Hardware Basics - why and how to break hardware

hello is that mic working perfect okay so my name is Kieran I'm from NCC group and talk about hardware basics why and how to break hardware so we're gonna quickly we've only got a small 25-minute slot so we're gonna cover why brake hardware doesn't really focus why software people should brake hardware so this talk is mostly focused towards people who've never really dealt with hardware at all if you're a hardware person probably you're not going to anything but yeah we'll see so we're gonna cover tools specifically things in your hands versus tools that we software people normally think of we're going to specifically cover how to get a serial connection on some sort of like IOT device or similar the intention

here is that if you leave this room you should be able to take a device break out of the case and find and connect to a serial connection and if you can take that away from here you're good to go one of the biggest problems with hardware is that a lot of the stuff that's research so that the bigger boys have done getting to that level is it's virtually impossible and it's it's hard to find baby steps in hardware and there's tons of guides how to learn to do web apps and stuff with hardware you tend to have electrical engineering like learning about resistors and logic gates which is kind of super basic and then

there's jumping straight into way and topics but it's hard to find a middle ground so you can leave here and you can do a serial connection great we're gonna briefly cover firmware and J tagging and side-channel stuff we don't have time to do proper dives on this stuff but we've only got a small slot so if you're going to kind of give these other topics a bit of a tickle hopefully you guys will be so excited about that you'll go away and do a bit more learning on this on those things so my background is a potato add five years ish pentesting because over five years mostly a webapp infested guy pointing this slide is to point out that

I'm not Hardware like I came from a normal pen testing background and I still suck at hardware but I'm getting better at it so in the wise words of Jake the dog sucking if somebody is the first step towards being kind of good at something I'm CTL if you're not from the UK that won't mean much to you but that's fine so why break hardware specifically why should not hardware people learn about breaking hardware IOT is everywhere devices are coming thick and fast and we know that they're not very good like the api's generally and not locked down very well and there's all sorts of bugs to be found it's not just a software side

that's going wrong a lot of these vendors they're new to this stuff and they're making basic mistakes a lot of vendors who know about hardware are not making mistakes anymore but now we have all these new devices coming on the market there's all sorts of problems as a target-rich environment the main point for having a non Hardware people learn about hardware is the fact that you can effectively turn what is a blackbox assessment into a white box by which if you have a root shell you can pull down binaries and you can get like the web Apple something you can pull it straight down and analyze it offline versus trying to bash your head against

whatever the target is a lot of the heavy lifting has been done by Hardware people who as soon as they get a root shell they're done like that's the hardware things get a root shell hey I'm finish whereas a software people once they have a root shell they have access to the vise and most people are scared of it which means that there are fewer people doing it that sounds great but hardware is expensive it's kind of a myth getting into hardware is not expensive you only really need a multimeter USB TTL is a USB serial converter one of these guys you can pick these up on on eBay for like five bucks a soldering iron and some some wires and

jumper cables breadboard would be handy but you can get cracking for twenty to fifty bucks twenty to fifty bucks is not going to buy you good equipment let's make that clear but if you're just starting out that's that's fine we don't need good equipment yet there are all these really cool shiny tools that everyone wants to talk about and these are cool shiny tools but you don't need to dive in and buy this stuff straight away and if you have a use for them there's no real reason to just diving by these straight away the one sort of exception is logic analyzer I'm here there are two by a logic analyzer you're looking at maybe 100 bucks plus from a

proper vendor hypothetically it may or may not be possible to download the software from the logic analyzers from a reputable vendor and then by a Chinese knockoff which would put the logic analyzer back in this slide but I can't confirm or deny whether that will be feasible or whether that would work FPGA is a really cool tool it allows you to effectively build your own tools and field programmable gate array we're going to talk very briefly later on so serial connections let's dive straight in so serial connections are all sorts of things everywhere they're used by embedded developers to debug their their board when they're when they're being when they're being made and so we can do

exactly the same thing can provide you access to a bootloader and it allows you to view the boot process as it happens which can then give you some clues later on which hopefully at the end of it will give you an interactive shell so we're going to specifically talk about the you are universal asynchronous receiver transmitter Universal is obvious it works on all sorts of chips asynchronous just means there's no external clock you don't know what that means doesn't really matter receiver transmitter means that there's two-way communication so that you can use a individual transmit pin an individual receive pin essentially it allows the the chip receiving all of its information in parallel and it just

allows you to access that across one wire and effectively just allows us to talk to the vibe and through the device so the finder you our first stop is just gonna be crack up in the case which causes problems about half an hour ago when I got the lid stuck on here and you're gonna look at the thing you're gonna be looking for probably four pins in a line there's no guarantees manufacturers do weird stuff sometimes the you are isn't nicely laid out for you but yeah hopefully you're gonna have four pins in a line so this is the device it's just like a travel router well I have lying around that was going to be like a poor man's Wi-Fi pineapple

and ended up not becoming anything so lying around so I'm here you're gonna look at this this is this so I got a bit lucky here this was like my first try at pulling stuff apart and there's a you up what right there all what looks like a uart port right there you know four nice pins laid out and yeah so that's a pretty good indication that's probably the kind of thing we're looking for so from here we're going to work on the assumption that that is exactly what we're looking for we need to work out which of these four pins is what so you can do this again like this at the point of this talk is that you

can do a lot of this stuff on a budget so the proper way of doing is working out these pins is with a logic analyzer but if you don't have one there's a kind of ghetto way of doing it with a multimeter so you stick your multimeter to continuity mode or its continuity saying and then effectively what it does is when there when the circuit is complete you get a beep so you're gonna take one probe and pop it on a ground somewhere like a shield on this device and then you're gonna put pointing the other probe and poke it in in the holes and when you get a beep that's the ground a quick kind of guide it's C the

third pin so P one is labeled so we p1 at the top and the third pin has kind of a cross on it on the slide it reads the scene real life it's much harder if you can see that on a pin that's going to be your ground but check anyway so once you've got your ground you're gonna plug the device in turn it on and then you're gonna using your multimeter on a voltage thing you're gonna stick one probe in the ground either the one you just found or the shield doesn't really matter and you're gonna probe the others whichever one is running at the voltage of the device is the one you want so

probably three point three but doesn't necessarily have to be so the transmit pin is transmitting data so any digital signal is going to be a nice square Sigma right where the the traffic can is turning off and on it's going from 1 to 0 which means it's going from three point three down to zero and three point three to zero which on your multimeter is going to give you an average voltage of something like one point there in two point five volts depending how much data is coming out the thing Rx is sometimes slightly harder to to work out because vendors do slightly weird things so on this particular device when TX goes low so when the the on the

trailing edge of the the the signal Rx goes high very very briefly which i think is a Gore is a grounding issue but I bought went and bought another one of these because I thought maybe as my device and they both do it so maybe the ground gives you with the device I don't know if you've got logic analyzers going to make it super easy again your Rx isn't necessarily going to be easy to to work out with the TX is gonna have a nice square signal depending on their turn them on how much date was coming up with time you can also look at the data sheet of the the chip and follow the

lines for which pin at which if these handy tip here I've actually had another handy tip from this fine gentleman a blue t-shirt sometimes these pins are full of solder when you get when you get the board don't try and disorder them you can drill them out or melt the solder and use a D solder vacuum-pump thing to pull the solder up because if you try and melt all the soda just kind of melt your board have a bad time okay so connected the UART so we have a quick video not this one

okay I know how sit well helpful mouth okay so we're just going to screen command tell it which device we're pointing at that is this USB serial converter and you're going to have your TX pin on here wire to the RX pin on the device and vice versa then we're going to set the board rate which kind of flash away pretty quickly but so the board rate is just the this frequency the speed at which you're going to speak to the device there are a few different baud rates that's probably the most common there are tools out there that all like board board finders where I'll try and brute force if you get the wrong baud rate you'll just get

garbled output nothing nothing bad is going to happen so see here where it says at the bottom root auto booting one second that's relevant later we'll come back to that so all this kind of garbage comes spitting out I said sometimes you get Clues here about another way to if this isn't easy for you if you don't get dropped into a shell sometimes you're looking through the output here can give you some clues of how you might be able to it's a break the thing so if you're lucky you'll get drop straight into a root shell in this instance that isn't the case you get a login prompt I started writing a serial brute poster

for this and then I found that you the creds are online and the a lot of vendors use the same creds across across everything so once you've got a vendors creds often they'll be they'll be used across all their devices so from here you can kind of check what you've got a stripped-down shell here it's not like a full Linux distro but we have access to TFTP in a second and so you've got a method to pull files off and do whatever whatever else you want to do there's CFPB other one so yeah that's great we win okay the the slides are here by the way just so that this still makes sense without the videos so yeah if you're

lucky you'll get a root shell hooking it maybe not so that's great we've got a shell you can hopefully go do this and you were really inspired to all the other things so firmware to get a hands on phone we've got a few different options you boot is one potential way of getting access that pot work we're saying or doing in one second a lot of a lot of the time is possible from there to boot into a new boot console there's a you boot talk like just before here they're probably discussed this way better than I do so if you hit the Escape key you potentially get dropped into UV or some other commodity for this particular

device the TPL because it's tp-link device I think they had like a glitching technique to to skip that and their son yeah another way to grab firmware is via a JTAG so again it's another hardware debug point that's potentially accessible provides access to the firmware but it does all sorts of other cool things which is why it's on on device so for example it's possible to do like a border scan to make sure each of the pins are chip they're soldered correctly you can also physically remove the flash chip so this has kind of been order of difficulty here and there's also a few other like crazy ways of doing this but again baby steps and once

you've got the phone where you can reverse engineer it that's like way outside the scope of this talk so yeah finding the thing back to looking looking on the board again you're probably looking for a 2 by 5 or 2 by 10 pin array and if I just do weird stuff here and sometimes you don't actually have access to the pins at all they're they're not in a nice array head so the perfect example I said manufactures do weird stuff you're probably looking for X&Y this isn't a 2 by 5 or 2 by 10 it's 2 by 6 but anyway the pins you're looking for RTD RI t do TC k and TMS there is no handy dandy way of working

these out with a multimeter or anything so you're gonna be looking probably for like a jtagulator is gonna be your best bet to determine which one is which however you can read the datasheet and work out and on the datasheet it will tell you which pin is which and then you can just hopefully just trace the lines back and work out where they go even if you don't have a handy pin out here often you may have seen PCBs with wires soldered seemingly randomly to the board if you can just follow the trace from the pin to where it goes on the board then you can just solder straight on top of that onto the onto the tray

using some super fine wire like speaker wire or something is is the best thing so that's JTAG on firmware like I said we don't have time to do it properly but there we are so side channel is all about thinking outside the box with my handy visual demonstration where you have to join up all the dots using only four lines and the only way to do it is to go outside the box so split mostly into two categories you can see lots of different ways when I prefer to split is passive and active so passive you're measuring something probably even with passive stuff you're gonna have to physically interact with the boy gonna have to make

changes to the board but you're not changing anything on the chip as it's happening you're just measuring certain things and then you've got active side channels that's where you're physically making changes to the chip as it's running so maybe you can like again a lot of this stuff are really high level stuff that are like crazy legit crypto analysis stuff but the point here is that they don't have to be a lot of these stuff aren't necessarily out of the reach of people were just starting to learn about this stuff so timing attacks you're gonna analyze the time take theat a task like I said this is useful like genuine crypto attacks but it can also

be used against like a bad password or PIN and implementation we're gonna measure the time delay between the policy would you give it and the response say now you've got the wrong password or the wrong pin or whatever so I actually half consider bringing a safe to demonstrate this but it wasn't logistically feasible so it's basically just a a fancy blue post attack so here we have a giant diagram where you can imagine this is some sort of string compare function on it on a pin code where it checks each character in turn so if you get the first character wrong you get thrown out straight away if you get the first three right and you get to

the fourth character you've gone through more code so there's more time there's more code to go through which takes longer and so if you can measure that accurately enough using something like an FPGA potentially you can infer data back so in this example the pin on the target is let's say one two three four so you send 0 0 0 0 and you get a response back 59 so that doesn't tell you anything you've got only one data point so then we try one more on one and then we get a reply back in 70 which means we've got something right we don't know whether we've got one or four right at this point so we'll try one two one zero zero

zero and we get back in the same time which tells us okay we're going to got one right because it's it matches then we try one two zero zero what I mean and again we this point we still don't really know whether we've got two three or four right or a number for X we've got I think correct but we we can infer that probably we've only got the first two because the time delay is very similar your time delays probably aren't going to line up that neatly in real life but it's just a kind of a quick example so glitching or fault injection it's the same thing depending who you who you speak to who you learned it from

we're going to tamper with the chip potentially for skipped instructions this technique can also be used to like zero out registers and things like that with like very precise e/m that's again that's that's like high-end stuff but you can kind of make this work with on a budget so this example is going to work with the FPGA that I have here that it was like 25 maybe 30 bucks or something using the open-source ice storm tool chain so manufacturers will go out of their way to try and stop accidental glitching with voltages you getting you're probably gonna have to make modifications to the the board or potentially just lift the pin and access it directly because they need

manufacturers know that messing with voltage is going to mess with that chip so they'll try and stop natural e/m or whatever else that could cause problems so you're gonna have to undo a lot of that work to make this work in real life and yeah this is probably gonna require a lot of trial error so this is a very quick POC that a friend of mine named mr. Dean jerk helped me put together

so on on the right is just an Arduino so there's a an Arduino chip with the ant mega check off the board and on the Arduino and then you just run jumper cables from the chip to the board so this is still connected but you then have access to interrupt with the power line on the ground line or whatever so on the left is just a quick sketch that's doing some basic maths because at this point we didn't really know how the glitching is going to work and then it just outputs the the APIs for serial on the right on the right there so that just kind of carries on for a little while and then we're gonna blow up

quickly and the the FPGA at this point is driving another transistor on on a separate board I'll show you the vera log in a second but so when you run the big glitch binary it uploads that code to the FPGA and so what that will do is periodically cut the power to the to the ground line which we've intercepted which will then effectively turn the the so that's the the vera log which will turn the power off to the chip very quickly but not quick enough that the power dies it so it doesn't die it just messes up what it's doing at that point so very briefly this is Vera log which is a it's not a coding language it's

more of a hardware description language so essentially all it's doing is creating a counter and then cutting the power for the quick situation which is fine at 75 so it's just 75 cycles of the of the countess and nothing actually happens here for quite a while this method is obviously a pretty rubbish way of doing things because you have no control over when your glitch is going to happen and if you have some sort of trigger mechanism which is what the chip which were is like perfect for be honest but again chip whispers expensive device this proves that you can make glitching work on on a budget and so at the bottom that is just kind

of gradually updating well the hell's my mouse there is you fast forward a bit this is gonna be such an anticlimax ready here it comes this is what I did want to do a live demo because this is complete off more often than not this will just break the it would just break the device in order to stop transmitting at all that it definitely does it there we go so here it's mess with the counter and then it carries on which is exactly the kind of thing we want we don't we don't kill the device we just want to make it do something and in this instance we have virtually no control over what it

actually does it's unfortunate but it's a basic example that proves glitching can work on cheap cheap devices on the owner on a budget okay so on that instance we're gonna we're going to assume that the previous example with the timing that's pretty easy to defeat that you just add in instead of checking individual string each character individually you check the entire string together all you hash it or you do something like that in that instance something like glitching will be perfect because because potentially we can skip that check and jump straight to the do the thing if we can skip that instruction time it correctly then we can jump in in a way we go

so to summarize getting started is relatively easy it's not as complicated as you think there are baby steps you can do to kind of jump in there's a whole bunch of resources out there to help but they are harder to find them for say like web app testing or whatever open wrt are a bunch of folks who like hell bent on getting open source firmware on every single thing in the whole wide world and exploit ears are a bunch of guys who've done some crazy Def Con talks but a lot of their guides on the wiki quite easy to follow and it's fun and there's bugs so yeah oh yeah that's me that's me that's my email

that's my Twitter that I don't really use but feel free to tweet me and yeah that's us thanks a lot [Applause]