To put together an effective hardware hacking toolkit, one must carefully consider what kinds of tasks need to be performed, and in what order. Once a basic workflow is identified, one can assemble a set of complementary hardware tools and resources to meet the expected needs. The goal is to have the tools to go as far as possible in a single session and to identify any specialized equipment that will be needed later, so that follow-up sessions are as effective as possible.
[Films By Kris Hardware] has started quite an interesting YouTube series on hacking and owning a PogoPlug Mobile v4. While this has been done many times in the past, he gives a great step-by-step tutorial. The series so far is quite impressive, going into great detail on how to gain root access to the device through a serial connection.
In short, hardware hacking generally means altering an existing piece of hardware so that it can be used in a way that was not intended. The aim is to extract information, subvert network functions, take control of the hardware in question, or cause it to misbehave or malfunction.
With the increase in the number of IoT products, hardware hacking has become more prominent than ever, and ethical hardware security assessments have entered the fray as a way to improve data and network security.
The applications and benefits of hardware hacking are numerous. Its main application in ethical hacking, however, is to uncover weaknesses so that access points can be hardened. A few important applications of hardware hacking are:
One of the simplest methods of hardware hacking is to connect a logic analyzer to test points on the circuit board. The logic analyzer records the digital signals and decodes them (for example as UART, SPI or I2C traffic) into something useful.
SPI - SPI (Serial Peripheral Interface) is a synchronous serial communication interface. It was designed primarily to transfer data between components located on the same PCB (Printed Circuit Board).
UART - A UART (Universal Asynchronous Receiver/Transmitter) is a hardware block (a physical circuit in the controller or a standalone IC) used for asynchronous serial communication. It converts between the parallel data of the host and the serial bitstream on the wire using a shift register.
SWD - SWD (Serial Wire Debug) reduces the debug port to just two pins: a bidirectional data signal (SWDIO) and a clock signal (SWCLK) driven by the host. It provides the normal JTAG debug functionality, but not JTAG's boundary-scan test feature.
FI - A fault injection (FI) attack is a physical attack that deliberately injects a fault into the device to change its intended behaviour. It can bypass security features, alter system behaviour to accomplish malicious ends, or leak secret information, keys, or even firmware through analysis of the erroneous outputs.
One needs the necessary tools to become a proficient hardware hacker, so setting up your own lab is a crucial step. We will go through everything you need to know and possess to become a skilful hardware hacker.
To perform efficient hardware hacking, you must first gain a comprehensive understanding of the target. The first step before attacking the target hardware is hardware reconnaissance. Recon identifies critical access points, susceptible endpoints, and weaknesses.
Our Bandit, Shakir, has provided great insight in our e-book, Hands-on IoT Hacking. Here is an excerpt from the e-book on the basic hardware tools required for initial hardware reconnaissance.
Founded on the principle that hacking gadgets should be accessible to all hacking geeks, EXPLIoT creates an evolving range of devices and tools that deliver great hacking experiences right to your doorstep.
Tigard is an open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking. By incorporating commonly used pin-outs, a labelled wiring harness, onboard level-shifting, and a logic analyzer connection, it is designed specifically for attaching to and communicating with low-speed interfaces on reverse-engineered hardware targets.
Tigard combines support for all of the most-used interfaces and most-needed features onto a simple board. As a drop-in replacement for dozens of other hardware tools based on FTDI chips, it has native support from a number of commonly used hardware tools like OpenOCD, FlashROM, and more.
Thanks to the drop-in compatibility with so many tools, there is no need for Tigard-specific tools to interface with any targets. If you do find the need to customize a tool or script using Tigard, it should work fine with any other FT2232H interface board.
BitMagic Basic supports eight channels sampled at up to 24 Msps. It works like any other logic analyzer and includes a labeled wiring harness so you can use it with any 2.54 mm pin headers or your favorite probe clips.
Faced with a calendar free of travel and face-to-face training commitments, we used the time to design, build, and test Tigard, as well as bring our hands-on in-person training to a self-paced online format, updated to work with Tigard and BitMagic.
Tigard was designed as a drop-in replacement for other FT232H-series devices. In general, there are zero software changes required for support, though customizing configuration files might be necessary.
The entire design is open hardware, designed in KiCad with a public git repository. The documentation covers using a variety of software tools to complete several common tasks with Tigard. Should you have difficulty, Tigard has LEDs that will assist in debugging your target, your protocol, and your software.
Toolkit with Tigard, Bitmagic, and more - everything you need for the self-paced "Applied Physical Attacks on Embedded and IoT Systems" online course which covers the basics of hardware hacking on embedded systems. Includes access to all online lectures, labs, and supporting materials.
This was an interesting journey into what I thought was going to entail lifting data from a typical SPI or I2C chip, but alas it was neither, rather the Microwire protocol. Let's explore this protocol, how we might interface with a Microwire EEPROM and extract data using the newly released Arduino UNO R4 eval board. I mean...this was really just some weekend hacking and a chance to crack open this shiny new Arduino...right?!
The board that we are targeting is a proprietary commercial USB programmer used to interface with Texas Instruments MSP430 microcontrollers, specifically as a means to access Spy-Bi-Wire (SBW). SBW is not the focus of this post, but it will be covered in a future post, as it is an interesting method of multiplexing JTAG over a two-wire protocol.
The other important part is selecting the correct GPIO interface for extracting data from the USB programmer's IC. I am just going to say that I started to reach for the Bus Pirate, then I thought about the GreatFet, but realized that I had an Arduino UNO R4 that is a perfectly capable ESP32 enabled eval board. This decision to use the latter actually turned into an ideal exercise to explore the Arduino IDE, write some C, and simply do some experimentation. This is what we are dealing with (Arduino lower side of picture and USB programmer near the top)...
Looking at this device, we can see some interesting items. First, even though it was originally enclosed in a plastic case, the manufacturer/designer has done nothing to obfuscate the various interfaces. This is to be expected, as it is a programmer and is itself used to interface with target device GPIO. The other obvious items are the Cortex-M and JTAG headers on the far right.
Why not just hook up a JTAGulator and bit-bang the pins? Well, if we follow the traces (the copper lines) and vias through the PCB, we run into a bank of series resistors. These resistors isolate the on-board components (i.e., the MCU and EEPROM) from voltages on the target device. As such, the Cortex-M (i.e., 10-pin JTAG) and 14-pin JTAG headers are simply two options for interfacing with equivalent GPIO on the target device. It is unlikely that the JTAG interface will provide unrestricted access to the on-board components as we might expect.
Microwire can be thought of as a predecessor of SPI. Whereas SPI uses a four-wire bus (MISO - master in slave out, MOSI - master out slave in, CLK/SCK - serial clock, CS/SS - chip select), Microwire is described as a three-wire bus (DI, DO and SK, corresponding to MOSI, MISO and SCK) plus a chip select. Microwire permits variable word length, but this depends on the part and package: where an ORG pin is present, it selects the memory organisation (8- or 16-bit words). Microwire is also somewhat slower than SPI. Lastly, the Microwire chip select is never left floating (neither high nor low); it is explicitly driven high or low to determine whether the chip is listening, and on Microwire EEPROMs it is active high, the opposite of the active-low CS most SPI devices use.
This particular EEPROM does not have an ORG pin, so the word size is fixed at 16 bits. Additionally, we want to know the address width, in other words how many word addresses are available.
The Arduino UNO series of boards have numerous prototyping capabilities, and the latest ESP32-enabled R4 has much the same layout but is more powerful. The wiring should align with the following table; an Arduino UNO and EEPROM schematic are provided for reference. The finished wiring will look similar to the first picture of this post.
I started down the path of reading the datasheet and coding the Microwire functionality myself, but then came upon a couple of usable Microwire Arduino libraries. I don't want to take away from the importance of building from the ground up, but already understanding how the underlying protocol works makes using someone else's work a convenience.
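To make the Microwire READ transaction concrete, here is an added example in plain C; it is not code from this post or from any of the Arduino libraries it mentions. The host side bit-bangs the command exactly as a sketch would (each dev_set() call stands in for digitalWrite() on CS, SK and DI, and reading dout stands in for digitalRead() on DO), against a constructed pin-level model of a 93C46-style x16 part (64 words of 16 bits, 6 address bits). The post never names the chip, so that geometry, the simulated contents, and all function names here are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed part: a 93C46-style Microwire EEPROM in x16 organisation (no ORG
 * pin): 64 words of 16 bits, 6 address bits. The post does not name the part,
 * so these parameters are an assumption. */
#define MW_WORDS     64
#define MW_ADDR_BITS 6

/* Constructed pin-level model of the EEPROM: with CS high it samples DI on
 * each rising SK edge; after a READ command (opcode 1 0) it drives DO with a
 * dummy 0 and then the data bits MSB first, auto-incrementing the address. */
typedef struct {
    uint16_t mem[MW_WORDS];
    int cs, sk, di, dout;       /* pin levels; dout is what the host samples */
    uint32_t shift;             /* command bits received after the start bit */
    int nbits, started, reading, addr, out_bits;
} mw_dev;
static void dev_idle(mw_dev *d) { d->shift = d->nbits = d->started = d->reading = d->out_bits = d->dout = 0; }

/* Drive the host-controlled pins CS, SK and DI to new levels. */
static void dev_set(mw_dev *d, int cs, int sk, int di)
{
    int rising = sk && !d->sk;
    if (!cs) { d->cs = 0; d->sk = sk; d->di = di; dev_idle(d); return; }
    if (!d->cs) dev_idle(d);    /* CS just rose: a new command begins */
    d->cs = 1; d->di = di; d->sk = sk;
    if (!rising) return;
    if (d->reading) {           /* data phase: one bit per clock, MSB first */
        d->dout = (d->mem[d->addr] >> (15 - d->out_bits)) & 1;
        if (++d->out_bits == 16) { d->out_bits = 0; d->addr = (d->addr + 1) % MW_WORDS; }
    } else if (!d->started) {
        d->started = di;        /* the first 1 after CS rises is the start bit */
    } else {
        d->shift = (d->shift << 1) | (di & 1);
        if (++d->nbits != 2 + MW_ADDR_BITS) return;   /* opcode + address incomplete */
        d->addr = d->shift & (MW_WORDS - 1);
        if (((d->shift >> MW_ADDR_BITS) & 3) == 2)    /* opcode 1 0 = READ */
            d->reading = 1, d->out_bits = 0, d->dout = 0;   /* dummy zero first */
        /* EWEN/ERASE/WRITE opcodes are not modelled here */
    }
}

/* Host side, i.e. what the sketch bit-bangs: each dev_set() here maps to
 * digitalWrite() on CS/SK/DI, and reading d->dout maps to digitalRead(DO).
 * A bit is presented on DI while SK is low; SK then rises and the device samples it. */
static void mw_clock_bit(mw_dev *d, int di) { dev_set(d, 1, 0, di); dev_set(d, 1, 1, di); }

/* Send start bit, READ opcode and address. Returns the dummy bit seen on DO:
 * 0 on a correctly wired part; anything else means the pinout or CS polarity is wrong. */
static int mw_send_read(mw_dev *d, uint8_t addr)
{
    dev_set(d, 1, 0, 0);        /* select: Microwire CS is active high */
    mw_clock_bit(d, 1);         /* start bit */
    mw_clock_bit(d, 1); mw_clock_bit(d, 0);   /* opcode 1 0 = READ */
    for (int i = MW_ADDR_BITS - 1; i >= 0; i--) mw_clock_bit(d, (addr >> i) & 1);
    dev_set(d, 1, 0, 0);
    return d->dout;
}

static uint16_t mw_clock_word(mw_dev *d)   /* clock out one 16-bit word, MSB first */
{
    uint16_t w = 0;
    for (int i = 0; i < 16; i++) {
        dev_set(d, 1, 1, 0);    /* rising edge: the device drives the next bit */
        w = (uint16_t)((w << 1) | (d->dout & 1));
        dev_set(d, 1, 0, 0);
    }
    return w;
}

/* Random read of one word; -1 if the dummy-bit check fails. */
int mw_read_word(mw_dev *d, uint8_t addr)
{
    int w = mw_send_read(d, addr) == 0 ? (int)mw_clock_word(d) : -1;
    dev_set(d, 0, 0, 0);        /* deselect ends the command */
    return w;
}

/* Dump n words with a single READ at address 0, relying on sequential read. */
int mw_dump(mw_dev *d, uint16_t *out, size_t n)
{
    if (mw_send_read(d, 0) != 0) { dev_set(d, 0, 0, 0); return -1; }
    for (size_t i = 0; i < n; i++) out[i] = mw_clock_word(d);
    dev_set(d, 0, 0, 0);
    return (int)n;
}

/* Constructed sample contents so the example runs offline. */
void mw_dev_init(mw_dev *d)
{
    memset(d, 0, sizeof *d);
    for (int i = 0; i < MW_WORDS; i++) d->mem[i] = (uint16_t)(0x5AA5 ^ (i * 0x0101));
}

/* Fresh simulated part, one random read. */
int mw_demo_read_word(uint8_t addr) { mw_dev d; mw_dev_init(&d); return mw_read_word(&d, addr); }

/* Does a full sequential dump equal the part's contents? */
int mw_demo_dump_matches(void)
{
    mw_dev d; uint16_t buf[MW_WORDS]; mw_dev_init(&d);
    return mw_dump(&d, buf, MW_WORDS) == MW_WORDS && memcmp(buf, d.mem, sizeof buf) == 0;
}
```

Two checks worth carrying over to real hardware are built in: the dummy zero on DO after the last address bit is clocked in (if it reads high, suspect the pinout or an active-low CS assumption carried over from SPI), and the sequential read, which lets a dumper pull the whole array with a single command by simply continuing to clock after the first 16 bits.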