I started playing around with the Arduino Uno Rev 3 a while back but never got around to documenting anything via a blog post (until now).
I read Steve Watson's slide series here on Arduino forensics, and decided to write up a blog on some of the stuff I was playing around with, too.
Most Arduino projects you find online seem to be more of a novelty and may not hold much forensic value overall, but there are some really neat projects and it is a rather easy process, so I thought it was worth writing down in case someone comes across the need in the future.
You never know when an Arduino-controlled drone will fall out of the sky and cause someone serious brain injury.
So here we have the Arduino Uno. I will be using this one for demo purposes. I purchased mine from Adafruit for $24.95 + Shipping. Go get yourself a few of them. If only to keep them on your shelf and not touch them like most people do... You know I am right.. :)
Sources of Evidence
By looking at the schematics and reading the technical specifications I came up with a list of possible sources of evidence. There may be more depending on how the Arduino is configured and what its purpose is.
- Arduino itself
  - Onboard Storage
    - Flash Memory 32 KB (ATmega328)
      - 0.5 KB used by bootloader
    - Static Random Access Memory (SRAM) 2 KB (ATmega328)
    - Electrically Erasable Programmable Read-Only Memory (EEPROM) 1 KB (ATmega328)
- Web Services (APIs)
  - Charting, Messaging, etc. services
  - Webserver hosting the services
- Router/Network Devices
- Internet communication via a breakout/shield board
- Myriad of Arduino shields, sensors, etc.
- Development System(s) (Writing Code)
You can read more about the Arduino memories here
Wiring up the Uno
To dump the Flash and EEPROM I used Newbie Hack's AVR User Programmer. I went this route because I had some issues with the Bus Pirate v4 and Shikra.
Sometimes it is just easier to throw money at the problem. In this case, $9.95.
Once this was installed I wired up the Arduino. The 10-pin pinout and the device I am using can be found/purchased here.
The official schematics are also worth referencing; they are what you need when tracing the ICSP pins back to the MCU, and for a "chip-off" acquisition.
The Arduino Uno Rev 3 SPI pinout can be found in Google Images quite easily as well. Here is an example if the above is too cryptic.
If you were to perform "chip-off" and analyze the chip on a breadboard, you would need the ATmega328P chip pinout as a reference, since the ICSP header is no longer there to guide you.
Now it's time to connect our USBasp programmer to the Arduino. In this example I used a stripped down board to make it easier to see in the picture.
In the image you can see our AVR programmer and the ICSP pins connected up to the Uno. It really is as simple as that. Just follow the pinout diagrams above and you should be fine.
Now that we are wired up and have a solid connection let's attempt to dump the data for analysis.
We will be using avrdude to dump flash memory and EEPROM.
Linux: sudo apt-get install avrdude
Mac: brew install avrdude
EEPROM, like flash, is non-volatile, so its contents survive power off/on cycles (SRAM, by contrast, is lost at power off).
Per the data sheet we know that the EEPROM size is 1KB.
avrdude -p m328p -P usb -c usbasp -U eeprom:r:eeprom.bin:r
And this is what it looks like when it's dumping the contents.
avrdude: AVR device initialized and ready to accept instructions

Reading | ####################### | 100% 0.00s

avrdude: Device signature = 0x1e950f (probably m328p)
avrdude: reading eeprom memory:

Reading | ####################### | 100% 0.40s

avrdude: writing output file "eeprom.bin"

avrdude: safemode: Fuses OK (E:FD, H:D6, L:FF)

avrdude done. Thank you.
So we successfully dumped the EEPROM as seen here.
-rw-r--r-- 1 root staff 1.0K Mar 11 19:03 eeprom.bin
There is also the Arduino EEPROM library, which a sketch can use to read data out of EEPROM; note that this route means uploading code to the board (writing its flash), so it is not a non-invasive acquisition the way the programmer dump above is.
Now to dump the flash contents.
avrdude -p m328p -P usb -c usbasp -U flash:r:flash.bin:r
And we can see here that we dumped the flash memory successfully. Flash is where the bootloader and the uploaded sketch live; think USB drive.
avrdude: AVR device initialized and ready to accept instructions

Reading | ############################ | 100% 0.00s

avrdude: Device signature = 0x1e950f (probably m328p)
avrdude: reading flash memory:

Reading | ############################# | 100% 6.11s

avrdude: writing output file "flash.bin"

avrdude: safemode: Fuses OK (E:FD, H:D6, L:FF)

avrdude done. Thank you.
At present I do not have a solution for dumping SRAM from Arduino. If you have a solution let me know and I can update this post so everyone can take advantage of it. This would be the most artifact-rich source of evidence.
I suspect this is more of a coding deficiency on my part, vs. it being difficult.
Analysis of the Data
Now it's time for analysis, which in this case isn't too difficult since we used a bare Arduino with nothing really running on it.
We can do a quick check with xxd to see whether there is anything in it. A 1 KB dump is only 64 lines of xxd output, and erased cells read back as 0xFF, so anything other than ff is data.
xxd eeprom.bin |head -1024
0000000: 69ff ffff ffff ffff ffff ffff ffff
0000010: ffff ffff ffff ffff ffff ffff ffff
0000020: ffff ffff ffff ffff ffff ffff ffff
0000030: ffff ffff ffff ffff ffff ffff ffff
Simply running strings against the flash contents produces some good information that could be relevant to a case.
MAC Address :
Unable to retrieve MAC Address!
DNSserv:
DHCPsrv:
Gateway:
Netmask:
IP Addr:
Unable to retrieve the IP Address!
Request DHCP
Connected!
Failed!
Check your wiring?
Initializing...
localhost
Free RAM:
alucard_almond24 <-- SSID of my WLAN
<redacted_wifi_password> <-- WLAN password
www.adafruit.com <-- GET request I made
localhost
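Plain strings tells you what is in the image but not where, and on a report you want the offset, whether the hit sits in the sketch or in the bootloader, and a hex view of the bytes around it. The Python below is an added example, not code from this post: a strings carver that records offsets and region, pulls the strings that follow a known marker (the way the SSID and password follow "Free RAM:" in the output above), and prints xxd-style context. The 512-byte boot section size comes from the high fuse 0xD6 avrdude reported; the flash image is constructed, with the SSID from the post and a made-up passphrase.

```python
"""Carve printable strings, with offsets and region, from a raw AVR flash dump (added example)."""
import re
from typing import List, Tuple

FLASH_SIZE = 32 * 1024
BOOT_SECTION_BYTES = 512   # BOOTSZ=11 from the high fuse 0xD6 reported by avrdude

Hit = Tuple[int, str, str]  # (offset, region, text)


def carve_strings(image: bytes, min_len: int = 6) -> List[Hit]:
    """Like `strings -t x`, but also labels each hit as application or bootloader."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    boot_start = len(image) - BOOT_SECTION_BYTES
    return [
        (m.start(),
         "bootloader" if m.start() >= boot_start else "application",
         m.group().decode("ascii"))
        for m in pat.finditer(image)
    ]


def hits_after(hits: List[Hit], marker: str, count: int) -> List[str]:
    """The `count` strings stored right after the first string starting with `marker`.
    Sketches often keep configuration (SSID, passphrase, hostnames) next to a known prompt."""
    for i, (_, _, text) in enumerate(hits):
        if text.startswith(marker):
            return [t for _, _, t in hits[i + 1:i + 1 + count]]
    return []


def hexdump(image: bytes, offset: int, length: int = 32) -> str:
    """xxd-style view of `length` bytes starting at `offset`, for the report."""
    lines = []
    for base in range(offset, min(offset + length, len(image)), 16):
        chunk = image[base:base + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base:07x}: {hexpart:<39} {asc}")
    return "\n".join(lines)


# Constructed flash image (not a real capture): NUL-terminated strings like a compiled
# sketch keeps them, placed in the application section, plus one marker in the boot section.
_APP_DATA = (b"Free RAM: \x00"
             b"alucard_almond24\x00"
             b"constructed-psk-not-real\x00"   # made-up passphrase
             b"www.adafruit.com\x00")
_img = bytearray(b"\xff" * FLASH_SIZE)
_img[0x0200:0x0200 + len(_APP_DATA)] = _APP_DATA
_img[FLASH_SIZE - 0x40:FLASH_SIZE - 0x40 + 12] = b"boot-marker\x00"
FLASH_IMAGE = bytes(_img)

if __name__ == "__main__":
    hits = carve_strings(FLASH_IMAGE)
    for off, region, text in hits:
        print(f"{off:#07x} {region:<11} {text}")
    print("after 'Free RAM:':", hits_after(hits, "Free RAM", 2))
    print(hexdump(FLASH_IMAGE, hits[0][0]))
```

For the real dump, load flash.bin in place of the constructed image; a string that lands in the bootloader region belongs to the board's firmware rather than to the owner's sketch, which matters when you are deciding what the device was actually programmed to do.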
That's really about it. Not too exciting. I'm sure it's more exciting for more complex projects.
All in all, that's about all of the information you get. Granted, I do not have any fancy code/configurations running on my Arduino, but this should be a good starting point for some deeper analysis.
For anyone running a drone or similar hardware setup and wants to donate their EEPROM/Flash dumps let me know. I will add the analysis to this post.