A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
Introduction
Hardware hacking is fun!
Or at least it seems to be, for a software guy.
Try some of the following hardware hacks and get
started.
Who am I? (this slide again? every year?)
Research Assistant at Deakin University.
Researcher at Volvent Security (Ruxcon party sponsor!).
Just passed my PhD thesis examination (on software). Pics by DNZ.
Outline
Interfacing with UART
Ripping Firmware
Games with IR alarm systems
Gardening with Arduino
UART Basics
UART is like an embedded version of RS232.
Pretty much the same, except the voltage level.
You can attach a serial console.
Interfacing with UART
Serial console access gives us:
Root shells on occasion.
Login access.
Boot information.
More verbose logging, e.g. when a daemon crashes.
The ability to interact with the bootloader to upload new firmware.
Removing the case
Make sure to have screwdrivers.
And jewellers screwdrivers.
And a Torx screwdriver set.
Screws can be hidden in rubber feet or behind stickers.
Sometimes the cases are clipped in.
A small flathead screwdriver is good for prying.
Finding ports
Look for header pins.
Sometimes just pads – you will need to solder header pins.
4 pins are very typical, sometimes more.
If you have 10 or more pins, then it’s probably JTAG (pictured).
Finding the Ground Pin and Voltage
Use the “continuity test” feature of a multimeter.
Attach one probe to the metal shielding.
This is commonly grounded.
Test each pin with the other probe.
It beeps when continuity (GND) is found.
Measure the voltage on the other pins.
Most are 3.3V, but sometimes more or less.
Finding the Transmit Pin
Connect GND to the oscilloscope GND.
Test each pin with the scope.
Reboot the device while doing it.
You should see square waves (data) on the scope when you are on TX.
Interfacing to a PC
Several choices
UART to USB cable
Bus Pirate
JTAGulator
Need to know the voltage levels that you measured earlier.
Just attach each identified pin.
Using a serial console
In Linux, use Minicom.
Pretty much everything is 8N1.
Use the baudrate program to try different baud rates.
And you’ll get data!
Finding the Receive Pin
Brute-force the remaining pins.
Attach each pin to RX.
Try typing something in the serial console.
If you get an echo, then you’ve found the right pin.
Otherwise you’ll get nothing.
This is what it looks like when you’ve done it.
Now what?
Copy the password file and start cracking.
Sometimes /usr/bin/nc is present, so pipe a netcat listener to /bin/sh.
Fuzz the server, look for crash logs.
silvio@silvio:~$ cat passwd-router
admin:K28i.z/SKI2to:0:0:Administrator:/:/bin/sh
support:6PNjgYPP5wJuQ:0:0:Technical Support:/:/bin/sh
user:CSCn9ayV6iYMI:0:0:Normal User:/:/bin/sh
nobody:gNafYeKkdwPC2:0:0:nobody for ftp:/:/bin/sh
silvio@silvio:~$ john -show passwd-router
admin:admin:0:0:Administrator:/:/bin/sh
support:support:0:0:Technical Support:/:/bin/sh
user:user:0:0:Normal User:/:/bin/sh
nobody:admin:0:0:nobody for ftp:/:/bin/sh
4 password hashes cracked, 0 left
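An added audit check (not part of the talk) over the passwd file shown above: it parses the entries and flags what a defender would want fixed on such a device, namely password hashes kept in the world-readable passwd file instead of a shadow file, more than one UID 0 account, and legacy 13-character DES crypt hashes, which are what made the cracking above quick.

```python
from dataclasses import dataclass

# The router passwd file as printed on the slide.
PASSWD_ROUTER = """\
admin:K28i.z/SKI2to:0:0:Administrator:/:/bin/sh
support:6PNjgYPP5wJuQ:0:0:Technical Support:/:/bin/sh
user:CSCn9ayV6iYMI:0:0:Normal User:/:/bin/sh
nobody:gNafYeKkdwPC2:0:0:nobody for ftp:/:/bin/sh
"""

# Placeholders that mean "no hash here" (shadowed or locked).
NO_HASH = ("x", "*", "!", "")

@dataclass
class Entry:
    name: str
    hash: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd(text: str):
    """Parse passwd(5) lines into Entry objects; rejects malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(Entry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def audit(entries):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for e in entries:
        if e.hash not in NO_HASH:
            findings.append(f"{e.name}: hash stored in passwd (no shadow file)")
            if len(e.hash) == 13:   # traditional DES crypt: 2 salt + 11 hash chars
                findings.append(f"{e.name}: legacy DES crypt hash (fast to crack)")
    root_equivalents = [e.name for e in entries if e.uid == 0]
    if len(root_equivalents) > 1:
        findings.append("multiple UID 0 accounts: " + ", ".join(root_equivalents))
    return findings
```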
Final thoughts on UART
It’s actually not that hard once you know the method.
A JTAGulator should make things easy.
Every ADSL router I own has a UART port.
It’s a good entry point into hw hacking.
Ripping Firmware
Sometimes it’s useful to have the firmware.
Reversing the code.
Finding static strings, usernames, or passwords.
silvio@silvio:~$ ls -la spi.rom
-rw-r--r-- 1 root root 4194304 Sep 19 13:02 spi.rom
silvio@silvio:~$ strings spi.rom|egrep 'ass|sername'
passing 'arg' as arguments
passing arguments 'arg ...'; when booting a Linux kernel,
wan_pppoe_passwd=
usb_ftpusername_x=
http_username=admin
ddns_username_x=
http_passwd=admin
acc_username=
wan_pppoe_username=
...
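The strings-and-grep step above as a reusable check, an added example that is not from the talk: it pulls printable runs out of a firmware image the way strings(1) does and reports key=value settings whose key looks like a credential and whose value is actually set, so default credentials baked into the image are listed in one pass. The image bytes are constructed here and the credential key pattern is an assumption modelled on the output above.

```python
import re

# Constructed stand-in for an SPI flash dump; real input is open("spi.rom", "rb").read().
SAMPLE_IMAGE = (
    b"\x00\xffU-Boot\x00passing 'arg' as arguments\x00"
    b"http_username=admin\x00http_passwd=admin\x00"
    b"wan_pppoe_passwd=\x00ddns_username_x=\x00"
    b"\x7f\x13telnet_pw=secret123\x00\x01\x02"
)

# Keys that suggest a stored credential (assumption, modelled on the grep on the slide).
CRED_KEY_RE = re.compile(r"(pass|passwd|pw|secret|user(name)?)", re.IGNORECASE)

def extract_strings(image: bytes, minlen: int = 4):
    """Runs of printable ASCII at least `minlen` long, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    return [m.group().decode("ascii") for m in pat.finditer(image)]

def find_default_credentials(image: bytes):
    """Return {key: value} for key=value strings whose key looks credential-like.
    Empty values (e.g. wan_pppoe_passwd=) are unset defaults and are not reported."""
    found = {}
    for s in extract_strings(image):
        key, sep, value = s.partition("=")
        if not sep or not value:
            continue
        if CRED_KEY_RE.search(key):
            found[key] = value
    return found

if __name__ == "__main__":
    for key, value in find_default_credentials(SAMPLE_IMAGE).items():
        print(f"{key} = {value}")
```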
IC identification
Most things are surface mount packages.
Part numbers are typically on the IC.
Use a small magnifying lamp to read the part numbers.
Look up the datasheet on Google.
Desoldering ICs
Sometimes you need to remove the IC to read or write to it.
One way is to use desolder braid.
A better way is with a hot air rework station that can heat up the solder.
Remove IC with tweezers or vacuum pickup tool.
Hot air rework station
NAND Flash Programming
Read and write to NAND with a “device programmer”.
Buy a universal device programmer.
Place NAND in programmer, use software to read.
Universal Device Programmers
Xeltek pictured.
SPI Serial Flash
Flash memory that doesn’t require block access.
Can be executed-in-place.
No need to copy into memory.
Often see things like bootloaders on it.
Common in SOIC-8 package.
You can use an expensive device programmer.
Or cheaper methods...
Reading SPI Flash in-circuit
These can be read with a GoodFET or Bus Pirate.
If using the Bus Pirate, you can use flashrom.
The IC can be read in-circuit.
Use IC test clips.
Or SMD hooks.
SPI Serial Flash Desoldering
SOIC can be desoldered.
If desoldered, use a SOIC-to-DIP adapter and a breadboard.
Using a GoodFET to read SPI Flash
Look at datasheet for IC.
Attach GoodFET to IC.
Some IC pins may need to go to VCC with a resistor.
Final thoughts on ripping firmware
Top of the line programmers are expensive.
A GoodFET or a Bus Pirate is affordable.
Once you rip the data from the IC, you have to reconstruct the data.
This is not trivial.
Games with IR alarm systems
Bought from eBay.
The alarm
PIR motion sensor
IR arming/disarming remote
A first failed attempt
Learning remote.
Bought from Jaycar.
Didn’t work.
Taking apart the remote
A lesson from circuit theory
The remote is an “astable multivibrator”.
A type of oscillator.
Plug the values of the resistors and capacitors into:
T = ln(2)·R2·C1 + ln(2)·R3·C2
f = 1/T
This gives f = 38.52 kHz.
Repurposing a different remote
Take remote from a different device.
Attach GPIO pin of Arduino to IR LED.
Do some Arduino coding...
Pulse at the 38.52 kHz.
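The two slides above carried through in code, as an added example that is not the talk's: the astable period T = ln(2)·R2·C1 + ln(2)·R3·C2 evaluated for constructed component values, and the half-period an Arduino GPIO pin must toggle at to reproduce 38.52 kHz, including the error introduced when that half-period is rounded to whole microseconds for delayMicroseconds(). The R and C values are assumptions; the slide gives only the resulting frequency.

```python
import math

LN2 = math.log(2)

def astable_period(r2, c1, r3, c2):
    """T = ln(2)*R2*C1 + ln(2)*R3*C2; resistances in ohms, capacitances in farads."""
    return LN2 * r2 * c1 + LN2 * r3 * c2

def astable_frequency(r2, c1, r3, c2):
    """f = 1/T in hertz."""
    return 1.0 / astable_period(r2, c1, r3, c2)

def half_period_us(freq_hz):
    """Time the pin spends high (then low) per cycle, in microseconds."""
    return 1e6 / (2.0 * freq_hz)

def realised_frequency(half_period_whole_us):
    """Frequency actually produced once the half-period is a whole number of
    microseconds, as it is with delayMicroseconds() on the Arduino."""
    return 1e6 / (2.0 * half_period_whole_us)

# Constructed component values (assumption, not from the slide): R2 = R3 = 18.7 kOhm, C1 = C2 = 1 nF.
R2 = R3 = 18.7e3
C1 = C2 = 1e-9

if __name__ == "__main__":
    print(f"astable frequency for the assumed parts: {astable_frequency(R2, C1, R3, C2):.1f} Hz")
    target = 38.52e3
    half = half_period_us(target)
    rounded = round(half)
    print(f"half-period for {target / 1e3:.2f} kHz: {half:.2f} us -> delayMicroseconds({rounded})")
    print(f"realised: {realised_frequency(rounded):.1f} Hz, "
          f"error {realised_frequency(rounded) - target:+.1f} Hz")
```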
Getting the frequency using a counter
Checking the signal
Generating the signal with a function
generator
Making it easy... The USB Infrared Toy
Sold for $20.
Can capture and replay IR signals.
Disarms alarm.
Final thoughts on IR alarms
You get what you pay for.
Try to get an RF alarm with a “rolling code”.
This is what your car probably uses.
RF opens up a whole new world of fun.
Gardening with Arduino
Make your backyard irrigation system computer controlled.
Arduino activates relay.
Relay controls water solenoid/valve.
PC activates Arduino.
Network controlled.
Cron job to start and stop the watering.
The Prototype
What does a relay do?
A small voltage and/or current can switch on a much larger voltage and/or current.
The solenoid needs 24VAC.
That can be powered by a small wall wart.
The Arduino can activate the relay using one of its low voltage/current GPIO pins.
I used a solid state relay.
Soldered and in project box
How do I connect the Arduino to a PC?
By a USB serial!
The Arduino listens for commands over the USB/serial interface.
If the command is start, then it turns on the pin connected to the relay.
I wrote a small network daemon on the PC that takes commands and relays them to the Arduino.
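The PC-side daemon described above as an added sketch (not the talk's code): it accepts text commands from the network, forwards only the allowlisted start/stop words to the Arduino over serial, and caps how long a start may stay in effect so a lost stop command cannot leave the valve open. The command words, the line-based wire format and the 30-minute limit are assumptions; the serial port is stubbed so the example runs without hardware.

```python
import time

# Assumed wire protocol to the Arduino: one ASCII word per line (not the talk's exact format).
ALLOWED = {"start": b"start\n", "stop": b"stop\n"}
MAX_RUN_SECONDS = 30 * 60   # assumption: never water longer than 30 minutes in one go

class FakeSerial:
    """Stand-in for serial.Serial so the example runs offline; records what was sent."""
    def __init__(self):
        self.sent = []
    def write(self, data: bytes):
        self.sent.append(data)

class ValveController:
    def __init__(self, port, clock=time.monotonic):
        self.port = port
        self.clock = clock
        self.started_at = None   # clock value of the last accepted start, or None

    def handle(self, raw: bytes) -> str:
        """Validate one network command; forward it only if it is allowlisted."""
        cmd = raw.decode("ascii", errors="replace").strip().lower()
        if cmd not in ALLOWED:
            return "error: unknown command"   # dropped, never forwarded to the Arduino
        self.port.write(ALLOWED[cmd])
        self.started_at = self.clock() if cmd == "start" else None
        return "ok"

    def watchdog(self) -> bool:
        """Call periodically: sends stop and returns True if a start has run too long."""
        if self.started_at is not None and self.clock() - self.started_at > MAX_RUN_SECONDS:
            self.port.write(ALLOWED["stop"])
            self.started_at = None
            return True
        return False

if __name__ == "__main__":
    ctl = ValveController(FakeSerial())
    for line in (b"START\n", b"drain\n", b"stop\n"):   # constructed network input
        print(line.strip().decode(), "->", ctl.handle(line))
    print("bytes sent to Arduino:", ctl.port.sent)
```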
The final product
Bazinga
Conclusion
Hardware hacking is fun.
Lots of things to try.
If you’ve got a spare ADSL router, pull it apart and attach a serial console.
Thanks to Stephen Ridley.
Any questions?