path: root/pres.adoc
blob: 14a6a0c4234f73a4bd493a3dc8d0b64050b72417 (plain)
= Ourosboros Flash Reader
:revealjsdir: ./reveal.js-5.2.1/

Patrick Schönberger

16.07.2025

== Structure

- Problem
- Solution
- Implementation

== Problem

== Solution

== Implementation

structure: start with a problem and reproduce the work leading to the working solution

access to smart home hardware seized at crime scenes
many Shelly devices are based on the ESP32 or ESP8266
on their own they hold little usable evidence, but they do store data that identifies the user
that data can be used to inquire about the associated user account
so we need to extract the contents of the ESP's flash memory
we then also need to extract the file systems from that flash image
do it read-only, and verifiably so: the evidence must not be altered
existing tools (esptool, mos) can also write and erase flash
they are also complex, which makes understanding and changing their code time-consuming
what about writing a custom extraction tool?
what is the bare minimum needed to talk to the ESP?
- two modes: boot mode and run mode
- selected by the level of GPIO0 when the chip comes out of reset (low = boot mode)
- the ESP, and the Shelly boards built around it, expose UART pins (TX/RX)
- in run mode the firmware prints log output on the UART
- in boot mode the ROM bootloader listens for a custom serial protocol on the same UART
so we need a serial connection and a way to force boot mode!
what can the serial protocol do?
- sync (handshake, lets the ROM lock onto the baud rate)
- write RAM and flash, read and write registers
- configuration commands (SPI flash parameters, baud rate change) etc.
- on the ESP32 the ROM can also read flash, but not on the ESP8266, ESP32-C3 or ESP32-C6
how do other tools read flash, then?
- we can't read flash directly, but we can write RAM
- so write a small program, load it into RAM, run it, and talk to that program instead of the ROM
- this is the flash loader, also called the stub
- esptool has two variants, a C-based one and a Rust-based one
- the C-based one is older and being replaced, but it is dramatically simpler and also supports the ESP8266
- so we take the C-based stub and customize it (remove the flash write and erase commands)
caveat: the ROM bootloader itself can write flash, so technically the tool has write capability until our stripped-down stub is running
the extraction tool is also small and runs a fixed sequence of commands, none of which writes
-> as sure as we can be
how does the serial protocol work?
- packets are framed using SLIP
- the host sends a request and the target (the ESP) answers with a response
- steps to read flash:
  - sync
  - identify the chip
  - read the MAC address
  - (optionally change the baud rate)
  - upload the stub and start it
  - read flash through the stub
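The framing and the request/response exchange listed above, written out as an added example in Python (the language of esptool, the reference implementation; this is not code from the presentation or from esptool itself). Opcodes, packet layout, SLIP escapes, checksum seed and the SYNC payload follow the published esptool protocol, and the magic register address is the one esptool reads for chip detection; the load address, entry point and image bytes a caller passes in are constructed.

```python
"""
SLIP framing and command packets of the ESP ROM bootloader serial protocol.

Added example, not code from the presentation or from esptool. Opcodes,
packet layout, SLIP escapes, checksum seed and the SYNC payload follow the
published esptool protocol; CHIP_MAGIC_REG is the register esptool reads to
identify pre-C3 chips. Addresses and payloads passed in by a caller are
constructed.
"""
import struct

SLIP_END, SLIP_ESC, SLIP_ESC_END, SLIP_ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD

# ROM bootloader opcodes used by a read-only extraction sequence
CMD_MEM_BEGIN, CMD_MEM_END, CMD_MEM_DATA = 0x05, 0x06, 0x07
CMD_SYNC, CMD_READ_REG = 0x08, 0x0A
CHECKSUM_SEED = 0xEF          # XOR seed for data-carrying commands
CHIP_MAGIC_REG = 0x40001000   # magic-value register used for chip detection
RAM_BLOCK = 0x1800            # esptool's default MEM_DATA block size


def slip_encode(payload: bytes) -> bytes:
    """Wrap one packet in a SLIP frame: escape ESC before END, then delimit."""
    body = payload.replace(bytes([SLIP_ESC]), bytes([SLIP_ESC, SLIP_ESC_ESC]))
    body = body.replace(bytes([SLIP_END]), bytes([SLIP_ESC, SLIP_ESC_END]))
    return bytes([SLIP_END]) + body + bytes([SLIP_END])


def slip_decode(stream: bytes) -> list[bytes]:
    """Split a byte stream into de-escaped frames; reject malformed escapes."""
    frames = []
    for chunk in stream.split(bytes([SLIP_END])):
        if not chunk:
            continue                          # delimiter run between frames
        out, i = bytearray(), 0
        while i < len(chunk):
            b = chunk[i]
            if b == SLIP_ESC:
                i += 1
                if i == len(chunk) or chunk[i] not in (SLIP_ESC_END, SLIP_ESC_ESC):
                    raise ValueError("malformed SLIP escape sequence")
                b = SLIP_END if chunk[i] == SLIP_ESC_END else SLIP_ESC
            out.append(b)
            i += 1
        frames.append(bytes(out))
    return frames


def checksum(data: bytes) -> int:
    """Checksum carried by MEM_DATA/FLASH_DATA: XOR of all bytes, seeded with 0xEF."""
    acc = CHECKSUM_SEED
    for b in data:
        acc ^= b
    return acc


def request(op: int, data: bytes = b"", chk: int = 0) -> bytes:
    """Host -> ESP packet: direction 0x00, opcode, length, checksum, payload."""
    return slip_encode(struct.pack("<BBHI", 0x00, op, len(data), chk) + data)


def parse_response(frame: bytes) -> tuple[int, int, bytes]:
    """ESP -> host packet: direction 0x01, opcode, length, value, payload."""
    direction, op, size, value = struct.unpack_from("<BBHI", frame)
    if direction != 0x01 or len(frame) < 8 + size:
        raise ValueError("not a well-formed bootloader response")
    return op, value, frame[8:8 + size]


def sync_request() -> bytes:
    """SYNC: 0x07 0x07 0x12 0x20 followed by 32 x 0x55."""
    return request(CMD_SYNC, b"\x07\x07\x12\x20" + b"\x55" * 32)


def read_reg_request(addr: int) -> bytes:
    """READ_REG: the response's 'value' field carries the register contents."""
    return request(CMD_READ_REG, struct.pack("<I", addr))


def mem_upload_requests(image: bytes, load_addr: int, block_size: int = RAM_BLOCK) -> list[bytes]:
    """MEM_BEGIN plus one MEM_DATA per block: how a stub section is placed in RAM."""
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    frames = [request(CMD_MEM_BEGIN,
                      struct.pack("<IIII", len(image), len(blocks), block_size, load_addr))]
    for seq, blk in enumerate(blocks):
        frames.append(request(CMD_MEM_DATA,
                              struct.pack("<IIII", len(blk), seq, 0, 0) + blk, checksum(blk)))
    return frames


def mem_end_request(entry: int) -> bytes:
    """MEM_END with a non-zero entry point makes the ROM jump into the uploaded stub."""
    return request(CMD_MEM_END, struct.pack("<II", int(entry == 0), entry))
```

Feed `sync_request()` to the serial port, then `slip_decode()` what comes back and `parse_response()` each frame; `read_reg_request(CHIP_MAGIC_REG)` returns the identification value in the response's value field. Uploading the stub is `mem_upload_requests()` per section followed by `mem_end_request(entry)`; the esptool stub announces itself with a raw `OHAI` frame once it runs, and from then on every request goes to the stub rather than the ROM. Nothing here builds a FLASH_* or erase command, which is the point of a read-only tool.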
modifying the flash loader
- the stub consists of 6 .c files:
  - miniz.c            // compression
  - slip.c             // SLIP framing
  - stub_commands.c    // command handlers
  - stub_flasher.c     // main program
  - stub_io.c          // serial communication
  - stub_write_flash.c // flash writing
- so we remove stub_write_flash.c and strip the write/erase handlers from stub_commands.c
- additionally simplify the Makefile
compiling and uploading the flash loader
- download the toolchains (Xtensa for ESP8266/ESP32, RISC-V for ESP32-C3/C6)
- compile the stub with the chip-specific toolchain
- this yields an ELF file
- a Python script extracts the .text and .data sections from the ELF
- it generates a header file with the raw bytes as a `const unsigned char[]`
- this header is compiled into the extraction tool (host side)
- at runtime, after the chip is identified, the tool uploads .text and .data with the MEM_BEGIN/MEM_DATA/MEM_END RAM commands
- the section load addresses and the entry point are also taken from the ELF and written to the header alongside the section bytes
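The ELF-to-header step above, as an added example in Python (not the presentation's own script). It parses the ELF32 file and section headers with the standard library only, keeps the PROGBITS sections (so an ESP8266 stub without .data yields a zero length and no array), and writes the load addresses and entry point next to the bytes. The `stub_*` identifiers and `build_test_elf()`, which fabricates a small ELF with constructed addresses and bytes, are assumptions made so the example runs without a toolchain.

```python
"""
Extract .text/.data and the entry point from a 32-bit little-endian ELF and
emit a C header with the section bytes as const unsigned char[] arrays.

Added example, not the presentation's own script. Parsing follows the ELF32
header layouts using only the standard library; the stub_* identifiers are
an assumed naming scheme, and build_test_elf() fabricates a tiny ELF with
constructed addresses and bytes so the example runs without a toolchain.
"""
import struct

EHDR = "<16sHHIIIIIHHHHHH"          # ELF32 file header, 52 bytes
SHDR = "<10I"                       # ELF32 section header, 40 bytes
SHT_PROGBITS, SHT_STRTAB = 1, 3     # only PROGBITS sections have bytes in the file


def elf_sections(elf: bytes) -> tuple[int, dict[str, tuple[int, bytes]]]:
    """Return (entry point, {section name: (load address, bytes)}) for PROGBITS sections."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF32 file")
    (_ident, _type, _machine, _version, entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, shstrndx) = struct.unpack_from(EHDR, elf)
    headers = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = headers[shstrndx][4]         # sh_offset of .shstrtab
    sections = {}
    for sh_name, sh_type, _sh_flags, sh_addr, sh_off, sh_size, *_rest in headers:
        if sh_type != SHT_PROGBITS:           # skips .bss (NOBITS), .shstrtab, .symtab ...
            continue
        name_end = elf.index(b"\0", strtab_off + sh_name)
        name = elf[strtab_off + sh_name:name_end].decode()
        sections[name] = (sh_addr, elf[sh_off:sh_off + sh_size])
    return entry, sections


def c_array(ident: str, data: bytes, per_line: int = 12) -> str:
    """Render bytes as a C array definition."""
    rows = [", ".join(f"0x{b:02x}" for b in data[i:i + per_line])
            for i in range(0, len(data), per_line)]
    return f"const unsigned char {ident}[{len(data)}] = {{\n    " + ",\n    ".join(rows) + "\n};\n"


def stub_header(elf: bytes, prefix: str = "stub") -> str:
    """Header compiled into the host tool: section bytes, load addresses, entry point."""
    entry, secs = elf_sections(elf)
    if ".text" not in secs:
        raise ValueError("stub ELF has no .text section")
    out = [f"/* generated from the stub ELF; entry point 0x{entry:08x} */\n",
           f"#define {prefix.upper()}_ENTRY 0x{entry:08x}u\n"]
    for sec in (".text", ".data"):            # ESP8266 stub has no .data: length 0, no array
        addr, data = secs.get(sec, (0, b""))
        ident = f"{prefix}_{sec[1:]}"
        out.append(f"#define {ident.upper()}_ADDR 0x{addr:08x}u\n")
        out.append(f"#define {ident.upper()}_LEN {len(data)}u\n")
        if data:
            out.append(c_array(ident, data))
    return "".join(out)


def build_test_elf(text: bytes, text_addr: int, data: bytes, data_addr: int, entry: int) -> bytes:
    """Fabricate a minimal ELF32 LE image (constructed input for a self-contained run)."""
    shstrtab = b"\0.text\0.data\0.shstrtab\0"
    text_off = struct.calcsize(EHDR)
    data_off = text_off + len(text)
    str_off = data_off + len(data)
    shoff = str_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)      # ELFCLASS32, little-endian
    ehdr = struct.pack(EHDR, ident, 2, 94, 1, entry, 0, shoff, 0, text_off, 0, 0,
                       struct.calcsize(SHDR), 4, 3)            # ET_EXEC, EM_XTENSA, shstrndx 3

    def sh(name, typ, addr, off, size):
        return struct.pack(SHDR, name, typ, 0, addr, off, size, 0, 0, 1, 0)

    shdrs = (sh(0, 0, 0, 0, 0)
             + sh(1, SHT_PROGBITS, text_addr, text_off, len(text))
             + sh(7, SHT_PROGBITS, data_addr, data_off, len(data))
             + sh(13, SHT_STRTAB, 0, str_off, len(shstrtab)))
    return ehdr + text + data + shstrtab + shdrs


if __name__ == "__main__":
    demo = build_test_elf(b"\x36\x41\x00\x0c", 0x40100000, b"\x01\x02\x03", 0x3ffe8000, 0x40100000)
    print(stub_header(demo), end="")
```

The host tool then only needs the three `_ADDR`/`_LEN` pairs and the arrays to drive MEM_BEGIN/MEM_DATA for each section and MEM_END with `STUB_ENTRY`; a missing `.data` is handled by a zero length rather than a special case in the uploader.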
and how do we make the ESP enter boot mode?
- wire two host GPIO pins to RST (EN on the ESP32) and GPIO0
- pull both low
  - RST low holds the ESP in reset
  - GPIO0 has to be low at the moment it leaves reset
- pull RST high to start it
- pull GPIO0 high again once the ROM has sampled it and started
overview:
- bootmode/serial
- serial protocol
- flash loader
differences between ESP versions
- identification:
  - ESP32-C3 and later support GET_SECURITY_INFO, whose response contains a chip_id
  - earlier models are identified by reading a magic value from a fixed register
- MAC address:
  - stored in different registers per chip
  - on the ESP8266 the MAC has to be computed from several eFuse words
- different flash loader builds per chip
  - the ESP8266 stub has no .data section
different hosts:
- Linux PC (USB serial adapter)
- Raspberry Pi (GPIO: UART plus the RST/GPIO0 lines)
- another ESP (GPIO, same wiring)
extracting the file system
- ESP8266
- ESP32
interesting files
- Wi-Fi credentials
- certificates
- JWT tokens


DEMO!


== cloc

line counts of the Rust-based stub and the esp-hal crate it builds on, versus the legacy C-based stub:

```sh
$ cloc esp-flasher-stub/
      38 text files.
      34 unique files.                              
       5 files ignored.

github.com/AlDanial/cloc v 2.04  T=0.02 s (2259.9 files/s, 199599.0 lines/s)
-----------------------------------------------------------
Language          files       blank     comment        code
-----------------------------------------------------------
Rust                 12         327          78        1863
Logos                14          32           0         249
YAML                  3          34          12         214
Markdown              1          34           0          89
TOML                  4           8           2          61
-----------------------------------------------------------
SUM:                 34         435          92        2476
-----------------------------------------------------------

$ cloc esp-hal
     742 text files.
     718 unique files.                                          
      35 files ignored.

github.com/AlDanial/cloc v 2.04  T=0.36 s (1978.1 files/s, 522278.6 lines/s)
-----------------------------------------------------------
Language          files       blank     comment        code
-----------------------------------------------------------
Rust                492       18739       26120      115809
Linker Script        51         499        1404       11315
Markdown             66        2014          12        5262
TOML                 43         505         412        4481
Logos                44         229          15        1105
YAML                 13         151          67        1054
Jinja Template        3          52           0         255
JSON                  2           0           0          48
CSV                   3           0           0          21
SVG                   1           0           0           4
-----------------------------------------------------------
SUM:                718       22189       28030      139354
-----------------------------------------------------------

$ cloc esptool-legacy-flasher-stub/
      63 text files.
      60 unique files.                              
       4 files ignored.

github.com/AlDanial/cloc v 2.04  T=0.06 s (952.9 files/s, 535446.8 lines/s)
-----------------------------------------------------------
Language          files       blank     comment        code
-----------------------------------------------------------
Linker Script        32         787        1188       18751
C                     6        1284         636        7689
C/C++ Header          8         463         557        1687
make                  1          36          33         130
YAML                  4          19           0         114
Python                2          25          21          80
Markdown              3          58           0          76
Bourne Shell          2           9           8          23
TOML                  1           1           0          20
Jinja Template        1           4           2          14
-----------------------------------------------------------
SUM:                 60        2686        2445       28584
-----------------------------------------------------------
```