Hardware hacking

Hardware hacking Tavish Naruka

description

This presentation introduces some common protocols used in electronics, and how to sniff/speak them. Then a bit about USB, and some interesting hacks with these things. Then a bit about OpenWrt and router hacking.

Transcript of Hardware hacking

Page 1: Hardware hacking

Hardware hacking

Tavish Naruka

Page 2: Hardware hacking

About me

What I do: I studied electronics from JIIT and have been working at Baseapp Systems, in Delhi. I do software/system design for embedded systems.

Page 3: Hardware hacking

Hardware hacking?

● looking at how a consumer product does what it does
● making something from scratch
● making things do what they were not meant to do.

Page 4: Hardware hacking

Outline

● Introduction to some common protocols used in low level electronics (RS-232, SPI, I2C)
● Sniffing/speaking these protocols
● USB protocol, sniffing USB
● A few interesting hardware hacks
● Router hacking

Page 5: Hardware hacking

Things follow rules

There are a few common protocols you will see in a lot of places

● Chips follow standard protocols
● You can google most device datasheets
● exception is some chips with limited/restricted distribution

Page 6: Hardware hacking

SPI

(Figure: Serial and SPI communication waveforms)

RS-232

Often called just Serial, can be found in many places. Often used as a debug output in systems, or even as a control terminal.

Often used to just transfer readable text, so you can even read what transfers are going on. For example:

$GPRMC,081836,A,3751.65,S,14507.36,E,000.0,360.0,130998,011.3,E*62
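The sentence printed on the slide is an NMEA 0183 GPS fix (RMC), which is exactly the kind of readable text that shows up on a serial line. The parser below is an added example, not code from the talk; it checks the sentence's own XOR checksum before trusting any field, since a glitch or a wrong baud rate on a serial link produces plausible-looking junk.

```python
"""Validate and split an NMEA sentence as seen on the serial line.
Added example, not code from the talk; SAMPLE is the sentence from the
slide, used here as constructed test input."""

SAMPLE = "$GPRMC,081836,A,3751.65,S,14507.36,E,000.0,360.0,130998,011.3,E*62"

def nmea_checksum(body):
    """XOR of every character between the leading '$' and the '*'."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return value

def parse_nmea(line):
    """Return (sentence id, fields) or raise ValueError on a bad frame."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        raise ValueError("not an NMEA sentence: %r" % line)
    body, _, tail = line[1:].partition("*")
    try:
        claimed = int(tail[:2], 16)       # two hex digits after '*'
    except ValueError:
        raise ValueError("checksum field is not hex: %r" % tail)
    actual = nmea_checksum(body)
    if claimed != actual:
        raise ValueError("checksum mismatch: claimed %02X, computed %02X"
                         % (claimed, actual))
    fields = body.split(",")
    return fields[0], fields[1:]

def is_valid(line):
    """True when the frame parses and its checksum matches."""
    try:
        parse_nmea(line)
        return True
    except ValueError:
        return False

def gprmc_summary(line):
    """Pull the RMC fields most people care about: UTC time, validity flag,
    latitude/longitude with hemisphere letters, speed over ground, date."""
    sid, f = parse_nmea(line)
    if sid != "GPRMC":
        raise ValueError("expected GPRMC, got %s" % sid)
    return {"time": f[0], "valid": f[1] == "A", "lat": f[2] + f[3],
            "lon": f[4] + f[5], "speed_knots": float(f[6]), "date": f[8]}
```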

Page 7: Hardware hacking

I2C protocol

(Figure: Multiple I2C devices wired together)

(Figure: A sample I2C transaction)

● I2C communication is initiated by the master, and there is only 1 master at a time
● All devices have a unique address, and they respond only to that
● All transfers require acknowledgement
● Start and stop conditions indicate the start/stop of data

A lot of things (memories, wireless chips, all kinds of sensors, batteries, ADCs, even some LEDs) speak I2C or SPI.

Also called SMBus on PCs.

Page 8: Hardware hacking

Some places where I2C is used

(Photos: EEPROM, laptop batteries, various sensors)

Page 9: Hardware hacking

Sniffing/Speaking

A logic analyzer connected to a BeagleBone

Logic analyzer output on its software tool
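The sample transaction on page 7 and the logic-analyzer capture on page 9, worked as a decoder over raw (SCL, SDA) samples. This is an added example, not code from the talk or from any analyzer software; the waveform is constructed by i2c_encode() rather than captured from hardware, and the decoder relies only on the bus rules the slide lists (start/stop conditions on SDA while SCL is high, 7-bit address plus R/W bit, an acknowledge bit after every byte).

```python
"""Bit-level decoder for I2C traces of the kind a logic analyzer captures:
a list of (SCL, SDA) samples. Added example, not code from the talk; the
waveform is constructed by i2c_encode() below, not captured from hardware."""

def i2c_encode(address, write, data, ack=True):
    """Construct samples for one transaction: START, 7-bit address plus R/W
    bit, the data bytes, an ACK/NACK bit after every byte, then STOP."""
    samples = [(1, 1), (1, 0)]            # idle, then SDA falls while SCL high
    first = (address << 1) | (0 if write else 1)
    for byte in [first] + list(data):
        bits = [(byte >> i) & 1 for i in range(7, -1, -1)] + [0 if ack else 1]
        for b in bits:                    # SDA only changes while SCL is low
            samples += [(0, b), (1, b), (0, b)]
    samples += [(0, 0), (1, 0), (1, 1)]   # STOP: SDA rises while SCL high
    return samples

def i2c_decode(samples):
    """Walk the samples and return events: 'START', 'STOP',
    ('ADDR', address, 'R'|'W', acked) and ('DATA', byte, acked)."""
    events, bits = [], []
    prev_scl, prev_sda = samples[0]
    for scl, sda in samples[1:]:
        if scl and prev_scl and prev_sda and not sda:
            events.append("START")        # SDA high->low with SCL high
            bits = []
        elif scl and prev_scl and not prev_sda and sda:
            events.append("STOP")         # SDA low->high with SCL high
            bits = []
        elif scl and not prev_scl:        # rising clock edge: SDA is valid
            bits.append(sda)
            if len(bits) == 9:            # 8 data bits + acknowledge bit
                value = 0
                for b in bits[:8]:
                    value = (value << 1) | b
                acked = bits[8] == 0      # receiver pulls SDA low to ACK
                if events and events[-1] == "START":
                    rw = "R" if value & 1 else "W"
                    events.append(("ADDR", value >> 1, rw, acked))
                else:
                    events.append(("DATA", value, acked))
                bits = []
        prev_scl, prev_sda = scl, sda
    return events
```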

Page 10: Hardware hacking

Speaking

Arduino - really quick prototyping

PIC32 Fubarino mini

STM32F4 Discovery

FTDI USB serial chips can also do many protocols. Can use C/Python libraries.

Page 11: Hardware hacking

FTDI chips (FT232H)

FT232H (module in the picture is the UM232H)
● Most often used as USB to serial
● Can also do SPI/I2C, GPIO/bitbang
● FTDI provides C libraries for using these
● Can do JTAG, OpenOCD or other debuggers
● code below -> read 1MB SPI flash

libmpsse, Python wrapper over the FTDI C libraries (libftdi):

    from mpsse import *

    # open the FT232H in SPI mode 0, 30 MHz clock, MSB first
    flash = MPSSE(SPI0, THIRTY_MHZ, MSB)

    flash.Start()                      # assert chip select
    flash.Write("\x03\x00\x00\x00")    # READ command (0x03) from address 0x000000
    data = flash.Read(0x100000)        # clock out 1MB of flash contents
    flash.Stop()                       # release chip select
    flash.Close()

    with open('flash.bin', 'wb') as f:
        f.write(data)

Page 12: Hardware hacking

Some MCU suggestions

Arduino
1. Has a serial bootloader, so don't need a programmer
2. IDE comes with many ready to use libraries, not good
3. Code written in C++, in IDE, which is not the best text editor
4. Don't really need IDE
5. AVR-gcc and clib, avrdude etc.

STM32
1. ARM Cortex M0/1/3/4
2. GCC ARM compilers are free and/or open source
3. Need programmer/debugger, but Discovery kits come with one; can also use FTDI chip from last slide as JTAG with OpenOCD (Olimex Tiny-USB JTAG etc.)
4. No IDE, free to set up anything

Microchip PICs
1. Series of 8, 16, 32 bit microcontrollers
2. Also have an IDE, based on NetBeans
3. No completely free toolchain. Some code optimizations are paid features
4. Provide some libraries for USB stack and peripherals etc.
5. Need a programmer, like ICD3, which is a bit expensive but can program/debug any Microchip PIC

Page 13: Hardware hacking

USB

Introduction
● USB cable has 4 wires: GND, 5V, D+, D-
● When you connect a device to a host, the host does 'enumeration'
● The device describes itself to the host during this
● You communicate with a USB device on "Endpoints", which are like port numbers on an IP in a network. Descriptors are sent on endpoint 0, which is always present
● After enumeration, the host OS may decide to load a driver for the device, depending on device class, or if no class, then VID/PID

Bus 002 Device 003: ID 0079:0006 DragonRise Inc. Generic USB Joystick
Device Descriptor:
  idVendor           0x0079 DragonRise Inc.
  idProduct          0x0006 Generic USB Joystick
  bNumConfigurations 1
  Configuration Descriptor:
    MaxPower         500mA
    bNumInterfaces   1
    Interface Descriptor:
      bNumEndpoints      2
      bInterfaceClass    3 Human Interface
      bInterfaceSubClass 0 No Subclass
      Endpoint Descriptor:
        bEndpointAddress 0x81 EP 1 IN
        Transfer Type    Interrupt
        wMaxPacketSize   0x0008 1x 8 bytes
      Endpoint Descriptor:
        bEndpointAddress 0x01 EP 1 OUT
        Transfer Type    Interrupt
        wMaxPacketSize   0x0008 1x 8 bytes

Page 14: Hardware hacking

Sniffing USB

USB sniffing
● Linux kernel facility called 'usbmon'
● Sort of like tcpdump for USB
● Wireshark, VUSB analyser are both free/open source

(Screenshots: Wireshark, VUSB analyser)

Page 15: Hardware hacking

Talking USB

libusb

http://libusb.info/ or http://libusb.org/

You can talk to a device with a class/subclass or VID/PID not associated with a driver using this library.

C/C++, Python

Microcontrollers: most of the STM32 series, many PIC18 and PIC32, ATmega32U4 etc. have a USB device; some have host too.

Linux USB gadget API
● kernel modules to act as a USB slave (instead of host)
● hardware should support USB peripheral mode, so most desktops can't, but many embedded ones can
● USB serial, Ethernet
● USB HID, keyboard, mouse
● PTP (picture transfer protocol, like in a camera, or Android phones)
● sound devices, webcam
● File backed storage, mass storage devices

Page 16: Hardware hacking

USB mass storage device class as an example

(Diagram: Flash, USB controller, Computer)

You plug in a USB pen drive
● Enumeration happens on the Control endpoint (EP0)
● 2 endpoints (1 IN, 1 OUT) are set up for exchanging data
● Data exchanges are wrapped in SCSI commands (read, write, disk size etc.)
● In Linux, the kernel loads the USB mass storage driver, which provides a block device interface like /dev/sdb
● Linux reads the partition table to detect any partitions; if present, /dev/sdb1, /dev/sdb2
● OS auto-mounter may mount detected partitions

Android mass storage uses the USB gadgetfs driver in Linux. It unmounts the microSD partition and makes it available to gadgetfs.

MP3 players and other devices do this.

It is a means for firmware update in some devices.

Page 17: Hardware hacking

Block devices

MBR - first sector, 512 bytes

(Figure: hex dump of an MBR with a valid boot sector signature)

Partition table
● only 4 entries, hence 4 primary partitions
● first byte either 0x80 or 0x0, bootable flag
● used by IBM compatible and other computers during boot

Some tools for seeing binary data:
● hd, hexdump
● od - read as int, uint, chars etc.
● strings - show printable characters in file
● xxd - hex dump to bin or reverse
● file - try to identify type of file
● dd - read parts of one file into another, everything is a file
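The MBR layout described above, worked as a parser over the 512-byte sector that dd or hd would show you: boot signature check, then the four 16-byte entries at offset 446 with their bootable flag, type and LBA range. Added example, not code from the talk; the sector is constructed in the block, not read from a real drive.

```python
"""Parse a 512-byte MBR: verify the boot sector signature and decode the
four 16-byte partition entries at offset 446. Added example, not code from
the talk; SAMPLE_MBR is constructed here, not read from a disk."""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446              # partition table sits after the boot code
ENTRY_FORMAT = "<B3sB3sII"      # flag, CHS start, type, CHS end, LBA start, sectors
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510 and 511 of a valid boot sector

def make_entry(bootable, ptype, lba_start, sectors):
    """Build one entry; CHS fields are zeroed, the LBA fields are what count."""
    return struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, bytes(3),
                       ptype, bytes(3), lba_start, sectors)

def parse_mbr(sector):
    """Return the non-empty partitions, or raise ValueError for a sector that
    is the wrong size, lacks the signature, or has an illegal bootable flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be %d bytes, got %d" % (MBR_SIZE, len(sector)))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):          # only 4 entries, hence 4 primary partitions
        off = TABLE_OFFSET + 16 * i
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FORMAT,
                                                        sector[off:off + 16])
        if flag not in (0x80, 0x00):
            raise ValueError("entry %d: flag must be 0x80 or 0x00, got 0x%02x"
                             % (i, flag))
        if ptype == 0:
            continue            # empty slot
        parts.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                      "lba_start": start, "sectors": count})
    return parts

def is_valid_mbr(sector):
    """True when parse_mbr() accepts the sector."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False

# Constructed sample: empty boot code, a bootable FAT32 (0x0C) partition,
# a Linux (0x83) partition, two empty slots, then the signature.
SAMPLE_MBR = (bytes(TABLE_OFFSET) + make_entry(True, 0x0C, 2048, 204800)
              + make_entry(False, 0x83, 206848, 409600) + bytes(32)
              + BOOT_SIGNATURE)
```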

Page 18: Hardware hacking

STM32

(Diagram: STM32 board with a USB pen drive, an SPI OLED display, and a USB device connection to the PC)

Layers of host code
● USB host
● USB mass storage driver, bulk only transfer, SCSI
● FAT32 layer
● Do not know, nor needed to know, all layers in detail
● Most of the USB stack and mass storage driver is from STMicro
● FAT32 layer is Chan's FatFs library

SPI OLED display
● SPI OLED initialization sequence
● data write sequence
● Character fonts
● handling 'frame buffer'
● Adafruit had released a similar OLED, used code from there

USB device code
● Modify code for USB CDC (or USB serial)
● Bulk only transfer, and maximum packet size (64 bytes, full speed)
● Custom class/subclass (0xff)
● Desktop application uses libusb to communicate

Page 19: Hardware hacking

Some examples

Samsung smart TV:
● ARM based, runs a BusyBox based Linux system
● has software packages like widgets/games and firmware updates
● updates installed via USB pen drive

Implemented on a Gumstix board
● Linux USB file storage gadget
● TV reads and checks files
● on reading a second time, the filesystem is switched, copying own code onto the TV, which it runs as root

Page 20: Hardware hacking

Some more examples, CHDK

Canon Hack Development Kit
● (2006) Programmer studies disassembly of firmware upgrade for his IXUS camera
● Figures out a way to boot from SD card
● Dumps firmware of camera by blinking the LED on camera, and reading with a light dependent resistor

(Photo: CHDK running on a point and shoot)

● Enhancement to camera firmware, doesn't void warranty, GPL
● Features: RAW images, settings overrides (shutter speed, exposure, ISO), exposure/focus bracketing,
● motion detection, HDR, time lapse
● User scripts in Lua, uBasic
● can make really cheap trigger using USB cable
● On screen displays, live histogram

Page 21: Hardware hacking

Unlimited DOF using focus bracketing

Page 22: Hardware hacking

HDR, by combining Exposure bracketing

Page 23: Hardware hacking

Some more examples

OpenKinect
● Microsoft was not willing to release open source/otherwise drivers for systems other than Linux for Kinect
● Adafruit (which is a DIY/hobbyist electronics company) launched a bounty
● they put up dumps of USB traffic from Kinect on Windows
● protocol reverse engineered, libfreenect

PS3 jailbreak
● Buffer overflow in PS3 USB stack
● if device reports smaller descriptor length than actual, PS3 copies the data into a small allocated memory, causing overflow
● This allowed the jailbreak creators to run arbitrary code on the PS3 somehow
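A defender's counterpart to the descriptor handling on page 13 and to the length mismatch in the PS3 bullet above: a host-side parser that refuses a device descriptor whose bLength disagrees with the size the specification fixes or with the bytes actually received, so the device's own length field never decides how much gets copied. Added example, not code from the talk or from any USB stack; the descriptor bytes are constructed to match the joystick in the lsusb listing (bcdUSB, bcdDevice and the string indexes are assumed values).

```python
"""Defensive parser for the device descriptor a USB device sends on
endpoint 0 during enumeration. Added example, not code from the talk;
JOYSTICK_DESCRIPTOR is constructed here to match the lsusb listing."""
import struct

DEVICE_DESCRIPTOR_TYPE = 1
DEVICE_DESCRIPTOR_LEN = 18          # fixed size set by the USB specification
FORMAT = "<BBHBBBBHHHBBBB"          # little-endian, 18 bytes in total
FIELDS = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass",
          "bDeviceSubClass", "bDeviceProtocol", "bMaxPacketSize0", "idVendor",
          "idProduct", "bcdDevice", "iManufacturer", "iProduct",
          "iSerialNumber", "bNumConfigurations")

# Constructed to match "ID 0079:0006 DragonRise Inc. Generic USB Joystick";
# bcdUSB, bcdDevice and the string indexes are assumed values.
JOYSTICK_DESCRIPTOR = struct.pack(FORMAT, 18, 1, 0x0110, 0, 0, 0, 8,
                                  0x0079, 0x0006, 0x0107, 1, 2, 0, 1)

def parse_device_descriptor(buf):
    """Return the fields as a dict, or raise ValueError. bLength is data the
    device chose; it is checked against the fixed size and against the bytes
    actually received before anything is copied out of the buffer."""
    if len(buf) < 2:
        raise ValueError("short read: no bLength/bDescriptorType")
    blength, btype = buf[0], buf[1]
    if btype != DEVICE_DESCRIPTOR_TYPE:
        raise ValueError("not a device descriptor: type %d" % btype)
    if blength != DEVICE_DESCRIPTOR_LEN:
        raise ValueError("bLength %d, expected %d" % (blength, DEVICE_DESCRIPTOR_LEN))
    if len(buf) < blength:
        raise ValueError("bLength %d but only %d bytes received" % (blength, len(buf)))
    return dict(zip(FIELDS, struct.unpack(FORMAT, buf[:DEVICE_DESCRIPTOR_LEN])))

def accepts(buf):
    """True when the descriptor passes every check, False when rejected."""
    try:
        parse_device_descriptor(buf)
        return True
    except ValueError:
        return False
```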

Page 24: Hardware hacking

Router hacking

Routers have always been closed source
● In 2003 Linksys releases the WRT54G
● turns out it runs Linux
● community pressure on Linksys to release source because of the Linux GPL license
● Many router firmware projects started after this

Linksys later moved to VxWorks, but people got Linux working on new routers too.

OpenWrt

Most active router firmware project

Actually a Linux distribution for very space constrained systems, and has router specific additions
● has a web interface, like in normal routers
● generates images as squashfs/jffs2 filesystem
● these are written on flash chips on routers
● Based on buildroot/uClibc build system

Page 25: Hardware hacking

TP-Link WR841ND

(Photo labels: SPI flash chip, Atheros AR9341 SoC, RAM, serial port)

Inside a typical router

(Screenshot: OpenWrt buildroot menuconfig)

Page 26: Hardware hacking

OpenWrt flash layout

(Figure: 4MB SPI flash layout)

For just dumping flash contents, can desolder chip and read (never have to). Some tools to analyse unknown flash contents:
● Binwalk
● Firmware mod kit - uses binwalk

Page 27: Hardware hacking

binwalk, firmware-mod-kit

(Screenshot: Binwalk scan results)

Firmware-mod-kit
● it tries to detect different portions in firmware dump
● extracts them
● you modify them if you want
● repacks them, recreating CRCs or signatures again if need be
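What a binwalk scan of a flash dump is doing underneath, worked as a small signature scanner: look for the magic bytes of the pieces an OpenWrt image is built from (a uImage kernel, a SquashFS root filesystem) and report each region's offset together with the length the header itself declares. Added example, not code from the talk or from binwalk; the image is constructed inside the block, not dumped from a real router.

```python
"""Signature scan of the kind binwalk performs on a flash dump: find known
headers by magic bytes, report offset and the header's declared length.
Added example, not from the talk or binwalk; SAMPLE_IMAGE is constructed."""
import struct

UIMAGE_MAGIC = b"\x27\x05\x19\x56"
SIGNATURES = {
    UIMAGE_MAGIC: "uImage (U-Boot kernel image)",
    b"hsqs": "SquashFS filesystem, little-endian",
    b"sqsh": "SquashFS filesystem, big-endian",
}

def scan(blob):
    """Sorted (offset, description, declared_size) for each magic found.
    Two-byte magics such as JFFS2's are left out: they match random data far
    too often, which is why binwalk validates header fields after a hit."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name, declared_size(blob, pos, magic)))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def declared_size(blob, off, magic):
    """Length the header claims for its region, None if the header is cut off."""
    if magic == UIMAGE_MAGIC and len(blob) >= off + 16:
        return 64 + struct.unpack(">I", blob[off + 12:off + 16])[0]  # hdr + ih_size
    if magic == b"hsqs" and len(blob) >= off + 48:
        return struct.unpack("<Q", blob[off + 40:off + 48])[0]       # bytes_used
    return None

def uimage_header(payload_len):
    """64-byte uImage header: magic, header crc, time, size, load, entry,
    data crc, os/arch/type/comp (zeroed in this constructed header), name."""
    return struct.pack(">IIIIIIIBBBB32s", 0x27051956, 0, 0, payload_len,
                       0, 0, 0, 0, 0, 0, 0, b"constructed kernel")

def squashfs_superblock(bytes_used):
    """SquashFS 4.0 superblock (bytes_used at offset 40), padded to 96 bytes."""
    sb = struct.pack("<4sIIIIHHHHHHQQ", b"hsqs", 1, 0, 131072, 0,
                     1, 17, 0, 1, 4, 0, 0, bytes_used)
    return sb + bytes(96 - len(sb))

# Constructed 896-byte image: kernel at 0, root filesystem at 0x140, padding
SAMPLE_IMAGE = (uimage_header(256) + b"K" * 256
                + squashfs_superblock(512) + bytes(512 - 96) + b"\xff" * 64)
```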

Page 28: Hardware hacking

More examples

Kindle 4 no touch
Create empty file 'ENABLE_DIAGS', restart from menu

● Apart from just breaking consumer stuff, this info is useful for making hardware
● Many vendors are selling modules with router SoCs you can use in own projects.

Ex. 8devices.com Carambola: has WiFi, runs Linux, easier to put in own projects than these BGA chips

Arduino Yun has the same AR9331 chip (also has an ATmega32U4), runs OpenWrt.

Fon Wireless Ltd. runs a paid WiFi sharing network. Their own hardware runs an OpenWrt derivative.

Page 29: Hardware hacking

A wireless audio receiver

This is a small WiFi audio receiver we made, based on a router SoC.

● Carambola2 SoM, WiFi, 16MB flash, 64MB RAM
● Custom OpenWrt
● each speaker is an AllJoyn audio sink
● devices have master/slave modes, each mode has a config mode
● in config mode you can connect to the device with a phone using a WiFi AP
● network configuration, DHCP, WiFi access point, switching modes, starting/monitoring services etc. handled by custom scripts in Lua, since the OpenWrt code was suitable only for a router.
● Modifications to board specific code for the kernel, for LEDs, buttons, etc.; hints taken from board specific code for other routers.

Page 30: Hardware hacking

Conclusion…

● Devices use standard protocols to communicate
● Logic analyzer is useful
● You can make routers run your own code