The Interposer Board that's soldered to the Google Home Mini PCB, right at the NAND Flash location. This board breaks out the NAND Flash signals to a tiny connector. Desoldering and soldering it back is easier said than done, especially considering I'll likely have to do it multiple times. Last but not least, it's an interesting challenge that will need me to go down the rabbit hole. The content and structure of the NAND Flash will need to be understood. An exploit could be needed to bypass the secure boot.
That's why, for this project, I chose to rely on nMigen. The very same HDL concepts do of course apply, but can be expressed with the syntax and convenience offered by Python. Finally, the stencil can next be removed and another bath of hot air given for good measure. The Interposer can ultimately be cleaned with a good amount of a "Flux cleaner" solution.
Google Home Mini
The Google Home Mini launched in October of 2017 and was replaced two years later by the Nest Mini. Despite that, the original affordable speaker has remained available for sale but is now finally out of stock on the Google Store. After 30 minutes there was a very loud siren noise that would wake the dead. It’s very frustrating, I have to use another device for this. I swear this thing has gotten dumber since it was introduced. Least Google could do though if they aren't going to fix the bug is to remove the note from the UI that says they automatically stop.

As I explained before, NAND Flash memories are unreliable and the probability some bits are flipped is high. The width of the image is fixed to 2176 pixels, matching the size of a page. Hence, each line of the image corresponds to a single page.
Google Home Mini Hardware Overview
On the bottom side of the board, only the Interposer Board connector is fitted. Its bitstream format has been reverse-engineered and it is now supported by open source toolchains. A micro-USB connector, used for power and data transfer.
The first thing to note is that the way the data is written to a NAND Flash is somewhat special. Each page contains data and a special section called OOB, the out-of-band section. This feature can somehow work a little bit at the very beginning of the Google Home boot sequence though. At this early point, the clock of the NAND Flash peripheral is reduced to a couple of hundred kHz. More importantly, the Google Home Mini can still boot without problems despite all the heavy surgery it received. Receive the NAND Flash data and compare it to the content of filename.
Google Nest Mini (smart speaker generation with integrated Google Assistant
See your activity, delete it manually, or choose to delete it automatically. Control your privacy on Google Assistant with your voice. Ask questions like “Where can I change my privacy settings?”

However, before even thinking of patching the firmware, making full sense of this dump is needed. Overall, I'm quite happy with how NandBug is working. The NAND Flash dumping and programming features are reliable. This bitstream will generate an FSM that's able to program pages. The page addresses and data are received from the FT2232H using the Sync FIFO Mode. Everything is now finally ready on the hardware side.
The Google Home Mini is a smart speaker that's built on the same platform as the original Google Home, but it's significantly smaller. If the device has been used before, factory reset your speaker or display before you continue. The Google Home has a single speaker with two passive radiators, which really help it produce decent sound for a device of its size.

Optionally, a NAND Flash can be directly soldered to the board. An FT2232H. This component adds Hi-Speed USB connectivity to the board. Hardware files are available here while the software can be downloaded from here. I made the schematics, Gerber files, and software of NandBug publicly available. The general idea is in fact to make the NAND Flash of the Google Home in-system programmable. It may sound like an over-engineered solution, and maybe it is.
Just start with “Hey Google” to get answers from your Google Assistant, tackle your day, enjoy music or TV shows, and control your compatible smart home devices. And with Voice Match, the Assistant can tell your voice from others—up to six people can get personal assistance on each device. If you want to set up a different device, you can find the instructions in Set up smart devices in the Google Home app.
My goal is not only to read but also to alter the NAND Flash data to achieve code execution. Hence, the ECC of all modified pages must be computed. Otherwise, the Google Home Processor will simply discard all the modified pages. It appears that for each page, the OOB section is filled with a 90-byte chunk of data. Thanks to NandBug, it's now possible to easily dump the entire content of the NAND Flash.
The Google Home Mini PCB + Interposer Board can be connected to the NandBug Main Board. As it must be soldered like a BGA component, I'll turn it into one by soldering tiny solder balls. First things first, the NAND Flash must be desoldered from the Google Home PCB. This has been done with a cheap hot air reworking station. It's a model that can be bought from many places and that has served me well for several years now. A small connector matching that of the main board.
