Beyond The Logic

The Art of Hardware Hacking and

Reverse Engineering

https://almaszaman.com
 Almas Zaman
Information Security Researcher
and Adjunct Assistant Professor
Objectives

Chapter 1 Chapter 2 Chapter 3

Concept and UART Firmware Dumping Persistent

Communication and Reverse backdoor, SCARA
Engineering and Others

From Basic …Towards Pro

Chapter 1
Smart devices around us!
Start HACKING with a Router

• An Embedded Device
• An RTOS
• An IoT or IoT Gateway
• A part of a SCADA System
Auditing the PCB

• ESMT M14D5121632A
• DDR3 SDRAM (64 MB)

• Winbond
25Q64CSIG
• Flash Memory (8
MB)
• MediaTek MT7628NN
• 580 MHz CPU (system-
on-chip - SoC)

• Possible UART
Interface

Front Back
Finding the UART Oscilloscopes/logic Analyzer/Multimeter

The UART (Universal Asynchronous

Receiver/Transmitter) interface
typically consists of four basic
connections

• RX: Receive data

• TX: Transmit data
• VCC: Power supply
• GND: Ground
Connecting Devices Using the UART TTL Converter

Soldering Header Pins

Connected to the computer

USB to UART TTL Converter
Communication at 115200 bps and we got the boot log
Analysis of the boot log
• U-Boot 1.1.3 (Oct 20 2017 - 20:54:23)
• Board: Ralink APSoC DRAM: 64 MB
• find flash: GD25Q64B
• Ralink UBoot Version: 4.3.0.0
• DRAM component: 512 Mbits DDR, width 16
• DRAM bus: 16 bit
• Total memory: 64 MBytes
• Flash component: SPI Flash
• Estimate memory size =64 Mbytes
• Linux version 2.6.36 (tomcat@buildserver) (gcc version 4.6.3
(Buildroot 2012.11.1) ) #1 Fri Oct 20 20:57:40 CST 2017
• The CPU feqenuce set to 580 MHz
 But…We Have a Problem!
It Is Not Responding to Keyboard Input
Lets Investigate: What is this R18 in RX ?

Missing resistor (R87) in TX

A surface-mount
resistor (R18) in
RX
It’s a 1kΩ SMD: Let’s Desolder It and Try Again!

1kΩ Resistor We desoldered it…

Boom!!! We got the shell
What's inside?

Busybox
Utilities List

Root User
Chapter 2
Interfacing and Reading the SPI with Programmer

• Winbond 25Q64CSIG
• Flash Memory (8 MB)

CH341A/CH347 Programmer
but… We chose the Hardest one

My Old Raspberry Pi Zero W

Connecting Winbond 25Q64 to Raspberry Pi GPIO

Winbond 25Q64 Raspberry Pi Pin

CS Pin 24
MISO Pin 21
WP or HOLD or
Pin 1
VCC (Wire high)
Ground (Wire low) Pin 39
WP or HOLD or
Pin 1
VCC (Wire high)
Winbond 25Q64 Pinout WP or HOLD or
Pin 1
VCC (Wire high)
SCLK Pin 23
MOSI Pin 19

Pin Connections
Raspberry Pi Zero w Pinout
Wiring With Winbond 25Q64 And Raspberry Pi GPIO
Final Setup
Spark Again!!! Dumping Firmware from Winbond
25Q64 (dump.bin)
Extract the firmware (dump.bin) with Firmware Mod Kit

Filesystem
Web UI of the Router
Encrypted XML File
Disassembling libcmm.so with a SRE tool
Found DES Algorithm

Copying the
Encryption Key 8
bytes
Decrypt with OpenSSL
Chapter 3
Creating Backdoor for MIPS Architecture (L-Backdoor)
From Open source
Make a loader (loader.sh) to execute after 30 second
Adding A Task During The Boot Process In (rcS)
Building the Malicious Firmware
Now, It’s Ready For Writing Via SPI, Or You Can
Upload It As A Device Update
SCADA or Malicious Hardware as a Supply Chain Attack

Rooppur Nuclear Power Plant

Why Hardware Hacking is
Difficult
1. Complexity of hardware design 15. Variability between hardware models
2. Specialized knowledge required 16. High entry barrier for beginners
3. Proprietary technology 17. Lack of standardized methodologies
4. Need for physical access 18. Difficulty in debugging hardware issues
5. Robust security measures 19. Incompatibility of components
6. Specialized tools and equipment 20. Time-consuming processes
7. Firmware complexity 21. Difficulty in accessing detailed schematics
8. Resource intensity 22. Interdependency of hardware and software
9. Legal and ethical issues 23. Environmental factors affecting hardware
10. Risk of irreversible damage 24. Potential health hazards (e.g., soldering
11. Evolving technologies fumes, handling chemicals)
12. Limited community and resources 25. Requirement for custom-built solutions
13. Precise technical skills needed and many more…
14. Difficulty in sourcing parts
Analyticalab.io – Working With Hardware and IoT
Any Questions

> nc –lvp 1337