Hardware Hacking
Tinkerer's unite! I'm going to attempt a very brief overview of approaching hardware from a security PoV
Last updated: March 5th, 2023
Recon
Searching
As with most engagements, this one starts with research. One of the best places to quickly find images and manuals for a device is by searching for the device's FCC ID on fccid.io. The FCC ID will most likely be printed on the device's label. Occasionally you can also find public research that has already been done on the device on hobbyist forums.
Teardown
Enclosure Bypass
Determine what is needed to open the casing of the device. It may simply snap open under some pressure; if glue seems to be holding the case together, use a heat gun to soften it. If the device has rubber pads or feet, there may be screws beneath them. As a last resort you can attempt to cut or force the device open.
Exploitation
Chips and Parts
You can start by identifying the different chips and their part numbers. Searching Google for a part number will usually turn up the corresponding datasheet, which gives more information and may hint at which protocol the chip speaks.
Interfaces
UART
UART interfaces are usually a group of 3 or 4 pins, one of which is GND. To identify GND, put a multimeter in continuity mode (with the device powered off), place the black probe on any metal part of the device and touch the red probe to each of the pads; the pad that beeps is GND. To identify the other pins, leave the black probe on GND and power the device on. While the device is on, touch the red probe to the remaining pads: the pin with a constant high voltage is Vcc. Reboot the device and probe the remaining two pins: the one whose voltage fluctuates during boot is Tx and the one that stays low is Rx. You can then use the Attify Badge to connect to the UART header and a USB cable to connect the badge to your PC.
To interact with the console you need to identify the baud rate by trial and error, although it is commonly 9600, 38400, 19200, 57600 or 115200. Once you've identified the baud rate you can use the screen command:
screen /dev/ttyUSB0 38400
From here you can reboot the device and read the debug logs to understand the boot process. You may be able to get bootloader access while the device is booting or find a way to get a root shell.
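The baud-rate guessing above can be automated by capturing a few hundred bytes at each common rate and scoring how text-like they are: the wrong rate produces framing errors and byte salad, the right one a readable boot log. This is an added example, not code from the original notes; the live probe assumes pyserial and a USB-UART adapter at /dev/ttyUSB0, and the constructed sample captures let the ranking run without any hardware.

```python
"""Rank candidate UART baud rates by how text-like the captured bytes look."""
import string

COMMON_BAUDRATES = (9600, 38400, 19200, 57600, 115200)   # the rates listed in the notes
_TEXT = set(string.printable.encode("ascii"))            # letters, digits, punctuation, whitespace


def text_score(capture: bytes) -> float:
    """Fraction of captured bytes that are printable ASCII or whitespace (0.0 to 1.0)."""
    if not capture:
        return 0.0
    return sum(1 for b in capture if b in _TEXT) / len(capture)


def rank_baudrates(captures: dict) -> list:
    """Sort {baudrate: bytes} by text score, best first, as (baudrate, score) tuples."""
    return sorted(((baud, text_score(data)) for baud, data in captures.items()),
                  key=lambda pair: pair[1], reverse=True)


def probe_serial(port: str, rates=COMMON_BAUDRATES, nbytes: int = 512,
                 timeout: float = 2.0) -> dict:
    """Capture nbytes at each rate from a live device; power-cycle it during each read."""
    import serial  # pyserial (assumed installed); imported here so scoring works offline
    captures = {}
    for rate in rates:
        with serial.Serial(port, baudrate=rate, timeout=timeout) as link:
            captures[rate] = link.read(nbytes)
    return captures


# Constructed sample captures: a U-Boot style banner as seen at the correct rate,
# and the kind of noise a mismatched rate produces (values invented for this example).
SAMPLE_CAPTURES = {
    9600: b"\xff\xf8\x00\xfe\x80\xfc\xc0\xff\x00\xe0\xf0\xfe\x00\xff\xfc\x80",
    38400: b"\x9a\xe6\x00\x8c\xf3\x00\xb8\xcc\xe2\x00\x86\xf8\xc0\x9c\xe6\x00",
    115200: b"U-Boot 2018.03\r\nDRAM:  64 MiB\r\nHit any key to stop autoboot:  3\r\n",
}

if __name__ == "__main__":
    # Swap SAMPLE_CAPTURES for probe_serial("/dev/ttyUSB0") when an adapter is attached.
    for baud, score in rank_baudrates(SAMPLE_CAPTURES):
        print(f"{baud:>7} baud  text score {score:.2f}")
```

A score near 1.0 marks the rate to pass to screen; two rates scoring similarly low just means neither framed the data correctly.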
SPI
The SPI flash chip will usually have a component number on it that will let you find a datasheet. You can use a SOIC clip and the Attify Badge to connect the chip to your computer. spiflash.py will then let you read the flash with:
spiflash.py -s 5120000 --read=new.bin
and write it with:
spiflash.py -s 5120000 -w new.bin
JTAG
JTAG is usually a set of 6, 12, 13 or 20 pin headers, which may be spread across the board. If the IoT device is not running a full-fledged OS or the hardware does not provide a serial interface, a lower-level debug approach, JTAG, is usually available. We can connect in a similar manner to the other interfaces. OpenOCD lets us read and write data on the target:
# Read over JTAG
flash banks
dump_image firmware.bin 0x08000000 0x00010000
flash banks
# Write over JTAG
flash banks
flash write_image erase firmware.bin 0x08000000
flash banks
We can also attach gdb through OpenOCD's gdb server (port 3333 by default) for reversing and live debugging; the last two lines are entered at the gdb prompt:
# Debugging with GDB
gdb-multiarch program.bin
set architecture arm
target remote localhost:3333