{"id":785,"date":"2022-03-03T10:26:54","date_gmt":"2022-03-03T09:26:54","guid":{"rendered":"https:\/\/security.humanativaspa.it\/?p=785"},"modified":"2025-09-09T09:39:50","modified_gmt":"2025-09-09T09:39:50","slug":"a-journey-into-iot-chip-identification-busside-and-i2c","status":"publish","type":"post","link":"https:\/\/hnsecurity.it\/it\/blog\/a-journey-into-iot-chip-identification-busside-and-i2c\/","title":{"rendered":"A journey into IoT \u2013 Chip identification, BUSSide, and I2C"},"content":{"rendered":"

Hi!<\/p>\n

Years ago ( \ud83d\ude41 ) I wrote an article<\/a> with the purpose of starting a series to introduce various IoT concepts<\/strong> to hackers and penetration testers that approach the topic for the first time. Unfortunately, that article was left alone for a long time, but now it’s time to continue that series of posts!<\/p>\n

While I’m waiting for the delivery of some random hardware from China, I will start with a couple of useful tools and tricks applied to an old USB card reader<\/strong>. Here it is:<\/p>\n

\"\"<\/p>\n

And this is how it looks without the external cover:<\/p>\n

\"\"<\/p>\n

When we are facing an unknown platform like this one, the first step should always be to identify all chips and components<\/strong> on the board.<\/p>\n

If we are lucky, our device has a wireless connection and it is sold in the United States, it should have an identifier named FCC ID<\/strong> printed somewhere on the product or on its box. With this ID we can download a lot of useful documentation that is publicly available<\/a>, mandatory for the legal sale in the US, including manuals, photos, and technical details. We will maybe see some examples when we analyze a wireless device, but this is not the case.<\/p>\n

Without technical documentation, we are on our own. Usually, most chips have an identifier printed on them, but this information is very hard to read. A useful tool is a digital microscope<\/strong>, that can be bought from a Chinese supplier for about 10-20 euros, and that can be connected to a laptop or a smartphone. With this device, we can easily take a picture of all the chips on the board and try to identify every component.<\/p>\n

As an example, let’s have a closer look at the chip in the top-left side of the board:<\/p>\n

\"\"<\/p>\n

With the digital microscope, we can read the identifier printed on the chip:<\/p>\n

\"\"<\/p>\n

By searching the identifier with our favorite search engine, we can easily find its datasheet<\/strong>, that shows that it is a Serial EEPROM<\/strong> memory with 2K of storage<\/strong> that communicates using the I2C protocol (Two-wire)<\/strong>. The same document gives us the details of the chip connection pins<\/strong>.<\/p>\n

\"\"<\/p>\n

We found an EEPROM memory. We can try to read its content using the I2C protoco<\/strong>l. I2C is a serial communication protocol that allows to connect on the same bus a large number of devices, each reachable from a specific address. It was invented in 1982 by Philips Semiconductors (now NXP). It requires only two PINs, one for data and one for the clock, necessary for synchronization.<\/p>\n

Every chip usually has a mark near the first PIN, necessary to identify the side of the chip. If you look at the above picture, you can see this mark in the bottom-left side of the chip. Using this mark and the datasheet, we can easily identify all the PINs and we can confirm the correctness of our analysis with the help of a multimeter <\/strong>in continuity mode. <\/strong>To verify the position of the Ground PIN (GND) it is sufficient to connect one probe of the multimeter to one of the metal components (usually connected with GND) and the other first to the bottom-left PIN of the chip and then to the top-right (see the previous article linked at the beginning of this post for more details).<\/p>\n

So, we now know the position of all the PINs we need to communicate with the EEPROM using the I2C protocol:<\/p>\n

\"\"<\/p>\n

To read (and maybe write) the content of the EEPROM we can use many different tools. One of the most used is the old but trusted Bus Pirate<\/a>.<\/p>\n

But let’s pretend for a moment that we have no idea of the location of the I2C PINs. A few years ago, Silvio Cesare<\/a> publicly released a great tool named BUSSide Badge<\/a> (sources on GitHub<\/a>). The badge is composed by a NodeMCU v2<\/strong> module (a couple of euros from Chinese suppliers) and a printed PLC (hard to find but not necessary to use the tool). This ultra-cheap badge has many functionalities, including:<\/p>\n