Sometimes, defense mechanisms can be circumvented if you do things that are a little out of the ordinary. For example, read protection in microcontrollers is a fact nowadays, to the point where it is deliberately enabled and used as a primary technical measure to protect intellectual property. The bottom line is that when you connect to a microcontroller through its debugging interface and then request to read its flash memory, it will refuse. However, [Racerxdl] shows us that, in practice, this is not a perfect shield; For some chips, you just want to be a little faster than usual.
Usually, the update and debugging software will have some conversation with the microcontroller and poll the parameters before responding to any direct requests. However, if you skip politeness and get straight to the point after turning on the microcontroller, you can intimidate them enough to give you a byte of their reminiscence before they refuse to cooperate further. Since it can be any byte, it can read the entire flash, one byte at a time.
You must restart the chip before you can progress, so the hardware becomes more than just a SWD interface, and it will take a little longer than reading an unprotected chip in the same way above; Also, of course, the debugging interface will have to be active for this in the first place, which is not the case. However, it is better to pay a few thousand dollars for a factory in China to uncover your chip and read it using a complicated machine.
[Racerxdl] didn’t just write a proof of concept for this attack: they implemented it for one of our favorite chips, the RP2040. As such, you no longer want an STM32 unobtainium to empty an STM32 unobtainium.
To be clear, [Racerxdl] did not design this attack; It has existed for some time. Overall, it’s a glorious reminder that reliable security mechanisms can be thwarted by the simplest tricks. For example, if his chip erases the flash when you unlock his protection, you can only tell him not to.
Here at Hackaday, we offer glorious informative articles about other hardware hacking spaces, and we even have our own university with courses that delve into the topics one-on-one. I have had my own percentage of curtains whose theory and practical facets I have learned. Over the years I have hacked, as it is, for over 13 years. When such documents were not available on a specific topic, I would scour through a bunch of forum pages in search of the main points on an express topic, or spend hours struggling with a complexity that everyone considered obvious.
Today I would like to highlight one of the most comprehensive advances in hardware piracy I have noticed so far: from general principles to technical details, covering all degrees of complexity, uniting theory and practice. This is the Hardware Hacking Handbook, via Jasper. van Woudenberg and Colin O’Flynn. In 400 pages, you will find a total advent to the subversion of curtains as it exists. None of the nuances are taken for granted; Instead, this eBook strives to fill any gaps you may have, placing words for each applicable concept in degrees from top to bottom.
In addition to general principles and examples of hardware hacking, this eBook concentrates on the spaces of fault injection and force investigation: underrated spaces of hardware security that you would be willing to be informed of, given that either practice gives you superforces when trying to take control of the hardware. It makes sense, since those spaces are the center of [Colin] and [Jasper’s] research, and they can give you anything they wouldn’t possibly inform you about elsewhere. You’d do well with a ChipWhisperer in hand if you’re looking to repeat some of the things this ebook shows, but you don’t have to. manuals”→
You can’t always afford to sip tea comfortably while placing an appliance on a fully stocked workbench, where each and every tool is at hand. To fix this problem, [Zokol] stores a first look at a hardware hacking toolkit, the purpose of which is to make hacking sessions as productive as you can imagine, keeping length and weight within moderate limits. There’s no room list yet, but there are some smart tips for creating your own.
To set up an effective hardware hacking toolkit, you will need to conscientiously consider what types of responsibilities you want to carry out and in what order. Once a critical workflow is identified, a set of complementary machinery and hardware resources can be put in position. to meet expected needs. The purpose is to have the mechanism to advance as much as possible in a single session, and to identify any specialized equipment that will be needed later. This way, follow-up sessions can be as effective as possible.
Since hardware hacking is about examining (and in all likelihood changing the behavior) of electronic devices, [Zokol] notes that the first step is to start with external interfaces. This means that common cables and adapters will have to be components. of a hardware hacking toolkit, otherwise, the query may end very soon. The next step is to open the device. Therefore, common equipment and means are needed to handle elements such as adhesives. After that, diagnostic equipment such as multimeters come into play, and the equipment adapts more specialized as the survey progresses. It’s a very practical way to solve the challenge of what to bring. (and what not to bring) in a hardware hacking toolkit, and we can’t wait to see what the latest edition looks like.
Hardware hacking refers to hardware that cannot be opened without damaging it. The Google Stadia controller is one such piece of hardware, and [Zokol] solved the challenge of permanently disabling the microphone by figuring out precisely where to punch a hole.
Back at the 2017 Super Conference, Hackaday editor-in-chief Elliot Williams began his communication on the so-called “Internet of Things” by explaining that the only component he doesn’t like about the concept is the Internet. . . and others cosas. es one that most of us would still agree with today. On the contrary, the situation worsened in the following years. Commercial smart devices are now less expensive and more plentiful than ever, but it turns out little has been done to improve their inherent privacy and security concerns.
But his speech does not serve to denigrate the corporations that generate these gadgets or even the facilities that despite everything have folded and left their consumers with almost dead gadgets. That’s not his style. The central theme of “Nexus Technologies: or How I Learned to Love WiFi” is that a smart home can be something glorious, assuming it works the way you want it to. Elliot argues that between inexpensive modular hardware and open-source software, the average hacker has everything they want to create their own autonomous home automation ecosystem. One that is not only less expensive than what they sell at the Big Box electronics store, but also doesn’t invite any of the company’s giants to the party.
Of course, this has not always been the case. Ten years ago, this would have been almost unimaginable, and five years ago it would have been too expensive to be practical. -Public smart home, explains the advances in hardware and software that have made it not only imaginable at the DIY level, but also accessible. Home devices, would probably be more than willing to throw Big Brother on the street and do IoT on their own terms.
This never-before-seen recording slipped between the cracks in the editing room floor, yet during a recent discovery, it is still applicable today. Take a look at Elliot’s attitude at Nexus Technologies, then check in with us after the break for a deeper dive. Be sure to subscribe to the Hackaday YouTube channel to register for the Hackaday 2019 Superconference live stream starting Saturday, November 16.
Continue “Found Images: Elliot Williams on Nexus Technologies”→
The millennium: a term few used before 1999, but overnight it was everywhere. The turn of the millennium has permeated every aspect of pop culture. We were torn between anxiety, the year 2000 bug that brought the end of civilization announced by Prince, and anticipation: the next PlayStation 2 release.
[q3k] realized a very attractive challenge in capturing the Pwn2Win flag in progress, and overcame it by interpreting the steel interconnect layers that encode a password in a VLSI IC. And not the kind to supplement someone else’s list of connections. extraction code, he did it by writing his own.
The challenge in Pwn2Win CTF came in the form of design files for a hypothetical rocket release code. The traditional IC takes an ASCII string as input and raises a pin if it matches. Probably the simplest way to do this in logic is to enforce a change sign long enough for the bits in the code string, and then connect combinatorial logic that is only read as true when all the individual bits are correct.
(No, you don’t need to implement a password checker this way; that means you can brutally force the password too easily; however, such forced implementations have been noticed in the wild. )
Anyway, let’s go back to our story. After inverting the netlist, [q3k] 320 alternates a string, suggesting a 40-byte ASCII code string. Working backwards in the circuit from the “unlocked” pin to the rockers, he discovered a network of NOR and NAND gates, which were switched to a logical notation and then thrown at Z3 to solve. A few cycles later, he had pulled the password straight out of the silicon!
This sounds like a fun challenge if you like logical design or hardware as opposed to engineering. Of course, you don’t want to write your own equipment to do it, but [q3k] would say it was worth it.
[Films By Kris Hardware] has featured a pretty engaging YouTube series about piracy and ownership of a PogoPlug Mobile v4. Although this has been done many times in the past, it provides a perfect step-by-step tutorial. So far, the series is impressive, explaining in detail how to gain root access to the device through a serial connection.
PogoPlugs are remote devices with an ARM processor running at 800 MHz, which is compatible with the Linux kernel. The edition in question (PogoPlug Mobile v4) has been repurposed in the afterlife for things like an affordable PBX, an OpenWrt router, and even a replacement for Squeezebox. Even if you don’t have a PogoPlug, this can be a wonderful advent for hacking any Linux-based client device.
So far, we’re in the third component of what will be an eight-component series, so there will be more to be informed if it continues. His videos have already explained how to connect via a serial port to the device, how to send commands, configure the device, and prevent it from calling home. This will allow the budding hacker to get the PogoPlug to make their bids. Designed, however, the skills you’re being told here probably won’t be anytime soon.
Continue reading “PogoPlug Hacking: A Step-by-Step Consultant to Owning the Device” →