Hardware Hacking - the Basics Pt. 1

NB Like pretty much everything on my site, I’m not writing this for the technically uninitiated. Fair warning, if the first few bits are hard, it’s probably meant to be that way. Pro tip - if you don’t know all the acronyms that start in 3 paragraphs, this isn’t for you.

What is hardware hacking precisely?

Put simply, it’s a way of hacking that concentrates on the devices themselves, as opposed to just a particular application or service. In normal, modern, IT-based environments, we use keyboards to type, we use monitors to see what’s going on, and we use GUIs to interact with a computer and tell it what to do.

In hardware hacking, we don’t really care about this. What we want is to be able to look at the hardware directly, and interact with the firmware system itself. This gives us a low level of access, so we can find out how the particular device operates under the hood.

But what’s different?

Well, really, not much. LFI, RCE, BoF, XSS, CSRF, SSRF, XXE, etc. all work the same. There’s nothing ‘special’ about hardware hacking in that respect. What’s different is the routes that you take to get there, and the ways you can influence a process in memory or at rest.

To illustrate, let’s take an example. Suppose we think we have command execution on the device, say a router, and it’s in a ‘usual’ place such as the ‘ping something’ functionality in the web application. Before we write a CSRF exploit to run this unauth on a simulated victim’s machine, we want to know that it is indeed running our commands. Router manufacturers have grown aware of attacks such as this, and so have implemented iptables firewalls to prevent out-of-band disclosure (like doing an nslookup test), and no errors are reported to the web interface when we try and do something that we shouldn’t.

If you’ve accessed a dormant development header then you can have it write to your device and see the output. What’s a ‘development header’? Well, these are basically parts of a PCB (printed circuit board) that were used in the development of the board. Commonly UART or some other serial interface, they are most commonly configured to give you a shell (often r00t).

So what do we do that’s different? Well, we’ll try a payload something like this:

http://router.admin/services.php?ping=127.0.0.1;%20echo%20"test"%20>%20/dev/ttyS0

(this is a completely made up example…)

If we look at our UART console and see that test has appeared, we’re on to something. We know we have command execution, and we know that fully exploring this is worthwhile from a research point of view.
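The defender’s side of the made-up request above, as an added example that is not from the original post: a string-built ping command next to a handler that only accepts a literal IPv4 address and never involves a shell. The function names and the `ping -c 1` command line are assumptions for illustration, and nothing is executed.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# The made-up request from the post, reused here as constructed input.
POST_URL = ('http://router.admin/services.php'
            '?ping=127.0.0.1;%20echo%20"test"%20>%20/dev/ttyS0')


def ping_param(url):
    """Return the decoded value of the single `ping` query parameter."""
    name, _, raw = urlsplit(url).query.partition("=")
    if name != "ping":
        raise ValueError("missing ping parameter")
    return unquote(raw)


def vulnerable_command(target):
    """String a string-building handler hands to `sh -c` (never run here)."""
    return "ping -c 1 " + target


def hardened_argv(target):
    """Accept only a literal IPv4 address; return argv for exec without a shell."""
    addr = ipaddress.IPv4Address(target)   # raises ValueError on anything else
    return ["ping", "-c", "1", str(addr)]


def handle(url):
    """Hardened request path: argv on success, None when the input is rejected."""
    try:
        return hardened_argv(ping_param(url))
    except ValueError:
        return None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(ping_param(POST_URL)))
    print("hardened:  ", handle(POST_URL))
```

With the vulnerable form the shell sees two commands and a redirect to the serial device; the hardened form rejects the request before any process is started.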

Don’t I need a lot of theory?

Probably, but in many ways, the best way to learn is by doing, especially in this case. That said, it can’t hurt to be familiar with electronic basics - I was going to write a ‘War and Peace’ overview, but then realised a quick google search would pull up much better guides than I could write. Here’s a (growing, I hope) list:

Digital vs. Analogue Electronics

This is a brief overview, and a quick web search will find you much more information.

The difference from our point of view is the way in which information is encoded. In analogue electronics, different voltage levels carry some level of information - think of a microphone recording sound or a speaker reproducing the same sound.

The microphone (essentially, an inverted speaker) vibrates according to the pressure waves that are the invisible thing we perceive as sound. These vibrations take place in a magnetic field, and they vary an output voltage as a direct result of the sound waves hitting a microphone diaphragm. The opposite process is how speakers work, to the letter. But how is this different from digital music?

Well, in digital systems we have two states - ‘on’ and ‘off’. That’s it. So, you can see why binary is such a big thing in computing - it’s how we store digital information. So, to record sound digitally, we take the sound wave, which is a continuous series of voltages, and chop it up. We then take each ‘slice’ and calculate the average voltage for that tiny (in the milliseconds) period of time, and write that number down in digital storage. This is then our digital sound file (there is a wealth of wonderful mathematics explaining why and how these things work so well).

To reproduce the sound, we reverse the process, and modulate the voltage of a system according to these digital values for the same period of time. Easy.

So, think about what we have to be able to do these conversions:

  • A regular clock signal to regulate the ‘chopping up’ of the analogue waveform
  • A reliable output voltage with which we can reliably detect ‘1’ vs. ‘0’
  • A protocol that is easy to reproduce and implement, to keep the cost of the electronics down, but reliable at the same time.

… you get the idea. And these things are all inherent to our digital devices through and through. The protocols we’ll describe will exhibit these properties.

Resistance is not Futile…

…it’s cumulative and a right bitch. Remember this. The only formula you need is

\[R = \frac{V}{I}\]

which is the electronics equivalent of $F = ma$ in physics.

Resistance represents a constant drain on power in a circuit, and is given symbol ‘R’ and measured in Ohms. A voltage, or ‘potential difference’ is a measurement of energy in a system, and is given the symbol ‘V’.

However, you have to have something to give the energy to, and these are electrons - perfectly spherical little particles we have all heard of. The amount of electrons is called the ‘charge’, measured in Coulombs and is usually given the symbol ‘Q’.

We usually talk about a ‘current’ in a circuit, measured in Amperes, or Amps for short, and given the symbol ‘I’. This is the ‘rate of change’ of electrons - like the rate of change or current of a river. This means that a circuit with 1 Amp of current has 1 Coulomb’s worth of charge flowing past any given point per second.

Now think about the formula from above - $R = \frac{V}{I}$. If we increase the voltage of the system but not the current, then we naturally increase the resistance. If we increase the current, and maintain the voltage, then the resistance falls. Rearranging, $\frac{V}{R} = I$, so for a fixed voltage circuit, if we introduce a resistance (like adding a resistor) then we reduce the current flow around the circuit.

NB These are the kinds of games physicists play when they encounter formulae. It’s a very good way of interpreting mathematics to see how it impacts the real world. But remember, maths is a human construction!

Here are some useful formulae:

  • $I = \frac{\Delta Q}{\Delta t}$
  • $V = \frac{W}{Q}$, where $W$ is ‘Work done’, measured in Joules
  • $P = I^2 R$, where $P$ is power, measured in Watts

But we’re not here to do maths…

Ok. I’m in. What do I need?

That’s a very open question, but here are some key pieces of equipment I’ve found the most useful. This list will be updated on occasion, so if something isn’t here now, it may well be soon…

I should point out here that I aim to do this in the cheapest way possible - I don’t really believe in spending hundreds of coins on kit that is usually single use. As such, there are usually cheap Chinese derivatives that do the same thing, but with much less reliability. These can be found on AliExpress, usually.

Basic kit

These are the things I find useful for doing PoC’s and getting going in general:

  • Wire - just plain, thin, insulated wire
  • Enamelled wire - this is useful for tapping into very small contact points where larger wire would pull the contact off
  • Soldering iron - get a decent one if you can, but really any will do, once you learn how to do it.
  • Solder - solder is an amalgam of a few metals, predominantly tin. Cored solder is essentially a very thin pipe filled with a substance called flux. The flux is used to reduce oxidation of both the wire metals (copper) and the tin-based solder itself. Tin is very sticky to clean metal, but not to metal-oxides (like copper oxide); however, at the temperatures we’re talking, copper oxidises (‘browns’) very quickly, which would prevent a decent join. Flux mitigates this.
  • Array of Components - having a ‘base stock’ of resistors, capacitors, LEDs, and transistors of various types and values is very useful when working with electronics. You can buy ‘electronics starter kits’ that are full of useful bits and pieces that regularly come in handy.

Test Equipment

There are lots of things that go here, so let’s get to it.

Voltmeter

These are great pieces of kit. They let you find out the broad structure of a circuit: where the power rails are (these are usually traces that go from the power input of a device and deliver power uniformly to all circuits, and there can be multiple for different voltage requirements on a single board), where ground points are, whether two points have continuity, the ratings of components, and, with practice, likely candidates for test/development points.

Getting a decent one is advised - they cost around $25-30, and can be bought anywhere as they’re not very specialised kit.

Oscilloscope

My favourite piece of kit! I don’t own a fancy one (though you can get them second hand and quite cheap), but the two I do own I love.

An oscilloscope is a tracking, visual voltmeter. It lets you choose a test point, and then track the test point’s voltage for a period of time. With this, you can ‘see’ waveforms as a voltage over time graph.

They also have useful functions, such as ‘slope triggers’ - where you can have it record for a fraction of a second as and when it detects a ‘slope’ or ‘change in voltage’, usually indicating a circuit powering up or trying to communicate.

We’ll make much use of these, as well as logic analysers…

Logic Analysers

My other fave device. These are multi-channel digital oscilloscopes, essentially.

‘Digital oscilloscopes’?? Yes - they let you track the ‘logic’ of a chip or circuit by adding ‘taps’ to assess the voltage. These are particularly useful for tracking what different legs of an IC (Integrated Circuit - a ‘chip’) are doing, and then reverse engineering what the protocol in use may be, or even pulling data by applying software analysers and decoders.
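A small software decoder of the kind mentioned above, as an added example that is not from the original post: it recovers bytes from a single-channel capture by finding each start bit and sampling every bit at its centre. It assumes 8N1 framing, an idle-high line and a known baud rate; the capture is constructed by `encode_uart` rather than taken from a real device.

```python
def encode_uart(data, samples_per_bit, gap=20):
    """Constructed capture: idle-high line carrying 8N1 frames, LSB first."""
    line = [1] * 20                                   # leading idle
    for byte in data:
        bits = [0] + [(byte >> k) & 1 for k in range(8)] + [1]  # start, data, stop
        for bit in bits:
            line += [bit] * samples_per_bit
        line += [1] * gap                             # idle between frames
    return line


def decode_uart(samples, sample_rate, baud):
    """Return (decoded bytes, framing error count) for an 8N1 capture."""
    spb = sample_rate / baud          # samples per bit, may be fractional
    out, framing_errors = bytearray(), 0
    i, n = 1, len(samples)
    while i < n:
        # A start bit begins with a falling edge on the idle-high line.
        if not (samples[i - 1] == 1 and samples[i] == 0):
            i += 1
            continue
        # Sample start, 8 data bits and stop at the centre of each bit time.
        centres = [i + int((k + 0.5) * spb) for k in range(10)]
        if centres[-1] >= n:
            break                     # capture ends mid-frame
        bits = [samples[p] for p in centres]
        if bits[0] != 0 or bits[9] != 1:
            framing_errors += 1       # glitch, or the wrong baud rate
            i += 1
            continue
        out.append(sum(bit << k for k, bit in enumerate(bits[1:9])))
        i = centres[9]                # resume the edge search inside the stop bit
    return bytes(out), framing_errors


if __name__ == "__main__":
    capture = encode_uart(b"test\n", samples_per_bit=8)
    print(decode_uart(capture, sample_rate=921_600, baud=115_200))
```

A rising framing error count, or output that is not printable text, usually means the baud rate guess is wrong.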

JTAG finders

[ The JTAGulator and friends are very useful, but the second-hand one I got doesn’t work. As such, I still do this by hand. I know I need to change this, so watch this space!]

Protocol Boards

I struggled to find a name for these, but this seems to fit best. In hardware hacking, you need ways for your computer to ‘speak’ the protocols you’ll come across. As such, I’ve termed such devices ‘protocol boards’ to illustrate that they are used to ‘speak’ to devices over various protocols that you may encounter.

Bus Pirate

SUPERB! Very versatile. A little slow, compared to new versions, but there are some Polish manufacturers making these at very reasonable prices.

The Bus Pirate speaks many protocols, and lets you communicate over UART, SPI, and even basic JTAG with a single device. Very versatile, and long lasting.

In the words of Alan Partridge, “Nice!”. 0xFF out of 0xFF, would recommend to a friend.

UART to USB converters

UART is the most common ‘serial’ interface; so common that when we say ‘serial line’ we usually mean UART. As such, a dedicated UART to USB converter is a must, as they will be in constant use.

They’re also very low cost. Down side is, they’re easy to blow the chips on, so buy a few.

Bits and pieces

These are handy pieces of kit to have around.

Arduinos

Either the Nanos, Teensys, or Arduino Unos - they’re very useful for creating proof-of-concept devices or even for programming basic ‘glitchers’. The Arduinos are devices for which you compile C into bytecode and load it onto the Arduino boards as flash files. As such they are ‘single purpose’ devices that can easily (and intentionally) be repurposed time and time again.

They also easily interface over SPI and have boatloads of re-useable code online, from basic functions to implementations of HCI (Human Computer Interface - keyboards, etc.) impersonators, all over the place.

Get one of each, as they’re fairly inexpensive, esp. the imitations.

Breakout Boards

From temperature sensors to RFID Readers, there are loads of breakout boards, usually designed to add functionality to Arduino-like boards. They usually speak SPI or I2C, so are easy to integrate into projects for infinite reasons.

These can be bought in bulk as ‘arduino starter kits’ sold en masse.

Raspberry Pi’s or like computers

Sometimes an Arduino doesn’t give enough control or accuracy. Where Arduinos leave off, RasPis and their like derivatives pick up. They let you set up Wi-Fi clients/APs, web clients that you can script, or any other way in which you’d want to simulate a ‘client’ or ‘server’ the target device can speak to, and you can do this with the ease of a BASH script.

Summary

This is the first step, and really only a -vvv equipment list and background overview for hardware hacking.

Hopefully we’ll get onto something meatier soon ;-)