12. Finding Ground
• Using the MultiMeter we can figure out which of the pins
on our headers connect to ground and which have voltage.
[Figure: multimeter probing the header pins, labelled Ground and Voltage]
• Got Ground?
14. Common Interfaces
• UART - Universal Asynchronous Receiver/Transmitter
• SPI – Serial Peripheral Interface
• I2C – Inter Integrated Circuit
• JTAG – Joint Test Action Group – Hardware Debugging Interface
• CAN – Controller Area Network (Cars/ATM/etc)
• RS232 – Serial Interface used on many legacy devices
16. Connecting to Interfaces
• Bus Pirate
• Less of a learning curve
• Slower transfer speeds
• Supports UART, SPI, I2C and JTAG
• Shikra
• No UI but faster transfer speeds as a result
• Supports UART, SPI, I2C and JTAG
• TIAO USB Multiprotocol Adapter
• No UI but faster transfer speeds as a result
• Supports UART, SPI, I2C, JTAG, RS-232
• Supports multiple connections from same device
• Slightly less reliable in my experience
25. Brief JTAG Description
• JTAG stands for Joint Test Action Group, which was formed in 1985.
• The following pins are required for JTAG use:
• TDI (Test Data In)
• TDO (Test Data Out)
• TCK (Test Clock)
• TMS (Test Mode Select)
• The TCK Pin (Test Clock) is what keeps the clock for the state machine.
• The TMS pin (Test Mode Select) determines when and how the state machine advances, depending on its level (high or low) as sampled on each clock cycle.
Source: Wikipedia
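To make the TCK/TMS description concrete, here is an added Python model of the IEEE 1149.1 TAP controller (example code, not from the slides): TMS is the only input that selects the next state, one step per TCK cycle, which is why a probe tool only needs to clock TMS patterns to walk the machine into Shift-IR or Shift-DR.

```python
# Model of the 16-state JTAG TAP controller. Added example, not from the
# slides. Each TCK cycle samples TMS once; that single bit picks the next state.

# state -> (next state when TMS=0, next state when TMS=1)
TAP_TRANSITIONS = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


def clock_tms(state, tms_bits):
    """Apply one TMS level per TCK cycle; return every state visited."""
    path = [state]
    for tms in tms_bits:
        if tms not in (0, 1):
            raise ValueError("TMS must be 0 or 1")
        state = TAP_TRANSITIONS[state][tms]
        path.append(state)
    return path


def reset_tap(state):
    """Holding TMS high for five TCK cycles reaches Test-Logic-Reset from
    any state; this is how a tool synchronises with an unknown TAP."""
    return clock_tms(state, [1] * 5)[-1]


def shift_ir_tms(nbits):
    """TMS pattern that, from Run-Test/Idle, shifts an nbits instruction
    through Shift-IR, updates it and returns to Run-Test/Idle."""
    enter = [1, 1, 0, 0]            # -> Select-DR, Select-IR, Capture-IR, Shift-IR
    shift = [0] * (nbits - 1) + [1] # stay in Shift-IR, leave on the last bit
    leave = [1, 0]                  # Exit1-IR -> Update-IR -> Run-Test/Idle
    return enter + shift + leave


if __name__ == "__main__":
    print(" -> ".join(clock_tms("Run-Test/Idle", shift_ir_tms(4))))
```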
26. Options for Connecting to JTAG
Source: Wikipedia
• Good: $45
• Better: $60-$600
• Best: $5000-$20000
29. Reverse Engineering
• Binary Ninja
• Free version available
• Limited Architecture Support
• Learn one IL to reverse them all
• IDA Pro
• Paid Version required for disassembly
• ARM decompiler available but $$$$
• Also very good debugger
• Radare2
• Free multiplatform support
• No decompiler available
31. Tornado Anyone?
Only way to stop the noise was "to unplug the radio systems and the repeater"
Could have recorded the commands during a system test or actual tornado, and then played them back.
Source: https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/
Controlled by tone combinations used by the Emergency Alert System broadcast over the National Weather Service's weather radio – Spoofed?
Can also be controlled by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies in the 700 MHz range.