SlideShare a Scribd company logo

BSides DFW2016-Hack Mode Enabled

P
pricemcdonald

This document discusses hardware hacking techniques for reverse engineering devices on a budget. It introduces tools like logic analyzers, JTAG debuggers, and open source software that can be used to identify chip components, access device interfaces, extract file systems, and perform reverse engineering. Specific tips are provided for using tools like Saleae logic analyzers and OpenOCD to access UART, JTAG, and file systems on example router and chip components. The document aims to demonstrate affordable methods for hardware analysis and modification.

Technology
1 of 44
Download to read offline
“Hack Mode” Enabled Hardware Hacking on a Budget BSides DFW 2016 Price McDonald
About:Me
O’Rly?
Ok, So Hardware Security sucks… But why focus on the hardware?
Methodology
Where do we get theThings? • Beta Programs • https://www.betabound.com/tp-link-router-private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
Disassembly “Voiding theWarranty”
Tamper Resistance/Detection/Alerting They mean different things, but may not matter either way.
Component Identification What do you see?
Component Identification(2) • EOL 802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pinTSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pinTSOP II
Component IdentificationTip andTricks The image part with relationship ID rId5 was not found in the file.
Arts and CraftsTime
Finding Ground • Using the MultiMeter we can figure out which of the pins on our headers connect to ground and which have voltage. GroundVoltage Specifically 3.3v • Got Ground?
Physical Counter Measures Gap in trace Extra Resistor
Common InterfaceTypes • UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – JointTest Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
Pinout Reversing • Saleae Logic Analyzer • ~100 Bucks on the low end @ https://www.saleae.com • Also, EDU discounts available up to 50% depending on model. • Keep in mind that logic analyzers are sampling which can cause artificial data depending on the sampling rate and thresholds. • Works for I2C, UART, SPI, JTAG, CAN, etc, etc
Saleae Logic UI • Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes during. This is a good indication of either a UART, I2C or SPI connection. System Boot Likely the boot log being transmitted over UART
Saleae Logic - Decoders Given that we suspect Async Serial (UART) we will select that analyzer
Saleae Logic - Decoding Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit rate.
Saleae Logic – Decoding(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)
Saleae Logic – Output As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
Or, Have you heard of the Jtagulator? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
Connecting to Interfaces • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
Using the Shikra http://int3.cc/products/the-shikra
Connecting to UART The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below. sudo screen /dev/[device id] baud rate Or the the case of the Device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
We now have shell! hopefully But now what?
NoTech hacking
NoTech hacking(2)
File System Fiddling Why is my root a mtdblock? But wait, what is an mtdblock? • MTD is a "MemoryTechnology Device. • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed. • A mtdblock is a block device emulated over an mtd device. Source:Wikipedia
File System Fiddling(2) Often times embedded device manufacturers leave important file systems unmounted. Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
Pilfering File Systems But, How do we get the file system off of the target device?
SSHWhoops?
Ultra quick JTAG primer • JTAG stands for (JointTest Action Group) which was formed in 1985. • IDCODE , BYPASS Registers are often very helpful • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • TheTCK Pin (Test Clock) is what keeps the clock for the state machine. • THETMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle. Source: Wikipedia
Options for connecting to JTAG Good Better Best $45 $60-$600 $5000-$20000
Jtagulator
How to Connect with OpenOCD The command to initiate openocd is : openocd –f interface –f target But now what? There are errors and stuff!!!!! #openocd on Freenode
How to Connect with OpenOCD(2) Silly openocd! That’s more like it J
Using OpenOCD
Reverse Engineering • Ida Pro • PaidVersion required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available • Binary Ninja • Free version available • Very Limited Architecture Support • Not currently an option for this type of work but something to keep in mind.
IDA Pro
Radare2
Other nice to haves
• http://www.grandideastudio.com/hardware-hacking-training/ • http://www.xipiter.com/training.html • https://www.eevblog.com • http://www.embedded.com/electronics-blogs/beginner-s-corner/
THANKYOU!!!! ANY MORE QUESTIONS?

Recommended

BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the Things
Price McDonald
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017
Price McDonald
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to Root
Yashin Mehaboobe
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101
Tiago Henriques
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
Silvio Cesare
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis framework
Yashin Mehaboobe
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Intro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingIntro to Hardware Firmware Hacking
Intro to Hardware Firmware Hacking
Andrew Freeborn
 

Recommended

BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the Things
Price McDonald
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017
Price McDonald
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to Root
Yashin Mehaboobe
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101
Tiago Henriques
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
Silvio Cesare
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis framework
Yashin Mehaboobe
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Intro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingIntro to Hardware Firmware Hacking
Intro to Hardware Firmware Hacking
Andrew Freeborn
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware Hacking
Andrew Brockhurst
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino Forensics
Steve Watson
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking Primer
Yashin Mehaboobe
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAG
Dobrica Pavlinušić
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
arbitrarycode
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
LinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected worldLinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected world
CAVEDU Education
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
Dwika Sudrajat
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component tester
Dobrica Pavlinušić
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA
Premier Farnell
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software people
Dobrica Pavlinušić
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
DefconRussia
 
Jtag
JtagJtag
Jtag
TELE-audiovision eng
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playground
slides_luis
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
Michel Schudel
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needs
Dobrica Pavlinušić
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and Unlocks
Mike Webb
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
RootedCON
 

More Related Content

What's hot

Hardware Hacking
Hardware HackingHardware Hacking
Hardware Hacking
Andrew Brockhurst
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino Forensics
Steve Watson
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking Primer
Yashin Mehaboobe
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAG
Dobrica Pavlinušić
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
arbitrarycode
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
LinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected worldLinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected world
CAVEDU Education
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
Dwika Sudrajat
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component tester
Dobrica Pavlinušić
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA
Premier Farnell
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software people
Dobrica Pavlinušić
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
DefconRussia
 
Jtag
JtagJtag
Jtag
TELE-audiovision eng
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playground
slides_luis
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
Michel Schudel
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needs
Dobrica Pavlinušić
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and Unlocks
Mike Webb
 

What's hot (20)

Hardware Hacking
Hardware HackingHardware Hacking
Hardware Hacking
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino Forensics
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking Primer
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAG
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
LinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected worldLinkIt Smart 7688 - a more connected world
LinkIt Smart 7688 - a more connected world
 
Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5Mozilla chirimen firefox os dwika v5
Mozilla chirimen firefox os dwika v5
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component tester
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software people
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Jtag
JtagJtag
Jtag
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playground
 
Cryptography 101 for Java developers
Cryptography 101 for Java developersCryptography 101 for Java developers
Cryptography 101 for Java developers
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needs
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and Unlocks
 

Viewers also liked

Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
RootedCON
 
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapalibuildersreviews
 
Playful
PlayfulPlayful
Playful
Tinker London
 
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsHardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
Andres Lozano
 
Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)
Dan Bowen
 
Hardware hacking
Hardware hackingHardware hacking
Hardware hacking
Tavish Naruka
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Takeda Pharmaceuticals
 
Coders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOWCoders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOW
Matt Biddulph
 
Breaking Bad EACS Implementations
Breaking Bad EACS ImplementationsBreaking Bad EACS Implementations
Breaking Bad EACS Implementations
Opposing Force S.r.l.
 
Router forensics
Router forensicsRouter forensics
Router forensics
Taruna Chauhan
 
JTAG Interface (Intro)
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)
Nitesh Bhatia
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 Disassembly
Sam Bowne
 
Let's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionLet's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 edition
Dobrica Pavlinušić
 

Viewers also liked (14)

Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
 
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
 
Playful
PlayfulPlayful
Playful
 
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsHardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
 
Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)
 
Hardware hacking
Hardware hackingHardware hacking
Hardware hacking
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
 
Coders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOWCoders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOW
 
Breaking Bad EACS Implementations
Breaking Bad EACS ImplementationsBreaking Bad EACS Implementations
Breaking Bad EACS Implementations
 
Router forensics
Router forensicsRouter forensics
Router forensics
 
JTAG Interface (Intro)
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 Disassembly
 
Let's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionLet's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 edition
 

Similar to BSides DFW2016-Hack Mode Enabled

Insecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTInsecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOT
Price McDonald
 
Thotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetThotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a Budget
Price McDonald
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
Yogesh Ojha
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
Cysinfo Cyber Security Community
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
Priyanka Aash
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...
Alexander Bolshev
 
Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-can
injenerzntu
 
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
ST_World
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
Michael Smith
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
Jose Palanco
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
CSO_Presentations
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology Overview
Michelle Holley
 
Prezentare tcs2011
Prezentare tcs2011Prezentare tcs2011
Prezentare tcs2011
Alexandru IOVANOVICI
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
 
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Bhavin Chandarana
 
Phytium 64 core cpu preview
Phytium 64 core cpu previewPhytium 64 core cpu preview
Phytium 64 core cpu preview
inside-BigData.com
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Saumil Shah
 
Multithreading Fundamentals
Multithreading FundamentalsMultithreading Fundamentals
Multithreading Fundamentals
PostSharp Technologies
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
InMobi Technology
 

Similar to BSides DFW2016-Hack Mode Enabled (20)

Insecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTInsecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOT
 
Thotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetThotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a Budget
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...
 
Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-can
 
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
 
DefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android DataDefCon 2012 - Gaining Access to User Android Data
DefCon 2012 - Gaining Access to User Android Data
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology Overview
 
Prezentare tcs2011
Prezentare tcs2011Prezentare tcs2011
Prezentare tcs2011
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
 
Phytium 64 core cpu preview
Phytium 64 core cpu previewPhytium 64 core cpu preview
Phytium 64 core cpu preview
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 
Multithreading Fundamentals
Multithreading FundamentalsMultithreading Fundamentals
Multithreading Fundamentals
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 

BSides DFW2016-Hack Mode Enabled

  • 1. “Hack Mode” Enabled Hardware Hacking on a Budget BSides DFW 2016 Price McDonald
  • 4. Ok, So Hardware Security sucks… But why focus on the hardware?
  • 6. Where do we get theThings? • Beta Programs • https://www.betabound.com/tp-link-router-private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
  • 8. Tamper Resistance/Detection/Alerting They mean different things, but may not matter either way.
  • 10. Component Identification(2) • EOL 802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pinTSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pinTSOP II
  • 11. Component IdentificationTip andTricks The image part with relationship ID rId5 was not found in the file.
  • 13. Finding Ground • Using the MultiMeter we can figure out which of the pins on our headers connect to ground and which have voltage. GroundVoltage Specifically 3.3v • Got Ground?
  • 14. Physical Counter Measures Gap in trace Extra Resistor
  • 15. Common InterfaceTypes • UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – JointTest Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
  • 16. Pinout Reversing • Saleae Logic Analyzer • ~100 Bucks on the low end @ https://www.saleae.com • Also, EDU discounts available up to 50% depending on model. • Keep in mind that logic analyzers are sampling which can cause artificial data depending on the sampling rate and thresholds. • Works for I2C, UART, SPI, JTAG, CAN, etc, etc
  • 17. Saleae Logic UI • Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes during. This is a good indication of either a UART, I2C or SPI connection. System Boot Likely the boot log being transmitted over UART
  • 18. Saleae Logic - Decoders Given that we suspect Async Serial (UART) we will select that analyzer
  • 19. Saleae Logic - Decoding Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit rate.
  • 20. Saleae Logic – Decoding(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)
  • 21. Saleae Logic – Output As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
  • 22. Or, Have you heard of the Jtagulator? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
  • 23. Connecting to Interfaces • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
  • 25. Connecting to UART The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below. sudo screen /dev/[device id] baud rate Or the the case of the Device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
  • 26. We now have shell! hopefully But now what?
  • 29. File System Fiddling Why is my root a mtdblock? But wait, what is an mtdblock? • MTD is a "MemoryTechnology Device. • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed. • A mtdblock is a block device emulated over an mtd device. Source:Wikipedia
  • 30. File System Fiddling(2) Often times embedded device manufacturers leave important file systems unmounted. Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
  • 31. Pilfering File Systems But, How do we get the file system off of the target device?
  • 33. Ultra quick JTAG primer • JTAG stands for (JointTest Action Group) which was formed in 1985. • IDCODE , BYPASS Registers are often very helpful • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • TheTCK Pin (Test Clock) is what keeps the clock for the state machine. • THETMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle. Source: Wikipedia
  • 34. Options for connecting to JTAG Good Better Best $45 $60-$600 $5000-$20000
  • 36. How to Connect with OpenOCD The command to initiate openocd is : openocd –f interface –f target But now what? There are errors and stuff!!!!! #openocd on Freenode
  • 37. How to Connect with OpenOCD(2) Silly openocd! That’s more like it J
  • 39. Reverse Engineering • Ida Pro • PaidVersion required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available • Binary Ninja • Free version available • Very Limited Architecture Support • Not currently an option for this type of work but something to keep in mind.
  • 42. Other nice to haves
  • 43. • http://www.grandideastudio.com/hardware-hacking-training/ • http://www.xipiter.com/training.html • https://www.eevblog.com • http://www.embedded.com/electronics-blogs/beginner-s-corner/