Thursday, September 11, 2014

Hardware Hacking: I2C Injection with the Bus Pirate

Hardware Hacking

Embedded hardware hacking seems to be all the rage these days so I thought I would poke around at a few concepts and see what's doing with embedded hardware. I decided to set up a simple experiment to test some concepts that I think will be helpful to understand in the future when analyzing embedded systems, namely sniffing traffic and message injection.

The Experiment

I decided to create a simple lab involving an Arduino Uno, in this case a SparkFun RedBoard, and a BlinkM LED that can be controlled over I2C. The Arduino would have a simple sketch that will update the color of the BlinkM and using a Bus Pirate I would then sniff traffic that is occurring between the BlinkM and the Arduino. I would also like to study the process involved in using the Bus Pirate to inject messages to take control of the BlinkM and have it change to a different color. I'm not blowing anyone's skirt up with this, but I gotta start out somewhere.


The protocol used in this experiment is I2C. It is a simple two wire interface (TWI) that supports multiple masters and multiple slaves all sharing a serial bus. Aside from a power and ground I2C uses two lines to perform data transfer. The first is the Serial Data Line (SDA) and the second is the Serial Clock Line (SCL). Grossly, to the point of being misleading, simplified, each bit of data is transferred by reading if SDA is pulled high or low when SCL rises. Helpful resources to lean more about I2C can be found here and here. The main points to take away with respect to how components communicate with each other however is that each component has a read address and a write address. Before one component can talk to another, it will write the destination address (be it a read or write address) on the SDA line and then the rest of the data.

Assembling The Circuit

Creating the circuit was a fairly simple exercise. It's not difficult, it just requires some upfront investment in purchasing hardware. It's a far cry from just spinning up a new VM if software hacking is what you're used to. 

First, I plugged in the BlinkM into a breadboard.

I then connected Male to Male (M-M) jumper cables from the ground pin (PWR -) to the GND pin on the RedBoard, the power pin (PWR +) to the 5V header on the RedBoard, the data pin (I2C d) to the A4 header on the RedBoard, and the clock pin (I2C c) to the A5 header on the RedBoard.

With the circuit connected we can now focus on programming controlling the BlinkM with the RedBoard.

Programming the Circuit

Once you give power to the Arduino, you'll probably see the BlinkM light up right away. And if you're like me you'll immediately try to program it and see that it has no effect on the BlinkM and wonder why it's not working. Well, the BlinkM comes out of the box pre-programmed to run a demo script. In order to cease running the script you'll have to send it the Stop Script command documented in the manual for the BlinkM. The easiest way to do that is to load some example code that the makers of the BlinkM provide found here. The BlinkMTester sketch will give you the ability to run some basic commands to control the BlinkM and stopping the script is one option.

With that out of the way we can now program the BlinkM. For my little example I wanted to have the BlinkM change from red to green back and forth at 3 second intervals. 

With the sketch uploaded we can see the Arduino and BlinkM go into action.

The Bus Pirate

Now that we have a functioning circuit that can serve as a test bed, we can use the Bus Pirate to sniff traffic on it. The Bus Pirate is a neat little tool that can serve many different functions. It can sniff traffic over a variety of protocols such as UART, SPI, and I2C and it can also inject traffic as well. 

In order to have the Bus Pirate be able to sniff traffic on our little circuit we need to insert a couple more Male to Male wires on the SDA and SCL lines. We will then connect the MOSI Bus Pirate probe to the BlinkM's SDA line and the CLK Bus Pirate probe to the BlinkM's SCL line. Be wary of where you purchased your Bus Pirate probes because the colors will be completely off if you bought it from SeeedStudio/Adafruit vs Sparkfun. 

Sniffing I2C Traffic

Now, once you've connected to your Bus Pirate using Putty or some other serial terminal you can start sniffing the traffic being passed from the RedBoard to the BlinkM. To do this we will change the Mode of the Bus Pirate so that it is in I2C mode and then drop the Bus Pirate into sniffing mode.

From the screenshot we can see the I2C messages being sent. Each message starts with a [ character and then shows the hexadecimal value of each byte being sent, followed by a + for an ACK or a - for a NACK and is then followed by the end of the message which is the ] character. In this instance the first message sniffed corresponds to the portion of the sketch which is commanding the BlinkM to turn red. 0x12 is the write address of the BlinkM (I know we set the address to be 0x09 in the sketch, but that translates to a 0x12 write address) followed by the hexadecimal ASCII value for the h character (0x68) then followed by the 3 bytes for the hue (0x00), saturation (0x10), and brightness (0x01). Then it's followed by another message that changes the color to blue and then back to red over and over.

This let's us know that we are reading the right messages and validates the data that we think we are sending with the RedBoard. Now for the more interesting part, how to take control of the BlinkM with the Bus Pirate.

Injecting I2C Traffic

Controlling the BlinkM with the Bus Pirate will require us to mimic the message structure but using Bus Pirate syntax. In this case we need to write to the address 0x12 and send the following bytes:
  1. 0x68 - This is the h character which tells the BlinkM to fade to another color using the next 3 bytes as the HSB values
  2. 0xAA - This is the color blue
  3. 0x10 - This is the saturation value
  4. 0x01 - This is the brightness value
To send a message with this kind of structure we will type into the I2C prompt of the Bus Pirate this command:

Once you inject the command the feedback from the Bus Pirate should indicate that it received ACKs for each byte you injected.

If all goes well you should see the BlinkM turn blue when you inject the message; something that should never occur if the RedBoard is the only master on the I2C bus. Note that the color won't stay blue forever as the RedBoard will continue to send messages to change the color of the BlinkM red and green.

Success! Exciting right? Hello? <tap> <tap> Is this thing on? <tap> <tap>