Hardware Hacking For Hackers
- Biohazard

- 8 hours ago
- 7 min read

Hardware Hacking
Hardware hacking involves physically interacting with electronic devices to extract data, bypass authentication, or discover vulnerabilities. Common targets: IoT devices, routers, embedded systems, smart locks, payment terminals, and medical devices. This is an article/guide on hardware hacking for hackers.
Core Skill Set
Skill | What You Need | Tools |
Soldering | Join wires to test points | Soldering iron, flux, wick |
Protocol analysis | Read serial/UART/I2C/SPI | Logic analyzer, oscilloscope |
Firmware extraction | Dump flash memory | Bus pirate, flash programmer |
Side-channel | Power analysis, timing attacks | Oscilloscope, SDR |
JTAG/SWD debugging | Access debug interfaces | JTAGulator, SEGGER J-Link |
Essential Tools (Starter Kit ~$300)
Tool | Model (Budget) | Model (Pro) | Purpose |
Multimeter | Klein MM300 | Fluke 179 | Continuity, voltage, resistance |
Logic Analyzer | Saleae Logic 8 clone ($15) | Saleae Logic Pro 16 | Decode UART/I2C/SPI |
Bus Pirate | Bus Pirate v3.6 ($35) | Bus Pirate v5 | Serial protocol hacking |
FTDI Adapter | FT232RL ($8) | FT4232H ($40) | UART/USB conversion |
Soldering Iron | TS-100 ($60) | Hakko FX-888D ($110) | Solder test points |
Flash Programmer | CH341A ($12) | TL866II Plus ($60) | Read/write SPI flash |
Hot Air Rework | Quick 861DW ($200) | Hakko FR-810 ($700) | Desolder SMD chips |
JTAGulator | JTAGulator ($75) | CJTAG | Find JTAG/SWD pins |
Oscilloscope | DSLogic clone ($100) | Rigol DS1054Z ($350) | Signal analysis |
Phase 1: Physical Reconnaissance
Visual Inspection
1. Remove casing (screws, clips, prying tools)
2. Identify ICs:
- MCU (main chip, often largest)
- Flash/EEPROM (8/16-pin SOIC)
- WiFi/Bluetooth module
- Voltage regulators
3. Look for test points:
- Square pads = pin 1 indicator
- Through-holes labeled: TX, RX, GND, VCC, SWD, JTAG, TMS, TCK
4. Check PCB markings: version numbers, test pads, debug headers
Common Test Point Labels
Label | Interface | Description |
TX / RX | UART | Serial console (gold mine) |
GND | Ground | Common reference |
3.3V / VCC | Power | Supply voltage |
SWDIO / SWCLK | SWD | ARM debug |
TMS / TCK / TDI / TDO | JTAG | CPU debug |
SCL / SDA | I2C | Low-speed peripherals |
MOSI / MISO / CS / SCK | SPI | Flash/memory access |
Phase 2: UART Serial Console (Easiest Win)
UART is the most common debug interface. If exposed, you get a root shell.
Identify UART Pins (No Label)
Method 1: Multimeter Continuity
1. Set multimeter to continuity mode (beep)
2. Find GND: probe against shield/screw → beep = ground
3. Find VCC: probe against suspected pin → 3.3V (or 1.8V)
4. Find TX: inject square wave with logic analyzer → or probe TX pin manually
5. Tactile approach with logic analyzer: connect all 4 pins → probe
Method 2: Logic Analyzer
1. Connect all 4-6 suspected pins to logic analyzer CH0-CH5
2. GND one channel to known ground
3. Power on device
4. Look for UART signals:
- TX: 3.3V idle, 0V pulses during boot
- RX: typically idle at 3.3V with no activity
- Boot messages: readable ASCII on TX
Connect to UART
bash
# Tools: FTDI adapter (3.3V!) + serial terminal
# WARNING: Many devices use 3.3V logic. 5V kills them.
# Connect:
# FTDI GND → Device GND
# FTDI RX → Device TX (cross-over!)
# FTDI TX → Device RX (cross-over!)
# Terminal:
sudo screen /dev/ttyUSB0 115200
# Common baud rates: 115200, 57600, 38400, 19200, 9600
# Auto-detect baud rate:
sudo python3 -c "
import serial
for baud in [9600, 19200, 38400, 57600, 115200, 230400]:
ser = serial.Serial('/dev/ttyUSB0', baud, timeout=1)
print(f'Trying {baud}: {ser.read(100)}')
ser.close()
"
What you'll see:
U-Boot 2023.01 (Feb 15 2024)
DRAM: 512 MiB
Flash: 32 MiB
Net: eth0
Hit any key to stop autoboot: 3 2 1 0
# BOOT into Linux → BusyBox shell #
If bootloader is interruptible: You can modify boot args, bypass secure boot, or drop to a shell.
Phase 3: SPI Flash Dumping (Firmware Extraction)
SPI flash chips hold firmware. Dump them to analyze for hardcoded creds, backdoors, or vulns.
Identify SPI Flash
Look for 8-pin SOIC chips with labels:
- Winbond (W25Q64, W25Q128)
- Macronix (MX25L...)
- Gigadevice (GD25...)
- Spansion/Microchip
- Often near the main MCU or labeled U3/U4/U5
Pinout Reference
SPI Flash Pinout (Top View, Dot for Pin 1):
┌───┐
│ 1 │ = CS (Chip Select)
│ 2 │ = MISO / DO (Data Out)
│ 3 │ = WP (Write Protect, pull high)
│ 4 │ = GND
│ 5 │ = MOSI / DI (Data In)
│ 6 │ = CLK (Clock)
│ 7 │ = HOLD (Hold, pull high)
│ 8 │ = VCC (3.3V)
└───┘
Dump with CH341A Programmer
bash
# WARNING: Clip onto chip WITH POWER OFF
# Use SOIC-8 clip (test clip, not programming clip if possible)
# Identify chip
sudo flashrom -p ch341a_spi
# Read entire flash
sudo flashrom -p ch341a_spi -r firmware_dump.bin
# Verify
sha256sum firmware_dump.bin
# Analyze
strings firmware_dump.bin | grep -iE "password|admin|key|secret|root|ssh"
binwalk -e firmware_dump.bin # Extract filesystems
Dump with Bus Pirate
bash
# Bus Pirate v3.6
# Connect:
# CS → CS (MOSI on BP)
# MISO → MISO
# MOSI → MOSI
# CLK → CLK
# GND → GND
# 3.3V → VCC
# In Bus Pirate terminal:
m 5 # SPI mode
1 # Active low CS
1000000 # 1 MHz speed
(0x03) # Read command
[0x03 0x00 0x00 0x00 0xFF] # Read 4 bytes starting at 0
# Full dump via script:
sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0 -r dump.binPhase 4: JTAG / SWD Debug Access
If the device has debug interfaces enabled, you can halt the CPU, read memory, and dump code.
Automatic Pin Discovery (JTAGulator)
bash
# Connect JTAGulator:
# VREF → Target VCC (3.3V)
# GND → Target GND
# TDI, TDO, TCK, TMS → Connect to unknown test points
# Or use auto-scan mode
# JTAGulator auto-scan:
# In terminal, enter IDCODE scan mode
# It brute-forces pin combinations
# Output tells you which pins are TDI, TDO, TCK, TMS
Manual JTAG Pin Probing
bash
# Common symptoms of JTAG/SWD:
# - 4/6 pad cluster near MCU
# - Square pad = pin 1 (TCK often)
# - Pins labeled: TMS, TCK, TDI, TDO, SWDIO, SWCLK
# - Pull-up resistors on TMS/TDI
# Verify with multimeter:
# TCK: ~50% duty cycle square wave (1-50 MHz)
# TMS/TDI: pulled high (3.3V)
# TDO: pulsed output during boot
# SWCLK: clock signal
# SWDIO: bidirectional data
OpenOCD (Flash via JTAG)
bash
# Install
sudo apt install openocd
# Config (connect.cfg):
# source [find interface/ftdi.cfg]
# transport select jtag
# set CHIPNAME esp32
# source [find target/esp32.cfg]
# Connect + read flash
openocd -f connect.cfg -c "
init;
halt;
flash read_bank 0 firmware.bin;
shutdown;
"
# Or dump memory regions
openocd -f connect.cfg -c "
init;
halt;
dump_image ram_dump.bin 0x40000000 0x100000;
shutdown;
"
ARM SWD (Most Common for Cortex-M)
bash
# SWD uses 2 pins: SWDIO + SWCLK
# Connection:
# SWDIO → SWDIO
# SWCLK → SWCLK
# GND → GND
# VCC → 3.3V (target power)
# Use Black Magic Probe or SEGGER J-Link
sudo apt install blackmagic
blackmagic -t /dev/ttyACM0 # Scan targetPhase 5: Side-Channel Attacks
Power Analysis (Correlation Power Analysis - CPA)
bash
# Equipment: Oscilloscope (1 GS/s minimum) + sense resistor
# Place 1-10Ω resistor on VCC line
# Probe across resistor with oscilloscope
# Capture power traces during crypto operations
# Correlate with hypothetical power model of AES/SHA
# Tools: ChipWhisperer ($250-$3000)
# Works best on devices without power regulation
Glitching (Voltage/Clock Fault Injection)
bash
# Glitch power rail to bypass authentication
# Equipment: ChipWhisperer Lite ($250)
# Target: Pin 1 of flash chip VCC during boot
# Momentarily drop VCC below minimum threshold (100ns)
# Result: Secure boot check fails → boots into insecure mode
# Setup:
1. Connect glitch amplifier to target VCC
2. Trigger on target UART boot message
3. Sweep glitch delay + width parameters
4. If chip resets → try different timing
5. If bypass succeeds → get debug shellPhase 6: Practical Pentest Examples
Example 1: IoT Camera Root Shell
Device: Generic WiFi Camera
Vulnerability: Exposed UART (no labels, but continuity revealed 4-pin header)
Step 1: Identify pins
- Probe continuity: 1 pin = GND (shield continuity)
- Power on: probe TX pin with logic analyzer → boot messages
- Baud auto-detect: 115200
Step 2: Connect FTDI
- FTDI GND → Camera GND
- FTDI TX → Camera RX
- FTDI RX → Camera TX
Step 3: View boot log
U-Boot → Linux → BusyBox
Login: root (no password!)
Step 4: Extract
cat /etc/shadow
cat /tmp/config.dat (WiFi credentials in plaintext)
strings /dev/mtdblock0 (firmware dump via cat)
Finding: Unauthenticated root UART shell → full device compromise
Example 2: Router SPI Flash Extraction
Device: SOHO Router
Vulnerability: Unprotected SPI flash (chip: W25Q128FV)
Step 1: Clip CH341A SOIC-8 clip onto flash chip (power off!)
Step 2: Dump:
flashrom -p ch341a_spi -r router_fw.bin
Step 3: Analyze:
binwalk -e router_fw.bin
strings _router_fw.bin.extracted/squashfs-root/etc/shadow
Result: Discovered hardcoded root:password123
Discovered default WiFi PSK in config files
Found telnetd enabled (backdoor service)Safety & Best Practices
Critical Rules
1. POWER OFF before connecting/disconnecting probes
2. Double-check voltage levels (3.3V vs 5V vs 1.8V)
3. Use ESD wrist strap for sensitive components
4. Never short VCC to GND (instant death of chip)
5. Start with cheapest feasible attack (UART before JTAG)
6. Document every connection with photos
7. Have a bricked-device budget (expect to kill something)
Anti-Tamper Countermeasures (What you'll face)
Protection | Bypass |
Potting (epoxy) | Dremel carving, chemical removal |
Locked JTAG fuses | Voltage glitching during boot |
Encrypted flash | Extract bootROM + on-die keys |
Secure boot | Glitch voltage during signature check |
UART disabled | Re-enable via resistor on TX pin |
Recommended Lab Setup
Item | Budget Pick | Cost |
Multimeter | Klein MM300 | $50 |
Logic Analyzer | Saleae 8 clone | $15 |
FTDI Adapter | FT232RL | $8 |
CH341A Programmer | CH341A kit | $12 |
SOIC-8 Clip | Pomona 5250 | $15 |
Soldering Iron | TS-101 | $80 |
Bus Pirate | v3.6 | $35 |
Oscilloscope | DSLogic clone | $100 |
Hot Air Rework | Quick 861DW | $200 |
Total | ~$515 |
Quick Reference Card
Task | Tool | Command/Connection |
Find UART pins | Logic analyzer | Probe + power cycle |
Connect to UART | FTDI + screen | screen /dev/ttyUSB0 115200 |
Dump SPI flash | CH341A + flashrom | flashrom -p ch341a_spi -r dump.bin |
Auto-find JTAG | JTAGulator | IDCODE scan mode |
OpenOCD flash | JTAG + OpenOCD | openocd -f connect.cfg |
Analyze firmware | binwalk | binwalk -e dump.bin |
Glitch auth bypass | ChipWhisperer | Sweep delay + width |




Comments