I2C

Theory:

I2C (Inter-Integrated Circuit) is a synchronous, multi-master, multi-slave communication protocol used for short-range communication between components on a circuit board. I2C uses two main lines:

  • SCL (Serial Clock Line): Carries the clock signal generated by the master.

  • SDA (Serial Data Line): Carries the data between master and slave devices.

I2C is commonly used to connect microcontrollers to sensors, memory devices (like EEPROMs), and other peripherals. As a pentester, gaining access to the I2C bus can reveal sensitive data, provide the ability to modify system configurations, or help you intercept communications between components.

Requirements:

  1. Hardware:

    • I2C Interface Adapter (Bus Pirate, Saleae Logic Analyzer, FTDI I2C modules)

    • Jumper wires

    • Multimeter (for checking pin voltages and identifying the correct lines)

    • Soldering kit (if pins are not exposed)

  2. Software:

    • Tools for I2C communication:

      • i2cdetect, i2cdump, i2cset (Linux tools from the i2c-tools package)

      • Bus Pirate tools for interacting with the I2C bus

    • Logic analyzer software for analyzing I2C traffic:

      • Sigrok with PulseView

  3. Knowledge:

    • Some I2C devices may misbehave or crash if continuously scanned, so be cautious when using i2cdetect.

    • Ensure your I2C adapter matches the voltage levels of the device (usually 3.3V or 5V) to avoid damaging components.

Common Attacks:

  1. Identifying I2C Pins:

    • In many cases the I2C lines are not labeled. You can identify them with a multimeter: both SCL and SDA idle high at the bus voltage, typically 3.3V or 5V, because of their pull-up resistors.

    Command Example (Bus Pirate for identifying pins):

    m  # Select mode (I2C in this case)
    p  # Probe the bus for activity

  2. Device Discovery (I2C Bus Scanning):

    • Once connected to the I2C bus, you can scan for active devices using the i2cdetect tool or Bus Pirate. This allows you to enumerate all the I2C devices on the bus.

    Command Example (Linux I2C Bus Scan):

    i2cdetect -y 1  # This scans I2C bus 1 and returns the addresses of all connected devices.

    Bus Pirate I2C Scan:

    m    # Enter I2C mode
    (1)  # Run macro (1), the 7-bit address search: lists every address that ACKs

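    A scan is only useful if you can tell what should be on the bus from what is. The parser below, an added example for this page (not part of the original text and not from the i2c-tools project), turns the grid printed by i2cdetect into a set of addresses and compares it with a documented inventory, so an undocumented device or a missing one stands out. The sample output and the baseline inventory are constructed for illustration.

```python
"""Parse the grid printed by `i2cdetect -y <bus>` and compare it with a
documented bus inventory.

Added example for this page; not part of the original text and not from the
i2c-tools project. The sample output and the baseline inventory below are
constructed for illustration.
"""
import re

# Constructed sample of `i2cdetect -y 1` output. 0x3c shows "UU" (claimed by
# a kernel driver, so i2cdetect did not probe it); 0x50 and 0x68 answered.
SAMPLE_I2CDETECT_OUTPUT = """\
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- UU -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: 50 -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- 68 -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
"""

# Hypothetical documented inventory for the board: a display controller at
# 0x3c and a configuration EEPROM at 0x50.
BASELINE_INVENTORY = {0x3C, 0x50}

ROW_RE = re.compile(r"^([0-9a-f]{2}):(.*)$")


def parse_i2cdetect(text):
    """Return {address: state}; state is 'ack' for an address that answered
    and 'busy' for one shown as UU (in use by a driver, not probed)."""
    found = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row_base = int(m.group(1), 16)
        cells = m.group(2)
        # Every cell is 3 characters wide (" --", " 50", " UU", or blanks for
        # addresses i2cdetect skips), so the column index comes from the
        # character offset rather than from counting tokens.
        for tok in re.finditer(r"\S\S", cells):
            column = (tok.start() - 1) // 3
            addr = row_base + column
            if tok.group() == "--":
                continue
            found[addr] = "busy" if tok.group() == "UU" else "ack"
    return found


def unexpected_devices(found, baseline):
    """Addresses present on the bus that the inventory does not document."""
    return sorted(a for a in found if a not in baseline)


def missing_devices(found, baseline):
    """Documented addresses that did not show up in the scan."""
    return sorted(a for a in baseline if a not in found)


if __name__ == "__main__":
    found = parse_i2cdetect(SAMPLE_I2CDETECT_OUTPUT)
    print("seen:", {hex(a): s for a, s in sorted(found.items())})
    print("unexpected:", [hex(a) for a in unexpected_devices(found, BASELINE_INVENTORY)])
    print("missing:", [hex(a) for a in missing_devices(found, BASELINE_INVENTORY)])
```

    On the constructed sample the undocumented 0x68 is reported as unexpected. Addresses marked UU are kept with a separate state because a driver owning the address does not tell you what answered, only that the kernel believes something is there.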
  3. Reading Data from I2C Devices:

    • After identifying connected devices, you can read data from their registers, such as reading EEPROM contents or sensor data.

    Command Example (Reading an EEPROM using i2cdump):

    i2cdump -y 1 0x50   # This reads the data from the device at address 0x50 on bus 1.

    Bus Pirate Command (I2C EEPROM Read):

    m                            # Enter I2C mode
    [ 0xA0 0x00 [ 0xA1 r:32 ]    # Write address 0xA0 (0x50 with R/W=0), set the pointer to 0x00, repeated start, read address 0xA1, read 32 bytes

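    A dump is easier to act on when it is compared with a known-good image rather than read by eye. The code below, an added example for this page (not part of the original text and not from the i2c-tools project), parses the hex grid printed by i2cdump into a byte image, reports offsets that differ from a golden image, hashes a fully readable image, and shows how the 7-bit address 0x50 becomes the 0xA0/0xA1 bytes used in the Bus Pirate sequence. The dump text and the golden image are constructed.

```python
"""Parse an `i2cdump -y <bus> <addr>` hex dump into a byte image and check it
against a known-good image, so a modified EEPROM byte is reported by offset.

Added example for this page; not part of the original text and not from the
i2c-tools project. The dump text and the golden image are constructed.
"""
import hashlib
import re

# Constructed known-good image: 32 bytes an imaginary board is expected to
# hold at EEPROM offsets 0x00-0x1f.
GOLDEN_IMAGE = bytes(range(32))

# Constructed `i2cdump -y 1 0x50` output for the same 32 bytes, with offset
# 0x05 changed to 0xff and offset 0x1e unreadable ("XX").
SAMPLE_I2CDUMP_OUTPUT = """\
No size specified (using byte-data access)
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: 00 01 02 03 04 ff 06 07 08 09 0a 0b 0c 0d 0e 0f    ................
10: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d XX 1f    ..............X.
"""

DUMP_ROW_RE = re.compile(r"^([0-9a-f]{2}):((?: (?:[0-9a-f]{2}|XX)){1,16})")


def parse_i2cdump(text):
    """Return {offset: value}; value is None for bytes i2cdump printed as XX."""
    image = {}
    for line in text.splitlines():
        m = DUMP_ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            image[base + i] = None if tok == "XX" else int(tok, 16)
    return image


def diff_against_golden(image, golden):
    """Offsets whose dumped value differs from the golden image.
    Unreadable bytes are skipped; unreadable_offsets() lists them."""
    return [off for off, val in sorted(image.items())
            if val is not None and off < len(golden) and val != golden[off]]


def unreadable_offsets(image):
    """Offsets i2cdump could not read (printed as XX)."""
    return [off for off, val in sorted(image.items()) if val is None]


def image_sha256(image):
    """Hex SHA-256 of the dump as a contiguous byte string, or None if any
    byte was unreadable, since a hash over guessed bytes proves nothing."""
    values = [image[off] for off in sorted(image)]
    if any(v is None for v in values):
        return None
    return hashlib.sha256(bytes(values)).hexdigest()


def addr7_to_rw_bytes(addr7):
    """The 7-bit address as the two bytes seen on the wire: shifted left one
    bit with R/W = 0 (write) or 1 (read). This is why the i2c-tools commands
    above say 0x50 while the Bus Pirate sequence uses 0xA0 and 0xA1."""
    return (addr7 << 1, (addr7 << 1) | 1)


if __name__ == "__main__":
    img = parse_i2cdump(SAMPLE_I2CDUMP_OUTPUT)
    print("differs at:", [hex(o) for o in diff_against_golden(img, GOLDEN_IMAGE)])
    print("unreadable:", [hex(o) for o in unreadable_offsets(img)])
    print("sha256:", image_sha256(img))
    print("0x50 on the wire:", [hex(b) for b in addr7_to_rw_bytes(0x50)])
```

    Keeping the golden image and its hash from a trusted unit lets a later dump of a fielded device be checked for tampering without interpreting the contents; an unreadable byte is reported rather than silently hashed, because a dump with gaps cannot vouch for the whole image.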
  4. Modifying Data on I2C Devices:

    • You can also modify the data stored in an I2C device, such as changing configuration settings or writing to an EEPROM.

    Command Example (Writing to an EEPROM using i2cset):

    i2cset -y 1 0x50 0x00 0xFF  # This writes the value 0xFF to address 0x00 of the EEPROM at I2C address 0x50.

    Bus Pirate Command (EEPROM Write):

    m                    # Enter I2C mode
    [ 0xA0 0x00 0xFF ]   # Write address 0xA0, set the pointer to 0x00, write the byte 0xFF

  5. Sniffing I2C Traffic:

    • Using a logic analyzer or a Bus Pirate, you can sniff I2C communication between the master and slave devices to capture sensitive information or reverse engineer the communication protocol.

    Command Example (Bus Pirate I2C Sniffing):

    m    # Enter I2C mode
    (2)  # Run macro (2), the I2C sniffer: prints START/STOP, addresses, data and ACK/NACK as they pass

    Sigrok/PulseView for I2C Analysis:

    • Connect the logic analyzer to the I2C lines and capture the signals. Use PulseView to decode the I2C data for easier analysis.
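    What a logic analyzer decoder does with the captured SCL and SDA signals is exactly the protocol described in the Theory section: detect START and STOP conditions (SDA changing while SCL is high), sample SDA on every rising SCL edge, and group nine bits into a byte plus its ACK. The decoder below is an added example for this page (not part of the original text, not PulseView or Bus Pirate code) that does this over (scl, sda) sample pairs. Because there is no hardware here, the capture is constructed with a small encoder; the encode, decode and decode_sample_capture names are this example's own, and the 0x42 data byte is made up.

```python
"""Bit-level I2C decoder of the kind a logic analyzer (PulseView's I2C
protocol decoder, for instance) applies to captured SCL/SDA samples.

Added example for this page; not part of the original text, not PulseView
or Bus Pirate code. The capture is constructed with the encoder below.
"""


def encode(ops):
    """Render bus operations into (scl, sda) samples, one sample per edge.
    ops: ("start",), ("byte", value, acked), ("stop",).
    Constructed for the example; a real capture comes from the analyzer."""
    s = [(1, 1)]                                  # idle: both lines pulled high
    for op in ops:
        if op[0] == "start":
            if s[-1] != (1, 1):                   # repeated START: release SDA
                s += [(0, 1), (1, 1)]             # while SCL is low, raise SCL
            s += [(1, 0), (0, 0)]                 # SDA falls while SCL is high
        elif op[0] == "byte":
            value, acked = op[1], op[2]
            for i in range(7, -1, -1):            # MSB first; SDA changes only
                b = (value >> i) & 1              # while SCL is low
                s += [(0, b), (1, b), (0, b)]
            a = 0 if acked else 1                 # 9th clock: receiver pulls SDA low to ACK
            s += [(0, a), (1, a), (0, a)]
        elif op[0] == "stop":
            s += [(0, 0), (1, 0), (1, 1)]         # SDA rises while SCL is high
    return s


def decode(samples):
    """Decode (scl, sda) samples into events:
    ("START",) / ("RSTART",) / ("STOP",),
    ("ADDR", 7-bit address, "R" or "W", acked), ("DATA", byte, acked)."""
    events, bits = [], []
    in_transaction = expect_addr = False
    prev = samples[0]
    for scl, sda in samples[1:]:
        pscl, psda = prev
        if scl and pscl and psda and not sda:     # SDA high->low with SCL high
            events.append(("RSTART",) if in_transaction else ("START",))
            bits, in_transaction, expect_addr = [], True, True
        elif scl and pscl and not psda and sda:   # SDA low->high with SCL high
            events.append(("STOP",))
            bits, in_transaction = [], False
        elif scl and not pscl:                    # rising SCL edge: SDA is valid
            bits.append(sda)
            if len(bits) == 9:                    # 8 data bits + ACK bit
                value = 0
                for b in bits[:8]:
                    value = (value << 1) | b
                acked = bits[8] == 0
                if expect_addr:                   # first byte after a START
                    events.append(("ADDR", value >> 1, "R" if value & 1 else "W", acked))
                    expect_addr = False
                else:
                    events.append(("DATA", value, acked))
                bits = []
        prev = (scl, sda)
    return events


# Constructed capture of the EEPROM read the Bus Pirate sequence above performs:
# write address 0xA0, pointer 0x00, repeated start, read address 0xA1, one data
# byte NACKed by the master to end the read, STOP. 0x42 is made-up data.
SAMPLE_OPS = [("start",), ("byte", 0xA0, True), ("byte", 0x00, True),
              ("start",), ("byte", 0xA1, True), ("byte", 0x42, False), ("stop",)]


def decode_sample_capture():
    return decode(encode(SAMPLE_OPS))


if __name__ == "__main__":
    for ev in decode_sample_capture():
        print(ev)
```

    Two details matter for a correct decoder and both are visible in the constructed capture: a repeated START produces a rising SCL edge with SDA high before SDA falls, and a STOP produces a rising SCL edge with SDA low, so any bits collected since the last byte must be discarded when a START or STOP condition is seen. A decoder that does not reset its bit buffer there will misalign every byte that follows.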

  6. Bypassing Security Mechanisms:

    • Certain devices may have write protection or security features. Pentesters can manipulate the I2C bus to disable these mechanisms or force a reset.

    Tools:

    • i2cset (for sending specific commands to reset a device or change its configuration).

    Command Example (Sending a reset command; the register and value are device-specific, so check the device's datasheet before writing):

    i2cset -y 1 0x50 0x00 0x06
