Hardware Hacking Bootcamp

Matthew Alt "wrongbaud"
In-Person Training | August 3 - 6 | 4 days

BOOK NOW

Hardware Hacking Bootcamp

Matthew Alt "wrongbaud"

Book Now

This course is designed to teach the fundamentals of hardware reverse engineering and analysis. With a focus on understanding the low-level protocols that make up embedded systems, students learn how interfaces such as SPI, UART, JTAG, SWD work while developing tools to interface with these protocols. All hardware is provided for this course, and all tools are kept by the students upon completion of the course.

ABSTRACT

Have you ever wondered how to go from opening up an embedded device such as your home router or an old cell phone to extracting valuable data? If so, then this course is for you! This four-day course reviews the fundamentals of hardware reverse engineering and analysis. With a focus on reverse engineering protocols that comprise embedded systems, students learn how interfaces such as UART, SPI, JTAG, and SWD work while developing and using tools to interface with these protocols. Through interfacing with these protocols, students learn how to extract flash memory, interact with hardware-level debuggers, and modify the boot process of the target systems included in the kit

INTENDED AUDIENCE

💡
This course targets IT professionals and security researchers who want to learn more about how hardware-level debuggers work and how to approach them as a reverse engineers. Students should be familiar with the Linux command line and comfortable with a scripting language like Python. C experience is also helpful but not required. While some hardware experience will be beneficial, it is not necessary for this course.

KEY LEARNING OBJECTIVES

After participating in this course, students will have experience with the following:

  • Non-invasive hardware analysis (component identification/documentation)
  • Tracing and identifying points of interest on PCBs
  • Analyzing, instrumenting, and decoding standard embedded protocols such as SPI, UART, I2C, SWD
  • Extracting firmware over multiple interfaces
  • Unpacking/analyzing binary images
  • Reverse engineering and instrumenting hardware debug interfaces
  • Modifying, repacking, and re-flashing firmware

COURSE DETAILS

AGENDA

This course is built on practical exercises. Students will first instrument the target devices manually using Python-based tooling and pre-existing tools. An outline and task list for each module can be found below.

This course includes multiple modules, one for each protocol of interest. For each module, we will perform the following:

  • Protocol Overview and Analysis
  • Understanding and Reviewing Captured Protocol Traffic
  • Protocol Analysis from a Reverse Engineering Perspective
  • Tools for Reverse Engineering Specific Protocols
  • Practical Attacks and Applications on Provided Targets

After each protocol module, students will attack the included targets to reinforce what was learned in the analysis segment. Using this knowledge, students will perform hardware attacks on the targets included in their kits.

Module 1: Fundamentals / Tool Review

  • Review tools and equipment needed for hardware hacking
  • LAB: Calculating Voltage, Resistance and Continuity
  • Printed Circuit Board Construction and Reverse Engineering
  • LAB: Reverse Engineering PCBs in Kit
  • Component Identification and Documentation

Module 2: Universal Asynchronous Receiver Transmitter (UART)

  • UART protocol overview
  • Identify UART transactions at the signal/protocol level
  • How to identify and detect an active UART on a PCB
  • LAB: Calculate an unknown baud rate
  • LAB: Create and utilize UART analyzers in Pulseview
  • LAB: Use the Raspberry PI as a UART interface
  • TARGET EXERCISE: Discover and interface with a UART on the router

Module 3: Bootloaders and U-Boot

  • U-Boot history and overview
  • Linux boot process review and deep dive
  • Understand the U-Boot environment and console commands
  • LAB(S): Manipulate environment variables to gain access to systems
  • TARGET EXERCISE: Interface with target U-Boot Console and perform initial analysis
  • TARGET EXERCISE: Script U-Boot console interactions to extract flash data

Module 4: Serial Peripheral Interface (SPI)

  • SPI protocol overview
  • Identify SPI transactions at the signal/protocol level
  • LAB: Set up an SPI decoder with a logic analyzer
  • LAB: Manually extract SPI flash with Python
  • LAB: Extract SPI flash with flashrom
  • TARGET EXERCISE: Extract target SPI flash with flashrom

Module 5: Firmware Analysis and Dissection

  • Overview of common firmware image structure
  • Approaching a new firmware image as a reverse engineer
  • LAB: Extract segments of interest from firmware images via binwalk and dd
  • LAB: Extract components of interest from the router firmware image
  • LAB: Patch and modify router firmware image to gain advanced access

Module 6: Joint Test Action Group (JTAG)

  • JTAG specification and state machine review
  • JTAG for reverse engineers
  • TARGET EXERCISE: Enumerate and identify pins on an undocumented JTAG pinout via BYPASS and IDCODE scans
  • TARGET EXERCISE: Interface with a JTAG TAP using urJTAG and OpenOCD
  • TARGET EXERCISE: Write a custom OpenOCD config file for the target device
  • TARGET EXERCISE: Extract memory via JTAG, manually and via pre-existing tools
  • TARGET EXERCISE: Utilize JTAG to escalate privilege on a Linux-based target
  • TARGET EXERCISE: Utilize JTAG to list processes on a Linux-based target

Module 7: Serial Wire Debug (SWD)

– SWD specification and protocol overview
– SWD for reverse engineers
– TARGET EXERCISE: Identify a Serial Wire Debug interface
– TARGET EXERCISE: Write a custom OpenOCD config file for the target device
– TARGET EXERCISE: Interface with SWD via OpenOCD
– TARGET EXERCISE: Identify an unknown ARM SoC via SWD
– TARGET EXERCISE: Extract firmware via SWD
– TARGET EXERCISE: Modify and upload new firmware via SWD

Each module corresponds with a real hardware target included in the kit; targets include:

  • MIPS Travel Router
  • ARCompact 64GB SSD
  • ARM-based USB controller
  • Arcade Cabinet
  • ARM-based single-board computer

KNOWLEDGE PREREQUISITES

Students should be familiar with the Linux command line and comfortable with a scripting language like Python. C experience is also helpful but not required. While some hardware experience will be beneficial, it is not necessary for this course.

REQUIREMENTS

Hardware

  • 2 x USB Ports (minimum)
  • 32GB of RAM, if running virtual machine

Software

  • Administrator access
  • Pulseview Software
  • Saleae Software
  • The ability to configure a network interface

ABOUT THE TRAINER

Matthew began his reverse engineering career in the aftermarket automotive industry, searching for vulnerabilities in engine control units' diagnostic protocol implementations. Next, he worked at MIT Lincoln Laboratory, where he led a team focused on embedded systems analysis. While at MIT, matthew was awarded the outstanding contributor award for his technical contributions. You can find other examples of his work and teaching style on his personal blog, the VSS Research Blog and through the free Ghidra course he authored at HACKADAY.

https://twitter.com/wrongbaud
https://www.linkedin.com/in/matthew-t-alt/
https://github.com/wrongbaud
https://voidstarsec.com/blog/on-the-road