By sfranzyshen
#85485 kicking around the idea of modifying the 'System parameter area' of the flash using the esptool. Particularly the Wifi credential storage is located in the last 12K of the flash ... if we look at the ld files we can see at what address it's located ... this example is for the 4MB flash ... but it's always located at the last 12KB ...

Code:
cat eagle.flash.4m1m.ld

/* Flash Split for 4M chips */
/* sketch @0x40200000 (~1019KB) (1044464B) */
/* empty  @0x402FEFF0 (~2052KB) (2101264B) */
/* spiffs @0x40500000 (~1000KB) (1024000B) */
/* eeprom @0x405FB000 (4KB) (4096) */
/* rfcal  @0x405FC000 (4KB) (4096) */
/* wifi   @0x405FD000 (12KB) (12288) */      <<= address for the (3FD000) System parameter area

subtract the flash start address from the wifi partition address and we'll get the address on the flash to download from ... then looking at it (using a hex tool) we can see the data in clear text ... and using the struct from the SDK, we can see the information that is referenced during wifi configuration operations ... although there's also more information that can be seen in the data ... for example the hostname.

Code:
struct station_config {
    uint8 ssid[32];         /**< SSID of target AP*/
    uint8 password[64];     /**< password of target AP*/
    uint8 bssid_set;        /**< whether set MAC address of target AP or not. Generally, station_config.bssid_set needs to be 0; and it needs to be 1 only when users need to check the MAC address of the AP.*/
    uint8 bssid[6];         /**< MAC address of target AP*/
};

You can see the wifi credentials are stored in 4 separate places ... (pretty much identical records) ... btw the password has been changed ... in case some of these bytes are hashes ...

Code:
esptool.py read_flash 0x3FD000 12288 wifi-12K.bin
xxd wifi-12K.bin

00000000: ffff ffff ffff ffff 0300 ffff 0b00 0000  ................
00000010: 4964 6561 4661 624c 6162 7300 0060 2140  IdeaFabLabs..`!@      <<= SSID      IdeaFabLabs
00000020: d026 0000 da04 0000 da04 0000 800d 1040  .&.............@
00000030: 0305 0300 0300 0062 6574 6166 6973 6800  .......password.      <<= Password      password (this isn't the real password ...)
00000040: 24ff 3f58 f8fe 3fdc 84fe 3fec 24ff 3f20  $.?X..?...?.$.?
00000050: 0000 000b 1010 4020 0000 00b6 0000 00b6  ......@ ........
00000060: 0000 0005 0155 aa00 0000 0000 0464 00c0  .....U.......d..
00000070: a804 01ff ffff 0000 bdc6 cd5f 170e 8766  ..........._...f
00000080: 54b4 9556 c7d5 2e7f 9c2d ee9d 2899 9397  T..V.....-..(...
00000090: 03b4 ce9f 1963 d966 ffff ffff ffff ffff  .....c.f........
000000a0: ffff ffff ffff ffff ff00 6038 e02f 6fd1  ..........`8./o.      <<= bssid_set & BSSID   60:38:e0:2f:6f:d1
000000b0: 0500 0000 4e45 4f4a 5300 0040 dc18 ff3f  ....NEOJS..@...?      <<= Hostname      NEOJS
000000c0: 9c04 0000 00d0 3f00 a45c 1040 feef effe  ......?..\.@....
000000d0: feef effe 00ef effe f105 1040 dc18 ff3f  ...........@...?
000000e0: 9c04 0000 0000 0000 feef effe feef effe  ................
000000f0: dc18 ff3f aeeb 2440 88f5 fe3f c903 0000  ...?..$@...?....
00000100: c903 0000 947f 2140 0300 0000 dc18 ff3f  ......!@.......?
00000110: 0000 0000 00ff ffff ffff ffff ffff ffff  ................
00000120: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000130: ffff ffff ff01 0000 04ff ffff 0100 ffff  ................
00000140: 0b00 0000 4964 6561 4661 624c 6162 7300  ....IdeaFabLabs.      <<= SSID      IdeaFabLabs
00000150: 0060 2140 d026 0000 da04 0000 da04 0000  .`!@.&..........
00000160: 800d 1040 6265 7461 6669 7368 0024 ff3f  ...@password.$.?      <<= Password      password (this isn't the real password ...)
00000170: 58f8 fe3f dc84 fe3f ec24 ff3f 2000 0000  X..?...?.$.? ...
00000180: 0b10 1040 2000 0000 b600 0000 b600 0000  ...@ ...........
00000190: 0501 55aa 0000 0000 0004 6400 c0a8 0401  ..U.......d.....
000001a0: ffff ff00 ffff ffff ffff ffff ffff ffff  ................
-------------------------------------------------------------------------------------------------------------------------------------
00001000: ffff ffff ffff ffff 0300 ffff 0b00 0000  ................
00001010: 4964 6561 4661 624c 6162 7300 0060 2140  IdeaFabLabs..`!@
00001020: d026 0000 da04 0000 da04 0000 800d 1040  .&.............@
00001030: 0305 0300 0300 0162 6574 6166 6973 6800  .......password.
00001040: 24ff 3f58 f8fe 3fdc 84fe 3fec 24ff 3f20  $.?X..?...?.$.?
00001050: 0000 000b 1010 4020 0000 00b6 0000 00b6  ......@ ........
00001060: 0000 0005 0155 aa00 0000 0000 0464 00c0  .....U.......d..
00001070: a804 01ff ffff 0000 bdc6 cd5f 170e 8766  ..........._...f
00001080: 54b4 9556 c7d5 2e7f 9c2d ee9d 2899 9397  T..V.....-..(...
00001090: 03b4 ce9f 1963 d966 ffff ffff ffff ffff  .....c.f........
000010a0: ffff ffff ffff ffff ff00 6038 e02f 6fd1  ..........`8./o.
000010b0: 0500 0000 4e45 4f4a 5300 0040 dc18 ff3f  ....NEOJS..@...?
000010c0: 9c04 0000 00d0 3f00 a45c 1040 feef effe  ......?..\.@....
000010d0: feef effe 00ef effe f105 1040 dc18 ff3f  ...........@...?
000010e0: 9c04 0000 0000 0000 feef effe feef effe  ................
000010f0: dc18 ff3f aeeb 2440 88f5 fe3f c903 0000  ...?..$@...?....
00001100: c903 0000 947f 2140 0300 0000 dc18 ff3f  ......!@.......?
00001110: 0000 0000 00ff ffff ffff ffff ffff ffff  ................
00001120: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00001130: ffff ffff ff01 0000 04ff ffff 0100 ffff  ................
00001140: 0b00 0000 4964 6561 4661 624c 6162 7300  ....IdeaFabLabs.
00001150: 0060 2140 d026 0000 da04 0000 da04 0000  .`!@.&..........
00001160: 800d 1040 6265 7461 6669 7368 0024 ff3f  ...@password.$.?
00001170: 58f8 fe3f dc84 fe3f ec24 ff3f 2000 0000  X..?...?.$.? ...
00001180: 0b10 1040 2000 0000 b600 0000 b600 0000  ...@ ...........
00001190: 0501 55aa 0000 0000 0004 6400 c0a8 0401  ..U.......d.....
000011a0: ffff ff00 ffff ffff ffff ffff ffff ffff  ................


I plan to set up a router and make different configured connections and compare the records to try and map things out ... unless it's already been done (fingers crossed)

Thanks
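As an added example (not code from the post or the SDK), the address arithmetic and the "stored in clear text, in several places" observation above can be turned into a small check: derive the esptool offset from the linker-script address, rebuild bytes from an xxd listing, and count how many verbatim copies of a credential a dump holds. The sample dump, the SSID "ExampleAP" and the password "secret12" are constructed here; the field offsets within a record are not documented on the page, so the check searches for the strings rather than decoding the record.

```python
import re

FLASH_MAP_BASE = 0x40200000   # flash as mapped into the ESP8266 address space
WIFI_AREA_ADDR = 0x405FD000   # 'wifi' entry of eagle.flash.4m1m.ld (last 12 KB)
WIFI_AREA_SIZE = 12 * 1024

def flash_offset(mapped_addr: int, base: int = FLASH_MAP_BASE) -> int:
    """Translate a memory-mapped flash address into an esptool read_flash offset."""
    if mapped_addr < base:
        raise ValueError("address lies below the flash mapping base")
    return mapped_addr - base

XXD_LINE = re.compile(r"^([0-9a-f]{8}):\s+((?:[0-9a-f]{4}\s?){1,8})")

def parse_xxd(text: str) -> bytes:
    """Rebuild raw bytes from xxd output; gaps between offsets are erased flash (0xff)."""
    buf = bytearray()
    for line in text.splitlines():
        m = XXD_LINE.match(line.strip())
        if not m:
            continue                       # skip headers, annotations, separators
        off = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if off > len(buf):
            buf.extend(b"\xff" * (off - len(buf)))
        buf[off:off + len(data)] = data
    return bytes(buf)

def find_cleartext(image: bytes, secret: bytes) -> list:
    """Every offset at which `secret` occurs verbatim, i.e. each unencrypted copy."""
    hits, start = [], 0
    while (i := image.find(secret, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits

# Constructed sample dump (not from the post): two copies of a record holding the
# SSID "ExampleAP" and the password "secret12", laid out 4 KB apart like the real area.
SAMPLE_DUMP = """\
00000000: ffff ffff ffff ffff 0300 ffff 0900 0000  ................
00000010: 4578 616d 706c 6541 5000 0000 0000 0000  ExampleAP.......
00000020: 0000 0000 0000 0073 6563 7265 7431 3200  .......secret12.
00001000: ffff ffff ffff ffff 0300 ffff 0900 0000  ................
00001010: 4578 616d 706c 6541 5000 0000 0000 0000  ExampleAP.......
00001020: 0000 0000 0000 0073 6563 7265 7431 3200  .......secret12.
"""

if __name__ == "__main__":
    print(f"esptool.py read_flash {flash_offset(WIFI_AREA_ADDR):#x} {WIFI_AREA_SIZE} wifi-12K.bin")
    img = parse_xxd(SAMPLE_DUMP)
    for name, secret in (("ssid", b"ExampleAP"), ("password", b"secret12")):
        print(name, [hex(o) for o in find_cleartext(img, secret)])
```

Feed `parse_xxd` the output of `xxd wifi-12K.bin` from a real dump to see how many copies of your own SSID and password the area contains.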
By esp8266_abc
#85526 The work will be appreciated. Please share with us your result. Thanks!

I have also done similar work before, but only the part that I need, since some parameters will influence the system behavior greatly; some parameters would even cause system bootup failure or frequent reboots.