Why "the Shikra"?
FTDI's FT232H is the more powerful bigger brother of the FT232R USB-to-UART adapter. The "-H" chips are widely used in JTAG adapters, but they also support several other serial protocols, plus the ability to bit-bang custom ones. The Shikra is Xipiter's nice, dead-simple FT232H board that lets you use all of these modes. (FYI: keeping with the accipiter theme at Xipiter, the Shikra is also named after a bird of prey.)
The Shikra for UART:
The Bus Pirate has several UART features like passive sniffing, baud-rate detection, and a transparent passthrough mode, and it should let you do most of what you need to over UART. Usually, once I've figured out my pinout and baud rate, I switch to a simple USB TTL serial cable to free up my Bus Pirate for better things. On the access point/router shown below, U-Boot runs at 120000 baud while the kernel (which loads after it) runs at the slower 115200. The Bus Pirate tends to be very picky and fails if the baud rate is even slightly off, while a dedicated cable usually has a wider tolerance and can read both without a settings change. The Shikra had no problem with this.
It's really simple: much like the Bus Pirate, the Shikra just has a header you can jumper to your target. The Shikra pinout is in its documentation. With TX, RX and GND jumpered to the target's console header, attach a terminal to the serial port the Shikra enumerates as (on Linux the FTDI serial driver exposes it as /dev/ttyUSB0 or similar):
$ screen /dev/ttyUSB0 115200
Protip: I never worry about getting TX and RX right, since somewhere along the way they get mixed up, and it's usually easier to swap them once to get things to work than it is to make sure they're right in the first place.
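An added example for the baud-rate point above (this is not code from the original post or from Xipiter): rather than eyeballing a terminal, score what the port returns at each candidate rate by how much of it is printable text, which is exactly what separates a correctly framed U-Boot banner at 120000 from the same bytes mis-framed at 115200. The port name, the candidate rates, the sample bytes and the use of pyserial for the live capture are assumptions.

```python
# Added example (not from the original post or from Xipiter): score what a
# serial port returns at a candidate baud rate, so you can tell 115200 from
# 120000 (or from a wrong guess) by the output instead of by eye. The port
# name, the candidate rates and the sample bytes are assumptions/constructed.
import string
from typing import Dict, Optional, Sequence

# Bytes a text console legitimately emits: printable ASCII plus CR/LF/TAB etc.
PRINTABLE = frozenset(string.printable.encode("ascii"))


def printable_ratio(sample: bytes) -> float:
    """Fraction of bytes that are printable ASCII.

    Right baud rate on a text console: close to 1.0. Wrong rate: the UART
    mis-frames every byte and you get 0x00/0xFF/high-bit garbage, so the
    ratio collapses.
    """
    if not sample:
        return 0.0
    return sum(1 for b in sample if b in PRINTABLE) / len(sample)


def best_baud(samples: Dict[int, bytes], threshold: float = 0.95,
              min_len: int = 16) -> Optional[int]:
    """Pick the rate whose capture looks most like text, or None if nothing
    clears the threshold (board silent, TX/RX swapped, no common ground)."""
    scored = [(printable_ratio(s), rate) for rate, s in samples.items()
              if len(s) >= min_len]
    if not scored:
        return None
    ratio, rate = max(scored)
    return rate if ratio >= threshold else None


def probe_port(port: str = "/dev/ttyUSB0",
               rates: Sequence[int] = (115200, 120000, 57600, 38400, 9600),
               seconds: float = 3.0, nbytes: int = 512) -> Dict[int, bytes]:
    """Capture up to nbytes at each rate. Needs pyserial (imported here so the
    scoring functions above work without it). Power-cycle the target while
    this runs: the boot log is the only time the console is chatty."""
    import serial  # pyserial; assumed installed
    samples = {}
    for rate in rates:
        with serial.Serial(port, baudrate=rate, timeout=seconds) as s:
            s.reset_input_buffer()
            samples[rate] = s.read(nbytes)
    return samples


# Constructed samples standing in for real captures: a U-Boot banner as it
# looks at the right rate, and the kind of garbage a wrong rate produces.
CLEAN = (b"U-Boot 1.1.4 (Jan  1 2015 - 00:00:00)\r\n"
         b"DRAM:  32 MB\r\nFlash:  4 MB\r\n"
         b"Hit any key to stop autoboot:  0 \r\n")
GARBLE = b"\xff\x00\xfe\x80\xf8\x00\xff\xc0\x00\xfc\x80\xff\x00\xe0\xf0\x00" * 3

if __name__ == "__main__":
    print("clean  :", round(printable_ratio(CLEAN), 3))
    print("garbled:", round(printable_ratio(GARBLE), 3))
    print("best   :", best_baud({115200: CLEAN, 9600: GARBLE}))
```

Run probe_port() while power-cycling the target and feed the result to best_baud(). If every rate scores near zero, suspect the wiring before the rate: swapped TX/RX (the Protip above) or a missing ground look exactly like a wrong baud rate.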
The Shikra for JTAG:
JTAG adapters run from $10 to $20,000, but in the end they all speak the same protocol. For SexViaHex we needed to use JTAG at the same time as UART, so we knew we needed a second device. We tried using EZ-USB FX2 boards but had trouble reliably sourcing them. The first time we taught the class we used the Bus Pirate, since it is well supported by OpenOCD; however, it's incredibly slow and required frequent reconnecting for hardware reset.
Shikra JTAG Pinout:
OpenOCD config file for the Shikra. The first line selects OpenOCD's FTDI (MPSSE) driver; the two hex words of ftdi_layout_init are the initial levels and the direction mask for the chip's 16 ADBUS/ACBUS lines, where a set bit in 0x0f1b means output, so ADBUS2 (TDO, driven by the target) stays an input. On OpenOCD 0.11 and newer the same commands are spelled adapter driver ftdi, ftdi vid_pid and ftdi layout_init:
interface ftdi
ftdi_vid_pid 0x0403 0x6014
ftdi_layout_init 0x0c08 0x0f1b
Use it together with a target config, e.g. openocd -f shikra.cfg -f target/<your_target>.cfg.
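To make the two hex words above readable, and to let you compose your own for a different FT232H board, here is an added example that is not part of the original post or of OpenOCD. It decodes ftdi_layout_init into per-pin direction and level, rebuilds the words from such a table, and runs the sanity checks you would want before plugging into a target. The names for ADBUS0-3 are the FT232H's fixed MPSSE JTAG roles; what the remaining bits reach on a particular board is an assumption you take from its schematic or pinout.

```python
# Added example (not from the original post or from OpenOCD): decode the two
# words of ftdi_layout_init into per-pin direction and level, and build them
# back, so the Shikra line can be read and adapted to another FT232H board.
# ADBUS0-3 carry the fixed MPSSE JTAG roles; what the other bits reach on a
# given board is an assumption taken from its schematic/pinout.
from typing import Dict, List, Tuple

# FT232H MPSSE JTAG roles on the low byte; everything else is plain GPIO.
MPSSE_JTAG = {0: "TCK", 1: "TDI", 2: "TDO", 3: "TMS"}


def pin_name(bit: int) -> str:
    if bit < 8:
        return MPSSE_JTAG.get(bit, "ADBUS%d" % bit)
    return "ACBUS%d" % (bit - 8)


def decode_layout_init(data: int, direction: int) -> Dict[str, Tuple[bool, int]]:
    """OpenOCD semantics: a set bit in `direction` makes that line an output,
    and `data` gives its initial level. Returns {name: (is_output, level)}."""
    pins = {}
    for bit in range(16):
        pins[pin_name(bit)] = (bool((direction >> bit) & 1), (data >> bit) & 1)
    return pins


def encode_layout_init(pins: Dict[str, Tuple[bool, int]]) -> Tuple[int, int]:
    """Inverse of decode_layout_init: compose (data, direction) for a config."""
    data = direction = 0
    for bit in range(16):
        is_out, level = pins[pin_name(bit)]
        direction |= int(is_out) << bit
        data |= (level & 1) << bit
    return data, direction


def jtag_sanity(data: int, direction: int) -> List[str]:
    """Things that break JTAG or risk the target: TDO must be an input (the
    target drives it), TCK/TDI/TMS must be outputs, and TCK should idle low."""
    pins = decode_layout_init(data, direction)
    problems = []
    if pins["TDO"][0]:
        problems.append("TDO configured as output: would contend with the target")
    for name in ("TCK", "TDI", "TMS"):
        if not pins[name][0]:
            problems.append("%s is not an output" % name)
    if pins["TCK"][1]:
        problems.append("TCK idles high")
    return problems


# The Shikra values from the config above.
SHIKRA_DATA, SHIKRA_DIR = 0x0c08, 0x0f1b

if __name__ == "__main__":
    for name, (is_out, level) in decode_layout_init(SHIKRA_DATA, SHIKRA_DIR).items():
        print("%-6s %-3s %d" % (name, "out" if is_out else "in", level))
    print("problems:", jtag_sanity(SHIKRA_DATA, SHIKRA_DIR) or "none")
```

Decoding the Shikra words shows TCK, TDI and TMS as outputs with TMS parked high, TDO as an input, and a few GPIO lines (ADBUS4, ACBUS0-3) driven; the roundtrip through encode_layout_init reproduces 0x0c08 0x0f1b exactly, so the same table is a safe starting point when you wire up a bare FT232H breakout.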
The Shikra for SPI:
Embedded devices can add anywhere from a few bytes to a few megabytes of storage for under a dollar with a tiny 8-pin SPI flash chip. There are also SPI network adapters, A/D converters, and all sorts of other devices, but the firmware on SPI flash chips is usually what's most interesting. (For more interesting devices that SPI can be found in, see the Xipiter talk "Hardware Hacking for Software People".)
Where the BusPirate took ~30 minutes to extract a 4MB firmware image from a device, the Shikra took less than a minute!
One exercise we have in SexViaHex is to pull the full firmware image off an embedded device. We use a clip like a Pomona 5250 to contact the 8-pin SOIC chip's pins directly without having to desolder it, and then we use the Bus Pirate and flashrom to 'quickly' dump a 4 MB firmware in 20 minutes, if it works the first time. Specialized devices like a Dediprog SF100 (pictured to the left) would be much quicker, but are a bit too large and expensive for us to buy 30 of to put into our student kits for SexViaHex. Luckily the Shikra supports SPI, and flashrom's generic FT2232-family programmer (ft2232_spi) also drives the FT232H, allowing firmware dumps in less than a minute.
Shikra SPI wiring (flash signal - Shikra header pin):
SDI - 2
*CS - 4
GND - 18
To dump an SPI flash with the Shikra, with the clip on the chip and jumpered to the Shikra as above, we simply run the following (if flashrom finds more than one matching chip definition, it will ask you to pick one with -c <chipname>):
$ flashrom -p ft2232_spi:type=232H -r spidump.bin
In summary, I was pretty excited to get my hands on the Shikra, and I'm looking forward to showing participants in our future SexViaHex classes how to use it to reverse engineer and hack up hardware devices!