
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING

PhD student at Deakin University
28 Oct 2013

  1. A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
  2. Introduction    Hardware hacking is fun! Or at least it seems to be, for a software guy. Try some of the following hardware hacks and get started.
  3. Who am I? (this slide again? every year?)     Research Assistant at Deakin University. Researcher at Volvent security (Rux party sponsor!). Just passed my PhD thesis examination (on software). Pics by DNZ.
  4. Outline     Interfacing with UART; Ripping Firmware; Games with IR alarm systems; Gardening with Arduino.
  5. UART Basics    UART is like an embedded version of RS232: the same framing (start bit, data bits, stop bit), but at logic voltage levels (typically 3.3 V or 5 V) rather than RS232's ±12 V swing, so you need a matching adapter instead of a PC serial port. You can attach a serial console.
  6. Interfacing with UART    Serial console access gives us: root shells on occasion; login prompts; boot information; more verbose logging, e.g. when a daemon crashes; the ability to interact with the bootloader to upload new firmware.
  7. Removing the case       Make sure to have screwdrivers. And jeweller's screwdrivers. And a Torx screwdriver set. Screws can be hidden in rubber feet or behind stickers. Sometimes the cases are clipped in. A small flathead screwdriver is good for prying.
  8. Finding ports     Look for header pins. Sometimes there are just pads, so you will need to solder on header pins. Four pins (GND, VCC, TX, RX) is typical, sometimes more. If there are 10 or more pins, it's probably JTAG (pictured).
  9. Finding the Ground Pin and Voltage   With the device powered off, use the continuity test feature of a multimeter. Attach one probe to the metal shielding, which is commonly grounded, and test each pin with the other probe; the meter beeps when continuity (GND) is found. Then power the device up and measure the voltage on the other pins with respect to GND. Most are 3.3 V, but sometimes more or less.
  10. Finding the Transmit Pin     Connect the oscilloscope GND to the board GND. Probe each pin with the scope while rebooting the device. The TX pin idles high and shows bursts of square waves (data) as the bootloader prints its messages.
  11. Interfacing to a PC    Several choices: a UART-to-USB cable, a Bus Pirate, a JTAGulator. Pick an adapter that matches the voltage level you measured earlier; a 5 V adapter on a 3.3 V target can damage it. Connect GND to GND, the device's TX to the adapter's RX and (once found) the device's RX to the adapter's TX. Leave the device's VCC pin unconnected.
  12. Using a serial console     In Linux, use Minicom. Pretty much everything is 8N1. Use the baudrate program to try different baud rates (115200 is the most common, then 57600, 38400 and 9600). When the output turns from garbage into readable boot messages, you have the right rate, and you'll get data!
  13. Finding the Receive Pin    Brute force the remaining pins: attach each pin to the adapter's RX and try typing something in the serial console. If you get an echo, you've found the right pin; otherwise you'll get nothing. (Disable local echo in Minicom first, or every pin will appear to echo.)
  14. This is what it looks like when you’ve done it.
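Finding the baud rate by eye, as on the Minicom slide above, amounts to picking the rate at which the capture stops being garbage. The following Python helper, added here and not part of the talk, does that scoring automatically: it captures a burst of output at each common rate (reboot the device while it runs) and picks the one whose bytes are almost all printable ASCII. The sample captures are constructed; on real hardware pass it a capture built with serial_capture(), which assumes pyserial and a /dev/ttyUSB0-style adapter path.

```python
import string

# Common rates, most likely first. 115200 is the usual one on routers.
CANDIDATE_BAUDS = (115200, 57600, 38400, 19200, 9600, 4800, 2400, 1200)
PRINTABLE = set(string.printable.encode("ascii"))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (letters, digits, punctuation,
    space, CR/LF/tab). At a wrong baud rate the framing is off and the bytes
    decode to high-bit, NUL and control values, so this ratio collapses."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def pick_baud(capture, candidates=CANDIDATE_BAUDS, min_ratio=0.9):
    """capture(baud) -> bytes read at that rate. Returns (baud, ratio) for the
    cleanest rate, or (None, best_ratio) if no rate is clean enough, which
    usually means the device printed nothing during the capture window."""
    best_baud, best_ratio = None, 0.0
    for baud in candidates:
        ratio = printable_ratio(capture(baud))
        if ratio > best_ratio:
            best_baud, best_ratio = baud, ratio
    if best_ratio < min_ratio:
        return None, best_ratio
    return best_baud, best_ratio


def serial_capture(port="/dev/ttyUSB0", timeout=2.0, nbytes=256):
    """Build a capture() for a real adapter with pyserial (assumed installed),
    8N1 as on the slide. The port path is an assumption; adjust to your adapter."""
    import serial  # pyserial; only needed on real hardware

    def capture(baud):
        with serial.Serial(port, baud, bytesize=8, parity="N", stopbits=1,
                           timeout=timeout) as s:
            return s.read(nbytes)
    return capture


# Constructed sample captures: readable boot text at the right rate, framing
# garbage at the wrong ones (this is what a scope-identified TX pin gives you).
SAMPLE_CAPTURES = {
    115200: b"Booting kernel...\r\nDRAM: 32 MB\r\nHit any key to stop autoboot: 0\r\n",
    57600: b"\xfe\x00\x80\xfc\x06\xf8\x1e\x00\xe0\x7f\x83\x00\xfe",
    9600: b"\x00\x00\xff\x00\x00\x00\xfe\x00\xf0",
}


def fake_capture(baud):
    """Stand-in for serial_capture() so the example runs with no hardware."""
    return SAMPLE_CAPTURES.get(baud, b"\x00\xff\x00")


if __name__ == "__main__":
    print(pick_baud(fake_capture))          # (115200, 1.0)
    # print(pick_baud(serial_capture()))    # real board: reboot it while this runs
```

The 0.9 threshold is deliberate: a correct rate on a console that prints ANSI escape sequences or box-drawing characters still scores well above it, while a wrong rate rarely gets past 0.3, so a result of None means the device was silent rather than that the rate list is incomplete.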
  15. Now what?    Copy the password file and start cracking. Sometimes /usr/bin/nc is present, so pipe a netcat listener to /bin/sh. Fuzz the server and look for crash logs on the console. Note that every account below, including user and nobody, has UID 0, so any cracked password is a root password.
      silvio@silvio:~$ cat passwd-router
      admin:K28i.z/SKI2to:0:0:Administrator:/:/bin/sh
      support:6PNjgYPP5wJuQ:0:0:Technical Support:/:/bin/sh
      user:CSCn9ayV6iYMI:0:0:Normal User:/:/bin/sh
      nobody:gNafYeKkdwPC2:0:0:nobody for ftp:/:/bin/sh
      silvio@silvio:~$ john -show passwd-router
      admin:admin:0:0:Administrator:/:/bin/sh
      support:support:0:0:Technical Support:/:/bin/sh
      user:user:0:0:Normal User:/:/bin/sh
      nobody:admin:0:0:nobody for ftp:/:/bin/sh
      4 password hashes cracked, 0 left
  16. Final thoughts on UART     It's actually not that hard once you know the method. A JTAGulator makes the pin hunt easy. Every ADSL router I own has a UART port. It's a good entry point into hardware hacking.
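Before starting john on a passwd file pulled over the console, it is worth triaging it: which hash format is in use (13-character DES crypt hashes like the ones above cap passwords at 8 characters and crack very fast), which accounts are really root, and whether two accounts share a password. The script below is an added example, not from the talk; it parses the router passwd shown on the "Now what?" slide, embedded here as a constructed sample.

```python
import re
from dataclasses import dataclass

# Constructed sample: the router passwd file from the slide above.
PASSWD = """\
admin:K28i.z/SKI2to:0:0:Administrator:/:/bin/sh
support:6PNjgYPP5wJuQ:0:0:Technical Support:/:/bin/sh
user:CSCn9ayV6iYMI:0:0:Normal User:/:/bin/sh
nobody:gNafYeKkdwPC2:0:0:nobody for ftp:/:/bin/sh
"""


@dataclass
class Entry:
    name: str
    hash: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse the 7-field passwd format; embedded boxes often keep the hash
    in field 2 instead of shadowing it, which is exactly what makes this useful."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(Entry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def hash_kind(h):
    """Classify the password field. Format determines cracking speed."""
    if h == "":
        return "empty"
    if h == "x":
        return "shadowed"
    if h.startswith(("*", "!")):
        return "locked"
    prefixes = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}
    for prefix, kind in prefixes.items():
        if h.startswith(prefix):
            return kind
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"  # traditional DES crypt: 2-char salt + 11 chars, 8-char password limit
    return "unknown"


def triage(text):
    """Return human-readable findings worth knowing before you start john."""
    entries = parse_passwd(text)
    findings = []
    for e in entries:
        kind = hash_kind(e.hash)
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 (full root, shell {e.shell})")
        if kind == "descrypt":
            findings.append(f"{e.name}: DES crypt hash, fast to crack, passwords capped at 8 chars")
        elif kind == "empty":
            findings.append(f"{e.name}: empty password field")
    # The salt is embedded in the hash, so identical hashes mean identical passwords.
    by_hash = {}
    for e in entries:
        by_hash.setdefault(e.hash, []).append(e.name)
    for h, names in by_hash.items():
        if len(names) > 1 and h not in ("", "x"):
            findings.append(f"same password: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for line in triage(PASSWD):
        print(line)
```

On the sample this reports four UID 0 accounts and four DES crypt hashes, which tells you that the "Normal User" account is root too and that a wordlist run will finish in seconds. The shared-password check does not fire here because admin and nobody, although they both crack to admin, carry different salts.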
  17. Ripping Firmware    Sometimes it's useful to have the firmware: for reversing the code, and for finding static strings, usernames or passwords. Even a loose grep turns up the defaults (though it also matches noise such as "passing"):
      silvio@silvio:~$ ls -la spi.rom
      -rw-r--r-- 1 root root 4194304 Sep 19 13:02 spi.rom
      silvio@silvio:~$ strings spi.rom|egrep 'ass|sername'
      passing 'arg' as arguments
      passing arguments 'arg ...'; when booting a Linux kernel,
      wan_pppoe_passwd=
      usb_ftpusername_x=
      http_username=admin
      ddns_username_x=
      http_passwd=admin
      acc_username=
      wan_pppoe_username=
      ...
  18. IC identification     Most things are surface mount packages. Part numbers are typically printed on the IC. Use a small magnifying lamp to read them. Look up the datasheet on Google.
  19. Desoldering ICs     Sometimes you need to remove the IC to read from or write to it. One way is desolder braid. A better way is a hot air rework station, which melts the solder on all the pins at once. Lift the IC off with tweezers or a vacuum pickup tool.
  20. Hot air rework station
  21. NAND Flash Programming    Read from and write to NAND with a device programmer. Buy a universal device programmer, place the NAND in its socket adapter and use its software to read the chip.
  22. Universal Device Programmers  Xeltek pictured.
  23. SPI Serial Flash   Flash memory that doesn't require block access: it can be executed in place, so there is no need to copy it into RAM first. Bootloaders often live on it. Common in an SOIC-8 package. You can use an expensive device programmer, or cheaper methods.
  24. Reading SPI Flash in-circuit      These can be read with a GoodFET or a Bus Pirate; with the Bus Pirate you can use flashrom (flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r spi.rom). The IC can be read in-circuit, using IC test clips or SMD hooks. Do it with the board unpowered, so the host CPU isn't also driving the bus, and read twice and diff the two dumps: a mismatch means something else on the bus was active.
  25. SPI Serial Flash Desoldering   SOIC can be desoldered. Once it's off, use a SOIC-to-DIP adapter and a breadboard.
  26. Using a GoodFET to read SPI Flash    Look at the datasheet for the IC. Attach the GoodFET to it. Some IC pins may need to be tied to VCC through a resistor (on a SOIC-8 SPI flash the /WP and /HOLD pins must be held high or the chip won't respond).
  27. Final thoughts on ripping firmware    Top-of-the-line programmers are expensive. A GoodFET or a Bus Pirate is affordable. Once you rip the data from the IC, you still have to reconstruct the contents: a raw NAND dump has each page's spare (OOB) bytes interleaved with the data and may contain bad-block markers, and you then need to find where the bootloader, kernel and filesystem start. This is not that trivial.
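The strings | egrep run on the "Ripping Firmware" slide works, but its pattern is loose ('ass' also matches 'passing'). The Python scanner below, added here and not part of the talk, does the same printable-run extraction that strings does over a raw dump, keeps only key=value settings whose key looks like a credential, and reports the file offset of each hit so you can return to it in a hex editor or disassembler. The dump it runs on is a constructed sample, and it assumes a plain SPI NOR image with no NAND spare bytes interleaved.

```python
import re

# A key that contains one of these words, followed by '=', is a credential setting.
CRED_RE = re.compile(
    rb"^(?P<key>[A-Za-z0-9_]*(?:passw(?:or)?d|pass|user(?:name)?|pwd|secret|psk)[A-Za-z0-9_]*)"
    rb"=(?P<val>.*)$",
    re.IGNORECASE,
)


def extract_strings(blob, min_len=4):
    """Yield (offset, bytes) for every run of min_len+ printable ASCII bytes,
    which is what `strings` prints by default (0x7f and high-bit bytes excluded)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group()


def grep_strings(blob, pattern):
    """The loose `strings | egrep PATTERN` from the slide, for comparison."""
    rx = re.compile(pattern)
    return [s for _, s in extract_strings(blob) if rx.search(s)]


def find_credentials(blob, min_len=4):
    """Return (offset, key, value) for each credential-looking key=value string."""
    hits = []
    for off, s in extract_strings(blob, min_len):
        m = CRED_RE.match(s)
        if m:
            hits.append((off, m.group("key").decode(), m.group("val").decode()))
    return hits


def default_credentials(blob):
    """Settings with a non-empty value are the factory defaults to try first."""
    return [(k, v) for _, k, v in find_credentials(blob) if v]


# Constructed sample dump: NVRAM-style defaults between stretches of erased
# flash (0xff) and zero padding, plus an ELF header fragment for realism.
SAMPLE_ROM = (
    b"\xff" * 64
    + b"http_username=admin\x00"
    + b"http_passwd=admin\x00"
    + b"wan_pppoe_passwd=\x00"
    + b"passing 'arg' as arguments\x00"
    + b"\x00" * 16
    + b"\x7fELF\x01\x01\x01"
    + b"\xff" * 32
    + b"acc_username=\x00"
    + b"ddns_username_x=\x00"
)


if __name__ == "__main__":
    for off, key, val in find_credentials(SAMPLE_ROM):
        print(f"0x{off:06x} {key}={val}")
    print("defaults:", default_credentials(SAMPLE_ROM))
```

Run it against the real spi.rom with find_credentials(open("spi.rom", "rb").read()); the offsets are what you feed to the disassembler to find the code that consumes each setting. The loose slide pattern returns six strings on the sample where the tightened one returns five, and on a 4 MB image that gap is hundreds of lines of noise.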
  28. Games with IR alarm systems  Bought from eBay.
  29. The alarm   PIR motion sensor IR arming/disarming remote
  30. A first failed attempt    Learning remote. Bought from Jcar. Didn’t work.
  31. Taking apart the remote
  32. A lesson from circuit theory    The remote is an astable multivibrator, a type of oscillator. Plug the resistor and capacitor values into T = ln(2)·R2·C1 + ln(2)·R3·C2 and f = 1/T, which gives f = 38.52 kHz.
  33. Repurposing a different remote     Take the remote from a different device. Attach a GPIO pin of an Arduino to its IR LED. Do some Arduino coding: pulse the LED at 38.52 kHz.
  34. The rig
  35. Getting the frequency using a counter
  36. Checking the signal
  37. Generating the signal with a function generator
  38. Making it easy: the USB Infrared Toy    Sold for $20. Can capture and replay IR signals. Disarms the alarm.
  39. Final thoughts on IR alarms   You get what you pay for. Try to get an RF alarm with a rolling code, which is what your car remote probably uses. RF opens up a whole new world of fun.
  40. Gardening with Arduino       Make your backyard irrigation system computer controlled: the Arduino activates a relay, the relay controls the water solenoid valve, the PC activates the Arduino, and the whole thing is network controlled, with a cron job to start and stop the watering.
  41. The Prototype
  42. What does a relay do?      A small voltage and/or current can switch on a much larger voltage and/or current. The solenoid needs 24 VAC, which a small wall wart can supply. The Arduino activates the relay using one of its low-voltage, low-current GPIO pins. I used a solid state relay.
  43. Soldered and in project box
  44. How do I connect the Arduino to a PC?     By USB serial! The Arduino listens for commands over the USB serial interface; if the command is start, it turns on the pin connected to the relay. I wrote a small network daemon on the PC that takes commands and relays them to the Arduino.
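A PC-side daemon like the one described above is the part of the rig that is reachable over the network, so its job is to accept exactly two commands and nothing else. The Python relay below is an added example, not the talk's daemon: it assumes a newline-terminated start/stop protocol to which the Arduino sketch answers ok, a /dev/ttyACM0 serial path, pyserial for the real board, and it binds to localhost so only the cron job on the same PC can switch the water. The FakeArduino stand-in is constructed so the example runs offline.

```python
import socketserver

# Allowlist of commands and the exact bytes sent to the board for each.
# Anything not in here is rejected before it reaches the serial port.
COMMANDS = {"start": b"start\n", "stop": b"stop\n"}
MAX_LINE = 64  # longest client line we will read; prevents unbounded reads


def handle_command(raw, arduino):
    """Validate one client line and forward it to the board.
    `arduino` needs write() and readline(), i.e. a pyserial Serial or a stand-in.
    Returns the reply bytes to send back to the client."""
    cmd = raw.strip().lower()
    if cmd not in COMMANDS:
        return b"ERR unknown command\n"
    arduino.write(COMMANDS[cmd])
    reply = arduino.readline().strip()
    if reply == b"ok":
        return b"OK " + cmd.encode() + b"\n"
    return b"ERR arduino: " + reply + b"\n"


class RelayHandler(socketserver.StreamRequestHandler):
    """One line in, one line out, then the connection closes."""

    def handle(self):
        line = self.rfile.readline(MAX_LINE).decode("ascii", "replace")
        self.wfile.write(handle_command(line, self.server.arduino))


def serve(arduino, host="127.0.0.1", port=9000):
    """Bind to localhost only: the cron job runs on the same PC, and nothing
    else on the LAN needs to be able to open the valve."""
    with socketserver.TCPServer((host, port), RelayHandler) as srv:
        srv.arduino = arduino
        srv.serve_forever()


class FakeArduino:
    """Constructed stand-in for the board: records what was written, answers ok."""

    def __init__(self):
        self.sent = []

    def write(self, data):
        self.sent.append(data)

    def readline(self):
        return b"ok\n"


if __name__ == "__main__":
    import serial  # pyserial, assumed installed; port path is an assumption too
    serve(serial.Serial("/dev/ttyACM0", 9600, timeout=2))
```

The cron entries then become printf 'start\n' | nc 127.0.0.1 9000 and the matching stop. If the daemon later has to be reachable from another host, put authentication in front of it rather than just changing the bind address; an unauthenticated "start" on a valve is a way to flood a yard.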
  45. The final product
  46. Bazinga
  47. Conclusion      Hardware hacking is fun. There are lots of things to try. If you've got a spare ADSL router, pull it apart and attach a serial console. Thanks to Stephen Ridley. Any questions?