top of page

Hardware Hacking For Hackers

Hardware Hacking For Hackers | Black Hat HQ

Hardware Hacking


Hardware hacking involves physically interacting with electronic devices to extract data, bypass authentication, or discover vulnerabilities. Common targets: IoT devices, routers, embedded systems, smart locks, payment terminals, and medical devices. This is an article/guide on hardware hacking for hackers.


Core Skill Set


Skill

What You Need

Tools

Soldering

Join wires to test points

Soldering iron, flux, wick

Protocol analysis

Read serial/UART/I2C/SPI

Logic analyzer, oscilloscope

Firmware extraction

Dump flash memory

Bus pirate, flash programmer

Side-channel

Power analysis, timing attacks

Oscilloscope, SDR

JTAG/SWD debugging

Access debug interfaces

JTAGulator, SEGGER J-Link


Essential Tools (Starter Kit ~$300)


Tool

Model (Budget)

Model (Pro)

Purpose

Multimeter

Klein MM300

Fluke 179

Continuity, voltage, resistance

Logic Analyzer

Saleae Logic 8 clone ($15)

Saleae Logic Pro 16

Decode UART/I2C/SPI

Bus Pirate

Bus Pirate v3.6 ($35)

Bus Pirate v5

Serial protocol hacking

FTDI Adapter

FT232RL ($8)

FT4232H ($40)

UART/USB conversion

Soldering Iron

TS-100 ($60)

Hakko FX-888D ($110)

Solder test points

Flash Programmer

CH341A ($12)

TL866II Plus ($60)

Read/write SPI flash

Hot Air Rework

Quick 861DW ($200)

Hakko FR-810 ($700)

Desolder SMD chips

JTAGulator

JTAGulator ($75)

CJTAG

Find JTAG/SWD pins

Oscilloscope

DSLogic clone ($100)

Rigol DS1054Z ($350)

Signal analysis


Phase 1: Physical Reconnaissance


Visual Inspection


1. Remove casing (screws, clips, prying tools)
2. Identify ICs:
   - MCU (main chip, often largest)
   - Flash/EEPROM (8/16-pin SOIC)
   - WiFi/Bluetooth module
   - Voltage regulators
3. Look for test points:
   - Square pads = pin 1 indicator
   - Through-holes labeled: TX, RX, GND, VCC, SWD, JTAG, TMS, TCK
4. Check PCB markings: version numbers, test pads, debug headers

Common Test Point Labels


Label

Interface

Description

TX / RX

UART

Serial console (gold mine)

GND

Ground

Common reference

3.3V / VCC

Power

Supply voltage

SWDIO / SWCLK

SWD

ARM debug

TMS / TCK / TDI / TDO

JTAG

CPU debug

SCL / SDA

I2C

Low-speed peripherals

MOSI / MISO / CS / SCK

SPI

Flash/memory access


Phase 2: UART Serial Console (Easiest Win)


UART is the most common debug interface. If exposed, you get a root shell.


Identify UART Pins (No Label)


Method 1: Multimeter Continuity


1. Set multimeter to continuity mode (beep)
2. Find GND: probe against shield/screw → beep = ground
3. Find VCC: probe against suspected pin → 3.3V (or 1.8V)
4. Find TX: inject square wave with logic analyzer → or probe TX pin manually
5. Tactile approach with logic analyzer: connect all 4 pins → probe

Method 2: Logic Analyzer


1. Connect all 4-6 suspected pins to logic analyzer CH0-CH5
2. GND one channel to known ground
3. Power on device
4. Look for UART signals:
   - TX: 3.3V idle, 0V pulses during boot
   - RX: typically idle at 3.3V with no activity
   - Boot messages: readable ASCII on TX

Connect to UART


bash

# Tools: FTDI adapter (3.3V!) + serial terminal
# WARNING: Many devices use 3.3V logic. 5V kills them.

# Connect:
# FTDI GND → Device GND
# FTDI RX → Device TX  (cross-over!)
# FTDI TX → Device RX  (cross-over!)

# Terminal:
sudo screen /dev/ttyUSB0 115200
# Common baud rates: 115200, 57600, 38400, 19200, 9600
# Auto-detect baud rate:
sudo python3 -c "
import serial
for baud in [9600, 19200, 38400, 57600, 115200, 230400]:
    ser = serial.Serial('/dev/ttyUSB0', baud, timeout=1)
    print(f'Trying {baud}: {ser.read(100)}')
    ser.close()
"

What you'll see:


U-Boot 2023.01 (Feb 15 2024)
DRAM:  512 MiB
Flash: 32 MiB
Net:   eth0
Hit any key to stop autoboot:  3  2  1  0
# BOOT into Linux → BusyBox shell #

If bootloader is interruptible: You can modify boot args, bypass secure boot, or drop to a shell.


Phase 3: SPI Flash Dumping (Firmware Extraction)


SPI flash chips hold firmware. Dump them to analyze for hardcoded creds, backdoors, or vulns.


Identify SPI Flash


Look for 8-pin SOIC chips with labels:
- Winbond (W25Q64, W25Q128)
- Macronix (MX25L...)
- Gigadevice (GD25...)
- Spansion/Microchip
- Often near the main MCU or labeled U3/U4/U5

Pinout Reference


SPI Flash Pinout (Top View, Dot for Pin 1):
┌───┐
│ 1 │ = CS (Chip Select)
│ 2 │ = MISO / DO (Data Out)
│ 3 │ = WP (Write Protect, pull high)
│ 4 │ = GND
│ 5 │ = MOSI / DI (Data In)
│ 6 │ = CLK (Clock)
│ 7 │ = HOLD (Hold, pull high)
│ 8 │ = VCC (3.3V)
└───┘

Dump with CH341A Programmer


bash

# WARNING: Clip onto chip WITH POWER OFF
# Use SOIC-8 clip (test clip, not programming clip if possible)

# Identify chip
sudo flashrom -p ch341a_spi

# Read entire flash
sudo flashrom -p ch341a_spi -r firmware_dump.bin

# Verify
sha256sum firmware_dump.bin

# Analyze
strings firmware_dump.bin | grep -iE "password|admin|key|secret|root|ssh"
binwalk -e firmware_dump.bin  # Extract filesystems

Dump with Bus Pirate


bash

# Bus Pirate v3.6
# Connect:
# CS → CS (MOSI on BP)
# MISO → MISO
# MOSI → MOSI
# CLK → CLK
# GND → GND
# 3.3V → VCC

# In Bus Pirate terminal:
m 5  # SPI mode
1    # Active low CS
1000000  # 1 MHz speed
(0x03)  # Read command
[0x03 0x00 0x00 0x00 0xFF]  # Read 4 bytes starting at 0
# Full dump via script:
sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r dump.bin

Phase 4: JTAG / SWD Debug Access


If the device has debug interfaces enabled, you can halt the CPU, read memory, and dump code.


Automatic Pin Discovery (JTAGulator)


bash

# Connect JTAGulator:
# VREF → Target VCC (3.3V)
# GND → Target GND
# TDI, TDO, TCK, TMS → Connect to unknown test points
# Or use auto-scan mode

# JTAGulator auto-scan:
# In terminal, enter IDCODE scan mode
# It brute-forces pin combinations
# Output tells you which pins are TDI, TDO, TCK, TMS

Manual JTAG Pin Probing


bash

# Common symptoms of JTAG/SWD:
# - 4/6 pad cluster near MCU
# - Square pad = pin 1 (TCK often)
# - Pins labeled: TMS, TCK, TDI, TDO, SWDIO, SWCLK
# - Pull-up resistors on TMS/TDI

# Verify with multimeter:
# TCK: ~50% duty cycle square wave (1-50 MHz)
# TMS/TDI: pulled high (3.3V)
# TDO: pulsed output during boot
# SWCLK: clock signal
# SWDIO: bidirectional data

OpenOCD (Flash via JTAG)


bash

# Install
sudo apt install openocd

# Config (connect.cfg):
# source [find interface/ftdi.cfg]
# transport select jtag
# set CHIPNAME esp32
# source [find target/esp32.cfg]

# Connect + read flash
openocd -f connect.cfg -c "
    init;
    halt;
    flash read_bank 0 firmware.bin;
    shutdown;
"

# Or dump memory regions
openocd -f connect.cfg -c "
    init;
    halt;
    dump_image ram_dump.bin 0x40000000 0x100000;
    shutdown;
"

ARM SWD (Most Common for Cortex-M)


bash

# SWD uses 2 pins: SWDIO + SWCLK
# Connection:
# SWDIO → SWDIO
# SWCLK → SWCLK
# GND  → GND
# VCC  → 3.3V (target power)

# Use Black Magic Probe or SEGGER J-Link
sudo apt install blackmagic
blackmagic -t /dev/ttyACM0  # Scan target

Phase 5: Side-Channel Attacks


Power Analysis (Correlation Power Analysis - CPA)


bash

# Equipment: Oscilloscope (1 GS/s minimum) + sense resistor
# Place 1-10Ω resistor on VCC line
# Probe across resistor with oscilloscope
# Capture power traces during crypto operations
# Correlate with hypothetical power model of AES/SHA

# Tools: ChipWhisperer ($250-$3000)
# Works best on devices without power regulation

Glitching (Voltage/Clock Fault Injection)


bash

# Glitch power rail to bypass authentication
# Equipment: ChipWhisperer Lite ($250)
# Target: Pin 1 of flash chip VCC during boot
# Momentarily drop VCC below minimum threshold (100ns)
# Result: Secure boot check fails → boots into insecure mode

# Setup:
1. Connect glitch amplifier to target VCC
2. Trigger on target UART boot message
3. Sweep glitch delay + width parameters
4. If chip resets → try different timing
5. If bypass succeeds → get debug shell

Phase 6: Practical Pentest Examples


Example 1: IoT Camera Root Shell


Device: Generic WiFi Camera
Vulnerability: Exposed UART (no labels, but continuity revealed 4-pin header)

Step 1: Identify pins
- Probe continuity: 1 pin = GND (shield continuity)
- Power on: probe TX pin with logic analyzer → boot messages
- Baud auto-detect: 115200

Step 2: Connect FTDI
- FTDI GND → Camera GND
- FTDI TX → Camera RX
- FTDI RX → Camera TX

Step 3: View boot log
U-Boot → Linux → BusyBox
Login: root (no password!)

Step 4: Extract
cat /etc/shadow
cat /tmp/config.dat  (WiFi credentials in plaintext)
strings /dev/mtdblock0  (firmware dump via cat)

Finding: Unauthenticated root UART shell → full device compromise

Example 2: Router SPI Flash Extraction


Device: SOHO Router
Vulnerability: Unprotected SPI flash (chip: W25Q128FV)

Step 1: Clip CH341A SOIC-8 clip onto flash chip (power off!)
Step 2: Dump:
flashrom -p ch341a_spi -r router_fw.bin
Step 3: Analyze:
binwalk -e router_fw.bin
strings _router_fw.bin.extracted/squashfs-root/etc/shadow

Result: Discovered hardcoded root:password123
         Discovered default WiFi PSK in config files
         Found telnetd enabled (backdoor service)

Safety & Best Practices


Critical Rules


1. POWER OFF before connecting/disconnecting probes
2. Double-check voltage levels (3.3V vs 5V vs 1.8V)
3. Use ESD wrist strap for sensitive components
4. Never short VCC to GND (instant death of chip)
5. Start with cheapest feasible attack (UART before JTAG)
6. Document every connection with photos
7. Have a bricked-device budget (expect to kill something)

Anti-Tamper Countermeasures (What you'll face)


Protection

Bypass

Potting (epoxy)

Dremel carving, chemical removal

Locked JTAG fuses

Voltage glitching during boot

Encrypted flash

Extract bootROM + on-die keys

Secure boot

Glitch voltage during signature check

UART disabled

Re-enable via resistor on TX pin


Recommended Lab Setup


Item

Budget Pick

Cost

Multimeter

Klein MM300

$50

Logic Analyzer

Saleae 8 clone

$15

FTDI Adapter

FT232RL

$8

CH341A Programmer

CH341A kit

$12

SOIC-8 Clip

Pomona 5250

$15

Soldering Iron

TS-101

$80

Bus Pirate

v3.6

$35

Oscilloscope

DSLogic clone

$100

Hot Air Rework

Quick 861DW

$200

Total


~$515


Quick Reference Card


Task

Tool

Command/Connection

Find UART pins

Logic analyzer

Probe + power cycle

Connect to UART

FTDI + screen

screen /dev/ttyUSB0 115200

Dump SPI flash

CH341A + flashrom

flashrom -p ch341a_spi -r dump.bin

Auto-find JTAG

JTAGulator

IDCODE scan mode

OpenOCD flash

JTAG + OpenOCD

openocd -f connect.cfg

Analyze firmware

binwalk

binwalk -e dump.bin

Glitch auth bypass

ChipWhisperer

Sweep delay + width


Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page