JFFS + Update SPI/I2C

swisskyrepo · May 11, 2024 · 6518bbc · 6518bbc
1 parent d05af07
commit 6518bbc
Show file tree

Hide file tree

Showing 6 changed files with 76 additions and 41 deletions.
diff --git a/docs/debug-interfaces/uart.md b/docs/debug-interfaces/uart.md
@@ -186,33 +186,43 @@ The closest common baudrate is : 115200. COnfigure the decoder and you should se
 
 ### Interact with UART
 
-Different command line tools to interact with UART:
-```powershell
-cu -l /dev/ttyUSB0 -s 115200
-microcom -d -s 115200 -p /dev/ttyUSB0
-minicom -b 115200 -o -D /dev/ttyUSB0 # To exit GNU screen, type Control-A k
-screen /dev/ttyUSB0 115200
-miniterm.py /dev/ttyUSB0 115200 | tee ./stuff.log # tee command to save output, useful for parsing
-```
-
-Script to brute force a password protected UART:
-```python
-import serial, time
-port = "/dev/ttyUSB0"
-baud = 115200
-s = serial.Serial(port)
-s.baudrate = baud
-
-with open('/home/audit/Documents/IOT/passwords.lst', 'r') as f:
-    lines = f.readlines()
-
-    for pwd in lines:
-        a = s.write(pwd.strip())
-        print("Pwd: {}".format(pwd.strip()))
-        print("Sent {} bytes".format(a))
-        print("Result: {}".format(s.readline()))
-        time.sleep(10)
-```
+* Command line tools to interact with UART:
+
+    ```powershell
+    cu -l /dev/ttyUSB0 -s 115200
+    microcom -d -s 115200 -p /dev/ttyUSB0
+    minicom -b 115200 -o -D /dev/ttyUSB0 # To exit GNU screen, type Control-A k
+    screen /dev/ttyUSB0 115200
+    ```
+
+* Brute force a password protected UART:
+
+    ```python
+    import serial, time
+    port = "/dev/ttyUSB0"
+    baud = 115200
+    s = serial.Serial(port)
+    s.baudrate = baud
+
+    with open('/home/audit/Documents/IOT/passwords.lst', 'r') as f:
+        lines = f.readlines()
+
+        for pwd in lines:
+            a = s.write(pwd.strip())
+            print("Pwd: {}".format(pwd.strip()))
+            print("Sent {} bytes".format(a))
+            print("Result: {}".format(s.readline()))
+            time.sleep(10)
+    ```
+
+* Interact with HydraBus
+
+    ```ps1
+    uart1> scan
+    uart1> show
+    uart1> speed 38400
+    uart1> bridge
+    ```
 
 
 ## UART over BLE

diff --git a/docs/firmware/firmware-dumping.md b/docs/firmware/firmware-dumping.md
@@ -180,6 +180,12 @@ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off
     sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
     ```
 
+* [onekey-sec/jefferson](https://github.com/onekey-sec/jefferson/) - JFFS2 filesystem extraction tool
+    ```ps1
+    pip install jefferson
+    jefferson filesystem.img -d outdir
+    jefferson file.jffs2 -d jffs2
+    ```
 
 ## Write new firmware
 
@@ -197,10 +203,10 @@ Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off
 
 ## Type of firmware
 
-* SREC - Motorola S-Record : All S-record file lines start with a capital S.
-* Intel HEX lines all start with a colon.
-* TI-TXT is a Texas Instruments format, usually for the MSP430 series. Memory addresses are prepended with an **@**, and data is represented in hex.
-* Raw NAND dumps
+* `SREC` - Motorola S-Record : All S-record file lines start with a capital S.
+* `Intel HEX` lines all start with a colon.
+* `TI-TXT` is a Texas Instruments format, usually for the MSP430 series. Memory addresses are prepended with an **@**, and data is represented in hex.
+* `Raw` NAND dumps
 
 
 ## Check entropy

diff --git a/docs/gadgets/hydrabus.md b/docs/gadgets/hydrabus.md
@@ -87,14 +87,14 @@ Detailed steps: [hydrafw/Getting-Started-with-HydraBus-flash-and-use-hydrafw-on-
 
 | Value | Description |
 |-------|-------------|
-| [	 | Chip select (CS) active (low) |
-| ]	 | CS disable (high) |
-| r	 | Read one byte by sending dummy byte (0xff). r:1...255 for bulk reads |
-| hd | Read one byte by sending dummy byte (0xff). hd:1...4294967295 for bulk reads. Displays a hexdump of the result |
-| w	 | Followed by values to write byte(s). w:1...255 for bulk writes |
-| 0b | Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001 |
-| 0	 | Write this Octal value. Format is prefixed by a 0 (values from 000 to 077) |
-| "  | Write an ASCII-encoded string |
+| [	    | Chip select (CS) active (low) |
+| ]	    | CS disable (high) |
+| r	    | Read one byte by sending dummy byte (0xff). r:1...255 for bulk reads |
+| hd    | Read one byte by sending dummy byte (0xff). hd:1...4294967295 for bulk reads. Displays a hexdump of the result |
+| w	    | Followed by values to write byte(s). w:1...255 for bulk writes |
+| 0b    | Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001 |
+| 0	    | Write this Octal value. Format is prefixed by a 0 (values from 000 to 077) |
+| "     | Write an ASCII-encoded string |
 | 0h/0x | Write this HEX value. Format is 0h01 or 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters |
 | 0-255	| Write this decimal value. Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value |
 

diff --git a/docs/protocols/bluetooth.md b/docs/protocols/bluetooth.md
@@ -177,12 +177,15 @@ ubertooth-btle -U 2 -A 39 -f  -c bulb_39.pcap
 
 ### Using Android HCI
 
-Enable the Bluetooth HCI log on the device via Developer Options—also from the SDK, there is a helpful tool called the **Bluetooth HCI snoop log** (available after version 4.4)
+Enable the Bluetooth HCI log on the device via Developer Options.
 
 > It works like a hook in the stack to capture all the HCI packets in a file. For most Android devices, the log file is at `/sdcard/btsnoop_hci.log` or `/sdcard/oem_log/btsnoop/`
 
 ```powershell
+$ adb devices
 $ adb pull /sdcard/oem_log/btsnoop/<your log file>.log
+$ adb pull /sdcard/btsnoop_hci.log
+$ adb bugreport filename
 ```
 
 

diff --git a/docs/protocols/i2c.md b/docs/protocols/i2c.md
@@ -22,6 +22,12 @@ I2C (Inter-Integrated Circuit), pronounced "I-squared-C" or "I-two-C", is a popu
     sudo make install
     ```
 
+* HydraBus
+    ```ps1
+    i2c1> show pins
+    i2c1> scan
+    ```
+
 
 ## Read / Write
 

diff --git a/docs/protocols/spi.md b/docs/protocols/spi.md
@@ -30,11 +30,15 @@ SPI mainly involves four lines or wires:
 
 ## Dump Firmware via SPI
 
+Dump using a Raspberry Pi
+
 ```powershell
 sudo raspi-confi > Interface > SPI(P4)
-NOTE: might need a press/hold the reset button
+# NOTE: might need a press/hold the reset button
+
 # check
 sudo flashrom -p linux spi:dev=/dev/spidev0.0,spispeed=1000
+
 # dump
 sudo flashrom -p linux spi:dev=/dev/spidev0.0,spispeed=1000 -r dump.bin
 ```
@@ -45,6 +49,12 @@ An ESP8266 and ESP32 have several SPI busses available in hardware, SPI0 is hook
 $ python ./esptool.py read_flash --spi-connection HSPI 0 0x400000 flash_dump.bin
 ```
 
+Dump with HydraBus
+
+```ps1
+flashrom --programmer serprog:dev=/dev/ttyACM0,spispeed=2M -c "MX25L12833F" --progress -r /tmp/image.bin
+```
+
 
 ## SPIFFS