I2C
Theory:
I2C (Inter-Integrated Circuit) is a synchronous, multi-master, multi-slave communication protocol used for short-range communication between components on a circuit board. I2C uses two main lines:
SCL (Serial Clock Line): Carries the clock signal generated by the master.
SDA (Serial Data Line): Carries the data between master and slave devices.
I2C is commonly used to connect microcontrollers to sensors, memory devices (like EEPROMs), and other peripherals. For a pentester, access to the I2C bus can reveal sensitive data, make it possible to modify system configurations, or allow communications between components to be intercepted.
Requirements:
Hardware:
I2C Interface Adapter (Bus Pirate, Saleae Logic Analyzer, FTDI I2C modules)
Jumper wires
Multimeter (for checking pin voltages and identifying the correct lines)
Soldering kit (if pins are not exposed)
Software:
Tools for I2C communication:
i2cdetect, i2cdump, i2cset (Linux-based tools)
Bus Pirate tools for interacting with the I2C bus
Logic analyzer software for analyzing I2C traffic:
Sigrok with PulseView
Knowledge:
Some I2C devices may misbehave or crash if continuously scanned. Be cautious when using i2cdetect.
Ensure your I2C adapter matches the voltage levels of the device (usually 3.3V or 5V) to avoid damaging components.
Common Attacks:
Identifying I2C Pins:
In many cases, the I2C lines are not labeled. You can identify them using a multimeter to detect the voltage levels, typically 3.3V or 5V, on the SCL and SDA lines.
Command Example (Bus Pirate for identifying pins):
Device Discovery (I2C Bus Scanning):
Once connected to the I2C bus, you can scan for active devices using the i2cdetect tool or Bus Pirate. This allows you to enumerate all the I2C devices on the bus.
Command Example (Linux I2C Bus Scan):
Bus Pirate I2C Scan:
Reading Data from I2C Devices:
After identifying connected devices, you can read data from their registers, such as reading EEPROM contents or sensor data.
Command Example (Reading an EEPROM using i2cdump):
Bus Pirate Command (I2C EEPROM Read):
Modifying Data on I2C Devices:
You can also modify the data stored in an I2C device, such as changing configuration settings or writing to an EEPROM.
Command Example (Writing to an EEPROM using i2cset):
Bus Pirate Command (EEPROM Write):
Sniffing I2C Traffic:
Using a logic analyzer or a Bus Pirate, you can sniff I2C communication between the master and slave devices to capture sensitive information or reverse engineer the communication protocol.
Command Example (Bus Pirate I2C Sniffing):
Sigrok/PulseView for I2C Analysis:
Connect the logic analyzer to the I2C lines and capture the signals. Use PulseView to decode the I2C data for easier analysis.
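The decoding step described above, as an added example that is not part of the original page: a minimal Python decoder that turns sampled SCL/SDA levels into addressed transactions, showing that anything sent over the bus is readable once the lines are probed. The capture, the device address 0x50 and the byte values are constructed for illustration; encode() and decode() are hypothetical helper names.

```python
# Added example: decode I2C transactions from sampled (scl, sda) logic levels.

def encode(address, read, payload, nack_last=False):
    """Build a constructed capture of one transaction as (scl, sda) samples."""
    samples = [(1, 1), (1, 0), (0, 0)]        # idle, START: SDA falls while SCL is high
    frame = [(address << 1) | int(read)] + list(payload)
    for index, byte in enumerate(frame):
        ack = 1 if nack_last and index == len(frame) - 1 else 0
        for bit in [(byte >> i) & 1 for i in range(7, -1, -1)] + [ack]:
            samples += [(0, bit), (1, bit), (0, bit)]   # data is stable while SCL is high
    return samples + [(0, 0), (1, 0), (1, 1)]  # STOP: SDA rises while SCL is high

def decode(samples):
    """Return one dict per transaction: address, direction, data bytes, ACK flags."""
    if not samples:
        return []
    transactions, current, bits = [], None, []
    prev_scl, prev_sda = samples[0]
    for scl, sda in samples[1:]:
        if prev_scl and scl and prev_sda and not sda:       # START or repeated START
            current = {"address": None, "rw": None, "data": [], "acks": []}
            transactions.append(current)
            bits = []
        elif prev_scl and scl and not prev_sda and sda:     # STOP ends the transaction
            current, bits = None, []                        # drops any partial byte
        elif current is not None and not prev_scl and scl:  # rising SCL: sample SDA
            bits.append(sda)
            if len(bits) == 9:                              # 8 data bits + ACK/NACK
                byte = sum(b << (7 - i) for i, b in enumerate(bits[:8]))
                current["acks"].append(bits[8] == 0)        # ACK is SDA held low
                if current["address"] is None:              # first byte: 7-bit addr + R/W
                    current["address"] = byte >> 1
                    current["rw"] = "R" if byte & 1 else "W"
                else:
                    current["data"].append(byte)
                bits = []
        prev_scl, prev_sda = scl, sda
    return transactions

# Constructed capture: a two-byte write to a device at 0x50, then a two-byte read.
CAPTURE = encode(0x50, False, [0x00, 0x10]) + encode(0x50, True, [0xDE, 0xAD], nack_last=True)

if __name__ == "__main__":
    for t in decode(CAPTURE):
        print(f"0x{t['address']:02x} {t['rw']} data={bytes(t['data']).hex()} acks={t['acks']}")
```

The NACK on the last byte of the read is normal: the master uses it to tell the slave to stop sending.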
Bypassing Security Mechanisms:
Certain devices may have write protection or security features. Pentesters can manipulate the I2C bus to disable these mechanisms or force a reset.
Tools:
i2cset (for sending specific commands to reset a device or change its configuration).
Command Example (Sending a reset command):