NANDo-Board: the swiss-army-knife for your IoT hacking adventures

In my previous two blog posts about IoT and Hardware Hacking, I released two cool and quite useful toys: FocacciaBoard and BurtleinaBoard. If you do not remember or never read about them... here is a quick reminder:
https://lucabongiorni.medium.com/hacking-iot-devices-with-focaccia-board-8c4e009ed488
https://lucabongiorni.medium.com/hacking-iot-rf-devices-with-b%C3%BCrtleinaboard-165e246b1ed0 

With this new blog post I want to present a new toy I created back in 2021 and that I can’t live without: NANDoBoard

This is the evolution of FocacciaBoard. Instead of an FT232H it mounts an FT2232HL chipset, which doubles its capabilities. Now, in a single device, you can have a UART and a JTAG debugger at the same time, for example. Or even dump NAND flashes!


The FT2232H is a USB 2.0 Hi-Speed (480Mb/s) to Dual Channel Serial UART/FIFO/JTAG/SPI/I2C IC. It has the capability of being configured in a variety of industry standard serial or parallel interfaces. Building on the innovative features of the FT2232, the FT2232H has two multi-protocol synchronous serial engines (MPSSEs) which allow for communication using JTAG, I2C and SPI on two channels simultaneously.

What does that mean for hardware hackers? With a single NANDoBoard you will be able to:

  • Debug through UART and JTAG/SWD ports AT THE SAME TIME!
  • Dump SPI memories
  • Dump NAND memories
  • Be able to sniff & decode packets

What you need to build your own NANDoBoard:

Before going through each feature and related command examples... let’s review what you need to build your own NANDoBoard:

  • This breakout is designed for the FT2232HL CJMCU board (e.g. https://s.click.aliexpress.com/e/_DeK6Oor )
  • The Pull-up Resistor is 470 Ohm. **
  • Screws to hold the PCB to the 3D-printed case are 2x6mm.
  • BE SURE to mount the FT2232HL with the FTDI chipset FACING UP!!!

**Please check BOM.txt for the components needed. Most likely (except for the R470 OHM 2010) you already have all you need.

NANDoBoard Usage Examples:

UART (Channel A) Usage Example:

Command to run the UART console feature: configure minicom/putty/whatever-terminal-you-are-used-to on the Channel A serial port, e.g.:
screen /dev/ttyUSB0 115200
screen -L /dev/ttyUSB0 115200
screen -L -Logfile UART.log /dev/ttyUSB0 115200

JTAG (Channel B) Usage Example:

Command to run the JTAG debugging feature:
sudo openocd -f NANDo-Board_JTAG_OpenOCD.cfg -f target_device.cfg

SWD (Channel B) Usage Example:

Command to run the SWD debugging feature (remember to move the SWD Enable switch on the PCB before using this feature!):

openocd -f NANDo-Board_SWD_OpenOCD.cfg -f target_device.cfg 

Below you can see the wiring to get UART on Ch.A and JTAG on Ch.B working at the same time against a commercial CPE.


SPI Dumping (Channel B) Usage Example:

With this feature you can use either the DIP8 socket with its related DIP-to-SOP8/16 sockets or the classic SOP8/16 clip.


Command to run the SPI dumping feature:
flashrom -p ft2232_spi:type=2232H,port=B -r firmware.bin 

Reminder: in case you also need to write an SPI flash... please enable the WRITE PROTECT (WP) jumper on the PCB (i.e. SPI WP Enable).

NAND Dumping Usage Example:

One of my favourite features of the FT2232HL is that it has enough I/Os to let us communicate with NAND memories and thus dump them without buying expensive dedicated programmers.

Dump Raw Image:
yand_cli.py -r -f nand_raw_dump_withOOB.bin 

Remove OOB Data:
python Nand-dump-tool.py -i nand_raw_dump_withOOB.bin -o nand_raw_dump_cleaned.bin --page-size 2048 --oob-size 64 --layout separate

OR

python Nand-dump-tool.py -i nand_raw_dump_withOOB.bin --layout=guess -I <ID-CODE-HERE> -o nand_raw_dump_cleaned.bin 
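To make the OOB-stripping step concrete, here is an added example (not code from the NANDo-board repo or from Nand-dump-tool.py) that walks a raw dump in the same "separate" layout as the command above (2048-byte page followed by its 64 OOB bytes), drops the OOB area, and reports blocks whose factory bad-block marker is set; the pages-per-block value and the sample dump are constructed assumptions.

```python
# Added example (not from the NANDo-board repo or Nand-dump-tool.py): strip the
# OOB/spare area from a raw NAND dump laid out as [2048 data][64 OOB] per page,
# and list blocks whose factory bad-block marker (OOB byte 0) is not 0xFF.
PAGE_SIZE = 2048          # --page-size 2048 from the command above
OOB_SIZE = 64             # --oob-size 64
PAGES_PER_BLOCK = 64      # assumption: a common geometry for 2 KiB-page NANDs

def split_pages(raw, page_size=PAGE_SIZE, oob_size=OOB_SIZE):
    """Yield (data, oob) pairs for a 'separate' layout dump (OOB after each page)."""
    stride = page_size + oob_size
    if len(raw) % stride:
        raise ValueError(f"dump length {len(raw)} is not a multiple of {stride}")
    for off in range(0, len(raw), stride):
        yield raw[off:off + page_size], raw[off + page_size:off + stride]

def strip_oob(raw, page_size=PAGE_SIZE, oob_size=OOB_SIZE):
    """Return only the data area, i.e. the 'cleaned' image the tool above produces."""
    return b"".join(data for data, _ in split_pages(raw, page_size, oob_size))

def bad_blocks(raw, page_size=PAGE_SIZE, oob_size=OOB_SIZE,
               pages_per_block=PAGES_PER_BLOCK):
    """Block indices whose first page carries a bad-block marker (OOB[0] != 0xFF).
    Data in such blocks is not trustworthy and filesystem tools skip it."""
    marked = []
    for idx, (_, oob) in enumerate(split_pages(raw, page_size, oob_size)):
        if idx % pages_per_block == 0 and oob[0] != 0xFF:
            marked.append(idx // pages_per_block)
    return marked

def make_sample_dump(n_pages=2 * PAGES_PER_BLOCK, bad_block=1):
    """Constructed raw dump: page i is filled with byte (i & 0xFF), OOB is all 0xFF
    except the first page of `bad_block`, which carries a 0x00 marker."""
    out = bytearray()
    for i in range(n_pages):
        oob = bytearray(b"\xff" * OOB_SIZE)
        if i == bad_block * PAGES_PER_BLOCK:
            oob[0] = 0x00
        out += bytes([i & 0xFF]) * PAGE_SIZE + oob
    return bytes(out)

if __name__ == "__main__":
    raw = make_sample_dump()
    clean = strip_oob(raw)
    print(f"raw {len(raw)} bytes -> cleaned {len(clean)} bytes, bad blocks: {bad_blocks(raw)}")
```

The length check is the first thing to run on a real dump: a size that is not a multiple of page+OOB means the geometry passed to the tool is wrong, and the cleaned image will be shifted garbage.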

In the image below you can see an example of On-PCB NAND dumping with NANDoBoard and a 360Clip!


Of course, you could always chip-off the PCB with a hot-airgun/reflow station and place the NAND onto a TSOP48 connector directly on the NANDoBoard!

Logic Analyzer with Pulseview Usage Example:

Another cool feature that the FT2232HL brings you is that it can be used as a logic analyzer. I know... it is light-years away from a reliable LA... but still... it does its dirty job with slow signals.

The strip pins AD0-AD7 labeled "Pulseview FTDI-LA" can be used as low-frequency logic analyzer channels with the Pulseview/Sigrok tool. Here is the configuration you have to select in Pulseview once you plug the NANDoBoard into your PC:


An example of how it still works fine, despite its limited capabilities, can be seen in the images below, where it is possible to retrieve the master key of a hardware password manager while sniffing the SPI bus at boot time!


Here is the comparison between the SPI traffic dumps from our NANDoBoard with Pulseview and from a Saleae Logic. Both were able to successfully dump and decode the SPI traffic, and if you look closer you can even see the master key of the hardware password manager under test. 8)
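What Pulseview's SPI decoder is doing with those AD0-AD7 samples is simple enough to show in a few lines. The following is an added example (not part of the original post, nor Pulseview/sigrok code): it latches MOSI/MISO bits on each SCLK rising edge while CS is low (SPI mode 0, MSB first) and interprets a standard SPI-NOR READ (0x03) transaction, which is exactly why anything a device fetches from external flash in the clear at boot is readable by anyone with a logic analyzer on the bus. The capture it decodes is constructed, not a real recording.

```python
# Added example (not from the original post or from Pulseview/sigrok): decode
# SPI mode 0 traffic from logic-analyzer samples and interpret a NOR READ.
# The capture is constructed here; a real one would come from the AD0-AD7 pins.

def bits_to_bytes(bits):
    """Pack MSB-first bits into bytes; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def decode_spi_mode0(samples):
    """samples: iterable of (cs, sclk, mosi, miso) logic levels, one per sample.
    Returns one (mosi_bytes, miso_bytes) tuple per CS-low window."""
    transactions, prev_clk, frame = [], 0, None
    for cs, sclk, mosi, miso in samples:
        if cs == 0 and frame is None:            # chip select asserted: new transaction
            frame = ([], [])
        elif cs == 1 and frame is not None:      # chip select released: close it
            transactions.append((bits_to_bytes(frame[0]), bits_to_bytes(frame[1])))
            frame = None
        if frame is not None and prev_clk == 0 and sclk == 1:   # rising edge latches data
            frame[0].append(mosi)
            frame[1].append(miso)
        prev_clk = sclk
    return transactions

def parse_flash_read(mosi, miso):
    """Interpret a standard SPI-NOR READ: 0x03, 24-bit address, then data on MISO."""
    if len(mosi) < 4 or mosi[0] != 0x03:
        return None
    return int.from_bytes(mosi[1:4], "big"), miso[4:]

def make_capture(mosi_bytes, miso_bytes):
    """Constructed capture of one transaction, two samples per clock period."""
    samples = [(1, 0, 0, 0), (0, 0, 0, 0)]       # idle, then CS asserted with SCLK low
    for mb, sb in zip(mosi_bytes, miso_bytes):
        for bit in range(7, -1, -1):
            m, s = (mb >> bit) & 1, (sb >> bit) & 1
            samples += [(0, 0, m, s), (0, 1, m, s)]   # set up on low, latch on rising edge
    samples += [(0, 0, 0, 0), (1, 0, 0, 0)]      # clock returns low, CS released
    return samples

# Host reads 4 bytes at flash address 0x001000; the chip answers on MISO.
CAPTURE = make_capture(b"\x03\x00\x10\x00" + b"\x00" * 4,
                       b"\x00" * 4 + b"BOOT")

if __name__ == "__main__":
    for mosi, miso in decode_spi_mode0(CAPTURE):
        print(parse_flash_read(mosi, miso))      # (4096, b'BOOT')
```

The defensive takeaway is the one the screenshots above make visually: a secret stored in, or streamed from, an unencrypted external flash is bus-visible, so it should be encrypted at rest or kept in a part that never leaves the SoC.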


Multipurpose Pin Headers/Sockets

Finally, as with the FocacciaBoard... I wanted to add some pin headers/sockets that are not connected to the FT2232HL (i.e. on the lower-left part of NANDo-Board's PCB). They are there just in case you need to mess with many flying wires and want to keep all connections clean and in order, like with a usual breadboard, but with screw-down terminal blocks & co.

Conclusions

Overall, NANDoBoard is far from perfect: as usual, I stayed away from messing with multi-level shifters and from making this device compatible with targets having working voltages other than 3.3V. But for average needs it is all you need to hack common hardware and IoT devices!

If you have read this far, I salute you! Here is the repo where you can get the usual Gerbers, BoM and STL to print its case: https://github.com/whid-injector/NANDo-board

Finally, stay tuned for upcoming hacking toys at https://twitter.com/whid_ninja

WHID's Trainings

The Offensive Hardware Hacking Training is a Self-Paced training including Videos, a printed Workbook and a cool Hardware Hacking Kit. And… you get everything shipped home Worldwide!
For more info… ➡ https://www.whid.ninja/store
