Table of Content
- Can I create a Google QR code for Google search results pages?
- Unpacking the Firmware Image
- Google Home Mini has arrived—here’s what you can do with it
- Google QR Code: QR Code Generator for Google
- Removing the NAND Flash from the Google Home PCB
- Be sure to pick the location that matches your shipping address.
Please note the Kernel version, sources, initramfs and init.rc file will be useful in the second part of this series of article. Here, the Linux Kernel command line contains the mtdparts configuration variable. This leaks both the names and sizes of all flash partitions. It was now time to actually have a look at the content of the NAND Flash dump. It appears that for each page, the OOB section is filled with a 90 bytes chunk of data.
As I explained before, NAND Flash memories are unreliable and the probability some bits are flipped is high. One of the very early design goal of NandBug was to be able to monitor the data read and written by the Google Home to the NAND Flash in real time. It could maybe have been useful to find interesting TOCTOU bugs in the secure boot implementation. Everything is next melted together with the hot air station. A better video of a similar process applied to a real BGA component can for instance be found here.
Can I create a Google QR code for Google search results pages?
This action is performed on the client side by Blockly. To start the app after installing, open a new tab in Chrome; In the new tab pane you will see an new Icon. We guide our loyal readers to some of the best products, latest trends, and most engaging stories with non-stop coverage, available across all major news platforms. The deal is too good to pass up if you’re an eBay regular, as you’re practically scoring a free Home Mini to add to your home. If you were looking to buy more Minis for other rooms, then this deal is perfect, as you get to save $49, which is the speaker’s usual retail price. This website is using a security service to protect itself from online attacks.
What's left is to research vulnerabilities on the WiFi/BLE module of the device or to modify the firmware stored in the NAND Flash of the device. It's reducing the likelihood I can still discover something to exploit in it to bypass the secure boot on a Google Home Mini. The hardware and software of the Google Home Mini is very close to what is embedded into Google Chromecast devices. Hence, it's interesting to have a look at what have been discovered against this product. As you might expect, I'm not the only one who has been studying the Google Home devices. Here is a quick summary of what others have discovered at the time of writing of this article.
Unpacking the Firmware Image
This push button is not accessible without cracking the case open. Pushing it at boot time will force the bootloader to boot from the USB port of the device. However, only signed code can theoretically be executed. Please note that, for successful code generation your device clock need to be in correct time and date and also set to correct time zone.
As the range of smart devices has been expanding so does the variety of tasks that can be performed with voice commands. The list of things you can do with Google Assistant is so huge that one might not remember them all. From Android, iOS, and Smart TVs to dedicated smart speakers and display devices, Google’s AI-powered voice assistant is everywhere. Google Assistant is the smartest way to control Wi-Fi-connected smart devices and appliances.
Google Home Mini has arrived—here’s what you can do with it
A FT2232H. This component adds Hi-Speed USB connectivity to the board. Hardware files are available here while the software can be downloaded from here. I made the schematics, Gerber files, and software of NandBug publicly available.
This bitstream will generate a FSM that's able to program pages. The pages addresses and data are received from the FT2232H using the Sync FIFO Mode. This bitstream will generate a FSM that's able to erase blocks. The addresses to erase are received from the FT2232H using the Sync FIFO Mode.
This section gives some information concerning the software and gateware architecture behind NandBug. It's not absolutely necessary to read this section to understand the rest of the article. To help with the soldering process, I ordered a stencil at the same time with the Interposer PCB. The holes of the stencil are matching the NAND Flash footprint. It's a mirrored version of the "normal" NAND Flash schematic. Indeed, this board will be soldered in place of the original NAND on the Google Home Mini PCB.
Thanks to NandBug, it's now possible to easily dump the entire content of the NAND Flash. However, before even thinking of patching the firmware, making full sense of this dump is needed. However, The NAND Flash signals are going too fast for achieving this with a simple ICE40 FPGA. This may have been possible with a more advance component. The NAND Flash dumping and programming features are reliable.
This source code will be extremely useful in the second article of this series. Just start with “Hey Google” to get answers from your Google Assistant, tackle your day, enjoy music or TV shows, and control your compatible smart home devices. And with Voice Match, the Assistant can tell your voice from others—up to six people can get personal assistance on each device.
The delicate BGA NAND Flash IC is soldered to this board. Repeatedly desoldering and soldering back the NAND Flash would have been annoying and could have caused damage to to the PCB. Last but not least, it's an interesting challenge that will need me to go down the rabbit hole.
As explained before, the SoC of the Google Home Mini comes without any public documentation. Being able to run custom code on it is valuable to understand it better. Things like dumping the BootROM of the system becomes possible. Dynamic analysis of the Goggle Home software running on the actual hardware becomes possible.
The first thing to note is that the way the data is written to a NAND Flash is somewhat special. Each page contains data and a special section called OOB, the out-of-bound section. More importantly, the Google Home Mini can still boot without problems despite all the heavy surgery it received.
All you need to do is copy the search results page URL, paste it into the ‘Google URL’ field, and create a QR code. Smart speakers are popular devices with tech-savvy consumers nowadays, and quite affordable. Apple’s HomePod is neither, but then again, Apple sells it as a high-end speaker rather than a smart one. Keep track of everything going around you and the world and get updates about the financial market and weather forecasts using the following Google Home commands. If your daily schedule is time-bound and you tend to forget things very often, you can manage your alarms, times, and reminders using Google Home commands. While all the executable data is apparently verified, having a total control on all the NAND Flash data does open a rather large attack surface.
No comments:
Post a Comment