VoidStar Security Wiki
Contents:
  1. VSS: Beginners Guide to Building a Hardware Hacking Lab
  2. Introduction
    1. Contributors
  3. Workbench
    1. ESD Protections
  4. Soldering
    1. Soldering Irons
      1. Low Cost
      2. High Cost
    2. Hot Air Stations / Hot Plates
      1. Low Cost
      2. High Cost
    3. Soldering: Practice Kits
    4. Soldering Accessories
    5. Bonus: Learning to Solder
  5. Multimeters
  6. Microscopes/Magnification
  7. Oscilloscopes
    1. Example Specifications: Rigol
    2. Example Specifications: Siglent
  8. Logic Analyzers
  9. Oscilloscope Vs. Logic Analyzers
  10. Clips / Jumpers / Probes
  11. Power Supplies
  12. JTAG / Debug Adapters
  13. Flash Readers
  14. SBCs / Interface Tools
  15. Fault Injection
  16. Radio Frequency Tooling and Instrumentation
    1. High-Cost Options
    2. Low-Cost Options
  17. Other Helpful Tools
  18. Conclusion

VSS: Beginners Guide to Building a Hardware Hacking Lab

Introduction

One of the most common questions that I get during a training is:

“What do we need to build out an initial hardware hacking lab?”

Of course, the answer to this question can be heavily tailored based on the goals of the team and their targets, but I wanted to attempt to document what would make for a good starter lab. The following document aims to outline the basic requirements for a well-rounded embedded systems laboratory.

In this list, I will focus on devices that I and a few others regularly use for hardware pen testing and research. I will list a range of devices covering various budgets.

It should be noted that the following recommendations are my opinion, and none of the links below are affiliate links or anything of the sort. My goal is to help people build out their first lab, not to make money. This guide will also be maintained at the GitHub repository located here - please submit pull requests with your suggestions and favorite tools!

Contributors

Throughout the development of this guide, I was lucky enough to have some really sharp people offer to help me proofread and provide recommendations for some of the gear listed in this write-up. I’ve included their names/handles below:

Workbench

First and foremost, you will require a place to perform your work. Depending on your needs, this might be a small section of your desk, or you may want an entirely separate workbench. When it comes to choosing a workbench, you’ll quickly find that you can spend a lot of money on a high-end standing desk, especially if you’re looking for a larger one. One place you might consider looking is Home Depot / Lowes. I am a big fan of their Husky standing workbench and am currently using two of them in my office.

If you’re looking for something more traditional, I have also built a handful of workbench setups using IKEA tabletops and legs. This is a very popular option for workstations.

| Item | Price | Link |
|---|---|---|
| Husky Adjustable Height 46in-72in Workbench | $268.00-$398.00 | Link |
| Ikea LAGKAPTEN Tabletop | $49.99 | Link |
| Ikea ADILS Leg | $7.50 | Link |
| Ikea Drawer Unit (ALEX) | $109.99 | Link |

Note: The IKEA drawer units have mounting holes on top of them for attaching to IKEA tabletops which makes assembly extremely simple, and you get the added benefit of extra storage.

ESD Protections

The last thing that you want is to accidentally destroy a device with static electricity. To avoid this, it is always a good idea to get an ESD wrist strap or an ESD protective mat.

Note: Not all silicone mats that you will find on Amazon are actually anti-static. Please make sure that you read the description of the mat that you are going to purchase if ESD protection is a high priority for your workspace (which it should be!)

| Item | Price | Link |
|---|---|---|
| ESD Wrist Strap | $9.99 | Link |
| ULine ESD Wrist Strap | $18 | Link |
| Bertech ESD High Temp Mat | $44.30 | Link |
| STATFREE UC2 Anti-Static Mat | $138.53 | Link |
| ULine Assorted Mats | $80-$1000 | Link |

DigiKey has a number of high quality ESD mats that you can find here.

Soldering

Whether you are tearing down a new router or looking for a new target to perform fault injection, you will need to solder at some point during your hardware hacking journey. Soldering is the process of joining metal surfaces with “solder”, creating a conductive connection between the two soldered points. Soldering is useful when populating unused debug pin headers or connecting wires to points on your target circuit board that you wish to interact with.

Soldering Irons

When looking for a new iron, it is essential to keep your goals in mind:

  • Are you mainly focusing on smaller surface mount device (SMD) rework projects?
  • Will you be working with larger/older components that may need a lot of heat to remove?

Ideally, you want an iron with adjustable temperature and removable tips. These can be purchased relatively cheaply from Amazon and other online vendors. I recommend one with an emergency timeout in case you forget to turn off your iron after some late-night soldering.

Low Cost

Below is a very solid starter kit from Amazon, which makes for a good beginner iron. Before buying a more expensive iron, use this iron to learn proper care and maintenance.

Two other solid options for a beginner iron (at a slightly higher price point) are the Hakko FX888D and Weller WE1010NA. The WE1010NA is the successor to the venerable Weller WES51, which has since been discontinued.

For a portable option, the TS-100 or TS-101 is an excellent choice. These are great for travel, have interchangeable tips and are relatively low cost.

High Cost

For high-end soldering or jobs that require you to solder to smaller components, such as 0402 components, a JBC CDS station with intelligent heat management and sleep/hibernation modes can’t be beaten. This is the station that I have used for quite a while now, and it has been highly reliable and easy to maintain. With this station, you can also get tweezer tips for SMD components, making these jobs much more manageable. It also can be connected to other JBC accessories, such as a fume extractor and other JBC handles.

If you have the funds to spare, the JBC DDPE 2-Tool station is great because it lets you have multiple tools active simultaneously. This station comes with micro tweezers and a T210 precision handle, which is compatible with a wide variety of cartridges.

Hot Air Stations / Hot Plates

Hot air stations and hot plates can both be used when doing SMD rework. Hot plates work as you might expect: they require surface-to-surface contact in order to heat the target device, allowing for either solder paste or a traditional iron to be used to bond the solder to the contact pads. These of course have some disadvantages. If you are working with a system that has plastic connectors or housings, or a two-sided PCB with components on each side, you will not be able to effectively use a hot plate without risking damage to the target. Hot plates can be used in conjunction with a hot air gun in order to “preheat” your target, making component removal easier.

Low Cost

Introductory hot plates are relatively low cost. The Soiiw Microcomputer Soldering Preheating station is a great place to start, as it has built-in temperature control and a display (helpful for letting others in the lab know that the plate is on!).

If you are going for a lower-cost hot air rework station, there are plenty on Amazon. I have used the YIHUA 959D and have had no issues with it. Others have recommended the QUICK 957D Rework Station, which also has excellent reviews!

High Cost

You will need a hot air station for BGA rework or other package removal. Like a standard soldering station, these can vary in price/quality. A higher-end hot air rework station will allow for precise temperature and airflow control; they will also have a wider variety of hose attachments, allowing for the removal/replacement of smaller components. When working with standard embedded systems, the JBC TESE is an excellent rework station that has multiple suction tips and hose sizes included:

Of course, if you are looking to do a lot of SMD rework and reflow on PCBs, you may want to consider the SRS System SMD Rework station.

This kit includes an arm, allowing for hands-free operation, as well as a preheater. A preheater is a device used to (as you might have guessed) pre-heat the PCB from below, allowing things to be soldered more easily.

The full table of all of the recommended kits can be seen below:

| Item | Price | Link | Description |
|---|---|---|---|
| TS-100 | $54.99 | Link | Low cost, portable soldering iron |
| Soiiw Microcomputer Soldering Preheating station | $67.99 | Link | Low cost pre-heating set up for BGA rework |
| KSGER T12 Soldering Station | $69.99 | Link | Introductory soldering iron with interchangeable tips |
| Sparkfun 8508D Hot-Air Rework Station | $99.95 | Link | Low-cost hot air rework station |
| QUICK 957D Rework Station | $125.00 | Link | Low-cost hot air rework station |
| JBC CDS Soldering Station | $595 | Link | Mid range JBC soldering station |
| JBC DDPE 2-Tool Station | $1700 | Link | JBC station that allows for multiple tools active and includes micro-tweezers and a T210 precision handle |
| JBC TESE | $2,690 | Link | High end hot air rework station with multiple suction adapters |
| SRS System SMD Rework Station | $5,750 | Link | Full SMD rework station, including a maneuverable arm and preheater |

Soldering: Practice Kits

These kits are a great way to get comfortable soldering smaller devices and components. One thing I like to recommend is to solder, desolder, and then solder again. This will give you practice with removing parts and adding them!

| Item | Price | Link |
|---|---|---|
| Soldering Practice Kit | $9 | Link |
| Soldering Practice Kit 2 | $9 | Link |

Soldering Accessories

| Item | Price | Link | Description |
|---|---|---|---|
| KOTTO Fume Extractor | $39.99 | Link | Used to extract solder fumes, relatively portable for travel soldering |
| Desoldering Braid | $9.99 | Link | Used to remove solder from a target, helpful when cleaning up QFP packages |
| Tip Tinner | $8.00 | Link | Used to re-tin oxidized soldering iron tips, crucial for maintaining a working tip |
| Magnet Wire | $7.99 | Link | Tiny wire, used for connecting to cut traces or small vias on PCBs |
| 30 AWG Wire Wrap Wire | $11.99 | Link | Small AWG wires, convenient for soldering to small pads, etc. |
| Kapton Tape | $11.98 | Link | Heat resistant tape, helpful for protecting other components when doing hot air rework |
| ChipQuik SMD 291 Flux | $15.95 | Link | Flux removes oxides and enhances solder flow, increasing the reliability of solder joints |
| Engineer Solder Suction Device | $18.97 | Link | Used to remove solder |

Bonus: Learning to Solder

Below are some YouTube videos to help you learn how to solder if you’ve never attempted it.

Hackaday has a great article here about SMD rework and reballing.

Multimeters

Regardless of the types of components and targets that you’re working on, you will need a multimeter. This is what you will use for your initial survey of your device for things such as measuring voltage, resistance, and current, and checking for continuity. When choosing a multimeter, make sure that you review the available voltage and current ranges and that they match the ranges of your expected targets. Some multimeters will also have an “auto-range” feature, which will attempt to automatically select the appropriate range for measuring voltage/current/resistance, etc. This feature can be helpful when measuring unknown voltages; it will save you a few button presses when measuring points on a target. The two multimeters listed below are the ones that I keep in my toolbox. I have also included different probe sets, allowing smaller pads/pins to be measured.

| Item | Price | Link |
|---|---|---|
| Micsoa Multimeter Test Leads Kit | $20.99 | Link |
| Crenova MS8233D | $29.99 | Link |
| Fluke High Precision Probes | $94.99 | Link |
| Fluke 115 | $220 | Link |

If you’ve never used a multimeter before, Sparkfun has a great tutorial here that can help get you up to speed and measuring in no time!

Microscopes/Magnification

When tearing down a target for the first time, you first want to locate and document all of the part numbers. Part numbers and PCB markings can sometimes be challenging to see with the naked eye, so having a cheap benchtop microscope or handheld loupe is never a bad idea. These will also come in handy when removing or modifying small components. Handheld loupes are great for quick identification of components.

| Item | Price | Link | Description |
|---|---|---|---|
| Handheld Jewellers Loupes | $15.00 | Link | Small handheld jewellers loupes, various magnification, useful for part identification |
| Plugable USB Microscope | $37.74 | Link | Small USB compatible microscope, useful for some soldering and part identification, compatible with most desktop operating systems (in my experience) |
| AMScope USB Microscope | $78.99 | Link | Small USB compatible microscope, useful for some soldering and part identification |
| MisVision Trinocular Microscope | $251.92 | Link | Benchtop microscope 7-45x zoom, check out the review here |
| Aven Desktop Microscope | $697.91 | Link | 8-25x microscope with a built-in screen, helpful for soldering to small packages and doing BGA rework |
| MANTIS Series MCH-001 Microscope | $1,310.00 | Link | High-powered microscope with interchangeable lenses; mounting arm and lenses are sold separately |

Oscilloscopes

While multimeters help us measure various signals on our target device, an oscilloscope can help us capture and visualize these measurements. When selecting a scope, you need to consider what the use case will be. Will you be doing differential power analysis or power trace captures? Or are you more interested in capturing other types of analog waveforms over a longer period? The main variables to look at when selecting an oscilloscope are:

  • Channel Count - How many channels you can capture on
  • Memory Depth - How long you can capture for
  • Sample Rate - How fast the analog signal is sampled
  • Bandwidth - Maximum frequency of an input signal that can be passed through the analog front end (probe)

Without enough bandwidth, you will capture what appears to be a distorted signal, and with too slow of a sample rate, you risk data loss.

Remember: According to the Nyquist sampling theorem, your sampling rate should be at least 2x the frequency of your target signal!

An excellent introductory scope can be purchased for ~$500; all big manufacturers offer something in this range. For example, the SIGLENT SDS1104 is an excellent starting scope with a bandwidth of 100MHz and a sample rate of 1GSa/s. I’ve listed a few options below, ranging in price from lowest to highest, and included a few tables from some of the manufacturers’ websites as well:

| Item | Price | Link | Description |
|---|---|---|---|
| Siglent SDS1104X | $399.00 | Link | Great starter scope, easy to use, SCPI compatible |
| Rigol MSO5354 | $1,999 | Link | High-bandwidth and sample rate, less memory than the SDS2000X series, 16 digital channels for internal logic analyzer |
| SDS2000X | $2,999 | Link | High bandwidth, 2GSa/s sampling rate, large memory depth, HDMI out, SCPI compatible |
| SDS6204A | $60,000 + | Link | Extremely high capture rate and bandwidth, decoders and other features can bring the price to $100k easily |

Note: Many modern oscilloscopes can be upgraded via software. For example, many will have built-in logic analyzers and signal decoders. These will come at an extra cost; decoders are typically $100-$400, depending on the protocol, and other software upgrades can be purchased to unlock things like faster sample rates and increased bandwidth, etc. It’s easy for a 2k-4k oscilloscope purchase to turn into a 10k purchase once all the upgrades and add-ons have been included.

Example Specifications: Rigol

Below are some specifications from the RIGOL MSO5000 line:

Image

The MSO5354 is an excellent deal for this line, especially considering the 350MHz bandwidth and the 8GSa/s sampling rate. I have this in my lab and use it regularly.

Example Specifications: Siglent

Here is a similar specification table from the SIGLENT SDS2000 line:

Image

The Siglent and the Rigol have great options for the prices listed above. Make sure that you pick an appropriate scope per the types of targets you anticipate analyzing.

Logic Analyzers

Let’s say you identified a fluctuating voltage sequence with your multimeter and decided to look at the signal with your oscilloscope. After viewing the signal with the oscilloscope, you saw sequences of high and low pulses that look something like this:

Image

We will need a Logic Analyzer to make more sense of this signal capture. Logic analyzers are used when analyzing digital signals; they can take sequences of high and low voltages and translate them into a stream of logical 1s and 0s. This stream of 1s and 0s can then be analyzed and decoded via software to display packet structures and more user-friendly data to the user. When choosing a logic analyzer, we need to consider the following:

  • Channel Count - How many channels can be analyzed at once?
  • Sampling Rate - How quickly can we sample data?
  • Hardware Sampling Depth / Memory Depth - How long can we sample?
  • Threshold Voltages - What voltage ranges are compatible with this device?

When analyzing standard COTS devices that utilize SPI, eMMC, etc., the Kingst and DSLogic series logic analyzers will work 90% of the time. The Saleae has a well-polished software interface, including APIs for writing decoders and instrumenting captures. The analog capture features of the Saleae are also beneficial when debugging lower-level issues. Despite being the most expensive analyzers listed here, they are worth purchasing if your budget allows it.

| Item | Price | Link | Description |
|---|---|---|---|
| LA 1010 | $69.99 | Link | The Kingst LA series are suitable introductory logic analyzers; they are PulseView compatible and can also use the Kingst proprietary software |
| DSLogic | $149.00 | Link | DSLogic is a series of USB-based logic analyzers, with max sample rate up to 1GHz, and max sample depth up to 16G. It uses an open-source fork of PulseView |
| Analog Discovery 2 | $229.00 | Link | Multi-function USB oscilloscope, logic analyzer, signal generator and power supply |
| Saleae Logic 16 | $1500 | Link | Logic analyzer with variable logic levels, analog capture capability, and highly user-friendly software |

Oscilloscope Vs. Logic Analyzers

Another common question that often comes up as we review the tools in class is:

“What is an oscilloscope used for, and what is a logic analyzer used for? Don’t they both measure signals?”

While the short answer is yes, they both measure electronic signals and visualize them for human consumption, there are a few key differences.

  1. Oscilloscopes are useful for analyzing analog waveforms, that is, data that is steadily changing over time.

  2. Logic analyzers are used to analyze digital signals and convert high/low voltage pulses into a sequence of 0s and 1s that we can attempt to interpret.

So, how do we choose what tool to use? For example, let’s say we are measuring a voltage source on a particular target we are trying to glitch. If we want to monitor the fluctuations of the voltage line, we should use an oscilloscope. The oscilloscope will let us observe the voltage over time, allowing us to see the small period where the voltage drops to a low value and then returns to normal. See the image below, where the purple line represents the voltage line being glitched:

Glitch!

We can also use oscilloscopes to characterize and capture power traces. For example, see the following power trace that was captured from the Trezor (purple line):

Power Trace

In the previous two examples, we measured a signal oscillating between a range of values and not just HIGH or LOW. There are fluctuations, rising and falling sequences, and other interesting patterns that we could not catch with our logic analyzer as the logic analyzer looks for either a high or low voltage and reports the results back to the user as a digital signal.

For an example of when we might use a logic analyzer, let’s revisit the oscilloscope capture from before:

Image

Notice that there are not nearly as many strange shapes or fluctuations in this signal; the line is at either a high or a low voltage at any given time. While some oscilloscopes can decode digital signals like this, they are often limited by how much memory they can use for a capture. That means that if you’re trying to capture UART traffic on a Linux system that takes 60 seconds to boot, you would need a large amount of memory / a costly scope. Also, if you wanted to extract the data from the stream or try to decode it using custom plugins, getting access to the digital signal is a headache (note: it is possible, but logic analyzers greatly simplify this process for us). If we want to extract the data being encoded in this digital signal, this is a perfect use case for our logic analyzer.

The logic analyzer can sample for much longer because it samples a signal, reports whether the sample is high or low, and does not report back the exact values in between. Note that what defines high or low can often be configured within your logic analyzer software, but the analyzer will still report back either a 0 or 1. Because the logic analyzer is not concerned with all the values in between, it requires significantly less memory to capture over long periods.

To illustrate this, let’s revisit the older blog post we published last year. The following video shows that the voltage levels fluctuate around 3.3V and eventually return to idle at 3.3V.

Gif

If we were to capture this signal with an oscilloscope, it would look very similar to the screenshot we referenced earlier. However, there is one problem - this system takes about 90 seconds to boot, and ideally, we want to capture all of the traffic in a way that allows us to analyze it. This is where our logic analyzer will come in handy.

After connecting our logic analyzer to the signals referenced in the blog post, our logic analyzer software (Pulseview) captures the following:

UART

With this traffic captured, we can set up a decoder to get human-readable values out of this signal, as shown below:

Image

Now, we can export this data to a text or binary file for further analysis.

So, in summary - when we want to capture digital signal traffic such as SPI, UART, I2C, JTAG, etc, we use a logic analyzer. If we want to analyze the shape of the waveform or we are investigating an analog signal such as a power source or audio signal, we use an oscilloscope.
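The thresholding and decoding steps described above, as an added Python sketch that is not part of the original guide and is not PulseView's decoder. It assumes 8N1 UART at 115200 baud, a 1 MSa/s capture, a 1.65 V threshold and 8-bit oscilloscope samples; the waveform is synthesized, not a real capture.

```python
VCC = 3.3                # idle/high level mentioned in the text
THRESHOLD = 1.65         # assumed logic threshold (configurable on real analyzers)
BAUD = 115200            # assumed baud rate
SAMPLE_RATE = 1_000_000  # assumed capture rate, roughly 8.7 samples per bit


def synth_uart_voltages(data, baud=BAUD, rate=SAMPLE_RATE):
    """Build a constructed analog 8N1 waveform with ripple around 0 V and 3.3 V."""
    bits = [1] * 20                                   # line idles high
    for byte in data:
        bits += [0]                                   # start bit
        bits += [(byte >> i) & 1 for i in range(8)]   # data bits, LSB first
        bits += [1]                                   # stop bit
    bits += [1] * 20
    volts = []
    for i in range(len(bits) * rate // baud):
        level = bits[(i * baud) // rate]
        ripple = 0.2 * ((i * 7919) % 100) / 100       # deterministic 0 to 0.2 V wobble
        volts.append(VCC - ripple if level else ripple)
    return volts


def to_logic(volts, threshold=THRESHOLD):
    """What the logic analyzer keeps: one bit per sample, high or low."""
    return [1 if v >= threshold else 0 for v in volts]


def decode_uart(samples, baud=BAUD, rate=SAMPLE_RATE):
    """Decode 8N1 frames from a 0/1 sample stream; returns (bytes, framing_errors)."""
    spb = rate / baud                                 # samples per bit (not an integer)
    out, framing_errors, i = bytearray(), 0, 1
    while i < len(samples):
        if not (samples[i - 1] == 1 and samples[i] == 0):
            i += 1                                    # still waiting for a falling edge
            continue
        start = i

        def centre(k):                                # sample index in the middle of bit k
            return int(start + (k + 0.5) * spb)

        if centre(9) >= len(samples):
            break                                     # capture ended mid-frame
        if samples[centre(0)] != 0:
            i += 1                                    # short glitch, not a start bit
            continue
        byte = 0
        for b in range(8):
            byte |= samples[centre(1 + b)] << b
        if samples[centre(9)] == 1:                   # stop bit must be high
            out.append(byte)
        else:
            framing_errors += 1
        i = centre(9)                                 # resume inside the stop bit
    return bytes(out), framing_errors


def capture_bytes(seconds, rate, bits_per_sample, channels=1):
    """Raw storage needed for an uncompressed capture."""
    return seconds * rate * bits_per_sample * channels // 8


if __name__ == "__main__":
    message = b"Booting Linux...\r\n"                 # constructed sample traffic
    logic = to_logic(synth_uart_voltages(message))
    print(decode_uart(logic))
    # 90 second boot at 1 MSa/s: 8-bit analog samples vs 1-bit logic samples
    print(capture_bytes(90, SAMPLE_RATE, 8), capture_bytes(90, SAMPLE_RATE, 1))
```

The decoder samples each bit at its centre rather than at the edge, which is why a few samples per bit are enough even though the sample rate is not a multiple of the baud rate.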

Clips / Jumpers / Probes

Sometimes, we have to connect to specific pads or pins to analyze the signal on our target device, but that does not always require soldering and removing components. Probing test pads and reading flash chips in-circuit can significantly reduce the debugging/analysis time when performing firmware patches or testing PoCs. Below are some helpful items that I use when soldering/connecting to new targets. The PCBite kit is handy as the fine-tip probes will often save you from needing to solder to test pads when performing initial analysis.

| Item | Price | Link | Description |
|---|---|---|---|
| Premium Silicone Jumper Wires | $11.95 | Link | Used to make breadboard connections, etc |
| Pomona SOIC8 Clip | $18.19 | Link | Used to clip onto SOIC8 packages |
| Pomona SMD Grabber Pin | $21.79 | Link | Useful for grabbing individual pins of small packages such as QFP microcontrollers, etc. |
| KOTTO Helping Hands | $23.99 | Link | Useful when soldering to smaller devices |
| XKM-S EX Hook Pin Grabbers | $30.06 | Link | Helpful for grabbing pins of SOIC8 chips and other packages with wide footprints |
| PCBite Kit | $190 | Link | Handy magnetic probe kit with PCB holders and pogo pins |

Power Supplies

When picking a power supply, you need to consider the power requirements of your targets. Be sure to review the voltage and current limitations and choose an appropriate supply based on the targets you will analyze. Some power supplies have options like Over-Current Protection (OCP), which is a feature that prevents a power supply from providing more current than it can handle. Some power supplies will also include a Remote Sense feature that is used to regulate the output voltage at the target load. This compensates for the voltage drop across the cables connecting the power supply to the target load.

| Item | Price | Link | Usage |
|---|---|---|---|
| KC3010D | $49.99 | Link | Low cost introductory power supply |
| Hyelec 30V 5A Switching DC Bench Power Supply | $56.99 | Link | Adjustable power supply with output enable line |
| RD6006 | $85.00 | Link | Low-cost front end for power supply, can be used with an old ATX supply or other DC barrel jack power supplies |
| Siglent SPD1168X | $265.00 | Link | Power supply with programmable output and voltage sensing, also SCPI interface |
| Rigol DP832 | $399.00 | Link | Three channel power supply (30V/3A, 30V/3A, 5V/3A) |
| Keysight E36233A 400W Dual Output Supply | $3,569 | Link | High wattage dual output supply, 30V/20A/400W, SCPI interface |
| BK Precision 9140 32V / 8A / 300W Triple-output Bench Power Supply | $1,940 | Link | High current, high power, Ethernet/LXI interface, three outputs, compact |

JTAG / Debug Adapters

Perhaps during your teardown, you discovered a set of test points or debug headers that you believe might be for hardware-level debugging, such as JTAG or SWD. If you’re trying to get hardware-level debugging working on a target, it is always a good idea to see what OEM tools are available. I’ve compiled a list below of some of the more generic tools I keep in my toolbox. Most of these are ARM-focused, as JTAG tooling for other architectures will often involve purchasing specific hardware/software or utilizing OpenOCD.

| Item | Price | Link | Usage |
|---|---|---|---|
| FT2232H Breakout Board | $14.95 | Link | Generic interface board, capable of SPI, I2C, UART, etc |
| STLink | $22.16 | Link | Easy to work with, largely focused on STM32, but can be used as a generic SWD adapter with OpenOCD |
| Tigard | $49.00 | Link | Open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking. |
| Black Magic Probe | $74.95 | Link | Open source JTAG probe, can be used with OpenOCD |
| JLink | $529.12 | Link | Extremely sound software support, supports a large number of ARM chips, has built-in level shifting |
| Lauterbach | TBD | Link | Extremely powerful JTAG tooling that can be purchased with licenses targeting specific architectures/chipsets |

When attempting to utilize a hardware debug mechanism (especially from a black box perspective), there is no “one size fits all” tool. Whether you are accessing a JTAG tap or an SWD peripheral, there are two hurdles that you need to overcome:

  1. Can your hardware communicate with the TAP/DAP?
    1. Logic Levels, appropriate speeds, timings, etc
  2. Can your software properly enumerate and interact with the TAP/DAP?
    1. OpenOCD, UrJTAG, OEM Tools, etc

Having the right tools for the job is critical when looking at a new hardware-level debug peripheral. Make sure that you search for OEM software/hardware and always check the latest OpenOCD commits for similar targets.

Flash Readers

So, you have done your initial teardown and identified a non-volatile storage device from which you want to extract some data. Perhaps there is a SPI flash chip or a TSOP 48 parallel flash that you want to extract data from. Many flash readers are available; below is a list of what I have in my lab. The Xeltek is somewhat expensive (it is currently on sale for $995.00), and the individual sockets for different chip packages range from $400-$700, so the cost adds up quickly. However, with that cost comes support from Xeltek and fairly reliable tooling. Assuming you are comfortable with BGA rework and re-balling ICs, this may be the right choice for you and your team.

| Item | Price | Link | Usage |
|---|---|---|---|
| Transcend SD Card Reader | $10.99 | Link | Good for in-circuit eMMC reads, device supports low speeds and 1-bit eMMC modes |
| CH341A USB Programmer | $13.99 | Link | Generic SPI flash programmer, compatible with flashrom |
| FT2232H Breakout Board | $26.99 | Link | Generic breakout board, can be used with flashrom, openocd, etc. |
| FlashCAT USB Programmer | $99.00 | Link | Parallel flash extraction, TSOP48/56 |
| XGecu T56 | $199.00 | Link | All-purpose flash extraction, SPI, eMMC, NAND, etc |
| Easy JTAG | $399.00 | Link | All-purpose flash extraction, one of the few readers on the market to support UFS extraction |
| Xeltek Superpro | $995.00 | Link | Enterprise flash programmer, high quality, sockets for different chips can be pretty expensive |
| Dataman 48Pro2 Super Fast Universal ISP Programmer | $1,195.00 | Link | Industrial programming tool, expensive, but does consistently work on the supported ICs |

In my experience, no flash readout tool works on everything. Some tools are better at certain flash types than others. Having a few options in your hardware hacking toolbox is always a good idea if your preferred tool does not support your target device. If I had to pick two devices from the list above, I would choose the FlashCAT and the XGecu T56; you will have a wide range of target chip coverage between those two.

SBCs / Interface Tools

Having a few generic embedded interface tools in your toolkit is always a good idea. I am a big fan of using embedded Linux SBCs due to their flexibility and the fact that you have an entire OS at your disposal, which can open up opportunities to use your favorite programming language to interact with the standard peripherals. One of the most common Linux-based SBCs, the Raspberry Pi, has been difficult to acquire over the last few years. Luckily, the Armbian project supports other boards, such as the Orange Pi Zero 2 and the Orange Pi 4 LTS. You may not always require a fully featured OS and may just need a tool that can talk to peripherals. In this case, having FT2232H-based boards, such as the generic breakouts and things like the Tigard, will also come in handy. While the FT2232H is a well-known, classic interface IC, the RP2040 is quickly gaining popularity due to its ease of use and availability. The Buspirate, a classic embedded Swiss army knife, recently released a new version powered by the RP2040 (note that the link below is for just the PCB and not for the entire product).

| Item | Price | Link | Usage |
|---|---|---|---|
| FT2232H Breakout Board | $14.95 | Link | Generic interface board, capable of SPI, I2C, UART, etc |
| Arduino Nano | $24.90 | Link | Generic board for learning embedded programming and protocols |
| BusPirate | $27.85 (PCB Only) | Link | Universal Open Source Hacking Tool |
| Orange Pi Zero 2 | $35.99 | Link | Low power general purpose Linux SBC, supported by Armbian |
| Tigard | $49.00 | Link | Open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking. |
| Orange Pi 4 LTS | $77.90 | Link | Linux based SBC, supported by Armbian |

Fault Injection

Fault injection (FI) involves introducing an error/modification minor enough to cause undefined behavior on a target but not enough to stop the target from operating entirely. This typically involves injecting a high-voltage pulse or temporarily draining the voltage from a targeted power source or “rail” on the target system.

By causing momentary voltage modulations (either above or below the expected voltage), we can force our target system to enter a realm of undefined behavior. An adequately targeted fault can bypass various security checks or other features that may impede an attacker or reverse engineer.

When it comes to FI, I think that Furrtek explained it best here:

Image

Regarding FI, anything capable of pulling a voltage line low or injecting a clock pulse can work. However, depending on your target and attack, you might need advanced timing or protocol triggering, where tools such as the ChipWhisperer become very handy. When learning the fundamentals of fault injection, you cannot go wrong with an introductory ChipWhisperer kit. Their materials and example targets explain the principles behind fault injection and provide a tested, repeatable learning environment. I can’t recommend their materials highly enough. If the ChipWhisperer tools are too expensive for your budget, however, there are other tools that folks have used in the past. I have included the tools in the table below and provided some example blog posts that utilize them to help get you started. We have also published a blog post here as an introduction to FI.

| Item | Price | Link | Projects / Blog Posts |
| --- | --- | --- | --- |
| RP2040 | $4.00 | Link | Pico Glitcher, PicoRHG - Xbox 360 Glitch, AirTag Voltage Glitching |
| PocketBeagle | $35.63 | Link | The PocketGlitcher, |
| ICEStick ICE40 FPGA | $49.00 | Link | Grazfather’s LPC Glitch, IceStick Glitcher |
| ChipShouter PicoEMP | $60.00 | Link | EMFI Made easy with PicoEMP |
| ChipWhisperer Lite | $315.00 | Link | Replicant: Reproducing a FI Attack on the Trezor One |
| ChipWhisperer Husky | $549.00 | Link | RL78 Glitching (done by Colin O’Flynn) |
| ChipShouter Kit | $4125.00 | Link | EMFI for Automotive Safety with ChipShouter |

There are also plenty of great talks that you can find online about fault injection; I’ve listed some of my favorites below:

Radio Frequency Tooling and Instrumentation

In the realm of security testing, these tools play a crucial role in assessing and safeguarding the integrity of wireless communication systems and devices. High-cost options provide powerful capabilities for in-depth analysis of various RF signals, allowing security professionals to identify vulnerabilities, intercept and decode wireless transmissions, and assess the robustness of communication protocols. These tools are often employed in academic and research settings for advanced RF security research. On the other hand, low-cost options are accessible solutions that aid in testing and securing more common wireless technologies, including RFID, Bluetooth, Wi-Fi, and various ISM band devices.

High-Cost Options

| Item | Price (Approximate) | Link | Description |
| --- | --- | --- | --- |
| HackRF One | $300 - $350 | Buy HackRF One | A versatile SDR platform for analyzing and testing a wide range of radio signals. |
| Proxmark3 | $250 - $300 | Buy Proxmark3 | A dedicated RFID/NFC testing and hacking tool, allowing reading, emulating, and modifying RFID/NFC cards. |
| LimeSDR | $250 - $350 | Buy LimeSDR | A flexible SDR platform suitable for RF security research and testing. |
| USRP (Universal Software Radio Peripheral) | $1,000+ | Buy USRP | High-end SDR platforms for advanced RF research and security testing in academic and research settings. |
| Signal Hound Real-time Spectrum Analyzer | $1,190+ | Buy Signal Hound | High-speed spectrum analysis for advanced RF research and security testing in academic and research settings. |
| Copper Mountain Vector Network Analyzer | $10,000+ | Buy Copper Mountain | Specialized instrument for measuring antennas, RF cables, and RF systems; some instruments with additional options can measure up to W-band (75 - 110 GHz). |

Low-Cost Options

| Item | Price (Approximate) | Link to Buy | Description |
| --- | --- | --- | --- |
| Flipper Zero | $150 - $200 | Buy Flipper Zero | A multifunctional security testing and hacking tool with RF capabilities, including RFID and NFC testing. |
| YARD Stick One | $100 - $150 | Buy YARD Stick One | A wireless transceiver for sub-1 GHz testing and attacks on ISM band devices and other low-frequency signals. |
| Ubertooth One | $100 - $150 | Buy Ubertooth One | Designed for Bluetooth security testing, particularly capturing BLE packets for security assessments. |
| RTL-SDR | $20 - $30 | Buy RTL-SDR | An affordable and versatile SDR dongle for exploring and analyzing a wide range of RF signals. |
| Wi-Fi Pineapple | $100 - $200 | Buy Wi-Fi Pineapple | Used for Wi-Fi security assessments and creating rogue Wi-Fi access points, often used alongside RF devices. |
| PortaPack H1 | $100 - $150 | Buy PortaPack H1 | An add-on for the HackRF One that provides a more user-friendly interface for HackRF interactions in the field. |
| TinySA Ultra | $100 - $200 | Buy TinySA Ultra | An affordable spectrum analyzer and signal generator that can measure signals up to 12 GHz. |
| NanoVNA | $300 - $789 | Buy NanoVNA | Affordable specialized instrument for measuring antennas and RF systems; depending on the model, it covers most ISM bands under 6 GHz. |
| LibreVNA | $500 - $700 | Buy LibreVNA | Affordable specialized instrument for measuring antennas and RF systems; offers full 2-port measurements and covers ISM bands under 6 GHz. |

Other Helpful Tools

Conclusion

This write-up covered some of the tools required to build your first hardware hacking toolkit. This is by no means an exhaustive list, and I’m sure there are plenty of alternatives to the devices I’ve listed here. Also, it should be noted that you don’t need all of these tools to start hacking on hardware. Sometimes it makes more sense to buy what you need for a given project and save money for nicer equipment later on. I hope this guide was helpful; I plan to revisit this write-up regularly to update it with new tools. If you think a tool should be added to this guide, feel free to email contact@voidstarsec.com or reach out on Twitter. A list of just the components discussed here can be found on this GitHub repository, and all pull requests are welcome!

If you are interested in learning more about hardware-level reverse engineering, check out our training course or reach out to us for any consulting needs. If you want to get notified when a new blog post, course, or tool is released, consider signing up for the mailing list. I only send emails when there are actual posts or course updates. Lastly, you can follow me on Twitter for various updates on side projects and classes.