Introduction to Hardware Hacking and Reverse-Engineering

Learn the basics of Hardware, Hardware Protocols, Hardware Hacking, Embedded Security and Reverse-Engineering

Training starting at $1,800.00 with one of our subscriptions

Language: English

This course is our recommended course for people who are new to hardware and hardware security. It covers all of the basics of hardware protocols, decoding and analysis. Additionally, it provides an introduction to many aspects of hardware and embedded security. Students will learn how to sniff, analyze, decode and inject common serial protocols; halt, debug, and single-step CPUs; and dump various types of memories. The hardware necessary for this course can be reused for many other introductory, intermediate and advanced level courses offered through Advanced Security Training.

Topics Covered during this Course

  • Basic digital electronics theory and practices targeted to entry-level hardware hackers
  • How to read a datasheet, schematic, and identify components on a PCB
  • What is UART and how to build your own UART transmitter in embedded Linux and a microcontroller
  • What is SPI and how to use embedded Linux tools like flashrom
  • How to write a SPI driver from scratch to fully appreciate the protocol
  • How I2C differs from UART and SPI and how to bit bang I2C to inject bits on the wire
  • CPU debug protocols including JTAG and SWD
  • Black box reverse engineering with a CTF like challenge

Day 1 - Electronics Fundamentals

  • Introduction to electronics -- what is a PCB, IC, LED, and other fun acronyms.
  • How to blink an LED from hardware and from memory mapped IO
  • What is a logic analyzer and how does it work
Introduction
  • Introduction and welcome!
  • Overview of electronics safety for low voltage devices
  • High level overview of a FPGA SoC (no FPGA knowledge or background is required for this class!)
  • Tour of Integrated Circuits (ICs): categories of ICs, packages, and design patterns
Assignment 1: Guided Printed Circuit Board (PCB) Reverse Engineering
  • Students will identify all major components on their Digilent Arty Z7 and attempt to determine their function
  • Instructors will conduct a guided walkthrough of the schematic and relevant design files
  • Together, we’ll go over datasheets for the identified components and discuss the types of datasheets found in the electronics industry
  • How to blink an LED the easy way (with a button!)
  • But now, how to blink an LED in software?
  • Overview of memory mapped IO
  • PEEK and POKE for the modern era
  • Students will conduct research to find the addresses of the GPIO peripheral
  • Students will determine the register interface for the GPIO peripheral
  • Then, students will write a driver to toggle their LED
Logic Analyzer Theory, Operation, and Usage
  • What is a Logic Analyzer and how does it work?
  • How to use PulseView, the open source, cross platform, signal analysis software
Assignment 3: Logic Analysis of basic protocols
  • To prepare for more complicated protocols, students will implement, debug, test, and monitor a basic protocol based on GPIO
  • Students will add a Morse code encoder on top of their GPIO driver
  • Students will then send basic messages with their software
  • Using their logic analyzer, students will measure and observe their waveforms
  • Students will decode their Morse with PulseView to confirm they can work with the logic analyzer

Day 2 - Hardware Protocols Part 1, UART and SPI

  • How to serialize data over low-speed signals
  • UART: What is it and how do we send and receive these bits over the wire?
  • SPI: How to send and receive SPI data, with a focus on extracting flash chips
Sending data from one IC to another
  • Serial vs parallel buses
  • How to serialize data signal traces
  • UART: what is it and why it is here to stay
Assignment 4: Decoding UART with the logic Analyzer
  • Students will use PulseView to decode the UART signals carrying their terminal session
  • They will measure and understand the different parameters of UART such as baud rate, parity, and start and stop bits
Introduction to bit banging
  • What is bit banging and why would you use this?
  • Emphasize that bit banging is a great way to fully understand a hardware protocol
Assignment 5: Write a UART transceiver via bit bang
  • Students will write from scratch a UART transmitter using the bit bang methodology
  • They will debug their development with their logic analyzer
  • Students will use an embedded Linux serial decoder to confirm they are sending the correct bits
SPI vs SPI
  • What is the SPI protocol and where is it used?
  • What are the different kinds of “SPI Flash” chips?
  • What is NOR vs NAND flash and how does this compare to an eMMC?
  • What are some tools used to read and write these flash chips?
  • SPI drivers on microcontrollers vs microprocessors with embedded Linux
Assignment 6: SPI flash with flashrom
  • Students will investigate the different methods of using flashrom on an embedded Linux system
  • Students will use flashrom to read and write data to an external SPI flash with SPI dev
Assignment 7: Write an SPI driver via bit bang
  • Students will write from scratch a SPI transceiver using the bit bang methodology
  • They will debug their development with their logic analyzer
  • Students will compare the results of their bit bang driver to the data retrieved from embedded Linux

Day 3 - Hardware Protocols Part 2, I2C and JTAG

  • The I2C protocol -- what it’s used for, why it’s so popular, and why it’s different from the rest
  • How I2C works from an embedded Linux perspective and via bit bang
  • How to debug a CPU via JTAG or SWD
I2C Protocol
  • How does I2C differ from the other serial protocols?
  • What is an open drain bus?
  • Bus Arbitration: It’s not just for lawyers
  • How would one modify, spoof, and intercept I2C data
Assignment 8: Linux I2C tools
  • Using i2c-tools, students will read and write an EEPROM from Linux and set/read a real-time clock
  • Using their logic analyzer, students decode and monitor their I2C traffic
  • Students will determine where and how I2C is enabled via the Linux device tree
Assignment 9: I2C from scratch
  • Students will write from scratch an I2C transceiver using the bit bang methodology
  • They will debug their development with their logic analyzer
  • Students will compare the results of their bit bang driver to the data retrieved from embedded Linux
CPU Debug Protocols
  • What is JTAG?
  • What is SWD?
  • Why are these debug protocols a concern from a security perspective?
Assignment 10: Demonstration of various debug tools
  • Instructors will demonstrate various debug tools that perform both JTAG and SWD
  • Instructors will show both hobbyist and “professional” debug tools and enumerate the differences
  • Instructors discuss and demonstrate various mechanisms for disabling (and re-enabling) debug access.

Day 4 - Blackbox Reverse-Engineering of Embedded Systems

  • A CTF-like event where students are given a black box system and have to reverse engineer it using the skills acquired during the previous three days
  • Students will have to observe and decode new protocols
  • Students will have to exploit common embedded system security mistakes
  • The entire day is focused on the CTF -- at the end all flags will be revealed

Hardware Requirements

  • Digilent Arty Z7 board. We recommend the 7020, but a 7010 will suffice. (Digilent, Digikey, Farnell)
  • Digilent RTC Pmod (Digilent, Digikey, Farnell)
  • Digilent SPI Flash Pmod (Digilent, Digikey, Farnell)
  • microSD card (at least 4GB, but not greater than 32GB)
  • microSD reader/writer that works with your PC/laptop, for example this one.
  • micro USB cable to connect your PC/laptop to the Arty Z7

All of the above is available as a cart from either Digikey:

Additionally students should get a:

  • USB Logic Analyzer compatible with Sigrok PulseView (Sparkfun, Amazon, Digikey). These are white-labeled. If yours looks similar to this one it will likely work.
  • Jumper wires M/M, M/F, F/F. For example these.

Note, due to the ongoing pandemic and shipping difficulties, you will have to order your hardware yourself.

Training by Dmitry Nedospasov and Josh Datko

Dmitry is a hardware hacker, hardware design engineer, security researcher, speaker, and reverse-engineer. Dmitry did his PhD in the field of IC security and PUFs.

Josh Datko is an embedded systems engineer, security researcher and former submarine officer. Josh is best known for his part in the NSA Playset, as well as his research into cryptocurrency wallets.

Can't attend? All of our trainings are also available as private classes for your company.

Access all of our classes and professionally edited recordings.
All of our courses are also available as private trainings.
Courses are offered multiple times in different timezones.