Nytro

Hydrabus Framework


Hi Guys,

Before diving into the main subject, I’m a security engineer and I’m fascinated by hardware security assessment.
Since I play with some hardware tools like Bus Pirate and Hydrabus, I noticed that no tools bring together all the necessary scripts to interact with hardware protocols.
Who has never been frustrated during a hardware security assessment when facing a chip or an exposed debug port without the necessary script to dump it, find the baudrate of a UART port or properly communicate with it?
That’s why I chose to develop a new framework for the awesome hardware tool Hydrabus, named Hydrabus-Framework (https://github.com/hydrabus-framework/framework).
It provides multiple modules allowing you to work efficiently and save time on any hardware project.

This framework works like Metasploit: simply run hbfconsole, select a module using the use command, set the needed options with set and run it with the run command!
It will also include a Miniterm to directly interact with the Hydrabus CLI.

At the time of this writing, 3 modules are available.

Modules

hbfmodules.uart.baudrates

This module allows you to detect the baudrate of a UART target.
It changes the UART baudrate automatically until it finds the correct value. If it finds a valid baudrate, it prompts you to open a Miniterm session using the Hydrabus binary UART bridge.


hbfmodules.spi.chip_id

The SPI chip_id module allows you to recover the ID of an SPI flash chip, useful to verify if the Hydrabus is correctly interfaced with the target or to identify the family of an unknown chip.
It will be improved in the near future to print the manufacturer, if found, and the chip name (like flashrom).


hbfmodules.spi.dump_eeprom

SPI dump_eeprom is used to dump an SPI flash.
With this module, you can easily dump a flash memory and don’t waste your time writing a script to do this.
You can rapidly jump to the analysis of the freshly dumped firmware!


More modules are coming soon!

You can download the latest modules and update the framework by simply running the hbfupdate script.

Architecture

This framework has been developed with scalability in mind. Indeed, you can add modules without having to modify the framework’s core engine.

Each module inherits from the abstract class AModule, providing a solid foundation to start coding your own module.
Once the module is created and installed using python setup.py install, you can use it in the framework.

Contributing

To create a new module, open an issue on hbfmodules.skeleton. Once you have provided the needed information, I will create a new repository initialized with the hbfmodules.skeleton repository.
You can read more information on contributing to this project in the CONTRIBUTING.md file.

Use case: Dumping an SPI flash chip.

ghecko % hbfconsole                  

      _    ___     _______  _____            ____  _    _  _____           
     | |  | \ \   / /  __ \|  __ \     /\   |  _ \| |  | |/ ____|          
     | |__| |\ \_/ /| |  | | |__) |   /  \  | |_) | |  | | (___            
     |  __  | \   / | |  | |  _  /   / /\ \ |  _ <| |  | |\___ \           
     | |  | |  | |  | |__| | | \ \  / ____ \| |_) | |__| |____) |          
     |_|__|_|__|_|  |_____/|_|__\_\/_/____\_\____/ \____/|_____/____  _  __
     |  ____|  __ \     /\   |  \/  |  ____\ \        / / __ \|  __ \| |/ /
     | |__  | |__) |   /  \  | \  / | |__   \ \  /\  / / |  | | |__) | ' / 
     |  __| |  _  /   / /\ \ | |\/| |  __|   \ \/  \/ /| |  | |  _  /|  <  
     | |    | | \ \  / ____ \| |  | | |____   \  /\  / | |__| | | \ \| . \ 
     |_|    |_|  \_\/_/    \_\_|  |_|______|   \/  \/   \____/|_|  \_\_|\_\
 
    
[*] 3 modules loaded, run 'hbfupdate' command to install the latest modules
[hbf] > use spi/dump_eeprom
[hbf] spi(dump_eeprom)> show options                                                                             
Author: Jordan Ovrè
Module name: dump SPI EEPROM, version 0.0.2
Description: Module to dump SPI EEPROM

Name          Value         Required    Description
------------  ------------  ----------  --------------------------------------------------------------------------
hydrabus      /dev/ttyACM0  True        Hydrabus device
timeout       1             True        Hydrabus read timeout
dumpfile                    True        The dump filename
sectors       1024          True        The number of sector (4096) to read. For example 1024 sector * 4096 = 4MiB
start_sector  0             True        The starting sector (1 sector = 4096 bytes)
spi_device    1             True        The hydrabus SPI device (1=SPI1 or 0=SPI2)
spi_speed     slow          True        set SPI speed (fast = 10.5MHz, slow = 320kHz, medium = 5MHz)
spi_polarity  0             True        set SPI polarity (1=high or 0=low)
spi_phase     0             True        set SPI phase (1=high or 0=low)

[hbf] spi(dump_eeprom)> set dumpfile firmware.bin 
dumpfile ==> firmware.bin
[hbf] spi(dump_eeprom)> set spi_speed medium
spi_speed ==> medium
[hbf] spi(dump_eeprom)> run
[*] Starting to read chip...
Reading 1024 sectors
Dump 4.0MiB
Readed: 4.0MiB   
[✔] Finished dumping to firmware.bin
[*] Reset hydrabus to console mode
[hbf] spi(dump_eeprom)> binwalk firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
134816        0x20EA0         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
150864        0x24D50         U-Boot version string, "U-Boot 1.1.4 (Nov 26 2012 - 15:58:42)"
151232        0x24EC0         CRC32 polynomial table, big endian
160905        0x27489         Copyright string: "copyright."
262208        0x40040         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2465316 bytes
1114112       0x110000        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2676149 bytes, 1117 inodes, blocksize: 131072 bytes, created: 2013-11-12 09:49:10
3801091       0x3A0003        POSIX tar archive (GNU), owner user name: "_table.tar.gz"

You can find the tools and more details on the official GitHub repository: hydrabus-framework

Ghecko.

 

 

Source: https://0x00sec.org/t/hydrabus-framework/17057
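
A sanity check for a dump such as firmware.bin before it goes to binwalk, as an added example that is not part of the original post or of the Hydrabus framework. Only the 4096-byte sector size comes from the module's option table; the function names and sample images are constructed, and the mirror check assumes the common flash behaviour of wrapping the address when more sectors are read than the chip holds.

```python
SECTOR_SIZE = 4096  # sector size stated in the dump_eeprom option table


def unique_span(data: bytes) -> int:
    """Length of the shortest leading part that the dump is a repetition of."""
    span = len(data)
    while span >= 2 * SECTOR_SIZE and span % 2 == 0:
        half = span // 2
        if data[:half] != data[half:span]:
            break
        span = half
    return span


def check_dump(data: bytes, sectors: int) -> list:
    """Return findings for one dump; an empty list means nothing suspicious."""
    findings = []
    expected = sectors * SECTOR_SIZE
    if len(data) != expected:
        findings.append(f"size: got {len(data)} bytes, expected {expected}")
    if data and data.count(data[0]) == len(data):
        # All 0xff or 0x00 usually points at wiring, chip select or power.
        findings.append(f"constant: every byte is 0x{data[0]:02x}")
        return findings
    span = unique_span(data)
    if span < len(data):
        # The requested range is larger than the chip: the content wrapped.
        findings.append(f"mirror: content repeats every {span} bytes")
    return findings


def unstable_sectors(first: bytes, second: bytes) -> list:
    """Sector numbers that differ between two reads of the same range."""
    count = -(-max(len(first), len(second)) // SECTOR_SIZE)  # ceiling division
    return [n for n in range(count)
            if first[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
            != second[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]]


# Constructed sample data: a 2-sector "chip" image, not a real firmware dump.
CHIP = bytes(range(256)) * 16 + bytes(reversed(range(256))) * 16
OVER_READ = CHIP * 2                       # 4 sectors requested from a 2-sector chip
NOISY = CHIP[:5000] + bytes([CHIP[5000] ^ 1]) + CHIP[5001:]  # one flipped bit

if __name__ == "__main__":
    print(check_dump(CHIP, 2))
    print(check_dump(OVER_READ, 4))
    print(check_dump(b"\xff" * 8192, 2))
    print(unstable_sectors(CHIP, NOISY))
```

Reading the chip twice and passing both files to unstable_sectors is a quick way to tell whether a faster spi_speed setting is corrupting reads.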
