This is our recommended course for people who are new to hardware and hardware security. It covers all of the basics of hardware protocols, decoding and analysis, and provides an introduction to many aspects of hardware and embedded security. Students will learn how to sniff, analyze, decode and inject common serial protocols; halt, debug, and single-step CPUs; and dump various types of memories. The hardware necessary for this course can be reused for many other introductory, intermediate and advanced level courses offered through Advanced Security Training.
Each day will feature roughly 2 hours of theory and 4-5 hours of a hands-on hardware CTF to be performed by participants.
All of the flags illustrated as part of this course are common embedded vulnerabilities that have come up on numerous occasions when testing client products during audits.
- Basic digital electronics theory and practices targeted to entry-level hardware hackers
- How to read a datasheet, schematic, and identify components on a PCB
- What is UART and how to build your own UART transmitter in embedded Linux and a microcontroller
- What is SPI and how to use embedded Linux tools like flashrom
- How to write a SPI driver from scratch to fully appreciate the protocol
- How I2C differs from UART and SPI and how to bit bang I2C to inject bits on the wire
- CPU debug protocols including JTAG and SWD
- Black box reverse engineering with a CTF-like challenge
Day 1 will begin with identifying key components on the PCB, understanding the boot process, and interfacing with the bootloader and the operating system. Participants will learn how to interface to an embedded system, communicate with the bootloader and drop into a Linux shell on the device. Day 1 will also familiarize participants with several of the most common security issues in embedded Linux systems.
- Halt the system during boot in the bootloader
- Override security parameters of the bootloader
- Get a root password for remote login into the system
- Identify additional serial interfaces on the device
Day 2 focuses on common embedded protocols and common embedded peripherals. Participants will learn how to identify and decode embedded protocols. Additionally, the software interfaces to many of these peripherals will be emulated in software. Participants will also learn about memory-mapped I/O and memory-mapped peripherals.
- Use GPIO to change the LED state on boot on a device
- Identify the serial protocols
- Decode the serial communication
- Find a debug shell
Day 3 will focus on common interfaces to memories and security peripherals. Participants will learn how to enumerate embedded peripherals of a system and extract data from any attached peripherals. Day 3 will offer participants an opportunity to sniff and MITM the communications on the board. Participants will also get an opportunity to implement a malicious peripheral bypassing system security.
- Bypass a brute force counter in memory
- Extract the security credentials from memory
- Sniff security credentials during use
- Implement a malicious peripheral
Day 4 focuses on extracting firmware from the device. Participants will learn how to use the FlashROM tool to extract SPI Flash. Participants will also learn how to use OpenOCD and connect to the JTAG interface of the board. Using OpenOCD participants will learn the primary commands for debugging, single stepping and reading memory from the target.
- Dump the contents of the flash using FlashROM
- Analyze the flash dump
- Extract the contents of memory with OpenOCD
- Bypass a security check using OpenOCD
- Digilent Arty Z7 board. We recommend the 7020, but a 7010 will suffice. (Digilent, Digikey, Farnell)
- Digilent RTC Pmod (Digilent, Digikey, Farnell)
- Digilent SPI Flash Pmod (Digilent, Digikey, Farnell)
- microSD card (at least 4GB, but not greater than 32GB)
- microSD reader/writer that works with your PC/laptop, for example this one.
- micro USB cable to connect your PC/laptop to the Arty Z7
All of the above is available as a cart from either Digikey:
Additionally students should get a:
- USB Logic Analyzer compatible with Sigrok PulseView (Sparkfun, Amazon, Digikey). These are white-labeled. If yours looks similar to this one it will likely work.
- Jumper wires M/M, M/F, F/F. For example these.
Note, due to the ongoing pandemic and shipping difficulties, you will have to order your hardware yourself.