Simple POC for SPI communication between an MSP430 and Winbond W25Q32JV flash chip

nosoxon/msp430-w25q32jv

MSP430 exfiltrator for Winbond Flash chips

This is a simple POC for SPI communication between a TI MSP430G2553 microcontroller and a Winbond W25Q32JV flash chip. Having no prior experience with SPI and limited experience with the MSP430, this project was both challenging and rewarding.

If you truly wish to run this code, you'll most likely need to modify the Makefile unless you're running Arch with the msp430-elf-* toolchain packages from the AUR. (I use arch btw)

Referenced Datasheets

Throughout my code there are several comments referencing datasheet sources:

Background

I bought a cheap wireless camera off Amazon, and it had a hardcoded password of `12345678`. It had a couple of open ports, a flash chip (W25Q32JV), and a Ralink chip. Knowing this, I wanted to find out more about its inner workings, so I cobbled together this code for an MSP430 to communicate with the flash chip via SPI. Ideally, I would have used an SOIC-8 clip, but I made do with what I had.

Results

$ binwalk dump.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x7EBF92E6, created: 2013-09-02 14:03:02, image size: 81904 bytes, Data Address: 0x80200000, Entry Point: 0x80200000, data CRC: 0x739ABB93, OS: Linux, CPU: MIPS, image type: Standalone Program, compression type: none, image name: "SPI Flash Image"
69296         0x10EB0         U-Boot version string, "U-Boot 1.1.3 (Sep  2 2013 - 22:03:00)"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0x24EF36B4, created: 2017-07-30 08:41:54, image size: 1578918 bytes, Data Address: 0x80000000, Entry Point: 0x8031F000, data CRC: 0x67F11261, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3926339 bytes

It runs Linux! Extracting the rootfs cpio yielded the expected hardcoded WLAN configs and some binary blobs of interest. It also revealed that the software running on the camera was built with a proprietary MediaTek Ralink SDK. I trawled through Google results and open directories for hours with snippets from obvious template files in the cpio and eventually found the SDK.
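A dump read over SPI can carry misread bits, and the uImage headers binwalk found above contain CRCs that let you check for that before trusting anything extracted from it. The following is an added example, not code from this repository: the function names `check_uimage` and `build_sample` are hypothetical, and the image it tests itself on is constructed rather than taken from the camera.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HEADER_FMT = ">7I4B32s"                    # big-endian legacy U-Boot image header
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 64 bytes, as binwalk reports

def check_uimage(dump: bytes, offset: int) -> dict:
    """Validate the uImage at `offset`; return parsed fields and CRC verdicts."""
    hdr = dump[offset:offset + HEADER_SIZE]
    if len(hdr) < HEADER_SIZE:
        raise ValueError("dump too short for a uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"no uImage magic at {offset:#x}")
    # The header CRC is computed with its own field (bytes 4..8) zeroed.
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]
    data = dump[offset + HEADER_SIZE:offset + HEADER_SIZE + size]
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "size": size, "load": load, "entry": entry,
        "header_ok": zlib.crc32(zeroed) == hcrc,
        "truncated": len(data) < size,     # image runs past the end of the dump
        "data_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }

def build_sample(payload: bytes, name: bytes) -> bytes:
    """Build a constructed test image (sample OS/arch/type bytes, not camera data)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
              zlib.crc32(payload), 5, 5, 2, 0, name]
    fields[1] = zlib.crc32(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields) + payload

if __name__ == "__main__":
    # Constructed dump: 16 bytes of erased flash, then one sample image.
    good = b"\xff" * 16 + build_sample(b"constructed kernel bytes" * 64, b"Sample Image")
    print(check_uimage(good, 16))
    flipped = bytearray(good)
    flipped[16 + HEADER_SIZE + 100] ^= 0x04  # simulate one misread bit in the payload
    print(check_uimage(bytes(flipped), 16))
```

On the real dump, call `check_uimage(open("dump.bin", "rb").read(), off)` with `off` set to `0x0` and `0x50000`, the two uImage offsets in the binwalk output.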
