Hardware Hacking

Quick-start checklist

1. Permission & scope: Only analyze hardware you own or are contractually authorized to assess.
2. Non-destructive first: Photograph boards; note shielding, test pads, jumpers; avoid cutting or desoldering early on.
3. ESD safety: Use wrist strap/mat; power down; isolate bench PSU; label voltages.
4. Identify buses: Probe for UART, I²C, SPI, JTAG/SWD with multimeter + logic analyzer.
5. Document everything: Pinouts, baud rates, dump hashes, tool versions—future you will thank you.

Primer: common debug buses

Many embedded devices expose test pads or headers for manufacturing or service. Typical interfaces:

• UART: 3–5 pins (TX/RX/GND/[Vcc]); serial console at common baud rates (115200/57600/38400).
• I²C: 2-wire (SCL/SDA) plus GND; often used for sensors/EEPROMs; addresses 0x00–0x7F.
• SPI: CLK/MOSI/MISO/CS; common for flash memories (dump firmware via SOIC clip).
• JTAG/SWD: CPU debug access; can halt/step CPU, read memory, or program flash (if not locked).

Common lab workflows

1) Find a UART console

• Locate 3–4 close pads with 3.3V logic (avoid 5V unless confirmed). GND continuity check.
• Hook a USB-UART adapter; try common baud rates; watch for boot logs.
• If a login prompt appears, check for console-only accounts on test firmware (authorized lab only).

2) Dump SPI flash

• Identify the flash chip (SOIC-8 common). Note voltage (1.8V vs 3.3V) before attaching a clip.
• Use Bus Pirate/GreatFET or a dedicated flasher to read the image; take multiple reads and compare hashes.
• Carve file systems (squashfs/jffs2/ext) and analyze configs, creds, and keys in a lab.

3) I²C/EEPROM inspection

• Scan bus to list device addresses; dump small EEPROMs to inspect calibration/config bytes.
• Document checksums and data structures for safe, reversible tests.

4) JTAG/SWD mapping

• Use JTAGulator (or continuity + datasheet) to identify TCK/TMS/TDI/TDO (or SWDIO/SWCLK).
• Connect a debugger; attempt IDCODE; if unlocked, dump memory regions (lab firmware only).

5) Firmware update interception (authorized)

• Capture update traffic on UART/USB/serial buses; verify signatures and rollback protection.
• Assess whether debug ports remain active in production builds.

Glitching & side-channel (intro)

Glitching briefly disturbs power/clock to bypass checks; side-channel measures power/EM leakage to infer secrets. These are advanced topics—start with dev boards and documented labs (e.g., AES demo targets).

• Clock/power glitch: Time a narrow pulse during a check (PIN compare, signature verify) in a lab rig.
• Simple power analysis (SPA/DPA): Measure current draw while crypto runs on a known target to learn methodology.
• Always lawful: Use demo targets; never attack live production systems.

Defenses & hardening

• Lock debug: Disable JTAG/SWD/UART in production; require signed firmware and rollback protection.
• Segregate secrets: Store keys in secure elements; minimize secrets in general flash.
• Tamper evidence: Epoxy, shields, conformal coatings; detect case openings and wipe volatile secrets.
• Voltage/clock monitors: Detect glitch attempts; randomize timing; constant-time crypto.
• Manufacturing hygiene: Remove factory backdoors; unique per-device credentials.

Troubleshooting

• No UART output: Swap TX/RX, try different baud rates, check for 1.8V logic. Ensure shared ground.
• Flash dump inconsistent: Reduce clip movement, lower SPI speed, power the target steadily; verify with repeated reads & hashes.
• Unknown pinout: Use a logic analyzer during boot; look for rhythmic toggles that indicate clocks or TX pins.
• Target won’t boot after probing: Re-check for shorts; remove clips; restore original jumpers; power cycle.

FAQ

Can I brick a device?

Yes. Work non-destructively, back up firmware first, and practice on dev boards before touching anything critical.

Do I need expensive gear?

No. A USB-UART dongle, a logic analyzer, and a tool like Bus Pirate/GreatFET go a long way. Specialized gear helps later.

Is chip removal required?

Often no—many targets allow in-circuit SPI flash reads via SOIC clips. Chip-off is last resort and requires skill.

Useful references

• Datasheets & reference manuals for your target SoC/MCU/flash
• Bus Pirate, GreatFET, JTAGulator, ChipWhisperer docs & community guides
• File system carving tools for firmware analysis (binwalk, jefferson, unsquashfs)
• Safe lab practices: ESD, PSU current limiting, isolation techniques