00:00:02,310 --> 00:00:03,930
Hello, welcome back.

00:00:04,620 --> 00:00:27,180
In this lesson I will talk about SPI exploitation. SPI stands for Serial Peripheral Interface. Serial Peripheral Interface is a synchronous serial communication interface specification used for short-distance communication, primarily in embedded systems.

00:00:29,530 --> 00:00:37,270
The figure shows the product sheet of a Microchip microcontroller with an SPI serial interface.

00:00:39,400 --> 00:01:04,000
SPI flash memory, also known as flash storage, has become widespread in the embedded industry and is commonly used for storage and data transfer in portable devices. Common devices include phones, tablets and media players, as well as industrial devices like security systems and medical products.

00:01:05,560 --> 00:01:12,400
This figure in the slide shows a product sheet of a Microchip SPI flash memory.

00:01:15,230 --> 00:01:50,960
Let's now look at some features of the SPI communication protocol. SPI is a full-duplex communication protocol. SPI devices communicate using a master-slave architecture, usually with a single master; the master, or controller device, originates the frame for reading and writing. Multiple slave devices may be supported through selection with individual chip select (CS) lines, sometimes called slave select lines.

00:01:53,680 --> 00:02:36,430
SPI needs three wires to enable the data exchange, plus a slave selection line. These lines are: the MOSI line (Master Out Slave In), a data output from the master; the MISO line (Master In Slave Out), a data output from the slave; the SCLK line (serial clock), output from the master; and the Chip/Slave Select line, often active low, output from the master to indicate that data is being sent.

00:02:40,320 --> 00:03:09,030
The two figures in the slide show graphics relating to read and write operations via the SPI interface. In the write operation, the master sends the write command on the MOSI line, followed by the data to be written. In the read operation, the master instead sends the read command on the MOSI line and then receives the data from the slave on the MISO line.

00:03:12,130 --> 00:03:40,450
Now let's see the steps to follow to verify the security of the SPI interface with respect, for example, to the possibility of extracting data directly from an EEPROM memory via the SPI interface. The first step is to identify the SPI pinouts of the IoT device. Consulting the datasheet of the SPI device is very useful for this activity.

00:03:41,050 --> 00:04:17,080
The second step is to connect the SPI pinouts to the PC via a USB-TTL converter interface. There are two ways to connect the SPI pinouts to the USB-TTL converter. You can unsolder the SPI EEPROM from the printed circuit board and insert it into an adapter suitable for the EEPROM package, or you can directly connect the SPI EEPROM pinouts to the USB-TTL converter using SOIC clips without unsoldering the EEPROM.

00:04:19,990 --> 00:04:31,360
Here a schematic connection is reported of an EEPROM of an IoT device connected to an analysis PC through an Attify Badge interface.

00:04:34,910 --> 00:05:08,000
In the next step, you can proceed to establish a connection between the PC and the IoT device through the chosen connection interface, launching appropriate connection programs from the PC to read and write data, such as the Python script spiflash.py, downloadable as a project from GitHub. So, if the data is not securely managed on the device, an attacker can read it or manipulate it.

00:05:10,270 --> 00:05:14,020
OK, thank you for your attention, bye.
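As an added example (not part of the lesson and not the spiflash.py project), a Python model of the frames described above: the master puts the read or write command plus address on MOSI, and the slave answers byte for byte on MISO, so read data only appears after the command bytes have been clocked. The flash model, its 4 KiB size and the sample data are constructed; the opcodes 0x03 (READ), 0x02 (PAGE PROGRAM) and 0x06 (WRITE ENABLE) are the common JEDEC SPI NOR ones, and the write-enable latch is the chip's own small protection against stray writes.

```python
# Constructed, simplified model of an SPI NOR flash slave and the master-side
# frames from the lesson. Opcodes are the common JEDEC ones; real parts add
# status registers, page/sector limits and timing that this toy ignores.
WREN, PAGE_PROGRAM, READ = 0x06, 0x02, 0x03

class SpiFlashModel:
    """Slave side: for every byte clocked in on MOSI, one byte goes out on MISO."""

    def __init__(self, size: int = 4096):
        self.mem = bytearray([0xFF] * size)  # erased flash reads back as 0xFF
        self.write_enabled = False           # models the WEL status bit

    def transfer(self, mosi: bytes) -> bytes:
        """Handle one non-empty chip-select frame; MISO is as long as MOSI."""
        miso = bytearray(len(mosi))          # 0x00 where the slave has nothing to send
        cmd = mosi[0]
        if cmd == WREN:
            self.write_enabled = True
        elif cmd in (READ, PAGE_PROGRAM) and len(mosi) >= 4:
            addr = int.from_bytes(mosi[1:4], "big")   # 24-bit address
            if cmd == READ:
                # bytes 0-3 carry opcode+address; from byte 4 the slave streams memory
                for i in range(4, len(mosi)):
                    miso[i] = self.mem[(addr + i - 4) % len(self.mem)]
            elif self.write_enabled:
                data = mosi[4:]
                self.mem[addr:addr + len(data)] = data
                self.write_enabled = False   # WEL clears after every program
        return bytes(miso)

def master_read(chip: SpiFlashModel, addr: int, n: int) -> bytes:
    """Master: READ opcode + address on MOSI, then n dummy bytes to clock data in."""
    frame = bytes([READ]) + addr.to_bytes(3, "big") + b"\x00" * n
    return chip.transfer(frame)[4:]

def master_write(chip: SpiFlashModel, addr: int, data: bytes, enable: bool = True):
    """Master: optional WRITE ENABLE frame, then PAGE PROGRAM opcode + address + data."""
    if enable:
        chip.transfer(bytes([WREN]))
    chip.transfer(bytes([PAGE_PROGRAM]) + addr.to_bytes(3, "big") + data)

def demo() -> tuple:
    """Program a constructed sample without and with WRITE ENABLE, then read back."""
    chip = SpiFlashModel()
    master_write(chip, 0x000100, b"constructed sample", enable=False)  # chip ignores it
    ignored = master_read(chip, 0x000100, 18)    # still erased: 18 bytes of 0xFF
    master_write(chip, 0x000100, b"constructed sample")
    stored = master_read(chip, 0x000100, 18)     # b"constructed sample"
    return ignored, stored
```

On a real board the same two frames are what spiflash.py or a similar tool drives through the USB-TTL adapter; the point of the model is that whatever the chip holds is readable to anyone who can clock those frames in.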