GitBook: [#3046] No subject

SUMMARY.md

@@ -626,7 +626,10 @@
 * [More Tools](todo/more-tools.md)
 * [MISC](todo/misc.md)
 * [Pentesting DNS](todo/pentesting-dns.md)
-* [Hardware Hacking](todo/hardware-hacking.md)
+* [Hardware Hacking](todo/hardware-hacking/README.md)
+  * [I2C](todo/hardware-hacking/i2c.md)
+  * [UART](todo/hardware-hacking/uart.md)
+  * [Radio](todo/hardware-hacking/radio.md)
 
 ***
 

radio-hacking/pentesting-ble-bluetooth-low-energy.md

@@ -8,7 +8,7 @@ BLE devices communicate is by sending **advertising packets** (**beacons**), the
 
 The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldn’t fit on the initial advertising request, such as the full device name.
 
-![](<../../.gitbook/assets/image (201).png>)
+![](<../.gitbook/assets/image (201) (2).png>)
 
 The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV\_NONCONN\_IND and ADV\_IND. Devices use the **ADV\_NONCONN\_IND** PDU type if they **don’t accept connections**, transmitting data only in the advertising packet. Devices use **ADV\_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**.
 

todo/hardware-hacking/README.md

@@ -8,7 +8,7 @@ Generally, the line is held high (at a logical 1 value) while UART is in the idl
 
 We call the most common configuration 8N1: eight data bits, no parity, and one stop bit. For example, if we wanted to send the character C, or 0x43 in ASCII, in an 8N1 UART configuration, we would send the following bits: 0 (the start bit); 0, 1, 0, 0, 0, 0, 1, 1 (the value of 0x43 in binary), and 0 (the stop bit).
 
-![](<../.gitbook/assets/image (648).png>)
+![](<../../.gitbook/assets/image (648).png>)
 
 Hardware tools to communicate with UART:
 

todo/hardware-hacking/i2c.md

@@ -0,0 +1,169 @@
+# I2C
+
+
+
+
+
+## Bus Pirate
+
+To connect with the bus pirate you can follow the docs:
+
+![](<../../.gitbook/assets/image (307).png>)
+
+In this case I'm going to connect to an EPROM: ATMEL901 24C256 PU27:
+
+![](<../../.gitbook/assets/image (465).png>)
+
+To talk with bus pirate I used Tera Term connected to the pirate bus COM port with a Setup --> Serial Port --> Speed of 115200.\
+In the following communication you can find how to prepare the bus pirate to talk I2C and how to write and read from the memory (Comments appear using "#", don't expect that part in the communication):
+
+```bash
+# Check communication with buspirate
+i
+Bus Pirate v3.5
+Community Firmware v7.1 - goo.gl/gCzQnW [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5
+DEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8)
+http://dangerousprototypes.com
+
+# Check voltages
+I2C>v
+Pinstates:
+1.(BR)  2.(RD)  3.(OR)  4.(YW)  5.(GN)  6.(BL)  7.(PU)  8.(GR)  9.(WT)  0.(Blk)
+GND     3.3V    5.0V    ADC     VPU     AUX     SCL     SDA     -       -
+P       P       P       I       I       I       I       I       I       I
+GND     3.27V   4.96V   0.00V   4.96V   L       H       H       L       L
+
+#Notice how the VPU is in 5V becausethe EPROM needs 5V signals
+
+# Get mode options
+HiZ>m
+1. HiZ
+2. 1-WIRE
+3. UART
+4. I2C
+5. SPI
+6. 2WIRE
+7. 3WIRE
+8. KEYB
+9. LCD
+10. PIC
+11. DIO
+x. exit(without change)
+
+# Select I2C
+(1)>4
+I2C mode:
+ 1. Software
+ 2. Hardware
+
+# Select Software mode
+(1)>1
+Set speed:
+ 1. ~5kHz
+ 2. ~50kHz
+ 3. ~100kHz
+ 4. ~240kHz
+
+# Select communication spped
+(1)> 2
+Clutch disengaged!!!
+To finish setup, start up the power supplies with command 'W'
+Ready
+
+# Start communication
+I2C>W
+POWER SUPPLIES ON
+Clutch engaged!!!
+
+# Get macros
+I2C>(0)
+ 0.Macro menu
+ 1.7bit address search
+ 2.I2C sniffer
+ 
+#Get addresses of slaves connected
+I2C>(1)
+Searching I2C address space. Found devices at:
+0xA0(0x50 W) 0xA1(0x50 R)
+
+# Note that each slave will have a write address and a read address
+## 0xA0 ad 0xA1 in the previous case
+
+# Write "BBB" in address 0x69
+I2C>[0xA0 0x00 0x69 0x42 0x42 0x42]
+I2C START BIT
+WRITE: 0xA0 ACK
+WRITE: 0x00 ACK
+WRITE: 0x69 ACK
+WRITE: 0x42 ACK
+WRITE: 0x42 ACK
+WRITE: 0x42 ACK
+I2C STOP BIT
+
+# Prepare to read from address 0x69
+I2C>[0xA0 0x00 0x69]
+I2C START BIT
+WRITE: 0xA0 ACK
+WRITE: 0x00 ACK
+WRITE: 0x69 ACK
+I2C STOP BIT
+
+# Read 20B from address 0x69 configured before
+I2C>[0xA1 r:20]
+I2C START BIT
+WRITE: 0xA1 ACK
+READ: 0x42  ACK 0x42  ACK 0x42  ACK 0x20  ACK 0x48  ACK 0x69  ACK 0x20  ACK 0x44  ACK 0x72  ACK 0x65  ACK 0x67  ACK 0x21  ACK 0x20  ACK 0x41  ACK 0x41  ACK 0x41  ACK 0x00  ACK 0xFF  ACK 0xFF  ACK 0xFF
+NACK
+```
+
+### Sniffer
+
+In this scenario we are going to sniff the I2C communication between the arduino and the previous EPROM, you just need to communicate both devices and then connect the bus pirate to the SCL, SDA and GND pins:
+
+![](<../../.gitbook/assets/image (201).png>)
+
+```bash
+I2C>m
+1. HiZ
+2. 1-WIRE
+3. UART
+4. I2C
+5. SPI
+6. 2WIRE
+7. 3WIRE
+8. KEYB
+9. LCD
+10. PIC
+11. DIO
+x. exit(without change)
+
+(1)>4
+I2C mode:
+ 1. Software
+ 2. Hardware
+
+(1)>1
+Set speed:
+ 1. ~5kHz
+ 2. ~50kHz
+ 3. ~100kHz
+ 4. ~240kHz
+
+(1)>1
+Clutch disengaged!!!
+To finish setup, start up the power supplies with command 'W'
+Ready
+
+# EVEN IF YOU ARE GOING TO SNIFF YOU NEED TO POWER ON!
+
+I2C>W
+POWER SUPPLIES ON
+Clutch engaged!!!
+
+# Start sniffing, you can see we sniffed a write command
+
+I2C>(2)
+Sniffer
+Any key to exit
+[0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+0x72+0x65+0x67+0x21+0x20+0x41+0x41+0x41+0x00+]
+```

todo/hardware-hacking/radio.md

@@ -0,0 +1,8 @@
+# Radio
+
+## Synchronize with radio channel
+
+With [**SigDigger** ](https://github.com/BatchDrake/SigDigger)synchronize with the channel you want to hear, configure "Baseband audio preview" option, configure the bandwith to get all the info being sent and then set the Tuner to the level before the noise is really starting to increase:
+
+![](<../../.gitbook/assets/image (389).png>)
+

todo/hardware-hacking/uart.md

@@ -0,0 +1,71 @@
+# UART
+
+## Basic Information
+
+It's important to note that in this protocol you need to connect the TX of one device to the RX of the other!
+
+## Bus Pirate
+
+In this scenario we are going to sniff the UART communication of the Arduino that is sending all the prints of the program to the Serial Monitor.
+
+```bash
+UART>m
+1. HiZ
+2. 1-WIRE
+3. UART
+4. I2C
+5. SPI
+6. 2WIRE
+7. 3WIRE
+8. KEYB
+9. LCD
+10. PIC
+11. DIO
+x. exit(without change)
+
+(1)>3
+Set serial port speed: (bps)
+ 1. 300
+ 2. 1200
+ 3. 2400
+ 4. 4800
+ 5. 9600
+ 6. 19200
+ 7. 38400
+ 8. 57600
+ 9. 115200
+10. BRG raw value
+
+(1)>5
+Data bits and parity:
+ 1. 8, NONE *default
+ 2. 8, EVEN
+ 3. 8, ODD
+ 4. 9, NONE
+(1)>
+Stop bits:
+ 1. 1 *default
+ 2. 2
+(1)>
+Receive polarity:
+ 1. Idle 1 *default
+ 2. Idle 0
+(1)>
+Select output type:
+ 1. Open drain (H=Hi-Z, L=GND)
+ 2. Normal (H=3.3V, L=GND)
+
+(1)>
+Clutch disengaged!!!
+To finish setup, start up the power supplies with command 'W'
+Ready
+UART>W
+POWER SUPPLIES ON
+Clutch engaged!!!
+UART>(2)
+Raw UART input
+Any key to exit
+Escritura inicial completada:
+AAA Hi Dreg! AAA
+waiting a few secs to repeat....
+```