Dobrica Pavlinušić's random unstructured stuff
USB armory Mk II
This page describes a pre-release version of the USB armory, so if you are receiving the release version,
head over to the USB armory wiki https://github.com/f-secure-foundry/usbarmory/wiki, which has improved massively
since this page was first written.
I had wrong expectations from this board: I was hoping to be able to use GPIO for serial or connecting sensors and that is not possible.
SoC: NXP i.MX6ULZ ARM® Cortex™-A7 900 MHz
RAM: 512 MB DDR3
Storage: internal 16 GB eMMC + external microSD
Bluetooth module: u-blox ANNA-B112 BLE
USB-C ports: DRP (Dual Role Power) receptacle + UFP (Upstream Facing Port) plug, USB 2.0 only (no video support)
LEDs: two
Slide switch: for boot mode selection between eMMC and microSD
External security elements: Microchip ATECC608A + NXP A71CH
Physical size: 66 mm x 19 mm x 8 mm (without enclosure, including USB-C connector)
https://github.com/inversepath/usbarmory-debian-base_image
dpavlin@klin:~/usb-armory/usbarmory-debian-base_image$ ls -al usbarmory-mark-two-debian_stretch-base_image-20191013.raw
-rw-r--r-- 1 root root 3670016000 Oct 13 13:30 usbarmory-mark-two-debian_stretch-base_image-20191013.raw
dpavlin@nuc:/mnt/klin/home/dpavlin/usb-armory/usbarmory-debian-base_image$ dd if=usbarmory-mark-two-debian_stretch-base_image-20191013.raw of=/dev/sdb bs=1M
dpavlin@nuc:~$ dmesg
[764607.538898] usb 2-1: new high-speed USB device number 34 using xhci_hcd
[764607.689068] usb 2-1: New USB device found, idVendor=0525, idProduct=a4a2, bcdDevice= 4.19
[764607.689078] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[764607.689082] usb 2-1: Product: RNDIS/Ethernet Gadget
[764607.689100] usb 2-1: Manufacturer: Linux 4.19.78-0 with 2184000.usb
[764607.900916] cdc_subset: probe of 2-1:1.0 failed with error -22
[764607.902622] cdc_subset 2-1:1.1 usb0: register 'cdc_subset' at usb-0000:00:14.0-1, Linux Device, ae:47:47:81:a0:a4
[764607.902666] usbcore: registered new interface driver cdc_subset
[764607.902711] cdc_ether: probe of 2-1:1.0 failed with error -16
[764607.902732] usbcore: registered new interface driver cdc_ether
[764607.914234] cdc_subset 2-1:1.1 enp0s20u1i1: renamed from usb0
network setup
dpavlin@nuc:~$ sudo ifconfig enp0s20u1i1 10.0.0.2 netmask 255.255.255.0
dpavlin@nuc:~$ sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
dpavlin@nuc:~$ ssh usbarmory@10.0.0.1
# password is usbarmory
usbarmory@usbarmory:~$ uname -a
Linux usbarmory 4.19.78-0 #1 PREEMPT Sun Oct 13 11:05:18 UTC 2019 armv7l GNU/Linux
usbarmory@usbarmory:~$ cat /proc/cpuinfo
processor : 0
model name : ARMv7 Processor rev 5 (v7l)
BogoMIPS : 109.09
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc07
CPU revision : 5
Hardware : Freescale i.MX6 Ultralite (Device Tree)
Revision : 0000
Serial : 0000000000000000
usbarmory@usbarmory:~$ free
total used free shared buff/cache available
Mem: 512204 25588 436744 7624 49872 467984
Swap: 0 0 0
boot select switch
The switch near the sdcard slot selects booting from eMMC or microSD (the silkscreen is somewhat poor, but by default, before removing the sticker, it will boot from sdcard).
If it's closer to the sdcard, it will boot from sdcard.
image delivered on device
The password for the image delivered with the device is not usbarmory (?)
In fact, it doesn't have a usbarmory user in /etc/passwd, but has it in /etc/shadow, go figure!
root@usbarmory:/# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:108::/var/run/dbus:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
interlock:x:1000:1000::/home/interlock:/bin/bash
lcars:x:1001:1001::/home/lcars:/bin/bash
root@usbarmory:/# cat /etc/shadow
root:*:18068:0:99999:7:::
daemon:*:18068:0:99999:7:::
bin:*:18068:0:99999:7:::
sys:*:18068:0:99999:7:::
sync:*:18068:0:99999:7:::
games:*:18068:0:99999:7:::
man:*:18068:0:99999:7:::
lp:*:18068:0:99999:7:::
mail:*:18068:0:99999:7:::
news:*:18068:0:99999:7:::
uucp:*:18068:0:99999:7:::
proxy:*:18068:0:99999:7:::
www-data:*:18068:0:99999:7:::
backup:*:18068:0:99999:7:::
list:*:18068:0:99999:7:::
irc:*:18068:0:99999:7:::
gnats:*:18068:0:99999:7:::
nobody:*:18068:0:99999:7:::
systemd-timesync:*:18068:0:99999:7:::
systemd-network:*:18068:0:99999:7:::
systemd-resolve:*:18068:0:99999:7:::
systemd-bus-proxy:*:18068:0:99999:7:::
_apt:*:18068:0:99999:7:::
messagebus:*:18068:0:99999:7:::
sshd:*:18068:0:99999:7:::
usbarmory:$6$rcyB4m4EPv$udqWloCZH/Av1IkJVuZHyWMhw/fYkhLGevlo17C3x6qMemSHUmPPAQrvc0SaY.yWVIIU0ADL0g54MZmidcxFn.:18068:0:99999:7:::
lcars:$6$iFljmotV$gnK66oZpz7BD3BqlFpPWoY/Q1tey8in75868neosxypKswjSoNDQotiMBZ9hh.vQBDyltA08z2Vji/QjElv4g.:18072:0:99999:7:::
interlock:!:18072:0:99999:7:::
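The mismatch noted above (a usbarmory entry in /etc/shadow with no matching line in /etc/passwd) can be checked mechanically on any pre-loaded image. The following is an added sketch, not part of the original notes or of the USB armory project; audit_accounts and make_sample are hypothetical names, and the sample files are constructed with placeholder hashes.

```shell
#!/bin/sh
# Cross-check a passwd file against a shadow file and report:
#   ORPHAN_SHADOW  user in shadow without a passwd line
#   MISSING_SHADOW user in passwd without a shadow line
#   PASSWORD_SET   shadow field 2 holds a hash (password login possible)
#   EMPTY_PASSWORD shadow field 2 is empty (no password required)
audit_accounts() {
    awk -F: '
        $1 == "" { next }                                  # skip blank lines
        FILENAME == ARGV[1] { in_passwd[$1] = 1; next }    # first file: passwd
        {
            in_shadow[$1] = 1
            if (!($1 in in_passwd)) print "ORPHAN_SHADOW " $1
            # a leading * or ! means password login is disabled or locked
            if ($2 == "") print "EMPTY_PASSWORD " $1
            else if ($2 !~ /^[*!]/) print "PASSWORD_SET " $1
        }
        END {
            for (u in in_passwd)
                if (!(u in in_shadow)) print "MISSING_SHADOW " u
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample modelled on the listings above (hashes are placeholders).
make_sample() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
interlock:x:1000:1000::/home/interlock:/bin/bash
lcars:x:1001:1001::/home/lcars:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:*:18068:0:99999:7:::
sshd:*:18068:0:99999:7:::
usbarmory:$6$CONSTRUCTED$placeholderhash:18068:0:99999:7:::
lcars:$6$CONSTRUCTED$placeholderhash:18072:0:99999:7:::
interlock:!:18072:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a real image, point it at the mounted root's etc/passwd and etc/shadow; pwck from the shadow tools performs a similar consistency check.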
After adding the usbarmory account and running apt upgrade (since the image has an old kernel), the device isn't bootable any more (at least it's not detected by the host it's plugged into).
Let's try to rebuild the image for eMMC and flash it.
Well, the rebuild fails with "patches already applied" errors in the Linux source, so let's wipe it:
root@813046ba7c77:/opt/armory# rm -Rf linux-* u-boot-2019.07*
root@813046ba7c77:/opt/armory# make all V=mark-two IMX=imx6ull BOOT=eMMC -j 8
pads on board
There is a KiCad project of the production one, which just removed the pads: https://github.com/f-secure-foundry/usbarmory/tree/master/hardware/mark-two
From the changelog those pads might be JTAG (since it's enabled in u-boot), but the schematics confirm it.
It seems that 8 GPIO pins are available using an additional board: https://github.com/inversepath/usbarmory/tree/master/hardware/mark-two-debug-accessory
sdcard vs emmc speed
root@usbarmory:/mnt/klin/home/dpavlin/usb-armory/usbarmory-debian-base_image# hdparm -Tt /dev/mmcblk[01]
/dev/mmcblk0: # -- sdcard
Timing cached reads: 664 MB in 2.00 seconds = 331.99 MB/sec
Timing buffered disk reads: 34 MB in 3.03 seconds = 11.21 MB/sec
/dev/mmcblk1: # -- emmc
Timing cached reads: 716 MB in 2.00 seconds = 357.40 MB/sec
Timing buffered disk reads: 128 MB in 3.04 seconds = 42.17 MB/sec
https://groups.google.com/forum/#!forum/usbarmory
https://hackaday.com/2019/09/29/usb-armory-mkii-a-usb-c-thumb-drive-based-linux-computer-for-pentesters/
led heartbeat off
https://photos.app.goo.gl/rRrzfbbs4GGjt3ePA
Very bright and annoying in a dark room.
usbarmory@usbarmory:/sys/class/leds/LED_WHITE$ cat trigger
none kbd-scrolllock kbd-numlock kbd-capslock kbd-kanalock kbd-shiftlock kbd-altgrlock kbd-ctrllock kbd-altlock kbd-shiftllock kbd-shiftrlock kbd-ctrlllock kbd-ctrlrlock mmc0 mmc1 cpu cpu0 [heartbeat]
root@usbarmory:/sys/devices/soc0/leds/leds/LED_WHITE# echo none > trigger
network speed
root@usbarmory:~# iperf3 -c 10.0.0.2
Connecting to host 10.0.0.2, port 5201
[ 4] local 10.0.0.1 port 33574 connected to 10.0.0.2 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 4] 0.00-1.03 sec 23.0 MBytes 188 Mbits/sec 0 174 KBytes
[ 4] 1.03-2.00 sec 20.6 MBytes 178 Mbits/sec 0 272 KBytes
[ 4] 2.00-3.01 sec 21.1 MBytes 176 Mbits/sec 0 286 KBytes
[ 4] 3.01-4.01 sec 21.8 MBytes 182 Mbits/sec 0 297 KBytes
[ 4] 4.01-5.00 sec 20.1 MBytes 171 Mbits/sec 0 297 KBytes
[ 4] 5.00-6.00 sec 21.0 MBytes 176 Mbits/sec 0 329 KBytes
[ 4] 6.00-7.00 sec 20.3 MBytes 171 Mbits/sec 0 329 KBytes
[ 4] 7.00-8.00 sec 20.4 MBytes 171 Mbits/sec 0 329 KBytes
[ 4] 8.00-9.00 sec 20.3 MBytes 171 Mbits/sec 0 329 KBytes
[ 4] 9.00-10.00 sec 20.1 MBytes 169 Mbits/sec 0 329 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 4] 0.00-10.00 sec 209 MBytes 175 Mbits/sec 0 sender
[ 4] 0.00-10.00 sec 208 MBytes 174 Mbits/sec receiver
iperf Done.
network setup for desktop
dpavlin@nuc:~$ grep usbarmory -A 5 /etc/network/interfaces
# usbarmory
allow-hotplug enx1a5589a26942
iface enx1a5589a26942 inet static
address 10.0.0.2
netmask 255.255.255.0
post-up iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
bluetooth
https://github.com/inversepath/usbarmory/wiki/Bluetooth
root@usbarmory:/home/usbarmory# microcom -p /dev/ttymxc0
AT+GMR
"1.0.0-017"
armoryctl
usbarmory@usbarmory:~$ sudo apt install armoryctl
Since the device is on stretch, it has Go 1.7, which can't compile it.
dpavlin@klin:~/usb-armory$ git clone https://github.com/inversepath/armoryctl
dpavlin@klin:~/usb-armory/armoryctl$ make armoryctl GOARCH=arm
github.com/inversepath/armoryctl/anna_b112
# github.com/inversepath/armoryctl/anna_b112
anna_b112/openocd.go:328:9: undefined: strings.ReplaceAll
anna_b112/openocd.go:329:8: undefined: strings.ReplaceAll
note: module requires Go 1.12
make: *** [Makefile:27: armoryctl] Error 2
After compile:
usbarmory@usbarmory:~$ sudo ./armoryctl tusb id
TUSB320
usbarmory@usbarmory:~$ sudo ./armoryctl ble info
manufacturer:"u-blox" model:"ANNA-B1" serial:"0" sw:"1.0.0-017" device_name:"USBARMORY-MKII-DUT-3776"
usbarmory@usbarmory:~$ sudo ./armoryctl se1 info
serial:0x0123455d2a9039e5ee revision:0x00006002
usbarmory@usbarmory:~$ sudo ./armoryctl pmic info
id:0x4("PF1510") family:0xf("15") otp:"A6" rev:0x11
i2c
root@usbarmory:/home/usbarmory# i2cdetect -l
root@usbarmory:/home/usbarmory# modprobe i2c-dev
root@usbarmory:/home/usbarmory# i2cdetect -l
i2c-0 i2c 21a0000.i2c I2C adapter
root@usbarmory:/home/usbarmory# i2cdetect -y 0
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- 08 -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- 31 -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- 48 -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: 60 61 -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --