hardware hacks

Upload: nu-the-open-security-community

Post on 26-Jun-2015

DESCRIPTION

null Trivandrum Chapter - August 2013 Meet

TRANSCRIPT

Page 1: Hardware Hacks

Hardware Hacking: A primer

Yashin Mehaboobe

Icarus Labs, CSPF

By Mohesh Mohan

Big Thanks to

Page 2: Hardware Hacks

Why hack hardware?

•More interesting

•More rewarding

•Usually open entry point into an otherwise secure network

•Interacting with the physical world.

Page 3: Hardware Hacks

The Raspberry Pi: The computer geek’s electronics toy

Page 4: Hardware Hacks

Why Pi?

•Easily supports a large variety of languages.

•Comes with Ethernet and USB ports.

•GPIO pins for hardware hacks

•Inbuilt RNG

•Powerful GPU

•Linux!!!!

Page 5: Hardware Hacks

Specifications (Model A / Model B)

Target price: US$ 25 (Model A); US$ 35 (Model B)

SoC: Broadcom BCM2835 (CPU, GPU, DSP, SDRAM, and single USB port)

CPU: 700 MHz ARM1176JZF-S core (ARM11 family, ARMv6 instruction set)

GPU: Broadcom VideoCore IV @ 250 MHz; OpenGL ES 2.0 (24 GFLOPS); MPEG-2 and VC-1 (with license), 1080p30 h.264/MPEG-4 AVC high-profile decoder and encoder

Memory (SDRAM): 256 MB (shared with GPU) (Model A); 512 MB (shared with GPU) as of 15 October 2012 (Model B)

USB 2.0 ports: 1 (direct from BCM2835 chip) (Model A); 2 (via the built-in integrated 3-port USB hub) (Model B)

Video input: A CSI input connector allows for the connection of a RPF designed camera module

Video outputs: Composite RCA (PAL and NTSC), HDMI (rev 1.3 & 1.4), raw LCD panels via DSI. 14 HDMI resolutions from 640×350 to 1920×1200 plus various PAL and NTSC standards.

Audio outputs: 3.5 mm jack, HDMI, and, as of revision 2 boards, I²S audio (also potentially for audio input)

Onboard storage: SD / MMC / SDIO card slot (3.3 V card power support only)

Onboard network: None (Model A); 10/100 Ethernet (8P8C) USB adapter on the third port of the USB hub (Model B)

Low-level peripherals: 8 × GPIO, UART, I²C bus, SPI bus with two chip selects, I²S audio, +3.3 V, +5 V, ground

Power ratings: 300 mA (1.5 W) (Model A); 700 mA (3.5 W) (Model B)

Power source: 5 volt via MicroUSB or GPIO header

Size: 85.60 mm × 53.98 mm (3.370 in × 2.125 in)

Weight: 45 g (1.6 oz)

Operating systems: Arch Linux ARM, Debian GNU/Linux, Fedora, FreeBSD, NetBSD, Plan 9, Raspbian OS, RISC OS, Slackware Linux

Page 6: Hardware Hacks

Mayhem

Numero Uno

Page 7: Hardware Hacks

WhatDuino

•Open hardware project

•Official versions: Uno, Mega, Duemilanove, Esplora etc

•Compatible: Teensy, TinyDuino, Femtoduino

•Shields, shields, shields!!!

•Multiple uses, single programming language!

Page 8: Hardware Hacks

Basic Overview

•14 Digital pins

•6 Analog pins

•Voltage regulated power supply

•Programmed over USB

•Inbuilt LED at pin 13

Page 9: Hardware Hacks

Shields

Page 10: Hardware Hacks

Bus Pirate

The ‘Bus Pirate’ is a universal bus interface that talks to most chips from a PC serial terminal, eliminating a ton of early prototyping effort when working with new or unknown chips. Many serial protocols are supported at 0-5.5 volts, more can be added.

Page 11: Hardware Hacks

Bus Pirate: Cool stuff all over the world

• Hack a cheap MD80 video camera, modifying the firmware to remove the date display

• XDA used the Bus Pirate to root the Meizu MX

• Will_j used the Bus Pirate to act as a transparent USB->serial bridge to a Wavecom GSM modem

• Sniff the exchange between an autonomous smartcard reader and a card

• Hacking USB webkeys with the Bus Pirate

• IBM ThinkPad T30 BIOS password reset with the Bus Pirate by Marcin

• ph1ph1l0u reports success rescuing his Asus laptop from a bad BIOS flash using flashrom and the Bus Pirate

• Bill Farrow fixed the Seagate 7200.11 hard drive firmware BSY bug with the Bus Pirate

Page 12: Hardware Hacks

Other Players

MK Series Google Android Mini PC

Field Programmable Gate Arrays or FPGAs like Spartan

Page 13: Hardware Hacks

MK Series Mini PC

•More Computing power (Single, Dual, Quad cores)

•Super Cheap and small form factor

•Built in Wifi, Bluetooth, HDMI, SD card slots, USB OTG

•Supports Linux

•No GPIO or hackable ports

•Very Little documentation

•Low Quality / Can be easily damaged

Page 14: Hardware Hacks

FPGAs

•Awesome computing power

•FPGAs are reprogrammable silicon chips

•Recompile means rewiring

•COPACOBANA version based on Virtex-4 SX 35 FPGAs

•Dedicated code breaker for DES and other ciphers

•NSA@home is a fast FPGA-based SHA-1 and MD5 bruteforce cracker

•Bit complicated & hard to work with

Page 15: Hardware Hacks

Calling Other Worlds

Out of the box the bladeRF can tune from 300MHz to 3.8GHz without the need for extra boards. The current open source drivers provide support for GNURadio among other things, allowing the bladeRF to be placed into immediate use. This gives the bladeRF the flexibility to act as a custom RF modem, a GSM and LTE picocell, a GPS receiver, an ATSC transmitter or a combination Bluetooth/WiFi client without the need for any expansion cards.

Transmit or receive any radio signal from 30 MHz to 6 GHz on USB power with HackRF. HackRF can be used to transmit or receive radio signals. It operates in half-duplex mode: it can transmit or receive but can't do both at the same time. However, full-duplex operation is possible if you use two HackRF devices.

Page 16: Hardware Hacks

bladeRF

bladeRF x115

$650

The bladeRF x115 comes with a larger 115KLE Cyclone IV FPGA that provides additional room for hardware accelerators and signal processing chains including FFTs, Turbo Decoders, transmit modulators/filters, and receive acquisition correlators for burst modems.

Page 17: Hardware Hacks

The mother of all: USRP

• Too pricey: > $1000

• Can be used with GNU Radio to sniff GSM traffic

• Could be used to broadcast digital television

• Track radio tags

• Even mess with garage door openers

• POC: a plan to construct a 6+ terabyte rainbow table using a box with at least 27 FPGAs. Once complete, any GSM conversation can be cracked in less than 5 minutes using a single FPGA.

Page 18: Hardware Hacks

Dreamz Unlimited!!!

• We will pretty soon be able to make small DIY robots equipped with enough hardware to sniff all wireless communication and even decrypt it in real time… The possibilities are endless.

• A small step on this horizon is a flying drone called WASP. It's a 'Small Scale, Open Source UAV using off the shelf components. Designed to provide a vehicle to project cyber-offensive and defensive capabilities, and visual / electronic surveillance over distance cheaply and with little risk.'

Page 19: Hardware Hacks

Thank you!!

Questions? Contact:

Facebook.com/MoheshMohan

www.h4hacks.com