Art of Reverse Embedded Engineering: 27C3 Chaos Communications Congress

We came across the proceedings of the 27C3 Chaos Communications Congress held at Berlin Germany; which can easily be considered at the heaven for the Hackers. Innovators Nathan Fain and Vadik presented their topic JTAG/Serial/FLASH/PCB Embedded Reverse Engineering Tools and Techniques.
http://www.youtube-nocookie.com/v/8Unisnu-cNo?fs=1&hl=en_US
Its of for-most importance to any one looking out to modify and alter the functionality of the Embedded devices. This also helps to understand what is called as the “Leaky Abstractions” which applies to security flaws seen in software and hardware alike.
The presenters here discuss about various types of techniques that can be used to find the debug interfaces such as Serial (UARTs), JTAG and also reprogramming of the Flash. They also dive into some of the intuitive techniques that are used by Hardware hackers to find out missing parts that can help enhance functionality and alter the use for Artistic purposes. And guess what we go gaga about Arduino again. Its simple and most used in all the presentation. With some minor alternations the Arduino becomes the hacker tool to reverse engineer the hardware. In specific one of the clones used is Teensy++ which is Modified for 3.3V to be used for the sniffing purpose. A great big cache of know how and lots of exciting finds have a look at the links.
To find the Presented material at the Conference here is Link:
https://events.ccc.de/congress/2010/Fahrplan/events/4011.en.html
The Detailed Wiki page containg explanation of the Hacks used is given in following Link:
http://events.ccc.de/congress/2010/wiki/Embedded_Analysis

Some of the Important Tools:
1. RS232enum is a Arduino based program that can be used to scan and find serial on 30+ pins, vias (through-holes) and pads. Load the sketch onto Arduino and then open a serial console at 115200 buad to interface to this tool.
2. JTAGenum (code, further documentation) can be used to find JTAG amongst a set of 30+ pins, vias or pads. The standard JTAG instructions (IDCODE, BYPASS) are used to scan for pins.
3. Parallel Flash Dumper used to extract the entire Hex code from a given Flash chip through CFI. The hardware is quite simple and made by breadboarding some shift registers drawn in Fritzing.
4. DePCB an PCB reverse engineering tool that is used to make a net list of the given PCB with the available images. Its presently available only for 2 layers but the team has a plan using Heat Signatures to make it for multiple layers.

Apart from this there is lots of info on the wiki page for you to ponder on and gain access to your own next embedded device. Best of luck Hacking !!

Advertisements

About boseji

Bharteya Anusandhankarta ( Indian Researcher)
This entry was posted in electronics, embedded, hacking, innovation, programming, Technology, tools, tricks, tutorial, utilities. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s