Hardware Hacking with Shikra
Comparing Apples to Oranges (Bus Pirate vs Shikra) this a Hardware Hacking 101 webcast follow up blog post.
I recently did a hardware hacking webcast on hacking a router with the Bus Pirate. The webcast can be found at https://www.blackhillsinfosec.com/webcast-hardware-hacking-101/. In the webcast I made a comment on how long it took to dump the firmware off the chip with the bus pirate (approximately 30 minutes). Well, here is a blog post with the same content but using the Shikra.
If you are not familiar with the Bus Pirate then you need to check out the webcast along with the dangerous prototypes website: http://dangerousprototypes.com/docs/Bus_Pirate.
The Bus Pirate as well as the Shikra are devices that enable a user to interact with different types of protocols. Protocols such as JTAG, SPI, IC2, UART and GPIO via a USB interface.
In the webcast I talk about chip isolation and in the example I remove the chip off of the router so that it was totally isolated. In this blog post we will start at that point with connecting the device. Remember that I placed the chip with the firmware on the breakout board as shown below.
Now we need to examine the pin layouts for both the chip and the Shikra so that we can make the proper connections to interact with chip via the Shikra. Pinouts and information about the Shikra can be found at: https://int3.cc/products/the-shikra. The chip that we have is a MX25L6406E/MX25L6408E. A quick view of the data sheet provided the pinout of the device.
Also, definitions of what each pin is utilized for was also observed.
The Shikra pinout is also needed to determine how to connect the breakout board (chip) to it.
Now that we have the pinouts we can wire them together as shown in the table below.
As like in the webcast, a breadboard with a power supply was utilized to supply the voltage to the chip as well as make the connections in the table above.
Once the connections are made we are ready to dump the firmware. With the Bus Pirate we used the following command:
Sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c MX25L6406E/MX25L6408E -r spidump.bin
The flashrom command sets up the type of protocol that the chip on the BusPirate is utilizing. In this case flashrom has a BusPirate_spi specific protocol. The command then identifies the device location (ttyUSB0) and the speed to read the data (note: that any higher speed will become unstable). The -c identifies the type of device to read from and the -r is to write the data to a file
However, with the Shikra we will still use flashrom but the command to use is:
Sudo flashrom -p ft2232_spi:type=232H -c MX25L6406E/MX25L6408E -r spidump.bin
Where the flashrom command sets up the type of protocol that the chip on the Shikra is utilizing (ft2232) and the type, the -c identifies the type of device to read from and the -r is to write the data to a file.
By comparing the two read speeds, it is apparent that the Shikra is much faster at reading the chip. What takes the Bus Pirate 30 minutes to read the contents it only takes the Shikra 3 minutes.
To be fair I used the Bus Pirate version 3.6 for the testing. Dangerous Prototypes has a new board called the Bus Blaster which uses the same ft2232 chip as the Shikra. Who knows… another blog post might be needed for comparison.
Ready to learn more?
Level up your skills with affordable classes from Antisyphon!
Available live/virtual and on-demand