Pierluigi Paganini February 18, 2020

Go grab a copy of the Gerbers and 3D-printed Case STL files at https://github.com/whid-injector/Focaccia-Board and print through your favorite FAB.

Prologue

Even before the appearance of the word (I)IoT, I was breaking hardware devices, as many of you, with a multitude of debuggers (i.e. stlink, jlink, RS23–2-2USB, etc.). It was always a PITA bringing around a device that does UART-to-USB, another that supports JTAG or SWD, a SPI reader/dumper, etc.

Luckily for all of us, FTDI released the lovely FT232H chipset which does support all of them in one-single-chip. Hurray!

One of the cheapest boards embedding the FT232H on the market is the FT232H CJMCU, which cost less than 10 EUR!

Though, there was still a couple of drawbacks:

• Every-time I had to remember which Pin was doing what. For each of the protocols! (i.e. UART, JTAG, SWD, I2C, SPI).
• There were not Pull-Up resistors on the PCB.
• Some Pins used for a protocol have to be short-circuited to operate with other protocols (i.e. I2C or SWD).
• Too many flying cables when you need to connect to some testing DuPont wires (example below).

During last Xmas holidays I thought: “That’s enough, I am done. I need a proper breakout that will save my time”. And that’s how Focaccia-Board came to life!

Main Features:

• Easy to access Pins for all supported protocols: UART, SPI, I2C, JTAG, SWD.
• Voltage Selector to easily switch from 3.3V to 5V.
• Support for SOP8/SOP16 Clips (in order to dump SPI Flashes without desoldering them from the target device)
• Support for SOP8/SOP16 sockets adapters.
• A multi-purpose breadboard-like set of pin headers/sockets and terminal blocks to help you dealing with flying cables (i.e. lower part of the PCB). Note: this is not wired with the FT232H anyhow, is up to you.

Some Practical Use-Cases

Focaccia-Board Vs Fingbox (UART):

Last year you may remember me disclosing this lovely bug in FingBox ( a super-duper IoT Security Appliance that is supposed to protect your LAN-connected devices from attackers):

In this first use-case, I used Focaccia-Board (from now on a.k.a. F-B) for debugging the UART console, which was easily accessible on the FingBox’s PCB.

As showed below the Uboot output was easily available and lead to enough insights to discover the way to get root.

Focaccia-Board Vs WinkHub (JTAG):

The next use-case is showing how to easily connect to the target device over JTAG in order to live-debug or even dump the entire flash memory.

Once identified the correct JTAG Pinout (i.e. TDI, TDO, TMS, TCK, etc…) and the correct OpenOCD’s config files for both F-B* and the target device, we can run it with the command: 

sudo openocd -f ft232h_jtag-swd.config -f target_device.cfg

*The right config file for F-B is in its Github repo.

Focaccia-Board Vs WHID Injector (SPI Dump):

This time you will see how easy is to use F-B to conduct some Forensics against a Weaponized Mouse containing my beloved WHID-Injector.

Once obtained the suspicious mouse and confirmed it was weaponized, I proceeded in identifying the SPI flash and removing it from the PCB.

Next step was to use the SOP8 socket on the Focaccia-Board to dump the SPI Flash content.

In order to dump the Flash content you have to fire the following command: 

flashrom -p ft2232_spi:type=232H -r spi_dump.bin

(Reminder: In case of Forensics acquistion is always recommended to acquire the Flash content with the WP (Write Protect) Pin disabled (see jumper on the PCB) thus we are 100% that the content of the Flash will not be modified during the operation. And therefore sure that is forensically acceptable as evidence.

Of course we can also use a SOP8 Clip to dump it.

And here the results of the dump and some initial Forensics analysis of it. As you see plenty of artifacts left-over by the attacker.

In some cases is also possible to dump a SPI Flash directly from the PCB of the target device (though, is discouraged, unless you manage to keep the target’s CPU in a reset state and thus unable to talk with the SPI Flash itself).

Focaccia-Board Vs Smartlock (Multi-purpose Breadboard):

At last, an example of how to use the lower part of F-B’s set of pin headers/sockets & terminal blocks against a smartlock during some forensics investigation scenario.

In this case, the FT232H is not involved. I just used the lower part of F-B’s PCB to connect those ugly flying cables that were non-standard DuPont wires.

And after having successfully dumped the firmware we can proceed at extracting some valuable evidences for the forensics case.

Overall

Focaccia-Board is nothing extraordinary. But it saves my time while hacking (I)IoT targets. And that’s enough to be considered a valuable asset in my lab. 🙂 Hope you will enjoy it too!

P.S. I am going to ask WHID-Injector & WHID-Elite manufacturer if interested to bring it to life at the usual affordable price for the folks out there that have no time or capabilities to print the PCB themselves.

#StayTuned & Follow @whid-injector on Twitter!

The original post is available in Medium:

https://medium.com/@LucaBongiorni/hacking-iot-devices-with-focaccia-board-8c4e009ed488

About the author: Luca Bongiorni

Luca is working as Principal Offensive Security Engineer and in his spare time is involved in InfoSec where the main fields of research are: Radio Networks, Hardware Reverse Engineering, Hardware Hacking, Internet of Things and Physical Security. He also loves to share his knowledge and present some cool projects at security conferences around the globe. At the moment is focusing his researches on bypassing biometric access control systems, ICS Security and Air-Gapped Environments.

Pierluigi Paganini

(SecurityAffairs – hacking IoT, Focaccia board)

[adrotate banner=”5″]

[adrotate banner=”13″]