Dobrica Pavlinušić's random unstructured stuff
USB armory Mk II: Revision 26
{toc: }
SoC: NXP i.MX6ULZ ARM® Cortex™-A7 900 MHz RAM: 512 MB DDR3 Storage: internal 16 GB eMMC + external microSD Bluetooth module: u-blox ANNA-B112 BLE USB-C ports: DRP (Dual Role Power) receptacle + UFP (Upstream Facing Port) plug, USB 2.0 only (no video support) LEDs: two Slide switch: for boot mode selection between eMMC and microSD External security elements: Microchip ATECC608A + NXP A71CH Physical size: 66 mm x 19 mm x 8 mm (without enclosure, including USB-C connector) Wiki which claims that there is binary release for Mk II is lying. You have to compile your own. https://github.com/inversepath/usbarmory-debian-base_image .pre dpavlin@klin:~/usb-armory/usbarmory-debian-base_image$ ls -al usbarmory-mark-two-debian_stretch-base_image-20191013.raw -rw-r--r-- 1 root root 3670016000 Oct 13 13:30 usbarmory-mark-two-debian_stretch-base_image-20191013.raw dpavlin@nuc:/mnt/klin/home/dpavlin/usb-armory/usbarmory-debian-base_image$ dd if=usbarmory-mark-two-debian_stretch-base_image-20191013.raw of=/dev/sdb bs=1M dpavlin@nuc:~$ dmesg [764607.538898] usb 2-1: new high-speed USB device number 34 using xhci_hcd [764607.689068] usb 2-1: New USB device found, idVendor=0525, idProduct=a4a2, bcdDevice= 4.19 [764607.689078] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [764607.689082] usb 2-1: Product: RNDIS/Ethernet Gadget [764607.689100] usb 2-1: Manufacturer: Linux 4.19.78-0 with 2184000.usb [764607.900916] cdc_subset: probe of 2-1:1.0 failed with error -22 [764607.902622] cdc_subset 2-1:1.1 usb0: register 'cdc_subset' at usb-0000:00:14.0-1, Linux Device, ae:47:47:81:a0:a4 [764607.902666] usbcore: registered new interface driver cdc_subset [764607.902711] cdc_ether: probe of 2-1:1.0 failed with error -16 [764607.902732] usbcore: registered new interface driver cdc_ether [764607.914234] cdc_subset 2-1:1.1 enp0s20u1i1: renamed from usb0 dpavlin@nuc:~$ sudo ifconfig enp0s20u1i1 10.0.0.2 netmask 255.255.255.0 dpavlin@nuc:~$ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE dpavlin@nuc:~$ ssh usbarmory@10.0.0.1 # password is usbarmory usbarmory@usbarmory:~$ uname -a Linux usbarmory 4.19.78-0 #1 PREEMPT Sun Oct 13 11:05:18 UTC 2019 armv7l GNU/Linux usbarmory@usbarmory:~$ cat /proc/cpuinfo processor : 0 model name : ARMv7 Processor rev 5 (v7l) BogoMIPS : 109.09 Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae CPU implementer : 0x41 CPU architecture: 7 CPU variant : 0x0 CPU part : 0xc07 CPU revision : 5 Hardware : Freescale i.MX6 Ultralite (Device Tree) Revision : 0000 Serial : 0000000000000000 usbarmory@usbarmory:~$ free total used free shared buff/cache available Mem: 512204 25588 436744 7624 49872 467984 Swap: 0 0 0 .pre ^ boot select switch Switch near sdcard select booting from emmc or microsd (silkscreen is somewhat poor, but by default bafore removing sticker it will boot from sdcard) If it's closer to sdcard, it will boot from sdcard ^ image delivered on device Password for image delivered with device is not usbarmory (?) In fact, it doesn't have usbarmory user in /etc/passwd, but has it in /etc/shadow, go figure! .pre root@usbarmory:/# cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:x:104:65534::/nonexistent:/bin/false messagebus:x:105:108::/var/run/dbus:/bin/false sshd:x:106:65534::/run/sshd:/usr/sbin/nologin interlock:x:1000:1000::/home/interlock:/bin/bash lcars:x:1001:1001::/home/lcars:/bin/bash root@usbarmory:/# cat /etc/shadow root:*:18068:0:99999:7::: daemon:*:18068:0:99999:7::: bin:*:18068:0:99999:7::: sys:*:18068:0:99999:7::: sync:*:18068:0:99999:7::: games:*:18068:0:99999:7::: man:*:18068:0:99999:7::: lp:*:18068:0:99999:7::: mail:*:18068:0:99999:7::: news:*:18068:0:99999:7::: uucp:*:18068:0:99999:7::: proxy:*:18068:0:99999:7::: www-data:*:18068:0:99999:7::: backup:*:18068:0:99999:7::: list:*:18068:0:99999:7::: irc:*:18068:0:99999:7::: gnats:*:18068:0:99999:7::: nobody:*:18068:0:99999:7::: systemd-timesync:*:18068:0:99999:7::: systemd-network:*:18068:0:99999:7::: systemd-resolve:*:18068:0:99999:7::: systemd-bus-proxy:*:18068:0:99999:7::: _apt:*:18068:0:99999:7::: messagebus:*:18068:0:99999:7::: sshd:*:18068:0:99999:7::: usbarmory:$6$rcyB4m4EPv$udqWloCZH/Av1IkJVuZHyWMhw/fYkhLGevlo17C3x6qMemSHUmPPAQrvc0SaY.yWVIIU0ADL0g54MZmidcxFn.:18068:0:99999:7::: lcars:$6$iFljmotV$gnK66oZpz7BD3BqlFpPWoY/Q1tey8in75868neosxypKswjSoNDQotiMBZ9hh.vQBDyltA08z2Vji/QjElv4g.:18072:0:99999:7::: interlock:!:18072:0:99999:7::: .pre After adding usbarmory account, running apt upgrade (since image has old kernel) device isn't bootable any more (at least it's not detected by host in which it's plugged in). Let's try to rebuild image for emmc and flash it. Well, re-build fails with patches allready applied errors in linux source, so let's wipe it: .pre root@813046ba7c77:/opt/armory# rm -Rf linux-* u-boot-2019.07* root@813046ba7c77:/opt/armory# make all V=mark-two IMX=imx6ull BOOT=eMMC -j 8 .pre ^ pads on board documentation again claims that schematics is available, but it isn't for mk2 https://github.com/inversepath/usbarmory/tree/master/hardware from changelog thouse pads might be jtag (since it's enabled in u-boot), but without schematics who knows... It seems that 8 gpio pins are available using additional board: https://github.com/inversepath/usbarmory/tree/master/hardware/mark-two-debug-accessory ^ sdcard vs emmc speed .pre root@usbarmory:/mnt/klin/home/dpavlin/usb-armory/usbarmory-debian-base_image# hdparm -Tt /dev/mmcblk[01] /dev/mmcblk0: # -- sdcard Timing cached reads: 664 MB in 2.00 seconds = 331.99 MB/sec Timing buffered disk reads: 34 MB in 3.03 seconds = 11.21 MB/sec /dev/mmcblk1: # -- emmc Timing cached reads: 716 MB in 2.00 seconds = 357.40 MB/sec Timing buffered disk reads: 128 MB in 3.04 seconds = 42.17 MB/sec .pre ^ community https://groups.google.com/forum/#!forum/usbarmory https://hackaday.com/2019/09/29/usb-armory-mkii-a-usb-c-thumb-drive-based-linux-computer-for-pentesters/ ^ led heartbeat off https://photos.app.goo.gl/rRrzfbbs4GGjt3ePA very bright and annoying in dark room .pre sbarmory@usbarmory:/sys/class/leds/LED_WHITE$ cat trigger none kbd-scrolllock kbd-numlock kbd-capslock kbd-kanalock kbd-shiftlock kbd-altgrlock kbd-ctrllock kbd-altlock kbd-shiftllock kbd-shiftrlock kbd-ctrlllock kbd-ctrlrlock mmc0 mmc1 cpu cpu0 [heartbeat] root@usbarmory:/sys/devices/soc0/leds/leds/LED_WHITE# echo none > trigger .pre ^ nwtwork speed .pre root@usbarmory:~# iperf3 -c 10.0.0.2 Connecting to host 10.0.0.2, port 5201 [ 4] local 10.0.0.1 port 33574 connected to 10.0.0.2 port 5201 [ ID] Interval Transfer Bandwidth Retr Cwnd [ 4] 0.00-1.03 sec 23.0 MBytes 188 Mbits/sec 0 174 KBytes [ 4] 1.03-2.00 sec 20.6 MBytes 178 Mbits/sec 0 272 KBytes [ 4] 2.00-3.01 sec 21.1 MBytes 176 Mbits/sec 0 286 KBytes [ 4] 3.01-4.01 sec 21.8 MBytes 182 Mbits/sec 0 297 KBytes [ 4] 4.01-5.00 sec 20.1 MBytes 171 Mbits/sec 0 297 KBytes [ 4] 5.00-6.00 sec 21.0 MBytes 176 Mbits/sec 0 329 KBytes [ 4] 6.00-7.00 sec 20.3 MBytes 171 Mbits/sec 0 329 KBytes [ 4] 7.00-8.00 sec 20.4 MBytes 171 Mbits/sec 0 329 KBytes [ 4] 8.00-9.00 sec 20.3 MBytes 171 Mbits/sec 0 329 KBytes [ 4] 9.00-10.00 sec 20.1 MBytes 169 Mbits/sec 0 329 KBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bandwidth Retr [ 4] 0.00-10.00 sec 209 MBytes 175 Mbits/sec 0 sender [ 4] 0.00-10.00 sec 208 MBytes 174 Mbits/sec receiver iperf Done. .pre ^ bluetooth https://github.com/inversepath/usbarmory/wiki/Bluetooth .pre root@usbarmory:/home/usbarmory# microcom -p /dev/ttymxc0 AT+GMR "1.0.0-017" .pre ^ armoryctl no binary in package, requires 1.12 go (which isn't in debian buster as of now) .pre dpavlin@klin:~/usb-armory$ git clone https://github.com/inversepath/armoryctl dpavlin@klin:~/usb-armory/armoryctl$ make armoryctl GOARCH=arm github.com/inversepath/armoryctl/anna_b112 # github.com/inversepath/armoryctl/anna_b112 anna_b112/openocd.go:328:9: undefined: strings.ReplaceAll anna_b112/openocd.go:329:8: undefined: strings.ReplaceAll note: module requires Go 1.12make: *** [Makefile:27: armoryctl] Error 2 .pre After compile: .pre usbarmory@usbarmory:~$ sudo ./armoryctl tusb id TUSB320 usbarmory@usbarmory:~$ sudo ./armoryctl ble info manufacturer:"u-blox" model:"ANNA-B1" serial:"0" sw:"1.0.0-017" device_name:"USBARMORY-MKII-DUT-3776" usbarmory@usbarmory:~$ sudo ./armoryctl se1 info serial:0x0123455d2a9039e5ee revision:0x00006002 usbarmory@usbarmory:~$ sudo ./armoryctl pmic info id:0x4("PF1510") family:0xf("15") otp:"A6" rev:0x11 .pre ^ i2c .pre root@usbarmory:/home/usbarmory# i2cdetect -l root@usbarmory:/home/usbarmory# modprobe i2c-dev root@usbarmory:/home/usbarmory# i2cdetect -l i2c-0 i2c 21a0000.i2c I2C adapter root@usbarmory:/home/usbarmory# i2cdetect -y 0 0 1 2 3 4 5 6 7 8 9 a b c d e f 00: -- -- -- -- -- 08 -- -- -- -- -- -- -- 10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 30: -- 31 -- -- -- -- -- -- -- -- -- -- -- -- -- -- 40: -- -- -- -- -- -- -- -- 48 -- -- -- -- -- -- -- 50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 60: 60 61 -- -- -- -- -- -- -- -- -- -- -- -- -- -- 70: -- -- -- -- -- -- -- -- .pre |