SlideShare una empresa de Scribd logo

BSides DFW2016-Hack Mode Enabled

P
pricemcdonald

11-5-2016 BSides DFW - Price McDonald

Tecnología
1 de 44
Descargar para leer sin conexión
“Hack Mode” Enabled Hardware Hacking on a Budget BSides DFW 2016 Price McDonald
About:Me
O’Rly?
Ok, So Hardware Security sucks… But why focus on the hardware?
Methodology
Where do we get theThings? • Beta Programs • https://www.betabound.com/tp-link-router-private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
Disassembly “Voiding theWarranty”
Tamper Resistance/Detection/Alerting They mean different things, but may not matter either way.
Component Identification What do you see?
Component Identification(2) • EOL 802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pinTSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pinTSOP II
Component IdentificationTip andTricks The image part with relationship ID rId5 was not found in the file.
Arts and CraftsTime
Finding Ground • Using the MultiMeter we can figure out which of the pins on our headers connect to ground and which have voltage. GroundVoltage Specifically 3.3v • Got Ground?
Physical Counter Measures Gap in trace Extra Resistor
Common InterfaceTypes • UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – JointTest Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
Pinout Reversing • Saleae Logic Analyzer • ~100 Bucks on the low end @ https://www.saleae.com • Also, EDU discounts available up to 50% depending on model. • Keep in mind that logic analyzers are sampling which can cause artificial data depending on the sampling rate and thresholds. • Works for I2C, UART, SPI, JTAG, CAN, etc, etc
Saleae Logic UI • Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes during. This is a good indication of either a UART, I2C or SPI connection. System Boot Likely the boot log being transmitted over UART
Saleae Logic - Decoders Given that we suspect Async Serial (UART) we will select that analyzer
Saleae Logic - Decoding Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit rate.
Saleae Logic – Decoding(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)
Saleae Logic – Output As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
Or, Have you heard of the Jtagulator? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
Connecting to Interfaces • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
Using the Shikra http://int3.cc/products/the-shikra
Connecting to UART The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below. sudo screen /dev/[device id] baud rate Or the the case of the Device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
We now have shell! hopefully But now what?
NoTech hacking
NoTech hacking(2)
File System Fiddling Why is my root a mtdblock? But wait, what is an mtdblock? • MTD is a "MemoryTechnology Device. • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed. • A mtdblock is a block device emulated over an mtd device. Source:Wikipedia
File System Fiddling(2) Often times embedded device manufacturers leave important file systems unmounted. Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
Pilfering File Systems But, How do we get the file system off of the target device?
SSHWhoops?
Ultra quick JTAG primer • JTAG stands for (JointTest Action Group) which was formed in 1985. • IDCODE , BYPASS Registers are often very helpful • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • TheTCK Pin (Test Clock) is what keeps the clock for the state machine. • THETMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle. Source: Wikipedia
Options for connecting to JTAG Good Better Best $45 $60-$600 $5000-$20000
Jtagulator
How to Connect with OpenOCD The command to initiate openocd is : openocd –f interface –f target But now what? There are errors and stuff!!!!! #openocd on Freenode
How to Connect with OpenOCD(2) Silly openocd! That’s more like it J
Using OpenOCD
Reverse Engineering • Ida Pro • PaidVersion required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available • Binary Ninja • Free version available • Very Limited Architecture Support • Not currently an option for this type of work but something to keep in mind.
IDA Pro
Radare2
Other nice to haves
• http://www.grandideastudio.com/hardware-hacking-training/ • http://www.xipiter.com/training.html • https://www.eevblog.com • http://www.embedded.com/electronics-blogs/beginner-s-corner/
THANKYOU!!!! ANY MORE QUESTIONS?

Recomendados

BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsPrice McDonald
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Price McDonald
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101Tiago Henriques
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGSilvio Cesare
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkYashin Mehaboobe
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Intro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingIntro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingAndrew Freeborn
 

Recomendados

BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsPrice McDonald
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Price McDonald
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101Tiago Henriques
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGSilvio Cesare
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkYashin Mehaboobe
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Intro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingIntro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingAndrew Freeborn
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware HackingAndrew Brockhurst
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino ForensicsSteve Watson
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking PrimerYashin Mehaboobe
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGDobrica Pavlinušić
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
LinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected worldLinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected worldCAVEDU Education
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Dwika Sudrajat
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerDobrica Pavlinušić
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Premier Farnell
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software peopleDobrica Pavlinušić
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
Jtag
JtagJtag
JtagTELE-audiovision eng
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playgroundslides_luis
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developersMichel Schudel
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsDobrica Pavlinušić
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecPacSecJP
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMike Webb
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...centralohioissa
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]RootedCON
 

Más contenido relacionado

La actualidad más candente

FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGDobrica Pavlinušić
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
LinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected worldLinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected worldCAVEDU Education
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Dwika Sudrajat
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerDobrica Pavlinušić
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Premier Farnell
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software peopleDobrica Pavlinušić
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playgroundslides_luis
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developersMichel Schudel
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsDobrica Pavlinušić
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecPacSecJP
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMike Webb
 

La actualidad más candente (20)

Hardware Hacking
Hardware HackingHardware Hacking
Hardware Hacking
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino Forensics
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking Primer
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAG
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
LinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected worldLinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected world
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component tester
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software people
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Jtag
JtagJtag
Jtag
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playground
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needs
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and Unlocks
 

Destacado

Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...centralohioissa
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]RootedCON
 
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapalibuildersreviews
 
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsHardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsAndres Lozano
 
Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)Dan Bowen
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Takeda Pharmaceuticals
 
Coders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOWCoders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOWMatt Biddulph
 
JTAG Interface (Intro)
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)Nitesh Bhatia
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblySam Bowne
 
Let's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionLet's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionDobrica Pavlinušić
 

Destacado (14)

Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
 
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
 
Playful
PlayfulPlayful
Playful
 
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsHardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
 
Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)
 
Hardware hacking
Hardware hackingHardware hacking
Hardware hacking
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
 
Coders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOWCoders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOW
 
Breaking Bad EACS Implementations
Breaking Bad EACS ImplementationsBreaking Bad EACS Implementations
Breaking Bad EACS Implementations
 
Router forensics
Router forensicsRouter forensics
Router forensics
 
JTAG Interface (Intro)
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 Disassembly
 
Let's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionLet's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 edition
 

Similar a BSides DFW2016-Hack Mode Enabled

Insecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTInsecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTPrice McDonald
 
Thotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetThotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetPrice McDonald
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalPriyanka Aash
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Alexander Bolshev
 
Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-caninjenerzntu
 
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...ST_World
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataMichael Smith
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015CSO_Presentations
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewMichelle Holley
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Bhavin Chandarana
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search EngineInMobi Technology
 

Similar a BSides DFW2016-Hack Mode Enabled (20)

Insecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTInsecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOT
 
Thotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetThotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a Budget
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...
 
Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-can
 
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology Overview
 
Prezentare tcs2011
Prezentare tcs2011Prezentare tcs2011
Prezentare tcs2011
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
 
Phytium 64 core cpu preview
Phytium 64 core cpu previewPhytium 64 core cpu preview
Phytium 64 core cpu preview
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 
Multithreading Fundamentals
Multithreading FundamentalsMultithreading Fundamentals
Multithreading Fundamentals
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
 

Último

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Último (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

BSides DFW2016-Hack Mode Enabled

  • 1. “Hack Mode” Enabled Hardware Hacking on a Budget BSides DFW 2016 Price McDonald
  • 4. Ok, So Hardware Security sucks… But why focus on the hardware?
  • 6. Where do we get theThings? • Beta Programs • https://www.betabound.com/tp-link-router-private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
  • 8. Tamper Resistance/Detection/Alerting They mean different things, but may not matter either way.
  • 10. Component Identification(2) • EOL 802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pinTSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pinTSOP II
  • 11. Component IdentificationTip andTricks The image part with relationship ID rId5 was not found in the file.
  • 13. Finding Ground • Using the MultiMeter we can figure out which of the pins on our headers connect to ground and which have voltage. GroundVoltage Specifically 3.3v • Got Ground?
  • 14. Physical Counter Measures Gap in trace Extra Resistor
  • 15. Common InterfaceTypes • UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – JointTest Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
  • 16. Pinout Reversing • Saleae Logic Analyzer • ~100 Bucks on the low end @ https://www.saleae.com • Also, EDU discounts available up to 50% depending on model. • Keep in mind that logic analyzers are sampling which can cause artificial data depending on the sampling rate and thresholds. • Works for I2C, UART, SPI, JTAG, CAN, etc, etc
  • 17. Saleae Logic UI • Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes during. This is a good indication of either a UART, I2C or SPI connection. System Boot Likely the boot log being transmitted over UART
  • 18. Saleae Logic - Decoders Given that we suspect Async Serial (UART) we will select that analyzer
  • 19. Saleae Logic - Decoding Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit rate.
  • 20. Saleae Logic – Decoding(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)
  • 21. Saleae Logic – Output As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
  • 22. Or, Have you heard of the Jtagulator? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
  • 23. Connecting to Interfaces • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
  • 25. Connecting to UART The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below. sudo screen /dev/[device id] baud rate Or the the case of the Device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
  • 26. We now have shell! hopefully But now what?
  • 29. File System Fiddling Why is my root a mtdblock? But wait, what is an mtdblock? • MTD is a "MemoryTechnology Device. • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed. • A mtdblock is a block device emulated over an mtd device. Source:Wikipedia
  • 30. File System Fiddling(2) Often times embedded device manufacturers leave important file systems unmounted. Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
  • 31. Pilfering File Systems But, How do we get the file system off of the target device?
  • 33. Ultra quick JTAG primer • JTAG stands for (JointTest Action Group) which was formed in 1985. • IDCODE , BYPASS Registers are often very helpful • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • TheTCK Pin (Test Clock) is what keeps the clock for the state machine. • THETMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle. Source: Wikipedia
  • 34. Options for connecting to JTAG Good Better Best $45 $60-$600 $5000-$20000
  • 36. How to Connect with OpenOCD The command to initiate openocd is : openocd –f interface –f target But now what? There are errors and stuff!!!!! #openocd on Freenode
  • 37. How to Connect with OpenOCD(2) Silly openocd! That’s more like it J
  • 39. Reverse Engineering • Ida Pro • PaidVersion required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available • Binary Ninja • Free version available • Very Limited Architecture Support • Not currently an option for this type of work but something to keep in mind.
  • 42. Other nice to haves
  • 43. • http://www.grandideastudio.com/hardware-hacking-training/ • http://www.xipiter.com/training.html • https://www.eevblog.com • http://www.embedded.com/electronics-blogs/beginner-s-corner/