Table of Content
Please note the Kernel version, sources, initramfs and init.rc file will be useful in the second part of this series of article. Here, the Linux Kernel command line contains the mtdparts configuration variable. This leaks both the names and sizes of all flash partitions. It was now time to actually have a look at the content of the NAND Flash dump. It appears that for each page, the OOB section is filled with a 90 bytes chunk of data.
As I explained before, NAND Flash memories are unreliable and the probability some bits are flipped is high. One of the very early design goal of NandBug was to be able to monitor the data read and written by the Google Home to the NAND Flash in real time. It could maybe have been useful to find interesting TOCTOU bugs in the secure boot implementation. Everything is next melted together with the hot air station. A better video of a similar process applied to a real BGA component can for instance be found here.
Can I create a Google QR code for Google search results pages?
Let’s check the list of things you can ask Google Home to do. We know the bootloader and kernel partitions are part of the chain of trust. Unsurprisingly, because they are probably the most carefully written parts, I haven't been able to find any way to skip the secure boot from this side. Once mounted, the cache reveals it's mostly used to store user data and configuration files. For instance, a wpa_supplicant.conf file storing WiFi credentials exists.
This script will simply generate the Passthrough bitstream and upload it to the FPGA. Communicating with the configured FPGA to receive data from the NAND Flash or orchestrate programming operations. Uploading these bitstreams to the FPGA using the SPI Slave Mode programming procedure.
Unpacking the Firmware Image
This push button is not accessible without cracking the case open. Pushing it at boot time will force the bootloader to boot from the USB port of the device. However, only signed code can theoretically be executed. Please note that, for successful code generation your device clock need to be in correct time and date and also set to correct time zone.
The content and structure of the NAND Flash will need to be understood. It's the most direct way of achieving code execution on the platform. My goal will be to modify the NAND flash content until I can execute my own code. Finally, it's important to note that the main CPU comes without public documentation.
Google Home Mini has arrived—here’s what you can do with it
A FT2232H. This component adds Hi-Speed USB connectivity to the board. Hardware files are available here while the software can be downloaded from here. I made the schematics, Gerber files, and software of NandBug publicly available.
This bitstream will generate a FSM that's able to program pages. The pages addresses and data are received from the FT2232H using the Sync FIFO Mode. This bitstream will generate a FSM that's able to erase blocks. The addresses to erase are received from the FT2232H using the Sync FIFO Mode.
This section gives some information concerning the software and gateware architecture behind NandBug. It's not absolutely necessary to read this section to understand the rest of the article. To help with the soldering process, I ordered a stencil at the same time with the Interposer PCB. The holes of the stencil are matching the NAND Flash footprint. It's a mirrored version of the "normal" NAND Flash schematic. Indeed, this board will be soldered in place of the original NAND on the Google Home Mini PCB.
Very few details about this component are available online. All the juicy technical data is likely protected by a NDA. Marketing agencies and in-house marketers can use Google QR codes to promote Google links and reach a broader audience.
As it must be soldered like a BGA component, I'll turn it into one by soldering tiny solder balls. First things first, the NAND Flash must be desoldered from the Google Home PCB. This has been done with a cheap hot air reworking station. It's a model that can be bought from many places and that has served me well for several years now. Receiving and transmitting data to and from the NAND Flash. This is done using the Synchronous FIFO mode of the FT2232H.
A lot of Google Play Gift Card card codes have already been used so keep on trying. Our generator gives you the best chance to unlock new Google Play codes for a free $10, $20 or $50 gift card bonus. The Google Play Gift Card Code Generator allows you to create unlimited codes.
Check the list of Google Home funny commands to enjoy some amusing moments. I have compiled a list of 500+ funny things to ask Google Assistant which you must check out. Extracting files from this image is just a matter of running the unsquashfs command. The simple file utility can be used against this image to reveal it's in fact a Squashfs filesystem. A glance at the bootloader/berlin_tools/bootloader/nand_ctrl/mv_nand.c file is enough to understand the ECC is calculated by the hardware of the main SoC itself.
The first thing to note is that the way the data is written to a NAND Flash is somewhat special. Each page contains data and a special section called OOB, the out-of-bound section. More importantly, the Google Home Mini can still boot without problems despite all the heavy surgery it received.
A QR code is a two-dimensional barcode that is readable by smartphones. It allows to encode over 4000 Characters in a two dimensional barcode. QR codes may be used to display text to the user, to open a URL, save a contact to the address book or to compose text messages.
No comments:
Post a Comment