General Case Study
Scenario: You own a device you want to investigate and maybe modify.
Non-invasive Testing
As told in the Methodology chapter, first you should try non-invasive methods, as opening the device is risky and can break components or the whole device. Hence, start with:
Read the documentation:
Documentation of IoT devices can reveal a lot of the functionalities
For example: Is there a backup function, which writes backups to a SD-card /USB-Stick?
Try to find functionalities, which can be exploited
Try searching for default passwords, which may give access to more functionalities/data
Does the device have a webserver running?
Try to find common vulnerabilities like RCE, LFI etc.
Check with Wireshark / RF Analyzer for any communication of the device
More invasive Testing
If the attempts above are exhausted, we can start with our hardware hacking.
Opening a device comes at the risk of breaking it! Watch out for tamper protection!
To do the basic hardware hacking, you just need:
An multimeter
an UART to TTL USB adapter
jumper cables
and in some cases: a soldering station
After opening the device follow:
Get an overview of what is available of the PCB board
Checkout which chips are used
Google the datasheet of each chip you find (model should be printed on top of the chip)
It can be useful to take a picture of the PCB and label everything you can identify
We should also remove shields which prevent us from seeing the hardware:
Check for connector or test pads (can be quick wins to find a UART/JTAG etc.)
Even better if we find actual pins, where we can connect jumper cables to:
JTAG (where we need more pins) are also very interesting targets
Note: Not all PCBs have these connectors or the interfaces may be disabled.
Check the pinout for the connectors:
Put the multimeter in continuity mode (often a "diode" / "soundwave line" symbol) here on top:
This mode will check if there is a direct connection between two points on the PCB
Put one probe on the connector pad you want to test
The other one goes on the chip (datasheet will tell you what pins are used for UART/SPI/JTAG)
You need to find the GND (ground), TX (transmit) and RX (receive) pins to communicate with UART.
Another method to figure out the pinout is by looking at the voltage of the pins:
GND should be at 0V
TX pin should fluctuate between 2-3V, depending if there is output or not
RX pin can look like the GND pin, since it just waits for data to come in
Now you need to connect the pins using jumper cables to the UART-USB-TTL adapter (make sure RX -> TX and TX->RX, as they have to be reversed). This can be done by soldering the cables onto the connector pins, plug them in or use clamps.
On your PC use the following command to communicate over UART (you may have to adjust the baud rate)
If you see something like this: You done it correctly!
Congrats! You found your first serial connection! Check out the UART chapter on how to use this to dump the firmware from the device.
Resources:
Last updated