Table of Content
It's a mirrored version of the "normal" NAND Flash schematic. Indeed, this board will be soldered in place of the original NAND on the Google Home Mini PCB. Sending various configuration bitstreams to the FPGA. This is done by using the SPI protocol and a couple of additional GPIOs. Manually soldering thin wires to the BGA footprint for breaking out the NAND Flash lines could have been risky because of signal integrity issues. It wouldn't have been a very clean and, more importantly, reliable solution.
The Google Home Mini PCB + Interposer Board can be connected to the NandBug Main Board. As it must be soldered like a BGA component, I'll turn it into one by soldering tiny solder balls. First things first, the NAND Flash must be desoldered from the Google Home PCB. This has been done with a cheap hot air reworking station. It's a model that can be bought from many places and that has served me well for several years now. A small connector matching the one of the main board.
More by Google LLC
Optionally, a NAND Flash can be directly soldered to the board. A FT2232H. This component adds Hi-Speed USB connectivity to the board. Hardware files are available here while the software can be downloaded from here. I made the schematics, Gerber files, and software of NandBug publicly available. The general idea is in fact to make the NAND Flash of the Google Home in-system programmable. It may sound like an over engineered solution and it maybe is.
This source code will be extremely useful in the second article of this series. In 2014, fail0verflow was able to root Chromecast devices with a vulnerability affecting the bootloader. A buffer overflow vulnerability triggered thanks to a special USB peripheral led to a full secure boot bypass. That said, the Home Mini used a micro-USB port instead of a barrel plug connector, and some people preferred that approach.
What Is a Google Home Mini and How Does It Work?
That information is passed to the cloud, where Google's powerful servers get to work. Don't be fooled by the Google Home Mini's affordable price tag or diminutive size. We know the bootloader and kernel partitions are part of the chain of trust. Unsurprisingly, because they are probably the most carefully written parts, I haven't been able to find any way to skip the secure boot from this side. One of the very early design goal of NandBug was to be able to monitor the data read and written by the Google Home to the NAND Flash in real time. It could maybe have been useful to find interesting TOCTOU bugs in the secure boot implementation.
The Google Home Mini is a smart speaker that's built on the same platform as the original Google Home, but it's significantly smaller. If the device has been used before, factory reset your speaker or display before you continue. The Google Home has a single speaker with two passive radiators, which really help it produce decent sound for a device of its size.
The NandBug System
A few weeks ago we unveiled Google Home Mini, the newest addition to the Google Home family. About the size of a donut, it has all the smarts of the Google Assistant and gives you hands-free help in any room of your house. Starting today, you can grab it online from the Google Store or online or on shelves of Best Buy, Walmart, Target and other stores.
I guess this nibbles swapping weirdness is caused by the way the low-level hardware BCH engine is actually working. Swap another time the nibbles of the computed BCH code. Swap the nibbles of each of the 2080 first bytes of the page.
There's more to this compact smart speaker than meets the eye
So, for us, each page is 2716 bytes, with 128 bytes used as OOB. In our case, reading the datasheet of the NAND Flash used by the Google Home, the TC58NVG1S3HBAI6 gives the following details about the internal memory organization. The OOB section of each page is usually used to store Error Correction Code or ECC. This is needed because of how imperfect NAND Flash technology is. Bit flips are very common with these memories, and ECC are an efficient way to address the issue.
Repeatedly desoldering and soldering back the NAND Flash would have been annoying and could have caused damage to to the PCB. It's the most direct way of achieving code execution on the platform. My goal will be to modify the NAND flash content until I can execute my own code. The Google Home Mini is protected by some kind of secure boot. Bootloader and Kernel are cryptographically verified. To conclude, at first sight, the hardware looks rather annoying to work with and doesn't appear to be very talkative.
You’ll be able to opt out of some settings, like Voice Match or personal results. You can change these settings at any time after you complete setup. In terms of functionality, the Home Mini and Nest Mini are identical. They answer all the same queries and commands, and they work with all of the same devices and apps.
The NAND Flash hardware peripheral of the processor is fully responsible from computing it. The only hint the source can give is that the ECC algorithm in use is very likely BCH. It's needed to correct the dump and to go further with unpacking the firmware files.
The Interposer Board that's soldered to the Google Home Mini PCB, right at the NAND Flash location. This board breaks out the NAND Flash signals to a tiny connector. Desoldering and soldering it back is easier said than done, especially considering I'll likely have to do it multiple times. Last but not least, it's an interesting challenge that will need me to go down the rabbit hole. The content and structure of the NAND Flash will need to be understood. A exploit could be needed to bypass the secure boot.
As demonstrated in the previous articles of this website, I've always been interested into running my own code on consumer devices. Create Routines that allow you to turn on compatible lights, check the weather, play the news, and more with one simple command. Glad to see that I am not the only one with this problem.
Reading through the init.rc script of the initramfs, it appears these two partitions are YAFFS2 partitions. The Linux Kernel version and compilation timestamp can be extracted from strings present in the binary data. Here, the Linux Kernel command line contains the mtdparts configuration variable. This leaks both the names and sizes of all flash partitions.
No comments:
Post a Comment