Hardware Hacking 101: Bsides Munich 2019 Radek Domanski, Johannes Wagner

This document provides an overview of a hardware hacking course that will cover various hardware hacking techniques. The course will be split into morning and afternoon sessions with participants working in teams of two. It will include four exercises involving inspecting a router, communicating over UART, hacking NOR flash memory, and exploring NAND flash. Participants will receive a Hydrabus hardware hacking tool to use during the exercises and keep. The document defines various hardware concepts like UART, baudrate, flash memory types, JTAG, and debugging with OpenOCD.


Hardware Hacking 101

BSides Munich 2019


Radek Domanski, Johannes Wagner
Introduction

Radek Domanski
@RabbitPro

Johannes Wagner
@ickyphuz 
Course Structure
• 2 sessions - morning && afternoon

• Working in teams of 2

• 4 exercise modules

• Break after exercise 2 and 3

• Mix hands-on vs theory

(Diagram: Group A - Target - Hydrabus - RPi, with addresses 172.16.0.31/24 and 172.16.0.10/24)
Gifts!!!
• Every participant receives a Hydrabus as a gift. Yes! You can take it home and continue hacking!

• On top of that we have 8 HydraNFC shields that we will distribute in a raffle. 4 pieces per session.

• Thank you to the gift sponsors:
What is hardware hacking?
• Locating debug interfaces

• Dumping firmware

• Glitching

• PCB/Hardware reverse engineering

• Bypassing security restrictions by modifying hardware

• Hardware implants
Inside a Router
Scenario
Exercise 1: Inspect the Router

Exercise 2:

Exercise 3:

Exercise 4:
Hydrabus
• Open-source hardware multi-tool

• STM32F415, 32 bits @ 168 MHz (40x faster than an Arduino)

• Over 15 protocols supported (JTAG, NAND, SPI, CAN, UART, I2C, etc.)

• Menu mode and binary mode

• Support for NFC with HydraNFC

• Website: https://hydrabus.com/
Hydrabus
(how to connect)

• screen /dev/tty<> 115200

• Sometimes it is required to reset the device with the RESET button
UART
Universal Asynchronous Receiver/Transmitter
• Serial communication

• Synchronized by software

• No clock signal is needed, only RX, TX, VCC (power) and GND (ground)

• On the RX pin you should see fluctuating values around 3.14 V - 3.3 V with the multimeter (incoming data)

• TX pin should have 0 V and no connection to GND

• You can also use a logic analyzer, but the multimeter is way faster

• WARNING! Some UART connectors use 5 V instead of 3.3 V for the high value. In that case you need a so-called "logic level converter", which basically converts the 5 V signal to 3.3 V, or you may brick your Hydrabus/Bus Pirate/Shikra/etc. But the most common ones use 3.3 V.

src: http://www.circuitbasics.com/basics-uart-communication/
UART
Universal Asynchronous Receiver/Transmitter

• Data frame is limited to 9 bits

• Baudrate has to be selected correctly, otherwise encoding errors occur

src: http://www.circuitbasics.com/basics-uart-communication/
Multimeter
don't brick it!
• 2 modes we need today

  • Conductivity test (the beep thingy)

    • One test-pin to ground (enclosure metal) and one test-pin to the board pin

    • It beeps when there is a connection

  • Voltage measurement

    • One test-pin to ground pin and one to the board pin you want to test

(Images: multimeter dial set to Conductivity and to Voltage (DC))
Baudrate
What is it?
• It means basically how many symbol changes (not bits) per second on the transmission medium are possible. In other words, the speed.

• Q: Why do we need it? A: With the wrong baud, we get weird stuff on the terminal which nobody can read. Try it!

• Q: How do I find the right baudrate?

• Most common is 115200 baud

• Other options, but not limited to, are: 9600, 19200, 38400, 57600

src: http://www.circuitbasics.com/basics-uart-communication/
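The "try it" above can be made concrete. This is an added example, not code from the workshop: it synthesises a logic-analyzer style capture of a constructed boot banner sent as 8N1 at 115200 baud, decodes it at each candidate rate from the slide, and scores the decodes the way you would by eye (readable text, no framing errors). The sample rate, the banner and the candidate list are assumptions of the example.

```python
# Added example, not from the BSides deck: why the baudrate matters on UART.
# An 8N1 frame is a start bit (low), eight data bits LSB first and a stop bit
# (high); there is no clock, so the receiver must know the bit time. Decoding
# at the wrong rate gives garbage and framing errors; at the right one, text.
SAMPLE_RATE = 1_843_200                  # constructed capture rate: 16 samples/bit at 115200
CANDIDATES = (115200, 9600, 19200, 38400, 57600)   # most common first, so it wins ties

def encode_uart(data: bytes, baud: int, rate: int = SAMPLE_RATE) -> list[int]:
    """Return 0/1 samples of `data` framed as 8N1, padded with idle-high line."""
    spb = rate // baud                                       # samples per bit
    samples = [1] * (4 * spb)
    for byte in data:
        for bit in [0] + [(byte >> n) & 1 for n in range(8)] + [1]:   # start, d0..d7, stop
            samples.extend([bit] * spb)
    return samples + [1] * (4 * spb)

def decode_uart(samples: list[int], baud: int, rate: int = SAMPLE_RATE):
    """Decode 8N1: wait for a falling edge, then sample every bit at its centre.
    Returns (decoded bytes, number of frames whose stop bit was not high)."""
    spb = rate / baud
    out, errors, i = bytearray(), 0, 1
    while i < len(samples):
        if not (samples[i - 1] == 1 and samples[i] == 0):    # not a start-bit edge
            i += 1
            continue
        centre = i + spb / 2
        pos = [int(centre + n * spb) for n in range(1, 10)]  # d0..d7, then stop bit
        if pos[-1] >= len(samples):
            break                                            # capture ends mid-frame
        value = sum(samples[p] << n for n, p in enumerate(pos[:8]))
        if samples[pos[8]] == 1:
            out.append(value)                                # stop bit high: good frame
        else:
            errors += 1                                      # framing error: wrong baud?
        i = pos[8] + 1
    return bytes(out), errors

def score(data: bytes, errors: int) -> int:
    """Plausibility of a decode: printable ASCII (plus CR/LF/TAB) minus framing errors."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) - errors

def guess_baud(samples: list[int]) -> int:
    return max(CANDIDATES, key=lambda b: score(*decode_uart(samples, b)))

if __name__ == "__main__":
    capture = encode_uart(b"U-Boot (constructed banner)\r\nDRAM:  128 MiB\r\n", 115200)
    for baud in CANDIDATES:
        data, errs = decode_uart(capture, baud)
        print(f"{baud:>6} baud: score={score(data, errs):>3}  {data[:24]!r}")
```

On a real capture the same scoring works for an unknown rate, but beware that sample rates far below 10x the baud make the mid-bit sampling unreliable.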
Exercise 1: Inspect the Router

Exercise 2: UART

Exercise 3:

Exercise 4:
• POST - Power On Self-test

• Loading the boot code from flash over SPI to the RAM

• U-Boot loads initramfs and boots the system kernel

• Partitions are mounted

• SquashFS mounted

• NVRAM loads user-specific configuration files

Firmware layout: boot | kernel | rootfs | config | radio


Memory types
• RAM: DRAM, SRAM

• Hybrid: NVRAM, Flash (NOR, NAND, eMMC), EEPROM

• ROM: EPROM, PROM, Masked
Flash memory types

▸ NOR FLASH - SOIC8 package

▸ NAND FLASH - TSOP48 package

▸ eMMC FLASH - BGA153 package
NOR Flash (SPI)
NOR to Hydrabus (SPI)
(Diagram: SPI wiring between the NOR flash as SLAVE and the Hydrabus as MASTER)
NOR to Hydrabus
SPI Protocol
Read Data from NOR Flash
Exercise 1: Inspect the Router

Exercise 2: UART

Exercise 3: NOR Flash & Router hacking

Exercise 4:
NAND Flash

• Pages organised in blocks

• OOB and ECC introduced

• Raw access or controller access (bad block management)

NAND Data organization

source: https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit-WP.pdf

NAND + Controller

source: NOR Flash guide, Micron

NAND chip extraction

https://www.youtube.com/watch?v=7VahHWI3pT8

NAND firmware extraction
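What "raw access" with OOB and bad blocks means for a dump you just pulled, as an added example that is not part of the workshop material: it splits a raw page+OOB dump, honours the factory bad-block marker, and returns a data-only image. The 2 KiB-page geometry and the dump itself are constructed assumptions, and ECC bytes are not checked.

```python
# Added example, not from the deck: what "raw access" to NAND means in practice.
# A raw dump stores every page followed by its OOB (spare) area, which holds the
# ECC bytes and the factory bad-block marker. Before you carve or mount the
# image you strip the OOB and drop blocks marked bad. Geometry is a common
# 2 KiB-page layout and the dump is constructed here; ECC is not verified.
PAGE, OOB, PAGES_PER_BLOCK = 2048, 64, 64

def split_pages(raw: bytes, page=PAGE, oob=OOB):
    """Yield (data, spare) pairs from a dump of consecutive page+OOB records."""
    rec = page + oob
    if len(raw) % rec:
        raise ValueError(f"dump length {len(raw)} is not a multiple of {rec}")
    for off in range(0, len(raw), rec):
        yield raw[off:off + page], raw[off + page:off + rec]

def is_bad_block(first_spare: bytes) -> bool:
    """Large-page NAND convention: a non-0xFF first spare byte in the first
    page of a block is the factory (or driver) bad-block marker."""
    return first_spare[0] != 0xFF

def strip_oob(raw: bytes, page=PAGE, oob=OOB, ppb=PAGES_PER_BLOCK):
    """Return (data-only image without bad blocks, list of bad block numbers)."""
    clean, bad = bytearray(), []
    for idx, (data, spare) in enumerate(split_pages(raw, page, oob)):
        block, in_block = divmod(idx, ppb)
        if in_block == 0 and is_bad_block(spare):
            bad.append(block)
        if block in bad:
            continue                      # skip every page of a bad block
        clean += data
    return bytes(clean), bad

def build_dump(payloads: list[bytes], bad: set[int], page=PAGE, oob=OOB, ppb=PAGES_PER_BLOCK) -> bytes:
    """Constructed raw dump: one entry per block, padded with 0xFF (erased),
    erased spare areas, and the marker cleared in the blocks listed in `bad`."""
    out = bytearray()
    for b, payload in enumerate(payloads):
        payload = payload.ljust(page * ppb, b"\xff")
        for p in range(ppb):
            spare = bytearray(b"\xff" * oob)
            if p == 0 and b in bad:
                spare[0] = 0x00
            out += payload[p * page:(p + 1) * page] + spare
    return bytes(out)

if __name__ == "__main__":
    dump = build_dump([b"hsqs block 0", b"worn-out block", b"block 2 data"], {1})
    image, bad_blocks = strip_oob(dump)
    print(f"raw {len(dump)} bytes -> clean {len(image)} bytes, bad blocks: {bad_blocks}")
```

Check the datasheet for your chip: page size, spare size and the marker position differ between parts, and a controller-managed device (eMMC) hides all of this from you.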
Exercise 1: Inspect the Router

Exercise 2: UART

Exercise 3: NOR Flash & Router hacking

Exercise 4: NAND Flash


JTAG
Joint Test Action Group

• Debug interface for a processor

• Hardware equivalent to "root" on the OS layer

• Comes in different pin layout schemes ({10,14,20,…}-pin)

src: www.microchip.com
JTAG
Joint Test Action Group
• Finding the right pins is not trivial.

• Good indicators are labels on the PCB such as TMS, TCK or TDI

• JTAGulator/JTAGenum/Hydrabus are tools to find the right pin layout from a lot of provided input pins

• It may be locked on your device (!)

src: grandideastudio.com/jtagulator/
JTAG
Joint Test Action Group

• Once you have found the layout successfully, connect the following pins to the Hydrabus:

  • TCK (Test Clock)

  • TDI (Test Data In)

  • TDO (Test Data Out)

  • TMS (Test Mode Select)

  • TRST (Test Reset) *optional*


JTAG / OpenOCD
Joint Test Action Group

• Debugging the hardware can be done with OpenOCD combined with GDB

• Starting the server and connecting with GDB (example):

  • openocd -s share/openocd/scripts -f interface/ftdi/esp32_devkitj_v1.cfg -f board/esp-wroom-32.cfg

  • target remote IP:PORT, e.g. target remote localhost:4444

After connecting with the correct configuration it is recommended to set the adapter's clock speed, enable single-core debugging, etc. A great guide for the configuration can be found on openocd.org (http://www.openocd.org/doc/html/Config-File-Guidelines.html) and a complete guideline with OpenOCD features etc. can be found at https://docs.espressif.com/projects/esp-idf/en/latest/api-guides/jtag-debugging/index.html#jtag-debugging-configuring-esp32-target.
THANK YOU!

RADEK DOMANSKI JOHANNES WAGNER

TWITTER: @RABBITPRO TWITTER: @ICKYPHUZ 
