Hardware hacking 101


Presentation done at confraria

  1. HARDWARE HACKING 101
     An introduction to hardware hacking and why it matters...
  2. SPEAKER
     • BSc Software Engineering, University of Brighton
     • MSc by Research in Computer Security and Forensics, University of Bedfordshire
     • PhD dropout
     • Enjoys breaking stuff
     • Founder @ptcoresec
     • Organizer of @Bsideslisbon with @morisson
     • Never had electronics lessons or any type of background
     • You should know me by now... It's my 6th time speaking @confraria!
  3. TOPICS
  4. AGENDA
     • Hardware hacking
       • What
       • Why
     • Bill of materials
     • Protocols
     • Hardware hackz
     • Demos
  5. HARDWARE HACKING - WHAT
     Q: What is hardware hacking, and why should I care about it?
     A: Your secure software is only as secure as the hardware it is running on...
     Imagine implementing all your crypto correctly and then finding a tiny itsy bitsy "problem" with your RNG: a biased or predictable source makes every key derived from it guessable.
  7. HARDWARE HACKING - WHY
     • Electronic equipment is virtually everywhere we look.
     • How safe is this hardware? We should know whether it is safe, since we have a ton of things running on chips and using protocols that we take for granted as "secure"...
     • Hardware hacking is still a taboo; people feel it is harder to get into. It's high school all over again: "maths is hard, physics is hard..."
     • Old attacks still work on hardware...
     • Lots of security by obscurity... "black box devices"
  8. HARDWARE HACKING – WHY (WHITEHAT VERSION)
     • We see plenty of articles, most of them saying "China hacked X, Y and Z".
     • Do we forget that there is something else that has the word "China" everywhere? The chips that run in pretty much all the hardware we use are mass-built in China: "Made in China".
     • What if they decided to mass backdoor these chips? Or, even better, what if they decided to "selectively" backdoor and affect military "grade" chips only?
  9. HARDWARE HACKING – WHY (BLACKHAT VERSION)
     • Stealing a service: smart-meter hacking, anyone? "Via Verde" can also be a funny one to look at. Oh, and ISP routers are the lulz.
     • Cloning: company X builds the cool Whoopadywoo Gold Edition gadget and company Z hires a hardware reverse engineer to understand how it works.
     • Authentication: fake an authentication, or brute-force it!
  10. HARDWARE HACKING – CONCEPTS
     • You do need a bit of physics
  11. HARDWARE HACKING – CONCEPTS
     • Voltage - Simply put, voltage is what provides power. In digital circuits it is also used to carry data in binary form: ON/OFF, 1/0. Digital logic levels are commonly 3.3 V and 5 V (1.8 V on newer parts). Two types of voltage exist: AC and DC.
     • AC (alternating current) - This is what you usually find at the wall socket. It is produced at a higher voltage at the power station and then reduced, by a transformer for example, to the voltage your equipment uses at home.
     • DC (direct current) - This is what you find in batteries; essentially, if a battery is 6 V it stays close to 6 V until it depletes.
  12. HARDWARE HACKING – CONCEPTS
     • To measure voltage you can use a multimeter or an oscilloscope (we will look at these devices further down in this presentation).
     A few important points to remember about voltage:
     • You can only check voltage when your system is powered up.
     • Voltage must be read between two points (a test point and a ground point).
     • Voltage has polarity: if you see negative values on the multimeter you are probably putting the ground/black probe on the wrong point.
  13. HARDWARE HACKING – CONCEPTS
     Resistance - a measure of how much a resistor opposes the flow of current. In schematics a resistor is drawn as a zigzag (or, in IEC style, a rectangle) and it has two leads by which it is connected into a circuit. Resistance is measured in ohms, symbol Ω (omega).
  14. HARDWARE HACKING – BILL OF MATERIALS
     • Soldering iron
     • Desoldering tool
     • Solder
     • Multimeter
     • Logic analyzer
     • Microscope / magnifier
     • Digital circuit design software
     • Wires - long, small, different sizes
     • Microcontroller reprogrammer
     • Prototyping microcontroller
     • Oscilloscope
     • Breadboards
     • Random electronic components
     • Hardware to break!
  15. HARDWARE HACKING – BILL OF MATERIALS: Soldering iron
     Price range: 50€ - 5000€
     Multiple types: gas, laser, heat...
  16. HARDWARE HACKING – BILL OF MATERIALS: Desoldering gun / pump
     Price range: 10€ - 500€
     Multiple types: pump, gun
  17. HARDWARE HACKING – BILL OF MATERIALS: Solder
     Price range: 2€ - 200€
     Multiple types and sizes
  18. HARDWARE HACKING – BILL OF MATERIALS: Multimeter
     Price range: 11€ - 9000€
     Multiple types: digital and analog
  19. HARDWARE HACKING – BILL OF MATERIALS: Multimeter
     A multimeter is a device that can measure several quantities; even the most basic ones measure:
     • Voltage
     • Current
     • Resistance
     The accuracy of these devices usually depends a lot on the price as well.
  21. HARDWARE HACKING – BILL OF MATERIALS
     Putting the black probe (ground) on the negative side and the red probe on the positive, and then choosing the DC voltage 2 V range on the multimeter, shows the result (photo in the original slides).
  22. HARDWARE HACKING – BILL OF MATERIALS
     The same thing can be done for resistors. If we grab a random resistor and then connect the probes (photos in the original slides). In this case I used a bit of cable to connect them as they wouldn't stick for the photo; also, it doesn't matter which end you connect each probe to. Unlike voltage, resistance isn't directional.
  23. HARDWARE HACKING – BILL OF MATERIALS: Logic analyzer
     Price range: irrelevant. What you want is this: the Saleae Logic analyzer - 140 €
     Used to understand which protocols are running and to debug different chips/protocols.
  24. HARDWARE HACKING – BILL OF MATERIALS: Microscope or magnifier
     Price range: 10€ - 5000€
  25. HARDWARE HACKING – BILL OF MATERIALS: Digital circuit software
     Price range: 0 € - 5000 €
  26. HARDWARE HACKING – BILL OF MATERIALS: Wires
     Price range: 5€ - 400€
     Made of multiple materials, in different gauges, lengths, etc...
  27. HARDWARE HACKING – BILL OF MATERIALS: Microcontroller reprogrammer
     Price range: 20€ - 500€
     Different protocols, capacity, speed, functionality...
     In my case I have a Bus Pirate:
     "The Bus Pirate is an open source hacker multi-tool that talks to electronic stuff. It's got a bunch of features an intrepid hacker might need to prototype their next project."
  28. HARDWARE HACKING – BILL OF MATERIALS: Bus Pirate
     • Talks multiple protocols
     • Built-in terminal
     • Can be controlled using Python or C
     • Connects via USB
     • Protocols: 1-Wire, UART, I2C, SPI, raw 2-wire, raw 3-wire, MIDI, PC keyboard, JTAG
  30. HARDWARE HACKING – BILL OF MATERIALS: Microcontroller reprogrammer
     Price range: 20€ - 500€
     Different protocols, capacity, speed, functionality...
     In my case I also happen to have a GoodFET 31
  31. HARDWARE HACKING – BILL OF MATERIALS: Prototyping microcontroller
     Price range: 20€ - xxxx€
     Different protocols, capacity, speed, functionality...
     In my case I have multiple Arduinos
  32. HARDWARE HACKING – BILL OF MATERIALS: Prototyping microcontroller
     Price range: 38€
     Different protocols, capacity, speed, functionality...
     Another great choice are the new BeagleBoards. For the price they look even better than the Arduinos.
  33. HARDWARE HACKING – BILL OF MATERIALS: Oscilloscope
     Price range: 40€ - 5000€
     Different capacity, speed, functionality...
     In my case I currently have a DSO Nano v3; this is a cheap scope that can be bought for 40€, and it's really all you need when you start. I am currently considering an upgrade to the Rigol DS2072, which at 500€ is still a great price for a full-blown scope.
  34. HARDWARE HACKING – BILL OF MATERIALS: Breadboards
     Price range: 5€ - 50€
     Different sizes.
  35. HARDWARE HACKING – BILL OF MATERIALS: Random electronic components
     • Resistors
     • Batteries
     • Capacitors
     • Sensors
     • Diodes
     • Transistors
  36. HARDWARE HACKING – BILL OF MATERIALS: Hardware to break!
     • Mobile phone
     • Nook
     • Tamagotchi
     • IM-ME
     • Routers
  37. HARDWARE HACKING – BILL OF MATERIALS: Hardware to break!
     • Femtocell
     • Printer
     • Random hardware
  38. HARDWARE HACKING – BILL OF MATERIALS: Hardware to break!
     • Medical devices
  39. HARDWARE HACKING – PROTOCOLS
     • SPI - Serial Peripheral Interface - a synchronous serial data link that operates in full duplex; devices communicate in a master/slave model. Expect four signals: SCLK (clock), MOSI (master out, slave in), MISO (master in, slave out) and one chip select (CS/SS) per slave, so a minimum of 3 pins only when a single slave has its CS permanently tied active.
     • I2C - Inter-Integrated Circuit - uses 2 bidirectional lines, SDA (Serial Data Line) and SCL (Serial Clock Line). It operates in half duplex and since it uses 2 lines you will see 2 pins on devices; every device on the bus answers to a 7-bit address that the master sends in the first byte of each transaction.
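     To make the difference between the two buses concrete, here is an added example (not code from the talk) that decodes SPI and I2C the way a logic analyzer does, from arrays of sampled line levels. The captures are constructed inline by the *_trace() helpers, so nothing is read from real hardware; the SPI mode (mode 0: clock idle low, data sampled on the rising edge, MSB first, CS active low), the 7-bit I2C addressing and the byte values are assumptions for the demonstration. Note how SPI yields two byte streams at once (full duplex, separate MOSI/MISO wires) while I2C yields one stream whose direction comes from the R/W bit of the address byte.

```python
# Added example: logic-analyzer-style SPI and I2C decoders over sampled line
# levels. Not from the presentation; captures are constructed below.

def spi_decode(sclk, mosi, miso, cs):
    """Return (mosi_bytes, miso_bytes): both directions at once, since SPI is
    full duplex. Bits are assembled only while CS is low (slave selected)."""
    mosi_bytes, miso_bytes = [], []
    mo = mi = nbits = 0
    for i in range(1, len(sclk)):
        if cs[i]:                                  # CS high: nothing selected, drop partial byte
            mo = mi = nbits = 0
            continue
        if sclk[i - 1] == 0 and sclk[i] == 1:      # rising SCLK edge = sample point in mode 0
            mo = (mo << 1) | mosi[i]
            mi = (mi << 1) | miso[i]
            nbits += 1
            if nbits == 8:
                mosi_bytes.append(mo)
                miso_bytes.append(mi)
                mo = mi = nbits = 0
    return mosi_bytes, miso_bytes


def spi_trace(master_bytes, slave_bytes):
    """Construct a mode-0 capture: one low and one high SCLK sample per bit."""
    sclk, mosi, miso, cs = [0, 0], [0, 0], [0, 0], [1, 0]   # idle, then CS asserted
    for mb, sb in zip(master_bytes, slave_bytes):
        for bit in range(7, -1, -1):                         # MSB first
            m, s = (mb >> bit) & 1, (sb >> bit) & 1
            sclk += [0, 1]
            mosi += [m, m]                                   # data set while clock low, held over the edge
            miso += [s, s]
            cs += [0, 0]
    sclk += [0, 0]
    mosi += [0, 0]
    miso += [0, 0]
    cs += [0, 1]                                             # CS released
    return sclk, mosi, miso, cs


def i2c_decode(scl, sda):
    """Return bus events: START, STOP, ADDR (7-bit address, R/W, acked), DATA (byte, acked)."""
    events, bits, in_frame, first = [], [], False, True
    for i in range(1, len(scl)):
        if scl[i - 1] == 1 and scl[i] == 1:        # SDA changing while SCL is high means START/STOP
            if sda[i - 1] == 1 and sda[i] == 0:
                events.append(("START",))
                in_frame, first, bits = True, True, []
                continue
            if sda[i - 1] == 0 and sda[i] == 1:
                events.append(("STOP",))
                in_frame, bits = False, []
                continue
        if in_frame and scl[i - 1] == 0 and scl[i] == 1:   # data bit is valid on rising SCL
            bits.append(sda[i])
            if len(bits) == 9:                              # 8 data bits + ACK bit
                byte = int("".join(map(str, bits[:8])), 2)
                acked = bits[8] == 0                        # receiver pulls SDA low to ACK
                if first:
                    events.append(("ADDR", byte >> 1, "R" if byte & 1 else "W", acked))
                    first = False
                else:
                    events.append(("DATA", byte, acked))
                bits = []
    return events


def i2c_trace(frames):
    """Construct a capture: START, then (byte, acked) frames, then STOP."""
    scl, sda = [1, 1, 1], [1, 1, 0]                 # idle high, then SDA falls = START
    for byte, acked in frames:
        for b in [(byte >> k) & 1 for k in range(7, -1, -1)] + [0 if acked else 1]:
            scl += [0, 1]
            sda += [b, b]                           # change SDA while SCL low, hold through the edge
    scl += [0, 1, 1]
    sda += [0, 0, 1]                                # SDA rises while SCL high = STOP
    return scl, sda


if __name__ == "__main__":
    # Constructed SPI exchange: master sends 0x9F (the JEDEC read-ID command most
    # SPI flash chips answer) and three dummy bytes; the slave's ID bytes are made up.
    print(spi_decode(*spi_trace([0x9F, 0, 0, 0], [0, 0x12, 0x34, 0x56])))
    # Constructed I2C write of 0xA5 to register 0 of a device at (assumed) address 0x50.
    print(i2c_decode(*i2c_trace([(0x50 << 1, True), (0x00, True), (0xA5, True)])))
```

     Feeding the decoders a real Saleae export is a matter of reading one column per wire into the lists; the edge-detection logic is the same one the analyzer's built-in protocol decoders apply, and running it by hand is a good way to check whether you guessed the SPI mode or the clock polarity right.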
  40. HARDWARE HACKING – PROTOCOLS
     • JTAG - Joint Test Action Group - usually used to debug devices. Four signals are mandatory and one is optional, so you will find one of two pin layouts:
       • 4 pins
         • TDI (Test Data In)
         • TDO (Test Data Out)
         • TCK (Test Clock)
         • TMS (Test Mode Select)
       • 5 pins: the four above plus
         • TRST (Test Reset), optional; the TAP can also be reset by holding TMS high for five TCK clocks, which is why the pin is so often left out.
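     What those four pins actually drive is the TAP controller, a 16-state machine stepped by TMS on every TCK edge. The following is an added example (not from the talk, and pure software, no hardware required) that models it with the state names from IEEE 1149.1. It checks the property JTAG pin-finders rely on, that five clocks with TMS high reset the TAP from any state without a TRST pin, and computes the TMS sequence that reaches the Shift-DR / Shift-IR states where data is clocked through TDI and TDO.

```python
# Added example: IEEE 1149.1 TAP controller model. Not code from the presentation.
from collections import deque

# For each state: (next state when TMS=0, next state when TMS=1), sampled on rising TCK.
TAP_NEXT = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


def tap_walk(state, tms_bits):
    """Clock TCK once per TMS bit and return the list of states visited."""
    path = [state]
    for tms in tms_bits:
        state = TAP_NEXT[state][tms]
        path.append(state)
    return path


def reset_from_every_state():
    """The 1149.1 guarantee: TMS=1 for five TCK clocks always lands in Test-Logic-Reset."""
    return all(tap_walk(s, [1] * 5)[-1] == "Test-Logic-Reset" for s in TAP_NEXT)


def shortest_tms(src, dst):
    """Breadth-first search over the state graph for the shortest TMS sequence,
    the same thing a JTAG tool does before every scan."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        s = queue.popleft()
        if s == dst:
            break
        for tms, nxt in enumerate(TAP_NEXT[s]):
            if nxt not in prev:
                prev[nxt] = (s, tms)
                queue.append(nxt)
    path, s = [], dst
    while prev[s] is not None:
        s, tms = prev[s]
        path.append(tms)
    return path[::-1]


if __name__ == "__main__":
    print(reset_from_every_state())                                   # True
    tms = shortest_tms("Test-Logic-Reset", "Shift-DR")                # [0, 1, 0, 0]
    print(tms, tap_walk("Test-Logic-Reset", tms))
    print(shortest_tms("Shift-DR", "Shift-IR"))                       # [1, 1, 1, 1, 0, 0]
```

     When brute-forcing an unlabeled header for JTAG, a tool clocks that five-ones reset pattern on every candidate TMS/TCK pair and then walks to Shift-DR to read whatever comes out on TDO; with the model above you can predict exactly which TMS bits it has to send.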
  41. HARDWARE HACKING – PROCESS
     • The process to start some hardware hacking should be the following:
       1. Crack open the surrounding case to access the PCB. Watch out for safety measures (secure seals, protective plastics).
       2. Identify pins and components; get access to the datasheet.
       3. Connect and acquire useful data.
       4. Reverse.
       5. ???
       6. Profit.
     OUR FOCUS
  42. HARDWARE HACKING – PROCESS: PIN IDENTIFICATION
     • We know the different protocols, we know the number of pins, but how do we find what each pin is?
       1. Use the multimeter and measure the voltage on all the pins (against ground, with the device powered). A multimeter averages anything faster than it can follow, so read the results like this:
          1. A steady 3.3 V or 5 V is usually a supply rail, or an idle serial TX line (UART idles high). A reading that wanders or sits between the rails is most likely a data line.
          2. Anything above 5 V is the incoming power source.
          3. A steady 0 V is ground, an unused pin, or a data line idling low.
       2. Connect a scope to the candidates and look for square waves: these are digital signals.
       3. Connect the logic analyzer to those pins and separate the clock from the data pins: a clock toggles at a fixed rate, data changes irregularly, and a line that sits high and drops in bursts with no clock next to it is probably asynchronous serial (UART).
       4. Analyze the data and begin reversing...
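     Step 3 and 4 for the most common find, a UART console, come down to two things: work out the baud rate and decode 8N1 frames. The script below is an added example (not from the talk) that does both on a logic-analyzer-style capture: the shortest run of identical samples is taken as one bit time and snapped to a standard rate, then each frame is sampled in the middle of every bit. The capture is constructed inline (a BusyBox-style banner at 115200 baud sampled at 1 MHz) so it runs offline; the sample rate, the list of candidate bauds and the text are assumptions. The same approach applies to the serial console on the Linksys slide further down.

```python
# Added example: baud-rate guessing and 8N1 UART decoding over sampled line
# levels. Not code from the presentation; the capture is constructed below.

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)   # assumed candidate list


def uart_trace(text, baud, sample_rate, idle_bits=4):
    """Construct a capture of `text` as 8N1: start bit low, 8 data bits LSB
    first, stop bit high, line idle high before and after."""
    bits = [1] * idle_bits
    for ch in text.encode():
        bits += [0] + [(ch >> k) & 1 for k in range(8)] + [1]
    bits += [1] * idle_bits
    n_samples = int(len(bits) * sample_rate / baud)
    return [bits[int(i * baud / sample_rate)] for i in range(n_samples)]


def guess_baud(samples, sample_rate):
    """The shortest run of identical samples is (about) one bit time. Snap the
    estimate to a standard rate; a glitch in the capture would make it too high."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    raw = sample_rate / min(runs)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def uart_decode(samples, sample_rate, baud):
    """Decode 8N1 frames by sampling the middle of each bit after a start edge.
    Frames whose stop bit is not high (framing error) are dropped."""
    spb = sample_rate / baud                  # samples per bit, usually fractional
    out, i = bytearray(), 1
    while i < len(samples):
        if samples[i - 1] == 1 and samples[i] == 0:            # falling edge = start bit
            centre = [int(i + (n + 0.5) * spb) for n in range(10)]   # start, 8 data, stop
            if centre[9] >= len(samples):
                break                                          # truncated final frame
            byte = sum(samples[centre[1 + k]] << k for k in range(8))   # LSB first
            if samples[centre[9]] == 1:                        # stop bit present
                out.append(byte)
            i = centre[9]                                      # resume from the stop bit
        i += 1
    return bytes(out)


if __name__ == "__main__":
    rate = 1_000_000                                           # assumed analyzer sample rate
    capture = uart_trace("BusyBox v1.00-pre8 (ash) #", 115200, rate)   # constructed banner
    baud = guess_baud(capture, rate)
    print(baud, uart_decode(capture, rate, baud))
    # The same capture read at the wrong rate comes out as garbage, which is the
    # usual symptom of a misjudged baud on a real console:
    print(uart_decode(capture, rate, 57600))
```

     In practice you let the analyzer sit on the suspected TX pin through a reboot, run the guess on the capture, and only then wire a USB-to-serial adapter at the board's logic level; if the decoded bytes are printable text, you have found the console.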
  43. HARDWARE HACKING – PROCESS: COMPONENT IDENTIFICATION
     • What if I don't want to poke all the pins and connections?
     • You can try to identify the different components and get their datasheets, where you can find all the technical information you might need.
     • Vendor and part numbers are usually printed on the components.
     • Look for the manufacturer's logo.
     • Alphanumeric codes identify the part.
  45. HARDWARE HACKING – PROCESS: DATASHEETS
     • Datasheets are documents that contain technical information about the component.
     • Some are free, others are paid.
  47. HARDWARE HACKING HACKZ
     • Real men wear pink pagers!
  48. HARDWARE HACKING HACKZ
     • Wiring the IM-ME for custom firmware installation! The debug header pins are:
       1 - !RST - Reset
       2 - DD - Debug Data
       3 - DC - Debug Clock
       4 - +2.5V - Power
       5 - GND - Ground
  49. HARDWARE HACKING HACKZ
     • TV tuner + almighty clock!
  50. HARDWARE HACKING HACKZ
     • TV tuner + almighty clock! Results: (screenshot in the original slides)
  51. HARDWARE HACKING HACKZ
     • Linksys WMB54G and others! Connector J9 is a serial console:
       Pin 1 - TX - Transmit
       Pin 2 - RX - Receive
       Pin 8 - GND - Ground
     Hook a USB-to-serial adapter (at the board's logic level, not RS-232 voltages) to it and the boot log ends in a root shell without any login:
       RAMDISK: ext2 filesystem found at block 0
       RAMDISK: Loading 4096 blocks [1 disk] into ram disk... done.
       Freeing initrd memory: 4096k freed
       VFS: Mounted root (ext2 filesystem).
       Freeing unused kernel memory: 60k freed
       mount /proc file system ok!
       serial console detected. Disabling virtual terminals.
       init started: BusyBox v1.00-pre8 (2008.01.17-05:54+0000) multi-call binary
       BusyBox v1.00-pre8 (2008.01.17-05:54+0000) Built-in shell (ash)
       Enter 'help' for a list of built-in commands.
       #
  52. HARDWARE HACKING HACKZ
     • Hardware random number generator
     • Two types of RNG: true and pseudo
       • Pseudo - created by an algorithm. Problem: if someone knows your algorithm (and its seed or internal state) they can in theory predict your random numbers.
       • True - generates sequences that cannot be predicted in practice, using random physical events as the source of randomness.
     Bill of materials:
       Component            Quantity
       Arduino              1
       2N3904 transistor    3
       4.7k resistor        2
       10k resistor         1
       1.5M resistor        1
       0.1 µF capacitor     1
       10 µF capacitor      1
       Breadboard           1
       12 V DC adapter      1
  54. HARDWARE HACKING HACKZ
     1. Two of the transistors generate avalanche noise (a reverse-biased base-emitter junction driven into breakdown, which is why the circuit needs the 12 V adapter rather than the Arduino's 5 V).
     2. The third transistor amplifies the noise.
     3. The noise is sent across voltage dividers to the Arduino, which samples it into bits.
  55. HARDWARE HACKING HACKZ
     10100110
     • The Arduino applies Von Neumann filtering to remove possible bias: bits are taken in non-overlapping pairs, 01 becomes 0, 10 becomes 1, and 00 and 11 are discarded. This cancels a constant bias in the source but not correlation between consecutive bits.
     • Provides a network service that feeds random numbers.
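     The filter is small enough to show in full. This is an added example (not the Arduino sketch from the talk) that applies Von Neumann debiasing to a constructed biased bit source standing in for the avalanche-noise hardware, measures the bias before and after, and shows the one failure mode the slide's single sentence hides: a correlated source passes the filter with its correlation intact. The bit string 10100110 from the slide is used as the first input; the bias value, seed and sample size are assumptions.

```python
# Added example: Von Neumann debiasing with a constructed biased source.
# Not code from the presentation.
import random


def von_neumann(bits):
    """Non-overlapping pairs: 01 -> 0, 10 -> 1, 00 and 11 -> nothing.
    If the input bits are independent with any fixed P(1)=p, both surviving
    pairs occur with probability p(1-p), so the output is exactly unbiased.
    Expected yield is 2p(1-p) bits per pair, i.e. at most a quarter of the input."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def ones_fraction(bits):
    """Crude monobit check: fraction of ones in the stream."""
    return sum(bits) / len(bits)


def biased_bits(n, p_one, seed):
    """Constructed stand-in for the raw noise source: independent bits with P(1)=p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def pack_bytes(bits):
    """Pack debiased bits into bytes (MSB first), dropping an incomplete trailing byte."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


if __name__ == "__main__":
    print(von_neumann([1, 0, 1, 0, 0, 1, 1, 0]))        # the slide's 10100110 -> [1, 1, 0, 1]
    raw = biased_bits(20000, 0.7, seed=1)               # assumed 70% ones, like a badly biased source
    clean = von_neumann(raw)
    print(ones_fraction(raw), ones_fraction(clean), len(clean))
    print(pack_bytes(clean)[:8].hex())
    # The filter removes a constant bias only. A source whose bits are
    # correlated (worst case: strictly alternating) comes out as all ones,
    # which is why raw hardware noise still needs health tests or a
    # conditioning step such as hashing before it feeds anything else.
    print(von_neumann([1, 0] * 8))
```

     The last line is the check to keep in mind when a board's RNG output "looks random" at a glance: the ones-fraction can be exactly 0.5 after debiasing while the stream remains fully predictable.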
  56. HARDWARE HACKING – DEMOS
     • Logic analyzer and SMC WAAG EU
  57. HARDWARE HACKING – DEMOS
     • 2x Arduinos "bomb" demo: man in the middle between the Timer and the Activator
  58. HARDWARE HACKING – COMPLICATIONS
     • Hard to access pins for probing!
     • Solution!
  59. HARDWARE HACKING – COMPLICATIONS
     • Epoxy! Ways to get it off:
       • Heat gun
       • Dremel tool and a sharp wooden stick
       • Best solution: fuming nitric acid
         • Warm the nitric acid to 60 °C
         • Put small drops on the epoxy and it will come right off
         • Fuming nitric acid is a strong oxidizer that gives off toxic nitrogen dioxide: do this only under a fume hood, with acid-resistant gloves and eye protection, and keep it away from anything organic.
  60. HARDWARE HACKING – CONCLUSION
     • Hardware hacking can be lots of fun even for software people
     • The initial part is simple and doesn't have a steep learning curve
     • The more complicated parts will come naturally because you had so much fun with the beginning
     • Tools for hardware hacking have come down in price; a beginner's kit can easily be bought for 300-350 euros
     • The protocols down there still need to improve a lot on security