ESP32 Firmwares + BLE + Zigbee

docs/gadgets/bus-pirate.md

@@ -29,4 +29,5 @@ sudo flashrom -p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name)  -r (
 
 * [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg)
 * [Bus Pirate 5 REV 10 Hardware](https://hardware.buspirate.com/)
-* [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/)
+* [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/)
+* [Hardware Hacking: Plunder With a Bus Pirate - Brian Berg - February 15, 2024](https://trustedsec.com/blog/hardware-hacking-plunder-with-a-bus-pirate)

docs/gadgets/esp32.md

@@ -1,15 +1,30 @@
 # ESP32
 
+![ESP32](../assets/esp32-pinout.png)
+
+
 ## Tools
 
 * [espressif/esptool](https://github.com/espressif/esptool) - Espressif SoC serial bootloader utility
 * [jmswrnr/esp32knife](https://github.com/jmswrnr/esp32knife) - Tools for ESP32 firmware dissection
-
+* [scientifichackers/ampy](https://github.com/scientifichackers/ampy) - Utility to interact with a MicroPython board over a serial connection
+* [ESPWebTool](https://esp.huhn.me/) - Flash your ESP32 or ESP8266 through your browser.
 
 ## Flashing
 
 The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa 32-bit little-endian` in Ghidra.
 
+* Flash a new firmware with `espressif/esptool`
+    ```ps1
+    esptool.py -p /dev/ttyUSB0 -b 460800 --before default_reset --after hard_reset --chip esp32  write_flash --flash_mode dio --flash_size 2MB --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0x8000 build/partition_table/partition-table.bin 0x10000 build/ble_ctf.bin
+    esptool.py -p /dev/ttyS5 -b 115200 --after hard_reset write_flash --flash_mode dio --flash_freq 40m --flash_size detect 0x8000 build/partition_table/partition-table.bin 0x1000 build/bootloader/bootloader.bin 0x10000 build/esp32-wifi-penetration-tool.bin
+    ```
+
+* Flash a new firmware with `scientifichackers/ampy` (MicroPython)
+    ```ps1
+    ampy --port /dev/ttyUSB0 put bla.py
+    ```
+
 * Dump the flash
     ```ps1
     esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin
@@ -27,7 +42,9 @@ The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa
     esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed
     ```
 
+
 ## References
 
 * [ESP32-reversing - BlackVS](https://github.com/BlackVS/ESP32-reversing)
-
+* [ESP32 Wi-Fi Penetration Tool - GitHub - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://github.com/risinek/esp32-wifi-penetration-tool)
+* [ESP32 Wi-Fi Penetration Tool - Documentation - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://risinek.github.io/esp32-wifi-penetration-tool/)

docs/gadgets/flipper-zero.md

@@ -7,8 +7,8 @@
 * [Flipper Zero Firmware](https://github.com/flipperdevices/flipperzero-firmware)
 * [Flipper Zero Unleashed Firmware](https://github.com/Eng1n33r/flipperzero-firmware)
 * [Flipper Zero FW RogueMaster](https://github.com/RogueMaster/flipperzero-firmware-wPlugins)
+* [Flipper Zero Xtreme-Firmware](https://github.com/Flipper-XFW/Xtreme-Firmware)
 
-* [Awesome FlipperZero](https://github.com/djsime1/awesome-flipperzero)
 
 ### Firmware Update - PC
 
@@ -27,6 +27,11 @@
 * [RogueMaster/flipperzero-firmware-wPlugins - Web Update](https://lab.flipper.net/?url=https%3A%2F%2Frogue-master.net%2F%3Ffile%3DRM0322-1504-0.79.2-22158b0.tgz&channel=RM0322-1504-0.79.2-22158b0&version=0.79.2)
 
 
+## GPIO
+
+![GPIO Flipper](../assets/flipper-gpio.png)
+
+
 ## Videos
 
 * [Flipper Zero: Want some good news? - Penthertz](https://www.youtube.com/watch?v=tB0eYatvu0k)
@@ -43,4 +48,5 @@
 
 ## References
 
-* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c)
+* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c)
+* [djsime1/Awesome FlipperZero - 🐬 A collection of awesome resources for the Flipper Zero device](https://github.com/djsime1/awesome-flipperzero)

docs/protocols/bluetooth.md

@@ -1,20 +1,34 @@
 # Bluetooth
 
+## Tools
+
+* [bettercap/bettercap](https://github.com/bettercap/bettercap)
+* [expliot_framework/expliot](https://expliot.readthedocs.io/en/latest/index.html)
+* [hackgnar/bleah](https://github.com/hackgnar/bleah)
+* [bluez/gatttool](https://manpages.debian.org/unstable/bluez/gatttool.1.en.html)
+* [securing/gattacker](https://github.com/securing/gattacker)
+
+
 ## Bluetooth configuration
 
-Configuration for Kali Linux
+Requirements and configuration for Kali Linux.
 
 ```powershell
 $ sudo apt-get install bluetooth blueman bluez
 $ sudo systemctl start bluetooth
 $ sudo hciconfig hci0 up
+```
+
+Enumerate Bluetooth devices
 
+```powershell
 $ sudo hcitool lescan
 00:1A:7D:DA:71:06 Ph0wn Beacon
 25:55:84:20:73:70 (unknown)
 ```
 
-`apt` doesn't have a recent version of bluez, recompile it with the following lines.
+> [!CAUTION]
+> `apt` doesn't have a recent version of bluez, recompile it with the following lines.
 
 ```powershell
 wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz
@@ -26,6 +40,7 @@ make -j8 && sudo make install
 sudo cp attrib/gatttool /usr/local/bin/
 ```
 
+
 ## BLE - Enumerate services and characteristics
 
 > BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server.
@@ -78,19 +93,29 @@ Read data with gatttool
 ```powershell
 $ sudo gatttool -b $MAC -I
 [00:1A:7D:DA:71:06][LE]> connect
+```
 
-# list characteristics
-[00:1A:7D:DA:71:06][LE]> characteristics
-handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469
+* List characteristics
 
-# read characteristic at char handle
-[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
-Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31
+    ```powershell
+    [00:1A:7D:DA:71:06][LE]> characteristics
+    handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469
+    ```
 
-# one liner
+* Read characteristic at char handle
+
+    ```powershell
+    [00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
+    Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31
+    ```
+
+One liner to read a characteristic
+
+```powershell
 $ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
 ```
 
+
 ## BLE - Read notification/indication
 
 ```powershell
@@ -144,6 +169,7 @@ ubertooth-btle -U 1 -A 38 -f  -c bulb_38.pcap
 ubertooth-btle -U 2 -A 39 -f  -c bulb_39.pcap
 ```
 
+
 ### Using Micro::Bit
 
 * [WEAPONIZING THE BBC MICRO:BIT - DAMIEN CAUQUIL / VIRTUALABS - DEF CON 25 - JULY 28, 2017](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf)
@@ -163,9 +189,13 @@ $ adb pull /sdcard/oem_log/btsnoop/<your log file>.log
 ## Challenges
 
 * [BLE HackMe](https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android), 
+* [hackgnar/ble_ctf](https://github.com/hackgnar/ble_ctf) - A Bluetooth low energy capture the flag
 
 
 ## References
 
 * [A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020](https://www.smartlockpicking.com/slides/HITB_Cyberweek_2020_A_Practical_Introduction_To_BLE_Security.pdf)
-* [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero)
+* [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero)
+* [BLE CTF - wiki.elvis.science - Embedded Lab Vienna for IOT & Security](https://wiki.elvis.science/index.php?title=BLE_CTF)
+* [BLUETOOTH LOW ENERGY CTF - WRITE UP - ECLECTIC KOALA](https://blog.tclaverie.eu/posts/bluetooth-low-energy-ctf---write-up/)
+* [BLECTF, a "Capture The Flag" hardware platform based on Bluetooth Low Energy BLE + Write-Up - Hacker de Cabecera  febrero 04, 2020](https://www.hackerdecabecera.com/2020/02/blectf-capture-flag-hardware-platafom.html)

docs/protocols/zigbee.md

@@ -1,11 +1,15 @@
 # ZigBee
 
-> Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication.
+> Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication. 
+
+Zigbee is an IEEE 802.15.4-based, wireless networking standard, which is basically used for two-way communication between sensors and control systems. Zigbee is a short-range wireless communication standard like Bluetooth and Wi-Fi while covering a range of 10 to 100 meters.
 
 
 ## Tools
 
 * [riverloopsec/killerbee](https://github.com/riverloopsec/killerbee) - IEEE 802.15.4/ZigBee Security Research Toolkit
+* [APIMote](https://www.attify-store.com/products/apimote) - The ApiMote is a ZigBee security research hardware intended for researchers, students, utility companies, etc. to use for learning about and evaluating the security of IEEE 802.15.4/ZigBee systems as authorized.
+* [Cognosec/SecBee](https://github.com/Cognosec/SecBee) (archived) - SecBee is a ZigBee security testing tool developed by Cognosec to test ZigBee implementations for security issues
 
 
 ## Default Trust Center Link Key
@@ -27,4 +31,9 @@ Example: [CVE-2020-28952 - Athom Homey Static and Well-known Keys](https://yougo
 
 * [AN1233: Zigbee Security - Silabs](https://www.silabs.com/documents/public/application-notes/an1233-zigbee-security.pdf)
 * [Zigbee Security 101 (Architecture And Security Issues) - February 11, 2023 - dattatray](https://payatu.com/blog/zigbee-security-101/)
-* [Tout, tout, tout vous saurez tout sur le ZigBee / MISC n°86 - July 2016 - Kovacs Nicolas](https://connect.ed-diamond.com/MISC/misc-086/tout-tout-tout-vous-saurez-tout-sur-le-zigbee)
+* [Tout, tout, tout vous saurez tout sur le ZigBee / MISC n°86 - July 2016 - Kovacs Nicolas](https://connect.ed-diamond.com/MISC/misc-086/tout-tout-tout-vous-saurez-tout-sur-le-zigbee)
+* [ZIGBEE SECURITY: BASICS (PART 2) - Vishruta Rudresh - November 8, 2017](https://research.kudelskisecurity.com/2017/11/08/zigbee-security-basics-part-2/)
+* [ZIGBEE SECURITY: BASICS (PART 3) - Vishruta Rudresh - November 21, 2017](https://research.kudelskisecurity.com/2017/11/21/zigbee-security-basics-part-3/)
+* [Understanding Zigbee and Wireless Mesh Networking - Ray Felch - 27 Aug 2021](https://www.blackhillsinfosec.com/understanding-zigbee-and-wireless-mesh-networking/)
+* [ZigBee Penetration Testing: Strengthen Your IoT Security - RF Security - 12/08/2022](https://www.offensive-wireless.com/zigbee-penetration-testing/)
+* [pCTF 2011 #32 That's no bluetooth - STALKR - TUESDAY, APRIL 26, 2011](https://blog.stalkr.net/2011/04/pctf-2011-32-thats-no-bluetooth.html)