diff --git a/1-wire.txt b/1-wire.txt new file mode 100644 index 0000000..0e2cc1f --- /dev/null +++ b/1-wire.txt @@ -0,0 +1,41 @@ + 1)(2 + 3)(4 + 5)(6 +DATA 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +- W1-GPIO - One-Wire Interface - +To enable the one-wire interface you need to add the following line to /boot/config +dtoverlay=w1-gpio +or +dtoverlay=w1-gpio,gpiopin=x +if you would like to use a custom pin (default is BCM4, as illustrated in pinout herein). + +Alternatively you can enable the one-wire interface on demand using raspi-config, or the following: + +sudo modprobe w1-gpio +Newer kernels (4.9.28 and later) allow you to use dynamic overlay loading instead, including creating multiple 1-Wire busses to be used at the same time: + +sudo dtoverlay w1-gpio gpiopin=4 pullup=0 # header pin 7 +sudo dtoverlay w1-gpio gpiopin=17 pullup=0 # header pin 11 +sudo dtoverlay w1-gpio gpiopin=27 pullup=0 # header pin 13 +once any of the steps above have been performed, and discovery is complete you can list the devices that your Raspberry Pi has discovered via all 1-Wire busses (by default BCM4), like so: + +ls /sys/bus/w1/devices/ +n.b. Using w1-gpio on the Raspberry Pi typically needs a 4.7 kΩ pull-up resistor connected between the GPIO pin and a 3.3v supply (e.g. header pin 1 or 17). Other means of connecting 1-Wire devices to the Raspberry Pi are also possible, such as using i2c to 1-Wire bridge chips. +
diff --git a/README.md b/README.md index 4afda27..9bd433e 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,6 @@ PiPins =============== -Documents to help with Pi Zero / Pi Zero W pinouts and protocols \ No newline at end of file +Documents to help with Pi Zero / Pi Zero W pinouts and protocols. + +Simple text files to keep on the pi for use as quick and dirty emergency hardware hacking lab. \ No newline at end of file
diff --git a/URLs.txt b/URLs.txt new file mode 100644 index 0000000..511eaee --- /dev/null +++ b/URLs.txt
@@ -0,0 +1,12 @@ +Collection of random useful URL's + +http://acoptex.com/project/8003/raspberry-basics-project-29a-raspberry-pi-zero-w-board-raspberry-pi-gpio-pinout-at-acoptexcom/ + +https://pinout.xyz/ + +https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool + +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ + +https://github.com/superzerg/logic-analyzer +https://sigrok.org/wiki/PulseView \ No newline at end of file
diff --git a/dpi.txt b/dpi.txt new file mode 100644 index 0000000..cd70f1c --- /dev/null +++ b/dpi.txt @@ -0,0 +1,29 @@ + 1)(2 +V-SYNC 3)(4 +H-SYNC 5)(6 +Blue 0 7)(8 Green 2 + 9)(10 Green 3 +Green 5 11)(12 Green 6 +Red 7 13)(14 +Red 2 15)(16 Red 3 + 17)(18 Red 4 +Blue 6 19)(20 +Blue 5 21)(22 Red 5 +Blue 7 23)(24 Blue 4 + 25)(26 Blue 3 +CLK 27)(28 DEN +Blue 1 29)(30 +Blue 2 31)(32 Green 0 +Green 1 33)(34 +Green 7 35)(36 Green 4 +Red 6 37)(38 Red 0 + 39)(40 Red 1 + +- DPI - Display Parallel Interface - + +One of the alternate functions selectable on bank 0 of the Raspbery Pi GPIO is DPI. DPI (Display Parallel Interface) is a 24-bit parallel interface with 28 clock and synchronisation signals. + +This interface allows parallel RGB displays to be attached to the Raspberry Pi GPIO either in RGB24 (8 bits for red, green and blue) or RGB666 (6 bits per colour) or RGB565 (5 bits red, 6 green, and 5 blue). It is available as alternate function 2 (ALT2) on GPIO bank 0. + +The pinout presented here is for the RGB24 mode, see url below for documentation of the RGB666 and RGB565 modes. +https://www.raspberrypi.org/documentation/hardware/raspberrypi/dpi/
diff --git a/gpclk.txt b/gpclk.txt new file mode 100644 index 0000000..f313bdf --- /dev/null +++ b/gpclk.txt
@@ -0,0 +1,36 @@ + 1)(2 + 3)(4 + 5)(6 +GPCLK0 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 +GPCLK1 29)(30 +GPCLK2 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +General Purpose Clock pins can be set up to output a fixed frequency without any ongoing software control. + +The following clock sources are available: + +0 0 Hz Ground +1 19.2 MHz oscillator +2 0 Hz testdebug0 +3 0 Hz testdebug1 +4 0 Hz PLLA +5 1000 MHz PLLC (changes with overclock settings) +6 500 MHz PLLD +7 216 MHz HDMI auxiliary +8-15 0 Hz Ground + +Other frequencies can be achieved by setting a clock-divider in the form of SOURCE/(DIV_I + DIV_F/4096). Note, that the BCM2835 ARM Peripherals document contains an error and states that the denominator of the divider is 1024 instead of 4096. \ No newline at end of file
diff --git a/gpio.txt b/gpio.txt new file mode 100644 index 0000000..aa90bc4 --- /dev/null +++ b/gpio.txt
@@ -0,0 +1,48 @@ + 1)(2 +BCM 2 3)(4 +BCM 3 5)(6 + 7)(8 BCM 14 + 9)(10 BCM 15 +BCM 17 11)(12 BCM 18 +BCM 27 13)(14 +BCM 22 15)(16 BCM 23 + 17)(18 BCM 24 +BCM 10 19)(20 +BCM 9 21)(22 BCM 25 +BCM 11 23)(24 BCM 8 + 25)(26 BCM 7 +BCM 0 27)(28 BCM 1 +BCM 5 29)(30 +BCM 6 31)(32 BCM 12 +BCM 13 33)(34 +BCM 19 35)(36 BCM 16 +BCM 26 37)(38 BCM 20 + 39)(40 BCM 21 + +BCM - Broadcom pin number, commonly called "GPIO", these are the ones you probably want to use with RPi.GPIO and GPIO Zero + +- Outputs and Inputs - + +Other GPIO pins are capable of a 3.3V output, also referred to as setting the pin HIGH in code. When an output pin is LOW this means that it is simply providing 0V. + +A GPIO pin designated as an input pin can be read as HIGH (3.3V) or LOW (0V). This is made easier with the use of internal pull-up or pull-down resistors. Pins GPIO 2 and GPIO 3 have fixed pull-up resistors, but for other pins this can be configured in software. Do not provide the pins with greater than 3.3V: this is a quick way to damage your Raspberry Pi! + +- PWM - + +PWM (Pulse Width Modulation) is used with components such as motors, servos and LEDs by sending short pulses to control how much power they recieve. + +PWM is also possible on the Raspberry Pi. GPIO 12, GPIO 13, GPIO 18, GPIO 19 are hardware PWM capable, though the Raspberry Pi is also able to provide software PWM through libraries such as pigpio on all pins. + +- BOARD or BCM? Which one to use? - + +Each pin has two numbers attached to it. Its BOARD number (the numbers in the circle) and its BCM (Broadcom SOC channel) number. You can choose which convention to use when you write your Python code: + +1. GPIO/BCM numbering: GPIO.setmode(GPIO.BCM) +2. Board numbering: GPIO.setmode(GPIO.BOARD) +You can only use one convention in each DIY project, so select a one which makes most sense to you (the output is the same). It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero). 
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file
diff --git a/i2c.txt b/i2c.txt new file mode 100644 index 0000000..ff5deca --- /dev/null +++ b/i2c.txt
@@ -0,0 +1,67 @@ + 1)(2 + Data 3)(4 + Clock 5)(6 + 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 +EEPROM Data 27)(28 EEPROM Clock + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +I2C pins in BCM mode are: 2, 3 +I2C pins in WiringPi are: 8, 9 + +- I2C - Inter Integrated Circuit - + +The Raspberry Pi's I2C pins are an extremely useful way to talk to many different types of external peripheral; from the MCP23017 digital IO expander, to a connected ATmega. + +The I2C pins include a fixed 1.8 kohms pull-up resistor to 3.3v. This means they are not suitable for use as general purpose IO where a pull-up is not required. + +You can verify the address of connected I2C peripherals with a simple one-liner: + +sudo apt-get install i2c-tools +sudo i2cdetect -y 1 +You can then access I2C from Python using the smbus library: + +import smbus +DEVICE_BUS = 1 +DEVICE_ADDR = 0x15 +bus = smbus.SMBus(DEVICE_BUS) +bus.write_byte_data(DEVICE_ADDR, 0x00, 0x01) + +Pins 27 and 28 (ID_SD (EEPROM SDA2) and ID_SC (EEPROM SCL2)) are also I2C. There are used by the Pi for internal functions, and also some HAT boards. + +- RevEng communication - + +This communication is similar to the SPI, but it uses only two wire for communication – SDA/SCL. Each device is accessed by using their internal i2c address. Here we will use an I2C EEPROM as an example and see how we can read and write to the memory. i2ctools comes as a part of the Linux package, so no need to install anything. + +To find the address of your i2c slave device. + +i2cdetect -y 1 + +Now use a tool called as eeprog to read and write to the EEPROM. 
+ +wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz +tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/ +cd eeprog-0.7.6-tear12/ +make +sudo make install + +To write data to it: +echo “hello” | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50 +-w is the offset +-t is write delay + +To read data from it +./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10 \ No newline at end of file
+++ b/README.md @@ -1,4 +1,6 @@ PiPins =============== -Documents to help with Pi Zero / Pi Zero W pinouts and protocols \ No newline at end of file +Documents to help with Pi Zero / Pi Zero W pinouts and protocols. + +Simple text files to keep on the pi for use as quick and dirty emergency hardware hacking lab. \ No newline at end of file diff --git a/URLs.txt b/URLs.txt new file mode 100644 index 0000000..511eaee --- /dev/null +++ b/URLs.txt @@ -0,0 +1,12 @@ +Collection of random useful URL's + +http://acoptex.com/project/8003/raspberry-basics-project-29a-raspberry-pi-zero-w-board-raspberry-pi-gpio-pinout-at-acoptexcom/ + +https://pinout.xyz/ + +https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool + +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ + +https://github.com/superzerg/logic-analyzer +https://sigrok.org/wiki/PulseView \ No newline at end of file diff --git a/dpi.txt b/dpi.txt new file mode 100644 index 0000000..cd70f1c --- /dev/null +++ b/dpi.txt 
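Review bot: "Collection of random useful URL's" in the first line of URLs.txt should read "URLs" (plural, no apostrophe). It would also help readers to annotate https://github.com/superzerg/logic-analyzer as the firmware that logic_analyser.txt in this same commit relies on, since that file never names the sniffer it configures.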
@@ -0,0 +1,29 @@ + 1)(2 +V-SYNC 3)(4 +H-SYNC 5)(6 +Blue 0 7)(8 Green 2 + 9)(10 Green 3 +Green 5 11)(12 Green 6 +Red 7 13)(14 +Red 2 15)(16 Red 3 + 17)(18 Red 4 +Blue 6 19)(20 +Blue 5 21)(22 Red 5 +Blue 7 23)(24 Blue 4 + 25)(26 Blue 3 +CLK 27)(28 DEN +Blue 1 29)(30 +Blue 2 31)(32 Green 0 +Green 1 33)(34 +Green 7 35)(36 Green 4 +Red 6 37)(38 Red 0 + 39)(40 Red 1 + +- DPI - Display Parallel Interface - + +One of the alternate functions selectable on bank 0 of the Raspbery Pi GPIO is DPI. DPI (Display Parallel Interface) is a 24-bit parallel interface with 28 clock and synchronisation signals. + +This interface allows parallel RGB displays to be attached to the Raspberry Pi GPIO either in RGB24 (8 bits for red, green and blue) or RGB666 (6 bits per colour) or RGB565 (5 bits red, 6 green, and 5 blue). It is available as alternate function 2 (ALT2) on GPIO bank 0. + +The pinout presented here is for the RGB24 mode, see url below for documentation of the RGB666 and RGB565 modes. +https://www.raspberrypi.org/documentation/hardware/raspberrypi/dpi/ diff --git a/gpclk.txt b/gpclk.txt new file mode 100644 index 0000000..f313bdf --- /dev/null +++ b/gpclk.txt 
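Review bot: "Raspbery Pi" in the first paragraph of dpi.txt should be "Raspberry Pi", and "see url below" should be "see the URL below". The pinout itself is consistent with the text: 24 colour lines plus CLK, DEN, H-SYNC and V-SYNC account for all 28 signals named.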
@@ -0,0 +1,36 @@ + 1)(2 + 3)(4 + 5)(6 +GPCLK0 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 +GPCLK1 29)(30 +GPCLK2 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +General Purpose Clock pins can be set up to output a fixed frequency without any ongoing software control. + +The following clock sources are available: + +0 0 Hz Ground +1 19.2 MHz oscillator +2 0 Hz testdebug0 +3 0 Hz testdebug1 +4 0 Hz PLLA +5 1000 MHz PLLC (changes with overclock settings) +6 500 MHz PLLD +7 216 MHz HDMI auxiliary +8-15 0 Hz Ground + +Other frequencies can be achieved by setting a clock-divider in the form of SOURCE/(DIV_I + DIV_F/4096). Note, that the BCM2835 ARM Peripherals document contains an error and states that the denominator of the divider is 1024 instead of 4096. \ No newline at end of file diff --git a/gpio.txt b/gpio.txt new file mode 100644 index 0000000..aa90bc4 --- /dev/null +++ b/gpio.txt 
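Review bot: the clock-source table in gpclk.txt has no header row, so a reader has to guess that the columns are source index, frequency and name; add a line such as "SRC  FREQ  NAME" above "0 0 Hz Ground". In the last paragraph, "Note, that the BCM2835" should be "Note that the BCM2835".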
@@ -0,0 +1,48 @@ + 1)(2 +BCM 2 3)(4 +BCM 3 5)(6 + 7)(8 BCM 14 + 9)(10 BCM 15 +BCM 17 11)(12 BCM 18 +BCM 27 13)(14 +BCM 22 15)(16 BCM 23 + 17)(18 BCM 24 +BCM 10 19)(20 +BCM 9 21)(22 BCM 25 +BCM 11 23)(24 BCM 8 + 25)(26 BCM 7 +BCM 0 27)(28 BCM 1 +BCM 5 29)(30 +BCM 6 31)(32 BCM 12 +BCM 13 33)(34 +BCM 19 35)(36 BCM 16 +BCM 26 37)(38 BCM 20 + 39)(40 BCM 21 + +BCM - Broadcom pin number, commonly called "GPIO", these are the ones you probably want to use with RPi.GPIO and GPIO Zero + +- Outputs and Inputs - + +Other GPIO pins are capable of a 3.3V output, also referred to as setting the pin HIGH in code. When an output pin is LOW this means that it is simply providing 0V. + +A GPIO pin designated as an input pin can be read as HIGH (3.3V) or LOW (0V). This is made easier with the use of internal pull-up or pull-down resistors. Pins GPIO 2 and GPIO 3 have fixed pull-up resistors, but for other pins this can be configured in software. Do not provide the pins with greater than 3.3V: this is a quick way to damage your Raspberry Pi! + +- PWM - + +PWM (Pulse Width Modulation) is used with components such as motors, servos and LEDs by sending short pulses to control how much power they recieve. + +PWM is also possible on the Raspberry Pi. GPIO 12, GPIO 13, GPIO 18, GPIO 19 are hardware PWM capable, though the Raspberry Pi is also able to provide software PWM through libraries such as pigpio on all pins. + +- BOARD or BCM? Which one to use? - + +Each pin has two numbers attached to it. Its BOARD number (the numbers in the circle) and its BCM (Broadcom SOC channel) number. You can choose which convention to use when you write your Python code: + +1. GPIO/BCM numbering: GPIO.setmode(GPIO.BCM) +2. Board numbering: GPIO.setmode(GPIO.BOARD) +You can only use one convention in each DIY project, so select a one which makes most sense to you (the output is the same). It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero). 
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file diff --git a/i2c.txt b/i2c.txt new file mode 100644 index 0000000..ff5deca --- /dev/null +++ b/i2c.txt 
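Review bot: the last sentence of the "BOARD or BCM?" section says "certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero)", but the two numbered lines just above show RPi.GPIO accepting either GPIO.BCM or GPIO.BOARD; only GPIO Zero is BCM-only, so the parenthetical should name GPIO Zero alone (and "peripherals" should be "libraries"). Smaller wording fixes in the same hunk: "Other GPIO pins are capable of a 3.3V output" has no antecedent for "Other" and should read "All GPIO pins"; "recieve" should be "receive"; "select a one which makes most sense" should be "select the one that makes most sense"; and "which it is installed by default" should be "which is installed by default".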
@@ -0,0 +1,67 @@ + 1)(2 + Data 3)(4 + Clock 5)(6 + 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 +EEPROM Data 27)(28 EEPROM Clock + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +I2C pins in BCM mode are: 2, 3 +I2C pins in WiringPi are: 8, 9 + +- I2C - Inter Integrated Circuit - + +The Raspberry Pi's I2C pins are an extremely useful way to talk to many different types of external peripheral; from the MCP23017 digital IO expander, to a connected ATmega. + +The I2C pins include a fixed 1.8 kohms pull-up resistor to 3.3v. This means they are not suitable for use as general purpose IO where a pull-up is not required. + +You can verify the address of connected I2C peripherals with a simple one-liner: + +sudo apt-get install i2c-tools +sudo i2cdetect -y 1 +You can then access I2C from Python using the smbus library: + +import smbus +DEVICE_BUS = 1 +DEVICE_ADDR = 0x15 +bus = smbus.SMBus(DEVICE_BUS) +bus.write_byte_data(DEVICE_ADDR, 0x00, 0x01) + +Pins 27 and 28 (ID_SD (EEPROM SDA2) and ID_SC (EEPROM SCL2)) are also I2C. There are used by the Pi for internal functions, and also some HAT boards. + +- RevEng communication - + +This communication is similar to the SPI, but it uses only two wire for communication – SDA/SCL. Each device is accessed by using their internal i2c address. Here we will use an I2C EEPROM as an example and see how we can read and write to the memory. i2ctools comes as a part of the Linux package, so no need to install anything. + +To find the address of your i2c slave device. + +i2cdetect -y 1 + +Now use a tool called as eeprog to read and write to the EEPROM. 
+ +wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz +tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/ +cd eeprog-0.7.6-tear12/ +make +sudo make install + +To write data to it: +echo “hello” | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50 +-w is the offset +-t is write delay + +To read data from it +./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10 \ No newline at end of file diff --git a/jtag.txt b/jtag.txt new file mode 100644 index 0000000..94a7435 --- /dev/null +++ b/jtag.txt 
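Review bot: the eeprog build steps in i2c.txt cannot succeed as written: `tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/` names a "tear5" archive but a "tear12" member and directory, and giving tar a member name extracts only that member, so either the archive name or the directory name is wrong and the following `cd eeprog-0.7.6-tear12/` will fail. The write example `echo “hello” | ./eeprog ...` uses typographic quotes, which are sent to the EEPROM as literal bytes; use plain ASCII quotes or drop them. Fetching the tarball over plain http from a third-party host and then running `sudo make install` with no checksum or signature check installs unverified code system-wide; record a known-good checksum, or at least run `./eeprog` from the build directory without installing it. Wording fixes in the same hunk: "1.8 kohms" should be "1.8 kΩ", "There are used by the Pi" should be "These are used by the Pi", "uses only two wire" should be "two wires", and "a tool called as eeprog" should be "a tool called eeprog".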
@@ -0,0 +1,70 @@ + 1)(2 + 3)(4 + 5)(6 +TDI (Alt5) 7)(8 + 9)(10 + 11)(12 +TMS (Alt4) 13)(14 +TRST (Alt4) 15)(16 RTCK (Alt4) + 17)(18 TDO (Alt4) + 19)(20 + 21)(22 TCK (Alt4) + 23)(24 + 25)(26 + 27)(28 +TDO (Alt5) 29)(30 +RTCK (Alt5) 31)(32 TMS (Alt5) +TCK (Alt5) 33)(34 + 35)(36 +TDI (Alt4) 37)(38 + 39)(40 + +JTAG is generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset. + +JTAG/SWD are standards which allow developers to debug any microcontroller or microprocessor. From an attacker perspective having access to the debug means game over for the device. An attacker can dump the internal memory or do changes in the memory dynamically. Let’s talk about accessing both JTAG and SWD using just a Raspberry pi. We use an opensource tool called as openOCD which talks to the debugger. + +Connection: + JTAG: + TCK – 23 + TMS – 22 + TDI – 19 + TDO – 21 + SRST – 12 + GND – 20 + SWD: + SWDIO – 18 + SWCLK – 22 + SRST – 12 + GND – 14 + +To Install openOCD: +git clone git://git.code.sf.net/p/openocd/code openocd +cd openocd/ +./bootstrap +./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio +make & sudo make install + +It will take some bit of time, so be patient. + +JTAG: +The Configuration file for JTAG comes with the openOCD package itself. just running this with target cfg will connect to it’s JTAG +openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg +Now you can connect to gdb and debug the device.SWD: +openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg +raspberrypi_swd.cfg is located in the git you downloaded earlier. +Now you can connect to gdb and debug the device. 
+ +########################################################### + +JTAGenum +In a typical device, it is rare to find the JTAG interface and where the pins are located. So we use a tool called as JTAGenum which scan for all the pins the devices and tell you which pins is TMS-TCK-TDI-TDO. This is very helpfull if you don’t have proper documentation of the target device. + +Installation: +git clone https://github.com/cyphunk/JTAGenum +cd JTAGenum +source JTAGenum.sh +scan + +Pins to be used are 3 – 5 – 7 – 11 – 13 – 15 and common ground. + +This will take a bit of time as the GPIO is quite slow. \ No newline at end of file
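Review bot: the OpenOCD build line `./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio` uses en-dashes instead of `--`, so configure will reject every option; and `make & sudo make install` backgrounds make with a single `&` and starts the install immediately, so it should be `make && sudo make install`. The `git clone git://git.code.sf.net/...` line pulls the source over the unauthenticated git protocol; prefer the https URL for the same repository so the transport is verified. The "Connection:" list needs a sentence saying that TCK 23, TMS 22, TDI 19, TDO 21 (and SWDIO 18, SWCLK 22) are the header pins of OpenOCD's bcm2835gpio bit-bang assignment from raspberrypi-native.cfg, not the Alt4/Alt5 hardware JTAG pins drawn in the pinout at the top of the file; as written, a reader following the pinout will wire the wrong pins. In the JTAGenum section, pins 3 and 5 are the I2C pins that i2c.txt in this same commit describes as having fixed 1.8 kΩ pull-ups; mention that, since a permanently pulled-up line can skew the scan. Wording: "JTAG is generally refers" should be "JTAG generally refers", "(options) TRST" should be "(optional) TRST", "called as openOCD" should be "called OpenOCD", "helpfull" should be "helpful", and "Now you can connect to gdb and debug the device.SWD:" needs a line break before "SWD:".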
diff --git a/logic_analyser.txt b/logic_analyser.txt new file mode 100644 index 0000000..68c70a0 --- /dev/null +++ b/logic_analyser.txt
@@ -0,0 +1,23 @@ + - Logic Analyzer - PulseView - + +The serial connection is available on the PC (running Linux) as /dev/ttyUSB0. The sniffer is started using sigrok-cli, and the resulting sigrok session data is opened with PulseView. + +Command given on PC: + +sigrok-cli --driver=ols:conn=/dev/ttyUSB0 --config samplerate=3000000 --samples 100000 --probes 1=CLK,2=DIN,3=DC,4=nCS,5=nRST --triggers nCS=1 -o test.sr +--driver: The sniffer identifies itself as a Open Bench Logic Sniffer (OLS) on port /dev/ttyUSB0 +--config samplerate: using the maximum of 3M samples/s +--samples: 100000 samples (taking ~33ms at 3 MHz) +--probes: probe 1-5 are used, the labels are optional +--triggers: the sampling starts after probe 4 (nCS, inverted chip select) turns high +-o test.sr: the session is saved to a file that can be read by PulseView +The probes relate to the GPIO ports of the PI as: +SUMP probe 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +Rev 1 GPIO 7 8 11 9 25 10 24 23 22 21 18 17 17 17 17 17 +Rev 2 GPIO 7 8 11 9 25 10 24 23 22 27 18 17 28 29 30 31 +This gives 12 probes on the rev1 board, 16 probes on rev 2 (if using the P5 header). +The I2C and GPIO clock pins are reserved for future use. + +possibly better logic analyzer for the pi: +https://github.com/richardghirst/Panalyzer +"The basic idea is that it disables interrupts for a period, while sampling the GPIO pins once a microsecond. It then re-enables interupts and displays traces showing what the relevant GPIO pins were doing." \ No newline at end of file
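Review bot: logic_analyser.txt never says what "the sniffer" is or that the Pi has to be running an OLS-compatible firmware before sigrok-cli on the PC can talk to it over /dev/ttyUSB0; the first paragraph should name the firmware (URLs.txt in this commit lists https://github.com/superzerg/logic-analyzer, which appears to be it) and the USB-serial link it expects. The probe table is written for Rev 1 / Rev 2 boards with a P5 header, but the README says this repo targets the Pi Zero / Zero W, whose 40-pin header does not expose GPIO 28-31, so the "16 probes on rev 2" row should be marked as not applicable to the Zero. Minor: "PI" should be "Pi", and "a Open Bench Logic Sniffer" should be "an Open Bench Logic Sniffer".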
+ +########################################################### + +JTAGenum +In a typical device, it is rare to find the JTAG interface and where the pins are located. So we use a tool called as JTAGenum which scan for all the pins the devices and tell you which pins is TMS-TCK-TDI-TDO. This is very helpfull if you don’t have proper documentation of the target device. + +Installation: +git clone https://github.com/cyphunk/JTAGenum +cd JTAGenum +source JTAGenum.sh +scan + +Pins to be used are 3 – 5 – 7 – 11 – 13 – 15 and common ground. + +This will take a bit of time as the GPIO is quite slow. \ No newline at end of file diff --git a/logic_analyser.txt b/logic_analyser.txt new file mode 100644 index 0000000..68c70a0 --- /dev/null +++ b/logic_analyser.txt 
@@ -0,0 +1,23 @@ + - Logic Analyzer - PulseView - + +The serial connection is available on the PC (running Linux) as /dev/ttyUSB0. The sniffer is started using sigrok-cli, and the resulting sigrok session data is opened with PulseView. + +Command given on PC: + +sigrok-cli --driver=ols:conn=/dev/ttyUSB0 --config samplerate=3000000 --samples 100000 --probes 1=CLK,2=DIN,3=DC,4=nCS,5=nRST --triggers nCS=1 -o test.sr +--driver: The sniffer identifies itself as a Open Bench Logic Sniffer (OLS) on port /dev/ttyUSB0 +--config samplerate: using the maximum of 3M samples/s +--samples: 100000 samples (taking ~33ms at 3 MHz) +--probes: probe 1-5 are used, the labels are optional +--triggers: the sampling starts after probe 4 (nCS, inverted chip select) turns high +-o test.sr: the session is saved to a file that can be read by PulseView +The probes relate to the GPIO ports of the PI as: +SUMP probe 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +Rev 1 GPIO 7 8 11 9 25 10 24 23 22 21 18 17 17 17 17 17 +Rev 2 GPIO 7 8 11 9 25 10 24 23 22 27 18 17 28 29 30 31 +This gives 12 probes on the rev1 board, 16 probes on rev 2 (if using the P5 header). +The I2C and GPIO clock pins are reserved for future use. + +possibly better logic analyzer for the pi: +https://github.com/richardghirst/Panalyzer +"The basic idea is that it disables interrupts for a period, while sampling the GPIO pins once a microsecond. It then re-enables interupts and displays traces showing what the relevant GPIO pins were doing." \ No newline at end of file diff --git a/pcm.txt b/pcm.txt new file mode 100644 index 0000000..202fdff --- /dev/null +++ b/pcm.txt 
@@ -0,0 +1,24 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 + 11)(12 CLK + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 +FS 35)(36 + 37)(38 DIN + 39)(40 DOUT + +- PCM - Pulse-code Modulation - + +PCM (Pulse-code Modulation) is a digital representation of sampled analog. On the Raspberry Pi it's a form of digital audio output which can be understood by a DAC for high quality sound. \ No newline at end of file
diff --git a/URLs.txt b/URLs.txt new file mode 100644 index 0000000..511eaee --- /dev/null +++ b/URLs.txt @@ -0,0 +1,12 @@ +Collection of random useful URL's + +http://acoptex.com/project/8003/raspberry-basics-project-29a-raspberry-pi-zero-w-board-raspberry-pi-gpio-pinout-at-acoptexcom/ + +https://pinout.xyz/ + +https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool + +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ + +https://github.com/superzerg/logic-analyzer +https://sigrok.org/wiki/PulseView \ No newline at end of file diff --git a/dpi.txt b/dpi.txt new file mode 100644 index 0000000..cd70f1c --- /dev/null +++ b/dpi.txt
@@ -0,0 +1,29 @@ + 1)(2 +V-SYNC 3)(4 +H-SYNC 5)(6 +Blue 0 7)(8 Green 2 + 9)(10 Green 3 +Green 5 11)(12 Green 6 +Red 7 13)(14 +Red 2 15)(16 Red 3 + 17)(18 Red 4 +Blue 6 19)(20 +Blue 5 21)(22 Red 5 +Blue 7 23)(24 Blue 4 + 25)(26 Blue 3 +CLK 27)(28 DEN +Blue 1 29)(30 +Blue 2 31)(32 Green 0 +Green 1 33)(34 +Green 7 35)(36 Green 4 +Red 6 37)(38 Red 0 + 39)(40 Red 1 + +- DPI - Display Parallel Interface - + +One of the alternate functions selectable on bank 0 of the Raspbery Pi GPIO is DPI. DPI (Display Parallel Interface) is a 24-bit parallel interface with 28 clock and synchronisation signals. + +This interface allows parallel RGB displays to be attached to the Raspberry Pi GPIO either in RGB24 (8 bits for red, green and blue) or RGB666 (6 bits per colour) or RGB565 (5 bits red, 6 green, and 5 blue). It is available as alternate function 2 (ALT2) on GPIO bank 0. + +The pinout presented here is for the RGB24 mode, see url below for documentation of the RGB666 and RGB565 modes. +https://www.raspberrypi.org/documentation/hardware/raspberrypi/dpi/ diff --git a/gpclk.txt b/gpclk.txt new file mode 100644 index 0000000..f313bdf --- /dev/null +++ b/gpclk.txt 
@@ -0,0 +1,36 @@ + 1)(2 + 3)(4 + 5)(6 +GPCLK0 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 +GPCLK1 29)(30 +GPCLK2 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +General Purpose Clock pins can be set up to output a fixed frequency without any ongoing software control. + +The following clock sources are available: + +0 0 Hz Ground +1 19.2 MHz oscillator +2 0 Hz testdebug0 +3 0 Hz testdebug1 +4 0 Hz PLLA +5 1000 MHz PLLC (changes with overclock settings) +6 500 MHz PLLD +7 216 MHz HDMI auxiliary +8-15 0 Hz Ground + +Other frequencies can be achieved by setting a clock-divider in the form of SOURCE/(DIV_I + DIV_F/4096). Note, that the BCM2835 ARM Peripherals document contains an error and states that the denominator of the divider is 1024 instead of 4096. \ No newline at end of file diff --git a/gpio.txt b/gpio.txt new file mode 100644 index 0000000..aa90bc4 --- /dev/null +++ b/gpio.txt 
@@ -0,0 +1,48 @@ + 1)(2 +BCM 2 3)(4 +BCM 3 5)(6 + 7)(8 BCM 14 + 9)(10 BCM 15 +BCM 17 11)(12 BCM 18 +BCM 27 13)(14 +BCM 22 15)(16 BCM 23 + 17)(18 BCM 24 +BCM 10 19)(20 +BCM 9 21)(22 BCM 25 +BCM 11 23)(24 BCM 8 + 25)(26 BCM 7 +BCM 0 27)(28 BCM 1 +BCM 5 29)(30 +BCM 6 31)(32 BCM 12 +BCM 13 33)(34 +BCM 19 35)(36 BCM 16 +BCM 26 37)(38 BCM 20 + 39)(40 BCM 21 + +BCM - Broadcom pin number, commonly called "GPIO", these are the ones you probably want to use with RPi.GPIO and GPIO Zero + +- Outputs and Inputs - + +Other GPIO pins are capable of a 3.3V output, also referred to as setting the pin HIGH in code. When an output pin is LOW this means that it is simply providing 0V. + +A GPIO pin designated as an input pin can be read as HIGH (3.3V) or LOW (0V). This is made easier with the use of internal pull-up or pull-down resistors. Pins GPIO 2 and GPIO 3 have fixed pull-up resistors, but for other pins this can be configured in software. Do not provide the pins with greater than 3.3V: this is a quick way to damage your Raspberry Pi! + +- PWM - + +PWM (Pulse Width Modulation) is used with components such as motors, servos and LEDs by sending short pulses to control how much power they recieve. + +PWM is also possible on the Raspberry Pi. GPIO 12, GPIO 13, GPIO 18, GPIO 19 are hardware PWM capable, though the Raspberry Pi is also able to provide software PWM through libraries such as pigpio on all pins. + +- BOARD or BCM? Which one to use? - + +Each pin has two numbers attached to it. Its BOARD number (the numbers in the circle) and its BCM (Broadcom SOC channel) number. You can choose which convention to use when you write your Python code: + +1. GPIO/BCM numbering: GPIO.setmode(GPIO.BCM) +2. Board numbering: GPIO.setmode(GPIO.BOARD) +You can only use one convention in each DIY project, so select a one which makes most sense to you (the output is the same). It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero). 
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file diff --git a/pinout.jpg b/pinout.jpg new file mode 100644 index 0000000..a077f69 --- /dev/null +++ b/pinout.jpg Binary files differ diff --git a/pinout2.png b/pinout2.png new file mode 100644 index 0000000..f657d35 --- /dev/null +++ b/pinout2.png Binary files differ
@@ -0,0 +1,12 @@ +Collection of random useful URL's + +http://acoptex.com/project/8003/raspberry-basics-project-29a-raspberry-pi-zero-w-board-raspberry-pi-gpio-pinout-at-acoptexcom/ + +https://pinout.xyz/ + +https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool + +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ + +https://github.com/superzerg/logic-analyzer +https://sigrok.org/wiki/PulseView \ No newline at end of file diff --git a/dpi.txt b/dpi.txt new file mode 100644 index 0000000..cd70f1c --- /dev/null +++ b/dpi.txt @@ -0,0 +1,29 @@ + 1)(2 +V-SYNC 3)(4 +H-SYNC 5)(6 +Blue 0 7)(8 Green 2 + 9)(10 Green 3 +Green 5 11)(12 Green 6 +Red 7 13)(14 +Red 2 15)(16 Red 3 + 17)(18 Red 4 +Blue 6 19)(20 +Blue 5 21)(22 Red 5 +Blue 7 23)(24 Blue 4 + 25)(26 Blue 3 +CLK 27)(28 DEN +Blue 1 29)(30 +Blue 2 31)(32 Green 0 +Green 1 33)(34 +Green 7 35)(36 Green 4 +Red 6 37)(38 Red 0 + 39)(40 Red 1 + +- DPI - Display Parallel Interface - + +One of the alternate functions selectable on bank 0 of the Raspbery Pi GPIO is DPI. DPI (Display Parallel Interface) is a 24-bit parallel interface with 28 clock and synchronisation signals. + +This interface allows parallel RGB displays to be attached to the Raspberry Pi GPIO either in RGB24 (8 bits for red, green and blue) or RGB666 (6 bits per colour) or RGB565 (5 bits red, 6 green, and 5 blue). It is available as alternate function 2 (ALT2) on GPIO bank 0. + +The pinout presented here is for the RGB24 mode, see url below for documentation of the RGB666 and RGB565 modes. +https://www.raspberrypi.org/documentation/hardware/raspberrypi/dpi/ diff --git a/gpclk.txt b/gpclk.txt new file mode 100644 index 0000000..f313bdf --- /dev/null +++ b/gpclk.txt 
@@ -0,0 +1,36 @@ + 1)(2 + 3)(4 + 5)(6 +GPCLK0 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 +GPCLK1 29)(30 +GPCLK2 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +General Purpose Clock pins can be set up to output a fixed frequency without any ongoing software control. + +The following clock sources are available: + +0 0 Hz Ground +1 19.2 MHz oscillator +2 0 Hz testdebug0 +3 0 Hz testdebug1 +4 0 Hz PLLA +5 1000 MHz PLLC (changes with overclock settings) +6 500 MHz PLLD +7 216 MHz HDMI auxiliary +8-15 0 Hz Ground + +Other frequencies can be achieved by setting a clock-divider in the form of SOURCE/(DIV_I + DIV_F/4096). Note, that the BCM2835 ARM Peripherals document contains an error and states that the denominator of the divider is 1024 instead of 4096. \ No newline at end of file diff --git a/gpio.txt b/gpio.txt new file mode 100644 index 0000000..aa90bc4 --- /dev/null +++ b/gpio.txt 
@@ -0,0 +1,48 @@ + 1)(2 +BCM 2 3)(4 +BCM 3 5)(6 + 7)(8 BCM 14 + 9)(10 BCM 15 +BCM 17 11)(12 BCM 18 +BCM 27 13)(14 +BCM 22 15)(16 BCM 23 + 17)(18 BCM 24 +BCM 10 19)(20 +BCM 9 21)(22 BCM 25 +BCM 11 23)(24 BCM 8 + 25)(26 BCM 7 +BCM 0 27)(28 BCM 1 +BCM 5 29)(30 +BCM 6 31)(32 BCM 12 +BCM 13 33)(34 +BCM 19 35)(36 BCM 16 +BCM 26 37)(38 BCM 20 + 39)(40 BCM 21 + +BCM - Broadcom pin number, commonly called "GPIO", these are the ones you probably want to use with RPi.GPIO and GPIO Zero + +- Outputs and Inputs - + +Other GPIO pins are capable of a 3.3V output, also referred to as setting the pin HIGH in code. When an output pin is LOW this means that it is simply providing 0V. + +A GPIO pin designated as an input pin can be read as HIGH (3.3V) or LOW (0V). This is made easier with the use of internal pull-up or pull-down resistors. Pins GPIO 2 and GPIO 3 have fixed pull-up resistors, but for other pins this can be configured in software. Do not provide the pins with greater than 3.3V: this is a quick way to damage your Raspberry Pi! + +- PWM - + +PWM (Pulse Width Modulation) is used with components such as motors, servos and LEDs by sending short pulses to control how much power they recieve. + +PWM is also possible on the Raspberry Pi. GPIO 12, GPIO 13, GPIO 18, GPIO 19 are hardware PWM capable, though the Raspberry Pi is also able to provide software PWM through libraries such as pigpio on all pins. + +- BOARD or BCM? Which one to use? - + +Each pin has two numbers attached to it. Its BOARD number (the numbers in the circle) and its BCM (Broadcom SOC channel) number. You can choose which convention to use when you write your Python code: + +1. GPIO/BCM numbering: GPIO.setmode(GPIO.BCM) +2. Board numbering: GPIO.setmode(GPIO.BOARD) +You can only use one convention in each DIY project, so select a one which makes most sense to you (the output is the same). It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero). 
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file diff --git a/i2c.txt b/i2c.txt new file mode 100644 index 0000000..ff5deca --- /dev/null +++ b/i2c.txt 
@@ -0,0 +1,67 @@ + 1)(2 + Data 3)(4 + Clock 5)(6 + 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 +EEPROM Data 27)(28 EEPROM Clock + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +I2C pins in BCM mode are: 2, 3 +I2C pins in WiringPi are: 8, 9 + +- I2C - Inter Integrated Circuit - + +The Raspberry Pi's I2C pins are an extremely useful way to talk to many different types of external peripheral; from the MCP23017 digital IO expander, to a connected ATmega. + +The I2C pins include a fixed 1.8 kohms pull-up resistor to 3.3v. This means they are not suitable for use as general purpose IO where a pull-up is not required. + +You can verify the address of connected I2C peripherals with a simple one-liner: + +sudo apt-get install i2c-tools +sudo i2cdetect -y 1 +You can then access I2C from Python using the smbus library: + +import smbus +DEVICE_BUS = 1 +DEVICE_ADDR = 0x15 +bus = smbus.SMBus(DEVICE_BUS) +bus.write_byte_data(DEVICE_ADDR, 0x00, 0x01) + +Pins 27 and 28 (ID_SD (EEPROM SDA2) and ID_SC (EEPROM SCL2)) are also I2C. There are used by the Pi for internal functions, and also some HAT boards. + +- RevEng communication - + +This communication is similar to the SPI, but it uses only two wire for communication – SDA/SCL. Each device is accessed by using their internal i2c address. Here we will use an I2C EEPROM as an example and see how we can read and write to the memory. i2ctools comes as a part of the Linux package, so no need to install anything. + +To find the address of your i2c slave device. + +i2cdetect -y 1 + +Now use a tool called as eeprog to read and write to the EEPROM. 
+ +wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz +tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/ +cd eeprog-0.7.6-tear12/ +make +sudo make install + +To write data to it: +echo “hello” | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50 +-w is the offset +-t is write delay + +To read data from it +./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10 \ No newline at end of file diff --git a/jtag.txt b/jtag.txt new file mode 100644 index 0000000..94a7435 --- /dev/null +++ b/jtag.txt 
@@ -0,0 +1,70 @@ + 1)(2 + 3)(4 + 5)(6 +TDI (Alt5) 7)(8 + 9)(10 + 11)(12 +TMS (Alt4) 13)(14 +TRST (Alt4) 15)(16 RTCK (Alt4) + 17)(18 TDO (Alt4) + 19)(20 + 21)(22 TCK (Alt4) + 23)(24 + 25)(26 + 27)(28 +TDO (Alt5) 29)(30 +RTCK (Alt5) 31)(32 TMS (Alt5) +TCK (Alt5) 33)(34 + 35)(36 +TDI (Alt4) 37)(38 + 39)(40 + +JTAG is generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset. + +JTAG/SWD are standards which allow developers to debug any microcontroller or microprocessor. From an attacker perspective having access to the debug means game over for the device. An attacker can dump the internal memory or do changes in the memory dynamically. Let’s talk about accessing both JTAG and SWD using just a Raspberry pi. We use an opensource tool called as openOCD which talks to the debugger. + +Connection: + JTAG: + TCK – 23 + TMS – 22 + TDI – 19 + TDO – 21 + SRST – 12 + GND – 20 + SWD: + SWDIO – 18 + SWCLK – 22 + SRST – 12 + GND – 14 + +To Install openOCD: +git clone git://git.code.sf.net/p/openocd/code openocd +cd openocd/ +./bootstrap +./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio +make & sudo make install + +It will take some bit of time, so be patient. + +JTAG: +The Configuration file for JTAG comes with the openOCD package itself. just running this with target cfg will connect to it’s JTAG +openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg +Now you can connect to gdb and debug the device.SWD: +openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg +raspberrypi_swd.cfg is located in the git you downloaded earlier. +Now you can connect to gdb and debug the device. 
+ +########################################################### + +JTAGenum +In a typical device, it is rare to find the JTAG interface and where the pins are located. So we use a tool called as JTAGenum which scan for all the pins the devices and tell you which pins is TMS-TCK-TDI-TDO. This is very helpfull if you don’t have proper documentation of the target device. + +Installation: +git clone https://github.com/cyphunk/JTAGenum +cd JTAGenum +source JTAGenum.sh +scan + +Pins to be used are 3 – 5 – 7 – 11 – 13 – 15 and common ground. + +This will take a bit of time as the GPIO is quite slow. \ No newline at end of file diff --git a/logic_analyser.txt b/logic_analyser.txt new file mode 100644 index 0000000..68c70a0 --- /dev/null +++ b/logic_analyser.txt 
@@ -0,0 +1,23 @@ + - Logic Analyzer - PulseView - + +The serial connection is available on the PC (running Linux) as /dev/ttyUSB0. The sniffer is started using sigrok-cli, and the resulting sigrok session data is opened with PulseView. + +Command given on PC: + +sigrok-cli --driver=ols:conn=/dev/ttyUSB0 --config samplerate=3000000 --samples 100000 --probes 1=CLK,2=DIN,3=DC,4=nCS,5=nRST --triggers nCS=1 -o test.sr +--driver: The sniffer identifies itself as a Open Bench Logic Sniffer (OLS) on port /dev/ttyUSB0 +--config samplerate: using the maximum of 3M samples/s +--samples: 100000 samples (taking ~33ms at 3 MHz) +--probes: probe 1-5 are used, the labels are optional +--triggers: the sampling starts after probe 4 (nCS, inverted chip select) turns high +-o test.sr: the session is saved to a file that can be read by PulseView +The probes relate to the GPIO ports of the PI as: +SUMP probe 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +Rev 1 GPIO 7 8 11 9 25 10 24 23 22 21 18 17 17 17 17 17 +Rev 2 GPIO 7 8 11 9 25 10 24 23 22 27 18 17 28 29 30 31 +This gives 12 probes on the rev1 board, 16 probes on rev 2 (if using the P5 header). +The I2C and GPIO clock pins are reserved for future use. + +possibly better logic analyzer for the pi: +https://github.com/richardghirst/Panalyzer +"The basic idea is that it disables interrupts for a period, while sampling the GPIO pins once a microsecond. It then re-enables interupts and displays traces showing what the relevant GPIO pins were doing." \ No newline at end of file diff --git a/pcm.txt b/pcm.txt new file mode 100644 index 0000000..202fdff --- /dev/null +++ b/pcm.txt 
@@ -0,0 +1,24 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 + 11)(12 CLK + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 +FS 35)(36 + 37)(38 DIN + 39)(40 DOUT + +- PCM - Pulse-code Modulation - + +PCM (Pulse-code Modulation) is a digital representation of sampled analog. On the Raspberry Pi it's a form of digital audio output which can be understood by a DAC for high quality sound. \ No newline at end of file diff --git a/pinout.jpg b/pinout.jpg new file mode 100644 index 0000000..a077f69 --- /dev/null +++ b/pinout.jpg Binary files differ diff --git a/pinout2.png b/pinout2.png new file mode 100644 index 0000000..f657d35 --- /dev/null +++ b/pinout2.png Binary files differ diff --git a/power.txt b/power.txt new file mode 100644 index 0000000..16834ac --- /dev/null +++ b/power.txt 
@@ -0,0 +1,44 @@ +3.3v 1)(2 5v + 3)(4 5v + 5)(6 GND + 7)(8 +GND 9)(10 + 11)(12 + 13)(14 GND + 15)(16 +3.3v 17)(18 + 19)(20 GND + 21)(22 + 23)(24 +GND 25)(26 + 27)(28 + 29)(30 GND + 31)(32 + 33)(34 GND + 35)(36 + 37)(38 +GND 39)(40 + +- Voltages - + +The Raspberry Pi can provide both 5V (pins 2 and 4) and 3.3V (pins 1 and 17) power. It also provides the Ground pins (Ground or GND) for circuits on pins 6, 9, 14, 20, 25, 30, 34, and 39. These pins are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply. + +3.3V pins - Anything connected to these pins will always get 3.3V of power + +5V pins - Anything connected to these pins will always get 5V of power + +Ground (GND) - 0V, used to complete a circuit + +There is no single answer to how much current the 5V power pins can draw as it is reliant on what power supply you are using, and what other components you have attached to your Pi. + +The Raspberry Pi 3 will only draw 2.5A from its power supply, and requires around 750mA for boot up and normal headless operation. This means that if you are using a 2.5A power supply, the 5V pins can supply a total current of around 1.7A maximum. + +The 3.3V supply pin on the early Raspberry Pi had a maximum available current of about 50 mA. Enough to power a couple of LEDs or a microprocessor, but not much more. All Raspberry Pi since the Model B+ can provide quite a bit more, up to 500mA to remain on the safe side, thanks to a switching regulator. Still, you should generally use the 5V supply, coupled with a 3.3V regulator for 3.3V projects. + +- Ground - + +The Ground pins on the Raspberry Pi are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply. + +Generally the one that's most convenient or closest to the rest of your connections is tidier and easier, or alternatively the one closest to the supply pin that you use. 
+ +For example, it's a good idea to use Physical Pin 17 for 3v3 and Physical Pin 25 for ground when using the SPI connections, as these are right next to the important pins for SPI0. \ No newline at end of file diff --git a/1-wire.txt b/1-wire.txt new file mode 100644 index 0000000..0e2cc1f --- /dev/null +++ b/1-wire.txt @@ -0,0 +1,41 @@ + 1)(2 + 3)(4 + 5)(6 +DATA 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +- W1-GPIO - One-Wire Interface - +To enable the one-wire interface you need to add the following line to /boot/config +dtoverlay=w1-gpio +or +dtoverlay=w1-gpio,gpiopin=x +if you would like to use a custom pin (default is BCM4, as illustrated in pinout herein). + +Alternatively you can enable the one-wire interface on demand using raspi-config, or the following: + +sudo modprobe w1-gpio +Newer kernels (4.9.28 and later) allow you to use dynamic overlay loading instead, including creating multiple 1-Wire busses to be used at the same time: + +sudo dtoverlay w1-gpio gpiopin=4 pullup=0 # header pin 7 +sudo dtoverlay w1-gpio gpiopin=17 pullup=0 # header pin 11 +sudo dtoverlay w1-gpio gpiopin=27 pullup=0 # header pin 13 +once any of the steps above have been performed, and discovery is complete you can list the devices that your Raspberry Pi has discovered via all 1-Wire busses (by default BCM4), like so: + +ls /sys/bus/w1/devices/ +n.b. Using w1-gpio on the Raspberry Pi typically needs a 4.7 kΩ pull-up resistor connected between the GPIO pin and a 3.3v supply (e.g. header pin 1 or 17). Other means of connecting 1-Wire devices to the Raspberry Pi are also possible, such as using i2c to 1-Wire bridge chips. + diff --git a/README.md b/README.md index 4afda27..9bd433e 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,6 @@ PiPins =============== -Documents to help with Pi Zero / Pi Zero W pinouts and protocols \ No newline at end of file +Documents to help with Pi Zero / Pi Zero W pinouts and protocols. + +Simple text files to keep on the pi for use as quick and dirty emergency hardware hacking lab. \ No newline at end of file diff --git a/URLs.txt b/URLs.txt new file mode 100644 index 0000000..511eaee --- /dev/null +++ b/URLs.txt @@ -0,0 +1,12 @@ +Collection of random useful URL's + +http://acoptex.com/project/8003/raspberry-basics-project-29a-raspberry-pi-zero-w-board-raspberry-pi-gpio-pinout-at-acoptexcom/ + +https://pinout.xyz/ + +https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool + +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ + +https://github.com/superzerg/logic-analyzer +https://sigrok.org/wiki/PulseView \ No newline at end of file diff --git a/dpi.txt b/dpi.txt new file mode 100644 index 0000000..cd70f1c --- /dev/null +++ b/dpi.txt 
@@ -0,0 +1,29 @@ + 1)(2 +V-SYNC 3)(4 +H-SYNC 5)(6 +Blue 0 7)(8 Green 2 + 9)(10 Green 3 +Green 5 11)(12 Green 6 +Red 7 13)(14 +Red 2 15)(16 Red 3 + 17)(18 Red 4 +Blue 6 19)(20 +Blue 5 21)(22 Red 5 +Blue 7 23)(24 Blue 4 + 25)(26 Blue 3 +CLK 27)(28 DEN +Blue 1 29)(30 +Blue 2 31)(32 Green 0 +Green 1 33)(34 +Green 7 35)(36 Green 4 +Red 6 37)(38 Red 0 + 39)(40 Red 1 + +- DPI - Display Parallel Interface - + +One of the alternate functions selectable on bank 0 of the Raspbery Pi GPIO is DPI. DPI (Display Parallel Interface) is a 24-bit parallel interface with 28 clock and synchronisation signals. + +This interface allows parallel RGB displays to be attached to the Raspberry Pi GPIO either in RGB24 (8 bits for red, green and blue) or RGB666 (6 bits per colour) or RGB565 (5 bits red, 6 green, and 5 blue). It is available as alternate function 2 (ALT2) on GPIO bank 0. + +The pinout presented here is for the RGB24 mode, see url below for documentation of the RGB666 and RGB565 modes. +https://www.raspberrypi.org/documentation/hardware/raspberrypi/dpi/ diff --git a/gpclk.txt b/gpclk.txt new file mode 100644 index 0000000..f313bdf --- /dev/null +++ b/gpclk.txt 
@@ -0,0 +1,36 @@ + 1)(2 + 3)(4 + 5)(6 +GPCLK0 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 +GPCLK1 29)(30 +GPCLK2 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +General Purpose Clock pins can be set up to output a fixed frequency without any ongoing software control. + +The following clock sources are available: + +0 0 Hz Ground +1 19.2 MHz oscillator +2 0 Hz testdebug0 +3 0 Hz testdebug1 +4 0 Hz PLLA +5 1000 MHz PLLC (changes with overclock settings) +6 500 MHz PLLD +7 216 MHz HDMI auxiliary +8-15 0 Hz Ground + +Other frequencies can be achieved by setting a clock-divider in the form of SOURCE/(DIV_I + DIV_F/4096). Note, that the BCM2835 ARM Peripherals document contains an error and states that the denominator of the divider is 1024 instead of 4096. \ No newline at end of file diff --git a/gpio.txt b/gpio.txt new file mode 100644 index 0000000..aa90bc4 --- /dev/null +++ b/gpio.txt 
@@ -0,0 +1,48 @@ + 1)(2 +BCM 2 3)(4 +BCM 3 5)(6 + 7)(8 BCM 14 + 9)(10 BCM 15 +BCM 17 11)(12 BCM 18 +BCM 27 13)(14 +BCM 22 15)(16 BCM 23 + 17)(18 BCM 24 +BCM 10 19)(20 +BCM 9 21)(22 BCM 25 +BCM 11 23)(24 BCM 8 + 25)(26 BCM 7 +BCM 0 27)(28 BCM 1 +BCM 5 29)(30 +BCM 6 31)(32 BCM 12 +BCM 13 33)(34 +BCM 19 35)(36 BCM 16 +BCM 26 37)(38 BCM 20 + 39)(40 BCM 21 + +BCM - Broadcom pin number, commonly called "GPIO", these are the ones you probably want to use with RPi.GPIO and GPIO Zero + +- Outputs and Inputs - + +Other GPIO pins are capable of a 3.3V output, also referred to as setting the pin HIGH in code. When an output pin is LOW this means that it is simply providing 0V. + +A GPIO pin designated as an input pin can be read as HIGH (3.3V) or LOW (0V). This is made easier with the use of internal pull-up or pull-down resistors. Pins GPIO 2 and GPIO 3 have fixed pull-up resistors, but for other pins this can be configured in software. Do not provide the pins with greater than 3.3V: this is a quick way to damage your Raspberry Pi! + +- PWM - + +PWM (Pulse Width Modulation) is used with components such as motors, servos and LEDs by sending short pulses to control how much power they recieve. + +PWM is also possible on the Raspberry Pi. GPIO 12, GPIO 13, GPIO 18, GPIO 19 are hardware PWM capable, though the Raspberry Pi is also able to provide software PWM through libraries such as pigpio on all pins. + +- BOARD or BCM? Which one to use? - + +Each pin has two numbers attached to it. Its BOARD number (the numbers in the circle) and its BCM (Broadcom SOC channel) number. You can choose which convention to use when you write your Python code: + +1. GPIO/BCM numbering: GPIO.setmode(GPIO.BCM) +2. Board numbering: GPIO.setmode(GPIO.BOARD) +You can only use one convention in each DIY project, so select a one which makes most sense to you (the output is the same). It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero). 
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file diff --git a/i2c.txt b/i2c.txt new file mode 100644 index 0000000..ff5deca --- /dev/null +++ b/i2c.txt 
@@ -0,0 +1,67 @@ + 1)(2 + Data 3)(4 + Clock 5)(6 + 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 +EEPROM Data 27)(28 EEPROM Clock + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +I2C pins in BCM mode are: 2, 3 +I2C pins in WiringPi are: 8, 9 + +- I2C - Inter Integrated Circuit - + +The Raspberry Pi's I2C pins are an extremely useful way to talk to many different types of external peripheral; from the MCP23017 digital IO expander, to a connected ATmega. + +The I2C pins include a fixed 1.8 kohms pull-up resistor to 3.3v. This means they are not suitable for use as general purpose IO where a pull-up is not required. + +You can verify the address of connected I2C peripherals with a simple one-liner: + +sudo apt-get install i2c-tools +sudo i2cdetect -y 1 +You can then access I2C from Python using the smbus library: + +import smbus +DEVICE_BUS = 1 +DEVICE_ADDR = 0x15 +bus = smbus.SMBus(DEVICE_BUS) +bus.write_byte_data(DEVICE_ADDR, 0x00, 0x01) + +Pins 27 and 28 (ID_SD (EEPROM SDA2) and ID_SC (EEPROM SCL2)) are also I2C. There are used by the Pi for internal functions, and also some HAT boards. + +- RevEng communication - + +This communication is similar to the SPI, but it uses only two wire for communication – SDA/SCL. Each device is accessed by using their internal i2c address. Here we will use an I2C EEPROM as an example and see how we can read and write to the memory. i2ctools comes as a part of the Linux package, so no need to install anything. + +To find the address of your i2c slave device. + +i2cdetect -y 1 + +Now use a tool called as eeprog to read and write to the EEPROM. 
+ +wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz +tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/ +cd eeprog-0.7.6-tear12/ +make +sudo make install + +To write data to it: +echo “hello” | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50 +-w is the offset +-t is write delay + +To read data from it +./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10 \ No newline at end of file diff --git a/jtag.txt b/jtag.txt new file mode 100644 index 0000000..94a7435 --- /dev/null +++ b/jtag.txt 
@@ -0,0 +1,70 @@ + 1)(2 + 3)(4 + 5)(6 +TDI (Alt5) 7)(8 + 9)(10 + 11)(12 +TMS (Alt4) 13)(14 +TRST (Alt4) 15)(16 RTCK (Alt4) + 17)(18 TDO (Alt4) + 19)(20 + 21)(22 TCK (Alt4) + 23)(24 + 25)(26 + 27)(28 +TDO (Alt5) 29)(30 +RTCK (Alt5) 31)(32 TMS (Alt5) +TCK (Alt5) 33)(34 + 35)(36 +TDI (Alt4) 37)(38 + 39)(40 + +JTAG is generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset. + +JTAG/SWD are standards which allow developers to debug any microcontroller or microprocessor. From an attacker perspective having access to the debug means game over for the device. An attacker can dump the internal memory or do changes in the memory dynamically. Let’s talk about accessing both JTAG and SWD using just a Raspberry pi. We use an opensource tool called as openOCD which talks to the debugger. + +Connection: + JTAG: + TCK – 23 + TMS – 22 + TDI – 19 + TDO – 21 + SRST – 12 + GND – 20 + SWD: + SWDIO – 18 + SWCLK – 22 + SRST – 12 + GND – 14 + +To Install openOCD: +git clone git://git.code.sf.net/p/openocd/code openocd +cd openocd/ +./bootstrap +./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio +make & sudo make install + +It will take some bit of time, so be patient. + +JTAG: +The Configuration file for JTAG comes with the openOCD package itself. just running this with target cfg will connect to it’s JTAG +openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg +Now you can connect to gdb and debug the device.SWD: +openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg +raspberrypi_swd.cfg is located in the git you downloaded earlier. +Now you can connect to gdb and debug the device. 
+ +########################################################### + +JTAGenum +In a typical device, it is rare to find the JTAG interface and where the pins are located. So we use a tool called as JTAGenum which scan for all the pins the devices and tell you which pins is TMS-TCK-TDI-TDO. This is very helpfull if you don’t have proper documentation of the target device. + +Installation: +git clone https://github.com/cyphunk/JTAGenum +cd JTAGenum +source JTAGenum.sh +scan + +Pins to be used are 3 – 5 – 7 – 11 – 13 – 15 and common ground. + +This will take a bit of time as the GPIO is quite slow. \ No newline at end of file diff --git a/logic_analyser.txt b/logic_analyser.txt new file mode 100644 index 0000000..68c70a0 --- /dev/null +++ b/logic_analyser.txt 
@@ -0,0 +1,23 @@ + - Logic Analyzer - PulseView - + +The serial connection is available on the PC (running Linux) as /dev/ttyUSB0. The sniffer is started using sigrok-cli, and the resulting sigrok session data is opened with PulseView. + +Command given on PC: + +sigrok-cli --driver=ols:conn=/dev/ttyUSB0 --config samplerate=3000000 --samples 100000 --probes 1=CLK,2=DIN,3=DC,4=nCS,5=nRST --triggers nCS=1 -o test.sr +--driver: The sniffer identifies itself as a Open Bench Logic Sniffer (OLS) on port /dev/ttyUSB0 +--config samplerate: using the maximum of 3M samples/s +--samples: 100000 samples (taking ~33ms at 3 MHz) +--probes: probe 1-5 are used, the labels are optional +--triggers: the sampling starts after probe 4 (nCS, inverted chip select) turns high +-o test.sr: the session is saved to a file that can be read by PulseView +The probes relate to the GPIO ports of the PI as: +SUMP probe 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +Rev 1 GPIO 7 8 11 9 25 10 24 23 22 21 18 17 17 17 17 17 +Rev 2 GPIO 7 8 11 9 25 10 24 23 22 27 18 17 28 29 30 31 +This gives 12 probes on the rev1 board, 16 probes on rev 2 (if using the P5 header). +The I2C and GPIO clock pins are reserved for future use. + +possibly better logic analyzer for the pi: +https://github.com/richardghirst/Panalyzer +"The basic idea is that it disables interrupts for a period, while sampling the GPIO pins once a microsecond. It then re-enables interupts and displays traces showing what the relevant GPIO pins were doing." \ No newline at end of file diff --git a/pcm.txt b/pcm.txt new file mode 100644 index 0000000..202fdff --- /dev/null +++ b/pcm.txt 
@@ -0,0 +1,24 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 + 11)(12 CLK + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 +FS 35)(36 + 37)(38 DIN + 39)(40 DOUT + +- PCM - Pulse-code Modulation - + +PCM (Pulse-code Modulation) is a digital representation of sampled analog. On the Raspberry Pi it's a form of digital audio output which can be understood by a DAC for high quality sound. \ No newline at end of file diff --git a/pinout.jpg b/pinout.jpg new file mode 100644 index 0000000..a077f69 --- /dev/null +++ b/pinout.jpg Binary files differ diff --git a/pinout2.png b/pinout2.png new file mode 100644 index 0000000..f657d35 --- /dev/null +++ b/pinout2.png Binary files differ diff --git a/power.txt b/power.txt new file mode 100644 index 0000000..16834ac --- /dev/null +++ b/power.txt 
@@ -0,0 +1,44 @@ +3.3v 1)(2 5v + 3)(4 5v + 5)(6 GND + 7)(8 +GND 9)(10 + 11)(12 + 13)(14 GND + 15)(16 +3.3v 17)(18 + 19)(20 GND + 21)(22 + 23)(24 +GND 25)(26 + 27)(28 + 29)(30 GND + 31)(32 + 33)(34 GND + 35)(36 + 37)(38 +GND 39)(40 + +- Voltages - + +The Raspberry Pi can provide both 5V (pins 2 and 4) and 3.3V (pins 1 and 17) power. It also provides the Ground pins (Ground or GND) for circuits on pins 6, 9, 14, 20, 25, 30, 34, and 39. These pins are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply. + +3.3V pins - Anything connected to these pins will always get 3.3V of power + +5V pins - Anything connected to these pins will always get 5V of power + +Ground (GND) - 0V, used to complete a circuit + +There is no single answer to how much current the 5V power pins can draw as it is reliant on what power supply you are using, and what other components you have attached to your Pi. + +The Raspberry Pi 3 will only draw 2.5A from its power supply, and requires around 750mA for boot up and normal headless operation. This means that if you are using a 2.5A power supply, the 5V pins can supply a total current of around 1.7A maximum. + +The 3.3V supply pin on the early Raspberry Pi had a maximum available current of about 50 mA. Enough to power a couple of LEDs or a microprocessor, but not much more. All Raspberry Pi since the Model B+ can provide quite a bit more, up to 500mA to remain on the safe side, thanks to a switching regulator. Still, you should generally use the 5V supply, coupled with a 3.3V regulator for 3.3V projects. + +- Ground - + +The Ground pins on the Raspberry Pi are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply. + +Generally the one that's most convenient or closest to the rest of your connections is tidier and easier, or alternatively the one closest to the supply pin that you use. 
+ +For example, it's a good idea to use Physical Pin 17 for 3v3 and Physical Pin 25 for ground when using the SPI connections, as these are right next to the important pins for SPI0. \ No newline at end of file diff --git a/sdio.txt b/sdio.txt new file mode 100644 index 0000000..5dba9af --- /dev/null +++ b/sdio.txt @@ -0,0 +1,26 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 + 11)(12 +DAT3 13)(14 +CLK 15)(16 CMD + 17)(18 DAT0 + 19)(20 + 21)(22 DAT1 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 +DAT2 37)(38 + 39)(40 + +SDIO is the SD host/eMMC interface on the Raspberry Pi. SD host signals are normally used for the microSD slot. +These pins are "SD host" on Alt0 and "eMMC" on Alt3 + +have yet to actually get this to work, there are conflicting pinouts on: +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ \ No newline at end of file diff --git a/1-wire.txt b/1-wire.txt new file mode 100644 index 0000000..0e2cc1f --- /dev/null +++ b/1-wire.txt 
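Review bot: the current figures in the Voltages section are Raspberry Pi 3 figures ("The Raspberry Pi 3 will only draw 2.5A ... the 5V pins can supply a total current of around 1.7A maximum"), but the README scopes this repo to the Pi Zero / Pi Zero W; either label them as Pi 3 numbers or give the Zero's own budget, otherwise a reader may plan a load against a rail the Zero's supply cannot deliver. Separately, "These pins are all electrically connected" appears right after the 5V, 3.3V and GND pins are listed together and reads as if all three rails were tied; it belongs under the "- Ground -" heading, where the same sentence is already repeated.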
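Review bot: sdio.txt admits the pinout is unverified ("have yet to actually get this to work, there are conflicting pinouts"), but that caveat is the last line, below the diagram; put an UNVERIFIED marker in the first line so nobody wires a card from the diagram alone, and record which source the drawn assignment (DAT3 13, CLK 15, CMD 16, DAT0 18, DAT1 22, DAT2 37) was taken from so the conflict with the ralimtek page can be resolved later.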
@@ -0,0 +1,41 @@ + 1)(2 + 3)(4 + 5)(6 +DATA 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +- W1-GPIO - One-Wire Interface - +To enable the one-wire interface you need to add the following line to /boot/config +dtoverlay=w1-gpio +or +dtoverlay=w1-gpio,gpiopin=x +if you would like to use a custom pin (default is BCM4, as illustrated in pinout herein). + +Alternatively you can enable the one-wire interface on demand using raspi-config, or the following: + +sudo modprobe w1-gpio +Newer kernels (4.9.28 and later) allow you to use dynamic overlay loading instead, including creating multiple 1-Wire busses to be used at the same time: + +sudo dtoverlay w1-gpio gpiopin=4 pullup=0 # header pin 7 +sudo dtoverlay w1-gpio gpiopin=17 pullup=0 # header pin 11 +sudo dtoverlay w1-gpio gpiopin=27 pullup=0 # header pin 13 +once any of the steps above have been performed, and discovery is complete you can list the devices that your Raspberry Pi has discovered via all 1-Wire busses (by default BCM4), like so: + +ls /sys/bus/w1/devices/ +n.b. Using w1-gpio on the Raspberry Pi typically needs a 4.7 kΩ pull-up resistor connected between the GPIO pin and a 3.3v supply (e.g. header pin 1 or 17). Other means of connecting 1-Wire devices to the Raspberry Pi are also possible, such as using i2c to 1-Wire bridge chips. + diff --git a/README.md b/README.md index 4afda27..9bd433e 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,6 @@ PiPins =============== -Documents to help with Pi Zero / Pi Zero W pinouts and protocols \ No newline at end of file +Documents to help with Pi Zero / Pi Zero W pinouts and protocols. + +Simple text files to keep on the pi for use as quick and dirty emergency hardware hacking lab. \ No newline at end of file diff --git a/URLs.txt b/URLs.txt new file mode 100644 index 0000000..511eaee --- /dev/null +++ b/URLs.txt 
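Review bot: "/boot/config" should be "/boot/config.txt"; the "dtoverlay=w1-gpio" lines that follow are config.txt settings and the path as written does not exist on Raspbian. Minor ordering point: the closing "n.b." about the 4.7 kΩ pull-up between the GPIO pin and 3.3V is the one piece of wiring information a reader needs before plugging anything in, so it should sit above the command examples rather than after "ls /sys/bus/w1/devices/".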
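Review bot: grammar in the added README line, "for use as quick and dirty emergency hardware hacking lab" should be "for use as a quick and dirty emergency hardware hacking lab". Since the README is the only index of the repo, it would also help to list the per-interface files added in this patch (gpio.txt, i2c.txt, jtag.txt, power.txt, sdio.txt and so on) with a one-line purpose each.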
@@ -0,0 +1,12 @@ +Collection of random useful URL's + +http://acoptex.com/project/8003/raspberry-basics-project-29a-raspberry-pi-zero-w-board-raspberry-pi-gpio-pinout-at-acoptexcom/ + +https://pinout.xyz/ + +https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool + +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ + +https://github.com/superzerg/logic-analyzer +https://sigrok.org/wiki/PulseView \ No newline at end of file diff --git a/dpi.txt b/dpi.txt new file mode 100644 index 0000000..cd70f1c --- /dev/null +++ b/dpi.txt @@ -0,0 +1,29 @@ + 1)(2 +V-SYNC 3)(4 +H-SYNC 5)(6 +Blue 0 7)(8 Green 2 + 9)(10 Green 3 +Green 5 11)(12 Green 6 +Red 7 13)(14 +Red 2 15)(16 Red 3 + 17)(18 Red 4 +Blue 6 19)(20 +Blue 5 21)(22 Red 5 +Blue 7 23)(24 Blue 4 + 25)(26 Blue 3 +CLK 27)(28 DEN +Blue 1 29)(30 +Blue 2 31)(32 Green 0 +Green 1 33)(34 +Green 7 35)(36 Green 4 +Red 6 37)(38 Red 0 + 39)(40 Red 1 + +- DPI - Display Parallel Interface - + +One of the alternate functions selectable on bank 0 of the Raspbery Pi GPIO is DPI. DPI (Display Parallel Interface) is a 24-bit parallel interface with 28 clock and synchronisation signals. + +This interface allows parallel RGB displays to be attached to the Raspberry Pi GPIO either in RGB24 (8 bits for red, green and blue) or RGB666 (6 bits per colour) or RGB565 (5 bits red, 6 green, and 5 blue). It is available as alternate function 2 (ALT2) on GPIO bank 0. + +The pinout presented here is for the RGB24 mode, see url below for documentation of the RGB666 and RGB565 modes. +https://www.raspberrypi.org/documentation/hardware/raspberrypi/dpi/ diff --git a/gpclk.txt b/gpclk.txt new file mode 100644 index 0000000..f313bdf --- /dev/null +++ b/gpclk.txt 
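Review bot: "URL's" should be "URLs". The acoptex.com entry is plain http; use https if the site offers it. Give each link a short label (the list mixes a pinout site, a hardware-hacking article, a secondary SD card write-up and two logic-analyser projects) so the file is usable as a quick reference without opening every link.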
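Review bot: typo in dpi.txt, "Raspbery Pi" should be "Raspberry Pi". The last paragraph states the diagram is for RGB24 only, but a reader catting the file on a small terminal sees only the diagram and the heading; put the mode in the heading line ("- DPI - Display Parallel Interface (RGB24) -") and keep the RGB666/RGB565 reference link as is.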
@@ -0,0 +1,36 @@ + 1)(2 + 3)(4 + 5)(6 +GPCLK0 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 +GPCLK1 29)(30 +GPCLK2 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +General Purpose Clock pins can be set up to output a fixed frequency without any ongoing software control. + +The following clock sources are available: + +0 0 Hz Ground +1 19.2 MHz oscillator +2 0 Hz testdebug0 +3 0 Hz testdebug1 +4 0 Hz PLLA +5 1000 MHz PLLC (changes with overclock settings) +6 500 MHz PLLD +7 216 MHz HDMI auxiliary +8-15 0 Hz Ground + +Other frequencies can be achieved by setting a clock-divider in the form of SOURCE/(DIV_I + DIV_F/4096). Note, that the BCM2835 ARM Peripherals document contains an error and states that the denominator of the divider is 1024 instead of 4096. \ No newline at end of file diff --git a/gpio.txt b/gpio.txt new file mode 100644 index 0000000..aa90bc4 --- /dev/null +++ b/gpio.txt 
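Review bot: GPCLK0 is drawn on header pin 7, the same pin 1-wire.txt uses as the default w1-gpio DATA pin (BCM4); add a one-line conflict warning so the two files are not followed together without moving one of the functions. The clock-source table has no header row; label the columns (source number, frequency, name) and note that the 0 Hz entries are not usable sources. "Note, that the BCM2835" should be "Note that the BCM2835".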
@@ -0,0 +1,48 @@ + 1)(2 +BCM 2 3)(4 +BCM 3 5)(6 + 7)(8 BCM 14 + 9)(10 BCM 15 +BCM 17 11)(12 BCM 18 +BCM 27 13)(14 +BCM 22 15)(16 BCM 23 + 17)(18 BCM 24 +BCM 10 19)(20 +BCM 9 21)(22 BCM 25 +BCM 11 23)(24 BCM 8 + 25)(26 BCM 7 +BCM 0 27)(28 BCM 1 +BCM 5 29)(30 +BCM 6 31)(32 BCM 12 +BCM 13 33)(34 +BCM 19 35)(36 BCM 16 +BCM 26 37)(38 BCM 20 + 39)(40 BCM 21 + +BCM - Broadcom pin number, commonly called "GPIO", these are the ones you probably want to use with RPi.GPIO and GPIO Zero + +- Outputs and Inputs - + +Other GPIO pins are capable of a 3.3V output, also referred to as setting the pin HIGH in code. When an output pin is LOW this means that it is simply providing 0V. + +A GPIO pin designated as an input pin can be read as HIGH (3.3V) or LOW (0V). This is made easier with the use of internal pull-up or pull-down resistors. Pins GPIO 2 and GPIO 3 have fixed pull-up resistors, but for other pins this can be configured in software. Do not provide the pins with greater than 3.3V: this is a quick way to damage your Raspberry Pi! + +- PWM - + +PWM (Pulse Width Modulation) is used with components such as motors, servos and LEDs by sending short pulses to control how much power they recieve. + +PWM is also possible on the Raspberry Pi. GPIO 12, GPIO 13, GPIO 18, GPIO 19 are hardware PWM capable, though the Raspberry Pi is also able to provide software PWM through libraries such as pigpio on all pins. + +- BOARD or BCM? Which one to use? - + +Each pin has two numbers attached to it. Its BOARD number (the numbers in the circle) and its BCM (Broadcom SOC channel) number. You can choose which convention to use when you write your Python code: + +1. GPIO/BCM numbering: GPIO.setmode(GPIO.BCM) +2. Board numbering: GPIO.setmode(GPIO.BOARD) +You can only use one convention in each DIY project, so select a one which makes most sense to you (the output is the same). It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero). 
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file diff --git a/i2c.txt b/i2c.txt new file mode 100644 index 0000000..ff5deca --- /dev/null +++ b/i2c.txt 
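Review bot: the closing claim of the BOARD/BCM section, "certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero)", contradicts the two lines above it, which show RPi.GPIO's own GPIO.setmode(GPIO.BOARD) option; RPi.GPIO supports both conventions, and the sentence should talk about libraries, not peripherals, and name only the ones that are BCM-only. "Other GPIO pins are capable of a 3.3V output" opens the Outputs and Inputs section with nothing for "Other" to refer to; drop "Other". Typos: "recieve" (receive), "select a one which" (select the one which), "which it is installed by default" (which is installed by default).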
@@ -0,0 +1,67 @@ + 1)(2 + Data 3)(4 + Clock 5)(6 + 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 +EEPROM Data 27)(28 EEPROM Clock + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +I2C pins in BCM mode are: 2, 3 +I2C pins in WiringPi are: 8, 9 + +- I2C - Inter Integrated Circuit - + +The Raspberry Pi's I2C pins are an extremely useful way to talk to many different types of external peripheral; from the MCP23017 digital IO expander, to a connected ATmega. + +The I2C pins include a fixed 1.8 kohms pull-up resistor to 3.3v. This means they are not suitable for use as general purpose IO where a pull-up is not required. + +You can verify the address of connected I2C peripherals with a simple one-liner: + +sudo apt-get install i2c-tools +sudo i2cdetect -y 1 +You can then access I2C from Python using the smbus library: + +import smbus +DEVICE_BUS = 1 +DEVICE_ADDR = 0x15 +bus = smbus.SMBus(DEVICE_BUS) +bus.write_byte_data(DEVICE_ADDR, 0x00, 0x01) + +Pins 27 and 28 (ID_SD (EEPROM SDA2) and ID_SC (EEPROM SCL2)) are also I2C. There are used by the Pi for internal functions, and also some HAT boards. + +- RevEng communication - + +This communication is similar to the SPI, but it uses only two wire for communication – SDA/SCL. Each device is accessed by using their internal i2c address. Here we will use an I2C EEPROM as an example and see how we can read and write to the memory. i2ctools comes as a part of the Linux package, so no need to install anything. + +To find the address of your i2c slave device. + +i2cdetect -y 1 + +Now use a tool called as eeprog to read and write to the EEPROM. 
+ +wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz +tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/ +cd eeprog-0.7.6-tear12/ +make +sudo make install + +To write data to it: +echo “hello” | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50 +-w is the offset +-t is write delay + +To read data from it +./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10 \ No newline at end of file diff --git a/jtag.txt b/jtag.txt new file mode 100644 index 0000000..94a7435 --- /dev/null +++ b/jtag.txt 
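Review bot: the file contradicts itself on tooling: the top half says "sudo apt-get install i2c-tools" while the RevEng section says "i2ctools comes as a part of the Linux package, so no need to install anything"; keep the install line and the package name i2c-tools. The eeprog steps fetch a tarball over plain http with no checksum and then run "sudo make install"; record a hash to verify against, or build and run it from the unpacked directory without installing as root. The tar line extracts "eeprog-0.7.6-tear12/" from "eeprog-0.7.6-tear5.tar.gz", so one of the two names is wrong. The write example uses typographic quotes (echo “hello”), which the shell passes through literally; use plain double quotes. Also "There are used by the Pi" should be "These are used by the Pi", "two wire" should be "two wires", and "1.8 kohms" should be "1.8 kΩ".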
@@ -0,0 +1,70 @@ + 1)(2 + 3)(4 + 5)(6 +TDI (Alt5) 7)(8 + 9)(10 + 11)(12 +TMS (Alt4) 13)(14 +TRST (Alt4) 15)(16 RTCK (Alt4) + 17)(18 TDO (Alt4) + 19)(20 + 21)(22 TCK (Alt4) + 23)(24 + 25)(26 + 27)(28 +TDO (Alt5) 29)(30 +RTCK (Alt5) 31)(32 TMS (Alt5) +TCK (Alt5) 33)(34 + 35)(36 +TDI (Alt4) 37)(38 + 39)(40 + +JTAG is generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset. + +JTAG/SWD are standards which allow developers to debug any microcontroller or microprocessor. From an attacker perspective having access to the debug means game over for the device. An attacker can dump the internal memory or do changes in the memory dynamically. Let’s talk about accessing both JTAG and SWD using just a Raspberry pi. We use an opensource tool called as openOCD which talks to the debugger. + +Connection: + JTAG: + TCK – 23 + TMS – 22 + TDI – 19 + TDO – 21 + SRST – 12 + GND – 20 + SWD: + SWDIO – 18 + SWCLK – 22 + SRST – 12 + GND – 14 + +To Install openOCD: +git clone git://git.code.sf.net/p/openocd/code openocd +cd openocd/ +./bootstrap +./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio +make & sudo make install + +It will take some bit of time, so be patient. + +JTAG: +The Configuration file for JTAG comes with the openOCD package itself. just running this with target cfg will connect to it’s JTAG +openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg +Now you can connect to gdb and debug the device.SWD: +openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg +raspberrypi_swd.cfg is located in the git you downloaded earlier. +Now you can connect to gdb and debug the device. 
+ +########################################################### + +JTAGenum +In a typical device, it is rare to find the JTAG interface and where the pins are located. So we use a tool called as JTAGenum which scan for all the pins the devices and tell you which pins is TMS-TCK-TDI-TDO. This is very helpfull if you don’t have proper documentation of the target device. + +Installation: +git clone https://github.com/cyphunk/JTAGenum +cd JTAGenum +source JTAGenum.sh +scan + +Pins to be used are 3 – 5 – 7 – 11 – 13 – 15 and common ground. + +This will take a bit of time as the GPIO is quite slow. \ No newline at end of file diff --git a/logic_analyser.txt b/logic_analyser.txt new file mode 100644 index 0000000..68c70a0 --- /dev/null +++ b/logic_analyser.txt 
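Review bot: the openOCD build steps do not work as written: the configure flags use en-dashes ("–enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio") instead of "--", and "make & sudo make install" starts the install concurrently with the build because of the single "&"; use "./configure --enable-maintainer-mode --enable-bcm2835gpio --enable-sysfsgpio" and "make && sudo make install". The Connection list (TCK 23, TMS 22, TDI 19, TDO 21) does not match the Alt4/Alt5 pins in the diagram above it (TCK at 22 and 33, TMS at 13 and 32); say explicitly that the list is the GPIO bit-bang assignment expected by interface/raspberrypi-native.cfg, not the SoC's native JTAG alternate function, so a reader does not wire the Alt pins and get no response. The clone uses the unauthenticated git:// transport; use the https URL. Wording: "JTAG is generally refers" (JTAG generally refers), "(options) TRST" (optional TRST), "Now you can connect to gdb and debug the device.SWD:" needs a line break before "SWD:", and "helpfull" should be "helpful".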
@@ -0,0 +1,23 @@ + - Logic Analyzer - PulseView - + +The serial connection is available on the PC (running Linux) as /dev/ttyUSB0. The sniffer is started using sigrok-cli, and the resulting sigrok session data is opened with PulseView. + +Command given on PC: + +sigrok-cli --driver=ols:conn=/dev/ttyUSB0 --config samplerate=3000000 --samples 100000 --probes 1=CLK,2=DIN,3=DC,4=nCS,5=nRST --triggers nCS=1 -o test.sr +--driver: The sniffer identifies itself as a Open Bench Logic Sniffer (OLS) on port /dev/ttyUSB0 +--config samplerate: using the maximum of 3M samples/s +--samples: 100000 samples (taking ~33ms at 3 MHz) +--probes: probe 1-5 are used, the labels are optional +--triggers: the sampling starts after probe 4 (nCS, inverted chip select) turns high +-o test.sr: the session is saved to a file that can be read by PulseView +The probes relate to the GPIO ports of the PI as: +SUMP probe 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +Rev 1 GPIO 7 8 11 9 25 10 24 23 22 21 18 17 17 17 17 17 +Rev 2 GPIO 7 8 11 9 25 10 24 23 22 27 18 17 28 29 30 31 +This gives 12 probes on the rev1 board, 16 probes on rev 2 (if using the P5 header). +The I2C and GPIO clock pins are reserved for future use. + +possibly better logic analyzer for the pi: +https://github.com/richardghirst/Panalyzer +"The basic idea is that it disables interrupts for a period, while sampling the GPIO pins once a microsecond. It then re-enables interupts and displays traces showing what the relevant GPIO pins were doing." \ No newline at end of file diff --git a/pcm.txt b/pcm.txt new file mode 100644 index 0000000..202fdff --- /dev/null +++ b/pcm.txt 
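Review bot: the file never says what "the sniffer" is. The command drives an OLS-compatible device on /dev/ttyUSB0 from a PC, while the probe-to-GPIO table implies the Pi itself is the sniffer; if that is the superzerg/logic-analyzer project listed in URLs.txt, name it in the first paragraph together with how the Pi is attached to the PC. In the "Rev 1 GPIO" row, probes 12-15 all map to GPIO 17 although the text says rev 1 has only 12 probes; mark those entries as unused rather than listing a real pin a reader might wire to.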
diff --git a/software.txt b/software.txt new file mode 100644 index 0000000..02dd54e --- /dev/null +++ b/software.txt
@@ -0,0 +1,14 @@ +openocd - on-chip debugging, in-system programming and boundary-scan testing tool +binwalk - Binwalk is a tool for searching a given binary image for embedded files and executable code. +screen - virtual terminal - useful for dealing with serial/uart +minicom - It is used to talk to external RS-232 devices such as mobile phones, routers, and serial console ports. +https://github.com/cyphunk/JTAGenum - enumerate jtag pins +WiringPi-Python python library - An implementation of most of the Arduino Wiring functions for the Raspberry Pi. +i2ctools - a bus probing tool, a chip dumper, register-level SMBus access helpers, EEPROM decoding scripts, EEPROM programming tools, and a python module for SMBus access. +flashrom - read & write external flash memory of the target device which uses SPI communication interface. + +http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz - eeprog to read and write to the EEPROM + + +sigrok-cli & Pulseview - logic analyzer software +https://github.com/richardghirst/Panalyzer - logic analyzer \ No newline at end of file
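Review bot: "i2ctools" is not the package name; i2c.txt installs it as "i2c-tools", so use that spelling here for consistency. The eeprog entry is a bare http:// tarball link with no checksum, and i2c.txt builds it and runs "sudo make install"; record a hash (or point at a source repository) so a binary installed as root on the Pi can be verified before use. "Pulseview" should be "PulseView", matching the heading in logic_analyser.txt.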
@@ -0,0 +1,41 @@ + 1)(2 + 3)(4 + 5)(6 +DATA 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +- W1-GPIO - One-Wire Interface - +To enable the one-wire interface you need to add the following line to /boot/config +dtoverlay=w1-gpio +or +dtoverlay=w1-gpio,gpiopin=x +if you would like to use a custom pin (default is BCM4, as illustrated in pinout herein). + +Alternatively you can enable the one-wire interface on demand using raspi-config, or the following: + +sudo modprobe w1-gpio +Newer kernels (4.9.28 and later) allow you to use dynamic overlay loading instead, including creating multiple 1-Wire busses to be used at the same time: + +sudo dtoverlay w1-gpio gpiopin=4 pullup=0 # header pin 7 +sudo dtoverlay w1-gpio gpiopin=17 pullup=0 # header pin 11 +sudo dtoverlay w1-gpio gpiopin=27 pullup=0 # header pin 13 +once any of the steps above have been performed, and discovery is complete you can list the devices that your Raspberry Pi has discovered via all 1-Wire busses (by default BCM4), like so: + +ls /sys/bus/w1/devices/ +n.b. Using w1-gpio on the Raspberry Pi typically needs a 4.7 kΩ pull-up resistor connected between the GPIO pin and a 3.3v supply (e.g. header pin 1 or 17). Other means of connecting 1-Wire devices to the Raspberry Pi are also possible, such as using i2c to 1-Wire bridge chips. + diff --git a/README.md b/README.md index 4afda27..9bd433e 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,6 @@ PiPins =============== -Documents to help with Pi Zero / Pi Zero W pinouts and protocols \ No newline at end of file +Documents to help with Pi Zero / Pi Zero W pinouts and protocols. + +Simple text files to keep on the pi for use as quick and dirty emergency hardware hacking lab. \ No newline at end of file diff --git a/URLs.txt b/URLs.txt new file mode 100644 index 0000000..511eaee --- /dev/null +++ b/URLs.txt 
@@ -0,0 +1,12 @@ +Collection of random useful URL's + +http://acoptex.com/project/8003/raspberry-basics-project-29a-raspberry-pi-zero-w-board-raspberry-pi-gpio-pinout-at-acoptexcom/ + +https://pinout.xyz/ + +https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool + +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ + +https://github.com/superzerg/logic-analyzer +https://sigrok.org/wiki/PulseView \ No newline at end of file diff --git a/dpi.txt b/dpi.txt new file mode 100644 index 0000000..cd70f1c --- /dev/null +++ b/dpi.txt @@ -0,0 +1,29 @@ + 1)(2 +V-SYNC 3)(4 +H-SYNC 5)(6 +Blue 0 7)(8 Green 2 + 9)(10 Green 3 +Green 5 11)(12 Green 6 +Red 7 13)(14 +Red 2 15)(16 Red 3 + 17)(18 Red 4 +Blue 6 19)(20 +Blue 5 21)(22 Red 5 +Blue 7 23)(24 Blue 4 + 25)(26 Blue 3 +CLK 27)(28 DEN +Blue 1 29)(30 +Blue 2 31)(32 Green 0 +Green 1 33)(34 +Green 7 35)(36 Green 4 +Red 6 37)(38 Red 0 + 39)(40 Red 1 + +- DPI - Display Parallel Interface - + +One of the alternate functions selectable on bank 0 of the Raspbery Pi GPIO is DPI. DPI (Display Parallel Interface) is a 24-bit parallel interface with 28 clock and synchronisation signals. + +This interface allows parallel RGB displays to be attached to the Raspberry Pi GPIO either in RGB24 (8 bits for red, green and blue) or RGB666 (6 bits per colour) or RGB565 (5 bits red, 6 green, and 5 blue). It is available as alternate function 2 (ALT2) on GPIO bank 0. + +The pinout presented here is for the RGB24 mode, see url below for documentation of the RGB666 and RGB565 modes. +https://www.raspberrypi.org/documentation/hardware/raspberrypi/dpi/ diff --git a/gpclk.txt b/gpclk.txt new file mode 100644 index 0000000..f313bdf --- /dev/null +++ b/gpclk.txt 
@@ -0,0 +1,36 @@ + 1)(2 + 3)(4 + 5)(6 +GPCLK0 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 +GPCLK1 29)(30 +GPCLK2 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +General Purpose Clock pins can be set up to output a fixed frequency without any ongoing software control. + +The following clock sources are available: + +0 0 Hz Ground +1 19.2 MHz oscillator +2 0 Hz testdebug0 +3 0 Hz testdebug1 +4 0 Hz PLLA +5 1000 MHz PLLC (changes with overclock settings) +6 500 MHz PLLD +7 216 MHz HDMI auxiliary +8-15 0 Hz Ground + +Other frequencies can be achieved by setting a clock-divider in the form of SOURCE/(DIV_I + DIV_F/4096). Note, that the BCM2835 ARM Peripherals document contains an error and states that the denominator of the divider is 1024 instead of 4096. \ No newline at end of file diff --git a/gpio.txt b/gpio.txt new file mode 100644 index 0000000..aa90bc4 --- /dev/null +++ b/gpio.txt 
@@ -0,0 +1,48 @@ + 1)(2 +BCM 2 3)(4 +BCM 3 5)(6 + 7)(8 BCM 14 + 9)(10 BCM 15 +BCM 17 11)(12 BCM 18 +BCM 27 13)(14 +BCM 22 15)(16 BCM 23 + 17)(18 BCM 24 +BCM 10 19)(20 +BCM 9 21)(22 BCM 25 +BCM 11 23)(24 BCM 8 + 25)(26 BCM 7 +BCM 0 27)(28 BCM 1 +BCM 5 29)(30 +BCM 6 31)(32 BCM 12 +BCM 13 33)(34 +BCM 19 35)(36 BCM 16 +BCM 26 37)(38 BCM 20 + 39)(40 BCM 21 + +BCM - Broadcom pin number, commonly called "GPIO", these are the ones you probably want to use with RPi.GPIO and GPIO Zero + +- Outputs and Inputs - + +Other GPIO pins are capable of a 3.3V output, also referred to as setting the pin HIGH in code. When an output pin is LOW this means that it is simply providing 0V. + +A GPIO pin designated as an input pin can be read as HIGH (3.3V) or LOW (0V). This is made easier with the use of internal pull-up or pull-down resistors. Pins GPIO 2 and GPIO 3 have fixed pull-up resistors, but for other pins this can be configured in software. Do not provide the pins with greater than 3.3V: this is a quick way to damage your Raspberry Pi! + +- PWM - + +PWM (Pulse Width Modulation) is used with components such as motors, servos and LEDs by sending short pulses to control how much power they recieve. + +PWM is also possible on the Raspberry Pi. GPIO 12, GPIO 13, GPIO 18, GPIO 19 are hardware PWM capable, though the Raspberry Pi is also able to provide software PWM through libraries such as pigpio on all pins. + +- BOARD or BCM? Which one to use? - + +Each pin has two numbers attached to it. Its BOARD number (the numbers in the circle) and its BCM (Broadcom SOC channel) number. You can choose which convention to use when you write your Python code: + +1. GPIO/BCM numbering: GPIO.setmode(GPIO.BCM) +2. Board numbering: GPIO.setmode(GPIO.BOARD) +You can only use one convention in each DIY project, so select a one which makes most sense to you (the output is the same). It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero). 
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file diff --git a/i2c.txt b/i2c.txt new file mode 100644 index 0000000..ff5deca --- /dev/null +++ b/i2c.txt 
@@ -0,0 +1,67 @@ + 1)(2 + Data 3)(4 + Clock 5)(6 + 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 +EEPROM Data 27)(28 EEPROM Clock + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +I2C pins in BCM mode are: 2, 3 +I2C pins in WiringPi are: 8, 9 + +- I2C - Inter Integrated Circuit - + +The Raspberry Pi's I2C pins are an extremely useful way to talk to many different types of external peripheral; from the MCP23017 digital IO expander, to a connected ATmega. + +The I2C pins include a fixed 1.8 kohms pull-up resistor to 3.3v. This means they are not suitable for use as general purpose IO where a pull-up is not required. + +You can verify the address of connected I2C peripherals with a simple one-liner: + +sudo apt-get install i2c-tools +sudo i2cdetect -y 1 +You can then access I2C from Python using the smbus library: + +import smbus +DEVICE_BUS = 1 +DEVICE_ADDR = 0x15 +bus = smbus.SMBus(DEVICE_BUS) +bus.write_byte_data(DEVICE_ADDR, 0x00, 0x01) + +Pins 27 and 28 (ID_SD (EEPROM SDA2) and ID_SC (EEPROM SCL2)) are also I2C. There are used by the Pi for internal functions, and also some HAT boards. + +- RevEng communication - + +This communication is similar to the SPI, but it uses only two wire for communication – SDA/SCL. Each device is accessed by using their internal i2c address. Here we will use an I2C EEPROM as an example and see how we can read and write to the memory. i2ctools comes as a part of the Linux package, so no need to install anything. + +To find the address of your i2c slave device. + +i2cdetect -y 1 + +Now use a tool called as eeprog to read and write to the EEPROM. 
+ +wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz +tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/ +cd eeprog-0.7.6-tear12/ +make +sudo make install + +To write data to it: +echo “hello” | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50 +-w is the offset +-t is write delay + +To read data from it +./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10 \ No newline at end of file diff --git a/jtag.txt b/jtag.txt new file mode 100644 index 0000000..94a7435 --- /dev/null +++ b/jtag.txt 
@@ -0,0 +1,70 @@ + 1)(2 + 3)(4 + 5)(6 +TDI (Alt5) 7)(8 + 9)(10 + 11)(12 +TMS (Alt4) 13)(14 +TRST (Alt4) 15)(16 RTCK (Alt4) + 17)(18 TDO (Alt4) + 19)(20 + 21)(22 TCK (Alt4) + 23)(24 + 25)(26 + 27)(28 +TDO (Alt5) 29)(30 +RTCK (Alt5) 31)(32 TMS (Alt5) +TCK (Alt5) 33)(34 + 35)(36 +TDI (Alt4) 37)(38 + 39)(40 + +JTAG is generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset. + +JTAG/SWD are standards which allow developers to debug any microcontroller or microprocessor. From an attacker perspective having access to the debug means game over for the device. An attacker can dump the internal memory or do changes in the memory dynamically. Let’s talk about accessing both JTAG and SWD using just a Raspberry pi. We use an opensource tool called as openOCD which talks to the debugger. + +Connection: + JTAG: + TCK – 23 + TMS – 22 + TDI – 19 + TDO – 21 + SRST – 12 + GND – 20 + SWD: + SWDIO – 18 + SWCLK – 22 + SRST – 12 + GND – 14 + +To Install openOCD: +git clone git://git.code.sf.net/p/openocd/code openocd +cd openocd/ +./bootstrap +./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio +make & sudo make install + +It will take some bit of time, so be patient. + +JTAG: +The Configuration file for JTAG comes with the openOCD package itself. just running this with target cfg will connect to it’s JTAG +openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg +Now you can connect to gdb and debug the device.SWD: +openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg +raspberrypi_swd.cfg is located in the git you downloaded earlier. +Now you can connect to gdb and debug the device. 
+ +########################################################### + +JTAGenum +In a typical device, it is rare to find the JTAG interface and where the pins are located. So we use a tool called as JTAGenum which scan for all the pins the devices and tell you which pins is TMS-TCK-TDI-TDO. This is very helpfull if you don’t have proper documentation of the target device. + +Installation: +git clone https://github.com/cyphunk/JTAGenum +cd JTAGenum +source JTAGenum.sh +scan + +Pins to be used are 3 – 5 – 7 – 11 – 13 – 15 and common ground. + +This will take a bit of time as the GPIO is quite slow. \ No newline at end of file diff --git a/logic_analyser.txt b/logic_analyser.txt new file mode 100644 index 0000000..68c70a0 --- /dev/null +++ b/logic_analyser.txt 
@@ -0,0 +1,23 @@ + - Logic Analyzer - PulseView - + +The serial connection is available on the PC (running Linux) as /dev/ttyUSB0. The sniffer is started using sigrok-cli, and the resulting sigrok session data is opened with PulseView. + +Command given on PC: + +sigrok-cli --driver=ols:conn=/dev/ttyUSB0 --config samplerate=3000000 --samples 100000 --probes 1=CLK,2=DIN,3=DC,4=nCS,5=nRST --triggers nCS=1 -o test.sr +--driver: The sniffer identifies itself as a Open Bench Logic Sniffer (OLS) on port /dev/ttyUSB0 +--config samplerate: using the maximum of 3M samples/s +--samples: 100000 samples (taking ~33ms at 3 MHz) +--probes: probe 1-5 are used, the labels are optional +--triggers: the sampling starts after probe 4 (nCS, inverted chip select) turns high +-o test.sr: the session is saved to a file that can be read by PulseView +The probes relate to the GPIO ports of the PI as: +SUMP probe 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +Rev 1 GPIO 7 8 11 9 25 10 24 23 22 21 18 17 17 17 17 17 +Rev 2 GPIO 7 8 11 9 25 10 24 23 22 27 18 17 28 29 30 31 +This gives 12 probes on the rev1 board, 16 probes on rev 2 (if using the P5 header). +The I2C and GPIO clock pins are reserved for future use. + +possibly better logic analyzer for the pi: +https://github.com/richardghirst/Panalyzer +"The basic idea is that it disables interrupts for a period, while sampling the GPIO pins once a microsecond. It then re-enables interupts and displays traces showing what the relevant GPIO pins were doing." \ No newline at end of file diff --git a/pcm.txt b/pcm.txt new file mode 100644 index 0000000..202fdff --- /dev/null +++ b/pcm.txt 
@@ -0,0 +1,24 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 + 11)(12 CLK + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 +FS 35)(36 + 37)(38 DIN + 39)(40 DOUT + +- PCM - Pulse-code Modulation - + +PCM (Pulse-code Modulation) is a digital representation of sampled analog. On the Raspberry Pi it's a form of digital audio output which can be understood by a DAC for high quality sound. \ No newline at end of file diff --git a/pinout.jpg b/pinout.jpg new file mode 100644 index 0000000..a077f69 --- /dev/null +++ b/pinout.jpg Binary files differ diff --git a/pinout2.png b/pinout2.png new file mode 100644 index 0000000..f657d35 --- /dev/null +++ b/pinout2.png Binary files differ diff --git a/power.txt b/power.txt new file mode 100644 index 0000000..16834ac --- /dev/null +++ b/power.txt 
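Review bot: "PCM (Pulse-code Modulation) is a digital representation of sampled analog." is missing its noun ("sampled analog signals"), and the four signals drawn on the pinout (CLK on pin 12, FS on pin 35, DIN on pin 38, DOUT on pin 40) are never expanded in the text; the text also calls PCM "a form of digital audio output" while the drawing includes a DIN line, so one line per signal (name, direction, BCM number as in the other files) would make the text consistent with the drawing.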
@@ -0,0 +1,44 @@ +3.3v 1)(2 5v + 3)(4 5v + 5)(6 GND + 7)(8 +GND 9)(10 + 11)(12 + 13)(14 GND + 15)(16 +3.3v 17)(18 + 19)(20 GND + 21)(22 + 23)(24 +GND 25)(26 + 27)(28 + 29)(30 GND + 31)(32 + 33)(34 GND + 35)(36 + 37)(38 +GND 39)(40 + +- Voltages - + +The Raspberry Pi can provide both 5V (pins 2 and 4) and 3.3V (pins 1 and 17) power. It also provides the Ground pins (Ground or GND) for circuits on pins 6, 9, 14, 20, 25, 30, 34, and 39. These pins are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply. + +3.3V pins - Anything connected to these pins will always get 3.3V of power + +5V pins - Anything connected to these pins will always get 5V of power + +Ground (GND) - 0V, used to complete a circuit + +There is no single answer to how much current the 5V power pins can draw as it is reliant on what power supply you are using, and what other components you have attached to your Pi. + +The Raspberry Pi 3 will only draw 2.5A from its power supply, and requires around 750mA for boot up and normal headless operation. This means that if you are using a 2.5A power supply, the 5V pins can supply a total current of around 1.7A maximum. + +The 3.3V supply pin on the early Raspberry Pi had a maximum available current of about 50 mA. Enough to power a couple of LEDs or a microprocessor, but not much more. All Raspberry Pi since the Model B+ can provide quite a bit more, up to 500mA to remain on the safe side, thanks to a switching regulator. Still, you should generally use the 5V supply, coupled with a 3.3V regulator for 3.3V projects. + +- Ground - + +The Ground pins on the Raspberry Pi are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply. + +Generally the one that's most convenient or closest to the rest of your connections is tidier and easier, or alternatively the one closest to the supply pin that you use. 
+ +For example, it's a good idea to use Physical Pin 17 for 3v3 and Physical Pin 25 for ground when using the SPI connections, as these are right next to the important pins for SPI0. \ No newline at end of file diff --git a/sdio.txt b/sdio.txt new file mode 100644 index 0000000..5dba9af --- /dev/null +++ b/sdio.txt @@ -0,0 +1,26 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 + 11)(12 +DAT3 13)(14 +CLK 15)(16 CMD + 17)(18 DAT0 + 19)(20 + 21)(22 DAT1 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 +DAT2 37)(38 + 39)(40 + +SDIO is the SD host/eMMC interface on the Raspberry Pi. SD host signals are normally used for the microSD slot. +These pins are "SD host" on Alt0 and "eMMC" on Alt3 + +have yet to actually get this to work, there are conflicting pinouts on: +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ \ No newline at end of file diff --git a/software.txt b/software.txt new file mode 100644 index 0000000..02dd54e --- /dev/null +++ b/software.txt 
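Review bot: in the "- Voltages -" paragraph, "These pins are all electrically connected, so it doesn't matter which one you use" comes right after the list of 5V, 3.3V and GND pins and so reads as if all three rails were tied together; the same sentence is repeated under "- Ground -", where it is correct, so delete it from the voltages paragraph or restrict it to the ground pins. The current figures ("The Raspberry Pi 3 will only draw 2.5A", "around 1.7A maximum", "up to 500mA" on 3.3V since the Model B+) are stated for other boards, while the README in this change scopes the repo to the Pi Zero / Pi Zero W; say which board each number applies to rather than letting a Zero user budget 1.7A from the 5V pins. Also "3.3V of power" and "5V of power" are voltages, not power.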
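Review bot: sdio.txt ships a pinout that its own last line says is unverified ("have yet to actually get this to work, there are conflicting pinouts on: ..."); move that caveat to the top, say which of the conflicting sources the drawing follows, and, since the text states these signals "are normally used for the microSD slot", say whether switching them to the header (Alt0 "SD host" / Alt3 "eMMC") affects the card the Pi boots from. Missing full stop after "and "eMMC" on Alt3".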
@@ -0,0 +1,14 @@ +openocd - on-chip debugging, in-system programming and boundary-scan testing tool +binwalk - Binwalk is a tool for searching a given binary image for embedded files and executable code. +screen - virtual terminal - useful for dealing with serial/uart +minicom - It is used to talk to external RS-232 devices such as mobile phones, routers, and serial console ports. +https://github.com/cyphunk/JTAGenum - enumerate jtag pins +WiringPi-Python python library - An implementation of most of the Arduino Wiring functions for the Raspberry Pi. +i2ctools - a bus probing tool, a chip dumper, register-level SMBus access helpers, EEPROM decoding scripts, EEPROM programming tools, and a python module for SMBus access. +flashrom - read & write external flash memory of the target device which uses SPI communication interface. + +http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz - eeprog to read and write to the EEPROM + + +sigrok-cli & Pulseview - logic analyzer software +https://github.com/richardghirst/Panalyzer - logic analyzer \ No newline at end of file diff --git a/spi.txt b/spi.txt new file mode 100644 index 0000000..0376ec9 --- /dev/null +++ b/spi.txt 
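Review bot: the tool list disagrees with the other files in this change: it says "i2ctools" while i2c.txt installs the package as "i2c-tools" (sudo apt-get install i2c-tools); spi.txt tells the reader to "use binwalk or fmk" on the dump, but fmk is not listed here; and entries mix bare names, URLs and a self-repeating line ("binwalk - Binwalk is a tool ..."). Suggest one line per tool in the form name - package or URL - purpose. The eeprog entry is a plain http:// tarball from darkswarm.org with no checksum or version control, and i2c.txt builds it and runs sudo make install on it, so record at least the tarball's hash, or point at a source repository, so a reader can check what they are installing as root.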
@@ -0,0 +1,65 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 +SPI1 CE1 11)(12 SPI1 CE0 + 13)(14 + 15)(16 + 17)(18 +SPI0 MOSI 19)(20 +SPI0 MISO 21)(22 +SPI0 SCLK 23)(24 SPI0 CE0 + 25)(26 SPI0 CE1 + 27)(28 + 29)(30 + 31)(32 + 33)(34 +SPI1 MISO 35)(36 SPI1 CE2 + 37)(38 SPI1 MOSI + 39)(40 SPI1 SCLK + +SPI0 pins in BCM mode are: 9 (MISO), 10 (MOSI), 11 (SCLK) + 7 (CE1) /8 (CE0) +SPI0 pins in WiringPi are: 12, 13, 14 + 10/11 +SPI1 pins in BCM mode are: 20 (MOSI), 19 (MISO), 21 (SCLK) + 17 (CE1) / 18 (CE0) , 16 (CE2) +SPI1 pins in WiringPi are: 28, 24, 29 + 0/1, 27 + +- SPI - Serial Peripheral Interface - + +Known as the four-wire serial bus, SPI lets you attach multiple compatible devices to a single set of pins by assigning them different chip-select pins. + +A useful example of an SPI peripheral is the MCP23S17 digital IO expander chip ( Note the S in place of the 0 found on the I2C version ). You can also use the SPI port to "Bit-Bang" an ATmega 328, loading Arduino sketches onto it with Gordon Hendersons' modified version of AVRDude. + +To talk to an SPI device, you assert its corresponding chip-select pin. By default the Pi has CE0 and CE1. + +import spidev +spi = spidev.SpiDev() +spi.open(0, CHIP_SELECT_0_OR_1) +spi.max_speed_hz = 1000000 +spi.xfer([value_8bit]) + +The SPI protocol is not enabled as standard on Raspbian, but it can be enabled with the raspi-config tool, along with I2C. + +- Dump flash memory - + +Most common test case in hardware testing is to extract the external flash memory of the target device which uses SPI communication interface. Most commonly used tool is flashrom which supports a wide variety of flash memory support. We are going to utilize the bcm2385 SPI interface /dev/spidev0.0 for reading and writing to it. 
+ +Installation: +sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev subversion libusb-1.0-0-dev +svn co svn://flashrom.org/flashrom/trunk flashrom +cd flashrom +make + +Connection: +CS – 24 +MISO – 21 +MOSI – 19 +CLK – 23 +3.3v – 17 + +To read data from the flash memory +flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r spi_dump.bin + +Don’t forget the spispeed=512. + +Now you can use binwalk or fmk in the extracted firmware. \ No newline at end of file diff --git a/1-wire.txt b/1-wire.txt new file mode 100644 index 0000000..0e2cc1f --- /dev/null +++ b/1-wire.txt 
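Review bot: the flash-dump connection list (CS – 24, MISO – 21, MOSI – 19, CLK – 23, 3.3v – 17) has no GND entry, unlike the JTAG and SWD lists in jtag.txt; add one and say the numbers are header pins. "Don't forget the spispeed=512." gives neither the unit nor why the default fails, so a reader cannot adapt it to a chip that needs another clock; state both. "bcm2385 SPI interface" should be BCM2835 (gpclk.txt in this change has "BCM2835 ARM Peripherals document"). The WiringPi lines give bare numbers ("SPI0 pins in WiringPi are: 12, 13, 14 + 10/11") while the BCM lines are labelled MISO/MOSI/SCLK, so it is unclear whether the two lists are in the same order; label them. In the Python snippet, CHIP_SELECT_0_OR_1 and value_8bit are placeholders but are not marked as such, and the value xfer returns is dropped, so the read side of the bus is never shown. The flashrom build is an unauthenticated svn:// checkout of trunk; pin and record a revision, and suggest reading the chip twice and comparing the two images before trusting spi_dump.bin. Typo: "Gordon Hendersons'" -> "Gordon Henderson's".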
diff --git a/URLs.txt b/URLs.txt new file mode 100644 index 0000000..511eaee --- /dev/null +++ b/URLs.txt
@@ -0,0 +1,12 @@ +Collection of random useful URL's + +http://acoptex.com/project/8003/raspberry-basics-project-29a-raspberry-pi-zero-w-board-raspberry-pi-gpio-pinout-at-acoptexcom/ + +https://pinout.xyz/ + +https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool + +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ + +https://github.com/superzerg/logic-analyzer +https://sigrok.org/wiki/PulseView \ No newline at end of file diff --git a/dpi.txt b/dpi.txt new file mode 100644 index 0000000..cd70f1c --- /dev/null +++ b/dpi.txt @@ -0,0 +1,29 @@ + 1)(2 +V-SYNC 3)(4 +H-SYNC 5)(6 +Blue 0 7)(8 Green 2 + 9)(10 Green 3 +Green 5 11)(12 Green 6 +Red 7 13)(14 +Red 2 15)(16 Red 3 + 17)(18 Red 4 +Blue 6 19)(20 +Blue 5 21)(22 Red 5 +Blue 7 23)(24 Blue 4 + 25)(26 Blue 3 +CLK 27)(28 DEN +Blue 1 29)(30 +Blue 2 31)(32 Green 0 +Green 1 33)(34 +Green 7 35)(36 Green 4 +Red 6 37)(38 Red 0 + 39)(40 Red 1 + +- DPI - Display Parallel Interface - + +One of the alternate functions selectable on bank 0 of the Raspbery Pi GPIO is DPI. DPI (Display Parallel Interface) is a 24-bit parallel interface with 28 clock and synchronisation signals. + +This interface allows parallel RGB displays to be attached to the Raspberry Pi GPIO either in RGB24 (8 bits for red, green and blue) or RGB666 (6 bits per colour) or RGB565 (5 bits red, 6 green, and 5 blue). It is available as alternate function 2 (ALT2) on GPIO bank 0. + +The pinout presented here is for the RGB24 mode, see url below for documentation of the RGB666 and RGB565 modes. +https://www.raspberrypi.org/documentation/hardware/raspberrypi/dpi/ diff --git a/gpclk.txt b/gpclk.txt new file mode 100644 index 0000000..f313bdf --- /dev/null +++ b/gpclk.txt 
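Review bot: "a 24-bit parallel interface with 28 clock and synchronisation signals" in dpi.txt reads as if there were 28 sync lines; the pinout in the same hunk shows 24 colour lines (Red, Green and Blue 0-7) plus V-SYNC, H-SYNC, CLK and DEN, 28 signals in total, so reword to "24 data bits plus clock and synchronisation signals, 28 lines in all". Typo "Raspbery Pi". In URLs.txt, "URL's" -> "URLs", and each link would be more useful with a few words on what it is for (the superzerg logic-analyzer repo is presumably what logic_analyser.txt relies on, but neither file says so).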
@@ -0,0 +1,36 @@ + 1)(2 + 3)(4 + 5)(6 +GPCLK0 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 +GPCLK1 29)(30 +GPCLK2 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +General Purpose Clock pins can be set up to output a fixed frequency without any ongoing software control. + +The following clock sources are available: + +0 0 Hz Ground +1 19.2 MHz oscillator +2 0 Hz testdebug0 +3 0 Hz testdebug1 +4 0 Hz PLLA +5 1000 MHz PLLC (changes with overclock settings) +6 500 MHz PLLD +7 216 MHz HDMI auxiliary +8-15 0 Hz Ground + +Other frequencies can be achieved by setting a clock-divider in the form of SOURCE/(DIV_I + DIV_F/4096). Note, that the BCM2835 ARM Peripherals document contains an error and states that the denominator of the divider is 1024 instead of 4096. \ No newline at end of file diff --git a/gpio.txt b/gpio.txt new file mode 100644 index 0000000..aa90bc4 --- /dev/null +++ b/gpio.txt 
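Review bot: the clock-source table has no header row; add one ("source  frequency  name") so "8-15 0 Hz Ground" and "5 1000 MHz PLLC (changes with overclock settings)" read correctly, and give the BCM numbers for the three pins (GPCLK0 on header pin 7, GPCLK1 on 29, GPCLK2 on 31) as every other file in this change does. Header pin 7 is also the default DATA pin of 1-wire.txt in this change ("default is BCM4"), and logic_analyser.txt says "The I2C and GPIO clock pins are reserved for future use", so a one-line cross-reference about that pin being shared would save a reader from assigning it twice. The divider note is good; add the bit widths of DIV_I and DIV_F so the 4096 denominator can be checked against the datasheet.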
@@ -0,0 +1,48 @@ + 1)(2 +BCM 2 3)(4 +BCM 3 5)(6 + 7)(8 BCM 14 + 9)(10 BCM 15 +BCM 17 11)(12 BCM 18 +BCM 27 13)(14 +BCM 22 15)(16 BCM 23 + 17)(18 BCM 24 +BCM 10 19)(20 +BCM 9 21)(22 BCM 25 +BCM 11 23)(24 BCM 8 + 25)(26 BCM 7 +BCM 0 27)(28 BCM 1 +BCM 5 29)(30 +BCM 6 31)(32 BCM 12 +BCM 13 33)(34 +BCM 19 35)(36 BCM 16 +BCM 26 37)(38 BCM 20 + 39)(40 BCM 21 + +BCM - Broadcom pin number, commonly called "GPIO", these are the ones you probably want to use with RPi.GPIO and GPIO Zero + +- Outputs and Inputs - + +Other GPIO pins are capable of a 3.3V output, also referred to as setting the pin HIGH in code. When an output pin is LOW this means that it is simply providing 0V. + +A GPIO pin designated as an input pin can be read as HIGH (3.3V) or LOW (0V). This is made easier with the use of internal pull-up or pull-down resistors. Pins GPIO 2 and GPIO 3 have fixed pull-up resistors, but for other pins this can be configured in software. Do not provide the pins with greater than 3.3V: this is a quick way to damage your Raspberry Pi! + +- PWM - + +PWM (Pulse Width Modulation) is used with components such as motors, servos and LEDs by sending short pulses to control how much power they recieve. + +PWM is also possible on the Raspberry Pi. GPIO 12, GPIO 13, GPIO 18, GPIO 19 are hardware PWM capable, though the Raspberry Pi is also able to provide software PWM through libraries such as pigpio on all pins. + +- BOARD or BCM? Which one to use? - + +Each pin has two numbers attached to it. Its BOARD number (the numbers in the circle) and its BCM (Broadcom SOC channel) number. You can choose which convention to use when you write your Python code: + +1. GPIO/BCM numbering: GPIO.setmode(GPIO.BCM) +2. Board numbering: GPIO.setmode(GPIO.BOARD) +You can only use one convention in each DIY project, so select a one which makes most sense to you (the output is the same). It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero). 
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file diff --git a/i2c.txt b/i2c.txt new file mode 100644 index 0000000..ff5deca --- /dev/null +++ b/i2c.txt 
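Review bot: the drawing leaves header pin 7 without a BCM label ("+ 7)(8 BCM 14") although 1-wire.txt in this change uses that pin as "BCM4" and gpclk.txt puts GPCLK0 on it; add "BCM 4" so the files agree. In "- BOARD or BCM? -", "certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero)" contradicts the two lines just above, which show RPi.GPIO accepting either GPIO.setmode(GPIO.BCM) or GPIO.setmode(GPIO.BOARD); drop RPi.GPIO from that parenthesis. "Other GPIO pins are capable of a 3.3V output" opens the section with "Other" referring to nothing; "GPIO pins" is enough. Typos: "recieve" -> "receive", "select a one which" -> "select the one which", "which it is installed by default" -> "which is installed by default".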
@@ -0,0 +1,67 @@ + 1)(2 + Data 3)(4 + Clock 5)(6 + 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 +EEPROM Data 27)(28 EEPROM Clock + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +I2C pins in BCM mode are: 2, 3 +I2C pins in WiringPi are: 8, 9 + +- I2C - Inter Integrated Circuit - + +The Raspberry Pi's I2C pins are an extremely useful way to talk to many different types of external peripheral; from the MCP23017 digital IO expander, to a connected ATmega. + +The I2C pins include a fixed 1.8 kohms pull-up resistor to 3.3v. This means they are not suitable for use as general purpose IO where a pull-up is not required. + +You can verify the address of connected I2C peripherals with a simple one-liner: + +sudo apt-get install i2c-tools +sudo i2cdetect -y 1 +You can then access I2C from Python using the smbus library: + +import smbus +DEVICE_BUS = 1 +DEVICE_ADDR = 0x15 +bus = smbus.SMBus(DEVICE_BUS) +bus.write_byte_data(DEVICE_ADDR, 0x00, 0x01) + +Pins 27 and 28 (ID_SD (EEPROM SDA2) and ID_SC (EEPROM SCL2)) are also I2C. There are used by the Pi for internal functions, and also some HAT boards. + +- RevEng communication - + +This communication is similar to the SPI, but it uses only two wire for communication – SDA/SCL. Each device is accessed by using their internal i2c address. Here we will use an I2C EEPROM as an example and see how we can read and write to the memory. i2ctools comes as a part of the Linux package, so no need to install anything. + +To find the address of your i2c slave device. + +i2cdetect -y 1 + +Now use a tool called as eeprog to read and write to the EEPROM. 
+ +wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz +tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/ +cd eeprog-0.7.6-tear12/ +make +sudo make install + +To write data to it: +echo “hello” | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50 +-w is the offset +-t is write delay + +To read data from it +./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10 \ No newline at end of file diff --git a/jtag.txt b/jtag.txt new file mode 100644 index 0000000..94a7435 --- /dev/null +++ b/jtag.txt 
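Review bot: the eeprog steps cannot run as written: the tarball is eeprog-0.7.6-tear5.tar.gz but "tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/" and "cd eeprog-0.7.6-tear12/" name a tear12 directory, so one of the two is wrong and the cd fails; and "echo “hello”" uses curly quotes, which the shell passes through literally, so the quote characters end up in the EEPROM. The flag glossary is also inconsistent: "-w 0" is described as the offset in the write command while the read command gives the offset range as "-r 0x00:0x10" after "-x"; document -w, -r, -x, -f, -16 and -t in one place. Higher up, "i2ctools comes as a part of the Linux package, so no need to install anything" contradicts "sudo apt-get install i2c-tools" in the same file. The Python snippet writes 0x01 to register 0x00 of DEVICE_ADDR = 0x15 without saying 0x15 is a placeholder; since the only verification step shown is i2cdetect, a blind write to an unknown device can change its state, so show a read first, or state that the address and register must come from the part's datasheet. Minor: "two wire" -> "two wires", "There are used by the Pi" -> "These are used by the Pi", "1.8 kohms" -> "1.8 kΩ".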
@@ -0,0 +1,70 @@ + 1)(2 + 3)(4 + 5)(6 +TDI (Alt5) 7)(8 + 9)(10 + 11)(12 +TMS (Alt4) 13)(14 +TRST (Alt4) 15)(16 RTCK (Alt4) + 17)(18 TDO (Alt4) + 19)(20 + 21)(22 TCK (Alt4) + 23)(24 + 25)(26 + 27)(28 +TDO (Alt5) 29)(30 +RTCK (Alt5) 31)(32 TMS (Alt5) +TCK (Alt5) 33)(34 + 35)(36 +TDI (Alt4) 37)(38 + 39)(40 + +JTAG is generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset. + +JTAG/SWD are standards which allow developers to debug any microcontroller or microprocessor. From an attacker perspective having access to the debug means game over for the device. An attacker can dump the internal memory or do changes in the memory dynamically. Let’s talk about accessing both JTAG and SWD using just a Raspberry pi. We use an opensource tool called as openOCD which talks to the debugger. + +Connection: + JTAG: + TCK – 23 + TMS – 22 + TDI – 19 + TDO – 21 + SRST – 12 + GND – 20 + SWD: + SWDIO – 18 + SWCLK – 22 + SRST – 12 + GND – 14 + +To Install openOCD: +git clone git://git.code.sf.net/p/openocd/code openocd +cd openocd/ +./bootstrap +./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio +make & sudo make install + +It will take some bit of time, so be patient. + +JTAG: +The Configuration file for JTAG comes with the openOCD package itself. just running this with target cfg will connect to it’s JTAG +openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg +Now you can connect to gdb and debug the device.SWD: +openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg +raspberrypi_swd.cfg is located in the git you downloaded earlier. +Now you can connect to gdb and debug the device. 
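Review bot: two lines of the openOCD build are broken as written: "./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio" uses en-dashes where configure needs "--", and "make & sudo make install" backgrounds make with a single "&" so the install starts before the build finishes; it should be "make && sudo make install". The "Connection:" list (TCK – 23, TMS – 22, TDI – 19, TDO – 21, SRST – 12, GND – 20) does not match the Alt4/Alt5 pinout drawn above it (for example TCK Alt4 is drawn on pin 22 and TMS Alt4 on pin 13), because the configure flags enable GPIO bit-bang drivers and the interface cfg assigns its own pins; say that the list follows interface/raspberrypi-native.cfg (and raspberrypi_swd.cfg for SWD) rather than the hardware alt functions, and that its numbers are header pins. Also "(options) TRST" -> "(optional) TRST", "JTAG is generally refers" -> "JTAG generally refers", "it's JTAG" -> "its JTAG", and "debug the device.SWD:" has lost the line break before "SWD:".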
diff --git a/uart.txt b/uart.txt new file mode 100644 index 0000000..67336c0 --- /dev/null +++ b/uart.txt
@@ -0,0 +1,44 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 TX + 9)(10 RX + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +UART pins in BCM mode are: 14, 15 +UART pins in WiringPi are: 15, 16 + +UART is an asynchronous serial communication protocol, meaning that it takes bytes of data and transmits the individual bits in a sequential fashion. + +Asynchronous transmission allows data to be transmitted without the sender having to send a clock signal to the receiver. Instead, the sender and receiver agree on timing parameters in advance and special bits called 'start bits' are added to each word and used to synchronize the sending and receiving units. + +UART is commonly used on the Pi as a convenient way to control it over the GPIO, or access the kernel boot messages from the serial console (enabled by default). + +It can also be used as a way to interface an Arduino, bootloaded ATmega, ESP8266, etc with your Pi. Be careful with logic-levels between the devices though, for example the Pi is 3.3v and the Arduino is 5v. Connect the two and you might conjure up some magic blue smoke. + +Assuming you have WiringPi-Python installed, the following python example opens the Pi's UART at 9600baud and puts 'hello world' + +import wiringpi +wiringpi.wiringPiSetup() +serial = wiringpi.serialOpen('/dev/ttyAMA0',9600) +wiringpi.serialPuts(serial,'hello world!') + +- tutorial - +1) find baudrate (baudrate.py - https://github.com/devttys0/baudrate/blob/master/baudrate.py) +2) screen [device] [baud] + e.g. $> screen /dev/ttyAMA0 9600 + exit with CTRL+a then CTRL+k \ No newline at end of file diff --git a/1-wire.txt b/1-wire.txt new file mode 100644 index 0000000..0e2cc1f --- /dev/null +++ b/1-wire.txt 
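Review bot: the example opens /dev/ttyAMA0 right after the text says the kernel serial console is "enabled by default" on the same UART; say that the console must be disabled first (the change already points readers at raspi-config for enabling interfaces), otherwise the console and the script share one device. The README scopes the repo to the Pi Zero / Pi Zero W; confirm that /dev/ttyAMA0 is the device on header pins 8/10 for both boards rather than hardcoding it, or use the /dev/serial0 alias. "puts 'hello world'" -> "writes 'hello world'", and the tutorial's "2) screen [device] [baud]" should say the baud must match what step 1 found.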
+ +The easiest way to control the GPIO pins is using the RPi.GPIO Python library. + +- Pinout command - + +A handy reference can be accessed on the Raspberry Pi by opening a Terminal window and running the command: "pinout". This tool is provided by the GPIO Zero Python library, which it is installed by default on the Raspbian desktop image, but not on Raspbian Lite. \ No newline at end of file diff --git a/i2c.txt b/i2c.txt new file mode 100644 index 0000000..ff5deca --- /dev/null +++ b/i2c.txt 
@@ -0,0 +1,67 @@ + 1)(2 + Data 3)(4 + Clock 5)(6 + 7)(8 + 9)(10 + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 +EEPROM Data 27)(28 EEPROM Clock + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +I2C pins in BCM mode are: 2, 3 +I2C pins in WiringPi are: 8, 9 + +- I2C - Inter Integrated Circuit - + +The Raspberry Pi's I2C pins are an extremely useful way to talk to many different types of external peripheral; from the MCP23017 digital IO expander, to a connected ATmega. + +The I2C pins include a fixed 1.8 kohms pull-up resistor to 3.3v. This means they are not suitable for use as general purpose IO where a pull-up is not required. + +You can verify the address of connected I2C peripherals with a simple one-liner: + +sudo apt-get install i2c-tools +sudo i2cdetect -y 1 +You can then access I2C from Python using the smbus library: + +import smbus +DEVICE_BUS = 1 +DEVICE_ADDR = 0x15 +bus = smbus.SMBus(DEVICE_BUS) +bus.write_byte_data(DEVICE_ADDR, 0x00, 0x01) + +Pins 27 and 28 (ID_SD (EEPROM SDA2) and ID_SC (EEPROM SCL2)) are also I2C. There are used by the Pi for internal functions, and also some HAT boards. + +- RevEng communication - + +This communication is similar to the SPI, but it uses only two wire for communication – SDA/SCL. Each device is accessed by using their internal i2c address. Here we will use an I2C EEPROM as an example and see how we can read and write to the memory. i2ctools comes as a part of the Linux package, so no need to install anything. + +To find the address of your i2c slave device. + +i2cdetect -y 1 + +Now use a tool called as eeprog to read and write to the EEPROM. 
+ +wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz +tar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/ +cd eeprog-0.7.6-tear12/ +make +sudo make install + +To write data to it: +echo “hello” | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50 +-w is the offset +-t is write delay + +To read data from it +./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10 \ No newline at end of file diff --git a/jtag.txt b/jtag.txt new file mode 100644 index 0000000..94a7435 --- /dev/null +++ b/jtag.txt 
@@ -0,0 +1,70 @@ + 1)(2 + 3)(4 + 5)(6 +TDI (Alt5) 7)(8 + 9)(10 + 11)(12 +TMS (Alt4) 13)(14 +TRST (Alt4) 15)(16 RTCK (Alt4) + 17)(18 TDO (Alt4) + 19)(20 + 21)(22 TCK (Alt4) + 23)(24 + 25)(26 + 27)(28 +TDO (Alt5) 29)(30 +RTCK (Alt5) 31)(32 TMS (Alt5) +TCK (Alt5) 33)(34 + 35)(36 +TDI (Alt4) 37)(38 + 39)(40 + +JTAG is generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset. + +JTAG/SWD are standards which allow developers to debug any microcontroller or microprocessor. From an attacker perspective having access to the debug means game over for the device. An attacker can dump the internal memory or do changes in the memory dynamically. Let’s talk about accessing both JTAG and SWD using just a Raspberry pi. We use an opensource tool called as openOCD which talks to the debugger. + +Connection: + JTAG: + TCK – 23 + TMS – 22 + TDI – 19 + TDO – 21 + SRST – 12 + GND – 20 + SWD: + SWDIO – 18 + SWCLK – 22 + SRST – 12 + GND – 14 + +To Install openOCD: +git clone git://git.code.sf.net/p/openocd/code openocd +cd openocd/ +./bootstrap +./configure –enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio +make & sudo make install + +It will take some bit of time, so be patient. + +JTAG: +The Configuration file for JTAG comes with the openOCD package itself. just running this with target cfg will connect to it’s JTAG +openocd -f interface/raspberrypi-native.cfg -f target/stm32f4x.cfg +Now you can connect to gdb and debug the device.SWD: +openocd -f raspberrypi_swd.cfg -f target/stm32f4x.cfg +raspberrypi_swd.cfg is located in the git you downloaded earlier. +Now you can connect to gdb and debug the device. 
+ +########################################################### + +JTAGenum +In a typical device, it is rare to find the JTAG interface and where the pins are located. So we use a tool called as JTAGenum which scan for all the pins the devices and tell you which pins is TMS-TCK-TDI-TDO. This is very helpfull if you don’t have proper documentation of the target device. + +Installation: +git clone https://github.com/cyphunk/JTAGenum +cd JTAGenum +source JTAGenum.sh +scan + +Pins to be used are 3 – 5 – 7 – 11 – 13 – 15 and common ground. + +This will take a bit of time as the GPIO is quite slow. \ No newline at end of file diff --git a/logic_analyser.txt b/logic_analyser.txt new file mode 100644 index 0000000..68c70a0 --- /dev/null +++ b/logic_analyser.txt 
@@ -0,0 +1,23 @@ + - Logic Analyzer - PulseView - + +The serial connection is available on the PC (running Linux) as /dev/ttyUSB0. The sniffer is started using sigrok-cli, and the resulting sigrok session data is opened with PulseView. + +Command given on PC: + +sigrok-cli --driver=ols:conn=/dev/ttyUSB0 --config samplerate=3000000 --samples 100000 --probes 1=CLK,2=DIN,3=DC,4=nCS,5=nRST --triggers nCS=1 -o test.sr +--driver: The sniffer identifies itself as a Open Bench Logic Sniffer (OLS) on port /dev/ttyUSB0 +--config samplerate: using the maximum of 3M samples/s +--samples: 100000 samples (taking ~33ms at 3 MHz) +--probes: probe 1-5 are used, the labels are optional +--triggers: the sampling starts after probe 4 (nCS, inverted chip select) turns high +-o test.sr: the session is saved to a file that can be read by PulseView +The probes relate to the GPIO ports of the PI as: +SUMP probe 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 +Rev 1 GPIO 7 8 11 9 25 10 24 23 22 21 18 17 17 17 17 17 +Rev 2 GPIO 7 8 11 9 25 10 24 23 22 27 18 17 28 29 30 31 +This gives 12 probes on the rev1 board, 16 probes on rev 2 (if using the P5 header). +The I2C and GPIO clock pins are reserved for future use. + +possibly better logic analyzer for the pi: +https://github.com/richardghirst/Panalyzer +"The basic idea is that it disables interrupts for a period, while sampling the GPIO pins once a microsecond. It then re-enables interupts and displays traces showing what the relevant GPIO pins were doing." \ No newline at end of file diff --git a/pcm.txt b/pcm.txt new file mode 100644 index 0000000..202fdff --- /dev/null +++ b/pcm.txt 
@@ -0,0 +1,24 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 + 11)(12 CLK + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 +FS 35)(36 + 37)(38 DIN + 39)(40 DOUT + +- PCM - Pulse-code Modulation - + +PCM (Pulse-code Modulation) is a digital representation of sampled analog. On the Raspberry Pi it's a form of digital audio output which can be understood by a DAC for high quality sound. \ No newline at end of file diff --git a/pinout.jpg b/pinout.jpg new file mode 100644 index 0000000..a077f69 --- /dev/null +++ b/pinout.jpg Binary files differ diff --git a/pinout2.png b/pinout2.png new file mode 100644 index 0000000..f657d35 --- /dev/null +++ b/pinout2.png Binary files differ diff --git a/power.txt b/power.txt new file mode 100644 index 0000000..16834ac --- /dev/null +++ b/power.txt 
@@ -0,0 +1,44 @@ +3.3v 1)(2 5v + 3)(4 5v + 5)(6 GND + 7)(8 +GND 9)(10 + 11)(12 + 13)(14 GND + 15)(16 +3.3v 17)(18 + 19)(20 GND + 21)(22 + 23)(24 +GND 25)(26 + 27)(28 + 29)(30 GND + 31)(32 + 33)(34 GND + 35)(36 + 37)(38 +GND 39)(40 + +- Voltages - + +The Raspberry Pi can provide both 5V (pins 2 and 4) and 3.3V (pins 1 and 17) power. It also provides the Ground pins (Ground or GND) for circuits on pins 6, 9, 14, 20, 25, 30, 34, and 39. These pins are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply. + +3.3V pins - Anything connected to these pins will always get 3.3V of power + +5V pins - Anything connected to these pins will always get 5V of power + +Ground (GND) - 0V, used to complete a circuit + +There is no single answer to how much current the 5V power pins can draw as it is reliant on what power supply you are using, and what other components you have attached to your Pi. + +The Raspberry Pi 3 will only draw 2.5A from its power supply, and requires around 750mA for boot up and normal headless operation. This means that if you are using a 2.5A power supply, the 5V pins can supply a total current of around 1.7A maximum. + +The 3.3V supply pin on the early Raspberry Pi had a maximum available current of about 50 mA. Enough to power a couple of LEDs or a microprocessor, but not much more. All Raspberry Pi since the Model B+ can provide quite a bit more, up to 500mA to remain on the safe side, thanks to a switching regulator. Still, you should generally use the 5V supply, coupled with a 3.3V regulator for 3.3V projects. + +- Ground - + +The Ground pins on the Raspberry Pi are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply. + +Generally the one that's most convenient or closest to the rest of your connections is tidier and easier, or alternatively the one closest to the supply pin that you use. 
+ +For example, it's a good idea to use Physical Pin 17 for 3v3 and Physical Pin 25 for ground when using the SPI connections, as these are right next to the important pins for SPI0. \ No newline at end of file diff --git a/sdio.txt b/sdio.txt new file mode 100644 index 0000000..5dba9af --- /dev/null +++ b/sdio.txt @@ -0,0 +1,26 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 + 11)(12 +DAT3 13)(14 +CLK 15)(16 CMD + 17)(18 DAT0 + 19)(20 + 21)(22 DAT1 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 +DAT2 37)(38 + 39)(40 + +SDIO is the SD host/eMMC interface on the Raspberry Pi. SD host signals are normally used for the microSD slot. +These pins are "SD host" on Alt0 and "eMMC" on Alt3 + +have yet to actually get this to work, there are conflicting pinouts on: +https://ralimtek.com/raspberry%20pi/electronics/software/raspberry_pi_secondary_sd_card/ \ No newline at end of file diff --git a/software.txt b/software.txt new file mode 100644 index 0000000..02dd54e --- /dev/null +++ b/software.txt 
@@ -0,0 +1,14 @@ +openocd - on-chip debugging, in-system programming and boundary-scan testing tool +binwalk - Binwalk is a tool for searching a given binary image for embedded files and executable code. +screen - virtual terminal - useful for dealing with serial/uart +minicom - It is used to talk to external RS-232 devices such as mobile phones, routers, and serial console ports. +https://github.com/cyphunk/JTAGenum - enumerate jtag pins +WiringPi-Python python library - An implementation of most of the Arduino Wiring functions for the Raspberry Pi. +i2ctools - a bus probing tool, a chip dumper, register-level SMBus access helpers, EEPROM decoding scripts, EEPROM programming tools, and a python module for SMBus access. +flashrom - read & write external flash memory of the target device which uses SPI communication interface. + +http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz - eeprog to read and write to the EEPROM + + +sigrok-cli & Pulseview - logic analyzer software +https://github.com/richardghirst/Panalyzer - logic analyzer \ No newline at end of file diff --git a/spi.txt b/spi.txt new file mode 100644 index 0000000..0376ec9 --- /dev/null +++ b/spi.txt 
@@ -0,0 +1,65 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 + 9)(10 +SPI1 CE1 11)(12 SPI1 CE0 + 13)(14 + 15)(16 + 17)(18 +SPI0 MOSI 19)(20 +SPI0 MISO 21)(22 +SPI0 SCLK 23)(24 SPI0 CE0 + 25)(26 SPI0 CE1 + 27)(28 + 29)(30 + 31)(32 + 33)(34 +SPI1 MISO 35)(36 SPI1 CE2 + 37)(38 SPI1 MOSI + 39)(40 SPI1 SCLK + +SPI0 pins in BCM mode are: 9 (MISO), 10 (MOSI), 11 (SCLK) + 7 (CE1) /8 (CE0) +SPI0 pins in WiringPi are: 12, 13, 14 + 10/11 +SPI1 pins in BCM mode are: 20 (MOSI), 19 (MISO), 21 (SCLK) + 17 (CE1) / 18 (CE0) , 16 (CE2) +SPI1 pins in WiringPi are: 28, 24, 29 + 0/1, 27 + +- SPI - Serial Peripheral Interface - + +Known as the four-wire serial bus, SPI lets you attach multiple compatible devices to a single set of pins by assigning them different chip-select pins. + +A useful example of an SPI peripheral is the MCP23S17 digital IO expander chip ( Note the S in place of the 0 found on the I2C version ). You can also use the SPI port to "Bit-Bang" an ATmega 328, loading Arduino sketches onto it with Gordon Hendersons' modified version of AVRDude. + +To talk to an SPI device, you assert its corresponding chip-select pin. By default the Pi has CE0 and CE1. + +import spidev +spi = spidev.SpiDev() +spi.open(0, CHIP_SELECT_0_OR_1) +spi.max_speed_hz = 1000000 +spi.xfer([value_8bit]) + +The SPI protocol is not enabled as standard on Raspbian, but it can be enabled with the raspi-config tool, along with I2C. + +- Dump flash memory - + +Most common test case in hardware testing is to extract the external flash memory of the target device which uses SPI communication interface. Most commonly used tool is flashrom which supports a wide variety of flash memory support. We are going to utilize the bcm2385 SPI interface /dev/spidev0.0 for reading and writing to it. 
+ +Installation: +sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev subversion libusb-1.0-0-dev +svn co svn://flashrom.org/flashrom/trunk flashrom +cd flashrom +make + +Connection: +CS – 24 +MISO – 21 +MOSI – 19 +CLK – 23 +3.3v – 17 + +To read data from the flash memory +flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r spi_dump.bin + +Don’t forget the spispeed=512. + +Now you can use binwalk or fmk in the extracted firmware. \ No newline at end of file diff --git a/uart.txt b/uart.txt new file mode 100644 index 0000000..67336c0 --- /dev/null +++ b/uart.txt 
@@ -0,0 +1,44 @@ + 1)(2 + 3)(4 + 5)(6 + 7)(8 TX + 9)(10 RX + 11)(12 + 13)(14 + 15)(16 + 17)(18 + 19)(20 + 21)(22 + 23)(24 + 25)(26 + 27)(28 + 29)(30 + 31)(32 + 33)(34 + 35)(36 + 37)(38 + 39)(40 + +UART pins in BCM mode are: 14, 15 +UART pins in WiringPi are: 15, 16 + +UART is an asynchronous serial communication protocol, meaning that it takes bytes of data and transmits the individual bits in a sequential fashion. + +Asynchronous transmission allows data to be transmitted without the sender having to send a clock signal to the receiver. Instead, the sender and receiver agree on timing parameters in advance and special bits called 'start bits' are added to each word and used to synchronize the sending and receiving units. + +UART is commonly used on the Pi as a convenient way to control it over the GPIO, or access the kernel boot messages from the serial console (enabled by default). + +It can also be used as a way to interface an Arduino, bootloaded ATmega, ESP8266, etc with your Pi. Be careful with logic-levels between the devices though, for example the Pi is 3.3v and the Arduino is 5v. Connect the two and you might conjure up some magic blue smoke. + +Assuming you have WiringPi-Python installed, the following python example opens the Pi's UART at 9600baud and puts 'hello world' + +import wiringpi +wiringpi.wiringPiSetup() +serial = wiringpi.serialOpen('/dev/ttyAMA0',9600) +wiringpi.serialPuts(serial,'hello world!') + +- tutorial - +1) find baudrate (baudrate.py - https://github.com/devttys0/baudrate/blob/master/baudrate.py) +2) screen [device] [baud] + e.g. $> screen /dev/ttyAMA0 9600 + exit with CTRL+a then CTRL+k \ No newline at end of file diff --git a/wiringpi.txt b/wiringpi.txt new file mode 100644 index 0000000..44c7b6b --- /dev/null +++ b/wiringpi.txt 
@@ -0,0 +1,34 @@ + 1)(2 +WPi 8 3)(4 +WPi 9 5)(6 +WPi 7 7)(8 WPi 15 + 9)(10 WPi 16 +WPi 0 11)(12 WPi 1 +WPi 2 13)(14 +WPi 3 15)(16 WPi 4 + 17)(18 WPi +WPi 12 19)(20 +WPi 13 21)(22 WPi 6 +WPi 14 23)(24 WPi 10 + 25)(26 WPi 11 +WPi 30 27)(28 WPi 31 +WPi 21 29)(30 +WPi 22 31)(32 WPi 26 +WPi 23 33)(34 +WPi 24 35)(36 WPi 27 +WPi 25 37)(38 WPi 28 + 39)(40 WPi 29 + +- WiringPi - +WiringPi is an attempt to bring Arduino-wiring-like simplicity to the Raspberry Pi. + +The goal is to have a single common platform and set of functions for accessing the Raspberry Pi GPIO across multiple languages. WiringPi is a C library at heart, but it's available to both Ruby and Python users who can "gem install wiringpi" or "pip install WiringPi" respectively. + +Python users note the 2 on the end, the WiringPi-Python library finally brings a whole host of existing WiringPi functionality to Python including brand new features from WiringPi 2. + +WiringPi uses its own pin numbering scheme, here you'll learn how WiringPi numbers your GPIO pins, what those pins do and how to do shiny things with them from within Python or Ruby. + +Installing to Python couldn't be easier, just: + +sudo pip install WiringPi +For more information about WiringPi you should visit the official WiringPi website. \ No newline at end of file
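Review bot: in the 1-wire.txt hunk the config file path "/boot/config" is truncated; the firmware reads /boot/config.txt, so the line should read "add the following line to /boot/config.txt". The three dtoverlay lines pass "pullup=0" without explanation while the n.b. at the end says an external 4.7 kΩ pull-up is required; one sentence tying the parameter to the resistor requirement would keep readers from assuming the overlay supplies the pull-up itself. The phrase "pinout herein" refers to the grid at the top of the file, so say "the grid above" instead.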
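Review bot: the new README line "for use as quick and dirty emergency hardware hacking lab" is missing an article ("as a quick and dirty ..."), and the file still ends without a trailing newline (the diff shows "\ No newline at end of file" on both the removed and the added line). Most of the new text files in this change have the same missing final newline, so one pass adding them would keep later diffs clean.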
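Review bot: in URLs.txt, "URL's" should be "URLs", and the last two entries (superzerg/logic-analyzer and the sigrok PulseView wiki page) lack the blank separator line used between every other entry. A short "name - purpose" description after each link, in the style software.txt already uses, would make the list usable without opening every page.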
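Review bot: in dpi.txt, "Raspbery Pi" is misspelled. More importantly, the grid assigns CLK and DEN to header pins 27 and 28, which i2c.txt in this same change describes as ID_SD/ID_SC, used by the Pi for internal functions and by HAT boards; the DPI text should state that the full RGB24 pinout claims those two pins and therefore cannot coexist with HAT EEPROM use. The "see url below" sentence would read better with the link on the same line as the sentence that introduces it.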
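Review bot: gpclk.txt lacks the "- NAME - Description -" heading line that gpio.txt, i2c.txt, spi.txt and the other interface files carry under their grid; add "- GPCLK - General Purpose Clock -" for consistency. The grid puts GPCLK0 on header pin 7, the same pin 1-wire.txt marks as the default 1-Wire DATA line (BCM4), so a remark that the two cannot both be enabled on the default pin belongs here. The clock-source table lists testdebug0, testdebug1, PLLA and sources 8-15 at 0 Hz as if they were selectable; a note that a 0 Hz entry yields no usable output would save readers a dead end. "Note, that the BCM2835 ..." should drop the comma.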
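Review bot: in gpio.txt the sentence "It is worth noting however, that certain peripherals rely on GPIO/BCM numbering (RPi.GPIO and GPIO Zero)" contradicts the numbered list just above it, which shows RPi.GPIO accepting either GPIO.setmode(GPIO.BCM) or GPIO.setmode(GPIO.BOARD); since RPi.GPIO supports both schemes as the list demonstrates, drop it from the parenthesis or reword the sentence to refer only to libraries that are BCM-only. Smaller fixes in the same hunk: "Other GPIO pins are capable of a 3.3V output" has no antecedent for "Other" now that the power pins live in power.txt; "recieve" should be "receive"; "select a one which makes most sense" should be "select the one which makes most sense"; "which it is installed by default" should be "which is installed by default".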
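Review bot: the eeprog steps in i2c.txt cannot be run as written: the archive fetched is eeprog-0.7.6-tear5.tar.gz, but the tar and cd lines reference an eeprog-0.7.6-tear12/ directory, so pick the directory name the archive actually contains. The RevEng section states "i2ctools comes as a part of the Linux package, so no need to install anything" while the section above it runs "sudo apt-get install i2c-tools"; keep one statement. Because the tarball is fetched over plain http and then built and installed with "sudo make install", record the expected checksum of the archive beside the wget line so a tampered download is caught before it is installed as root. The write example uses smart quotes in "echo “hello”", which the shell passes through literally, so the quote characters end up in the EEPROM too; use straight quotes. Minor wording: "two wire" should be "two wires", "There are used by the Pi" should be "These are used by the Pi", and the "simple one-liner" is two commands.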
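Review bot: in jtag.txt the build line "make & sudo make install" uses a single ampersand, which backgrounds make and starts "sudo make install" before the build has finished; it must be "make && sudo make install". The configure line has the same copy-paste damage: "–enable-maintainer-mode –enable-bcm2835gpio –enable-sysfsgpio" uses en-dashes where configure expects "--enable-...", so the flags are rejected as written. The file also mixes two different roles without saying so: the grid at the top lists the Pi's own ARM JTAG signals (TDI/TMS/TCK/TDO/TRST/RTCK on Alt4/Alt5, the Pi as a debug target), while the Connection section lists header pins 19/21/22/23 used with interface/raspberrypi-native.cfg, where the Pi bit-bangs those GPIOs to debug another chip (the Pi as the adapter); one sentence distinguishing the two stops a reader from wiring a target to the Alt4/Alt5 pins. The git clone uses the unauthenticated git:// transport; the https form of the same repository URL gives integrity on download. Grammar: "JTAG is generally refers to" should be "JTAG generally refers to", "(options) TRST" should be "(optional) TRST", and "debug the device.SWD:" needs a line break before "SWD:".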
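Review bot: logic_analyser.txt never says which software makes the Pi appear as an Open Bench Logic Sniffer on the PC's /dev/ttyUSB0; the SUMP-probe-to-GPIO table and the sigrok-cli invocation match the superzerg/logic-analyzer project listed in URLs.txt, so link it here and state that the Pi runs the sniffer while sigrok-cli runs on the PC. The probe table lists Rev 2 GPIO 28-31 (P5 header) for probes 12-15, but gpio.txt in this change shows the 40-pin header exposing BCM 0-27 only, so on the Pi Zero this repository targets at most 12 probes are reachable; say so. The "17 17 17 17 17" run in the Rev 1 row looks like placeholder values and should be checked against the source.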
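Review bot: in pcm.txt, "digital representation of sampled analog" is missing its noun ("sampled analog signals"). The grid puts CLK on header pin 12 and FS on pin 35, which gpio.txt identifies as BCM 18 and BCM 19, two of the four hardware PWM pins listed there; a note that enabling PCM takes those PWM channels would help readers choosing between the two functions.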
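Review bot: power.txt repeats the sentence "These pins are all electrically connected, so it doesn't matter which one you use if you're wiring up a voltage supply" in both the Voltages and Ground sections; keep it once. The current budget paragraph is written for the Raspberry Pi 3 (2.5A supply, around 750mA headless), but the README scopes this repository to the Pi Zero / Pi Zero W, so either label those figures as Pi 3 values or replace them with the Zero's. The grid writes "5v"/"3.3v" while the text writes "5V"/"3.3V"; pick one.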
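Review bot: sdio.txt admits the pinout is unverified ("have yet to actually get this to work, there are conflicting pinouts") yet the grid presents DAT0-3/CLK/CMD as definitive; put an "untested" marker at the top of the file next to the grid and name which of the conflicting sources the grid follows, so the next person does not trust it blindly. The sentence "These pins are "SD host" on Alt0 and "eMMC" on Alt3" should say which alt function the grid shows.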
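Review bot: software.txt lists "i2ctools" while i2c.txt installs the package as "i2c-tools"; use the package name so the entry can be pasted into apt. The eeprog entry is a bare unversioned tarball over plain http with no checksum; add the expected hash or a link to the upstream source so the download in i2c.txt can be verified before "sudo make install". The capitalisation "Pulseview" disagrees with "PulseView" used in the logic_analyser.txt heading and in URLs.txt.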
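Review bot: the Connection list in spi.txt (CS – 24, MISO – 21, MOSI – 19, CLK – 23, 3.3v – 17) has no GND entry, unlike the JTAG and SWD lists in jtag.txt; without a shared ground the flashrom read returns garbage, so add a ground line, for which power.txt recommends physical pin 25 next to the SPI0 pins. "bcm2385 SPI interface" should read BCM2835 as in gpclk.txt. "fmk" in the last line is neither expanded nor listed in software.txt; spell it out or add it there. The flashrom checkout is an unpinned "svn co" of trunk; record the revision so the build described is reproducible. The spidev snippet's "CHIP_SELECT_0_OR_1" placeholder should be stated as such in the surrounding text.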
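Review bot: the WiringPi example in uart.txt opens /dev/ttyAMA0, but the same file says the kernel serial console on these pins is enabled by default; while the console owns the port the script's serialPuts output is mixed with console and login traffic, so state that the console must be disabled first (raspi-config, already referenced in 1-wire.txt and spi.txt). On the Pi Zero W this repository targets, header pins 8/10 are by default served by the mini UART (/dev/ttyS0) with /dev/ttyAMA0 assigned to Bluetooth, so the device name in the example and in the screen line should say which board it applies to, or use the /dev/serial0 alias that points at the header UART on either board. Wording: "puts 'hello world'" should be "writes 'hello world'", and "9600baud" should be "9600 baud".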
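Review bot: in the wiringpi.txt grid, header pin 18 reads "WPi" with the number missing; it should be WPi 5 (gpio.txt puts BCM 24 on pin 18, which is WiringPi pin 5). The sentence "Python users note the 2 on the end" refers to a package name ending in 2 that appears nowhere in the file (the install line is "pip install WiringPi"), so either drop the sentence or name the package it means.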