00
238 lines, 7.1 KiB, Markdown
<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
# Bus Pirate

To check that the Bus Pirate is working, connect +5V to VPU and 3.3V to ADC, open a terminal to the Bus Pirate (for example with Tera Term) and run the self-test command `~`:

```bash
# Use command
HiZ>~
Disconnect any devices
Connect (Vpu to +5V) and (ADC to +3.3V)
Space to continue
# Press space
Ctrl
AUX OK
MODE LED OK
PULLUP H OK
PULLUP L OK
VREG OK
ADC and supply
5V(4.96) OK
VPU(4.96) OK
3.3V(3.26) OK
ADC(3.27) OK
Bus high
MOSI OK
CLK OK
MISO OK
CS OK
Bus Hi-Z 0
MOSI OK
CLK OK
MISO OK
CS OK
Bus Hi-Z 1
MOSI OK
CLK OK
MISO OK
CS OK
MODE and VREG LEDs should be on!
Any key to exit
# Press space
Found 0 errors.
```

As you can see at the end of the output, it reports that 0 errors were found. This is useful to confirm that the device works after buying it or after flashing a new firmware.

To wire up the Bus Pirate you can follow the documentation:

![](<../../.gitbook/assets/image (307) (2).png>)

In this case I'm going to connect to an I2C EEPROM, a 24C256 (marked ATMEL901 24C256 PU27):

![](<../../.gitbook/assets/image (465) (2) (1).png>)

I used Tera Term to open the Bus Pirate's COM port at a serial speed of 115200.

In the following session you can find the steps to prepare the Bus Pirate for I2C communication and how to write to and read from the memory (comments start with "#"; don't expect to see them in the real session):

```bash
# Check communication with buspirate
i
Bus Pirate v3.5
Community Firmware v7.1 - goo.gl/gCzQnW [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5
DEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8)
http://dangerousprototypes.com

# Check voltages
I2C>v
Pinstates:
1.(BR) 2.(RD) 3.(OR) 4.(YW) 5.(GN) 6.(BL) 7.(PU) 8.(GR) 9.(WT) 0.(Blk)
GND 3.3V 5.0V ADC VPU AUX SCL SDA - -
P P P I I I I I I I
GND 3.27V 4.96V 0.00V 4.96V L H H L L

# Notice that VPU is at 5V because the EEPROM is being driven with 5V signals

# Get mode options
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

# Select I2C
(1)>4
I2C mode:
1. Software
2. Hardware

# Select Software mode
(1)>1
Set speed:
1. ~5kHz
2. ~50kHz
3. ~100kHz
4. ~240kHz

# Select communication speed
(1)> 2
Clutch disengaged!!!
To finish setup, start up the power supplies with command 'W'
Ready

# Start communication (turn on the on-board power supplies)
I2C>W
POWER SUPPLIES ON
Clutch engaged!!!

# Get macros
I2C>(0)
0.Macro menu
1.7bit address search
2.I2C sniffer

# Get addresses of slaves connected
I2C>(1)
Searching I2C address space. Found devices at:
0xA0(0x50 W) 0xA1(0x50 R)

# Note that each slave shows up with a write address and a read address:
# the 7-bit address (0x50) shifted left one bit, with the R/W bit as the low bit
# (0xA0 = write and 0xA1 = read in the previous case)

# Write "BBB" (0x42 0x42 0x42) at memory address 0x0069:
# 0xA0 = device write address, 0x00 0x69 = 16-bit word address (the 24C256 takes a 2-byte address, MSB first)
I2C>[0xA0 0x00 0x69 0x42 0x42 0x42]
I2C START BIT
WRITE: 0xA0 ACK
WRITE: 0x00 ACK
WRITE: 0x69 ACK
WRITE: 0x42 ACK
WRITE: 0x42 ACK
WRITE: 0x42 ACK
I2C STOP BIT

# Prepare to read from address 0x0069: a write with no data bytes only sets the EEPROM's internal address pointer
I2C>[0xA0 0x00 0x69]
I2C START BIT
WRITE: 0xA0 ACK
WRITE: 0x00 ACK
WRITE: 0x69 ACK
I2C STOP BIT

# Read 20 bytes from address 0x0069 configured before (the Bus Pirate NACKs the last byte to end the read)
I2C>[0xA1 r:20]
I2C START BIT
WRITE: 0xA1 ACK
READ: 0x42 ACK 0x42 ACK 0x42 ACK 0x20 ACK 0x48 ACK 0x69 ACK 0x20 ACK 0x44 ACK 0x72 ACK 0x65 ACK 0x67 ACK 0x21 ACK 0x20 ACK 0x41 ACK 0x41 ACK 0x41 ACK 0x00 ACK 0xFF ACK 0xFF ACK 0xFF
NACK
# Decoded as ASCII: "BBB Hi Dreg! AAA", a NUL byte, then 0xFF for cells that were never written
```
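The transactions above follow a fixed pattern: the scan result `0xA0`/`0xA1` is the 7-bit address `0x50` shifted left with the R/W bit appended, a write is `[device-write-address address-high address-low data...]`, and a read is a dummy write that only sets the address pointer followed by `[device-read-address r:N]`. The helper below, an added example that is not from HackTricks or the Bus Pirate project, generates those Bus Pirate command strings for a 24C256 and decodes a `READ:` line back into bytes. It assumes 24C256 facts that the session does not show: address pins A0..A2 tied low (7-bit address `0x50`), a 32 KiB array, and a 64-byte write page (a page write that crosses the page boundary wraps around inside the page and overwrites its first bytes, so the writer splits the data at page boundaries).

```python
"""Build Bus Pirate I2C command lines for a 24C256 EEPROM and decode READ output.

Added example for this page; it is not HackTricks or Bus Pirate code.
Assumed target facts (not shown in the session above): 7-bit address 0x50
(A0..A2 low), 32 KiB array, 16-bit word address sent MSB first, 64-byte
write page. Bus Pirate syntax used: "[" START, "]" STOP, hex bytes are
written, "r:N" reads N bytes.
"""
from __future__ import annotations

import re

DEVICE_ADDR_7BIT = 0x50   # 24C256 with A0..A2 tied low (assumption)
ARRAY_SIZE = 32 * 1024    # 24C256 = 256 Kbit = 32 KiB
PAGE_SIZE = 64            # 24C256 write page size in bytes


def bus_addresses(addr7: int) -> tuple[int, int]:
    """(write, read) 8-bit bus addresses for a 7-bit address.

    The Bus Pirate address scan prints exactly this pair, e.g.
    "0xA0(0x50 W) 0xA1(0x50 R)": address << 1 with R/W in bit 0.
    """
    if not 0 <= addr7 < 0x80:
        raise ValueError("7-bit address out of range")
    return addr7 << 1, (addr7 << 1) | 1


def _hex(b: int) -> str:
    return f"0x{b:02X}"


def write_command(mem_addr: int, data: bytes, addr7: int = DEVICE_ADDR_7BIT) -> list[str]:
    """Bus Pirate command lines that write `data` starting at `mem_addr`.

    A page write must not cross a 64-byte page boundary: the address counter
    wraps inside the page and the first bytes of the page get overwritten.
    The data is therefore split into page-aligned chunks, one START..STOP each.
    """
    if not 0 <= mem_addr < ARRAY_SIZE:
        raise ValueError("word address outside the 24C256 array")
    if mem_addr + len(data) > ARRAY_SIZE:
        raise ValueError("write runs past the end of the array")
    w_addr, _ = bus_addresses(addr7)
    commands: list[str] = []
    offset = 0
    while offset < len(data):
        cur = mem_addr + offset
        room = PAGE_SIZE - (cur % PAGE_SIZE)       # bytes left in this page
        chunk = data[offset:offset + room]
        words = [_hex(w_addr), _hex(cur >> 8), _hex(cur & 0xFF)]
        words += [_hex(b) for b in chunk]
        commands.append("[" + " ".join(words) + "]")
        offset += len(chunk)
    return commands


def read_command(mem_addr: int, count: int, addr7: int = DEVICE_ADDR_7BIT) -> list[str]:
    """Random read as two transactions, as done in the session above:
    a write with no data bytes that only sets the address pointer,
    then a read of `count` bytes from the read address."""
    if not 0 <= mem_addr < ARRAY_SIZE or count < 1:
        raise ValueError("bad address or count")
    w_addr, r_addr = bus_addresses(addr7)
    set_pointer = f"[{_hex(w_addr)} {_hex(mem_addr >> 8)} {_hex(mem_addr & 0xFF)}]"
    return [set_pointer, f"[{_hex(r_addr)} r:{count}]"]


_BYTE = re.compile(r"0x([0-9A-Fa-f]{2})")


def parse_read_line(line: str) -> bytes:
    """Turn a Bus Pirate "READ: 0x42 ACK 0x42 ACK ..." line into bytes.
    The ACK/NACK words are the Bus Pirate's own acknowledgements, so
    they carry no data and are dropped."""
    if not line.lstrip().startswith("READ:"):
        raise ValueError("not a READ line")
    return bytes(int(h, 16) for h in _BYTE.findall(line))


def printable(data: bytes) -> str:
    """ASCII view of a dump; 0xFF (erased cells) and other non-printables become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


if __name__ == "__main__":
    for cmd in write_command(0x69, b"BBB") + read_command(0x69, 20):
        print("I2C>" + cmd)
    # Constructed from the READ line shown in the session above.
    dump = parse_read_line(
        "READ: 0x42 ACK 0x42 ACK 0x42 ACK 0x20 ACK 0x48 ACK 0x69 ACK 0x20 ACK "
        "0x44 ACK 0x72 ACK 0x65 ACK 0x67 ACK 0x21 ACK 0x20 ACK 0x41 ACK 0x41 ACK "
        "0x41 ACK 0x00 ACK 0xFF ACK 0xFF ACK 0xFF")
    print(dump.hex(), printable(dump))
```

Send each returned string as one line at the `I2C>` prompt. After a write transaction the 24C256 is busy with its internal write cycle (5 ms maximum) and will not ACK its address until it finishes, so leave that gap before the next command or the pointer write for the read-back will fail.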

## Sniffer

In this scenario we are going to sniff the I2C communication between an Arduino and the previous EEPROM. You only need to connect the two devices together and then connect the Bus Pirate to the SCL, SDA and GND pins:

![](<../../.gitbook/assets/image (201) (2) (1).png>)

```bash
I2C>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)>4
I2C mode:
1. Software
2. Hardware

(1)>1
Set speed:
1. ~5kHz
2. ~50kHz
3. ~100kHz
4. ~240kHz

(1)>1
Clutch disengaged!!!
To finish setup, start up the power supplies with command 'W'
Ready

# EVEN IF YOU ARE GOING TO SNIFF YOU NEED TO POWER ON!

I2C>W
POWER SUPPLIES ON
Clutch engaged!!!

# Start sniffing. Sniffer notation: "[" = START, "]" = STOP, "+" after a byte = ACK, "-" = NACK.
# The capture below is a write (0xA0 = 0x50 W) of "AAA Hi Dreg! AAA" plus a NUL at word address 0x0069

I2C>(2)
Sniffer
Any key to exit
[0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+0x72+0x65+0x67+0x21+0x20+0x41+0x41+0x41+0x00+]
```
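The capture line uses the Bus Pirate sniffer notation: `[` is a START condition, `]` a STOP, and every byte is followed by `+` for ACK or `-` for NACK. The decoder below, an added example that is not HackTricks or Bus Pirate code, splits a capture into transactions (a `[` that arrives while a frame is open is treated as a repeated START, which is what a random read looks like on the wire), separates the 7-bit address from the R/W bit, and for writes interprets the first two payload bytes as the 24C256's 16-bit word address. The first sample capture is the one from this page; the random-read sample is constructed to exercise the repeated-START and NACK cases.

```python
"""Decode Bus Pirate I2C sniffer captures like the one above.

Added example for this page; not HackTricks or Bus Pirate code.
Sniffer notation relied on: "[" START, "]" STOP, each byte followed by
"+" (ACK) or "-" (NACK). The 24Cxx interpretation (first two written
bytes are the 16-bit word address) is an assumption about the target.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Capture from the session above (Arduino writing to the EEPROM).
SAMPLE_WRITE = ("[0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+"
                "0x72+0x65+0x67+0x21+0x20+0x41+0x41+0x41+0x00+]")
# Constructed sample of a random read: pointer write, repeated START
# (a "[" with no "]" before it), two data bytes, NACK on the last one.
SAMPLE_RANDOM_READ = "[0xA0+0x00+0x69+[0xA1+0x41+0x41-]"


@dataclass
class Transaction:
    addr7: int          # 7-bit device address
    is_read: bool       # R/W bit of the address byte
    payload: bytes      # bytes after the address byte
    acks: list[bool]    # ACK flag per byte, address byte first


_TOKEN = re.compile(r"\[|\]|0x([0-9A-Fa-f]{2})([+-])")


def _finish(frame: list[tuple[int, bool]]) -> Transaction:
    addr_byte = frame[0][0]
    return Transaction(addr7=addr_byte >> 1, is_read=bool(addr_byte & 1),
                       payload=bytes(b for b, _ in frame[1:]),
                       acks=[a for _, a in frame])


def parse_sniffer(text: str) -> list[Transaction]:
    """Split a sniffer capture into START..STOP transactions."""
    txns: list[Transaction] = []
    current: list[tuple[int, bool]] | None = None
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if tok == "[":
            if current:                       # "[" while a frame is open = repeated START
                txns.append(_finish(current))
            current = []
        elif tok == "]":
            if current:
                txns.append(_finish(current))
            current = None
        else:
            if current is None:
                raise ValueError(f"byte {tok} outside a START..STOP frame")
            current.append((int(m.group(1), 16), m.group(2) == "+"))
    if current:                               # capture ended before the STOP
        txns.append(_finish(current))
    return txns


def eeprom_write_from(t: Transaction) -> tuple[int, bytes] | None:
    """For a write to a 24Cxx, return (word_address, data).
    Data is empty when the master only set the address pointer
    (the first half of a random read). None for reads or short frames."""
    if t.is_read or len(t.payload) < 2:
        return None
    word_addr = (t.payload[0] << 8) | t.payload[1]
    return word_addr, t.payload[2:]


def address_acked(t: Transaction) -> bool:
    """True if a slave ACKed the address byte; no ACK means nobody answered
    (wrong address, or the EEPROM still busy in its write cycle)."""
    return t.acks[0]


if __name__ == "__main__":
    for cap in (SAMPLE_WRITE, SAMPLE_RANDOM_READ):
        for t in parse_sniffer(cap):
            kind = "R" if t.is_read else "W"
            print(f"0x{t.addr7:02X} {kind} acked={address_acked(t)} "
                  f"eeprom={eeprom_write_from(t)} payload={t.payload!r}")
```

Paste the sniffer's output lines into `parse_sniffer` as one string; captures cut off before the STOP are kept as a partial transaction rather than dropped, so the last frame of a capture you stopped with a keypress is still decoded.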