1 of 44

By INIT_6

Hardware Hacking 101...

2 of 44

Introduction

INIT_6:

Generalist aka Hacks All The Things
Not really a hardware hacker
Run 0DayAllDay
Talk fairly regularly at DHA and DC214
Been hacking since I was just a young lad

3 of 44

Disclaimer….

Hack responsibly, Hack only things that belong to you or have written permission. Even then check if you are allowed to by your government. In addition, some companies are sue happy, so be careful.

Especially with hardware hacking always assume you are going to break it. If you can’t afford throwing it out of a window on 635 (don’t thats littering) don’t mess with it.

4 of 44

Goals

Introducing basic hacking techniques:

Hardware Interfaces
Tools of the trade
Soldering
Reverse Engineering
Debugging

5 of 44

UART - Universal Asynchronous Receiver-Transmitter

UART is a computer hardware device for asynchronous serial communication in which the data format and transmission speeds are configurable.

The electric signaling levels and methods are handled by a driver circuit external to the UART. A UART is usually an individual (or part of an) integrated circuit (IC) used for serial communications over a computer or peripheral device serial port.

One or more UART peripherals are commonly integrated in microcontroller chips.

6 of 44

UART Connection

7 of 44

UART Connection Settings -- 115200 8N1

Baud Rate (115200) specifies how fast data is sent over a serial line. It’s usually expressed in units of bits-per-second (bps).
Data bits (8)
Parity (N)
Stop bits (1)

Framing the data Each block (usually a byte) of data transmitted is actually sent in a packet or frame of bits. Frames are created by appending synchronization and parity bits to our data.

Data chunk

The real meat of every serial packet is the data it carries. We ambiguously call this block of data a chunk, because its size isn’t specifically stated. The amount of data in each packet can be set to anything from 5 to 9 bits. Certainly, the standard data size is your basic 8-bit byte, but other sizes have their uses. A 7-bit data chunk can be more efficient than 8, especially if you’re just transferring 7-bit ASCII characters.

After agreeing on a character-length, both serial devices also have to agree on the endianness of their data. Is data sent most-significant bit (msb) to least, or vice-versa? If it’s not otherwise stated, you can usually assume that data is transferred least-significant bit (lsb) first.

Synchronization bits

The synchronization bits are two or three special bits transferred with each chunk of data. They are the start bit and the stop bit(s). True to their name, these bits mark the beginning and end of a packet. There’s always only one start bit, but the number of stop bits is configurable to either one or two (though it’s commonly left at one).

The start bit is always indicated by an idle data line going from 1 to 0, while the stop bit(s) will transition back to the idle state by holding the line at 1.

Parity bits - (Not often used but is using for error checking. You add up the 1’s and if they are even parity = 1 otherwise parity = 0)

Parity is a form of very simple, low-level error checking. It comes in two flavors: odd or even. To produce the parity bit, all 5-9 bits of the data byte are added up, and the evenness of the sum decides whether the bit is set or not. For example, assuming parity is set to even and was being added to a data byte like 0b01011101, which has an odd number of 1’s (5), the parity bit would be set to 1. Conversely, if the parity mode was set to odd, the parity bit would be 0.

Parity is optional, and not very widely used. It can be helpful for transmitting across noisy mediums, but it’ll also slow down your data transfer a bit and requires both sender and receiver to implement error-handling (usually, received data that fails must be re-sent).

8 of 44

JTAG - Joint Action Test Group

JTAG implements standards for on-chip instrumentation in electronic design automation as a complementary tool to digital simulation.

It specifies the use of a dedicated debug port implementing a serial communications interface for low-overhead access without requiring direct external access to the system address and data buses.

The interface connects to an on-chip test access port (TAP) that implements a stateful protocol to access a set of test registers that present chip logic levels and device capabilities of various parts.

9 of 44

JTAG Connection

TDI (Test Data In)

TDO (Test Data Out)

TCK (Test Clock)

TMS (Test Mode Select)

TRST (Test Reset) optional.

10 of 44

SPI - Serial Peripheral Interface

SPI is a synchronous serial communication interface specification used for short distance communication, primarily in embedded systems. Typical applications include Secure Digital cards and liquid crystal displays.

SPI devices communicate in full duplex mode using a master-slave architecture with a single master. The master device originates the frame for reading and writing. Multiple slave devices are supported through selection with individual slave select (SS) lines.

Sometimes SPI is called a four-wire serial bus, The SPI may be accurately described as a synchronous serial interface, but it is different from the Synchronous Serial Interface (SSI) protocol,

The Serial Peripheral Interface (SPI) was originally designed as a means of connecting peripherals to a central processor using a minimum of interconnect pins. Typically, this was used where access to the peripheral was infrequent or the transfer rate was unimportant. One of the initial popular uses was small non-volatile memories that could be used to store configuration information.

Today the interface is used on a wide range of products from real time clocks to UARTs.

The interface does share some of the characteristics of the JTAG interface; it communicates serially over separate input and output lines, and thus contains an internal serial shift register. Although not mandatory in either case, JTAG normally connects the internal shift registers of multiple devices in one long serial shift register chain where SPI normally connects multiple peripherals in parallel. In other words, with SPI the pin that transfers data from a controller (master) to a peripheral (slave) can be connected to the input pin of multiple devices. The pin is called Master Out Slave In (MOSI) which is a really nice way of removing any ambiguity regarding the direction of data transfer versus a specific chips viewpoint.

The interface was developed by Motorola in the mid 1980s and has become a de facto standard.

which is also a four-wire synchronous serial communication protocol. SSI Protocol employs differential signaling and provides only a single simplex communication channel.

11 of 44

SPI Connection

SCLK: Serial Clock (output from master)

MOSI: Master Output Slave Input, or Master Out Slave In (data output from master)

MISO: Master Input Slave Output, or Master In Slave Out (data output from slave)

SS: Slave Select (often active low, output from master)

12 of 44

Firmware

Firmware is a specific class of computer software that provides the low-level control for the device's specific hardware. Firmware can either provide a standardized operating environment for the device's more complex software or, for less complex devices, act as the device's complete operating system, performing all control, monitoring and data manipulation functions.

Typical examples of devices containing firmware are embedded systems, consumer appliances, computers, computer peripherals, and others. Almost all electronic devices beyond the simplest contain some firmware.

13 of 44

Firmware - Why would you want it?

Users / Passwords
Keys
Connection Details
Add / Remove functions
Find vulnerabilities in the software running
Fuzz drivers (head start if you have the firmware)
System details (Chip info, memory info, etc)

Users / passwords will give you a list of valid users to try and if they have a password or not.

Keys used for authentication or API access, etc.

Connection Details - Roku firmware told me the UART specifications just not where it is.

add/remove functions - patch the firmware with new software or remove software (maybe protection software)

Vulnerabilities like in the AT&T Router what had default creds, Dlink NAS units, TP-Link backdoors, etc

Fuzzing drivers is basically sending arbitrary data to a device’s driver in hopes of creating an exception that later you hope you can create a vulnerability in the driver to gain elevated privileges. As drivers are in kernel space it’s a typical target.

https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers.pdf

It’s the devices operating system right, so you always want to find out as much info as possible on the way it is spouse to work. That way you can try to find a way to make it work slightly different to fit your needs.

14 of 44

Firmware - How To Obtain It

Download it from the Manufacturer's website.
Google search (See if someone else has gotten it for you)
MITM when the device is updating.
Dumping it from memory/flash/etc

15 of 44

Hardware

JTagulator - Bruteforce pins looking for possible jtag connections. $200

Buspirate - Supports SPI, UART, 1,2,3-Wire, etc. $30

SHIKRA - Supports SPI, JTAG, UART $45

OSEPP FTDI - Supports UART $15

Saleae - Logic Analyzer $400 - $1,000 ( up to $10,000)

Oscilloscope - Analyze signals $100 - $20,000

16 of 44

Hardware Extras

Caliper - For detailed measurements $40

Digital Multimeter - Read voltages, Continuity, etc $10 - $100+

Soldering iron $40 - $200 (Get one with replaceable tips and power control)

Jumper wires - Male-to-Male, Female-Male, Female-Female $10

breadboards, solder, flux, desoldering braid, tweezers, masking tape ~$20

Screwdriver - with security bits, torx, start, etc ~$50

17 of 44

Solder or Not to Solder

18 of 44

Connectors

SAM8116-ND - For AT&T Routers

SOIC clips - Clip onto chips directly

19 of 44

Bed Of Nails - “Pogo” pins

20 of 44

Bed Of Nails - “Pogo” pins

21 of 44

Software

OpenOCD - JTag software

minicom/screen - To connect to devices

Binwalk - Firmware Analysis Tool

Flashrom - a utility for identifying, reading, writing, verifying and erasing flash chips.

Cross-Compiler - For creating executables for your target system.

grep/xxd/hexedit/sed/awk/etc

22 of 44

Resources

https://www.digikey.com/
https://www.mouser.com (Will call available in Mansfield, TX)
Google.com (search part numbers)
https://www.reddit.com/r/AskElectronics/
https://www.reddit.com/r/hardwarehacking/
http://www.jtagtest.com/pinouts/
Dallas Makerspace
TheLab.ms (Plano Makerspace)
https://www.sparkfun.com/
https://www.adafruit.com/

23 of 44

Resources

https://www.datasheets.com/en/
DFW Hacking scene - almost everything you need can be found by asking. They will either let you borrow or more likely meetup with you and let you use whatever you are requesting.

24 of 44

Identifying Interfaces: External

Accessible to the outside world

Intended for engineers or manufacturers
Device programming or final system test

Usually hidden or protected

Underneath batteries
Behind stickers/covers

Dual purpose connectors

Headphone Jacks (Motorola Candy Bar Phones)
HDMI (Verizon Femtocell)

May be a proprietary/non-standard connector

25 of 44

Examples of External Interfaces

26 of 44

Examples of External Interfaces

27 of 44

Examples of External Interfaces

28 of 44

Identifying Interfaces: Internal

Test points or unpopulated pads

Silkscreen markings or notation
Easy-to-access locations

Familiar target or based on common pinout

Often single or double row footprint
JTAG: www.jtagtest.com/pinouts/

Can use PCB/Design heuristics

Traces of similar function are grouped together (bus)
Array of pull-up/pull-down resistors (To set static state of pins)
Test points usually placed on important/interesting signals

Might be covered by soldermask

29 of 44