$2,250 – $2,750

Hardware Hacking and Exploitation Bootcamp

From $2,250

Location

Online event

Refund policy

Contact the organizer to request a refund.

Eventbrite's fee is nonrefundable.

Event description
This course will help bootstrap security researchers and students of all experience levels in the field of hardware reverse engineering.

About this event

Description

This five-day course is designed to teach the fundamentals of hardware reverse engineering and exploitation.

Students learn how interfaces such as SPI, I2C, JTAG, and SWD work while developing tools to hack and attack these protocols.

Through the labs and exercises, students will learn how to extract firmware, utilize and access hardware debuggers using JTAG and SWD mechanisms, and write their own hardware hacking tools. All hardware is provided for this course and is kept by the students at the end of the course.

Labs include:

  • Extracting router firmware
  • Enabling console access through firmware modifications
  • Performing JTAG/SWD debugging on ARM/MIPS-based targets
  • Modifying Xbox Controller firmware through hardware-level debuggers

Course Goals

After participating in this course, students will have experience with:

  • Non-invasive hardware analysis (component identification, etc.)
  • Tracing and identifying points of interest on PCBs
  • Extracting firmware over multiple interfaces
  • Unpacking / analyzing binary blobs
  • Attacking hardware debuggers (JTAG, etc.)
  • Modifying, repacking and reflashing firmware

Students will also learn how to augment existing tools to work around problems that may arise when extracting firmware! Throughout the laboratory exercises, students will learn how to extract SPI/I2C-based flash chips, discover and gain access to consoles using UART, and identify, enumerate and actuate hardware-level debuggers such as JTAG and SWD.

Provided Materials

Students will receive a kit including all necessary components to complete the course. The kit includes:

  • 1 x Raspberry Pi 4 (preloaded with all necessary software and materials)
  • 1 x Travel Router (Target 1)
  • 1 x Game Cabinet (Target 2)
  • 1 x Game Console Controller (Target 3)
  • 1 x SSD
  • 1 x Breadboard
  • 1 x Multimeter
  • 1 x Logic Analyzer
  • 1 x Jumper Wire Kit
  • 1 x SPI Flash Clip and Probes
  • 1 x SPI Flash IC for exercises
  • 1 x I2C Flash IC for exercises

Prerequisites

This course is targeted towards security researchers who want to learn more about the process of firmware extraction and embedded systems analysis.

Students should be familiar with the Linux command line and be comfortable with a scripting language such as Python. C experience is also useful but not required!

Because of shipping complications caused by COVID-19, hardware kits will only be shipped to US residents. If you wish to take the course and want to purchase the target hardware yourself, reach out to contact@voidstarsec.com.

Course Structure

This course includes multiple modules, one for each protocol of interest. For each module, we will perform the following:

  • Protocol Overview and Analysis
  • Understanding and Reviewing Captured Protocol Traffic
  • Protocol Analysis from a Reverse Engineering Perspective
  • Tools for Reverse Engineering Specific Protocols
  • Practical Attacks and Applications on Provided Targets

After each protocol module, a target analysis will be performed to reinforce what was learned in the analysis segment. Four targets are used throughout the course, each represented by one of the modules shown below. For each target, a specific set of goals is presented, and additional goals are provided for those who may be more experienced.

Course Outline

Hardware Hacking Intro and Overview

  • Embedded Electronics 101
  • How Printed Circuit Boards are made
  • Analyzing PCBs
  • Identifying Components of Interest

Tools of the Trade

  • Multimeter Labs
      • Measuring voltage and resistance
      • Testing for continuity
  • Logic Analyzer Labs
      • Analyzing Example Captures
      • Applying and Writing Signal Decoders

Protocol Session: UART

  • Protocol Overview
  • UART for Reverse Engineers
  • Identifying UART Signals

UART Labs

  • Identify and Analyze UART Signals
  • Calculate Proper UART Settings
  • Gain Shell Access to Target via UART

U-Boot Labs

  • Review Linux boot sequence
  • Understand how U-Boot is used in practice
  • Examine common misconfigurations / vulnerabilities in U-Boot
  • Extend U-Boot shell interactions with Python scripting

Protocol Session: SPI

  • Protocol Overview
  • SPI for Reverse Engineers
  • Identifying SPI Signals

SPI Labs

  • Analyzing and Understanding SPI Traffic Captures
  • Reconstructing Firmware Images from SPI Traffic
  • Extracting SPI Flash
  • Reflashing SPI Flash

Firmware Image Analysis

  • Finding Data of Interest
  • Extracting Filesystems
  • Repacking and Modifying Firmware

Target Analysis Lab 1: Root and Route

  • Unpack firmware image extracted from target
  • Analyze extracted image to find data of interest
  • Modify image to allow for more privileged access
  • Reflash to target for increased access

Protocol Session: I2C

  • Protocol Overview
  • I2C for Reverse Engineers
  • Identifying I2C Signals

I2C Labs

  • Enumerating Unknown I2C Devices
  • Analyzing I2C Signals / Reconstructing Traffic
  • Extracting I2C Flash
  • Reflashing I2C Flash Devices

Target Analysis Lab 2: Where in the World is my Flash Data?

  • Extract all data from relevant flash devices
  • Analyze images to look for data of interest
  • Reflash devices, demonstrating that data of interest has been found

Protocol Session: Serial Wire Debug

  • SWD Overview
  • SWD for Reverse Engineers
  • Interfacing with SWD via OpenOCD

SWD Labs

  • OpenOCD Usage and Overview
  • GDB and SWD
  • Extracting Memory with SWD

Target Analysis Lab 3: Controlling a Controller

  • Identify Hardware Level Debug interface
  • Use OpenOCD to gain debug access
  • Extract firmware via hardware debugger
  • Analyze firmware
  • Reflash firmware, showing that you have modified it

Protocol Session: JTAG

  • JTAG Overview
  • JTAG for Reverse Engineers
  • Identifying and Discovering JTAG Ports

JTAG Labs

  • Enumerate JTAG scan chain
  • Identifying JTAG registers
  • GDB via JTAG
  • Extracting memory via JTAG

Target Analysis Lab 4: SSDs and GDB

  • Identify Hardware Level Debug interface
  • Use OpenOCD to gain debug access
  • Extract RAM via hardware debugger
  • Use GDB to set breakpoints and demonstrate control over the target device

Instructor Bio

Matthew Alt is a reverse engineer with a focus on embedded systems. He began his career in the automotive performance industry, searching for vulnerabilities in engine control units and diagnostic implementations. After that, he worked at MIT Lincoln Laboratory in the Cyber Systems Assessment Group as a team lead on a program that focused on embedded systems exploitation and reverse engineering. He currently works as a security consultant for various customers in the realm of embedded and IoT systems. Matthew also generates regular content on his website, with a focus on teaching the low level fundamentals of hardware reverse engineering.

Past public courses that Matthew has taught include Hackaday’s Introduction to Reverse Engineering Software with Ghidra; the recorded versions of these courses can be found on YouTube.

Course Feedback

"Love the course. I really went in with low knowledge and solidly learned something."

"Instructor was really good and knowledgeable - didn't want the class to end so quickly!"

"I just used the skills you taught at the hardware hacking lesson to un-brick old ubiquity edge router. Thank you for that!"

“I have not had that sense of learning and challenge in quite a long time.”

“The course was very helpful. I am looking forward to expanding on these skills for IoT devices. The pace of the course made it easier as a software developer with software RE experience to learn.”

QUESTIONS

Please reach out to contact@voidstarsec.com with questions or inquiries regarding this course!

Organizer VoidStar Security LLC

Organizer of Hardware Hacking and Exploitation Bootcamp
