Define: Reverse Engineering
• the process of extracting knowledge or design information from
anything man-made and reproducing it, or reproducing anything
based on the extracted information [Wikipedia]
• hardware as well as software
• used for commercial and non-commercial purposes
• Industrial espionage (to borrow ideas)
A word about equipment
• Good equipment = $$$$
• Use open-source equipment such as the Bus Pirate, HackRF, Open Bench,
etc.
• Commercial tools work better in most cases
• They would be a good investment
• Have at least one of each of the separate categories of tools:
  • Logic analyzer
  • RF spectrum analyzer
  • Oscilloscope
  • JTAG debugger
  • etc.
LOGIC ANALYZERS
• Monitor communication
• Decode protocols
• Replay (in some cases)
• Cheap ($44 to $500+)
• Open-source ones:
  • Open Bench
  • Bus Pirate
RF Analysis tools
• For scanning the RF frequencies
• Recognising signals
• Storing and replaying
• SDRs are your friends!
• Examples:
  • RFExplorer
  • RTL-SDR
  • HackRF/BladeRF/USRP
Actual physical security
• Screws may be regular or proprietary
• Warranty-void seals
• Tamper-proof casing
• Sometimes stupidly powerful tamper-proofing (a la IronKey)
Initial steps
• Open the casing
• Identify the ICs and their functionality
• Look up datasheets
• FCC IDs may help when it comes to radio
• Names and series numbers may exist on ICs where they have not
been sanitised
Hunting for datasheets
• Googling the part/series number may return the name
• name -> datasheet
• datasheet -> operation
• operation -> full pwnage (sometimes)
• The details to look out for differ from system to system
Diagnostic Ports
• Ports left over after development
• Should be disabled by blowing the fuses (not always done)
• Most commonly used:
  • JTAG, UART
• Less common:
  • LPC (mainly in the Xbox and some TPM systems)
Serial
• Also known as UART
• Straightforward diagnostics (mostly)
• There will be RX, TX, ground and VCC
• Sometimes also gives root access
• Look for groupings of four pins (mainly)
Finding Serial the hard way
• Using a multimeter
• Continuity test
• Ground pins are usually cross-shaped
• Touch a metal piece with the probe
Finding Serial the hard way - 2
• After ground, find VCC
• Turn on the power
• Find the pin with the steady voltage
• The other two are the RX and TX pins
Finding Serial the easy way
• Using the JTAGulator
• Made by Joe Grand
• Allows you to find UART and JTAG pinouts automatically
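Once RX and TX are known, a logic-analyzer capture of the TX line can be decoded even without knowing the baud rate. This added Python example (not from the slides) builds a constructed 8N1 trace, guesses the baud from the shortest pulse width, and decodes the frames, dropping any whose stop bit is not high; the 1 MS/s sample rate is an assumption.

```python
from typing import List

SAMPLE_RATE = 1_000_000  # assumed 1 MS/s logic-analyzer capture, one level per sample


def encode_uart(data: bytes, baud: int, rate: int = SAMPLE_RATE) -> List[int]:
    """Build a constructed 8N1 trace: idle high, start bit low, 8 data bits
    LSB first, stop bit high, with two idle bit-times at each end."""
    spb = rate // baud                      # samples per bit
    trace = [1] * (2 * spb)
    for byte in data:
        for bit in [0] + [(byte >> n) & 1 for n in range(8)] + [1]:
            trace.extend([bit] * spb)
    return trace + [1] * (2 * spb)


def guess_baud(trace: List[int], rate: int = SAMPLE_RATE) -> int:
    """The shortest run of equal samples between the first and last edge is
    about one bit period; snap it to the nearest standard rate."""
    runs, run = [], 1
    for prev, cur in zip(trace, trace[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    if len(runs) < 3:
        raise ValueError("no transitions: wrong pin, or the line is idle")
    raw = rate / min(runs[1:-1])            # ignore the truncated idle at both ends
    return min((9600, 19200, 38400, 57600, 115200), key=lambda b: abs(b - raw))


def decode_uart(trace: List[int], baud: int, rate: int = SAMPLE_RATE) -> bytes:
    """Resynchronise on every falling edge (start bit), sample each bit at
    its centre, and skip frames whose stop bit is low (framing error)."""
    spb, out, i = rate // baud, bytearray(), 0
    while i + 1 < len(trace):
        if trace[i] == 1 and trace[i + 1] == 0:
            mid = [i + 1 + n * spb + spb // 2 for n in range(10)]  # bit centres
            if mid[9] >= len(trace):
                break                        # frame cut off by the end of the capture
            if trace[mid[9]] == 1:           # valid stop bit
                out.append(sum(trace[mid[n + 1]] << n for n in range(8)))
            i = mid[9]
        else:
            i += 1
    return bytes(out)
```

Real captures exported from a logic analyzer as one sample per line can be fed in the same way after mapping each line to 0 or 1.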
JTAG
• Joint Test Action Group
• Used mainly for debugging purposes
• Can be used in reverse engineering too
• Halt the CPU, change instructions, etc.
Radio
• Can be reverse engineered through various means:
  • Direct radio analysis
  • SPI sniffing
• FCC IDs are a good way to determine the frequency and other factors
Bluetooth
• Bluetooth 2 and 3 are surprisingly harder to eavesdrop on than 4.0
• An Ubertooth is necessary for most Bluetooth-related operations
• Important data is rare
• Still, good info is possible
Flash/EEPROM memory
• Non-volatile
• Used to store data
• Firmware is usually stored in flash memory
• Usually uses SPI for communication
• Usually does not have any protection
• Exceptions include Atmel's CryptoMemory
Invasive techniques
• Invasive attacks usually destroy the chip
• Used to get at the die
• Usually done to duplicate the chip
• Very expensive equipment required
Introducing labrynth
• A reverse engineering training platform
• Uses an ATmega328P
• Separate EEPROM for data storage (24LC08)
• Find the password that grants you access