Hardware Hacking

Training Details

2-DAY TRAINING, 3-4 SEPTEMBER @ MEERVAART AMSTERDAM
TICKET PRICE: €1500 EX BTW + €250 HARDWARE KIT
After this course you will be able to take devices apart and dump the firmware from all kinds of chips. Through hands-on exercises, you will learn how to identify hidden debug interfaces, bypass password protections and gain root access on the device. You will be able to perform a power glitching attack to bypass the readout protection of protected chips. Despite the demanding content, no prerequisites are required. We leave no-one behind and learn everything from scratch. You will be able to do it. Trust me.

This course is for everyone who wants to get into IoT hacking or advance their existing skills in it.

Course Overview

Day 1:

We start with a multimeter and get familiar with the basic electrical components on a device. We talk about soldering and what to consider while doing it. We get familiar with datasheets and dive into the protocol analysis of UART, SPI and I2C. We also learn different ways to identify these interfaces on the board and use our logic analyzer to observe the signals. Sniffing the wire already reveals information about the firmware, or secrets such as a BitLocker key. We finish the day by interacting with the debug interfaces to control the device.

Day 2:

Day two is all about firmware dumping and gaining root access on a device. We start with an introduction to common storage types and how to dump uncommon ones. Students will learn methods like interrupting the bootloader, using debug interfaces or repacking the firmware to get root access on the target.

The grand finale of this day is the power glitching attack against a locked chip. Students will learn how it works and build it from scratch to extract the firmware of a protected chip. No complex setup or SDK – not even C/C++ – is required.

If you ever wanted an easy way into this topic, this is your opportunity. This course is an intense learning experience which also covers advanced topics, yet it is very beginner friendly. It is based on seven years of experience in IoT hacking and contains techniques you will profit from throughout your whole career.

Who should attend?

This is an entry-level course, but it also teaches advanced techniques that intermediate participants will profit from. No background in hardware hacking is required.

Prerequisites

Students should be familiar with basic Linux commands.

Software Requirements

An Ubuntu VM (x86/x64) containing all the necessary tools will be provided. The VM can be used with VMware Fusion and VirtualBox.

Hardware requirements

Students should bring a laptop with:

  • Admin Privileges
  • 40 GB of free disk space
  • Two free USB ports

Hardware Kit
Students are provided with a hardware kit, worth over €300, which they can keep after the training. This hardware includes:

  • Microscope
  • Multimeter
  • Opening-Kit (Screwdriver, Tweezers, etc.)
  • Raspberry Pi Pico (incl. Debugger)
  • Logic Analyzer
  • Multi-Purpose-Board (SPI / UART / I2C / etc.)
  • Router
  • ESP32 and STM32 boards
  • Cables / Clips / Resistors / MOSFET / etc.

Students also receive a digital course book, which covers all the performed attacks in depth. It can be used as a reference during the course.

Detailed Agenda

Day 1:

PCB – Board

  • Common components (Resistors, Capacitors, etc.)
  • Multilayer Board Structure
  • Probing with a Multimeter
  • Board Schematics
  • Modifications (Gaining Access to Data Lines)
  • Safeties (Shorts, Ground-Loops)

Soldering

  • Soldering Iron vs Hot Air Station
  • Required Components (Solder / Flux / Desoldering Braid, etc.)
  • Safety (Glasses / Fume Extractor / Lead vs Lead Free / etc.)
  • Tiny Soldering under a Microscope (0.3 mm)

Chips

  • Identification (Logos and Labels)
  • Package Formats (QFP / TSOP / DIP / etc.)
  • Pinout and Datasheets
  • Configuration - Modes (SPI, Pin Settings, etc.)
  • Difference between SoC and MCU
  • Decapping (Analyzing the Structure)

Protocol Analysis

  • Logic Analyzer (Hard- and Software)
  • Signal Calculations (Symbol / Baudrate / etc.)
  • Signal Sniffing with a Logic Analyzer
  • Protocol Analysis - UART, SPI and I2C
  • HydraBus Introduction (Hard- and Software)
  • Signal Interaction - Sending SPI Commands (UART / SPI / etc.)

JTAG / SWD

  • Introduction to JTAG and SWD
  • Attaching a Debugger (GDB – Proxy)

Day 2:

Firmware

  • Storage Types (eMMC / NAND / NOR / etc.)
  • Firmware Dumping (eMMC / NAND / NOR / Unknown Chips)
  • Firmware Extraction and Analysis

Gaining Root Access

  • Update Process - MitM (SSL / StartTLS / etc.)
  • Signal Interrupts (UART / Flash Read / etc.)
  • Firmware Modification (Apply Root Backdoor)
  • Bootloader – U-Boot (Environment Variables / Memory Write)
  • Software Vulnerabilities

Power Glitching

  • Read Out Protection (Datasheet)
  • How to Create a Precise Voltage Drop
  • Timing (When to Glitch)
  • Building the Circuit (Raspberry Pi Pico)
  • Glitch - Firmware Dumping (Protected Chip)

ROMAN STUEHLER

Roman has been conducting security audits for more than ten years. His interest in embedded device hacking has become his profession, and he spends most of his time and money on it. Buying new IoT devices and taking them apart has become his main weekend activity. He has a passion for firmware reversing, rebuilding custom protocols and performing power glitching attacks against locked chips. Roman has reported multiple vulnerabilities in bootloaders, web interfaces and proprietary protocols, and holds guest lectures at universities in Germany. He leads the mobile device hacking course and has provided training for the industrial and financial sectors.