Scenario: You own a device you want to investigate and maybe modify.
As described in the Methodology chapter, you should first try non-invasive methods, since opening the device is risky and can break components or the whole device. Hence, start with:
- Read the documentation:
  - The documentation of IoT devices can reveal a lot about their functionality.
  - For example: is there a backup function that writes backups to an SD card or USB stick?
  - Try to find functionality that can be exploited.
  - Search for default passwords, which may give access to more functionality/data.
- Does the device have a webserver running?
  - Try to find common vulnerabilities like RCE, LFI etc.
- Check with Wireshark / an RF analyzer for any communication from the device.
If the attempts above are exhausted, we can start with our hardware hacking.
{% hint style="warning" %} Opening a device comes at the risk of breaking it! Watch out for tamper protection! {% endhint %}
To do basic hardware hacking, you just need:
- a multimeter
- a UART to TTL USB adapter
- jumper cables
- and in some cases: a soldering station
After opening the device, follow these steps:
- Get an overview of what is on the PCB:
  - Check which chips are used.
  - Remove any shields that prevent you from seeing the hardware:
    (Image: chips under a shield)
- Check for connectors or test pads (these can be quick wins for finding a UART, JTAG etc.):
  - Even better if you find actual pins you can connect jumper cables to:
    (Image: exposed UART pins)
  - JTAG (which needs more pins) is also a very interesting target:
    (Image: JTAG connector)
    (Image: UART and JTAG pads found)
  - Note: Not all PCBs have these connectors, or the interfaces may be disabled.
- Check the pinout of the connectors:
  - Put the multimeter in continuity mode (often marked with a "diode" / "sound wave" symbol):
    (Image: multimeter)
  - This mode checks whether there is a direct connection between two points on the PCB.
  - Put one probe on the connector pad you want to test.
  - The other probe goes on the chip (the datasheet tells you which pins are used for UART/SPI/JTAG).
    (Image: how to probe)
  - To communicate over UART you need to find the GND (ground), TX (transmit) and RX (receive) pins.
- Another method to figure out the pinout is to look at the voltage on the pins:
  - GND should be at 0V
  - TX should fluctuate between 2-3V, depending on whether there is output or not
  - RX can look like the GND pin, since it just waits for incoming data
- Now connect the pins to the UART-USB-TTL adapter with jumper cables (make sure RX -> TX and TX -> RX, as they have to be crossed). You can solder the cables onto the connector pins, plug them in, or use clamps.
  (Image: UART connection found on PCB)
- On your PC, use one of the following commands to communicate over UART (you may have to adjust the baud rate):

{% tabs %}
{% tab title="Linux" %}
```bash
sudo minicom -D /dev/ttyUSB0 -b 115200
sudo picocom -b 115200 -r -l /dev/ttyUSB0
```
{% endtab %}
{% tab title="Windows" %}
Using PuTTY:
- Select "Serial", enter the COM port (e.g., COM3) and the baud rate (115200).
{% endtab %}
{% endtabs %}

- If you see something like this, you did it correctly:
  (Image: example bootlog)
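If 115200 only gives you garbage, the baud rate is the usual culprit. The following script is an added example (not part of the original page): it scores a capture at each common rate by how much of it looks like printable boot-log text. The scoring is pure Python and runs on the constructed captures embedded below; the capture helper assumes pyserial is installed and a real adapter is on `port`.

```python
import string

# Baud rates commonly seen on embedded consoles; 115200 is the usual first try.
CANDIDATE_BAUDS = (115200, 57600, 38400, 19200, 9600)
PRINTABLE = frozenset(string.printable.encode())
TEXT_THRESHOLD = 0.8  # minimum printable share to accept a capture as console text

def text_score(sample: bytes) -> float:
    """Fraction of bytes that are printable ASCII (letters, digits, CR/LF, ...).
    At the wrong rate the framing is off and the capture is mostly 0x00/0xFF and
    high-bit garbage (score near 0); at the right rate log lines come through."""
    if not sample:
        return 0.0
    return sum(b in PRINTABLE for b in sample) / len(sample)

def pick_baud(samples: dict) -> tuple:
    """Return (baud, score) for the most text-like capture, or (None, score) if
    nothing clears the threshold (silent console, RX/TX swapped, unusual rate)."""
    best_baud, best_score = None, 0.0
    for baud, data in samples.items():
        score = text_score(data)
        if score > best_score:
            best_baud, best_score = baud, score
    if best_score < TEXT_THRESHOLD:
        return None, best_score
    return best_baud, best_score

def capture_samples(port: str, seconds: float = 3.0) -> dict:
    """Read a burst at each candidate rate; reset the target during each window so
    the bootloader banner is on the wire. Needs pyserial (assumed installed),
    imported lazily so the scoring functions run without hardware."""
    import serial
    samples = {}
    for baud in CANDIDATE_BAUDS:
        with serial.Serial(port, baud, timeout=seconds) as ser:
            samples[baud] = ser.read(512)
    return samples

if __name__ == "__main__":
    # Constructed captures standing in for a real run (no hardware needed).
    fake = {
        115200: b"U-Boot (constructed sample)\r\nDRAM:  128 MiB\r\nHit any key to stop autoboot: 3\r\n",
        57600: b"\xff\x00\xfe\xfc\x80\x00\xff\xf8\x00\xc0\x00\xff\xfe\x00\x00\x00",
        9600: b"",
    }
    print("best guess:", pick_baud(fake))  # (115200, 1.0)
```

With a real adapter, replace `fake` with `capture_samples("/dev/ttyUSB0")` and reset the device during each capture window; a `None` result usually means the console is silent or RX/TX are swapped.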
Congrats! You found your first serial connection! Check out the UART chapter on how to use this to dump the firmware from the device.