VoidStar Security - Hardware Hacking for Reverse Engineers // Matthew "wrongbaud" Alt
In-Person | March 18-21 | 4 Days
BOOK NOWABSTRACT
Have you ever wondered how to go from opening up an embedded device such as your home router or an old cell phone to extracting valuable data? If so, then this course is for you! This four-day course covers the fundamentals of hardware reverse engineering and analysis. Students learn how interfaces such as UART, SPI, I2C, JTAG, and SWD work while developing and using tools to interface with these protocols. Through interfacing with these protocols, students learn how to extract flash memory, interact with hardware-level debuggers, and modify the boot process of the target systems included in the kit.
Labs include extracting SPI/I2C-based flash chips, discovering and gaining access to consoles using UART, and identifying, enumerating, and actuating hardware-level debuggers such as JTAG and SWD. JTAG and SWD labs include leveraging these interfaces to modify a running process via physical memory access and escalating the privileges of a running process. All exercises and laboratories utilize open-source tooling on a Raspberry Pi. Students will learn to use the Raspberry Pi to reverse engineer and exploit all the targets in the kit.
VoidStar Security - Hardware Hacking for Reverse Engineers // Matthew "wrongbaud" Alt
In-Person | March 18-21 | 4 Days
INTENDED AUDIENCE
This course is targeted toward security researchers who want to learn more about the process of firmware extraction and embedded systems analysis. Students should be familiar with the Linux command line and be comfortable with a scripting language such as python. C experience is also useful but not required.
KEY LEARNING OBJECTIVES
- Non-Invasive hardware analysis (component identification, etc)
- Tracing and identifying points of interest on PCBs
- Extracting firmware over multiple interfaces
- Unpacking / analyzing binary images
- Attacking/instrumenting hardware debuggers (JTAG,ETC)
- Modifying, repacking and reflashing firmware
COURSE DETAILS
This course is built on practical exercises. Students will first instrument the target devices manually using Python-based tooling and pre-existing tools. An outline and task list for each module can be found below.
This course includes multiple modules, one for each protocol of interest. For each module, we will perform the following:
- Protocol Overview and Analysis
- Understanding and Reviewing Captured Protocol Traffic
- Protocol Analysis from a Reverse Engineering Perspective
- Tools for Reverse Engineering Specific Protocols
- Practical Attacks and Applications on Provided Targets
After each protocol module, students will attack the included targets to reinforce what was learned in the analysis segment. Using this knowledge, students will perform hardware attacks on the targets included in their kits.
Module 1: Fundamentals / Tool Review
- Review tools and equipment needed for hardware hacking
- LAB: Calculating Voltage, Resistance and Continuity
- Printed Circuit Board Construction and Reverse Engineering
- LAB: Reverse Engineering PCBs in Kit
- Component Identification and Documentation
Module 2: Universal Asynchronous Receiver Transmitter (UART)
- UART protocol overview
- Identify UART transactions at the signal/protocol level
- How to identify and detect an active UART on a PCB
- LAB: Calculate an unknown baud rate
- LAB: Create and utilize UART analyzers in Pulseview
- LAB: Use the Raspberry PI as a UART interface
- TARGET EXERCISE: Discover and interface with a UART on the router
Module 3: Bootloaders and U-Boot
- U-Boot history and overview
- Linux boot process review and deep dive
- Understand the U-Boot environment and console commands
- LAB(S): Manipulate environment variables to gain access to systems
- TARGET EXERCISE: Interface with target U-Boot Console and perform initial analysis
- TARGET EXERCISE: Script U-Boot console interactions to extract flash data
Module 4: Serial Peripheral Interface (SPI)
- SPI protocol overview
- Identify SPI transactions at the signal/protocol level
- LAB: Set up an SPI decoder with a logic analyzer
- LAB: Manually extract SPI flash with Python
- LAB: Extract SPI flash with flashrom
- TARGET EXERCISE: Extract target SPI flash with flashrom
Module 5: Firmware Analysis and Dissection
- Overview of common firmware image structure
- Approaching a new firmware image as a reverse engineer
- LAB: Extract segments of interest from firmware images via binwalk and dd
- LAB: Extract components of interest from the router firmware image
- LAB: Patch and modify router firmware image to gain advanced access
Module 6: Joint Test Action Group (JTAG)
- JTAG specification and state machine review
- JTAG for reverse engineers
- TARGET EXERCISE: Enumerate and identify pins on an undocumented JTAG pinout via BYPASS and IDCODE scans
- TARGET EXERCISE: Interface with a JTAG TAP using urJTAG and OpenOCD
- TARGET EXERCISE: Write a custom OpenOCD config file for the target device
- TARGET EXERCISE: Extract memory via JTAG, manually and via pre-existing tools
- TARGET EXERCISE: Utilize JTAG to escalate privilege on a Linux-based target
- TARGET EXERCISE: Utilize JTAG to list processes on a Linux-based target
Module 7: Serial Wire Debug (SWD)
- SWD specification and protocol overview
- SWD for reverse engineers
- TARGET EXERCISE: Identify a Serial Wire Debug interface
- TARGET EXERCISE: Write a custom OpenOCD config file for the target device
- TARGET EXERCISE: Interface with SWD via OpenOCD
- TARGET EXERCISE: Identify an unknown ARM SoC via SWD
- TARGET EXERCISE: Extract firmware via SWD
- TARGET EXERCISE: Modify and upload new firmware via SWD
Each module corresponds with a real hardware target included in the kit; targets include:
- MIPS Travel Router
- ARCompact 64GB SSD
- ARM-based USB controller
- Arcade Cabinet
- ARM-based single-board computer
Knowledge Prequisites
Students should be familiar with the Linux command line and comfortable with a scripting language like Python. C experience is also helpful but not required. While some hardware experience will be beneficial, it is not necessary for this course.
System Requirements
Hardware
- 2 x USB Ports (minimum)
- 32GB of RAM, if running virtual machine
Software
- Administrator access
- Pulseview Software
- Saleae Software
- The ability to configure a network interface
YOUR INSTRUCTOR: Matthew "Wrongbaud" Alt
Matthew began his reverse engineering career in the aftermarket automotive industry, searching for vulnerabilities in engine control units' diagnostic protocol implementations. Next, he worked at MIT Lincoln Laboratory, where he led a team focused on embedded systems analysis. While at MIT, Matthew was awarded the outstanding contributor award for his technical contributions. You can find other examples of his work and teaching style on his personal blog, the VSS Research Blog and through the free Ghidra course he authored at HACKADAY.