Byte-ul

The Introductory IoT Hardware Hacking Tool Box


Aggregated here you will find some of the most popular tools for reverse engineering embedded electronics, as well as some documentation and tutorials on how to get started using them. If you have been interested in hardware hacking and modding, and even developing software exploits there has never been a better time to jump in and learn. Based on the items listed here I will introduce you to some foundational knowledge so that you can start your journey.

The general process to hardware hacking follows a few main steps. First you want to pick a target device that interests you. You may want to pick a device with known vulnerabilities to practice on or a high value target. The Exploitee.rs Wiki has a range of IoT devices with known vulnerabilities and directions on how to exploit them. (Check out this UART to root shell on a Wink hub.) High value could mean that it is a popular consumer electronic device or that compromising it could have a large impact on safety and privacy.

Next you will need to gain access to the hardware’s electronics. This is a bit more involved since a lot of devices are physically designed to make it difficult to access the embedded electronics. They have hard plastic shells and hidden screws that require uncommon bits to open.

Finally, using the following hardware tools you will identify debug ports and serial protocol interfaces, dump firmware, and reverse engineer the target device.


Hardware

These tools will allow you to explore your target device through the hardware’s various serial bus interfaces or allow you to dump the firmware image from the device for reverse engineering the software. The firmware image is a compressed file containing the operating system and its files; it may contain interesting things like the code to the web interface that most of these devices have. You can then run that dumped code and reverse engineer it on an emulator like QEMU.
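A first step after dumping a flash chip is finding where the compressed kernel, the file system and the boot headers sit inside the raw image. The script below is an added example, not code from the original post or from Security Evaluators: it scans a dump for a handful of well-known magic values (U-Boot uImage header, gzip, XZ, SquashFS, ELF), parses the uImage header, and carves the gzip member so its real length and contents are known. The "dump" it scans is a byte string constructed inline so the script runs offline; the kernel text, image name and addresses in it are made up for the example.

```python
"""Locate and carve common sections of a raw IoT firmware dump."""
import gzip
import struct
import zlib
from typing import List, NamedTuple, Optional, Tuple


class Hit(NamedTuple):
    offset: int
    name: str
    detail: str


# Magic values that commonly mark sections of IoT firmware images.
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"\x1f\x8b\x08": "gzip stream",
    b"\xfd7zXZ\x00": "XZ stream",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x7fELF": "ELF executable",
}

UIMAGE_FMT = ">IIIIIIIBBBB32s"  # 64-byte legacy U-Boot image header


def carve_gzip(data: bytes, offset: int) -> Optional[Tuple[bytes, int]]:
    """Inflate the gzip member that starts at offset.

    Returns (decompressed bytes, compressed length), or None if the bytes at
    offset are not a complete gzip stream. zlib's decompressobj stops at the
    end of the member and reports the rest of the dump in unused_data, which
    is how the compressed length is recovered inside a larger flash image.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    try:
        out = d.decompress(data[offset:])
    except zlib.error:
        return None  # header check failed: not gzip after all
    if not d.eof:
        return None  # truncated stream
    compressed_len = len(data) - offset - len(d.unused_data)
    return out, compressed_len


def describe_uimage(data: bytes, offset: int) -> str:
    """Pull the image name and declared payload size out of a uImage header."""
    hdr = data[offset:offset + 64]
    if len(hdr) < 64:
        return "truncated header"
    fields = struct.unpack(UIMAGE_FMT, hdr)
    size = fields[3]
    name = fields[11].rstrip(b"\0").decode("ascii", "replace")
    return f"name={name!r} data_size={size}"


def scan(data: bytes) -> List[Hit]:
    """Return every signature hit in the dump, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            start = off + 1
            if name == "U-Boot uImage header":
                detail = describe_uimage(data, off)
            elif name == "gzip stream":
                carved = carve_gzip(data, off)
                if carved is None:
                    continue  # three bytes that merely looked like gzip
                detail = f"compressed={carved[1]} decompressed={len(carved[0])}"
            else:
                detail = ""
            hits.append(Hit(off, name, detail))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Construct a small fake flash dump (not taken from any real device)."""
    kernel_text = b"Linux version 4.4.0 (constructed sample kernel)\n" * 8
    kernel_gz = gzip.compress(kernel_text, mtime=0)
    header = struct.pack(UIMAGE_FMT, 0x27051956, 0, 0, len(kernel_gz),
                         0x80000000, 0x80000000, 0, 5, 2, 2, 1,
                         b"constructed-kernel".ljust(32, b"\0"))
    rootfs = b"hsqs" + b"\0" * 60  # only the SquashFS magic, not a real fs
    # 0xFF padding mimics erased flash between sections.
    return b"\xff" * 256 + header + kernel_gz + b"\xff" * 32 + rootfs


if __name__ == "__main__":
    for hit in scan(build_sample_image()):
        print(f"0x{hit.offset:06x}  {hit.name:<26} {hit.detail}")
```

On a real dump, replace `build_sample_image()` with `open("dump.bin", "rb").read()`; the carved gzip payload is what you would hand to a disassembler or boot under QEMU, and the SquashFS offset is where an unsquashfs-style extraction would start.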

Some of the main serial bus interfaces that the following hardware tools can connect to are JTAG, UART, I2C, and SPI. (Please refer to the links on the previously listed protocols to get in-depth explanations of them from a hardware hacking perspective.) Researching all the serial interfaces and their protocols will help you understand how to effectively use the following hardware tools for reverse engineering and exploiting IoT devices.


Shikra

Purchase

Resources:

  • Xipiter’s how to use guide

This device is touted as a more stable tool compared to the Bus Pirate. The hardware is very reliable and stable for connecting to UART, JTAG, and SPI. Many people in the Software Exploitation via Hardware Exploitation community really enjoy using this somewhat lesser known device, and it is used in the SEXviaHEX training.

If you want to pull the firmware image off a target IoT device for software exploitation then the Shikra is a great tool for the job. Just connect the Shikra to the target device’s SPI chip. You may need an 8-pin SOIC clip to connect the Shikra to the SPI interface.

In the how to use guide linked above, it was claimed to have taken the Bus Pirate 30 minutes to dump a 4MB firmware image off a device compared to just under a minute for the Shikra to do the same job. The Shikra may be something less people are familiar with, but it provides consistent, powerful and fast performance for certain jobs.

https://en.wikipedia.org/wiki/Bus_Pirate

Bus Pirate

Purchase


This is one of the most widely used tools out there right now. At the time of this blog’s posting the Bus Pirate version 4 official firmware development seems to have been abandoned. This has caused a lot of headaches for users struggling to get features to work on version 4 as well as they did on version 3. For example some people have had difficulties with getting JTAG support to work on version 4.

As stated in the documentation link, the version 3 firmware has a strong community effort behind it. As long as there is a strong community backing this tool, that community will be committed to fixing and maintaining the firmware of the Bus Pirate. Overall the Bus Pirate is a very robust tool. Finding someone to help you use it will not be hard; try joining the forums.

https://www.parallax.com/product/32115

JTAGulator

Purchase


Besides looking badass, this tool is great for identifying what the different pinouts and chips do on the target device. When you open up the device it is not going to be obvious which pinouts and chips run which serial protocols. Testing each one with the JTAGulator will help you find your UART, JTAG, SPI, and other serial protocol interfaces.

http://hackerwarehouse.com/product/facedancer21/

Facedancer21

Purchase


Not every IoT device is going to have a USB port, but this tool can be very useful when one is available. The Facedancer, besides having a cool name, essentially lets your computer become the USB drive plugged into a device. Within this emulation you can communicate to the target device over the USB bus with Python. Devices often trust USB drives plugged into them so exploring the target device from this perspective can be very rewarding.

https://www.sparkfun.com/products/8430

Make sure you get all the probes and jumper cables required for connecting the target device to the hacking tool and then back to your computer. Most of these linked articles for these hardware tools show what you will need. The wires and cables will plug onto the pinouts or clip onto different chips. Having a variety of male to male, female to female, and male to female wires is definitely helpful.


https://www.seeedstudio.com/Bus-Pirate-v3-probe-Kit-p-526.html


Tools


It may not be as interesting as the hardware tools above, but before you can even get to the IoT device’s juicy electronic guts you need to make sure you have the proper tools to gain access to them. If you are feeling cheap then you can always just skip this last section and smash the IoT device open with a rock. Tempting as that might sound, you risk damaging the electronics.

Many IoT devices use screws that require tools other than Phillips or flathead. You are likely to encounter Torx security, tri-point, gamebit, and spanner screws to name a few. The screws also require 1–4mm bits to unscrew them.

https://www.ifixit.com/Store/Tools/64-Bit-Driver-Kit/IF145-299

64 Bit Driver Kit

Purchase

The 64 Bit Driver Kit is a highly recommended set of bits that should help get you into most electronic devices much better than a 32 bit or 16 bit kit. This set has about 15 types of screw bits with multiple sizes of each. This might be overkill to add to your tool set, but you probably won’t ever have to buy any more bits after getting this set! If you know what screws your device has then you can find much smaller kits with the specific pieces you need.

https://www.ifixit.com/Store/Tools/Jimmy/IF145-259

Jimmy (spudger)

Purchase

Another great tool for you to have on hand when trying to pry these devices open is some type of jimmy. Many of these devices will be sealed closed with some sort of snap together plastic. Using a tool like this can help you pull the plastic shells apart and let you gain access to the electronic goodies inside. If you think this is too much of a uni-tasker then you can fashion a similar tool yourself. Even a sturdy guitar pick could work!


Source: https://blog.securityevaluators.com/the-introductory-iot-hardware-hacking-tool-box-389c4605329f#.8thh1ho2h

Edited by Byte-ul