Difference between revisions of "Facedancer"
m (→Code) |
m (→Raspdancer) |
||
(17 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
==Links== |
==Links== |
||
* http://travisgoodspeed.blogspot.be/2012/07/emulating-usb-devices-with-python.html |
* http://travisgoodspeed.blogspot.be/2012/07/emulating-usb-devices-with-python.html |
||
+ | * http://travisgoodspeed.blogspot.be/2012/10/emulating-usb-dfu-to-capture-firmware.html |
||
* http://blog.opensecurityresearch.com/2012/11/solder-time-facedancer11-and-goodfet41.html |
* http://blog.opensecurityresearch.com/2012/11/solder-time-facedancer11-and-goodfet41.html |
||
* http://goodfet.sourceforge.net/hardware/facedancer11/ |
* http://goodfet.sourceforge.net/hardware/facedancer11/ |
||
+ | * http://goodfet.sourceforge.net/tutorial/ |
||
− | |||
+ | ==Making== |
||
− | ==Merging Facedancer & R-Pi== |
||
+ | I met Travis at Troopers2013 and he was very kind of giving me one Facedancer11 PCB. |
||
− | ===Why?=== |
||
+ | <br>I soldered the elements by reflow with solder paste in a kitchen pan, on a cooking paper and with good ventilation. |
||
− | Facedancer11 is a one-purpose version of the flexible GoodFET board. |
||
+ | ==Installation== |
||
− | <br>It was well designed to move all the intelligence into the host controller, not in the embedded uC. |
||
+ | <source lang=bash> |
||
− | <br>Facedancer11 hardware can be seen as: |
||
+ | sudo apt-get install python-sqlite python-serial gcc-msp430 |
||
− | USBconn -- FT232RL -- MSP430F2618TPM -- MAX3420E -- USBconn |
||
+ | svn co https://goodfet.svn.sourceforge.net/svnroot/goodfet |
||
− | where the first two chips are only converting busses: |
||
+ | cd goodfet/trunk/client/ |
||
− | USBconn -- FT232RL -- MSP430F2618TPM -- MAX3420E -- USBconn |
||
+ | sudo make link |
||
− | USB <> UART <> SPI ... (USB) |
||
+ | cd goodfet/trunk/firmware/ |
||
− | BoM view (excluding taxes, Farnell prices): |
||
+ | goodfet.bsl --dumpinfo |tee info.txt |
||
− | USBconn -- FT232RL -- MSP430F2618TPM -- MAX3420E -- USBconn |
||
+ | </source> |
||
− | USBconn + 5.45€ + 13.03€ + 8.27€ + USBconn |
||
+ | Mine: |
||
− | So 18.48€ to talk SPI over UART over USB while the Raspberry-Pi has natively SPI, hmmm. |
||
− | <br>Bus speed view: yes there is a kind of bottleneck there... |
||
− | USBconn -- FT232RL -- MSP430F2618TPM -- MAX3420E -- USBconn |
||
− | 12MB/s 115200bauds 26MHz |
||
− | <br>Let's try to make a RPi extension board with only the MAX3420E. And to save a few cents and construction pain let's replace the USB connector by a USB cable from a cannibalized mouse. So: |
||
− | RPI-MODA-256M -- MAX3420E -- USBcable |
||
− | From a BoM point of view this becomes (depending on what you add to the RPi, nice casing etc): |
||
− | RPI-MODA-256M -- MAX3420E -- USBcable |
||
− | 27.66€ + 8.27€ |
||
− | Bus speed view: |
||
− | RPI-MODA-256M -- MAX3420E -- USBcable |
||
− | 26MHz |
||
− | And we get a fully autonomous facedancer which can be even powered over USB and controlled remotely |
||
− | |||
− | ===Schematics=== |
||
− | TODO |
||
<pre> |
<pre> |
||
+ | MSP430 Bootstrap Loader Version: 1.39-goodfet-8 |
||
− | x |
||
+ | Transmit default password ... |
||
− | x |
||
+ | @1000 |
||
− | P3 Vcc P1 3v3 -- 0.1uF -- GND |
||
+ | aa 55 ff 3f cd ab aa 55 34 12 ff ff aa 55 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
||
− | P4 Vcc P1 3v3 / |
||
+ | ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
||
− | P5 GND \ P |
||
+ | ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
||
− | P6 GND / |
||
+ | ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 20 84 fe 16 ff ff ff ff |
||
− | x |
||
+ | ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 08 10 00 80 01 00 11 80 9b 0b c2 0d 2a 80 f5 06 40 08 fe 08 ff ff ff ff ff ff ff ff 01 08 82 8f |
||
− | x |
||
+ | 8a 8e 7b 8d b3 86 |
||
+ | </pre> |
||
+ | My uC was a msp430f2619 so: |
||
+ | <source lang=bash> |
||
+ | cp lib/msp430f2617.c lib/msp430f2619.c |
||
+ | board=facedancer11 mcu=msp430f2619 make clean reinstall installinfo |
||
+ | </source> |
||
+ | ==Usages== |
||
− | x |
||
+ | ===goodfet.monitor listapps=== |
||
− | P10 -RST P15-GPIO22 |
||
+ | GoodFET with f26f MCU |
||
− | P11 SCLK |
||
+ | Clocked at 0x8f82 |
||
− | P12 -CS |
||
+ | Build Date: 2013-03-28 23:38 |
||
− | P13 MISO |
||
+ | Firmware apps: |
||
− | P14 MOSI |
||
+ | Monitor |
||
− | x |
||
+ | SPI |
||
− | x |
||
+ | MAXUSB |
||
− | |||
− | (P17 INT) |
||
− | P18 GND |
||
− | P19 GND |
||
− | P20 -- 33 -- USB D- |
||
− | P21 -- 33 -- USB D+ |
||
− | P22 Vcc -- 1uF -- GND |
||
− | P23 Vcc |
||
− | P24 USB VBUS -- 1uF -- GND |
||
− | |||
− | x |
||
− | P26 XTal -- 18pF -- GND |
||
− | P27 XTal -- 18pF -- GND |
||
− | x |
||
− | x |
||
− | x |
||
− | x |
||
− | x |
||
− | </pre> |
||
− | ===Code=== |
||
− | Just replace the GoodFET.py library by: |
||
− | <source lang=python> |
||
− | #!/usr/bin/env python |
||
− | # (C) 2013 Philippe Teuwen <phil at teuwen.org> |
||
+ | ===goodfet.monitor testleds=== |
||
− | import spi |
||
+ | Flashing LEDs |
||
− | import RPi.GPIO as GPIO |
||
+ | Flashed 1 LED. |
||
+ | ===goodfet.maxusb info=== |
||
+ | First connect target USB |
||
+ | Connected to MAX342x Rev. 4 |
||
+ | ===goodfet.maxusbftdi=== |
||
+ | goodfet.maxusbftdi |
||
+ | On target: |
||
+ | cat /dev/ttyUSB0 |
||
+ | Or, as sometimes previous command sends only one char at a time: |
||
+ | screen /dev/ttyUSB0 |
||
+ | [...] |
||
+ | GoodFET emulates FTDI properly, if you can read this! |
||
+ | [...] |
||
+ | ===goodfet.maxusbmass=== |
||
+ | <source lang=bash> |
||
+ | dd if=/dev/zero of=test.img bs=512 count=10000 |
||
+ | /sbin/mkfs.vfat test.img |
||
+ | mkdir test |
||
+ | sudo mount -o loop test.img test |
||
+ | echo hello |sudo tee test/hello.txt |
||
+ | sudo umount test |
||
+ | goodfet.maxusbmass test.img |
||
− | class GoodFET: |
||
− | data="" |
||
− | def __init__(self, *args, **kargs): |
||
− | GPIO.setmode(GPIO.BOARD) |
||
− | # pin15=GPIO22 is linked to MAX3420 -RST |
||
− | GPIO.setup(15, GPIO.OUT, initial=GPIO.LOW) |
||
− | GPIO.output(15,GPIO.HIGH) |
||
− | spi.openSPI(speed=26000000) |
||
− | def __del__(self): |
||
− | spi.closeSPI() |
||
− | GPIO.output(15,GPIO.LOW) |
||
− | GPIO.output(15,GPIO.HIGH) |
||
− | GPIO.cleanup() |
||
− | def writecmd(self, app, verb, count=0, data=[]): |
||
− | if verb: # ignore all but R/W cmd |
||
− | return |
||
− | if isinstance(data,str): |
||
− | data = [ord(x) for x in data] |
||
− | data = tuple(data) |
||
− | data = spi.transfer(data) |
||
− | self.data = "".join([chr(x) for x in data]) |
||
− | def serInit(self): |
||
− | pass |
||
</source> |
</source> |
||
+ | ===goodfet.maxusbhid=== |
||
+ | On target, chars are typed in an OS-dependent way: |
||
+ | Python does USB HID on Linux! |
||
+ | ===goodfet.maxusbdfu=== |
||
+ | Emulating Ubertooth device to capture firmware: |
||
+ | goodfet.maxusbdfu FFFF 0004 |
||
+ | On target: |
||
+ | ./ubertooth-dfu --write bluetooth_rxtx.dfu |
||
+ | Checking firmware signature |
||
+ | ............................................................................................ |
||
+ | Write complete |
||
+ | ==Scapy support== |
||
+ | http://rmspeers.com/archives/252 |
||
+ | ==Raspdancer== |
||
+ | Merging Facedancer & Raspberry Pi |
||
+ | <br>See dedicated page: [[Raspdancer]] |
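Review bot: in the added Installation block, `cd goodfet/trunk/firmware/` follows `cd goodfet/trunk/client/`, so typed in order the second cd is resolved relative to client/ and fails; use `cd ../firmware/` or return to the checkout's parent directory first. The outputs added under Usages (listapps, testleds, the screen session, the ubertooth-dfu run) are not wrapped in <pre> or <source> the way the Installation block is, so the wiki will reflow each of them into a single line.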
Latest revision as of 14:11, 26 April 2013
Links
- http://travisgoodspeed.blogspot.be/2012/07/emulating-usb-devices-with-python.html
- http://travisgoodspeed.blogspot.be/2012/10/emulating-usb-dfu-to-capture-firmware.html
- http://blog.opensecurityresearch.com/2012/11/solder-time-facedancer11-and-goodfet41.html
- http://goodfet.sourceforge.net/hardware/facedancer11/
- http://goodfet.sourceforge.net/tutorial/
Making
I met Travis at Troopers2013 and he was kind enough to give me a Facedancer11 PCB.
I soldered the components by reflow with solder paste in a kitchen pan, on cooking paper and with good ventilation.
Installation
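# Toolchain and Python dependencies for the GoodFET client
sudo apt-get install python-sqlite python-serial gcc-msp430
svn co https://goodfet.svn.sourceforge.net/svnroot/goodfet
cd goodfet/trunk/client/
sudo make link
# The firmware tree is a sibling of client/, so step across rather than repeating the full path
cd ../firmware/
# Dump the MSP430 info flash through the bootstrap loader and keep a copy in info.txt
goodfet.bsl --dumpinfo |tee info.txt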
Mine:
MSP430 Bootstrap Loader Version: 1.39-goodfet-8
Transmit default password ...
@1000
aa 55 ff 3f cd ab aa 55 34 12 ff ff aa 55 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 20 84 fe 16 ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 08 10 00 80 01 00 11 80 9b 0b c2 0d 2a 80 f5 06 40 08 fe 08 ff ff ff ff ff ff ff ff 01 08 82 8f
8a 8e 7b 8d b3 86
My uC was an msp430f2619, so:
cp lib/msp430f2617.c lib/msp430f2619.c
board=facedancer11 mcu=msp430f2619 make clean reinstall installinfo
Usages
goodfet.monitor listapps
GoodFET with f26f MCU
Clocked at 0x8f82
Build Date: 2013-03-28 23:38
Firmware apps:
Monitor
SPI
MAXUSB
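Added example, not part of the original page or of the GoodFET code: a check that an info flash dump saved with goodfet.bsl --dumpinfo still holds the DCO calibration constants, and that one of them matches the "Clocked at" value printed by listapps. Assumptions: the MSP430x2xx TLV layout (tag 0x01, length 0x08 at 0x10F6), the monitor value carrying BCSCTL1 in its high byte and DCOCTL in its low byte, and all function names; the sample dump is constructed from the last ten bytes of the dump shown under Installation.

```python
import re

# Assumption: MSP430x2xx TLV layout, DCO tag 0x01 / length 0x08 at 0x10F6,
# followed by (CALDCO, CALBC1) byte pairs for 16, 12, 8 and 1 MHz.
DCO_TAG_ADDR = 0x10F6
FREQS_MHZ = (16, 12, 8, 1)
HEX_LINE = re.compile(r"(?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2}")

def parse_dump(text):
    """Parse '@addr' sections of hex bytes into {address: byte}.
    Banner lines before the first '@addr' are ignored."""
    mem, addr = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if re.fullmatch(r"@[0-9a-fA-F]+", line):
            addr = int(line[1:], 16)
        elif addr is not None and HEX_LINE.fullmatch(line):
            for tok in line.split():
                mem[addr] = int(tok, 16)
                addr += 1
    return mem

def dco_calibration(mem):
    """Return {MHz: (CALBC1 << 8) | CALDCO}, or None when the tag is missing
    or a pair reads 0xFF 0xFF (erased flash)."""
    if (mem.get(DCO_TAG_ADDR), mem.get(DCO_TAG_ADDR + 1)) != (0x01, 0x08):
        return None
    cal = {}
    for i, mhz in enumerate(FREQS_MHZ):
        dco = mem.get(DCO_TAG_ADDR + 2 + 2 * i, 0xFF)
        bc1 = mem.get(DCO_TAG_ADDR + 3 + 2 * i, 0xFF)
        if (dco, bc1) == (0xFF, 0xFF):
            return None
        cal[mhz] = (bc1 << 8) | dco
    return cal

def running_frequency(dump_text, monitor_text):
    """Return the MHz whose calibration pair equals the monitor's
    'Clocked at' value, or None if nothing matches."""
    cal = dco_calibration(parse_dump(dump_text))
    m = re.search(r"Clocked at 0x([0-9a-fA-F]+)", monitor_text)
    if cal is None or m is None:
        return None
    clock = int(m.group(1), 16)
    return next((mhz for mhz, val in cal.items() if val == clock), None)

# Constructed sample: last ten bytes of the dump above, re-addressed at @10f6.
SAMPLE_DUMP = "MSP430 Bootstrap Loader Version: 1.39-goodfet-8\n@10f6\n01 08 82 8f 8a 8e 7b 8d b3 86\n"
ERASED_DUMP = "@10f6\n" + "ff " * 9 + "ff\n"
MONITOR = "GoodFET with f26f MCU\nClocked at 0x8f82\n"

if __name__ == "__main__":
    print(dco_calibration(parse_dump(SAMPLE_DUMP)))
    print(running_frequency(SAMPLE_DUMP, MONITOR))
```

Running it against the saved info.txt before and after reflashing shows whether the calibration bytes survived.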
goodfet.monitor testleds
Flashing LEDs
Flashed 1 LED.
goodfet.maxusb info
First connect target USB
Connected to MAX342x Rev. 4
goodfet.maxusbftdi
goodfet.maxusbftdi
On target:
cat /dev/ttyUSB0
Or, as the previous command sometimes sends only one char at a time:
screen /dev/ttyUSB0
[...]
GoodFET emulates FTDI properly, if you can read this!
[...]
goodfet.maxusbmass
dd if=/dev/zero of=test.img bs=512 count=10000
/sbin/mkfs.vfat test.img
mkdir test
sudo mount -o loop test.img test
echo hello |sudo tee test/hello.txt
sudo umount test
goodfet.maxusbmass test.img
goodfet.maxusbhid
On target, chars are typed in an OS-dependent way:
Python does USB HID on Linux!
goodfet.maxusbdfu
Emulating an Ubertooth device to capture firmware:
goodfet.maxusbdfu FFFF 0004
On target:
./ubertooth-dfu --write bluetooth_rxtx.dfu
Checking firmware signature
............................................................................................
Write complete
Scapy support
http://rmspeers.com/archives/252
Raspdancer
Merging Facedancer & Raspberry Pi
See dedicated page: Raspdancer