Berkner Tech

Sniffing I2C and SPI Buses

Sniffing I2C and SPI buses on an embedded device, from mapping the bus to harvesting configs and keys

Inside a device, chips talk over I2C and SPI: the processor reads a config EEPROM, drives a display, queries a sensor, sometimes loads a key. Clip a sniffer onto those lines and you hear the whole conversation, passively, while the device runs. Here is how bus sniffing works and what it tends to reveal.

Why Passive Sniffing Is So Useful

Reading a flash chip tells you what is stored. Sniffing the bus tells you what is actually used, and when. Because the tap is passive, the device behaves normally and reveals its real runtime behavior: which EEPROM bytes it reads at boot, what commands flow between chips, whether anything sensitive crosses the wire.

Step 1: Capture a Boot

Clip onto the clock and data lines, then power the device and record. The most revealing window is the first second, when the processor reads its configuration:

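[Figure: Anatomy of an I2C transaction showing the start condition, device address, register, and stop]

# Sample at several times the bus clock; 1m is a rate fx2lafw supports.
# Channel mapping assumes SCL on D0 and SDA on D1; adjust to your wiring.
sigrok-cli --driver fx2lafw --config samplerate=1m \
  --samples 2M -P i2c:scl=D0:sda=D1 -A i2c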
Example output
i2c: Start
i2c: Address write: A0
i2c: Data write: 00
i2c: Start (repeated)
i2c: Address read: A1
i2c: Data read: 53 53 49 44 3D ...   # 'SSID='

Step 2: Read What Crossed

Decoding the read shows a configuration EEPROM streaming its contents, and in this capture the bytes spell the start of a Wi-Fi configuration. If a passphrase follows in the clear, the sniffer has it:

# continue decoding the EEPROM read payload as ASCII
echo '53 53 49 44 3D 48 6F 6D 65 4E 65 74' | xxd -r -p
Example output
SSID=HomeNet

Configuration read straight off the bus in plaintext is a common finding, and when keys travel the same way it is a critical one.

Three Things on the Bus

What sniffing typically surfaces:

[Figure: Three things found on internal I2C and SPI buses: EEPROM reads, command traffic, and key material]

Keeping Secrets off the Bus

Treat every on-board bus as observable. Do not move keys or passphrases across I2C or SPI in the clear; keep them inside a secure element that performs crypto internally, and encrypt sensitive configuration at rest. If a secret never crosses the wire unprotected, the sniffer hears nothing of value.
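
One way to check a build against this rule, as an added example that is not from the original article: the Python script below takes decoded I2C annotations in the line format of the example output in Step 1, reassembles the bytes read from each address, and reports any printable runs. The sample capture, the function names and the six-character threshold are assumptions made for illustration.

```python
import re

# Constructed sample in the line format of the page's example output: the
# page's 'SSID=HomeNet' bytes, plus a constructed two-byte binary read.
SAMPLE = """\
i2c: Start
i2c: Address write: A0
i2c: Data write: 00
i2c: Start (repeated)
i2c: Address read: A1
i2c: Data read: 53 53 49 44 3D 48 6F 6D 65 4E 65 74
i2c: Stop
i2c: Start
i2c: Address read: 91
i2c: Data read: 0C 80
i2c: Stop
"""

# Accepts "i2c:" as on the page, or an instance suffix such as "i2c-1:".
LINE = re.compile(r"i2c(?:-\d+)?: (Address|Data) (read|write): ([0-9A-Fa-f ]+)")
TEXT = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs of 6+ bytes (assumed threshold)


def read_payloads(decoded):
    """Group 'Data read' bytes under the address byte that preceded them."""
    payloads, current = {}, None
    for line in decoded.splitlines():
        m = LINE.match(line.split("#")[0].strip())  # drop trailing '#' notes
        if not m:
            continue  # Start/Stop lines carry no bytes
        kind, direction, hexbytes = m.groups()
        if kind == "Address":
            # Only a read address opens a payload; a write address closes it.
            current = hexbytes.strip().upper() if direction == "read" else None
        elif direction == "read" and current is not None:
            payloads.setdefault(current, bytearray()).extend(bytes.fromhex(hexbytes))
    return payloads


def plaintext_findings(decoded):
    """Return (address byte, text) for every printable run read off the bus."""
    return [(addr, run.decode("ascii"))
            for addr, data in read_payloads(decoded).items()
            for run in TEXT.findall(bytes(data))]


if __name__ == "__main__":
    for addr, text in plaintext_findings(SAMPLE):
        print(f"plaintext read from address byte {addr}: {text!r}")
```

An empty result on a boot capture means no readable strings crossed the bus; encrypted or binary key material will not show up here and still needs manual review.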

Where This Fits

Bus sniffing and the secrets it uncovers are part of a hardware product security assessment. It is the kind of work we do at Berkner Tech.

