Hardware Hacking and Reverse-Engineering

  • Learn the basics of Hardware, Hardware Protocols and Hardware Hacking.
  • Learn the basics of Embedded Security and Reverse-Engineering.
  • This training is ideally suited as a starting point for people who lack experience in hardware security. It covers all the basics related to security, hardware, firmware and embedded systems, as well as embedded operating systems.

Topics Covered during this Course

  • Basic digital electronics theory and practices targeted to entry-level hardware hackers
  • How to read a datasheet, schematic, and identify components on a PCB
  • What UART is, and how to build your own UART transmitter on embedded Linux and on a microcontroller
  • What SPI is, and how to use embedded Linux tools such as flashrom
  • How to write a SPI driver from scratch in order to fully appreciate the protocol
  • How I2C differs from UART and SPI, and how to bit-bang I2C to inject bits on the wire
  • CPU debug protocols including JTAG and SWD
  • Black box reverse engineering with a CTF like challenge

Hardware Requirements

  • Please purchase either the Digilent Pynq-Z1 board, the Digilent Pynq-Z1 with accessory kit or the Digilent Arty Z7-20 board
  • Digilent RTC Pmod
  • Digilent SPI Flash Pmod
  • microSD card (at least 4GB, but not greater than 32GB)
  • microSD reader/writer that works with your PC/laptop
  • micro USB cable to connect your PC/laptop to the Arty Z7
  • USB logic analyzer compatible with Sigrok PulseView (available from Sparkfun, Amazon or Digikey). These are white-labeled devices, so similar-looking units from other vendors will likely work.

Period: 4 Days

Each day will feature roughly 2 hours of theory and 4-5 hours of a hands-on hardware CTF to be performed by participants.

Day 1: Hardware Reverse-Engineering, Boot Loaders, Embedded Linux and UART

Day 1 will begin with identifying key components on the PCB, understanding the boot process, and interfacing with the bootloader and the operating system. Participants will learn how to interface with an embedded system, communicate with the bootloader and drop into a Linux shell on the device. Day 1 will also familiarize participants with several of the most common security issues in embedded Linux systems.

Capture The Flag

  • Halt the system during boot in the bootloader
  • Override security parameters of the bootloader
  • Get a root password for remote login into the system
  • Identify additional serial interfaces on the device

Day 2: Embedded Protocols and Peripherals

Day 2 focuses on common embedded protocols and common embedded peripherals. Participants will learn how to identify and decode embedded protocols. Additionally, the software interfaces to many of these peripherals will be emulated in software. Participants will also learn about memory-mapped I/O and memory-mapped peripherals.

Capture The Flag

  • Use GPIO to change the LED state on boot on a device
  • Identify the serial protocols
  • Decode the serial communication
  • Find a debug shell

Day 3: Sniffing Embedded Memories

Day 3 will focus on common interfaces to memories and security peripherals. Participants will learn how to enumerate the embedded peripherals of a system and extract data from any attached peripherals. Day 3 will offer participants an opportunity to sniff and man-in-the-middle the communications on the board. Participants will also get an opportunity to implement a malicious peripheral that bypasses system security.

Capture The Flag

  • Bypass a brute force counter in memory
  • Extract the security credentials from memory
  • Sniff security credentials during use
  • Implement a malicious peripheral

Day 4: FlashROM and JTAG

Day 4 focuses on extracting firmware from the device. Participants will learn how to use the flashrom tool to extract the contents of SPI flash. Participants will also learn how to use OpenOCD to connect to the JTAG interface of the board. Using OpenOCD, participants will learn the primary commands for debugging, single-stepping and reading memory from the target.

Capture The Flag

  • Dump the contents of the flash using flashrom
  • Analyze the flash dump
  • Extract the contents of memory with OpenOCD
  • Bypass a security check using OpenOCD