“HACK MODE” ENABLED
HARDWARE HACKING ON A BUDGET
BSIDES INDY 2017
PRICE MCDONALD
ABOUT:ME
O’RLY?
OK, SO HARDWARE SECURITY SUCKS… BUT WHY FOCUS ON THE HARDWARE?
METHODOLOGY
WHERE DO WE GET THE THINGS?
• Beta Programs
  • https://www.betabound.com/tp-link-router-private-beta/
  • https://beta.linksys.com/
  • https://www.beta.netgear.com/signup/
• Flea Markets
• Ebay
• Craigslist
• Garage Sales
DISASSEMBLY “VOIDING THE WARRANTY”
TAMPER RESISTANCE/DETECTION/ALERTING
They mean different things, but may not matter either way.
COMPONENT IDENTIFICATION
What do you see?
COMPONENT IDENTIFICATION(2)
• EOL 802.11g router SoC (System on Chip)
  • 200 MHz MIPS32 core
  • Supports serial or parallel flash
  • One JTAG and two UART ports
  • 336-ball FBGA (Fine-pitch Ball Grid Array)
• 32 Mbit parallel NOR flash memory
  • 3 V only
  • 48-pin TSOP (Thin Small Outline Package)
• CMOS DDR400 RAM
  • 66-pin TSOP II
COMPONENT IDENTIFICATION TIPS AND TRICKS
ARTS AND CRAFTS TIME
FINDING GROUND
• Using the multimeter we can figure out which of the pins on our headers connect to ground and which carry voltage (specifically 3.3 V).
[Figure: probing the header pins; labels "Ground" and "Voltage, specifically 3.3v"]
• Got Ground?
PHYSICAL COUNTERMEASURES
COMMON INTERFACE TYPES
• UART – Universal Asynchronous Receiver/Transmitter
• SPI – Serial Peripheral Interface
• I2C – Inter-Integrated Circuit
• JTAG – Joint Test Action Group – hardware debugging interface
• CAN – Controller Area Network (cars/ATMs/etc.)
• RS-232 – serial interface used on many legacy devices
PINOUT REVERSING
• SALEAE LOGIC ANALYZER
  • ~100 BUCKS ON THE LOW END @ https://www.saleae.com
  • ALSO, EDU DISCOUNTS AVAILABLE UP TO 50% DEPENDING ON MODEL.
• KEEP IN MIND THAT LOGIC ANALYZERS ARE SAMPLING, WHICH CAN CAUSE ARTIFICIAL DATA DEPENDING ON THE SAMPLING RATE AND THRESHOLDS.
• WORKS FOR I2C, UART, SPI, JTAG, CAN, ETC., ETC.
SALEAE LOGIC UI
• Using the Saleae logic analyzer we can watch the pins during boot and check for voltage spikes. Activity there is a good indication of either a UART, I2C or SPI connection.
[Capture annotations: "System Boot"; "Likely the boot log being transmitted over"]
SALEAE LOGIC - DECODERS
Given that we suspect Async Serial (UART), we select that analyzer.
SALEAE LOGIC - DECODING
Among small embedded devices, 115200 is a very common bit rate, so it is an easy guess. But we will also cover a more automated way of determining the bit rate.
SALEAE LOGIC – DECODING(2)
We must also ensure we configure the analyzer for the appropriate channel (the channels are color coded as long as you connect them
SALEAE LOGIC – OUTPUT
As you can see, we are successfully decoding the output from the UART serial connection on our Broadcom chip.
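To make the "guess the bit rate" step concrete, here is an added example (not from the talk and not Saleae's software) that takes a raw sample stream as a logic analyzer would record it, estimates the baud rate from the shortest pulse, decodes 8N1 frames by sampling at bit centres, and flags the under-sampling case the earlier slide warns about. The capture, its 1 MS/s sample rate, the boot-log text and the list of standard baud rates are all constructed assumptions.

```python
"""Added example: decode an 8N1 UART capture from raw logic-analyzer samples.

The capture is constructed here, not recorded from the talk's router. It shows
the "guess the bit rate" step done automatically (shortest pulse == one bit
time) and why an under-sampled trace decodes unreliably.
"""
from typing import List, Tuple

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)
SAMPLE_RATE = 1_000_000  # constructed: a 1 MS/s capture


def build_capture(data: bytes, baud: int, sample_rate: int, idle_bits: int = 4) -> List[int]:
    """Construct the logic-level sample stream an analyzer would record.
    Line idles high; each frame is start(0), 8 data bits LSB first, stop(1)."""
    levels = [1] * idle_bits
    for byte in data:
        levels += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        levels += [1] * idle_bits              # short idle gap between frames
    spb = sample_rate / baud                   # samples per bit, usually non-integer
    return [levels[int(n / spb)] for n in range(int(len(levels) * spb))]


def shortest_pulse(samples: List[int]) -> int:
    """Length (in samples) of the shortest run of one level. The first and last
    runs are ignored because the capture window may have cut them short."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    return min(runs[1:]) if len(runs) > 1 else len(samples)


def estimate_baud(samples: List[int], sample_rate: int) -> Tuple[int, float]:
    """Snap sample_rate / shortest_pulse to the nearest standard baud rate.
    Needs at least one isolated 0 or 1 bit in the data; ASCII boot logs have plenty."""
    raw = sample_rate / shortest_pulse(samples)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw)), raw


def bit_centre(edge: int, spb: float, k: int) -> int:
    """Sample index at the middle of bit k of the frame whose start edge is at `edge`
    (k = 0 start bit, 1..8 data bits, 9 stop bit)."""
    return edge + int(spb * (k + 0.5))


def decode_8n1(samples: List[int], sample_rate: int, baud: int) -> Tuple[bytes, List[str]]:
    """Decode frames by sampling each bit at its centre. Returns (bytes, warnings)."""
    spb = sample_rate / baud
    warnings: List[str] = []
    if spb < 4:
        warnings.append(f"only {spb:.1f} samples per bit; raise the sample rate")
    out = bytearray()
    i, n = 1, len(samples)
    while i < n:
        if not (samples[i - 1] == 1 and samples[i] == 0):   # wait for a start-bit edge
            i += 1
            continue
        edge = i
        if bit_centre(edge, spb, 9) >= n:
            warnings.append(f"truncated frame at sample {edge}")
            break
        value = sum(samples[bit_centre(edge, spb, k + 1)] << k for k in range(8))
        if samples[bit_centre(edge, spb, 9)] == 1:
            out.append(value)
        else:
            warnings.append(f"framing error at sample {edge} (stop bit low)")
        i = max(bit_centre(edge, spb, 9), edge + 1)          # resume from the stop bit
    return bytes(out), warnings


if __name__ == "__main__":
    cap = build_capture(b"Booting...\r\n", 115200, SAMPLE_RATE)
    baud, raw = estimate_baud(cap, SAMPLE_RATE)
    print(f"shortest pulse suggests {raw:.0f} baud -> using {baud}")
    print(decode_8n1(cap, SAMPLE_RATE, baud))
    print(decode_8n1(cap, SAMPLE_RATE, 9600))   # wrong guess: garbage and framing errors
```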
OR, HAVE YOU HEARD OF THE JTAGULATOR?
• Created by Joe Grand @ http://www.grandideastudio.com
• ~180-200 Bucks
CONNECTING TO INTERFACES
• Bus Pirate
  • Less of a learning curve
  • Slower transfer speeds
  • Supports UART, SPI, I2C and JTAG
• Shikra
  • No UI, but faster transfer speeds as a result
  • Supports UART, SPI, I2C and JTAG
• TIAO USB Multiprotocol Adapter
  • No UI, but faster transfer speeds as a result
  • Supports UART, SPI, I2C, JTAG, RS-232
  • Supports multiple connections from the same device
  • Slightly less reliable in my experience
USING THE SHIKRA
http://int3.cc/products/the-shikra
CONNECTING TO UART
The command used to connect to a UART serial adapter will vary by device and OS, but will generally be similar to the command below:
sudo screen /dev/[device id] [baud rate]
Or, in the case of the Shikra, with the device ID shown below:
sudo screen /dev/ttyUSB0 115200
WE NOW HAVE SHELL!
HOPEFULLY
But now what?
NO TECH HACKING
NO TECH HACKING(2)
FILE SYSTEM FIDDLING
Why is my root an mtdblock?
But wait, what is an mtdblock?
• MTD is a "Memory Technology Device".
• Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, which you could read current data from, but which couldn't be seeked and didn't have a size. Block devices had a fixed size and could be seeked.
• An mtdblock is a block device emulated over an MTD device.
Source: Wikipedia
FILE SYSTEM FIDDLING(2)
Oftentimes embedded device manufacturers leave important file systems unmounted.
Another good Resource:
http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_
PILFERING FILE SYSTEMS
But, How do we get the file system off of the target device?
SSH WHOOPS?
Ultra quick JTAG primer
• JTAG stands for Joint Test Action Group, the industry group (formed in 1985) that defined the interface.
• The following pins are required for JTAG use:
  • TDI (Test Data In)
  • TDO (Test Data Out)
  • TCK (Test Clock)
  • TMS (Test Mode Select)
• The TCK pin (Test Clock) provides the clock for the state machine.
• The TMS pin (Test Mode Select) determines when and how the state machine advances, depending on its level during each clock cycle.
Source: Wikipedia
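As an added illustration of the primer above (not from the talk and not any vendor's code), this models the 16-state IEEE 1149.1 TAP controller in software: TCK clocks it, TMS picks the next state, and TDI/TDO carry bits only while it sits in a shift state. The IDCODE value and the simplified TDO timing are assumptions made for the demo.

```python
"""Added example: a software model of the IEEE 1149.1 TAP controller.

TCK is the clock; TMS, sampled on each rising edge of TCK, decides which of
the 16 states the controller moves to. TDI/TDO carry data bits only while the
controller is in Shift-DR (or Shift-IR). The device model below (constructed
IDCODE value, simplified shift-register timing) is an assumption, not a real chip.
"""
from typing import Dict, List, Tuple

# (next state if TMS=0, next state if TMS=1), per IEEE 1149.1
TAP_NEXT: Dict[str, Tuple[str, str]] = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}

CONSTRUCTED_IDCODE = 0x0A5A5C0D  # made-up 32-bit IDCODE; bit 0 is always 1


class TapDevice:
    """One device on the scan chain: a TAP controller plus a DR shift register.
    Timing simplification (assumption): TDO shows the register's LSB while in
    Shift-DR, and the register shifts on every TCK spent in that state."""

    def __init__(self, idcode: int = CONSTRUCTED_IDCODE) -> None:
        self.state = "Test-Logic-Reset"    # power-on / reset state
        self.idcode = idcode
        self.dr = 0                        # data-register shift stage
        self.trace: List[str] = [self.state]

    def tdo(self) -> int:
        # Assumption: TDO reads high whenever the controller is not shifting.
        return self.dr & 1 if self.state == "Shift-DR" else 1

    def tck(self, tms: int, tdi: int = 0) -> int:
        """One rising edge of TCK: returns TDO as seen before the edge, then
        shifts (if in Shift-DR) and advances the state machine on TMS."""
        out = self.tdo()
        if self.state == "Shift-DR":
            self.dr = (self.dr >> 1) | (tdi << 31)   # shift toward TDO; TDI enters at the MSB
        self.state = TAP_NEXT[self.state][tms]
        if self.state == "Capture-DR":
            self.dr = self.idcode                    # after reset, IDCODE is the selected DR
        self.trace.append(self.state)
        return out


def walk(tms_bits: str, start: str = "Test-Logic-Reset") -> List[str]:
    """Pure state walk for a TMS bit string, e.g. '0100' from reset reaches Shift-DR."""
    state = start
    path = [state]
    for ch in tms_bits:
        state = TAP_NEXT[state][int(ch)]
        path.append(state)
    return path


def read_idcode(dev: TapDevice) -> int:
    """Drive TMS to reach Shift-DR from any state and clock out the 32 IDCODE bits."""
    for _ in range(5):             # five TMS=1 clocks reach Test-Logic-Reset from anywhere
        dev.tck(1)
    for tms in (0, 1, 0, 0):       # Run-Test/Idle, Select-DR-Scan, Capture-DR, Shift-DR
        dev.tck(tms)
    value = 0
    for i in range(32):
        bit = dev.tck(1 if i == 31 else 0)   # the last clock also moves to Exit1-DR
        value |= bit << i          # LSB comes out first
    dev.tck(1)                     # Update-DR
    dev.tck(0)                     # back to Run-Test/Idle
    return value


def decode_idcode(idcode: int) -> Dict[str, int]:
    """Split a 32-bit IDCODE into its IEEE 1149.1 fields."""
    return {
        "version": (idcode >> 28) & 0xF,
        "part_number": (idcode >> 12) & 0xFFFF,
        "manufacturer": (idcode >> 1) & 0x7FF,   # JEDEC JEP106 manufacturer code
        "marker": idcode & 1,                    # must be 1
    }


if __name__ == "__main__":
    dev = TapDevice()
    print(hex(read_idcode(dev)), decode_idcode(dev.idcode))
    print(" -> ".join(walk("0100")))
```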
OPTIONS FOR CONNECTING TO JTAG
• Good: $45
• Better: $60-$600
• Best: $5000-$20000
JTAGULATOR
HOW TO CONNECT WITH OPENOCD
The command to initiate openocd is: openocd -f [interface config] -f [target config]
But now what? There are errors and stuff!!!!!
#openocd on
HOW TO CONNECT WITH OPENOCD(2)
Silly openocd!
That’s more like it :)
USING OPENOCD
MY PET PROJECT == CEREAL
REVERSE ENGINEERING
• Binary Ninja
  • Free version available
  • Limited architecture support
  • Learn one IL to reverse them all
• IDA Pro
  • Paid version required for disassembly
  • ARM decompiler available but $$$$
  • Also a very good debugger
• Radare2
  • Free, multiplatform support
  • No decompiler available
RADARE2
IDA PRO
OTHER NICE TO HAVES
• http://www.grandideastudio.com/hardware-hacking-training/
• http://www.xipiter.com/training.html
• https://www.eevblog.com
• http://www.embedded.com/electronics-blogs/beginner-s-corner/
THANK YOU!!!!
ANY MORE QUESTIONS?
CONTACT INFORMATION
TWITTER: @PRICEMCDONALD
LINKEDIN: LINKEDIN.COM/PRICEMCDONALD
EMAIL: PRICEMCDONALD@GMAIL.COM

BSides Indy 2017 - Hardware Hacking - Abusing the Things

  • 1. “HACK MODE” ENABLED: HARDWARE HACKING ON A BUDGET. BSides Indy 2017, Price McDonald
  • 4. OK, SO HARDWARE SECURITY SUCKS… BUT WHY FOCUS ON THE HARDWARE?
  • 6. WHERE DO WE GET THE THINGS?
    • Beta programs:
      • https://www.betabound.com/tp-link-router-private-beta/
      • https://beta.linksys.com/
      • https://www.beta.netgear.com/signup/
    • Flea markets
    • eBay
    • Craigslist
    • Garage sales
  • 8. TAMPER RESISTANCE / DETECTION / ALERTING: they mean different things, but may not matter either way.
  • 10. COMPONENT IDENTIFICATION (2)
    • SoC (System on Chip): EOL 802.11g router SoC
      • 200 MHz MIPS32 core
      • Supports serial or parallel flash
      • One JTAG and two UART ports
      • 336-ball FBGA (Fine-pitch Ball Grid Array)
    • Flash: 32 Mbit parallel NOR flash memory
      • 3 V only
      • 48-pin TSOP (Thin Small Outline Package)
    • RAM: CMOS DDR400
      • 66-pin TSOP II
  • 11. COMPONENT IDENTIFICATION TIPS AND TRICKS
  • 13. FINDING GROUND
    • Using the multimeter we can figure out which of the pins on our headers connect to ground and which carry voltage (specifically 3.3 V). Check continuity between each candidate pin and a known ground (the metal shell of a connector is usually tied to ground) with the device powered off, then measure voltage on the remaining pins with it powered on.
    • Got ground?
  • 15. COMMON INTERFACE TYPES
    • UART: Universal Asynchronous Receiver/Transmitter
    • SPI: Serial Peripheral Interface
    • I2C: Inter-Integrated Circuit
    • JTAG: Joint Test Action Group, hardware debugging interface
    • CAN: Controller Area Network (cars, ATMs, etc.)
    • RS-232: serial interface used on many legacy devices. Note that RS-232 lines swing between roughly +12 V and -12 V, while the UART pins on a board are logic level (3.3 V here); never wire an RS-232 port straight to a logic-level adapter or the other way round.
  • 16. PINOUT REVERSING
    • Saleae logic analyzer: about $100 on the low end at https://www.saleae.com
    • Also, EDU discounts available up to 50% depending on model.
    • Keep in mind that logic analyzers are sampling, which can produce artificial data depending on the sample rate and voltage thresholds. Sample several times faster than the fastest signal you expect: a 115200 baud UART has bit times of about 8.7 µs, so a few hundred kS/s is the floor, not the target.
    • Works for I2C, UART, SPI, JTAG, CAN, etc.
  • 17. SALEAE LOGIC UI
    • Using the Saleae logic analyzer we can watch the pins while the system boots and check for activity (level transitions) during boot. This is a good indication of a UART, I2C or SPI connection. (Screenshot callouts: "System Boot"; "Likely the boot log being transmitted over")
  • 18. SALEAE LOGIC - DECODERS
    • Given that we suspect async serial (UART), we will select that analyzer.
  • 19. SALEAE LOGIC - DECODING
    • Among small embedded devices 115200 is a very common bit rate, so it is an easy guess. A quick manual check is to measure the narrowest pulse in the capture: the bit rate is roughly one over its width (about 8.7 µs at 115200). But we will also cover a more automated way of determining bit
  • 20. SALEAE LOGIC - DECODING (2)
    • We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them
  • 21. SALEAE LOGIC - OUTPUT
    • As you can see, we are successfully decoding the output from the UART serial connection on our Broadcom chip.
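The decoding steps in slides 16 through 21 (guess the bit rate, pick the async-serial analyzer, read the bytes) and the sampling caveat from slide 16, as an added example written for this page rather than code from the talk or from Saleae: a small software UART decoder run over a constructed capture. The boot-log fragment, the 4 MS/s and 200 kS/s sample rates, the list of standard rates and the 8N1 framing are assumptions for the demo.

```python
"""Software async-serial (UART, 8N1) decoder over a logic-analyzer style capture.
Added example for this page (not the talk's code, not Saleae's): it builds a
constructed waveform from a boot-log fragment, recovers the bit rate from the
shortest pulse in the capture, decodes the frames, and shows what an
undersampled capture does to the estimate."""
from itertools import groupby

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def encode_uart(data, baud, sample_rate, idle_bits=4):
    """Sample an 8N1 transmission of `data` at `sample_rate` (1 = line high).
    Bit edges land at round(t * samples_per_bit), so the waveform carries the
    same quantisation a real analyzer capture has."""
    bits = [1] * idle_bits
    for byte in data:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]  # start, LSB first, stop
    bits += [1] * idle_bits
    spb = sample_rate / baud
    samples = []
    for t, bit in enumerate(bits):
        samples += [bit] * (round((t + 1) * spb) - round(t * spb))
    return samples


def estimate_baud(samples, sample_rate):
    """Bit rate from the shortest run of equal samples, snapped to a standard
    rate. Assumes the capture holds at least one isolated bit (any byte with
    alternating bits, such as 'U' = 0x55, guarantees that)."""
    shortest = min(sum(1 for _ in run) for _, run in groupby(samples))
    raw = sample_rate / shortest
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def decode_uart(samples, sample_rate, baud):
    """Decode 8N1 frames by sampling the centre of each bit after a start edge.
    Returns (decoded bytes, number of framing errors)."""
    spb = sample_rate / baud
    out, errors, i, n = bytearray(), 0, 0, len(samples)
    while i < n:
        if samples[i]:                      # idle high: keep looking for a start bit
            i += 1
            continue
        centre = [i + int((k + 0.5) * spb) for k in range(10)]  # bit 0 = start, 9 = stop
        if centre[9] >= n:
            break                           # frame runs past the end of the capture
        if samples[centre[0]] != 0:
            i += 1                          # start bit did not hold half a bit: glitch
            continue
        value = sum(samples[centre[1 + k]] << k for k in range(8))
        if samples[centre[9]] == 1:
            out.append(value)
        else:
            errors += 1                     # stop bit low: framing error (wrong rate or polarity)
        i = centre[9]
    return bytes(out), errors


if __name__ == "__main__":
    boot_log = b"U-Boot 1.1.4 (constructed sample line)\r\n"
    good = encode_uart(boot_log, 115200, 4_000_000)   # about 35 samples per bit
    print("estimated:", estimate_baud(good, 4_000_000), decode_uart(good, 4_000_000, 115200))
    bad = encode_uart(boot_log, 115200, 200_000)      # under 2 samples per bit
    print("undersampled estimate:", estimate_baud(bad, 200_000))
```

At 4 MS/s the shortest pulse gives 115200 directly and every frame decodes cleanly; at 200 kS/s the narrowest pulse is measured as a single sample and the estimate snaps to 230400, which is exactly the artificial data slide 16 warns about. The voltage threshold matters the same way on real hardware: set it near half the 3.3 V swing or the idle level gets misread.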
  • 22. OR, HAVE YOU HEARD OF THE JTAGULATOR?
    • Created by Joe Grand, http://www.grandideastudio.com
    • About $180-200
  • 23. CONNECTING TO INTERFACES
    • Bus Pirate
      • Less of a learning curve
      • Slower transfer speeds
      • Supports UART, SPI, I2C and JTAG
    • Shikra
      • No UI, but faster transfer speeds as a result
      • Supports UART, SPI, I2C and JTAG
    • TIAO USB Multiprotocol Adapter
      • No UI, but faster transfer speeds as a result
      • Supports UART, SPI, I2C, JTAG, RS-232
      • Supports multiple connections from the same device
      • Slightly less reliable in my experience
  • 25. CONNECTING TO UART
    • The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below:
        sudo screen /dev/[device id] [baud rate]
    • Or, in the case of the device ID below for the Shikra:
        sudo screen /dev/ttyUSB0 115200
    • On Linux, ls -l /dev/serial/by-id/ (or dmesg right after plugging the adapter in) shows which ttyUSB node it was given. Adding your user to the group that owns that node (commonly dialout) avoids running screen as root, and starting screen with -L writes the boot log to a file so you can grep it later.
  • 26. WE NOW HAVE SHELL! HOPEFULLY. But now what?
  • 29. FILE SYSTEM FIDDLING
    • Why is my root an mtdblock? But wait, what is an mtdblock?
    • MTD is a "Memory Technology Device".
    • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, which you could read current data from, but which couldn't be seeked and didn't have a size. Block devices had a fixed size and could be seeked.
    • An mtdblock is a block device emulated over an MTD device. Source: Wikipedia
  • 30. FILE SYSTEM FIDDLING (2)
    • Often embedded device manufacturers leave important file systems unmounted. cat /proc/mtd lists every flash partition the kernel knows about, mounted or not, with its size and erase block size.
    • Another good resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_
  • 31. PILFERING FILE SYSTEMS
    • But how do we get the file system off of the target device?
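The two halves of that question, as an added example written for this page and not code from the talk: first make sense of the /proc/mtd table the UART shell shows you, then find and carve the root file system inside a raw dump, whether the dump came from dd over that shell or from a JTAG read. The /proc/mtd text, the flash image, the partition names and the uImage and SquashFS contents are constructed for the demo and do not describe a real device.

```python
"""Locate and carve the root file system in a raw flash dump. Added example
for this page, not the talk's code. parse_proc_mtd() reads the table the
shell prints; scan_flash() walks a dump for U-Boot uImage and SquashFS v4
headers and validates them (header CRC, superblock sanity) so a chance match
of four magic bytes is not reported; carve_squashfs() cuts the image out by
its own length field. All sample data below is constructed."""
import re
import struct
import zlib

PROC_MTD = '''dev:    size   erasesize  name
mtd0: 00040000 00010000 "boot"
mtd1: 00010000 00010000 "nvram"
mtd2: 003a0000 00010000 "linux"
mtd3: 00250000 00010000 "rootfs"
'''   # constructed sample of `cat /proc/mtd` on a router


def parse_proc_mtd(text):
    """Sizes in /proc/mtd are hex. It carries no offsets; the running offset
    here assumes partitions are contiguous and listed in flash order (usual,
    but confirm against the boot log before trusting it)."""
    pat = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"', re.M)
    parts, offset = [], 0
    for dev, size, erase, name in pat.findall(text):
        size = int(size, 16)
        parts.append({"dev": dev, "name": name, "size": size,
                      "erasesize": int(erase, 16), "offset": offset})
        offset += size
    return parts


UIMAGE_MAGIC = b"\x27\x05\x19\x56"
SQUASHFS_MAGICS = {b"hsqs": "<", b"sqsh": ">"}       # v4 little-/big-endian
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_uimage(data, off):
    """64-byte U-Boot legacy header; the header CRC weeds out chance matches."""
    hdr = data[off:off + 64]
    if len(hdr) < 64:
        return None
    _, hcrc, _, size, load, entry, dcrc, os_, arch, typ, comp, name = \
        struct.unpack(">IIIIIIIBBBB32s", hdr)
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) & 0xffffffff != hcrc:
        return None
    payload = data[off + 64:off + 64 + size]
    return {"kind": "uImage", "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "load": load, "entry": entry, "os": os_, "arch": arch,
            "type": typ, "comp": comp,
            "data_crc_ok": zlib.crc32(payload) & 0xffffffff == dcrc}


def parse_squashfs(data, off):
    """SquashFS v4 superblock: magic, inodes, mkfs_time, block_size, fragments,
    compressor, block_log, flags, id_count, major, minor, root_inode, bytes_used."""
    endian = SQUASHFS_MAGICS.get(data[off:off + 4])
    if endian is None or len(data) < off + 48:
        return None
    (_, inodes, _, block_size, _, comp, block_log, _, _, major, minor, _,
     bytes_used) = struct.unpack_from(endian + "IIIIIHHHHHHQQ", data, off)
    if major != 4 or 1 << block_log != block_size or off + bytes_used > len(data):
        return None
    return {"kind": "SquashFS", "version": f"{major}.{minor}", "inodes": inodes,
            "block_size": block_size, "bytes_used": bytes_used,
            "compressor": SQUASHFS_COMPRESSORS.get(comp, comp)}


def scan_flash(data):
    """Every offset holding a header that survives validation, in flash order."""
    found = []
    for magic in (UIMAGE_MAGIC, *SQUASHFS_MAGICS):
        off = data.find(magic)
        while off != -1:
            info = parse_uimage(data, off) if magic == UIMAGE_MAGIC else parse_squashfs(data, off)
            if info:
                found.append((off, info))
            off = data.find(magic, off + 1)
    return sorted(found, key=lambda hit: hit[0])


def carve_squashfs(data, off):
    """Cut the image out by its own bytes_used, padded to 4 KiB like mksquashfs
    does, so unsquashfs can unpack the result directly."""
    info = parse_squashfs(data, off)
    end = off + ((info["bytes_used"] + 4095) & ~4095)
    return data[off:min(end, len(data))]


def build_demo_flash():
    """Constructed 32 KiB dump: erased flash, a uImage at 0x1000, SquashFS at 0x3000."""
    kernel = b"constructed kernel payload " * 8
    hdr = struct.pack(">IIIIIIIBBBB32s", 0x27051956, 0, 0, len(kernel), 0x80000000,
                      0x80000000, zlib.crc32(kernel) & 0xffffffff, 5, 5, 2, 0,
                      b"Constructed MIPS Linux")     # os=Linux, arch=MIPS, type=kernel
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr) & 0xffffffff) + hdr[8:]
    body = bytes(range(256)) * 2
    sb = struct.pack("<IIIIIHHHHHHQQ", 0x73717368, 12, 0, 1 << 17, 1, 4, 17, 0xC0,
                     1, 4, 0, 0x1234, 48 + len(body))
    img = bytearray(b"\xff" * 0x8000)
    img[0x1000:0x1000 + len(hdr) + len(kernel)] = hdr + kernel
    img[0x3000:0x3000 + len(sb) + len(body)] = sb + body
    return bytes(img)
```

On a real dump the carved file goes straight to unsquashfs (or to binwalk for anything this scanner does not know about, such as JFFS2 or LZMA-packed kernels). The CRC and superblock checks are what keep a four-byte magic that happens to appear inside compressed data from being reported as a file system.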
  • 33. Ultra quick JTAG primer
    • JTAG stands for Joint Test Action Group, which was formed in 1985.
    • The following pins are required for JTAG use:
      • TDI (Test Data In)
      • TDO (Test Data Out)
      • TCK (Test Clock)
      • TMS (Test Mode Select)
    • TRST (Test Reset) is optional: holding TMS high for five TCK cycles returns the TAP to its reset state from anywhere, which is why debuggers manage without it.
    • The TCK pin (Test Clock) is what keeps the clock for the state machine.
    • The TMS pin (Test Mode Select) is what determines when and how the state machine advances, depending on its level at each clock cycle.
    • Source: Wikipedia
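The state machine the primer describes, as an added example written for this page and not code from the talk: a Python model of the sixteen-state TAP driven by TMS on every TCK, a simulated target that answers with an IDCODE, and the one-clock BYPASS delay check. The IDCODE value, the 4-bit instruction register and its instruction encodings are constructed for the demo; on a real chip they come from the datasheet or from what the debugger reports.

```python
"""JTAG TAP state machine plus a bit-banged IDCODE/BYPASS read against a
simulated target. Added example for this page, not the talk's code: the
state table is the IEEE 1149.1 one; the target (4-bit IR, IDCODE value,
instruction encodings) is constructed for the demo."""
from collections import deque

# state -> (next state on TMS=0, next state on TMS=1), sampled on each TCK
TAP = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}


def tms_path(src, dst):
    """Shortest TMS sequence from src to dst (breadth-first over the table)."""
    prev, queue = {src: None}, deque([src])
    while queue and dst not in prev:
        s = queue.popleft()
        for tms in (0, 1):
            if TAP[s][tms] not in prev:
                prev[TAP[s][tms]] = (s, tms)
                queue.append(TAP[s][tms])
    path, s = [], dst
    while prev[s] is not None:
        s, tms = prev[s]
        path.append(tms)
    return path[::-1]


IDCODE_INSTR, BYPASS_INSTR = 0b0010, 0b1111   # constructed 4-bit IR encodings
DEMO_IDCODE = 0x2123417F                       # constructed: ver 2, part 0x1234, mfr 0x0BF


class SimTap:
    """One device on the chain: 4-bit IR, 32-bit IDCODE, 1-bit BYPASS.
    clock() models one rising edge of TCK; tdo() is what the probe reads."""
    IR_LEN = 4

    def __init__(self, idcode=DEMO_IDCODE):
        self.idcode, self.state = idcode, "TEST_LOGIC_RESET"
        self.ir = IDCODE_INSTR             # 1149.1: reset selects IDCODE (or BYPASS)
        self.ir_shift = self.dr_shift = 0
        self.dr_len = 32

    def tdo(self):
        if self.state == "SHIFT_DR":
            return self.dr_shift & 1
        return self.ir_shift & 1 if self.state == "SHIFT_IR" else 0

    def clock(self, tms, tdi):
        s = self.state
        if s == "CAPTURE_DR":              # load whichever register the IR selects
            self.dr_shift, self.dr_len = (self.idcode, 32) if self.ir == IDCODE_INSTR else (0, 1)
        elif s == "SHIFT_DR":              # shift towards TDO; TDI enters at the top
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        elif s == "CAPTURE_IR":
            self.ir_shift = 0b0001         # 1149.1 requires the IR to capture ...01
        elif s == "SHIFT_IR":
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.IR_LEN - 1))
        elif s == "UPDATE_IR":             # shifted value becomes the active instruction
            self.ir = self.ir_shift
        self.state = TAP[s][tms]           # TMS decides where the state machine goes
        if self.state == "TEST_LOGIC_RESET":
            self.ir = IDCODE_INSTR


def walk(tap, tms_bits):
    for tms in tms_bits:
        tap.clock(tms, 0)


def shift_bits(tap, n, value=0):
    """Shift n bits in (LSB first) and out; the last clock carries TMS=1 so the
    TAP leaves Shift-* for Exit1-*. Returns the bits read on TDO."""
    out = 0
    for i in range(n):
        out |= tap.tdo() << i
        tap.clock(1 if i == n - 1 else 0, (value >> i) & 1)
    return out


def read_idcode(tap):
    walk(tap, [1] * 5)                                    # any state -> Test-Logic-Reset
    walk(tap, tms_path("TEST_LOGIC_RESET", "SHIFT_DR"))   # 0,1,0,0
    code = shift_bits(tap, 32)
    walk(tap, tms_path("EXIT1_DR", "RUN_TEST_IDLE"))      # 1,0
    return code


def write_ir(tap, instr):
    walk(tap, tms_path(tap.state, "SHIFT_IR"))
    shift_bits(tap, SimTap.IR_LEN, instr)
    walk(tap, tms_path("EXIT1_IR", "RUN_TEST_IDLE"))


def bypass_delay(tap, pattern, n=8):
    """With BYPASS selected the DR is one bit long, so TDO replays TDI delayed by
    exactly one clock: the classic check that a candidate pinout really is JTAG."""
    write_ir(tap, BYPASS_INSTR)
    walk(tap, tms_path(tap.state, "SHIFT_DR"))
    out = shift_bits(tap, n, pattern)
    walk(tap, tms_path("EXIT1_DR", "RUN_TEST_IDLE"))
    return out


def decode_idcode(code):
    """IDCODE layout: bit 0 = 1, bits 1-11 JEDEC manufacturer, 12-27 part, 28-31 version."""
    return {"version": code >> 28, "part": (code >> 12) & 0xFFFF,
            "manufacturer": (code >> 1) & 0x7FF, "marker": code & 1}
```

Swapping SimTap for four GPIO lines on a Bus Pirate or an FTDI adapter is all it takes to turn this into a real probe, and the two checks it performs (an IDCODE whose low bit is 1 after reset, and a BYPASS pattern that comes back one clock late) are the same ones pinout-finding tools rely on.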
  • 34. OPTIONS FOR CONNECTING TO JTAG
    • Good: $45
    • Better: $60-$600
    • Best: $5,000-$20,000
  • 36. HOW TO CONNECT WITH OPENOCD
    • The command to initiate OpenOCD is:
        openocd -f interface -f target
      where interface and target are the .cfg files describing your adapter and the chip on the board.
    • But now what? There are errors and stuff!!!!! #openocd on
  • 37. HOW TO CONNECT WITH OPENOCD (2)
    • Silly OpenOCD! That's more like it :)
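What those two config files usually contain, folded into one for brevity, as an added example written for this page and not a file from the talk or from the OpenOCD project. Everything device-specific is an assumption to be replaced with values from your own board: an FTDI FT232H-based adapter (the Shikra is one) with the usual TCK/TDI/TDO/TMS on ADBUS0-3, a single MIPS EJTAG TAP with a 5-bit instruction register, a target type that matches the core, and 4 MiB of NOR flash visible at the MIPS boot address.

```tcl
# dump_flash.cfg (constructed example for this page; not the talk's file)
# Run as:  openocd -f dump_flash.cfg
# Assumptions: FT232H adapter on ADBUS0-3, one MIPS EJTAG TAP with irlen 5,
# core type mips_m4k, 4 MiB NOR at the KSEG1 boot alias. Replace as needed.

interface ftdi
ftdi_vid_pid 0x0403 0x6014
ftdi_layout_init 0x0008 0x000b   ;# TMS idles high; TCK/TDI/TMS outputs, TDO input
transport select jtag
adapter_khz 1000                 ;# start slow, raise once the chain is stable

# IR length comes from the datasheet or from trial and error. OpenOCD prints the
# IDCODE it sees on the chain at init; compare it with the vendor's value.
jtag newtap router cpu -irlen 5
target create router.cpu mips_m4k -endian big -chain-position router.cpu

init
scan_chain                       ;# lists every TAP found and its IDCODE
halt                             ;# stop the core so memory reads are consistent
# KSEG1 (uncached) alias of the boot flash on MIPS; 0x400000 = 4 MiB (assumed size)
dump_image flash_dump.bin 0xbfc00000 0x400000
shutdown
```

If init stops with the IDCODE or IR length "UNEXPECTED", the wiring or the irlen is wrong, not the target config; fix that before touching anything else. The dump itself is what the file-system carving example earlier in this page consumes.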
  • 39. MY PET PROJECT == CEREAL
  • 40. REVERSE ENGINEERING
    • Binary Ninja
      • Free version available
      • Limited architecture support
      • Learn one IL to reverse them all
    • IDA Pro
      • Paid version required for disassembly
      • ARM decompiler available but $$$$
      • Also a very good debugger
    • Radare2
      • Free, multiplatform support
      • No decompiler available
  • 43. OTHER NICE TO HAVES
  • 44. Training and reading:
    • http://www.grandideastudio.com/hardware-hacking-training/
    • http://www.xipiter.com/training.html
    • https://www.eevblog.com
    • http://www.embedded.com/electronics-blogs/beginner-s-corner/
  • 46. CONTACT INFORMATION TWITTER: @PRICEMCDONALD LINKEDIN: LINKEDIN.COM/PRICEMCDONALD EMAIL: PRICEMCDONALD@GMAIL.COM