Hardware Hacking on a Budget

For many people, one of the bigger hurdles to learning about hardware hacking is the cost involved in acquiring all the necessary gear to get started. In this post, I’ll list out what I believe the bare minimum tools with the best cost-to-value option I’m aware of. There are obviously going to be gaps in capabilities, but the idea here is simple to get started.

This is going to be a somewhat living post where I’ll make changes and updates as necessary. I’ll be looking to add two more sections eventually: Expanding your capabilities, and targets on the cheap.

Also, I’m not going to include a full list of consumables but think about picking up, at minimum, some jumper wires, clips, various header pins, and a chip quik removal kit.

TL:DR Must Have List

Soldering Iron: https://amzn.to/2tUx6GO
Multi-protocol Interface (FT232h): https://amzn.to/2UqyyfV
Logic Analyzer: https://amzn.to/2TlXVmC
Universal Programmer: https://amzn.to/2zaKzgv

I’m writing this post from the hotel bar while on-site for some hardware testing (Many devices work together in a way that testing on-site made more sense). I brought my entire badge hackers kit but only needed items listed to acquire the firmware from all of my target devices, some of which led to remote attacks against the devices or their infrastructure.

Soldering Iron: https://amzn.to/2tUx6GO

The linked soldering iron is the TS100 (aka Pro32). This soldering iron is not the cheapest, but it’s the best soldering iron sub $80. It’s open-source and firmware is upgradable. This iron lives in my traveling kit and I use it often clients “require” on-site testing of their hardware. It’s good enough to remove and re-solder a TSOP 48 pin flash chip hungover. No Joke.

FT232h: https://amzn.to/2UqyyfV

The FT232h is, simply put, my single most used interface. While it is primarily a UART device, it uses FTDI’s MPSSE (Multiple-Protocol Synchronous Serial Engine) which allows it to speak, you guessed it, multiple additional protocols over serial including: JTAG, SPI, and I2C. I’ve never seen this breakout crest the $25 mark and it’s easily worth double that. I even keep one in my car, cause you never know.

Logic Analyzer: https://amzn.to/2TlXVmC

This is the only item I’m listing that I haven’t personally testing. The linked board is a very cheap logic analyzer that is supported by sigrok (an open-source LA software). This blog is about cheap and this is about as cheap as it gets. That said, according to sigrok’s supported hardware page, this device is a clone of the Saleae Logic Analyzer (my personal go-to). While the Saleae is not cheap, it’s worth it. I highly suggest upgrading when it’s financially feasible for both moral and practical reasons.

Universal Programmer (TL866II+): https://amzn.to/2zaKzgv

My TL866II+ has gotten a lot of work, especially with the adapters. I often find that the easiest way into a device is simple to remove it’s firmware storage devices and dump out their contents. This may not be the absolute cheapest universal programmer out there, but it does have the benefit of being hackable to add support for additional chip variants.

Bootable Breakout

I’m currently (at the time of writing this) performing a security assessment of an ESP32-based embedded device for a client. While this assessment is not purely hardware focused, gaining access to the device’s firmware is a primary goal as reversing firmware is often an easy way to identify other vulnerabilities.

The ESP32 supports JTAG and the target device routes the JTAG pins to a client-proprietary breakout. While it’d be completely possible to solder leads onto the breakout’s pads, I was having trouble with shorting due to how close the pads were to each other. Additionally, the ESP32 is a QFN form-factor meaning that, while externally accessible, the pins on the chip are tiny and I’m nowhere near good enough to solder to them directly.

My next thought was something along the lines of “It’d be really nice if this were on a breakout board.” The problem with a breakout board is that, while I could (assuming it’s enabled) get JTAG to work, the ESP32’s peripherals wouldn’t be there including any external storage (in this case, an EEPROM).

There are solutions where I could dump the ESP32’s internal storage via JTAG and external storage via SPI, but I would potentially miss out on any interesting information in RAM as the ESP32 wouldn’t boot correctly without the EEPROM. Or I could breakout everything to breadboards and connect them all up, but that’d take some time and would be subject to smoke-letting should I make certain mistakes.

Instead I found another solution using a standard time-vs-cost trade off… Why spend a lot of time breadboarding everything when I could spend a little money on a development board and replace the necessary components.

Enter the Widora-air ESP32 development shield: https://amzn.to/2H2Ly7s (sorry, I got the last one available on Prime for the moment). This little guy had the primary things I needed in a breakout: A spot for the ESP32, a spot for the EEPROM, and all the ESP32 pins broken out. Additionally, it gave me USB to serial so I didn’t have to wire up UART to monitor what was going on.

I removed the ESP32 and EEPROM from my target device and replaced them onto the Widora-air then wired everything up to my JTAG adapter. I also cloned Espressif’s fork of OpenOCD, which had full support for the ESP32. (I also spent about 10 minutes trying to take this picture).

Widora-air + JLink

Everything worked exactly as I hoped as I was able to start carving out ROM and RAM for some vulnerability hunting.

OpenOCD output

While, I got everything working well enough, there are still missing peripherals and potentially some interesting bits of memory that I’m missing because of that. But due to this little trick, I have a head start and have confirmed JTAG is enabled. Knowing JTAG is enabled makes the prospect of some painstaking soldering to the proprietary breakout feel less daunting.

Modding MiniPro To Support Unsupported Variants

Several months ago, during a hardware device assessment, I encountered a TC58NVG2S0HBAI4 NAND EEPROM which hosted the firmware of the target device. The problem I had was that my MiniPro Universal Programmer did not support this specific variant. It did however, support several similar variants from the same vendor.

For those who may be unaware of the MiniPro, it is a cost effective universal programmer with support for 10’s of thousand of chips and variants. The latest MiniPro, the TL866II+, is available for around $50-$60 but also can come packaged with numerous adapters and sockets for around $100-$120.

The following is a quick on how to modify the MiniPro’s chip info .dll to change the necessary information to support this variant. Couple things to note first though. This method does not “add” support so much as it replaces an existing configuration meaning you’ll end up removing support for the source chip. Also, I make no guarantees that the offsets used here work for other chips, but the guess-and-check methodology should still apply. Lastly, I’ll refer to all TL866 models as MiniPro, same for the software. Where differences exist, I’ll note that then. Oh, and make backups, lots of them.

Modding the .dll

Before we get started, we need a few things. We need to find the .dll to modify and we need the datasheets for our source and target chip variants. For older TL866 models you’ll find InfoIC.dll in your MiniPro installation directory. For the newer TL866II+, you find InfoIC2plus.dll in the Xgpro installation directory. In my case, I installed both C:/. The datasheets for the chips are:

According to the first sentences of each datasheet, the primary differences were the sizes of pages and blocks. I also figured it was safe to assume that the pinouts were identical. The source chip info in MiniPro matched the datasheet.

Source Chip Info in Xgpro

Source Chip:

  • Page Size: 2048
  • Spare Size: 64
  • Pages Per Block: 64
  • Blocks: 4096

Target Chip:

  • Page Size: 4096
  • Spare Size: 256
  • Pages Per Block: 64
  • Blocks: 2048

I used IDA Pro, but any hex editor should do. Upon opening the .dll in IDA, I noted a very large data section. I opened the strings few to quickly find the section I wanted to modify.

IDA Strings View of Source Chip

Each chip’s info section appeared to be 73 bytes long and started with the chip name in ASCII. Here is the unmodified source chip:

	 x0 x1 x2 x3 x4 x5 x6 x7  x8 x9 xA xB xC xD xE xF
	 ------------------------------------------------------------------
0x00|54 43 35 38 4E 56 47 32  53 33 20 40 54 53 4F 50  TC58NVG2S3 @TSOP
0x10|34 38 00 00 00 00 00 00  00 00 00 00 00 00 00 00  48..............
0x20|00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 21  ...............!
0x30|00 00 00 00 00 00 00 00  A0 00 00 00 00 21 40 08  ........á....!@.
0x40|08 00 00 00 00 08 00 00  00 10 00 00 40 00 01 01  ............@...
0x50|98 DC 00 00 00 00 00 00  02 00 00 00 40 00 00 00  ÿ_..........@...
0x60|08 00 00 00 F8 00 00 00  13 00 00 00 00 00 00 00  ....°...........
0x70|01 00 00 00 									  ....

After some experimentation, I determined that the sizes were stored in little endian, in the following locations:

0x44-0x45: Page Size
0x48-0x49: Blocks
0x4C-0x4D: Spare Size
0x5C-0x5D: Pages per Block

If we check the locations in the chip info, we see that 0x44-0x45 equals 0x0800 or 2048. 0x48-0x49 and 0x4C-0x4D equal 0x40 or 64. And 0x5C-0x5D equal 0x1000 or 4096.

Modified each of those section to set the correct values for my target chip and successfully dumped the contents.

Reading target chip, contents not shown due to protect client

Methodology TL;DR

The methodology here is pretty straight forward. If you want to “add” support for a chip, simply look for another chip variant or at least something that would have the same pinout or physical form factor to use as your source chip.

Once you have a source chip, determine the differences by comparing datasheets.

Take your source values and convert to little endian base 16 and look for for those numbers in the source chip’s section of the MiniPro .dll. Be sure to make a backup first.

Save your edits, open mini pro, and confirm your changes are correct.

Dump contents of your target chip and profit or whatever.