A guide towards hardware hacking methodology – Part I

Hardware hacking can be really interesting and fun to do and often times a person can become helpless if he does not follow the right approach. In this blog, we intend to guide you through the process of hardware hacking. A direction of how to approach a hardware device and what all steps you need to follow in order to extract useful information from the device.
The following are the steps involved in a Hardware hacking methodology:
1 Information gathering and reconnaissance
The first step is identify all the elements present on the device hardware and then look online and try to identify the datasheets for those elements.
Once you find the datasheet, tons of information can be found about the target in the datasheet.
In many popular hardware devices, you might be able to find information online.
2 Identify the communication interfaces
Information is shared among the devices with the help of common protocols. It is always useful to identify them.
The protocols are divided in two groups
1) Serial
in a Serial interface, the data gets transferred one bit at a time, which even though slower than parallel, but has an advantage of requiring a lesser number of pins.
2) Parallel
Parallel interfaces allow multiple bits of data exchange are happening at the same time, thus requiring a large number of pins to facilitate that

3 Finding hardware communication techniques
The pinouts which we need to identify are Tx, Rx, GND and Vcc.
1) GND (Ground): The first step is to identify the GND which does not require any power and can done by using the multimeter on continuity mode and then connecting the red probe to one of the pins and the black probe to a metallic surface. Try to test out each of the pins, and once you hear a beep sound, that pin is the GND.
2) Tx (Transmit): This requires to power on the device. Following the previous procedure of sticking the black probe to metallic surface and the red probe to each of the pins, once a voltage fluctuation is observed and rests on a high value will give you the Tx.
3) Vcc (Voltage Common Collector): The pin which has a constant high value upon sticking the red probe and keeping the black probe on a metallic surface is the Vcc.
4) Rx (Receiver): The pin which has significantly less voltage upon sticking the red probe and keeping the black probe on a metallic surface is the Rx.
4 Connecting the device to our system
In order to maintain a communication between the device and the attacking system middle device needs to be connected which can be a UART or a raspberry pi.
UART: UART stands for Universal Asynchronous Receiver/Transmitter. It’s not a communication protocol like SPI and I2C, but a physical circuit in a microcontroller, or a stand-alone IC. A UART’s main purpose is to transmit and receive serial data.

The following connections should be made in order to maintain a communication.
Vcc – Vcc
Tx – Rx
Rx – Tx

Raspberry pi: The Raspberry Pi is a low cost, credit-card sized computer that plugs into a computer monitor or TV, and uses a standard keyboard and mouse

The following connections should be made in order to maintain a communication.
Vcc – Vcc
(GPIO are the general purpose I/O pins which can be used for any general purpose)
5 Software exploitation using connected hardware
Any IoT device you use, you will be interacting with firmware, and this is because firmware can be thought of as the actual code that runs on an IoT or embedded device
here you can either extract the firmware or dump (download) the contents from the firmware. If you manager to extract the firmware, you can have access to sensitive information (user info, passwords) and directories that were present on the device.
6 Backdooring
Finally after having access to shell, you can maintain the access by uploading a payload in order to use the device in future.

We hope you find this blog useful. Here is the link for our next blog in hardware hacking series.

Author: Mohammad Usman Rais (Cyber Security Intern)

3 thoughts on “A guide towards hardware hacking methodology – Part I”

  1. I like the helpful information you provide in your articles. I will bookmark your weblog and check again here regularly. I am quite certain I will learn lots of new stuff right here! Best of luck for the next!

    1. Thanks for the valuable feedback. We have uploaded our second blog in regards to hardware hacking series. You can check it out on our blog section. Feel free to ask any queries regarding our blog posts. All the best!

  2. Pingback: Firmware Analysis (hardware hacking series) - Part II - Blog | Securium Solutions

Leave a Comment

Your email address will not be published. Required fields are marked *