
BSides DFW2016-Hack Mode Enabled

6 Nov 2016

  1. “Hack Mode” Enabled: Hardware Hacking on a Budget. BSides DFW 2016. Price McDonald
  2. About:Me
  3. O’Rly?
  4. Ok, So Hardware Security sucks… But why focus on the hardware?
  5. Methodology
  6. Where do we get the Things? • Beta Programs • https://www.betabound.com/tp-link-router-private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • eBay • Craigslist • Garage Sales
  7. Disassembly: “Voiding the Warranty”
  8. Tamper Resistance/Detection/Alerting They mean different things, but may not matter either way.
  9. Component Identification What do you see?
  10. Component Identification (2) • EOL 802.11g router SoC (System on Chip): 200 MHz MIPS32 core, supports serial or parallel flash, one JTAG and two UART ports, 336-ball FBGA (Fine-pitch Ball Grid Array) • 32 Mbit parallel NOR flash memory: 3 V only, 48-pin TSOP (Thin Small Outline Package) • CMOS DDR400 RAM: 66-pin TSOP II
  11. Component Identification Tips and Tricks
  12. Arts and Crafts Time
  13. Finding Ground • Using the multimeter we can figure out which of the pins on our headers connect to ground and which carry voltage (specifically 3.3 V). • Got Ground?
  14. Physical Countermeasures • Gap in trace • Extra resistor
  15. Common Interface Types • UART – Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter-Integrated Circuit • JTAG – Joint Test Action Group – hardware debugging interface • CAN – Controller Area Network (cars/ATMs/etc.) • RS-232 – serial interface used on many legacy devices
  16. Pinout Reversing • Saleae Logic Analyzer • ~100 bucks on the low end @ https://www.saleae.com • Also, EDU discounts available up to 50% depending on model. • Keep in mind that a logic analyzer samples the signal: too low a sample rate or a wrong voltage threshold produces artifacts that look like data. • Works for I2C, UART, SPI, JTAG, CAN, etc.
  17. Saleae Logic UI • Using the Saleae logic analyzer we can watch the pins during boot and look for voltage transitions. Activity on a pin during boot is a good indication of a UART, I2C or SPI connection. (Capture annotation: system boot; likely the boot log being transmitted over UART.)
  18. Saleae Logic - Decoders Given that we suspect Async Serial (UART) we will select that analyzer
  19. Saleae Logic - Decoding Among small embedded devices 115200 is a very common bit rate, so it is an easy first guess. But we will also cover a more automated way of determining the bit rate.
  20. Saleae Logic – Decoding(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)
  21. Saleae Logic – Output As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
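The decoding steps in slides 16 through 21 (watch the pin, pick the Async Serial analyzer, guess the bit rate, check the channel) can be reproduced in software once the capture is exported as logic levels. The block below is an added example, not code from the talk: it constructs an 8N1 signal in place of a real Saleae export, estimates the bit rate from the shortest pulse (the "more automated way" of guessing it), decodes the frames, and shows the sampling caveat from slide 16 by running the same estimate on a capture taken at too low a sample rate. The sample text, the 1 MS/s and 200 kS/s rates, and the 115200 bit rate are assumptions chosen for the demonstration.

```python
"""Added example (not from the talk): decode an 8N1 UART stream from logic-analyzer samples.

Assumes the captured channel has been exported as one logic level (0/1) per sample at a
known sample rate. The signal built by uart_encode is constructed, not a real capture.
"""

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def uart_encode(text, baud, sample_rate, idle_samples=50):
    """Constructed 8N1 test signal: idle high, start bit low, 8 data bits LSB first, stop bit high."""
    bits = []
    for byte in text.encode():
        bits.append(0)                                   # start bit
        bits.extend((byte >> i) & 1 for i in range(8))   # LSB first
        bits.append(1)                                   # stop bit
    spb = sample_rate / baud                             # samples per bit, may be fractional
    samples = [1] * idle_samples
    n = int(round(len(bits) * spb))
    samples.extend(bits[min(int(k / spb), len(bits) - 1)] for k in range(n))
    samples.extend([1] * idle_samples)
    return samples


def run_lengths(samples):
    """Collapse the sample list into (level, length) runs."""
    runs = []
    level, length = samples[0], 0
    for s in samples:
        if s == level:
            length += 1
        else:
            runs.append((level, length))
            level, length = s, 1
    runs.append((level, length))
    return runs


def detect_baud(samples, sample_rate):
    """Estimate the bit rate from the shortest pulse, then snap it to a standard rate.

    The shortest run is one bit time only if the data contains an isolated 0 or 1 bit,
    which any boot log does. Capturing at too low a sample rate breaks this: a bit may
    land on a single sample, so the shortest run is a sampling artifact, not a bit time.
    """
    shortest = min(length for _, length in run_lengths(samples))
    raw = sample_rate / shortest
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def uart_decode(samples, sample_rate, baud):
    """Decode 8N1 frames: find each falling edge (start bit), sample every bit at its centre."""
    spb = sample_rate / baud
    out = bytearray()
    i, n = 1, len(samples)
    while i < n:
        if samples[i - 1] == 1 and samples[i] == 0:      # falling edge = start of a frame
            start = i
            byte = 0
            for b in range(8):
                idx = int(start + (b + 1.5) * spb)       # centre of data bit b
                if idx >= n:
                    return bytes(out)
                byte |= samples[idx] << b
            stop_idx = int(start + 9.5 * spb)
            if stop_idx < n and samples[stop_idx] == 1:  # framing check: stop bit must be high
                out.append(byte)
            i = int(start + 10 * spb)                    # skip past the stop bit
        else:
            i += 1
    return bytes(out)


def decode_capture(samples, sample_rate):
    """Auto-baud, then decode: the Async Serial analyzer's job once the channel is chosen."""
    baud = detect_baud(samples, sample_rate)
    return baud, uart_decode(samples, sample_rate, baud)


if __name__ == "__main__":
    SAMPLE_TEXT = "Booting kernel...\r\n"                # constructed boot-log line
    sig = uart_encode(SAMPLE_TEXT, 115200, 1_000_000)    # 1 MS/s: about 8.7 samples per bit
    print(decode_capture(sig, 1_000_000))
    low = uart_encode(SAMPLE_TEXT, 115200, 200_000)      # 200 kS/s: under 2 samples per bit
    print("estimate at 200 kS/s:", detect_baud(low, 200_000))
```

At 1 MS/s the shortest pulse is 8 or 9 samples, which snaps to 115200 either way; at 200 kS/s some bits occupy a single sample, the estimate lands on 230400, and the decode is untrustworthy. Rule of thumb that follows from the code: capture at several times the highest bit rate you expect.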
  22. Or, Have you heard of the Jtagulator? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
  23. Connecting to Interfaces • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
  24. Using the Shikra http://int3.cc/products/the-shikra
  25. Connecting to UART • The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to: sudo screen /dev/[device id] [baud rate] • Or, in the case of the device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
  26. We now have a shell! (Hopefully.) But now what?
  27. No-Tech Hacking
  28. No-Tech Hacking (2)
  29. File System Fiddling: Why is my root an mtdblock? But wait, what is an mtdblock? • MTD is a "Memory Technology Device". • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice that you could read current data from, but could not seek and had no size. Block devices had a fixed size and could be seeked. • An mtdblock is a block device emulated over an MTD device. Source: Wikipedia
  30. File System Fiddling (2) Oftentimes embedded device manufacturers leave important file systems unmounted. Another good resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
  31. Pilfering File Systems: But how do we get the file system off of the target device?
  32. SSH Whoops?
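Slides 29 through 31 ask what an mtdblock is, note that partitions may be left unmounted, and then ask how to get the file system off the device. The answer starts with the kernel's own partition table, /proc/mtd, which the UART shell will print. The block below is an added example, not code from the talk: it parses a /proc/mtd listing pasted from the target, checks the partition sizes against the flash size read off the chip during component identification (a 32 Mbit part here, matching slide 10), locates the root file system partition, and builds one dd-over-netcat command per partition to type into the target's shell. The listing, the listener address and the port numbers are constructed for the example; it assumes BusyBox dd and nc on the target and that the partitions are non-overlapping slices of a single chip.

```python
"""Added example (not from the talk): turn a pasted /proc/mtd listing into a dump plan.

Runs on the analyst machine against text copied out of the UART shell. The listing below
is constructed to match a 4 MiB (32 Mbit) NOR part; it is not from a real device.
"""
import re
from dataclasses import dataclass

SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00120000 00010000 "kernel"
mtd3: 002a0000 00010000 "rootfs"
mtd4: 00010000 00010000 "art"
"""

# size and erasesize are hex byte counts; the name is quoted and may contain spaces.
MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"\s*$')


@dataclass
class MtdPartition:
    index: int
    size: int
    erasesize: int
    name: str


def parse_proc_mtd(text):
    """Parse /proc/mtd text; the header line and anything malformed is skipped."""
    parts = []
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            parts.append(MtdPartition(int(m[1]), int(m[2], 16), int(m[3], 16), m[4]))
    return parts


def unaccounted_bytes(parts, chip_bytes):
    """Bytes of flash that no MTD partition covers.

    Assumes non-overlapping partitions on one chip whose size you read off the package
    during component identification. A positive result is worth a look: a region the
    kernel does not expose still holds data you can read over JTAG or SPI.
    """
    return chip_bytes - sum(p.size for p in parts)


def find_rootfs(parts):
    """The partition behind the 'why is my root an mtdblock?' question."""
    for p in parts:
        if "root" in p.name.lower():
            return p
    return None


def dump_commands(parts, listener_host, base_port=9000):
    """One (command, expected_bytes) per partition; the command is typed into the target's
    UART shell. On the analyst box start one listener per partition first, e.g.
    `nc -l -p 9003 > mtd3.bin` (listener flag syntax varies between netcat builds), and
    compare the received file size with expected_bytes. Reading in erasesize chunks keeps
    dd aligned to flash blocks; dd stops at the end of the device on its own.
    """
    return [
        (f"dd if=/dev/mtdblock{p.index} bs={p.erasesize}"
         f" | nc {listener_host} {base_port + p.index}", p.size)
        for p in parts
    ]


if __name__ == "__main__":
    parts = parse_proc_mtd(SAMPLE_PROC_MTD)
    chip = 32 * 1024 * 1024 // 8                     # 32 Mbit part from the component ID slide
    print("unaccounted bytes:", unaccounted_bytes(parts, chip))
    print("rootfs:", find_rootfs(parts))
    for cmd, expected in dump_commands(parts, "192.168.1.100"):  # constructed listener address
        print(f"{cmd}   # expect {expected} bytes")
```

Once a partition is on the analyst machine, the usual next step is to identify it (file, binwalk) before unpacking; the root file system is the one that answers the "what is on this box?" question, and the unmounted ones are where the interesting leftovers tend to be.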
  33. Ultra-quick JTAG primer • JTAG stands for Joint Test Action Group, which was formed in 1985. • The IDCODE and BYPASS registers are often very helpful. • The following pins are required for JTAG use: TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), TMS (Test Mode Select). • The TCK pin (Test Clock) is what keeps the clock for the state machine. • The TMS pin (Test Mode Select) is what determines when and how the state machine advances, depending on its level at each clock cycle. Source: Wikipedia
  34. Options for connecting to JTAG • Good: $45 • Better: $60–$600 • Best: $5000–$20000
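The primer above says what TCK and TMS do in words; the block below is an added example, not code from the talk, that models the same thing: the 16-state TAP controller advanced by the TMS level on each TCK, a minimal device whose data-register path holds either IDCODE or BYPASS after reset, and the host-side sequence that resets the TAP, walks to Shift-DR and shifts the 32-bit IDCODE out LSB first. That sequence is the core of what an IDCODE scan does on each candidate pin mapping. The IDCODE value is constructed, not any real chip's ID, and the model covers only the IDCODE/BYPASS data-register path (no instruction register, no boundary scan).

```python
"""Added example (not from the talk): the JTAG TAP state machine driven by TMS on each TCK,
used to read a device's IDCODE. The device model and the IDCODE value are constructed.
"""

# Each TAP state maps to (next state when TMS=0, next state when TMS=1), per IEEE 1149.1.
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}


class TapDevice:
    """Minimal model of one device's TAP: only the IDCODE/BYPASS data-register path."""

    def __init__(self, idcode=None):
        self.idcode = idcode    # None models a part with no IDCODE: BYPASS is selected after reset
        self.state = "TEST_LOGIC_RESET"
        self.dr = 0
        self.dr_len = 1

    def clock(self, tms, tdi=0):
        """One rising TCK edge: act on the current state, then advance it by TMS. Returns TDO."""
        tdo = 0
        if self.state == "CAPTURE_DR":
            # Reset selects IDCODE if the part has one, otherwise BYPASS (a single 0 bit).
            if self.idcode is None:
                self.dr, self.dr_len = 0, 1
            else:
                self.dr, self.dr_len = self.idcode, 32
        elif self.state == "SHIFT_DR":
            tdo = self.dr & 1                                       # LSB leaves on TDO first
            self.dr = (self.dr >> 1) | (tdi << (self.dr_len - 1))   # TDI enters at the MSB end
        self.state = TAP_NEXT[self.state][tms]
        return tdo


def tms_walk(tap, tms_bits):
    """Clock TCK once per TMS value, TDI held low."""
    for tms in tms_bits:
        tap.clock(tms, 0)


def read_idcode(tap):
    """Reset the TAP, go to Shift-DR, shift out 32 bits. Works from any starting state."""
    tms_walk(tap, [1, 1, 1, 1, 1])   # five TMS=1 clocks reach Test-Logic-Reset from anywhere
    tms_walk(tap, [0, 1, 0, 0])      # Run-Test/Idle, Select-DR-Scan, Capture-DR, Shift-DR
    assert tap.state == "SHIFT_DR"
    value = 0
    for i in range(32):
        tms = 1 if i == 31 else 0    # raise TMS with the last bit to leave for Exit1-DR
        value |= tap.clock(tms, 0) << i
    return value


def decode_idcode(value):
    """Split a 32-bit IDCODE into its fields. Bit 0 is always 1 for a real IDCODE; a 0
    there means the bits came from BYPASS, i.e. the part has no IDCODE register."""
    if value & 1 == 0:
        return None
    return {
        "version": value >> 28,
        "part_number": (value >> 12) & 0xFFFF,
        "manufacturer": (value >> 1) & 0x7FF,   # 11-bit JEDEC manufacturer field
    }


CONSTRUCTED_IDCODE = 0x10ABC179   # version 1, part 0x0ABC, manufacturer 0x0BC, LSB 1 (made up)

if __name__ == "__main__":
    print(hex(read_idcode(TapDevice(CONSTRUCTED_IDCODE))))
    print(decode_idcode(read_idcode(TapDevice(None))))
```

Two things the model makes concrete: TMS is only ever looked at on a clock edge, so an idle TCK leaves the TAP wherever it is, and five TMS=1 clocks land in Test-Logic-Reset from every state, which is why a scan can start without knowing where the target's TAP was left.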
  35. Jtagulator
  36. How to Connect with OpenOCD • The command to start OpenOCD is: openocd -f [interface config] -f [target config] • But now what? There are errors and stuff!!!!! • #openocd on Freenode
  37. How to Connect with OpenOCD (2) Silly OpenOCD! That’s more like it
  38. Using OpenOCD
  39. Reverse Engineering • IDA Pro: paid version required for disassembly; ARM decompiler available but $$$$; also a very good debugger • Radare2: free, multiplatform support; no decompiler available • Binary Ninja: free version available; very limited architecture support; not currently an option for this type of work but something to keep in mind
  40. IDA Pro
  41. Radare2
  42. Other nice to haves
  43. • http://www.grandideastudio.com/hardware-hacking-training/ • http://www.xipiter.com/training.html • https://www.eevblog.com • http://www.embedded.com/electronics-blogs/beginner-s-corner/
  44. THANK YOU!!!! ANY MORE QUESTIONS?