Decoding Bus Protocols With a Logic Analyzer
Two chips talking on a board look like meaningless wiggles on an oscilloscope. A logic analyzer with sigrok turns those wiggles into decoded protocol traffic: the UART console, the SPI flash reads, the I2C EEPROM contents. For a few dollars of hardware it is one of the highest-leverage tools in hardware security. Here is how to use it.
Why a Logic Analyzer Earns Its Place
Chips coordinate over serial buses, and those buses carry exactly the information an assessment wants: boot logs, firmware reads, configuration, sometimes keys. A logic analyzer samples the lines and a protocol decoder reconstructs the bytes, so you read the conversation instead of guessing at it.
Step 1: Capture and Decode
Clip onto the bus, sample fast enough to catch every edge, and apply the matching decoder:

    sigrok-cli --driver fx2lafw --config samplerate=8m \
      --samples 4M -P spi:clk=0:mosi=1:miso=2 -A spi

    spi-1: MOSI: 03 00 00 00
    spi-1: MISO: 5D 00 04 8B
    ...
    spi-1: MOSI: 03 01 80 00
    spi-1: MISO: 68 73 71 73   # 'hsqs' squashfs magic
The MOSI bytes are a flash read command and the MISO response carries the SquashFS magic. The board is reading its firmware and the analyzer is reading along.
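The pairing described above can be automated. The following is an added example, not code from the original article or from sigrok: it pairs each 0x03 read command with the data that follows, places the bytes at their flash addresses, and reports where the SquashFS magic lands. It assumes decoded lines in the format shown above, with the opcode and its 24-bit address on one MOSI line; the function names and the sample capture (including the 9F exchange) are constructed for illustration.

```python
import re

# Constructed sample in the line format shown above; not a real capture.
SAMPLE = """\
spi-1: MOSI: 03 00 00 00
spi-1: MISO: 5D 00 04 8B
...
spi-1: MOSI: 03 01 80 00
spi-1: MISO: 68 73 71 73 # 'hsqs' squashfs magic
spi-1: MOSI: 9F
spi-1: MISO: EF 40 18
"""
LINE = re.compile(r"^\S+: (MOSI|MISO): ((?:[0-9A-Fa-f]{2} ?)+)$")
READ_CMD = 0x03  # SPI NOR "read data" opcode, followed by a 24-bit address
MAGICS = {b"hsqs": "squashfs (little-endian)"}

def parse_reads(text):
    """Return {flash_address: bytes} for each 0x03 read in the decoded text."""
    reads, addr = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.split("#")[0].strip())
        if not m:
            continue  # elision markers or unrelated output
        data = bytes.fromhex(m.group(2))
        if m.group(1) == "MOSI":
            # Assumption: opcode plus 3 address bytes share one MOSI line.
            is_read = len(data) == 4 and data[0] == READ_CMD
            addr = int.from_bytes(data[1:], "big") if is_read else None
            if is_read:
                reads[addr] = b""  # a repeated read replaces the earlier one
        elif addr is not None:  # MISO data answering the last read command
            reads[addr] += data
    return reads

def build_image(reads, fill=0xFF):
    """Place each read at its address; unobserved bytes keep the fill value."""
    size = max((a + len(d) for a, d in reads.items()), default=0)
    image = bytearray([fill]) * size
    for a, d in reads.items():
        image[a:a + len(d)] = d
    return bytes(image)

def find_magics(image):
    """Return sorted (offset, name) for every known magic found in the image."""
    return sorted((m.start(), name) for magic, name in MAGICS.items()
                  for m in re.finditer(re.escape(magic), image))

if __name__ == "__main__":
    for offset, name in find_magics(build_image(parse_reads(SAMPLE))):
        print(f"0x{offset:06x}: {name}")
```

The reply to the non-read opcode is ignored, and any flash region the capture never saw stays at the fill value, so gaps in the image show how much of the boot read was actually observed.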
Three Buses Worth Decoding
Where to clip first depends on what you want:

From Wiggles to Findings
Once decoded, the bus traffic feeds the rest of the assessment: a UART console to interact with, a SPI stream to reconstruct firmware from, an I2C EEPROM whose contents may include a Wi-Fi passphrase. The defensive lesson is to assume on-board buses are observable and never move secrets across them in the clear.
Where This Fits
Bus decoding is a foundational technique in a hardware penetration test, feeding almost every other step. That work is the kind of work we do at Berkner Tech.