Abstract image of a woman sitting on books and studying on a laptop

BSides Indy 2017 - Hardware Hacking - Abusing the Things

Download as PDF, PPTX
P
Price McDonald

This document discusses hardware hacking techniques for reverse engineering devices on a budget. It provides tips for obtaining devices through beta programs, flea markets, eBay and more. It then covers disassembly, identifying components, using a logic analyzer to decode serial protocols, and accessing file systems and interfaces like UART, JTAG and SPI. The goal is to gather information from embedded devices through low-cost methods.

1 of 46
Download as PDF, PPTX
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
“HACK MODE” ENABLED HARDWARE HACKING ON A BUDGET BSIDES INDY 2017 PRICE MCDONALD
ABOUT:ME
O’RLY?
OK, SO HARDWARE SECURITY SUCKS… BUT WHY FOCUS ON THE HARDWARE?
METHODOLOGY
WHERE DO WE GET THE THINGS? • Beta Programs • https://www.betabound.com/tp-link-router- private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
DISASSEMBLY “VOIDING THE WARRANTY”
TAMPER RESISTANCE/DETECTION/ALERTING They mean different things, but may not matter either way.
COMPONENT IDENTIFICATION What do you see?
COMPONENT IDENTIFICATION(2) • EOL 802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pin TSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pin TSOP II
COMPONENT IDENTIFICATION TIP AND TRICKS The image part with relationship ID rId5 was not found in the file.
ARTS AND CRAFTS TIME
FINDING GROUND • Using the MultiMeter we can figure out which of the pins on our headers connect to ground and which have voltage. GroundVoltage Specifically 3.3v • Got Ground?
PHYSICAL COUNTER MEASURES
COMMON INTERFACE TYPES • UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – Joint Test Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
PINOUT REVERSING • SALEAE LOGIC ANALYZER • ~100 BUCKS ON THE LOW END @ HTTPS://WWW.SALEAE.COM • ALSO, EDU DISCOUNTS AVAILABLE UP TO 50% DEPENDING ON MODEL. • KEEP IN MIND THAT LOGIC ANALYZERS ARE SAMPLING WHICH CAN CAUSE ARTIFICIAL DATA DEPENDING ON THE SAMPLING RATE AND THRESHOLDS. • WORKS FOR I2C, UART, SPI, JTAG, CAN, ETC, ETC
SALEAE LOGIC UI • Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes during. This is a good indication of either a UART, I2C or SPI connection. System Boot Likely the boot log being transmitted over
SALEAE LOGIC - DECODERS GIVEN that we SUSPECT Async Serial (UART) we will select that analyzer
SALEAE LOGIC - DECODING Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit
SALEAE LOGIC – DECODING(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them
SALEAE LOGIC – OUTPUT As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
OR, HAVE YOU HEARD OF THE JTAGULATOR? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
CONNECTING TO INTERFACES • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
USING THE SHIKRA http://int3.cc/products/the-shikra
CONNECTING TO UART The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below. sudo screen /dev/[device id] baud rate Or the the case of the Device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
WE NOW HAVE SHELL! HOPEFULLY But now what?
NO TECH HACKING
NO TECH HACKING(2)
FILE SYSTEM FIDDLING Why is my root a mtdblock? But wait, what is an mtdblock? • MTD is a "Memory Technology Device. • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed. • A mtdblock is a block device emulated over an mtd device. Source: Wikipedia
FILE SYSTEM FIDDLING(2) Often times embedded device manufacturers leave important file systems unmounted. Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_
PILFERING FILE SYSTEMS But, How do we get the file system off of the target device?
SSH WHOOPS?
Ultra quick JTAG primer • JTAG stands for (Joint Test Action Group) which was formed in 1985. • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • The TCK Pin (Test Clock) is what keeps the clock for the state machine. • THE TMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle. Source: Wikipedia
OPTIONS FOR CONNECTING TO JTAG Good Better Best $45 $60-$600 $5000- $20000
JTAGULATOR
HOW TO CONNECT WITH OPENOCD The command to initiate openocd is : openocd –f interface – f target But now what? There are errors and stuff!!!!! #openocd on
HOW TO CONNECT WITH OPENOCD(2) Silly openocd! That’s more like it J
USING OPENOCD
MY PET PROJECT == CEREAL
REVERSE ENGINEERING • Binary Ninja • Free version available • Limited Architecture Support • Learn one IL to reverse them all • Ida Pro • Paid Version required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available
RADARE2
IDA PRO
OTHER NICE TO HAVES
• http://www.grandideastudio.com/hardware-hacking-training/ • http://www.xipiter.com/training.html • https://www.eevblog.com • http://www.embedded.com/electronics-blogs/beginner-s-corner/
THANK YOU!!!! ANY MORE QUESTIONS?
CONTACT INFORMATION TWITTER: @PRICEMCDONALD LINKEDIN: LINKEDIN.COM/PRICEMCDONALD EMAIL: PRICEMCDONALD@GMAIL.COM

More Related Content

PDF
BSides DFW2016-Hack Mode Enabled
pricemcdonald
 
PDF
Bsides Puerto Rico-2017
Price McDonald
 
PDF
Intro to Hardware Firmware Hacking
Andrew Freeborn
 
PPTX
Hardware hacking 101
Tiago Henriques
 
PDF
Adventures in Femtoland: 350 Yuan for Invaluable Fun
arbitrarycode
 
PDF
Hardware Reverse Engineering: From Boot to Root
Yashin Mehaboobe
 
PDF
Hardware Hacking
Andrew Brockhurst
 
PDF
Arduino Forensics
Steve Watson
 
BSides DFW2016-Hack Mode Enabled
pricemcdonald
 
Bsides Puerto Rico-2017
Price McDonald
 
Intro to Hardware Firmware Hacking
Andrew Freeborn
 
Hardware hacking 101
Tiago Henriques
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
arbitrarycode
 
Hardware Reverse Engineering: From Boot to Root
Yashin Mehaboobe
 
Hardware Hacking
Andrew Brockhurst
 
Arduino Forensics
Steve Watson
 

What's hot(20)

PPTX
PyTriage: A malware analysis framework
Yashin Mehaboobe
 
PPTX
Making and breaking security in embedded devices
Yashin Mehaboobe
 
PPTX
Developing micro controller applications
Steve Mylroie
 
PDF
LinkIt Smart 7688 - a more connected world
CAVEDU Education
 
PDF
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
PPTX
Tah101
Vikas Gaikwad
 
PDF
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
PDF
lwM2M OTA for ESP8266
Manolis Nikiforakis
 
PPTX
Nodemcu - introduction
Michal Sedlak
 
PPTX
[5]投影片 futurewad樹莓派研習會 141218
CAVEDU Education
 
PPTX
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
PDF
Rdl esp32 development board trainer kit
Research Design Lab
 
PPT
Introduction to NanoBoard-3000 FPGA
Premier Farnell
 
PPTX
iWave Systems Techologies Pvt Ltd: Products- Software BSPs
iWave Systems Technologies Pvt Ltd, Bangalore
 
PDF
How to Install ESP8266 WiFi Web Server using Arduino IDE
Naoto MATSUMOTO
 
PDF
Adafruit Huzzah Esp8266 WiFi Board
Biagio Botticelli
 
PPTX
IoT Hands-On-Lab, KINGS, 2019
Jong-Hyun Kim
 
PDF
Scada Strangelove - 29c3
qqlan
 
PDF
Hyperchem Ma, badbarcode en_1109_nocomment-final
PacSecJP
 
PDF
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
PyTriage: A malware analysis framework
Yashin Mehaboobe
 
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Developing micro controller applications
Steve Mylroie
 
LinkIt Smart 7688 - a more connected world
CAVEDU Education
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
Tah101
Vikas Gaikwad
 
SCADA deep inside: protocols and security mechanisms
Aleksandr Timorin
 
lwM2M OTA for ESP8266
Manolis Nikiforakis
 
Nodemcu - introduction
Michal Sedlak
 
[5]投影片 futurewad樹莓派研習會 141218
CAVEDU Education
 
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Rdl esp32 development board trainer kit
Research Design Lab
 
Introduction to NanoBoard-3000 FPGA
Premier Farnell
 
iWave Systems Techologies Pvt Ltd: Products- Software BSPs
iWave Systems Technologies Pvt Ltd, Bangalore
 
How to Install ESP8266 WiFi Web Server using Arduino IDE
Naoto MATSUMOTO
 
Adafruit Huzzah Esp8266 WiFi Board
Biagio Botticelli
 
IoT Hands-On-Lab, KINGS, 2019
Jong-Hyun Kim
 
Scada Strangelove - 29c3
qqlan
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
PacSecJP
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 

Viewers also liked(20)

PPTX
Health Benefits of Pomegranate: This Fruits Fight against Cancer, Arthritis, ...
Fitness for Life
 
PPTX
Las etapas de dirección
rosalinda1970
 
DOCX
Emociones toxicas
Oscar Sanabria
 
PPTX
Estadísitca
aleyambon
 
PDF
What's This React Native Thing I Keep Hearing About?
Evan Stone
 
PPT
Visita al Maria Espinalt
escolasantmartibcn
 
PPTX
7 conseils pour bien choisir votre lave-vaisselle
Mon Choix Malin
 
PPTX
Planeacion de ventas
MELISSA FIGUEROA
 
PPTX
factors modifyng drug effcts
Prathyusha Rani
 
PPTX
Proposal a new Business(IT Training Center)
Rafayet Hossain
 
PPTX
Tarea seminario III
Roberto Millares Rodríguez
 
PDF
Каталог 04/17
Aleksey Tabolin
 
PPTX
Placa
dareendlg
 
PPTX
Siderurgia
Ramón Mª Sola Jábega PhD. IES Manuel de Falla. Maracena. ( Granada)
 
DOC
Actividades de Melocotón en almíbar 16 17
Blanca Valerio
 
PDF
Eleven
MatiRipoll
 
PDF
Kit media i24news.tv
Altice Media Publicité
 
PDF
Trabajo ef entrenamiento
Miguel Martinez
 
PDF
Cloud Security
Carestream
 
PDF
Desafios e perspectivas para a abertura e expansão do Mercado Livre de Energia
Câmara de Comercialização de Energia Elétrica
 
Health Benefits of Pomegranate: This Fruits Fight against Cancer, Arthritis, ...
Fitness for Life
 
Las etapas de dirección
rosalinda1970
 
Emociones toxicas
Oscar Sanabria
 
Estadísitca
aleyambon
 
What's This React Native Thing I Keep Hearing About?
Evan Stone
 
Visita al Maria Espinalt
escolasantmartibcn
 
7 conseils pour bien choisir votre lave-vaisselle
Mon Choix Malin
 
Planeacion de ventas
MELISSA FIGUEROA
 
factors modifyng drug effcts
Prathyusha Rani
 
Proposal a new Business(IT Training Center)
Rafayet Hossain
 
Tarea seminario III
Roberto Millares Rodríguez
 
Каталог 04/17
Aleksey Tabolin
 
Placa
dareendlg
 
Siderurgia
Ramón Mª Sola Jábega PhD. IES Manuel de Falla. Maracena. ( Granada)
 
Actividades de Melocotón en almíbar 16 17
Blanca Valerio
 
Eleven
MatiRipoll
 
Kit media i24news.tv
Altice Media Publicité
 
Trabajo ef entrenamiento
Miguel Martinez
 
Cloud Security
Carestream
 
Desafios e perspectivas para a abertura e expansão do Mercado Livre de Energia
Câmara de Comercialização de Energia Elétrica
 

Similar to BSides Indy 2017 - Hardware Hacking - Abusing the Things(20)

PDF
Insecure Obsolete and Trivial - The Real IOT
Price McDonald
 
PDF
Thotcon 0x8 - Hardware Hacking on a Budget
Price McDonald
 
PDF
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
Yogesh Ojha
 
PDF
Asia 14-garcia-illera-dude-wtf-in-my-can
injenerzntu
 
PDF
IOT Exploitation
Cysinfo Cyber Security Community
 
PDF
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
Minh237839
 
PPTX
Prezentare tcs2011
Alexandru IOVANOVICI
 
PDF
Tools Of The Hardware Hacking Trade Final
Priyanka Aash
 
PPTX
Lecture Slide (1).pptx
BilalMumtaz9
 
PDF
Tos tutorial
manikainth
 
PDF
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 
PDF
OT Security - h-c0n 2020
Jose Palanco
 
PDF
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
Felipe Prado
 
PDF
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
PPTX
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Takeda Pharmaceuticals
 
PDF
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
ST_World
 
PPT
3rd Lecture
babak danyal
 
PPTX
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp
 
PDF
1-AVR Introduction to Atmega32 good .pdf
KSRaviKumarMVGREEE
 
PDF
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
 
Insecure Obsolete and Trivial - The Real IOT
Price McDonald
 
Thotcon 0x8 - Hardware Hacking on a Budget
Price McDonald
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
Yogesh Ojha
 
Asia 14-garcia-illera-dude-wtf-in-my-can
injenerzntu
 
IOT Exploitation
Cysinfo Cyber Security Community
 
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
Minh237839
 
Prezentare tcs2011
Alexandru IOVANOVICI
 
Tools Of The Hardware Hacking Trade Final
Priyanka Aash
 
Lecture Slide (1).pptx
BilalMumtaz9
 
Tos tutorial
manikainth
 
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 
OT Security - h-c0n 2020
Jose Palanco
 
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
Felipe Prado
 
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Takeda Pharmaceuticals
 
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
ST_World
 
3rd Lecture
babak danyal
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp
 
1-AVR Introduction to Atmega32 good .pdf
KSRaviKumarMVGREEE
 
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
 

Recently uploaded(20)

PPTX
File-07 Intellectual Property Right (IPR) Issues in Cyber Security- ICT-5418 ...
Ratul53
 
PDF
ELLIE29.pdfWETWETAWTAWETAETAETERTRTERTER
ArlietsAmores
 
PPTX
Introduction-to-Artificial-Intelligence (1).pptx
MohammadkhalidshFaq
 
PDF
Rooftops detection with YOLOv8 from aerial imagery and a brief review on roof...
IAESIJAI
 
PPTX
CRM(Customer Relationship Managmnet) Presentation
udaykiranuk1822
 
PDF
The Basics of Artificial Intelligence - Understanding the Key Concepts and Te...
FODUU
 
PDF
FASHION-DRIVEN TEXTILES AS A CRYSTAL OF A NEW STREAM FOR STAKEHOLDER CAPITALI...
IJMIT JOURNAL
 
PPTX
Rise of the Digital Control Grid Zeee Media and Hope and Tivon FTWProject.com
hopegirl587
 
PDF
eBook Outline_ AI in Cybersecurity – The Future of Digital Defense.pdf
samalmaheswar155
 
PPTX
Generative AI at Oracle- The next frontier of enterprise innovation.pptx
Geovanni Vega Velásquez
 
PPTX
AQUEEL MUSHTAQUE FAKIH COMPUTER CENTER .
nachanmasarrat13
 
PPTX
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
PDF
Applying Agentic AI in Enterprise Automation
DianaGray10
 
PDF
Child-friendly e-learning for artificial intelligence education in Indonesia:...
IAESIJAI
 
PDF
13 Powerful n8n Alternatives That Will Transform Your Workflow Automation Gam...
SOFTTECHHUB
 
PDF
【AI論文解説】高速・高品質な生成を実現するFlow Map Models(Part 1~3)
Sony - Neural Network Libraries
 
PDF
TicketRoot: Event Tech Solutions Deck 2025
TicketRoot
 
PDF
Peak of Data & AI Encore: Scalable Design & Infrastructure
Safe Software
 
PDF
Revolutionizing recommendations a survey: a comprehensive exploration of mode...
IAESIJAI
 
PDF
NewMind AI Journal Monthly Chronicles - August 2025
NewMind AI
 
File-07 Intellectual Property Right (IPR) Issues in Cyber Security- ICT-5418 ...
Ratul53
 
ELLIE29.pdfWETWETAWTAWETAETAETERTRTERTER
ArlietsAmores
 
Introduction-to-Artificial-Intelligence (1).pptx
MohammadkhalidshFaq
 
Rooftops detection with YOLOv8 from aerial imagery and a brief review on roof...
IAESIJAI
 
CRM(Customer Relationship Managmnet) Presentation
udaykiranuk1822
 
The Basics of Artificial Intelligence - Understanding the Key Concepts and Te...
FODUU
 
FASHION-DRIVEN TEXTILES AS A CRYSTAL OF A NEW STREAM FOR STAKEHOLDER CAPITALI...
IJMIT JOURNAL
 
Rise of the Digital Control Grid Zeee Media and Hope and Tivon FTWProject.com
hopegirl587
 
eBook Outline_ AI in Cybersecurity – The Future of Digital Defense.pdf
samalmaheswar155
 
Generative AI at Oracle- The next frontier of enterprise innovation.pptx
Geovanni Vega Velásquez
 
AQUEEL MUSHTAQUE FAKIH COMPUTER CENTER .
nachanmasarrat13
 
Strategic Picks — Prioritising the Right Agentic Use Cases [2/6]
suhanisingh58689
 
Applying Agentic AI in Enterprise Automation
DianaGray10
 
Child-friendly e-learning for artificial intelligence education in Indonesia:...
IAESIJAI
 
13 Powerful n8n Alternatives That Will Transform Your Workflow Automation Gam...
SOFTTECHHUB
 
【AI論文解説】高速・高品質な生成を実現するFlow Map Models(Part 1~3)
Sony - Neural Network Libraries
 
TicketRoot: Event Tech Solutions Deck 2025
TicketRoot
 
Peak of Data & AI Encore: Scalable Design & Infrastructure
Safe Software
 
Revolutionizing recommendations a survey: a comprehensive exploration of mode...
IAESIJAI
 
NewMind AI Journal Monthly Chronicles - August 2025
NewMind AI
 

BSides Indy 2017 - Hardware Hacking - Abusing the Things

  • 1.
    “HACK MODE” ENABLED HARDWAREHACKING ON A BUDGET BSIDES INDY 2017 PRICE MCDONALD
  • 2.
  • 3.
  • 4.
    OK, SO HARDWARE SECURITY SUCKS… BUTWHY FOCUS ON THE HARDWARE?
  • 5.
  • 6.
    WHERE DO WEGET THE THINGS? • Beta Programs • https://www.betabound.com/tp-link-router- private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
  • 7.
  • 8.
    TAMPER RESISTANCE/DETECTION/ALERTING They meandifferent things, but may not matter either way.
  • 9.
  • 10.
    COMPONENT IDENTIFICATION(2) • EOL802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pin TSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pin TSOP II
  • 11.
    COMPONENT IDENTIFICATION TIPAND TRICKS The image part with relationship ID rId5 was not found in the file.
  • 12.
  • 13.
    FINDING GROUND • Usingthe MultiMeter we can figure out which of the pins on our headers connect to ground and which have voltage. GroundVoltage Specifically 3.3v • Got Ground?
  • 14.
  • 15.
    COMMON INTERFACE TYPES •UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – Joint Test Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
  • 16.
    PINOUT REVERSING • SALEAELOGIC ANALYZER • ~100 BUCKS ON THE LOW END @ HTTPS://WWW.SALEAE.COM • ALSO, EDU DISCOUNTS AVAILABLE UP TO 50% DEPENDING ON MODEL. • KEEP IN MIND THAT LOGIC ANALYZERS ARE SAMPLING WHICH CAN CAUSE ARTIFICIAL DATA DEPENDING ON THE SAMPLING RATE AND THRESHOLDS. • WORKS FOR I2C, UART, SPI, JTAG, CAN, ETC, ETC
  • 17.
    SALEAE LOGIC UI •Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes during. This is a good indication of either a UART, I2C or SPI connection. System Boot Likely the boot log being transmitted over
  • 18.
    SALEAE LOGIC -DECODERS GIVEN that we SUSPECT Async Serial (UART) we will select that analyzer
  • 19.
    SALEAE LOGIC -DECODING Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit
  • 20.
    SALEAE LOGIC –DECODING(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them
  • 21.
    SALEAE LOGIC –OUTPUT As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
  • 22.
    OR, HAVE YOUHEARD OF THE JTAGULATOR? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
  • 23.
    CONNECTING TO INTERFACES •Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
  • 24.
  • 25.
    CONNECTING TO UART Thecommand used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below. sudo screen /dev/[device id] baud rate Or the the case of the Device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
  • 26.
    WE NOW HAVESHELL! HOPEFULLY But now what?
  • 27.
  • 28.
  • 29.
    FILE SYSTEM FIDDLING Whyis my root a mtdblock? But wait, what is an mtdblock? • MTD is a "Memory Technology Device. • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed. • A mtdblock is a block device emulated over an mtd device. Source: Wikipedia
  • 30.
    FILE SYSTEM FIDDLING(2) Oftentimes embedded device manufacturers leave important file systems unmounted. Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_
  • 31.
    PILFERING FILE SYSTEMS But,How do we get the file system off of the target device?
  • 32.
  • 33.
    Ultra quick JTAGprimer • JTAG stands for (Joint Test Action Group) which was formed in 1985. • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • The TCK Pin (Test Clock) is what keeps the clock for the state machine. • THE TMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle. Source: Wikipedia
  • 34.
    OPTIONS FOR CONNECTINGTO JTAG Good Better Best $45 $60-$600 $5000- $20000
  • 35.
  • 36.
    HOW TO CONNECTWITH OPENOCD The command to initiate openocd is : openocd –f interface – f target But now what? There are errors and stuff!!!!! #openocd on
  • 37.
    HOW TO CONNECTWITH OPENOCD(2) Silly openocd! That’s more like it J
  • 38.
  • 39.
    MY PET PROJECT== CEREAL
  • 40.
    REVERSE ENGINEERING • BinaryNinja • Free version available • Limited Architecture Support • Learn one IL to reverse them all • Ida Pro • Paid Version required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available
  • 41.
  • 42.
  • 43.
  • 44.
    • http://www.grandideastudio.com/hardware-hacking-training/ • http://www.xipiter.com/training.html •https://www.eevblog.com • http://www.embedded.com/electronics-blogs/beginner-s-corner/
  • 45.
  • 46.