One of the most common questions that I get during a training is:
“What do we need to build out an initial hardware hacking lab?”
Of course, the answer to this question can be heavily tailored based on the goals of the team and their targets, but I wanted to attempt to document what would make for a good starter lab. The following document aims to outline the basic requirements for well rounded embedded systems laboratory.
In this list, I will focus on devices that I and a few others regularly use for hardware pen testing and research. I will list a range of devices covering various budgets.
It should be noted that the following recommendations are my opinion, and none of the links below are affiliate links or anything of the sort. My goal is to help people build out their first lab, not to make money. This guide will also be maintained at the GitHub repository located here - please submit pull requests with your suggestions and favorite tools!
Throughout the development of this guide, I was lucky enough to have some really sharp people offer to help me proofread and provide recommendations for some of the gear listed in this write up, I’ve included their names/handles below:
First and foremost, you will require a place to perform your work. Depending on your needs this might be a small section on your desk, or you may want an entirely separate workbench. When it comes to choosing a workbench, you’ll quickly find that you can spend a lot of money on a high end standing desk, especially if you’re looking for a larger one. One place you might consider looking is Home Depot / Lowes, I am a big fan of their Husky standing workbench and am currently using two of them in my office.
If you’re looking for something more traditional, I have also built a handful of workbench setups using IKEA tabletops and legs, this is a very popular option for workstations.
|Husky Adjustable Height 46in-72in Workbench||$268.00-$398.00||Link|
|Ikea LAGKAPTEN Tabletop||$49.99||Link|
|Ikea ADILS Leg||$7.50||Link|
|Ikea Drawer Unit (ALEX)||$109.99||Link|
Note: The IKEA drawer units have mounting holes on top of them for attaching to IKEA tabletops which makes assembly extremely simple, and you get the added benefit of extra storage.
The last thing that you want to happen is for you to accidentally destroy a device with static electricity, In order to avoid this, it is always a good idea to get an ESD wrist strap or an ESD protective mat.
Note: Not all silicone mats that you will find on Amazon are actually anti-static, please make sure that you read the description of the mat that you are going to purchase if ESD protection is a high priority for your workspace (which it should be!)
|ESD Wrist Strap||$9.99||Link|
|ULine ESD Wrist Strap||$18||Link|
|Bertech ESD High Temp Mat||$44.30||Link|
|STATFREE UC2 Anti-Static Mat||$138.53||Link|
|ULine Assorted Mats||$80-$1000||Link|
DigiKey has a number of high quality ESD mats that you can find here.
Whether you are tearing down a new router or looking for a new target to perform fault injection, you will need to solder at some point during your hardware hacking journey. Soldering is the process of joining metal surfaces with “solder”; creating a conductive connection between the two soldered points. Soldering is useful when populating unused debug pin headers or connecting wires to points on your target circuit board that you wish to interact with.
When looking for a new iron, it is essential to keep your goals in mind:
Ideally, you want an iron with adjustable temperature and removable tips. These can be purchased relatively cheaply from Amazon and other online vendors. I recommend one with an emergency timeout in case you forget to turn off your iron after some late-night soldering.
Below is a very solid starter kit from Amazon, which makes for a good beginner iron. Before buying a more expensive iron, use this iron to learn proper care and maintenance.
Two other solid options for a beginner iron (at a slightly higher price point) are the Hakko FX888D and Weller WE1010NA. The WE1010NA is the successor to the venerable Weller WES51, which has since been discontinued.
For high-end soldering or jobs that require you to solder to smaller components, such as 0402 components, a JBC CDS station with intelligent heat management and sleep/hibernation modes can’t be beaten. This is the station that I have used for quite a while now, and it has been highly reliable and easy to maintain. With this station, you can also get tweezer tips for SMD components, making these jobs much more manageable. It also can be connected to other JBC accessories, such as a fume extractor and other JBC handles.
If you have the funds to spare, the JBC DDPE 2-Tool station is great because it lets you have multiple tools active simultaneously. This station comes with micro tweezers and a T210 precision handle, which is compatible with a wide variety of cartridges.
Hot air stations and hot plates can both be used when doing SMD rework. Hot plates work as you might expect, they require surface to surface contact in order to heat the target device, allowing for either solder paste or a traditional iron to be used to bond the solder to the contact pads. These of course have some disadvantages, if you are working with a system that has plastic connectors, housings or is a two sided PCB with components on each side you will not be able to effectively use a hotplate without risking damaging the target. Hot plates can be used in conjunction with a hot air gun in order to “preheat” your target, making component removal easier.
Introductory hot plates are relatively low cost, the Soiiw Microcomputer Soldering Preheating station is a great place to start as it has built-in temperature control and display (helpful for letting others in the lab know that the plate is on!).
If you are going for a lower-cost hot air rework station, there are plenty on Amazon. I have used the YIHUA 959D and have had no issues with it. Others have recommended the QUICK 957D Rework Station, which also has excellent reviews!
You will need a hot air station for BGA rework or other package removal. Like a standard soldering station, these can vary in price/quality. A higher-end hot air rework station will allow for precise temperature and airflow control; they will also have a wider variety of hose attachments, allowing for the removal/replacement of smaller components. When working with standard embedded systems, the JBC TESE is an excellent rework station that has multiple suction tips and hose sizes included:
Of course, if you are looking to do a lot of SMD rework and reflow on PCBs, you may want to consider the SRS System SMD Rework station.
This kit includes an arm, allowing for hands-free operation, as well as a preheater. A preheater is a device used to (as you might have guessed) pre-heat the PCB from below, allowing things to be soldered more easily.
The full table of all of the recommended kits can be seen below:
|TS-100||$54.99||Link||Low cost, portable soldering iron|
|Soiiw Microcomputer Soldering Preheating station||$67.99||Link||Low cost pre-heating set up for BGA rework|
|KSGER T12 Soldering Station||$69.99||Link||Introductory soldering iron with interchangeable tips|
|Sparkfun 8508D Hot-Air Rework Station||$99.95||Link||Low-cost hot air rework station|
|QUICK 957D Rework Station||$125.00||Link||Low-cost hot air rework station|
|JBC CDS Soldering Station||$595||Link||Mid range JBC soldering station|
|JBC DDPE 2-Tool Station||$1700||Link||JBC station that allows for multiple tools active and includes micro-tweezers and a T210 precision handle|
|JBC TESE||$2,690||Link||High end hot air rework station with multiple suction adapters|
|SRS System SMD Rework Station||$5,750||Link||Full SMD rework station, including an manueverable arm and preheater|
These kits are a great way to get comfortable soldering smaller devices and components. One thing I like to recommend is to solder, desolder, and then solder again. This will give you practice with removing parts and adding them!
|Soldering Practice Kit||$9||Link|
|Soldering Practice Kit 2||$9||Link|
|KOTTO Fume Extractor||$39.99||Link||Used to extract solder fumes, relatively portable for travel soldering|
|Desoldering Braid||$9.99||Link||Used to remove solder from a target, helpful when cleaning up QFP packages|
|Tip Tinner||$8.00||Link||Used to re-tin oxidized soldering iron tips, crucial for maintaining a working tip|
|Magnet Wire||$7.99||Link||Tiny wire, used for connecting to cut traces or small vias on PCBs|
|30 AWG Wire Wrap Wire||$11.99||Link||Small AWG wires, convenient for soldering to small pads, etc.|
|Kapton Tape||$11.98||Link||Heat resistant tape, helpful for protecting other components when doing hot air rework|
|ChipQuik SMD 291 Flux||$15.95||Link||Flux removes oxides and enhances solder flow, increasing the reliability of solder joints|
|Engineer Solder Suction Device||$18.97||Link||Used to remove solder|
Below are some YouTube videos to help you learn how to solder if you’ve never attempted it.
Hackaday has a great article here about SMD rework and reballing.
Regardless of the types of components and targets that you’re working on, you will need a multimeter. This is what you will use for your initial survey of your device for things such as measuring voltage, resistance, current and checking for continuity. When choosing a multimeter, make sure that you review the available voltage and current ranges and that they match the ranges of your expected targets. Some multimeters will also have an “auto-range” feature, which will attempt to automatically select the appropriate range for measuring voltage/current/resistance, etc. This feature can be helpful when measuring unknown voltages; it will save you a few button presses when measuring points on a target. The two multimeters listed below are the ones that I keep in my toolbox. I have also included different probes sets, allowing smaller pads/pins to be measured.
|Micsoa Multimeter Test Leads Kit||$20.99||Link|
|Fluke High Precision Probes||$94.99||Link|
If you’ve never used a multimeter before, Sparkfun has a great tutorial here that can help get you up to speed and measuring in no time!
When tearing down a target for the first time, you first want to locate and document all of the part numbers. Part numbers and PCB markings can sometimes be challenging to see with the naked eye, so having a cheap benchtop microscope or hand held loupe is never a bad idea. These will also come in handy when removing or modifying small components. Hand held loupes are great for quick identification of components.
|Handheld Jewellers Loupes||$15.00||Link||Small handheld jewellers loupes, various magnification, useful for part identification|
|Plugable USB Microscope||$37.74||Link||Small USB compatible microscope, useful for some soldering and part identification, compatible with most desktop operating systems (in my experience)|
|AMScope USB Microscope||$78.99||Link||Small USB compatible microscope, useful for some soldering and part identification|
|MisVision Trinocular Microscope||$78.99||Link||Benchtop microscope 7-45x zoom, check out the review here|
|Aven Desktop Microscope||$697.91||Link||8-25x microscope with a built-in screen, helpful for soldering to small packages and doing BGA rework|
|MANTIS Serices MCH-001 Microscope||$1,310.00||Link||High-powered microscope with interchangeable lenses, mounting arm, and lenses are sold separately|
While multimeters help us measure various signals on our target device, an oscilloscope can help us capture and visualize these measurements. When selecting a scope, you need to consider what the use case will be. Will you be doing differential power analysis or power trace captures? Or are you more interested in capturing other types of analog waveforms over a longer period? The main variables to look at when selecting an oscilloscope are:
Without enough bandwidth, you will capture what appears to be a distorted signal, and with too slow of a sample rate, you risk data loss.
Remember: According to the Nyquist sampling theorem sampling rate should be at least 2x the frequency of your target signal at a minimum!
An excellent introductory scope can be purchased for ~$500; all big manufacturers offer something in this range. For example, the SIGLENT SDS1104 is an excellent starting scope with a bandwidth of 100MHz and a sample rate of 1GSa/s. I’ve listed a few options below, ranging in price from lowest to highest, and included a few tables from some of the manufacturer’s websites as well:
|Signlent SDS1104X||$399.00||Link||Great starter scope, easy to use, SCPI compatible|
|Rigol MSO5354||$1,999||Link||High-bandwidth and sample rate, less memory than the SDS2000X series, 16 digital channels for internal logic analyzer|
|SDS2000X||$2,999||Link||High bandwidth, 2GSa/s sampling rate, large memory depth, HDMI out, SCPI compatible|
|SDS6204A||$60,000 +||Link||Extremely high capture rate and bandwidth, decoders and other features can bring the price to $100k easily|
Note: Many modern oscilloscopes can be upgraded via software. For example, many will have built-in logic analyzers and signal decoders. These will come at an extra cost; decoders are typically $100-$400, depending on the protocol, and other software upgrades can be purchased to unlock things like faster sample rates and increased bandwidth, etc. It’s easy for a 2k-4k oscilloscope purchase to turn into a 10k purchase once all the upgrades and add-ons have been included.
Below are some specifications from the RIGOL MSO5000 line:
The MSO5354 is an excellent deal for this line, especially considering the 350MHz bandwidth and the 8GSa/s sampling rate. I have this in my lab and use it regularly.
Here is a similar specification table from the SIGLENT SDS2000 line:
The Siglent and the Rigol have great options for the prices listed above. Make sure that you pick an appropriate scope per the types of targets you anticipate analyzing.
Let’s say you identified a fluctuating voltage sequence with your multimeter and decided to look at the signal with your oscilloscope. After viewing the signal with the oscilloscope, you saw sequences of high and low pulses that look something like this:
We will need a Logic Analyzer to make more sense of this signal capture. Logic analyzers are used when analyzing digital signals; they can take sequences of high and low voltages and translate them into a stream of logical 1s and 0s. This stream of 1s and 0s can then be analyzed and decoded via software to display packet structures and more user-friendly data to the user. When choosing a logic analyzer, we need to consider the following:
When analyzing standard COTS devices that utilize SPI, eMMC, etc., the Kingst and DSLogic series logic analyzers will work 90% of the time. The Saleae has a well-polished software interface, including APIs for writing decoders and instrumenting captures. The analog capture features of the Saleae are also beneficial when debugging lower-level issues. Despite being the most expensive analyzers listed here, they are worth purchasing if your budget allows it.
|LA 1010||$69.99||Link||The Kingst LA series are suitable introductory logic analyzers, they are pulseview compatible and can also use the Kingst proprietary software|
|DSLogic||$149.00||Link||DSLogic is a series of USB-based logic analyzer, with max sample rate up to 1GHz, and max sample depth up to 16G. It uses an open-source fork of Pulseview|
|Analog Discovery 2||$229.00||Link||Multi-function USB Oscilloscope, Logic analyzer, signal generator and power supply|
|Saleae Logic 16||$1500||Link||Logic analyzer with variable logic levels, analog capture capability, and highly user-friendly software|
Another common question that often comes up as we review the tools in class is
What is an oscilloscope used for, and what is a logic analyzer used for? Don’t they both measure signals?
While the short answer is yes, they both measure electronic signals and visualize them for human consumption; there are a few key differences.
Oscilloscopes are useful for analyzing analog waveforms, that is, data that is steadily changing over time
Logic analyzers are used to analyze digital signals and convert high/low voltage pulses into a sequence of 0s and 1s that we can attempt to interpret.
So, how do we choose what tool to use? For example, let’s say we are measuring a voltage source on a particular target we are trying to glitch. If we want to monitor the fluctuations of the voltage line, we should use an oscilloscope. The oscilloscope will let us observe the voltage over time, allowing us to see the small period where the voltage drops to a low value and then returns to normal. See the image below, where the purple line represents the voltage line being glitched:
We can also use oscilloscopes to characterize and capture power traces. For example, see the following power trace that was captured from the Trezor (purple line):
In the previous two examples, we measured a signal oscillating between a range of values and not just HIGH or LOW. There are fluctuations, rising and falling sequences, and other interesting patterns that we could not catch with our logic analyzer as the logic analyzer looks for either a high or low voltage and reports the results back to the user as a digital signal.
For an example of when we might use a logic analyzer, let’s revisit the oscilloscope capture from before:
Notice that there are not nearly as many strange shapes or fluctuations in this signal; the line either appears at a high or low voltage at any given time. While some oscilloscopes can decode digital signals like this, they often are limited by how much memory they can use for a capture. So that means that if you’re trying to capture UART traffic on a Linux system that takes 60 seconds to boot, you would need a large amount of memory / a costly scope. Also, if you wanted to extract the data from the stream or try to decode it using custom plugins, getting access to the digital signal is a headache (Note It is possible, but logic analyzers greatly simplify this process for us). This is a perfect use case for our logic analyzer if we want to extract the data being encoded in this digital signal.
The Logic analyzer can sample for much longer because it samples a signal, reports whether the sample is high or low, and does not report back the exact values in between. Note that what defines high or low can often be configured within your logic analyzer software, but the analyzer will still report back either a 0 or 1. Because the logic analyzer is not concerned with all the values in between, it requires significantly less memory to capture over long periods.
To illustrate this, let’s revisit the older blog post we published last year. The following video shows that the voltage levels fluctuate around 3.3V and eventually return to idle at 3.3V.
If we were to capture this signal with an oscilloscope, it would look very similar to the screenshot we referenced earlier. However, there is one problem - this system takes about 90 seconds to boot, and ideally, we want to capture all of the traffic in a way that allows us to analyze it. This is where our logic analyzer will come in handy.
After connecting our logic analyzer to the signals referenced in the blog post, our logic analyzer software (Pulseview) captures the following:
With this traffic captured, we can set up a decoder to get human-readable values out of this signal, as shown below:
Now, we can export this data to a text or binary file for further analysis.
So, in summary - when we want to capture digital signal traffic such as SPI, UART, I2C, JTAG, etc, we use a logic analyzer. If we want to analyze the shape of the waveform or we are investigating an analog signal such as a power source or audio signal, we use an oscilloscope.
Sometimes, we have to connect to specific pads or pins to analyze the signal on our target device, but that does not always require soldering and removing components. Probing test pads and reading flash chips in-circuit can significantly reduce the debugging/analysis time when performing firmware patches or testing PoCs. Below are some helpful items that I use when soldering/connecting to new targets. The PCBite kit is handy as the fine-tip probes will often save you from needing to solder to test pads when performing initial analysis.
|Premium Silicone Jumper Wires||$11.95||Link||Used to make breadboard connections, etc|
|Pomona SOIC8 Clip||$18.19||Link||Used to clip onto SOIC8 packages|
|Pomona SMD Grabber Pin||$21.79||Link||Useful for grabbing individual pins of small packages such as QFP microcontrollers, etc.|
|KOTTO Helping Hands||$23.99||Link||Useful when soldering to smaller devices|
|XKM-S EX Hook Pin Grabbers||$30.06||Link||Helpful for grabbing pins of SOIC8 chips and other packages with wide footprints|
|PCBite Kit||$190||Link||Handy magnetic probe kit with PCB holders and pogo pins|
When picking a power supply, you need to consider the power requirements of your targets. Be sure to review the voltage and current limitations and choose an appropriate supply based on the targets you will analyze. Some power supplies have options like Over-Current Protection (OCP), which is a feature that prevents a power supply from providing more current than it can handle. Some power supplies will also include a Remote Sense feature that is used to regulate the output voltage at the target load. This compensates for the voltage drop across the cables connecting the power supply to the target load.
|KC3010D||$49.99||Link||Low cost introductory power supply|
|Hyelec 30V 5A Switching DC Bench Power Supply||$56.99||Link||Adjustable power supply with output enable line|
|RD6006||$85.00||Link||Low-cost front end for power supply, can be used with an old ATX supply or other DC barrel jack power supplies|
|Siglent SPD1168X||$265.00||Link||Power supply with programmable output and voltage sensing, also SCPI interface|
|Rigol DP832||$399.00||Link||Three channel power supply (30V/3A||30V/3A, 5V/3A)|
|Keysight E36233A 400W Dual Output Supply||$3,569||Link||High wattage dual output supply, 30V/20A/400W, SCPI interface|
|BK Precision 9140 32V / 8A / 300W Triple-output Bench Power Supply||$1,940||Link||High current, high power, Ethernet/LXI interface, three outputs, compact|
Perhaps during your teardown, you discovered a set of test points or debug headers that you believe might be for hardware-level debugging, such as JTAG or SWD. If you’re trying to get hardware-level debugging working on a target, it is always a good idea to see what OEM tools are available. I’ve compiled a list below of some of the more generic tools I keep in my toolbox. Most of these are ARM-focused, as many other JTAG tooling for different architectures will often involve purchasing specific hardware/software or utilizing OpenOCD.
|FT2232H Breakout Board||$14.95||Link||Generic interface board, capable of SPI, I2C, UART, etc|
|STLink||$22.16||Link||Easy to work with, largely focused on STM32, but can be used as a generic SWD adapter with OpenOCD|
|Tigard||$49.00||Link||Open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking.|
|Black Magic Probe||$74.95||Link||Open source JTAG probe, can be used with OpenOCD|
|JLink||$529.12||Link||Extremely sound software support, supports a large amount of ARM chips, has built-in level shifting|
|Lauterbach||TBD||Link||Extremely powerful JTAG tooling that can be purchased with licenses targeting specific architectures/chipsets|
When attempting to utilize a hardware debug mechanism (especially from a black box perspective), there is no “one size fits all” tool. Whether you are accessing a JTAG tap or an SWD peripheral, there are two hurdles that you need to overcome:
The right tools for the job is critical when looking at a new hardware-level debug peripheral. Make sure that you search for OEM software/hardware and always check the latest OpenOCD commits for similar targets.
So, you have done your initial teardown and identified a non-volatile storage device from which you want to extract some data. Perhaps there is a SPI flash chip or a TSOP 48 parallel flash that you want to extract data from. Many flash readers are available; below is a list of what I have in my lab. The Xeltek is somewhat expensive (it is currently on sale for $995.00), and the individual sockets for different chip packages range from $400-$700, so the cost adds up quickly. However, with that cost comes support from Xeltek and fairly reliable tooling, assuming you are comfortable with BGA rework and re-balling ICs, this may be the right choice for you and your team.
|Transcend SD Card Reader||$10.99||Link||Good for in-circuit eMMC reads, device supports low speeds and 1-bit eMMC modes|
|CH341A USB Programmer||$13.99||Link||Generic SPI flash programmer, compatible with flashrom|
|FT2232H Breakout Board||$26.99||Link||Generic breakout board, can be used with flashrom, openocd, etc.|
|FlashCAT USB Programmer||$99.00||Link||Parallel flash extraction, TSOP48/56|
|XGecu T56||$199.00||Link||All-purpose flash extraction, SPI, eMMC, NAND, etc|
|Easy JTAG||$399.00||Link||All-purpose flash extraction, one of the few readers on the market to support UFS extraction|
|Xeltek Superpro||$995.00||Link||Enterprise flash programmer, high quality, sockets for different chips can be pretty expensive|
|Dataman 48Pro2 Super Fast Universal ISP Programmer||$1,195.00||Link||Industrial programming tool, expensive, but does consistently work on the supported ICs|
In my experience, no flash readout tool works on everything. Some tools are better at certain flash types than others. Having a few options in your hardware hacking toolbox is always a good idea if your preferred tool does not support your target device. If I had to pick two devices from the list above, I would choose the FlashCAT and the XGecu T56; you will have a wide range of target chip coverage between those two.
Having a few generic embedded interface tools in your toolkit is always a good idea. I am a big fan of using embedded Linux SBCs due to their flexibility and the fact that you have an entire OS at your disposal, which can open up opportunities to use your favorite programming language to interact with the standard peripherals. One of the most common Linux-based SBCs, the Raspberry Pi, has been difficult to acquire over the last few years. Luckily, the Armbian project supports other boards, such as the Orange Pi Zero 2 and the Orange Pi 4 LTS. You may not always require a fully featured OS, and you just need a tool that can talk to peripherals. In this case, having FT2232H-based boards, such as the generic breakouts and things like the Tigard, will also come in handy. While the FT2232H is a well known, classic interface IC, the RP2040 is quickly gaining popularity due to its ease of use and availability. The Buspirate, a classic embedded Swiss army knife, recently released a new version that the RP2040 powers (Note that the Link below is for just the PCB and not for the entire product)
|FT2232H Breakout Board||$14.95||Link||Generic interface board, capable of SPI, I2C, UART, etc|
|Arduino Nano||$24.90||Link||Generic board for learning embedded programming and protocols|
|BusPirate||$27.85 (PCB Only)||Link||Universal Open Source Hacking Tool|
|Orange Pi Zero 2||$35.99||Link||Low power general purpose Linux SBC, supported by Armbian|
|Tigard||$49.00||Link||Open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking.|
|Orange Pi 4 LTS||$77.90||Link||Linux based SBC, supported by Armbian|
Fault injection (FI) involves introducing an error/modification minor enough to cause undefined behavior on a target but not enough to stop the target from operating entirely. This typically involves injecting a high-voltage pulse or temporarily draining the voltage from a targeted power source or “rail” on the target system.
By causing momentary voltage modulations (either above or below the expected voltage), we can force our target system to enter a realm of undefined behavior. An adequately targeted fault can bypass various security checks or other features that may impede an attacker or reverse engineer.
When it comes to FI, I think that Furrtek explained it best here:
Regarding FI, anything capable of pulling a voltage line low or injecting a clock pulse can work. However, depending on your target and attack, you might need advanced timing or protocol triggering, where tools such as the ChipWhisperer become very handy. When learning the fundamentals of fault injection, you cannot go wrong with an introductory ChipWhisperer kit. Their materials and example targets explain the principles behind fault injection and provide a tested, repeatable learning environment. I can’t recommend their materials highly enough. If the ChipWhisperer tools are too expensive for your budget, however, there are other tools that folks have used in the past. I have included the tools in the table below and provided some example blog posts that utilize them to help get you started. We have also published a blog post here as an introduction to FI.
|Item||Price||Link||Projects / Blog Posts|
|RP2040||$4.00||Link||Pico Glitcher, PicoRHG - Xbox 360 Glitch, AirTag Voltage Glitching|
|ICEStick ICE40 FPGA||$49.00||Link||Grazfather’s LPC Glitch, IceStick Glitcher|
|ChipShouter PicoEMP||$60.00||Link||EMFI Made easy with PicoEMP|
|ChipWhisperer Lite||$315.00||Link||Replicant: Reproducing a FI Attack on the Trezor One|
|ChipWhisperer Husky||$549.00||Link||RL78 Glitching (done by Colin O’Flynn)|
|ChipShouter Kit||$4125.00||Link||EMFI for Automotive Safety with ChipShouter|
There are also plenty of great talks that you can find online about fault injection; I’ve listed some of my favorites below:
In the realm of security testing, these tools play a crucial role in assessing and safeguarding the integrity of wireless communication systems and devices. High-cost options provide powerful capabilities for in-depth analysis of various RF signals, allowing security professionals to identify vulnerabilities, intercept and decode wireless transmissions, and assess the robustness of communication protocols. These tools are often employed in academic and research settings for advanced RF security research. On the other hand, low-cost options are accessible solutions that aid in testing and securing more common wireless technologies, including RFID, Bluetooth, Wi-Fi, and various ISM band devices.
|HackRF One||$300 - $350||Buy HackRF One||A versatile SDR platform for analyzing and testing a wide range of radio signals.|
|Proxmark3||$250 - $300||Buy Proxmark3||A dedicated RFID/NFC testing and hacking tool, allowing reading, emulating, and modifying RFID/NFC cards.|
|LimeSDR||$250 - $350||Buy LimeSDR||A flexible SDR platform suitable for RF security research and testing.|
|USRP (Universal Software Radio Peripheral)||$1,000+||Buy USRP||High-end SDR platforms for advanced RF research and security testing in academic and research settings.|
|Signal Hound Real-time Spectrum Analyzer||$1,190+||Buy Signal Hound||High-speed spectrum analysis for advanced RF research and security testing in academic and research settings.|
|Copper Mountain Vector Network Analyzer||$10,000+||Buy Copper Mountain||Specialized instrument for measuring Antennas, RF cables, and RF systems, some instruments with additional options can measure up-to W-Band (75 - 110 GHz)|
|Item||Price (Approximate)||Link to Buy||Description|
|Flipper Zero||$150 - $200||Buy Flipper Zero||A multifunctional security testing and hacking tool with RF capabilities, including RFID and NFC testing.|
|YARD Stick One||$100 - $150||Buy YARD Stick One||A wireless transceiver for sub-1 GHz testing and attacks on ISM band devices and other low-frequency signals.|
|Ubertooth One||$100 - $150||Buy Ubertooth One||Designed for Bluetooth security testing, particularly capturing BLE packets for security assessments.|
|RTL-SDR||$20 - $30||Buy RTL-SDR||An affordable and versatile SDR dongle for exploring and analyzing a wide range of RF signals.|
|Wi-Fi Pineapple||$100 - $200||Buy Wi-Fi Pineapple||Used for Wi-Fi security assessments and creating rogue Wi-Fi access points, often used alongside RF devices.|
|PortaPack H1||$100 - $150||Buy PortaPack H1||An add-on for the HackRF One that provides a more user-friendly interface for HackRF interactions in the field.|
|TinySA Ultra||$100 - $200||Buy TinySA Ultra||An affordable spectrum analyzer and signal generator tool, can measure signals up to 12 GHz|
|NanoVNA||$300 - $789||Buy NanoVNA||Affordable specialized instrument for measuring Antennas and RF Systems, depending on which model it covers most ISM bands under 6 GHz|
|LibreVNA||$500 - $700||Buy LibreVNA||Affordable specialized instrument for measuring Antennas and RF Systems, offers full 2-port measurements, and covers ISM bands under 6 GHz|
This write-up covered some of the tools required to build your first hardware hacking toolkit. This by no means is an exhaustive list, and I’m sure there are plenty of alternatives to the devices I’ve listed here.Also, it should be noted that you don’t need all of these tools to start hacking on hardware. Sometimes it makes more sense to buy what you need for a given project and save money for nicer equipment later on. I hope this guide was helpful; I plan to revisit this writeup regularly to update it with new tools. If you think a tool should be added to this guide, feel free to email at firstname.lastname@example.org or on Twitter. A list of just the components discussed here can be found on this github repository, and all pull requests are welcome!
If you are interested in learning more about hardware-level reverse engineering, check out our training course or reach out to us for any consulting needs. If you want to get notified when a new blog post, course, or tool is released, consider signing up for the mailing list. I only send emails when there are actual posts or course updates. Lastly, you can follow me on Twitter for various updates on side projects and classes.