null Trivandrum Chapter - August 2013 Meet

1. Hardware Hacking
A primer
Yashin Mehaboobe
Icarus Labs ,CSPF
By Mohesh Mohan
Big Thanks to

2. Why hack hardware?
•More interesting
•More rewarding
•Usually open entry point into an otherwise secure network
•Interacting with the physical world.

3. The Raspberry Pi
The computer geek’s electronics toy

4. Why Pi?
•Easily supports a large variety of languages.
•Comes with an Ethernet and USB ports.
•GPIO pins for hardware hacks
•Inbuilt RNG
•Powerful GPU
•Linux!!!!

5. Specifications
Model A Model B
Target price: US$ 25 US$ 35
SoC: Broadcom BCM2835 (CPU, GPU, DSP, SDRAM, and single USB port)
CPU: 700 MHz ARM1176JZF-S core (ARM11 family, ARMv6 instruction set)
GPU:
Broadcom VideoCore IV @ 250 MHz
OpenGL ES 2.0 (24 GFLOPS)
MPEG-2 and VC-1 (with license), 1080p30 h.264/MPEG-4 AVC high-profile decoder and encoder
Memory (SDRAM): 256 MB (shared with GPU)
512 MB (shared with GPU) as of 15 October
2012
USB 2.0 ports: 1 (direct from BCM2835 chip) 2 (via the built in integrated 3-port USB hub)
Video input: A CSI input connector allows for the connection of a RPF designed camera module
Video outputs:
Composite RCA (PAL and NTSC), HDMI (rev 1.3 & 1.4), raw LCD Panels via DSI 14 HDMI resolutions from
640×350 to 1920×1200 plus various PAL and NTSC standards.
Audio outputs: 3.5 mm jack, HDMI, and, as of revision 2 boards, I²S audio (also potentially for audio input)
Onboard storage: SD / MMC / SDIO card slot (3,3V card power support only)
Onboard network: None
10/100 Ethernet (8P8C) USB adapter on the
third port of the USB hub
Low-level peripherals:
8 × GPIO, UART, I²C bus, SPI bus with two chip selects, I²S audio +3.3 V, +5 V, ground
Power ratings: 300 mA (1.5 W) 700 mA (3.5 W)
Power source: 5 volt via MicroUSB or GPIO header
Size: 85.60 mm × 53.98 mm (3.370 in × 2.125 in)
Weight: 45 g (1.6 oz)
Operating systems:
Arch Linux ARM, Debian GNU/Linux, Fedora, FreeBSD, NetBSD, Plan 9, Raspbian OS, RISC OS,[Slackware
Linux

6. Mayhem
Numero Uno

7. WhatDuino
•Open hardware project
•Official versions: Uno, Mega, Duemilanove, Esplora etc
•Compatible: Teensy, TinyDuino, Femtoduino,
•Shields, shields, shields!!!
•Multiple uses, single programming language!

8. Basic Overview
•14 Digital pins
•6 Analog pins
•Voltage regulated power supply
•Programmed over USB
•Inbuilt LED at pin 13

9. Shields

10. Bus Pirate
The ‘Bus Pirate’ is a universal bus interface that talks to
most chips from a PC serial terminal, eliminating a ton of
early prototyping effort when working with new or
unknown chips. Many serial protocols are supported at 0-
5.5volts, more can be added

11. Bus Pirate : Cool stuff all over the world
• Hack a cheap MD80 video camera, modify the firmware to remove date display
• XDA used Bus pirate to root Meizu MX
• Will_j used bus pirate to act as a transparent USB->serial bridge to a Wavecom GSM modem
• sniff the exchange between an autonomous smartcard reader and a card
• Hacking USB webkeys with Bus Pirate
• IBM Thinkpad T30 Bios password reset with the Bus Pirate by Marcin
• ph1ph1l0u reports success rescuing his Asus laptop from a bad bios flash using flashrom and the
buspirate.
• Bill Farrow fixed the Seagate 7200.11 hard drive firmware BSY bug with the Bus Pirate

12. Other Players
MK Series
Google
android Mini
PC
Field Programmable
Gate Arrays or FPGAs
like Spartan

13. MK Series Mini PC
•More Computing power (Single, Dual, Quad cores)
•Super Cheap and small form factor
•Built in Wifi, Bluetooth, HDMI, SD card slots, USB OTG
•Supports Linux
•No GPIO or hackable ports
•Very Little documentation
•Low Quality / Can be easily damaged

14. FPGAs
•Awesome computing power
• FPGAs are reprogrammable silicon chips
• Recompile means rewiring 
COPACOBANA version based on Virtex-4 SX 35 FPGAs
• Dedicated code breaker for DES and other ciphers
•NSA@home is a fast FPGA-based SHA-1 and MD5 bruteforce cracker
•Bit complicated & Hard to work with

15. Calling Other Worlds
Out of the box the bladeRF can tune from 300MHz to 3.8GHz
without the need for extra boards. The current open source drivers
provide support for GNURadio among other things, allowing the
bladeRF to be placed into immediate use. This gives the bladeRF the
flexibility to act as a custom RF modem, a GSM and LTE picocell, a
GPS receiver, an ATSC transmitter or a combination Bluetooth/WiFi
client without the need for any expansion cards.
Transmit or receive any radio signal from 30 MHz to 6 GHz on
USB power with HackRF. HackRF can be used to transmit or
receive radio signals. It operates in half-duplex mode: it can
transmit or receive but can't do both at the same time. However,
full-duplex operation is possible if you use two HackRF devices.

16. bladeRF
bladeRF x115
$650
The bladeRF x115 comes with a larger
115KLE Cyclone IV FPGA that provides
additional room for hardware accelerators
and signal processing chains including
FFTs, Turbo Decoders, transmit
modulators/filters, and receive acquisition
correlators for burst modems.

17. The mother of all :USRP
• Too pricey > $1000
• Can be used with GNU Radio to sniff GSM
traffic
• could use it to broadcast digital television
• track radio tags,
• even mess with garage door openers
• POC Using a box with at least 27 FPGA’s plan
on constructing a 6+ terabyte rainbow table.
Once complete, any GSM conversation can be
cracked in less than 5 minutes using a single
FPGA.

18. Dreamz Unlimited!!!
• We will be pretty soon be able to make small
DIY robots equipped with enough hardware to
sniff all wireless communication and even
decrypt them real time… Possibilities are end
less
• A small step on this horizon is a flying drone
called WASP. it's a 'Small Scale, Open Source
UAV using off the shelf components. Designed
to provide a vehicle to project cyber-offensive
and defensive capabilities, and visual /
electronic surveillance over distance cheaply
and with little risk.'

19. Thank you!!
Questions?
Contact:
Facebook.com/MoheshMohan
www.h4hacks.com