Introduction to Hardware Hacking and Reverse-Engineering

Learn the basics of Hardware, Hardware Protocols, Hardware Hacking, Embedded Security and Reverse-Engineering

Training starting at

$1,800.00

with one of our subscriptions

Language

English

This course is our recommended course for people who are new to hardware and hardware security. This course will cover all of the basics of hardware protocols, decoding and analysis. Additionally it will provide an introduction to many aspects of hardware and embedded security. Students will learn how to sniff, analyze, decode and inject common serial protocols, halt, debug, and single step CPUs, as well as dumping various types of memories. The hardware necessary for this course can be reused for many other introductory, intermediate and advanced level courses offered through Advanced Security Training.

Each day will feature roughly 2 hours of theory and 4-5 of a hands-on hardware CTF to be performed by participants.

All of the flags illustrated as part of these course are common embedded vulnerabilities that have come up on numerous occasions when testing client products during audits.

Topics Covered during this Course

  • Basic digital electronics theory and practices targeted to entry-level hardware hackers
  • How to read a datasheet, schematic, and identify components on a PCB
  • What is UART and how to build your own UART transmitter in embedded Linux and a microcontroller
  • What is SPI and how to use embedded Linux tools like flashrom
  • How to write a SPI driver from scratch to fully appreciate the protocol
  • How I2C differs from UART and SPI and how to bit bang I2C to inject bits on the wire
  • CPU debug protocols including JTAG and SWD
  • Black box reverse engineering with a CTF like challenge

Day 1: Hardware Reverse-Engineering, Boot Loaders, Embedded Linux and UART

Day 1 will begin with identifying key components on the PCB, understnading the boot process, interfacing with the bootloader and the Operating System. Participants will learn how to interface to an embedded system, commmunicate with the bootloader and drop into a linux shell on the device. Day 1 will also familiarize participants with several of the most common security issues in embedded linux systems.

Capture The Flag

  • Halt the system during boot in the bootloader
  • Override security parameters of the bootloader
  • Get a root password for remote login into the system
  • Identify additional serial interfaces on the device

Day 2: Embedded Protocols and Peripherals

Day 2 Focuses on common embedded protocols and common embedded peripherals. Participants will learn how to identify embedded protocols and decode embedded protocols. Additionally the software interfaces to many of these peripherals be emulated in software. Participants will also learn about memory-mapped I/O and memory mapped perihperals.

Capture The Flag

  • Use GPIO to change the LED state on boot on a device
  • Identify the serial protocols
  • Decode the serial communication
  • Find a debug shell

Day 3: Sniffing Embedded Memories

Day 3 will focus on common interfaces to memories and security perihperals. Participants will learn how to enumerate embedded peripherals of a system and extract data from any attached peripherals. Day 3 will offer participants an opportunity sniff and mitm the communications on the board. Participants will also get an opportunity to implement a malicious peripheral bypassing system secuirty.

Capture The Flag

  • Bypass a brute force counter in memory
  • Exctract the security credentials from memory
  • Sniff security credentials during use
  • Implement a malicious peripheral

Day 4: FlashROM and JTAG

Day 4 focuses on extracting firmware from the device. Participants will learn how to use the FlashROM tool to extract SPI Flash. Participants will also learn how to use OpenOCD and connect to the JTAG interface of the board. Using OpenOCD participants will learn the primary commands for debugging, single stepping and reading memory from the target.

Capture The Flag

  • Dump the contents of the flash using FlashROM
  • Analyze the flash dump
  • Extract the contents of memory with OpenOCD
  • Bypass a security check using OpenOCD

Hardware Requirements

  • Digilent Arty Z7 board. We recommend the 7020, but a 7010 will suffice. (Digilent, Digikey, Farnell)
  • Digilent RTC Pmod (Digilent, Digikey, Farnell)
  • Digilent SPI Flash Pmod (Digilent, Digikey, Farnell)
  • microSD card (at least 4GB, but not greater than 32GB)
  • microSD reader/writer that works with your PC/laptop, for example this one.
  • micro USB cable to connect your PC/laptop to the Arty Z7

All of the above is available as a cart from either Digikey:

Additionally students should get a:

  • USB Logic Analyzer compatible with Sigrok PulseView (Sparkfun, Amazon, Digikey). These are white-labeled. If yours looks similar to this one it will likely work.
  • Jumper wires M/M, M/F, F/F. For example these.

Note, due to the ongoing pandemic and shipping difficulties, you will have to order your hardware yourself.

Training by Josh Datko and Dmitry Nedospasov

Josh Datko is an embedded systems engineer, security researcher and former submarine officer. Josh is best known for his part in the NSA Playset, as well as his research into cryptocurrency wallets.

Dmitry is a hardware hacker, hardware design engineer, security researcher, speaker, and reverse-engineerer. Dmitry did his PhD in the field of IC security and PUFs.

Feedback by

David

19 November 2021

From the perspective of an embedded software engineer, The Introduction to Hardware Hacking and Reverse-Engineering is a training no embedded systems developer should miss. It offers a good introduction to the challenges of securing embedded systems. Will recommend this training to my colleagues.

Can't attend? All of our trainings are also available as a private classes for your company.

Access all of our classes and profesionally edited recordings.
All of our courses are also available as private trainings.
Courses are offered multiple times in different timezones.