Hardware Hacking
Exploitation
When network and firmware analysis aren't enough, hardware-level access can provide root shells, memory dumps, and complete device compromise through debug interfaces.
Physical Access Required
Hardware hacking requires physical access to the target device. Opening devices may void
warranties and could damage the device. Practice on devices you own first.
Essential Equipment
Basic Kit ($50-100)
- • USB-TTL UART adapter (FTDI/CH340)
- • Multimeter
- • Precision screwdriver set
- • Jumper wires (dupont)
- • Soldering iron + accessories
- • Magnifying glass/loupe
Advanced Kit ($200-500+)
- • Logic analyzer (Saleae or clone)
- • JTAG adapter (J-Link, Bus Pirate)
- • SPI/I2C programmer (CH341A)
- • Hot air rework station
- • USB microscope
- • Oscilloscope (for glitching)
UART (Universal Asynchronous Receiver-Transmitter)
UART is the most common debug interface on IoT devices. It often provides direct console access, sometimes with root privileges.
Identifying UART Pins
UART typically has 4 pins:
┌─────────────────────────────────────┐
│ ○ VCC (3.3V or 5V - don't connect)│
│ ○ GND (Ground - always connect) │
│ ○ TX (Transmit - connect to RX) │
│ ○ RX (Receive - connect to TX) │
└─────────────────────────────────────┘
Identification methods:
1. Look for 4-pin headers (may be unpopulated)
2. Look for test pads labeled TX/RX/GND
3. Use multimeter to find GND (continuity to shield)
4. TX often shows fluctuating voltage on boot
bash
# Finding UART pins with multimeter:
# 1. Set multimeter to continuity mode
# 2. Find GND (continuous with metal shield/ground plane)
# 3. Set to DC voltage mode
# 4. Power on device, measure each pin vs GND:
# - VCC: Steady 3.3V or 5V
# - TX: Fluctuates during boot (data being sent)
# - RX: Steady high (3.3V) or floating
# Using logic analyzer to identify:
# Connect all unknown pins and watch during boot
# TX will show serial data patternsConnecting to UART
bash
# Wire connections (USB-TTL adapter to device):
# Adapter GND -> Device GND
# Adapter RX -> Device TX (cross-connect!)
# Adapter TX -> Device RX
# DO NOT connect VCC (power device separately)
# Find baud rate (common rates: 9600, 19200, 38400, 57600, 115200)
# Using baudrate.py
python baudrate.py
# Or try common rates manually with minicom/screen
# Connect with screen
screen /dev/ttyUSB0 115200
# Connect with minicom
minicom -D /dev/ttyUSB0 -b 115200
# Connect with picocom (recommended)
picocom -b 115200 /dev/ttyUSB0
# Windows: Use PuTTY
# Serial line: COM3 (check Device Manager)
# Speed: 115200UART Exploitation
bash
# Common scenarios after UART connection:
# 1. Direct root shell (best case)
# Device boots directly to:
# root@device:~#
# 2. Bootloader access (U-Boot common)
# Interrupt boot with key press, then:
U-Boot> printenv # Show environment variables
U-Boot> setenv bootargs init=/bin/sh # Boot to shell
U-Boot> boot
# 3. Login prompt
# Try default credentials:
# root:root, admin:admin, root:(blank), admin:password
# 4. Boot log only (no interaction)
# Still valuable - shows services, IPs, kernel version
# Breaking into locked bootloader
# Some bootloaders allow command injection:
U-Boot> setenv bootargs 'init=/bin/sh'
U-Boot> run bootcmdJTAG (Joint Test Action Group)
JTAG provides low-level chip access for debugging, memory access, and firmware extraction. More powerful than UART but harder to use.
JTAG Pinout
Standard JTAG pins:
┌─────────────────────────────────────┐
│ TDI - Test Data In │
│ TDO - Test Data Out │
│ TCK - Test Clock │
│ TMS - Test Mode Select │
│ TRST - Test Reset (optional) │
│ GND - Ground │
│ VCC - Reference voltage │
└─────────────────────────────────────┘
Common JTAG headers:
- 20-pin ARM standard
- 14-pin TI
- 10-pin Cortex
- Unpopulated pads (need to solder)
bash
# Finding JTAG pins
# Use JTAGulator hardware
# Or use OpenOCD with trial and error
# OpenOCD configuration example
openocd -f interface/ftdi/ft232r.cfg -f target/stm32f1x.cfg
# Common OpenOCD commands
> halt # Stop processor
> reg # Show registers
> mdw 0x08000000 # Read memory (word)
> dump_image flash.bin 0x08000000 0x100000 # Dump flash
> load_image new_fw.bin 0x08000000 # Write flash
# Using JTAGulator to find pins
# Connect all potential pins
# JTAGulator will try combinations to identify JTAG
# ARM debugging with GDB
arm-none-eabi-gdb
(gdb) target remote localhost:3333
(gdb) monitor halt
(gdb) x/100x 0x08000000 # Examine memorySPI Flash Extraction
Many IoT devices store firmware on SPI flash chips. These can be read directly to extract firmware.
Identifying SPI Flash
bash
# Common SPI flash chips:
# - Winbond W25Q series (W25Q32, W25Q64, W25Q128)
# - Macronix MX25L series
# - Spansion S25FL series
# - Look for 8-pin SOIC packages
# SPI pinout (8-pin):
# Pin 1: CS (Chip Select)
# Pin 2: DO (Data Out / MISO)
# Pin 3: WP (Write Protect)
# Pin 4: GND
# Pin 5: DI (Data In / MOSI)
# Pin 6: CLK (Clock)
# Pin 7: HOLD
# Pin 8: VCCReading SPI Flash
bash
# Method 1: In-circuit reading (chip stays on board)
# May have issues with other components interfering
# Using flashrom with CH341A programmer
flashrom -p ch341a_spi -r firmware_dump.bin
# Using Bus Pirate
flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r dump.bin
# Method 2: Chip removal (more reliable)
# Use hot air to desolder chip
# Place in SOIC8 clip or socket
flashrom -p ch341a_spi -r firmware.bin
# Verify read (read twice and compare)
flashrom -p ch341a_spi -r firmware1.bin
flashrom -p ch341a_spi -r firmware2.bin
md5sum firmware1.bin firmware2.bin
# If using Raspberry Pi
# Enable SPI: sudo raspi-config
flashrom -p linux_spi:dev=/dev/spidev0.0 -r dump.binI2C / eMMC
I2C EEPROM
bash
# I2C uses 2 wires: SDA (data) and SCL (clock)
# Common for small configuration storage
# Using Bus Pirate for I2C
# Connect SDA, SCL, GND
screen /dev/ttyUSB0 115200
# Enter I2C mode: m4
# Scan for devices: (1)
# Read EEPROM: [0xA0 0x00][0xA1 r:256]
# Using i2c-tools on Linux/Pi
i2cdetect -y 1 # Scan bus 1
i2cdump -y 1 0x50 # Dump device at 0x50
i2cget -y 1 0x50 0x00 # Read single byteeMMC Extraction
bash
# eMMC is common in newer devices (like SD card but soldered)
# Requires eMMC reader or careful soldering
# Using eMMC adapter (requires chip removal or adapter board)
# Mount as block device
lsblk
sudo dd if=/dev/sdb of=emmc_dump.img bs=4M status=progress
# Some devices have eMMC test points
# Check for CLK, CMD, DAT0 pads near chip
# Alternative: Use device's own interface
# Some devices expose eMMC via USB in special boot modes
# Check for "download mode" or "recovery mode"Voltage Glitching
Advanced technique to bypass security by causing processor faults. Can bypass secure boot, authentication, and encryption checks.
Advanced Technique
Voltage glitching can permanently damage devices. Requires oscilloscope, precise timing,
and significant practice. Start with the ChipWhisperer platform for learning.
bash
# Basic concept:
# 1. Identify target operation (e.g., signature check)
# 2. Determine timing of operation
# 3. Inject voltage glitch at precise moment
# 4. Glitch causes instruction skip or incorrect result
# Tools:
# - ChipWhisperer (hardware + software framework)
# - Custom FPGA glitchers
# - PicoEMP (electromagnetic fault injection)
# ChipWhisperer example workflow:
# 1. Connect target and capture power traces
# 2. Identify vulnerable code section
# 3. Configure glitch parameters (width, offset)
# 4. Iterate until successful bypass
# Common targets:
# - Secure boot signature verification
# - Password/PIN checks
# - Encryption key verification
# - Debug lock bitsHardware Checklist
Initial Assessment
- ☐ Open device and photograph PCB
- ☐ Identify main chips (SoC, flash, RAM)
- ☐ Look for debug headers (UART, JTAG)
- ☐ Check FCC photos for component IDs
UART
- ☐ Locate UART pins (GND, TX, RX)
- ☐ Determine baud rate
- ☐ Connect and capture boot log
- ☐ Attempt shell access or bootloader interrupt
Flash Extraction
- ☐ Identify flash chip model
- ☐ Attempt in-circuit read
- ☐ Desolder and read if needed
- ☐ Verify dump integrity