Nytro Posted November 30, 2019 Report Posted November 30, 2019 Hydrabus Framework Hardware tool security tools hardware ghecko Oct 20 Hi Guys, Before diving into the main subject, I’m a security engineer and I’m fascinated by hardware security assessment. Since I play with some hardware tools like Bus Pirate and Hydrabus, I noticed that no tools bring together all the necessary scripts to interact with hardware protocols. Who has never been frustrated during a hardware security assessment facing a chip or a debug port exposed, and you don’t have the necessary script to dump it, find the baudrate of a UART port or properly communicate with it? That’s why I choose to develop a new framework for the awesome hardware tools Hydrabus 26 named (Hydrabus-Framework)[https://github.com/hydrabus-framework/framework 78]. It provides multiple modules allowing you to work efficiently and save time on any hardware project. This framework works like Metasploit, simply run hbfconsole, select a module using the use command, set the needed options with set and run it with the run command! It will also include a Miniterm to directly interact with the Hydrabus CLI. At the time of this writing, 3 modules are available. Modules hbfmodules.uart.baudrates This module allowing you to detect the baudrate of a UART target. It changes the UART baudrate automatically till finding the correct value. If it finds a valid baudrate, it prompts you to open a Miniterm session using the Hydrabus binary UART bridge. 99 hbfmodules.spi.chip_id The SPI chip_id module allows you to recover the ID of an SPI flash chip, useful to verify if the Hydrabus is correctly interfaced with the target or to identify the family of an unknown chip. It will be improved in the near future to print the manufacturer if finding and the chip name (Like flashrom) 9 hbfmodules.spi.dump_eeprom SPI dump_eeprom is used to dump an SPI flash. With this module, you can easily dump a flash memory and don’t waste your time writing a script to do this. You can rapidly jump to the analyze of the freshly dumped firmware! 15 More modules are coming soon! You can download the latest modules and update the framework by simply running the hbfupdate script. Architecture This framework has been developed with scalability in mind. Indeed, you can add modules without having to modify the framework’s core engine. Each module inherits from the abstract class AModule, providing a solid foundation to start coding your own module. Once the module is created and installed using python setup.py install, you can use it in the framework. Contributing To create a new module, open an issue on hbfmodules.skeleton, I will create a new repository initialized with the hbfmodules.skeleton repository, once you have provided the needed information. You can read more information to contribute to this project on the CONTRIBUTING.md file. Use case: Dumping an SPI flash chip. ghecko % hbfconsole _ ___ _______ _____ ____ _ _ _____ | | | \ \ / / __ \| __ \ /\ | _ \| | | |/ ____| | |__| |\ \_/ /| | | | |__) | / \ | |_) | | | | (___ | __ | \ / | | | | _ / / /\ \ | _ <| | | |\___ \ | | | | | | | |__| | | \ \ / ____ \| |_) | |__| |____) | |_|__|_|__|_| |_____/|_|__\_\/_/____\_\____/ \____/|_____/____ _ __ | ____| __ \ /\ | \/ | ____\ \ / / __ \| __ \| |/ / | |__ | |__) | / \ | \ / | |__ \ \ /\ / / | | | |__) | ' / | __| | _ / / /\ \ | |\/| | __| \ \/ \/ /| | | | _ /| < | | | | \ \ / ____ \| | | | |____ \ /\ / | |__| | | \ \| . \ |_| |_| \_\/_/ \_\_| |_|______| \/ \/ \____/|_| \_\_|\_\ [*] 3 modules loaded, run 'hbfupdate' command to install the latest modules [hbf] > use spi/dump_eeprom [hbf] spi(dump_eeprom)> show options Author: Jordan Ovrè Module name: dump SPI EEPROM, version 0.0.2 Description: Module to dump SPI EEPROM Name Value Required Description ------------ ------------ ---------- -------------------------------------------------------------------------- hydrabus /dev/ttyACM0 True Hydrabus device timeout 1 True Hydrabus read timeout dumpfile True The dump filename sectors 1024 True The number of sector (4096) to read. For example 1024 sector * 4096 = 4MiB start_sector 0 True The starting sector (1 sector = 4096 bytes) spi_device 1 True The hydrabus SPI device (1=SPI1 or 0=SPI2) spi_speed slow True set SPI speed (fast = 10.5MHz, slow = 320kHz, medium = 5MHz) spi_polarity 0 True set SPI polarity (1=high or 0=low) spi_phase 0 True set SPI phase (1=high or 0=low) [hbf] spi(dump_eeprom)> set dumpfile firmware.bin dumpfile ==> firmware.bin [hbf] spi(dump_eeprom)> set spi_speed medium spi_speed ==> medium [hbf] spi(dump_eeprom)> run [*] Starting to read chip... Reading 1024 sectors Dump 4.0MiB Readed: 4.0MiB [✔] Finished dumping to firmware.bin [*] Reset hydrabus to console mode [hbf] spi(dump_eeprom)> binwalk firmware.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 134816 0x20EA0 Certificate in DER format (x509 v3), header length: 4, sequence length: 64 150864 0x24D50 U-Boot version string, "U-Boot 1.1.4 (Nov 26 2012 - 15:58:42)" 151232 0x24EC0 CRC32 polynomial table, big endian 160905 0x27489 Copyright string: "copyright." 262208 0x40040 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2465316 bytes 1114112 0x110000 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2676149 bytes, 1117 inodes, blocksize: 131072 bytes, created: 2013-11-12 09:49:10 3801091 0x3A0003 POSIX tar archive (GNU), owner user name: "_table.tar.gz" You can find the tools and more details on the official github repository: hydrabus-framework 78 Ghecko. Sursa: https://0x00sec.org/t/hydrabus-framework/17057 Quote
