Hydrabus Framework

Hi Guys,

Before diving into the main subject, I’m a security engineer and I’m fascinated by hardware security assessment.
Since I play with some hardware tools like Bus Pirate and Hydrabus, I noticed that no tools bring together all the necessary scripts to interact with hardware protocols.
Who has never been frustrated during a hardware security assessment when facing a chip or an exposed debug port without the necessary script to dump it, find the baudrate of a UART port or properly communicate with it?
That’s why I chose to develop a new framework for the awesome Hydrabus hardware tool, named [Hydrabus-Framework](https://github.com/hydrabus-framework/framework).
It provides multiple modules allowing you to work efficiently and save time on any hardware project.

This framework works like Metasploit: simply run hbfconsole, select a module using the use command, set the needed options with set and run it with the run command!
It will also include a Miniterm to directly interact with the Hydrabus CLI.

At the time of this writing, 3 modules are available.

Modules

hbfmodules.uart.baudrates

This module allows you to detect the baudrate of a UART target.
It changes the UART baudrate automatically until it finds the correct value. If it finds a valid baudrate, it prompts you to open a Miniterm session using the Hydrabus binary UART bridge.

hbfmodules.spi.chip_id

The SPI chip_id module allows you to recover the ID of an SPI flash chip, useful to verify if the Hydrabus is correctly interfaced with the target or to identify the family of an unknown chip.
It will be improved in the near future to print the manufacturer, if found, and the chip name (like flashrom).

hbfmodules.spi.dump_eeprom

SPI dump_eeprom is used to dump an SPI flash.
With this module, you can easily dump a flash memory and don’t waste your time writing a script to do this.
You can rapidly jump to the analysis of the freshly dumped firmware!

More modules are coming soon!

You can download the latest modules and update the framework by simply running the hbfupdate script.

Architecture

This framework has been developed with scalability in mind. Indeed, you can add modules without having to modify the framework’s core engine.

Each module inherits from the abstract class AModule, providing a solid foundation to start coding your own module.
Once the module is created and installed using python setup.py install, you can use it in the framework.

Contributing

To create a new module, open an issue on hbfmodules.skeleton. I will create a new repository initialized with the hbfmodules.skeleton repository once you have provided the needed information.
You can read more information on contributing to this project in the CONTRIBUTING.md file.

Use case: Dumping an SPI flash chip.

ghecko % hbfconsole                  

      _    ___     _______  _____            ____  _    _  _____           
     | |  | \ \   / /  __ \|  __ \     /\   |  _ \| |  | |/ ____|          
     | |__| |\ \_/ /| |  | | |__) |   /  \  | |_) | |  | | (___            
     |  __  | \   / | |  | |  _  /   / /\ \ |  _ <| |  | |\___ \           
     | |  | |  | |  | |__| | | \ \  / ____ \| |_) | |__| |____) |          
     |_|__|_|__|_|  |_____/|_|__\_\/_/____\_\____/ \____/|_____/____  _  __
     |  ____|  __ \     /\   |  \/  |  ____\ \        / / __ \|  __ \| |/ /
     | |__  | |__) |   /  \  | \  / | |__   \ \  /\  / / |  | | |__) | ' / 
     |  __| |  _  /   / /\ \ | |\/| |  __|   \ \/  \/ /| |  | |  _  /|  <  
     | |    | | \ \  / ____ \| |  | | |____   \  /\  / | |__| | | \ \| . \ 
     |_|    |_|  \_\/_/    \_\_|  |_|______|   \/  \/   \____/|_|  \_\_|\_\
 
    
[*] 3 modules loaded, run 'hbfupdate' command to install the latest modules
[hbf] > use spi/dump_eeprom
[hbf] spi(dump_eeprom)> show options                                                                             
Author: Jordan Ovrè
Module name: dump SPI EEPROM, version 0.0.2
Description: Module to dump SPI EEPROM

Name          Value         Required    Description
------------  ------------  ----------  --------------------------------------------------------------------------
hydrabus      /dev/ttyACM0  True        Hydrabus device
timeout       1             True        Hydrabus read timeout
dumpfile                    True        The dump filename
sectors       1024          True        The number of sector (4096) to read. For example 1024 sector * 4096 = 4MiB
start_sector  0             True        The starting sector (1 sector = 4096 bytes)
spi_device    1             True        The hydrabus SPI device (1=SPI1 or 0=SPI2)
spi_speed     slow          True        set SPI speed (fast = 10.5MHz, slow = 320kHz, medium = 5MHz)
spi_polarity  0             True        set SPI polarity (1=high or 0=low)
spi_phase     0             True        set SPI phase (1=high or 0=low)

[hbf] spi(dump_eeprom)> set dumpfile firmware.bin 
dumpfile ==> firmware.bin
[hbf] spi(dump_eeprom)> set spi_speed medium
spi_speed ==> medium
[hbf] spi(dump_eeprom)> run
[*] Starting to read chip...
Reading 1024 sectors
Dump 4.0MiB
Readed: 4.0MiB   
[✔] Finished dumping to firmware.bin
[*] Reset hydrabus to console mode
[hbf] spi(dump_eeprom)> binwalk firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
134816        0x20EA0         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
150864        0x24D50         U-Boot version string, "U-Boot 1.1.4 (Nov 26 2012 - 15:58:42)"
151232        0x24EC0         CRC32 polynomial table, big endian
160905        0x27489         Copyright string: "copyright."
262208        0x40040         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2465316 bytes
1114112       0x110000        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2676149 bytes, 1117 inodes, blocksize: 131072 bytes, created: 2013-11-12 09:49:10
3801091       0x3A0003        POSIX tar archive (GNU), owner user name: "_table.tar.gz"

You can find the tools and more details on the official GitHub repository: hydrabus-framework

Ghecko.

6 Likes
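
A check worth running on a dump like the one in the use case above before starting analysis, as an added example that is not part of the original post or of the Hydrabus Framework: it lists the 4096-byte sectors where two reads of the same chip disagree, and verifies that each SquashFS superblock (the kind binwalk reported) describes an image that fits inside the dump. The function names and the sample image are constructed for illustration.

```python
import struct

SECTOR_SIZE = 4096  # sector size used by the dump_eeprom "sectors" option
# First 48 bytes of a SquashFS 4.x superblock, little endian.
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQ")
COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def differing_sectors(first, second):
    """Sector numbers where two reads of the same chip disagree."""
    length = max(len(first), len(second))
    return [off // SECTOR_SIZE for off in range(0, length, SECTOR_SIZE)
            if first[off:off + SECTOR_SIZE] != second[off:off + SECTOR_SIZE]]


def squashfs_images(dump):
    """Locate SquashFS 4.x superblocks and flag images that run past the dump."""
    found, pos = [], dump.find(b"hsqs")
    while pos != -1:
        if pos + SUPERBLOCK.size <= len(dump):
            (_, inodes, _, block_size, _, comp, _, _, _,
             major, _, _, bytes_used) = SUPERBLOCK.unpack_from(dump, pos)
            if major == 4:  # skip stray "hsqs" bytes that are not a v4 superblock
                found.append({
                    "offset": pos, "inodes": inodes, "block_size": block_size,
                    "compression": COMPRESSION.get(comp, f"unknown({comp})"),
                    "size": bytes_used,
                    "truncated": pos + bytes_used > len(dump),
                })
        pos = dump.find(b"hsqs", pos + 1)
    return found


def build_sample(sectors=16):
    """Constructed dump: erased flash (0xFF) with one superblock at sector 4."""
    image = bytearray(b"\xff" * (sectors * SECTOR_SIZE))
    header = SUPERBLOCK.pack(b"hsqs", 7, 0, 131072, 0, 2, 17, 0, 1, 4, 0, 0,
                             3 * SECTOR_SIZE)
    image[4 * SECTOR_SIZE:4 * SECTOR_SIZE + len(header)] = header
    return bytes(image)


if __name__ == "__main__":
    good = build_sample()
    noisy = bytearray(good)
    noisy[9 * SECTOR_SIZE + 5] ^= 0x01  # one flipped bit, as on a marginal read
    print("sectors to re-read:", differing_sectors(good, bytes(noisy)))
    print(squashfs_images(good))
    print(squashfs_images(good[:6 * SECTOR_SIZE]))  # dump cut short
```

Sectors reported by `differing_sectors` can be read again with the module's `start_sector` and `sectors` options, for instance at a slower `spi_speed`.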

This is so cool man!

Really love to see some actual good software to interact with hardware.

Thanks for sharing!

1 Like
