Difference between revisions of "Facedancer"
Jump to navigation
Jump to search
m (→Why?) |
m (→Raspdancer) |
||
| (14 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
* http://goodfet.sourceforge.net/hardware/facedancer11/ |
* http://goodfet.sourceforge.net/hardware/facedancer11/ |
||
* http://goodfet.sourceforge.net/tutorial/ |
* http://goodfet.sourceforge.net/tutorial/ |
||
| − | == |
+ | ==Making== |
| + | I met Travis at Troopers2013 and he was very kind of giving me one Facedancer11 PCB. |
||
| + | <br>I soldered the elements by reflow with solder paste in a kitchen pan, on a cooking paper and with good ventilation. |
||
| + | ==Installation== |
||
<source lang=bash> |
<source lang=bash> |
||
sudo apt-get install python-sqlite python-serial gcc-msp430 |
sudo apt-get install python-sqlite python-serial gcc-msp430 |
||
| Line 31: | Line 34: | ||
board=facedancer11 mcu=msp430f2619 make clean reinstall installinfo |
board=facedancer11 mcu=msp430f2619 make clean reinstall installinfo |
||
</source> |
</source> |
||
| + | |||
==Usages== |
==Usages== |
||
===goodfet.monitor listapps=== |
===goodfet.monitor listapps=== |
||
| Line 80: | Line 84: | ||
==Scapy support== |
==Scapy support== |
||
http://rmspeers.com/archives/252 |
http://rmspeers.com/archives/252 |
||
| + | ==Raspdancer== |
||
| − | + | Merging Facedancer & Raspberry Pi |
|
| − | ===Why?=== |
||
| + | <br>See dedicated page: [[Raspdancer]] |
||
| − | Facedancer11 is a one-purpose version of the flexible GoodFET board. |
||
| − | <br>It was well designed to move all the intelligence into the host controller, not in the embedded uC. |
||
| − | <br>Facedancer11 hardware can be seen as: |
||
| − | USBconn -- FT232RL -- MSP430F2618TPM -- MAX3420E -- USBconn |
||
| − | where the first two chips are only converting busses: |
||
| − | USBconn -- FT232RL -- MSP430F2618TPM -- MAX3420E -- USBconn |
||
| − | USB <> UART <> SPI ... (USB) |
||
| − | BoM view (excluding taxes, Farnell prices): |
||
| − | USBconn -- FT232RL -- MSP430F2618TPM -- MAX3420E -- USBconn |
||
| − | USBconn + 5.45€ + 13.03€ + 8.27€ + USBconn |
||
| − | So 18.48€ to talk SPI over UART over USB while the Raspberry-Pi has natively SPI, hmmm. |
||
| − | <br>Bus speed view: yes there is a kind of bottleneck there... |
||
| − | USBconn -- FT232RL -- MSP430F2618TPM -- MAX3420E -- USBconn |
||
| − | 12MB/s 115200bauds 26MHz |
||
| − | <br>Let's try to make a RPi extension board with only the MAX3420E. |
||
| − | <br>And to save a few cents and construction pain let's replace the USB connector by a USB cable from a cannibalized mouse. |
||
| − | <br>So: |
||
| − | RPI-MODA-256M -- MAX3420E -- USBcable |
||
| − | From a BoM point of view this becomes (depending on what you add to the RPi, nice casing etc): |
||
| − | RPI-MODA-256M -- MAX3420E -- USBcable |
||
| − | 27.66€ + 8.27€ |
||
| − | Bus speed view: |
||
| − | RPI-MODA-256M -- MAX3420E -- USBcable |
||
| − | 26MHz |
||
| − | And we get a fully autonomous facedancer which can be even powered over USB and controlled remotely |
||
| − | |||
| − | ===Schematics=== |
||
| − | <pre> |
||
| − | MAX Signal RPi Signal |
||
| − | P3 Vcc P17 3v3 \ 0.1uF -- GND |
||
| − | P4 Vcc P17 3v3 / |
||
| − | P5 GND P25 GND |
||
| − | P6 GND P25 GND |
||
| − | P10 -RES P15 GPIO22 |
||
| − | P11 SCLK P23 SCLK |
||
| − | P12 -SS P24 CE0 |
||
| − | P13 MISO P21 MISO |
||
| − | P14 MOSI P19 MOSI |
||
| − | P17 INT currently not connected, could be e.g. P13=GPIO27 |
||
| − | P18 GND P25 GND |
||
| − | P19 GND P25 GND ---------- USB conn GND |
||
| − | P20 D- ----------- R33 -- USB conn D- |
||
| − | P21 D+ ----------- R33 -- USB conn D+ |
||
| − | P22 Vcc P17 3v3 \ 1uF -- GND |
||
| − | P23 Vcc P17 3v3 / |
||
| − | P24 VBCOMP ------------------ USB conn VBUS -- 1uF -- GND |
||
| − | P26 XI ------------Xtal1- 18pF -- GND |
||
| − | P27 XO ------------Xtal2- 18pF -- GND |
||
| − | </pre> |
||
| − | |||
| − | ===Code=== |
||
| − | Just replace the GoodFET.py library by: |
||
| − | <source lang=python> |
||
| − | #!/usr/bin/env python |
||
| − | # (C) 2013 Philippe Teuwen <phil at teuwen.org> |
||
| − | |||
| − | import spi |
||
| − | import RPi.GPIO as GPIO |
||
| − | |||
| − | class GoodFET: |
||
| − | data="" |
||
| − | def __init__(self, *args, **kargs): |
||
| − | GPIO.setmode(GPIO.BOARD) |
||
| − | # pin15=GPIO22 is linked to MAX3420 -RST |
||
| − | GPIO.setup(15, GPIO.OUT, initial=GPIO.LOW) |
||
| − | GPIO.output(15,GPIO.HIGH) |
||
| − | spi.openSPI(speed=26000000) |
||
| − | def __del__(self): |
||
| − | spi.closeSPI() |
||
| − | GPIO.output(15,GPIO.LOW) |
||
| − | GPIO.output(15,GPIO.HIGH) |
||
| − | GPIO.cleanup() |
||
| − | def writecmd(self, app, verb, count=0, data=[]): |
||
| − | if verb: # ignore all but R/W cmd |
||
| − | return |
||
| − | if isinstance(data,str): |
||
| − | data = [ord(x) for x in data] |
||
| − | data = tuple(data) |
||
| − | data = spi.transfer(data) |
||
| − | self.data = "".join([chr(x) for x in data]) |
||
| − | def serInit(self): |
||
| − | pass |
||
| − | </source> |
||
Latest revision as of 15:11, 26 April 2013
Links
- http://travisgoodspeed.blogspot.be/2012/07/emulating-usb-devices-with-python.html
- http://travisgoodspeed.blogspot.be/2012/10/emulating-usb-dfu-to-capture-firmware.html
- http://blog.opensecurityresearch.com/2012/11/solder-time-facedancer11-and-goodfet41.html
- http://goodfet.sourceforge.net/hardware/facedancer11/
- http://goodfet.sourceforge.net/tutorial/
Making
I met Travis at Troopers2013 and he was very kind of giving me one Facedancer11 PCB.
I soldered the elements by reflow with solder paste in a kitchen pan, on a cooking paper and with good ventilation.
Installation
sudo apt-get install python-sqlite python-serial gcc-msp430
svn co https://goodfet.svn.sourceforge.net/svnroot/goodfet
cd goodfet/trunk/client/
sudo make link
cd goodfet/trunk/firmware/
goodfet.bsl --dumpinfo |tee info.txt
Mine:
MSP430 Bootstrap Loader Version: 1.39-goodfet-8 Transmit default password ... @1000 aa 55 ff 3f cd ab aa 55 34 12 ff ff aa 55 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 20 84 fe 16 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 08 10 00 80 01 00 11 80 9b 0b c2 0d 2a 80 f5 06 40 08 fe 08 ff ff ff ff ff ff ff ff 01 08 82 8f 8a 8e 7b 8d b3 86
My uC was a msp430f2619 so:
cp lib/msp430f2617.c lib/msp430f2619.c
board=facedancer11 mcu=msp430f2619 make clean reinstall installinfo
Usages
goodfet.monitor listapps
GoodFET with f26f MCU Clocked at 0x8f82 Build Date: 2013-03-28 23:38 Firmware apps: Monitor SPI MAXUSB
goodfet.monitor testleds
Flashing LEDs Flashed 1 LED.
goodfet.maxusb info
First connect target USB
Connected to MAX342x Rev. 4
goodfet.maxusbftdi
goodfet.maxusbftdi
On target:
cat /dev/ttyUSB0
Or, as sometimes previous command sends only one char at a time:
screen /dev/ttyUSB0 [...] GoodFET emulates FTDI properly, if you can read this! [...]
goodfet.maxusbmass
dd if=/dev/zero of=test.img bs=512 count=10000
/sbin/mkfs.vfat test.img
mkdir test
sudo mount -o loop test.img test
echo hello |sudo tee test/hello.txt
sudo umount test
goodfet.maxusbmass test.img
goodfet.maxusbhid
On target, chars are typed in an OS-dependent way:
Python does USB HID on Linux!
goodfet.maxusbdfu
Emulating Ubertooth device to capture firmware:
goodfet.maxusbdfu FFFF 0004
On target:
./ubertooth-dfu --write bluetooth_rxtx.dfu Checking firmware signature ............................................................................................ Write complete
Scapy support
http://rmspeers.com/archives/252
Raspdancer
Merging Facedancer & Raspberry Pi
See dedicated page: Raspdancer