Richard Aplin raplin

## gist:63d34d9d71d39bd96238c0b506e0cf2e
#!/bin/sh

# put this file on a FAT32 SD card, in a directory called "Factory" and call it "config.sh"

echo "dumping device flash to sd card"
mkdir /mnt/flash
#dump whole flash chip (8mbytes)
dd if=/dev/mtdblock0 of=/mnt/flash/mtd0
#copy writable directories (also part of the mtd0 dump we just did)
mkdir /mnt/flash/jffs2

## RPiI2sFrequencyCounter.c
/*
RPi frequency counter

We use the RPi's I2S input (on pin 38)

Setting up I2S input:
https://learn.adafruit.com/adafruit-i2s-mems-microphone-breakout/raspberry-pi-wiring-test

Compile kernel module, modprobe it as described
(for RPI4 use 'modprobe snd-i2smic-rpi rpi_platform_generation=2')

## PythonUSBBarcodeScanner.py
import os,time
#import ioctl_opt
import fcntl,threading,Queue
import ctypes
import struct
import sys

_IOC_NRBITS = 8
_IOC_TYPEBITS = 8
_IOC_SIZEBITS = 14

## midiplus_controller_colortoy.py

class LED(object):
    RED=0x61
    GREEN=0x51
    BLUE=0x41
    PURPLE=0x31
    CYAN=0x21
    YELLOW=0x11
    WHITE=0x1
    OFF=0

## gist:633dd7febb7a9d65b7cf196f04156c4b
 iw list
Wiphy phy1
        max # scan SSIDs: 16
        max scan IEs length: 195 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Retry short limit: 7

## gist:f059ec9415b556c5cc51e7c5e4caf7f6
# This card is pretty dope; gets hot at high MIMO tx power, needs cooling! Unclear if these listed TX powers are correct at the antenna port..

iw list
Wiphy phy1
        max # scan SSIDs: 10
        max scan IEs length: 2048 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        max # scan plans: 1
        max scan plan interval: -1

## CortexM_searchable_list.txt
Cortex M CPU searchable IRQ/peripheral list

Goal: Use this when reverse engineering a binary for an unknown Cortex M CPU to help figure out exactly what you're looking at

Simple usage:
Load the binary into IDA/Ghidra
Find the vector table (usually the first 256-ish bytes right at the start of the file), and find some 'interesting' IRQ vectors that point to real code.
(The first 16 vectors are internal Cortex M stuff (reset vector, NMI etc) and will not be useful)
In the IRQ handler code pointed to by the vector, you will very often soon encounter an obvious peripheral address being loaded into a register.
Search this file for "[XXXX:YYYYYYYY]" where X = last 4 hex address of the IRQ vector, and YYYYYYYY=hex peripheral address.

## deeprom.py
import struct,time
import re

class CaptureEnd(Exception):
    pass

class Capture(object):
    def __init__(self,fileName,pins,opts,startOffset=0):
        self.f=open(fileName,"rb")
        self.f.seek(startOffset)

## Hopi_HP-9800_Python_simple.py
#
# By Richard Aplin, released into the public domain for any purpose, no warranties implied, 8/17/2022
#
#
import struct
import serial

#Super lightweight code to read Hopi HP-9800 power meter

class Hopi(object):
	#!/bin/sh

	# put this file on a FAT32 SD card, in a directory called "Factory" and call it "config.sh"

	echo "dumping device flash to sd card"
	mkdir /mnt/flash
	#dump whole flash chip (8mbytes)
	dd if=/dev/mtdblock0 of=/mnt/flash/mtd0
	#copy writable directories (also part of the mtd0 dump we just did)
	mkdir /mnt/flash/jffs2
	/*
	RPi frequency counter

	We use the RPi's I2S input (on pin 38)

	Setting up I2S input:
	https://learn.adafruit.com/adafruit-i2s-mems-microphone-breakout/raspberry-pi-wiring-test

	Compile kernel module, modprobe it as described
	(for RPI4 use 'modprobe snd-i2smic-rpi rpi_platform_generation=2')
	import os,time
	#import ioctl_opt
	import fcntl,threading,Queue
	import ctypes
	import struct
	import sys

	_IOC_NRBITS = 8
	_IOC_TYPEBITS = 8
	_IOC_SIZEBITS = 14

	class LED(object):
	RED=0x61
	GREEN=0x51
	BLUE=0x41
	PURPLE=0x31
	CYAN=0x21
	YELLOW=0x11
	WHITE=0x1
	OFF=0
	iw list
	Wiphy phy1
	max # scan SSIDs: 16
	max scan IEs length: 195 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Retry short limit: 7
	# This card is pretty dope; gets hot at high MIMO tx power, needs cooling! Unclear if these listed TX powers are correct at the antenna port..

	iw list
	Wiphy phy1
	max # scan SSIDs: 10
	max scan IEs length: 2048 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	max # scan plans: 1
	max scan plan interval: -1
	Cortex M CPU searchable IRQ/peripheral list

	Goal: Use this when reverse engineering a binary for an unknown Cortex M CPU to help figure out exactly what you're looking at

	Simple usage:
	Load the binary into IDA/Ghidra
	Find the vector table (usually the first 256-ish bytes right at the start of the file), and find some 'interesting' IRQ vectors that point to real code.
	(The first 16 vectors are internal Cortex M stuff (reset vector, NMI etc) and will not be useful)
	In the IRQ handler code pointed to by the vector, you will very often soon encounter an obvious peripheral address being loaded into a register.
	Search this file for "[XXXX:YYYYYYYY]" where X = last 4 hex address of the IRQ vector, and YYYYYYYY=hex peripheral address.
	import struct,time
	import re

	class CaptureEnd(Exception):
	pass

	class Capture(object):
	def __init__(self,fileName,pins,opts,startOffset=0):
	self.f=open(fileName,"rb")
	self.f.seek(startOffset)
	#
	# By Richard Aplin, released into the public domain for any purpose, no warranties implied, 8/17/2022
	#
	#
	import struct
	import serial

	#Super lightweight code to read Hopi HP-9800 power meter

	class Hopi(object):