A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING

Upload: silvio-cesare

Post on 22-Apr-2015

TRANSCRIPT

Page 1: A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING

(Title slide)

Page 2

Introduction

Hardware hacking is fun!

Or at least it seems to be, for a software guy.

Try some of the following hardware hacks and get started.

Page 3

Who am I? (this slide again? every year?)

Research Assistant at Deakin University.

Researcher at Volvent Security (Rux party sponsor!).

Just passed my PhD thesis examination (on software). Pics by DNZ.

Page 4

Outline

Interfacing with UART

Ripping Firmware

Games with IR alarm systems

Gardening with Arduino

Page 5

UART Basics

UART is like an embedded version of RS232.

Pretty much the same, except the voltage level.

You can attach a serial console.

Page 6

Interfacing with UART

Serial console access gives us:

Root shells on occasion.

Login access.

Boot information.

More verbose logging, e.g. when a daemon crashes.

The ability to interact with the bootloader to upload new firmware.

Page 7

Removing the case

Make sure to have screwdrivers.

And jewellers’ screwdrivers.

And a Torx screwdriver set.

Screws can be hidden in rubber feet or behind stickers.

Sometimes the cases are clipped in.

A small flathead screwdriver is good for prying.

Page 8

Finding ports

Look for header pins.

Sometimes just pads – you will need to solder header pins.

4 pins are very typical, sometimes more.

If you have 10 or more pins, then it’s probably JTAG (pictured).

Page 9

Finding the Ground Pin and Voltage

Use the “continuity test” feature of a multimeter.

Attach one probe to the metal shielding.

This is commonly grounded.

Test each pin with the other probe.

It beeps when continuity (GND) is found.

Measure the voltage on the other pins.

Most are 3.3 V, but sometimes more or less.

Page 10

Finding the Transmit Pin

Connect GND to the oscilloscope GND.

Test each pin with the scope.

Reboot the device while doing it.

You should see square waves (data) on the scope when probing TX.

Page 11

Interfacing to a PC

Several choices:

UART to USB cable

Bus Pirate

JTAGulator

Need to know the voltage levels that you measured earlier.

Just attach each identified pin.

Page 12

Using a serial console

In Linux, use Minicom.

Pretty much everything is 8N1.

Use the baudrate program to try different baud rates.

And you’ll get data!

Page 13

Finding the Receive Pin

Brute force remaining pins

Attach each pin to RX.

Try typing something in the serial console.

If you get an echo, then you’ve found the right pin.

Otherwise you’ll get nothing.
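The baud-rate hunt from the previous slides, as an added example that is not from the talk: each candidate rate is scored by how much of the captured data looks like text, and the best one is reported only if it is clearly clean. The `read_at` callable and the sample captures are constructed for this example; on real hardware it would wrap pyserial (`serial.Serial(port, baud, timeout=1).read(n)`), keeping 8N1 fixed as the slides say.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Rates worth trying first on an embedded console (assumption for this example).
COMMON_BAUDS = [9600, 19200, 38400, 57600, 115200]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def rank_baudrates(read_at: Callable[[int], bytes],
                   candidates: List[int] = COMMON_BAUDS) -> List[Tuple[int, float]]:
    """Capture at each candidate rate and return (baud, score), best first."""
    scored = [(baud, printable_ratio(read_at(baud))) for baud in candidates]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def guess_baudrate(read_at: Callable[[int], bytes],
                   threshold: float = 0.9) -> Optional[int]:
    """Best rate if its capture is mostly text, else None (nothing readable seen)."""
    best, score = rank_baudrates(read_at)[0]
    return best if score >= threshold else None


# Constructed stand-in for a serial port: boot text at 115200, framing
# garbage (high and control bytes) at every other rate.
_FAKE_CAPTURES: Dict[int, bytes] = {
    115200: b"U-Boot 1.1.4 (Sep 19 2012)\r\nDRAM:  32 MB\r\nHit any key to stop autoboot\r\n",
}


def fake_read_at(baud: int) -> bytes:
    return _FAKE_CAPTURES.get(baud, bytes([0xFF, 0x00, 0xFE, 0x80, 0x7F, 0x1B]) * 8)


if __name__ == "__main__":
    for baud, score in rank_baudrates(fake_read_at):
        print(f"{baud:>7}: {score:.2f}")
    print("guess:", guess_baudrate(fake_read_at))
```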

Page 14

This is what it looks like when you’ve done it.

Page 15

Now what?

Copy the password file and start cracking.

Sometimes /usr/bin/nc is present, so pipe a netcat listener to /bin/sh.

Fuzz the server, look for crash logs.

silvio@silvio:~$ cat passwd-router
admin:K28i.z/SKI2to:0:0:Administrator:/:/bin/sh
support:6PNjgYPP5wJuQ:0:0:Technical Support:/:/bin/sh
user:CSCn9ayV6iYMI:0:0:Normal User:/:/bin/sh
nobody:gNafYeKkdwPC2:0:0:nobody for ftp:/:/bin/sh

silvio@silvio:~$ john -show passwd-router
admin:admin:0:0:Administrator:/:/bin/sh
support:support:0:0:Technical Support:/:/bin/sh
user:user:0:0:Normal User:/:/bin/sh
nobody:admin:0:0:nobody for ftp:/:/bin/sh
4 password hashes cracked, 0 left

Page 16

Final thoughts on UART

It’s actually not that hard once you know the method.

A JTAGulator should make things easy.

Every ADSL router I own has a UART port.

It’s a good entry point into hw hacking.

Page 17

Ripping Firmware

Sometimes it’s useful to have the firmware.

Reversing the code.

Finding static strings, usernames, or passwords.

silvio@silvio:~$ ls -la spi.rom
-rw-r--r-- 1 root root 4194304 Sep 19 13:02 spi.rom

silvio@silvio:~$ strings spi.rom|egrep 'ass|sername'
passing 'arg' as arguments
passing arguments 'arg ...'; when booting a Linux kernel,
wan_pppoe_passwd=
usb_ftpusername_x=
http_username=admin
ddns_username_x=
http_passwd=admin
acc_username=
wan_pppoe_username=
...
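The `strings | egrep` pass above, taken one step further as an added example (not from the talk): pull NVRAM-style `key=value` settings out of a raw flash image and flag credential entries that are empty or still at a well-known default, which is the check to run on your own device's firmware before it goes online. The image bytes are constructed for this example; the key names mirror the slide output.

```python
import re
from typing import Dict, List

# Printable runs of at least 4 bytes, matching strings(1)'s default minimum.
_STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Setting names that usually hold credentials (assumption for this example).
_CRED_KEY_RE = re.compile(r"(user|usr|pass|passwd|pwd|secret|key)", re.I)
# Values that mean "never changed from the factory" (constructed list).
DEFAULT_VALUES = {"", "admin", "password", "root", "1234"}


def extract_settings(image: bytes) -> Dict[str, str]:
    """Return key=value strings found anywhere in the image (last one wins)."""
    settings: Dict[str, str] = {}
    for m in _STRINGS_RE.finditer(image):
        s = m.group().decode("ascii")
        if "=" not in s:
            continue
        key, _, value = s.partition("=")
        if re.fullmatch(r"[A-Za-z0-9_.]+", key):
            settings[key] = value.strip()
    return settings


def weak_credentials(settings: Dict[str, str]) -> List[str]:
    """Credential-looking keys whose value is empty or a well-known default."""
    return sorted(k for k, v in settings.items()
                  if _CRED_KEY_RE.search(k) and v.lower() in DEFAULT_VALUES)


# Constructed image: a few settings, NUL-separated, padded with 0xFF like erased flash.
SAMPLE_IMAGE = b"\xff" * 16 + b"\x00".join([
    b"http_username=admin", b"http_passwd=admin", b"wan_pppoe_passwd=",
    b"wan_pppoe_username=", b"lan_ipaddr=192.168.1.1", b"hostname=router",
]) + b"\xff" * 16


if __name__ == "__main__":
    found = extract_settings(SAMPLE_IMAGE)
    for k in weak_credentials(found):
        print(f"weak/default credential: {k}={found[k]!r}")
```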

Page 18

IC identification

Most things are surface mount packages.

Part numbers are typically on the IC.

Use a small magnifying lamp to read the part numbers.

Look up the datasheet on Google.

Page 19

Desoldering ICs

Sometimes you need to remove the IC to read or write to it.

One way is to use desolder braid.

A better way is with a hot air rework station that can heat up the solder.

Remove the IC with tweezers or a vacuum pickup tool.

Page 20

Hot air rework station

Page 21

NAND Flash Programming

Read and write to NAND with a “device programmer”.

Buy a universal device programmer.

Place the NAND in the programmer, use software to read.

Page 22

Universal Device Programmers

Xeltek pictured.

Page 23

SPI Serial Flash

Flash memory that doesn’t require block access.

Can be executed-in-place.

No need to copy into memory.

Often see things like bootloaders on it.

Common in SOIC-8 package.

You can use an expensive device programmer.

Or cheaper methods...

Page 24

Reading SPI Flash in-circuit

These can be read with a GoodFET or Bus Pirate.

If using a Bus Pirate, then you can use flashrom.

The IC can be read in-circuit.

Use IC test clips.

Or SMD hooks.

Page 25

SPI Serial Flash Desoldering

SOIC can be desoldered.

If desoldered, use a SOIC to DIP adapter and breadboard.

Page 26

Using a GoodFET to read SPI Flash

Look at the datasheet for the IC.

Attach the GoodFET to the IC.

Some IC pins may need to go to VCC with a resistor.

Page 27

Final thoughts on ripping firmware

Top of the line programmers are expensive.

A GoodFET or a Bus Pirate is affordable.

Once you rip the data from the IC, you have to reconstruct the data.

This is not that trivial.

Page 30

A first failed attempt

Learning remote.

Bought from Jcar.

Didn’t work.

Page 32

A lesson from circuit theory

The remote is an “astable multivibrator”, a type of oscillator.

Plug the values of the resistors and capacitors into the formula; this gives f = 38.52 kHz.

T = ln(2)·R2·C1 + ln(2)·R3·C2

f = 1/T

Page 33

Repurposing a different remote

Take a remote from a different device.

Attach a GPIO pin of the Arduino to the IR LED.

Do some Arduino coding...

Pulse at 38.52 kHz.

Page 37

Generating the signal with a function generator

Page 38

Making it easy... The USB Infrared Toy

Sold for $20.

Can capture and replay IR signals.

Disarms alarm.

Page 39

Final thoughts on IR alarms

You get what you pay for.

Try to get an RF alarm with a “rolling code”.

This is what your car probably uses.

RF opens up a whole new world of fun.

Page 40

Gardening with Arduino

Make your backyard irrigation system computer controlled.

Arduino activates relay.

Relay controls water solenoid/valve.

PC activates Arduino.

Network controlled.

Cron job to start and stop the watering.

Page 41

The Prototype

Page 42

What does a relay do?

A small voltage and/or current can switch on a much larger voltage and/or current.

The solenoid needs 24 VAC.

That can be powered by a small wall wart.

The Arduino can activate the relay using one of its low voltage/current GPIO pins.

I used a solid state relay.

Page 43

Soldered and in project box

Page 44

How do I connect the Arduino to a PC?

By USB serial!

The Arduino listens for commands over the USB/serial interface.

If the command is start, then it turns on the pin connected to the relay.

I wrote a small network daemon on the PC that takes commands and relays them to the Arduino.
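The PC-side relay daemon described above, as an added example that is not the author's code: it accepts one line per TCP connection and forwards only an allow-list of commands, so a client on the network can never push arbitrary bytes at the microcontroller's serial port. The wire format (ASCII `start`/`stop`, Arduino answering `ok`) and the loopback-only bind are assumptions for this example; the serial link is a callable so the logic runs without hardware.

```python
import socketserver
from typing import Callable, Dict, Optional

# Commands the daemon will forward, and the exact bytes sent for each (assumed protocol).
ALLOWED: Dict[str, bytes] = {"start": b"start\n", "stop": b"stop\n"}

# The serial link: write bytes, return the Arduino's reply line. Set before serving;
# with pyserial this would be: ser.write(data); return ser.readline().
SERIAL_IO: Optional[Callable[[bytes], bytes]] = None


def handle_command(line: str, serial_io: Callable[[bytes], bytes]) -> str:
    """Validate one client line and forward it only if it is allow-listed.

    Returns the one-line reply for the client. Unknown input is rejected
    before the serial link is touched, so "start; anything" never reaches it.
    """
    cmd = line.strip().lower()
    if cmd not in ALLOWED:
        return "error: unknown command"
    reply = serial_io(ALLOWED[cmd]).strip()
    return "ok" if reply == b"ok" else f"error: arduino said {reply!r}"


class RelayHandler(socketserver.StreamRequestHandler):
    """One TCP connection: read a short line, answer, close."""

    def handle(self) -> None:
        line = self.rfile.readline(64).decode("ascii", errors="replace")
        assert SERIAL_IO is not None, "serial link not configured"
        self.wfile.write((handle_command(line, SERIAL_IO) + "\n").encode())


def fake_serial_io(data: bytes) -> bytes:
    """Constructed stand-in for the Arduino: 'ok' for known commands, '?' otherwise."""
    return b"ok\n" if data in ALLOWED.values() else b"?\n"


if __name__ == "__main__":
    SERIAL_IO = fake_serial_io
    # Loopback only: the cron job on the same PC is the intended client.
    with socketserver.TCPServer(("127.0.0.1", 7000), RelayHandler) as srv:
        srv.serve_forever()
```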

Page 45

The final product

Page 46

Bazinga

Page 47

Conclusion

Hardware hacking is fun.

Lots of things to try.

If you’ve got a spare ADSL router, pull it apart and attach a serial console.

Thanks to Stephen Ridley.

Any questions?