Hardware hacking is the process of taking a physical piece of hardware, taking it apart to see what makes it tick, and then either modifying it to make something new or using the gained knowledge to exploit weaknesses in the hardware design. Entire communities have been built upon this process (A large one is the maker community) and now its time to join them!
First a brief history lesson
Before we dive into how to hack hardware, the different components, and the process of hacking it, a basic understanding of the physics of electricity are necessary. (Note this is a very quick and dirty lesson on electricity and there is always more to learn). First off we have voltage, voltage is the difference in electrical potential energy between two points.
V = I * R
Above is ohms law which states voltage (V) equals current (I) times resistance (R). Both of which are things I will get to soon. What’s important to understand is that circuits have an certain amount of voltage that needs to be supplied in order for them to operate, this is called the bias voltage. A circuit’s documentation will also specify an operating range for the voltage at which it is safe to run the parts at.
Resistance is what it sounds like, it is how resistant a material is to transferring an electric charge and is measured in Ohms. Current is how much charge is flowing though the circuit and is measured in amperes (or amps for short) . The importance of these two values goes hand in hand because certain parts run better with higher or lower currents (Some parts explode when you run too much current through them). Ohms law can be rearranged to help tell you the values you need to know.
I = V/R R = V/I
In ohms law, delta V (change in voltage) can be substituted for V to figure out resistor values (I will explain resistors more when I talk about components).
Lets talk about an LED, an LED has a bias voltage of 2.2v and safely operates at 20mA (.02 amps), If you wanted to power it safely from a 3.3v power supply you can calculate the resistor value you would need as so: (The following math assumes two significant figures)
R = 3.3 - 2.2 / .02 R = 55 ohms
Congrats you just figured out you need a 55 ohm resistor.
Components and tools
Now that you have learned some basics physics, its time to move on to the tools you will need to hack some hardware.
Starting with a list of tools:
- Multimeter: Used to measure voltage, resistance and current
- Soldering Iron: Used to assemble/dissemble circuits
- Breadboards: Used to prototype circuits
- Bus pirate: Can be used for a slew of things like OCD (On chip Debugger), SPI (Serial Peripheral Interface), JTAG (Named after the group that developed it; Is another programming/debugger interface), and ISP (In-circuit serial programmer) (These will be introduced more in level 2)
Moving on to a list of components and what they do:
- LED: Light Emitting Diode
- Resistor: Raises resistance in a circuit
- Capacitor: Charges and discharges at a given interval, used to lessen demand on a power supply
- IC: Integrated circuits. What most people think of as “chips”
- EEPROM (Electrically Erasable Programmable Read-Only Memory): Embedded devices use these as a means of storage.
- Timer: Oscillates at a given frequency
- Microcontrollers: Tiny little computers. Sometimes they are just CPUs (Central Processing Units), other times they include ram, and flash storage. Popular platforms are..
- Crystals: Oscillate at a given frequency, similar to a timer
- Transformers: Used to convert between voltage levels
- Diodes: Used to limit current flow in one direction
Level 0: Baby Steps
Before you go taking apart any devices or adding on to them, it’s first important to understand how to build your own devices. I suggest starting with an Arduino nano (At the time of writing a pack of 3 nanos are 13-14 dollars on Amazon). From there you can use a resistor, an LED, and some jumper wires to build a circuit which you can program to blink. As simple this may seem it is a perfect beginners project into the world of digital electronics. From this you have already learned the following:
- How to program a microcontroller
- How to build a simple circuit
- Prototyping on a bread board
each of which are extremely valuable skills for hardware hacking. In this step, I am not going to re-write something that I think the Arduino foundation has already written extremely well in in detail. Follow the steps in the following tutorial to get started with Arduinos.
Level 1: Taking apart/building upon other circuits
Hopefully by now you have made a few different Arduino programs to control various circuits of your design. (See the link above!) Now it is time to move along to the next steps of the hardware hacking process. The first thing you want to do when looking at an unknown circuit is to start looking for any ICs. If you find them, chances are they will have some kind of text on them — generally the part number for that IC. As soon as you identify the part number, Google it! If you’re lucky, you will find documentation about that IC. Reading through IC documentation can seem scary, but begin with finding the following tidbits of information first:
- Operating voltage
- Pin outs (What certain pins on a microcontroller/IC are used for)
- Operating currents
- What the IC is used for
Figuring out those things can help you to figure out more about what the individual parts of a circuit are doing. From there you can start to mod the circuit. For example, say you wanted to be able to make your TV remote rechargeable. You could just buy rechargeable batteries, or you could measure the output voltage of the batteries in the remote and then build in a LIPO battery pack with USB charging capabilities.
Is this easier? No. More educational and fun? Yes.
Another somewhat easy hardware hacking project would be to create modded video game controllers. (Just be sure not to cheat when playing online.) To mod a video game controller, all you would need to do is measure the operating voltage using a multimeter and then program and wire-up a mircocontroller (that operates at an appropriate voltage) to various inputs on the controller to simulate user interaction. Now you have a DIY controller mod chip!
Level 2: Attacking the hardware
Okay, so the majority of the blog thus far has talked about modding and building onto hardware which is fun and has its own uses. Now let’s talk about going on the attack and violating the security of the hardware (using some simpler attack vectors).
After going through and determining the various ICs in the circuit for the device you are planning on attacking, you can create a plan of attack. When looking at the circuit, you may be able to identify things called test pads on the PCB (Printed Circuit Board). Test pads are used by manufacturers to automate testing of device PCBs in the factory, but sometimes debug interfaces are left enabled in production devices. This is done to allow for debugging on a device returned because of hardware malfunctions. The problem with this is that it gives attackers the potential ability to dump device firmware and begin the software reverse engineering process.
You may be wondering what I mean by debugging interfaces. Earlier, I said I would talk more about SPI, JTAG, and ISP — well, those are examples of different hardware communication protocols which sometimes can be used for debugging. You can connect to one of these interfaces by determining what pads correspond to what wire in the communication protocol standard (sometimes they are labeled, other times you need to use something like a logic analyzer to determine what is what), soldering a jumper wire from the pad to a breadboard, hooking it up the correct corresponding pin of a bus pirate, and then running the correct tools.
If the embedded device you are trying to hack happens to have an EEPROM model, you can also use a bus pirate to extract the contents of the EEPROM. After extracting the contents of the EEPROM, you can run a command line tool like binwalk on the bin file to search for any embedded filesystems. A common thing to see in embedded devices is Linux with some kind of read-only filesystem like SquashFS. Using binwalk, you can extract these artifacts and then start to search through the device for weaknesses (root password, encryption keys, etc).
As a ending note for Level 2, there are more complicated hardware attacks that can be performed against embedded devices, but I am not going to cover them because I do not have the money to afford the necessary hardware to perform some of these attacks. I mean, the explanation for some of them are large enough to fill up their own blog post.
Now go out there and hack some hardware!
With love and root shells – wolfshirtz