# I2C

## **Theory:**

I2C (Inter-Integrated Circuit) is a synchronous, multi-master, multi-slave communication protocol used for short-range communication between components on a circuit board. I2C uses two main lines:

* **SCL (Serial Clock Line):** Carries the clock signal generated by the master.
* **SDA (Serial Data Line):** Carries the data between master and slave devices.

I2C is commonly used to connect microcontrollers to sensors, memory devices (like EEPROMs), and other peripherals. As a pentester, gaining access to the I2C bus can reveal sensitive data, provide the ability to modify system configurations, or help you intercept communications between components.

## **Requirements:**

1. **Hardware:**
   * I2C Interface Adapter (Bus Pirate, Saleae Logic Analyzer, FTDI I2C modules)
   * Jumper wires
   * Multimeter (for checking pin voltages and identifying the correct lines)
   * Soldering kit (if pins are not exposed)
2. **Software:**
   * Tools for I2C communication:
     * `i2cdetect`, `i2cdump`, `i2cset` (Linux-based tools)
     * `Bus Pirate` tools for interacting with the I2C bus
   * Logic analyzer software for analyzing I2C traffic:
     * `Sigrok` with `PulseView`
3. **Knowledge:**
   * Some I2C devices may misbehave or crash if continuously scanned. Be cautious when using `i2cdetect`.
   * Ensure your I2C adapter matches the voltage levels of the device (usually 3.3V or 5V) to avoid damaging components.

## **Common Attacks:**

1. **Identifying I2C Pins:**

   * In many cases, the I2C lines are not labeled. You can identify them using a multimeter to detect the voltage levels, typically 3.3V or 5V, on the SCL and SDA lines.

   **Command Example (Bus Pirate for identifying pins):**

   ```bash
   m  # Open the mode menu and select I2C
   v  # Show pin states and measured voltages
   ```
2. **Device Discovery (I2C Bus Scanning):**

   * Once connected to the I2C bus, you can scan for active devices using the `i2cdetect` tool or Bus Pirate. This allows you to enumerate all the I2C devices on the bus.

   **Command Example (Linux I2C Bus Scan):**

   ```bash
   i2cdetect -y 1  # Scan I2C bus 1 and print the addresses of all responding devices
   ```

   **Bus Pirate I2C Scan:**

   ```bash
   m    # Open the mode menu and select I2C
   (1)  # Run the 7-bit address search macro to list responding devices
   ```
3. **Reading Data from I2C Devices:**

   * After identifying connected devices, you can read data from their registers, such as reading EEPROM contents or sensor data.

   **Command Example (Reading an EEPROM using `i2cdump`):**

   ```bash
   i2cdump -y 1 0x50  # Read the registers of the device at address 0x50 on bus 1
   ```

   **Bus Pirate Command (I2C EEPROM Read):**

   ```bash
   # 0xA0 / 0xA1 are the write / read address bytes for 7-bit address 0x50
   m                        # Open the mode menu and select I2C
   [0xA0 0x00 [0xA1 r:32]   # Set word address 0x00, repeated START, read 32 bytes
   ```
4. **Modifying Data on I2C Devices:**

   * You can also modify the data stored in an I2C device, such as changing configuration settings or writing to an EEPROM.

   **Command Example (Writing to an EEPROM using `i2cset`):**

   ```bash
   i2cset -y 1 0x50 0x00 0xFF  # Write the value 0xFF to address 0x00 of the EEPROM at I2C address 0x50
   ```

   **Bus Pirate Command (EEPROM Write):**

   ```bash
   m                  # Open the mode menu and select I2C
   [0xA0 0x00 0xFF]   # Write 0xFF to EEPROM address 0x00
   ```
5. **Sniffing I2C Traffic:**

   * Using a logic analyzer or a Bus Pirate, you can sniff I2C communication between the master and slave devices to capture sensitive information or reverse engineer the communication protocol.

   **Command Example (Bus Pirate I2C Sniffing):**

   ```bash
   m    # Open the mode menu and select I2C
   (2)  # Run the I2C sniffer macro
   ```

   **Sigrok/PulseView for I2C Analysis:**

   * Connect the logic analyzer to the I2C lines and capture the signals. Use PulseView to decode the I2C data for easier analysis.
6. **Bypassing Security Mechanisms:**

   * Certain devices may have write protection or security features. Pentesters can manipulate the I2C bus to disable these mechanisms or force a reset.

   **Tools:**

   * **i2cset** (for sending specific commands to reset a device or change its configuration).

   **Command Example (Sending a reset command):**

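   ```bash
   # Writes 0x06 to register 0x00 of the device at 0x50 on bus 1.
   # Reset registers and values are device-specific; take them from the datasheet.
   i2cset -y 1 0x50 0x00 0x06
   ```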
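
**Added example (decoding a sniffed capture):** The script below is an illustration added to this page, not part of the original cheat sheet. It decodes the kind of capture the sniffing step produces and rebuilds the EEPROM bytes that crossed the bus, which shows that anything stored unencrypted in a bus-attached EEPROM is exposed to whoever can probe SDA and SCL. The bracket notation (`[` START, `]` STOP, `+` ACK, `-` NACK), the sample capture, and the function names `parse_sniff` and `rebuild_eeprom` are assumptions made for this example, as is the one-byte word address.

```python
import re

# Constructed sample capture in Bus Pirate-style sniffer notation (assumed):
# "[" = START or repeated START, "]" = STOP, "+" = ACK, "-" = NACK.
SAMPLE = ("[0xA0+0x00+[0xA1+0x53+0x4E+0x3A+0x31-]"  # EEPROM 0x50: pointer 0x00, read 4 bytes
          "[0x90+0x00+[0x91+0x19+0x80-]"            # unrelated device at 0x48
          "[0xA0+0x10+0xFF+]"                       # EEPROM 0x50: write 0xFF at offset 0x10
          "[0xA2-]")                                # address byte NACKed: nothing at 0x51

TOKEN = re.compile(r"\[|\]|0x([0-9A-Fa-f]{2})([+-])")

def parse_sniff(text):
    """Split a capture into segments, one per START or repeated START."""
    segments, current, expect_addr = [], None, False
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if tok in ("[", "]"):
            if current:
                segments.append(current)
            current, expect_addr = None, tok == "["
        elif expect_addr:
            # First byte after START: 7-bit address in bits 7..1, R/W flag in bit 0.
            byte = int(m.group(1), 16)
            current = {"addr": byte >> 1, "read": bool(byte & 1),
                       "ack": m.group(2) == "+", "data": []}
            expect_addr = False
        elif current is not None:
            current["data"].append(int(m.group(1), 16))
    return segments

def rebuild_eeprom(segments, addr7=0x50, size=256):
    """Replay traffic for a 1-byte-address EEPROM; return {offset: byte} seen on the wire."""
    image, ptr = {}, 0
    for seg in segments:
        if seg["addr"] != addr7 or not seg["ack"]:
            continue
        data = seg["data"]
        if not seg["read"]:
            if not data:
                continue
            ptr, data = data[0], data[1:]   # first written byte is the word address
        for value in data:
            image[ptr] = value
            ptr = (ptr + 1) % size          # simplification: page-write wrap is ignored
    return image

if __name__ == "__main__":
    for offset, value in sorted(rebuild_eeprom(parse_sniff(SAMPLE)).items()):
        print(f"0x{offset:02X}: 0x{value:02X}")
```

The address byte `0xA0` on the wire decodes to the 7-bit address `0x50` used with `i2cdump` and `i2cset`, which is why the Bus Pirate and Linux commands above use different numbers for the same device.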
