
All right, well, thanks for having me, guys, and I'd just like to thank everybody who's been involved in setting up BSides Manchester and making it happen. It's really quite a pleasure to be here, and I'd also like to thank Dom and Hacker Fantastic for doing a superb talk on zero sleep. I'm this guy, I'm Steve Lord. For that I can only apologise. I have no slides, and the reason I have no slides is not because I'm unprepared. I mean, I am unprepared, not just for this talk but just in general. It's because I'm going to talk about hardware hacking, and it's a very different type of hardware hacking to, say, the talk you saw earlier. The thing I want to talk about is actually building your own hardware for hardware hacking. So it's great to pull things apart, but actually building something yourself from the ground up is quite a different way of looking at things, and you learn a lot in that process. For a lot of people the idea of building your own general-purpose computation device from scratch, with a printed circuit board and everything else, is quite scary, but in actual fact it's not that hard. In fact, I can do it, so you can do it.

I want to talk a little bit about a thing called the Minimalist Electronic Learner, or Mel. Now, the Mel is a device that I'm currently building. The goal of the Mel is to provide a general-purpose computation device with a few parts that anyone can put together. It's not exactly leading-edge technology: it's got 8K of storage space, a small amount of RAM in the order of a few bytes, but it's only got about eight parts and it's all through-hole, which means that anybody who's never soldered before can pick it up, solder it together and start using it. But this talk isn't about the Mel; this talk is really about the thing before the Mel, because the Mel is a general-purpose hardware hacking device and this is a specific application of the prototype.

Now, I have a few things with me today that I was hoping to show you, but I appear to have left some of the parts at home, so instead I'll focus on the thing I'm gonna show you, which is the HIDIOT. Now, the HIDIOT is a Human Interface Device I/O Toolkit. Imagine the Mel is kind of the finished general-purpose hardware hacking thing; the HIDIOT is a specific application of the Mel. Hopefully I've put this under that, so you should be able to see... I'll try turning that around, see if we get that right. Nope. We'll try again. Alright, so the HID I/O Toolkit is a device that is a general-purpose human interface device USB hacking tool built from the ground up. The idea is that it will simulate pretty much any low-speed USB device. It also, just by the fact of the technology that's used, happens to be completely and totally compatible with certain classes of USB device, so it's totally compatible with the Adafruit Trinket, the Digispark and the Tinusaur. So let me have a look and see if I can bring up some stuff about the components on here. No, that's not right, that's not right, that's also nothing.
Because I can't see up there, it's a bit hard for me to walk through. Okay, so up on the top of this thing, going down from the middle of the top to the right, there's a set of holes. That's mostly decorative, but it also will work as a way of expanding the HIDIOT, so if you wanted to go and interface the HIDIOT with another microcontroller, such as the ESP8266, which comes with Wi-Fi built in, so that you could create a HID device like a keyboard that could be remotely controlled over Wi-Fi, you could do it with this. At the top, next to it, you can see there's a row of eight silver things with a black thing in the middle. That is the core of both the HIDIOT and the Mel, and that is the ATtiny85. Now, the ATtiny85 is a microcontroller made by Atmel, and that's partly where the name Mel comes from; the other part of the name comes from my grandmother's initials. Below that we have, I think... we've got a... I'll have to check, my eyesight's not that good, I was out drinking with Dom last night. I've got a couple of diodes there, Zener diodes, which I'll talk about in a minute. I've got a capacitor, another diode, another capacitor. On the bottom we've got a row of resistors, and then right at the end we've got LED one and two. LED two is just a power light; LED one is a user-programmable light. So again, when starting to play around with USB you may find that you want to get some sort of feedback in the hardware, and the whole point of that LED one is to provide a way of providing that feedback. All of this stuff is pretty cheap, though. If I was ever to release this as a final product it would probably retail at about five pounds; however, it's going to be given away for free at 44CON.

So let me start with the breadboard prototype. So when you're designing a circuit... has anybody here ever designed hardware before? Awesome, guys. So when you're designing a circuit, what you'll commonly find is that there's a type of prototyping called breadboarding, which looks something like this, and this was my very first implementation of the Mel. You can see there's a couple of Zeners, there's a couple of resistors, there's the chip and there's a little USB connector. Now, USB as a standard is a steaming pile of dog turd from an electrical perspective. It's a royal pain in the backside compared to other buses; it's like the red-headed stepchild, and the reason for this is that the voltage fluctuates, the current fluctuates, it's a nightmare. So when you have a circuit and you want to interface over USB you have to regulate current, voltage, all kinds of things. There's the right way to do this, which would be to use something like a linear switching regulator that will provide you with a voltage, and then there's the cheap way to do it, which is to take a couple of Zener diodes and drop everything down to 3.6 volts. The cheaper way still is to go and get some red LEDs and use them as diodes to go and replace the Zeners, to have a forward drop of about 2.2 volts out of the 5 volts coming in. That presents a whole bunch of problems, many of which I encountered, and that's why there aren't two LEDs there. I wanted to try and make the parts for the Mel as few as possible. I really wanted it to be something that anybody can put together in about 20 minutes, and I tried to get away with not using as much kit as I could. So the Zeners are needed, otherwise you run the risk of frying the USB host. Then you need a third diode on the VCC pin to stop frying the USB host. Many USB hubs gave their lives for this project. Not shown here are a pair of capacitors which you also need for smoothing out current and voltage fluctuations; without that you run the risk of nuking the board. Many ATtiny chips also sacrificed their lives.

But when it came to actually building the PCB...
When it came to actually building the PCB, there's a different story. I learned from my mistakes and, most importantly, learned how to create new ones. Has anybody here ever used a thing called KiCad? Yeah, you poor, poor souls. I tried, but the learning curve is just... it was getting in the way of actually doing stuff in a reasonable time frame. That's not a good prize. Let me see if I can... there we go. Let's start with a schematic. Showing? In fact, yeah, there we go. So this is a design schematic, and for anybody who's never seen one of these before, this is basically a way of saying how the board is pinned together.

Anyone here believe in magic? You should believe in magic, because we live in a world where things think using poisons and tell the time by vibrating crystals. So what we have in here is we've got our smoothing capacitors that weren't on the breadboard, which caused no end of problems with things just going pop, and not in a good way. We have our USB over at the top there, and what the USB does is... you can see we've got our ground, which is the ground signal, we have a 5 volt, which is VCC, and there's a diode to stop things from going back in. We have a USB M and USB P. Now, they're commonly referred to as D plus and D minus, but many people who've built similar boards refer to them as M and P, so I thought I'd go with the convention for this sort of board. You've got the two Zeners which go to ground, and again that's to stop stuff from going where it shouldn't and to smooth things out. We've got two resistors to work on smoothing some other bits out and just keeping things calm. We hit the ATtiny, which does all of our hard work, and then we have, coming out from the pins, LED one and LED two, with current-limiting resistors on the way. And then, when it comes to it, we have... if I switch to the board view, there we go, then we have the board.

The goal is to make something that you can fit in a credit card slot on the wallet. Unfortunately, because of the capacitors that I'm using, when you assemble it it's probably not going to work well in your wallet, but it's still a nifty little size and it's very much a work in progress. Now, what we have to do from that schematic to the board is we have to lay all the parts on the board, and then we have to wire the parts together, and the way that we wire these things together is we put tracks on the board. So you can see that we have this card edge here, and the reason that we have the USB PCB connector on the card is that it saves about two pounds, between twenty pence and two pounds depending on how you look at it, but that connects the USB. You can see that there's lines coming down that go into the different components on the board, and ultimately you've got this six-pin header at the top, which will be replaced with an eight-pin header, hopefully, for the final version. I made the big mistake of not documenting which pin is which, which is, yeah, it's a bit crap really. Because we're connecting directly to the USB connector, the board has to be an unusual thickness: it has to be 2.54 millimetres thick, or, as my American friends would call it, nought point one of an inch. The strip of vias can be used to go and put your own things in if you want, but I'm unsure as to whether or not they're going to be useful, as they'll be bound to earth on the other side. There's also a risk that the solder mask will corrode over time where the PCB connector is, so as you put things in and out, things will start to fall apart. I'm not really selling this very well, but basically, as well, because we're doing this on the board, what will happen is if you plug this directly into a computer, a lot of the time it won't work, and that's because, again, USB is a steaming pile of donkey turd. It's really a ghetto bus. Because this is a gross abuse of the specs, but also a lot of USB ports on devices are actually not standard: MacBooks, for example, have far more recessed ports than they should, so when this gets plugged into a Mac the contacts don't actually reach where they should. So the way around this is to use a USB extension cable, and again it's more for testing than for general-purpose actual evil things. So, as on Blue Peter, here's one I made earlier. Let me show you how it's programmed.
Right, so there are several things that we need to do to get this to work and to actually start hacking USB with it. The first thing that we need to do is go and install the Arduino IDE. The second thing is we need to go and add support for the Digispark, because this is in Digispark mode. We need to create an in-system programmer, which is just a simple SPI-type circuit that we can flash a bootloader with. We need to then write our code, possibly drink some tea, swear at the code, make it compile, and then we can upload it and have some happy HID fun and games. So I'll just show you how to set this up. Me being out there, okay. So all we do is we go into Preferences, and there's a set of URLs for additional boards, and we want to add the Digistump URL, which you can see here. Then all we need to do is go to the Board Manager and install the Digistump support, and from that point on we can program this as a Digispark. Now, in order to make this work as a Trinket you have to install the Trinket bootloader; in order to make it work as the Digispark we have to install a Digispark bootloader. Digispark uses a common bootloader called micronucleus, and I will show you how to install micronucleus. There we go, okay. So we've got a hex file, and then what we use is a tool called avrdude. We use the in-system circuit programming from... well, to basically flash the bootloader on, and then we can start uploading to it as though it's an almost normal Arduino.

In order to get this up and running I'll just switch over. Let's build an ISP circuit. Now, there are two ways we can do this: we can use a proper ISP programmer or we can use an Arduino. I have lots of Arduinos, so I don't mind killing them. I'm just going to show you what that circuit looks like and what these ATtinys look like. Hopefully... yep, okay. Fortunately, unfortunately, you can't really see the text that says what the chips are, but on each of these chips there's a little circle on one side, and that signifies pin zero or pin one, depending on how you count. Just move over to here, get down at one point one, yeah. So you've got pin one, in AVR parlance, in the top left, and that contains the... okay, yeah, that's the reset pin. Then we have pin four... so I guess if we start from the top left, yep, so if you look at the top left there you can see pin 1, pin 4, which is the ground, pin 5, which is on the bottom right, which is PB0. A lot of people who use an AVR will refer to this as pin 0, but on the physical layout it's pin 5. So, cool, I'm just gonna refer to it as PB0, PB1 going up, and PB2, and then VCC at the top right, so anti-clockwise. It's a simple circuit to set up, it's reasonably well documented, and then all you need to do, when you're ready, is just straighten the legs out on this bad boy [Music] and we just pop our chip on the board. Yep, so we've got the chip on the board, you see the legs match up, make sure it's the right way around. Looks like nothing's gonna go zap. Fingers crossed, no smoke, we're winning. Okay, right, so I'm gonna cheat a little bit by looking at my history, and then switch back over. All right, let me embiggen this for you. All right, so this friendly-looking command line is all you need to flash the bootloader.

There we go, and basically I'll just walk through what that's doing. So effectively we're saying that we're going to run avrdude, which is a programming tool, with a specific conf file, lots of verbosity, we're programming an ATtiny85 chip, we are going to use this particular serial port, we want to set a baud rate of 19200 baud, and then we're going to set these fuse values, and then we're going to upload the micronucleus bootloader. Now, the fuse values: there are three fuses that you need to set on an AVR. There's the low fuse, high fuse and extended fuse, and they configure the AVR microcontroller. So the Digispark has one set of fuse settings, Trinket has another; if you're programming a raw ATtiny you'll set your own based on what you need. What we're setting is low fuse 0xC1, high fuse 0xDD, efuse 0xFE, and in English what that means is that we're setting the brownout detection to brown out at 2.7 volts, we're enabling SPI-based download, which we need in order to upload the bootloader, we are enabling self-programming, which means that the chip can be rewritten again and again, we're disabling reset, so we lose a pin in the process but it allows us to reprogram over USB, and then we're going to set the internal PLL clock to run at 16.5 megahertz. So if I run this, and the demo gods are smiling... all right, lots of stuff flashing up on the screen, and what that's doing is it's uploading the micronucleus hex and setting the fuses to the values that we need.

So if we were going to do something in the wild with this, let's say a practical application, and this would be: you want to create a device to go and do HID attacks, but the Mel's quite large, so you want a smaller thing. You can recreate that circuit, and all of this is going to be publicly available, and create a smaller board that fits the format that you want. You can then go and set the fuses so that the hidden text can't be reprogrammed and can't be read from the chip, so no one could pull the chip out and see what was actually on there. I mean, hypothetically they could, but without scraping the top off and photographing the die and doing some weird and wacky things, it's not going to happen. So now that we've got the fuses on, let's see if we can get a basic blinker chip working. So I switch this bit off here, and I think I need to switch back over.
Pull this out. Now, if I put this here, can anyone see the notch about there on the DIPs? So if you can't, that basically tells you which way up the chip is meant to be, so you want that notch on the top right. Let me see if I can make this a bit bigger for you. No, I guess not, but basically we want the notch on the top right to go in. I'm doing this with my hands, which you shouldn't really do, but these chips are about 50 pence each, so if it goes wrong just get another one. Alright, so now we've got our chip back in and it's the right way up. I'll then go and get this, there we go, okay. Now I've got my USB plugged in, the next thing to do is... I'm just going to bring up a Windows VM. All right, flipped back over. Okay, let's see if I can zoom in on the code. I might not be able to... no, so I'm sorry, Darren. Alright, okay, thanks, this is font size 16. There we go. So this is a piece of code from the Digispark, and the basic premise of running this is that if a piece of code written specifically for the Digispark works, then we know that the board is working in Digispark mode. What this does is it basically blinks, so it puts the LED on for a thousand milliseconds and then off for a thousand milliseconds, and in the hardware world this is pretty much hello world, so it's not really going to be a very impressive demo, possibly less if it doesn't work, but it is going to be a demo. So I'm going to flip this back over to the hardware, because you don't really need me to... just hit compile, burn, and then here it's going to tell me to connect the device, so now I flip the power on here, and there we go, it's going to start, and we can see the blinking. It's not as impressive as a hash prompt, maybe, but, you know, it's a start.
So now that we've got the blinking up and running, let's see if we can do something interesting with it. So USB HID devices work on the basis of having a particular type of... at the software level there's a Human Interface Device profile, or class, and there are different subclasses of device. The most commonly used device classes are keyboard and mouse, but there are also things like joystick, there are also things like tablet, there are also things like MIDI, and the way that they work is you define what types of USB report are going to be sent between the host and the guest, and then you create a communication protocol for that. Part of the reason to build this is to give people at 44CON something very quick and easy that they can start doing, you know, keyboard attacks with, but also to encourage people to try and do things that are a little more wacky. So, for example, it would be perfectly feasible to go and take one of these and turn it into a USB fuzzer for a particular subclass of profiles. Something that I did on Wednesday was just to iterate through several things, and then my Windows 10 just went and borked. So there's probably something interesting there; what, I don't know, but being able to go and send those duff reports and corrupt reports allows you to go and test the drivers on the host and the implementation on the host. I wrote a thing a while ago to brute-force safes, because I was staying in a hotel where somebody foolishly had a USB port on the outside of the safe, and lo and behold, when I connected a keyboard to it and typed in numbers the numbers came up, so I just wrote a four-digit brute-forcer for it, and, you know, it ran while I went down to the bar for a beer, and a few hours later I came back and forgot about it, woke up the next morning and the safe was... or not. But let's see if we can get something a little more interesting going on, and we'll just demo a basic, very simple, very stupid HID attack. Switch that off there, as we're not gonna use blinking lights. I'll switch back and go. Alright, okay, so when I hit upload, what it will do is it will compile and then it will upload. Now, because of the way the micronucleus bootloader works and because of the way the fuses are set, when you power this thing up there's a five-second delay before it will do something, and in that five seconds it's waiting for stuff to be uploaded, and the reason for this is that, while the ATtiny has the ability to impersonate any protocol at all, it does not come with hardware serial support. You can implement software serial, but there's no actual hardware UART on there. So I'm gonna hit compile and put this in, and I don't think you'll be able to see it, but it's saying "Running Digispark uploader, plug in device now", so we'll switch this on, connect to Mac.
It's already... let me just pause that for a moment. All right, that's uploaded now, which is great, so now I'll switch back over to the VM. I'll just go... It's not that I don't trust the Wi-Fi in here, or any of you guys, it's just that this is a place of wretched villainy, and... okay, no, no, I really don't want to do that. Okay, just have a quick check to make sure that tinsel networks. Okay, oh, it's something that all works there. Alright, so we'll switch this on now and connect to Windows. Okay, I think that's gonna take its time.
[Laughter] Okay, it wants to play an advert first. Screw you, YouTube. All right, so there you go: not just for people pulling things apart. So now that we're no strangers to hardware hacking, you know the rules and so do I. What are the obvious things to do? Has anybody here ever heard of PowerSploit or the PowerShell Mafia stuff? So the obvious thing would be to go and take the PowerShell Mafia GitHub, stick it up on a server somewhere and write a HID payload that will then automatically use PowerShell to download, say, something like the Invoke-Shellcode function over IEX DownloadString, and then Invoke-Shellcode to go and set up a Meterpreter and then go back. I was planning on getting that done, but instead I went out on the beer last night, but you can do it, it's not hard; it's the same sort of thing that you do with the USB Rubber Ducky. At 44CON I'm hoping that what we'll be able to do is... there's some code that's particularly shonky that I'm writing that will allow you to translate Ducky scripts into Digispark code, so you can just go "all my Ducky script stuff", drop that on there, to get you up and running. The whole point of this is just to get you something that works in, you know, under 20 minutes, and allows you to start with hardware hacking, where you can say "actually, I put this thing together, I soldered it all myself, there's nothing special to this stuff", and then to start exploring with other HID things and seeing if you can do things that maybe, perhaps, bring up something like Paint and draw a logo of whatever your favourite thing is, or just, you know, penises or something, whatever, but to basically have a play with HID systems and have a bit of fun with it. Basically we're going to give these away at 44CON, and then we'll open-source all of the hardware and all the software, so if you're not able to come to 44CON you'll be able to go and build your own and get your own made somewhere like OSH Park or Ragworm. And if you are coming along to 44CON we'll be able to go and give you all of the stuff and all of the bits to put it together, and if we can find the space we're going to run some workshops as well to assemble these and do some things with them. So that's pretty much the entire thing for me. So, yeah, I really went and printed out code listings that I was putting in anyway. So I don't... anything else? Are there any questions?

Not at the moment, and not that version. So after 44CON there will probably be changes to it, and once I've got a bit more code for it I plan to go and make them available generally for sale next year, and it will probably be in v2, for the ten-pound bracket, which I know is a big investment to make, but I'm trying to build something that will be a more general-purpose computing device, with this as the prototype for that. Realistically it's more about getting feedback on it. I want to make sure that there's a full set of software and instructions before I just start selling these things, because otherwise people are just gonna stick them in drawers. I'd rather let people stick well-documented things in drawers, like Raspberry Pis, than things that were not supported. Any other questions? Gentleman over there.
So the Digispark has a set of functions which I can show you here, so you can see this DigiKeyboard, and it's just a really easy way of not having to write your own keyboard library. If you wanted to go and use this to do other things you might find that the Trinket firmware is better, particularly if you want to interface with things like NeoPixels or things that are developed by Adafruit, but then you're potentially going to have to use a different keyboard library if you want to do keyboard stuff. I mean, to think of it in terms of the non-security stuff you can do: you could plug a thermometer into this and you could have it go and communicate over USB and, you know, literally write an email and send it to you telling you what the temperature is, or, you know, have it like Moss from The IT Crowd: when the temperature goes over a certain level, send me an email saying "fire, exclamation mark, fire, exclamation mark". Any other things? Okay, any other questions?

Sorry, I can't... All right, sorry, gentleman over there.

Yes, yeah, so the actual Digispark is cheaper, but it's all surface mount, and you can get cheap Chinese versions of it for about, in the order of, around a pound, but you don't solder it yourself, you don't flash your own bootloader, you don't do all the learning stuff. So for the basic HID attack stuff that's great, that fits in a thumb drive brilliantly, but you've still got that USB PCB bit on the end. The thing about this is that if you build a HID circuit with this, and because all the components are freely available, if you want to build your own thumb drive, if you're okay with using something like Eagle or a bit of KiCad, you could go and design your own PCB that will fit in there, and most people have already done this with similar types of boards. You can program everything on this and then just pull the chip out, put it into the other circuit, and it should all work fine. All right, um, any other questions before I step away and let the next person talk? All right. [Applause]
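The avrdude fuse step the talk walks through, as an added example that is not the speaker's code or the HIDIOT project's: a decoder that pulls the `-U <mem>:w:<value>:m` writes out of an avrdude command line and translates the ATtiny85 fuse and lock bits into plain English, so a fuse line can be checked before it is burned. It uses the fuse bytes as transcribed in the talk (low 0xC1, high 0xDD, extended 0xFE); the programmer id, serial port and hex file name in the constructed command line are placeholders.

```python
"""Decode the ATtiny85 fuse and lock bytes that an avrdude command line writes."""
import re
import shlex

# CKSEL3..0 clock-source encodings from the ATtiny85 datasheet.
CLOCK_SOURCES = {
    0b0000: "external clock",
    0b0001: "internal PLL (16 MHz nominal)",
    0b0010: "calibrated internal RC oscillator (8 MHz)",
    0b0100: "internal 128 kHz oscillator",
    0b0110: "low-frequency crystal",
}
# BODLEVEL2..0 brown-out detection thresholds.
BOD_LEVELS = {0b111: "disabled", 0b110: "1.8 V", 0b101: "2.7 V", 0b100: "4.3 V"}
# Lock byte modes (LB2, LB1): readback protection for code on the chip.
LOCK_MODES = {
    0b11: "no lock",
    0b10: "further programming disabled",
    0b00: "further programming and verification disabled",
}


def bit_programmed(value, bit):
    """AVR fuse/lock bits are 'programmed' (active) when they read as 0."""
    return ((value >> bit) & 1) == 0


def decode_lfuse(v):
    cksel = v & 0x0F
    return {
        "clock_source": CLOCK_SOURCES.get(cksel, "crystal/resonator (CKSEL=%s)" % bin(cksel)),
        "divide_clock_by_8": bit_programmed(v, 7),  # CKDIV8
        "clock_output_on_pin": bit_programmed(v, 6),  # CKOUT
        "start_up_time_bits": (v >> 4) & 0x3,  # SUT1..0
    }


def decode_hfuse(v):
    return {
        "reset_pin_disabled": bit_programmed(v, 7),  # RSTDISBL: PB5 becomes I/O
        "debugwire_enabled": bit_programmed(v, 6),  # DWEN
        "spi_programming_enabled": bit_programmed(v, 5),  # SPIEN: ISP uploads allowed
        "watchdog_always_on": bit_programmed(v, 4),  # WDTON
        "eeprom_preserved_on_erase": bit_programmed(v, 3),  # EESAVE
        "brownout_level": BOD_LEVELS[v & 0x7],  # BODLEVEL2..0
    }


def decode_efuse(v):
    return {"self_programming_enabled": bit_programmed(v, 0)}  # SELFPRGEN: bootloader can rewrite flash


def decode_lock(v):
    return {"lock_mode": LOCK_MODES.get(v & 0x3, "reserved")}


DECODERS = {"lfuse": decode_lfuse, "hfuse": decode_hfuse, "efuse": decode_efuse, "lock": decode_lock}


def decode_avrdude_command(cmdline):
    """Return {memory: decoded dict} for every -U <mem>:w:<hex>:m write in the command line."""
    args = shlex.split(cmdline)
    result = {}
    for i, arg in enumerate(args):
        if arg != "-U" or i + 1 >= len(args):
            continue
        m = re.fullmatch(r"(lfuse|hfuse|efuse|lock):w:(0x[0-9a-fA-F]{2}):m", args[i + 1])
        if m:  # flash:w:... and other memories are left alone
            result[m.group(1)] = DECODERS[m.group(1)](int(m.group(2), 16))
    return result


# Constructed command line modelled on the talk's avrdude invocation (programmer, port
# and hex file are placeholders); the fuse bytes are the values as transcribed.
EXAMPLE_CMD = ("avrdude -c stk500v1 -v -p attiny85 -P /dev/ttyUSB0 -b 19200 "
               "-U lfuse:w:0xc1:m -U hfuse:w:0xdd:m -U efuse:w:0xfe:m "
               "-U flash:w:micronucleus.hex:i")

if __name__ == "__main__":
    for mem, fields in decode_avrdude_command(EXAMPLE_CMD).items():
        print(mem, fields)
```

The decoder reads RSTDISBL (high-fuse bit 7) directly, so it reports whether a given value really disables the reset pin: 0xDD leaves it enabled, while 0x5D clears bit 7. The lock byte covers the readback protection the talk mentions: 0xFC disables both further programming and verification.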