Google Nest Mini Charcoal
Table of Content
However, The NAND Flash signals are going too fast for achieving this with a simple ICE40 FPGA. This may have been possible with a more advance component. Receive the NAND Flash data and compare it to the content of filename. To generate the needed SPI and GPIO signals, the FT2232H is used in MPSSE Mode. Detailed documentation about this mode can be downloaded from here. Next, the NandBug main board was plugged to a computer and the following command ran. Using these two modes required a special configuration to be burnt to the EEPROM of the FT2232H.
My goal will be to modify the NAND flash content until I can execute my own code. The Google Home Mini is protected by some kind of secure boot. Bootloader and Kernel are cryptographically verified. While extremely informative, the attack described by the presentation cannot be used against my own device anymore. Finally, it's important to note that the main CPU comes without public documentation. Very few details about this component are available online.
Hire Shop
Google Home and Google Home Mini are Wi-Fi enabled smart speakers powered by the Google Assistant. It can play music through Spotify, keep track of your diary, control compatible smart products, and more – all through simple voice commands. Google Home is a Wi-Fi-enabled smart speaker powered by the Google Assistant. Control compatible smart products from the video display or with voice commands. This sleek control centre is powered by the Google Assistant and can control media devices, lights, display photos and more. I picked up the nest mini earlier today from Bunnings .
Optionally, a NAND Flash can be directly soldered to the board. Hardware files are available here while the software can be downloaded from here. I made the schematics, Gerber files, and software of NandBug publicly available. The delicate BGA NAND Flash IC is soldered to this board.
Smart lighting
Once mounted, the cache reveals it's mostly used to store user data and configuration files. For instance, a wpa_supplicant.conf file storing WiFi credentials exists. In order to mount and eventually alter the content of these partitions, I choose to use the exact same YAFFS2 driver that can be found on Google's shared files. This step doesn't differ much from a "normal" BGA component soldering. The NAND Flash footprint is soaked with solder flux, the Interposer Board carefully aligned to it, and hot air is applied.
So I would say it's more useful to people with iphones than it is to people with android phones. That said, it's still useful for everyone as you may be in a room of your house and not have your phone on you. This is what they’re trying to encourage you to use them for - more online orders. I guess everyone's experience is going to be different though. Google Home has proven to be a nice and convenient method for turning electronic on and off around the house.
Google Home Mini Hardware Overview
Control it all with just a tap or two – and get to the good stuff faster. The Feed tab highlights important events in your home in one place. Here, you’ll also find ways to get more out of your devices and improve your home setup. But, as the second part of this article will demonstrate, it remains possible. Apart from attempting to run my own code of the Google Home, I guess this solution could also be used to keep track of all firmware updates performed by Google.
This bitstream will generate a FSM that's able to program pages. The pages addresses and data are received from the FT2232H using the Sync FIFO Mode. This bitstream will generate a FSM that's able to erase blocks. The addresses to erase are received from the FT2232H using the Sync FIFO Mode.
We have safe and secure options to help you Get It Home. Want a smarter home but not sure where to start?
Of course, using 2.54mm connectors may cause signal integrity issues when dealing with high speed signals. However, looking at the Flash datasheet, it appears the maximum speed was not that fast, and I chose to take the risk. Receiving and transmitting data to and from the NAND Flash. This is done using the Synchronous FIFO mode of the FT2232H. In this mode, the FPGA and the FT2232H communicates by using a parallel bus synchronized by a 60Mhz clock. This allow for a reasonably fast data throughput.
The articles highlight that Google has released the source code for the bootloader and Linux Kernel running on the Chromecast. This source code will be extremely useful in the second article of this series. Many eyes already had a look at the bootloader. It's reducing the likelihood I can still discover something to exploit in it to bypass the secure boot on a Google Home Mini. As you might expect, I'm not the only one who has been studying the Google Home devices. Here is a quick summary of what others have discovered at the time of writing of this article.
A light I turn on every night displays in the morning as it turned off when it is still on. Giving verbal commands to my Google home results in lots of glitches lately. Grouping lights in one room together so that they all go on or off at the same time is a nightmare that shouldn't happen, and required a lot of workarounds to make it stop. Too easy to accidentally turn a light off when trying to dim or charge colors. We know the bootloader and kernel partitions are part of the chain of trust. Unsurprisingly, because they are probably the most carefully written parts, I haven't been able to find any way to skip the secure boot from this side.
The entire content of the 256MB NAND can be dumped in less than a minute. The 60MHz clock is generated by the FT2232H and clock the entire FPGA. Desoldering and soldering it back is easier said than done, especially considering I'll likely have to do it multiple times.
The FPGA is directly clocked by the 60MHz signal generated by the FT2232H when it's used in this mode. This section gives some information concerning the software and gateware architecture behind NandBug. It's not absolutely necessary to read this section to understand the rest of the article. These evenly spaced and sized solder balls will help greatly when it comes to solder the Interposer to the Google Home PCB.
Comments
Post a Comment