Hardware Hacking Bootcamp

This five day course is designed to teach the fundamentals of hardware reverse engineering and analysis. With a focus on understanding the low level protocols that make up embedded systems, students learn how interfaces such as SPI, I2C, JTAG, SWD work while developing tools to interface with these protocols. All hardware is provided for this course, and all software tools are kept by the students upon completion of the course.

2022 Public Offerings

Use the links below to register for a public training. Public offerings are taught remotely via Discord.

March 2022 - Sold Out June 2022 - Sold Out September 2022 - Sold Out

Looking for a private offering? Remote and onsite options are available for groups of five or more, reach out to us at contact [at] voidstarsec [dot] com for more information!

Course Objectives

After participating in this course, students will have experience with:

  • Non-Invasive hardware analysis (component identification, etc)
  • Tracing and identifying points of interest on PCBs
  • Extracting firmware over multiple interfaces
  • Unpacking / analyzing binary blobs
  • Attacking hardware debuggers (JTAG,ETC)
  • Modifying, repacking and reflashing firmware
Students will learn how to augment existing tools to work around problems when extracting firmware.

Labs include extracting SPI/I2C-based flash chips, discovering and gaining access to consoles using UART, and identifying, enumerating, and actuating hardware-level debuggers such as JTAG and SWD. Labs are performed on four different real-world targets after introductory protocol labs are performed. Each target was chosen in order to demonstrate a specific protocol, allowing students to gain experience across multiple hardware platforms throughout the course.

All exercises and laboratories are performed using open source tooling on a Raspberry Pi. The Raspberry Pi will be used to attack and exploit all of the targets included in the kit. The tools and techniques used throughout the course were chosen specifically due to their portability across various hardware platforms.

Course Structure

This course includes multiple modules, one for each protocol of interest. For each module, we will perform the following:

  • Protocol Overview and Analysis
  • Understanding and Reviewing Captured Protocol Traffic
  • Protocol Analysis from a Reverse Engineering Perspective
  • Tools for Reverse Engineering Specific Protocols
  • Practical Attacks and Applications on Provided Targets
After each protocol module, a target analysis will be performed to reinforce what was learned in the analysis segment. Using this knowledge, students will perform hardware attacks on the targets included in their kits.

Course Modules

Objectives

  • Objective 1: Understand how PCBs are designed and made
  • Objective 2: Review the various component types that make up PCBs
  • Objective 3: Learn how to determine components and locations of interest
  • Objective 4: Apply the information learned to the analysis of platform one

Objectives

  • Objective 1: Understand Raspberry Pi setup and customization
  • Objective 2: Logic analyzer review and usage
  • Objective 3: Multimeter usage and examples
  • Objective 4: Platform over and target objectives review

Objectives

  • Objective 1: Learn how UART functions and it's common applications
  • Objective 2: Learn how to detect an active UART on a PCB
  • Objective 3: Learn how to calculate an unknown baud rate
  • Objective 4: Learn how to set up UART analyzers in Pulseview
  • Objective 5: Learn how to use the Raspberry PI as a UART interface
  • Objective 6: Discover and interface with a UART on the target router

Labs - Target: Router

  • Calculating Baud Rates
  • Unknown Formatting
  • Python Scripting
  • Router Analysis
  • Console Analysis

Objectives

  • Objective 1: Learn what UBoot is and how it is used
  • Objective 2: Review the Linux boot process
  • Objective 3: Understand UBoot environment and console commands
  • Objective 4: Manipulate environment variables to gain access to systems
  • Objective 5: Script UBoot console interactions with Depthcharge and Python

Labs - Target: Virtual Machine / Router

  • UBoot Shell Exploration and Data Collection
  • UBoot Shell Manioulation / Modifications
  • Memory Extraction via Python Scripting

Objectives

  • Objective 1: Learn how the SPI interface works and what components utilize it
  • Objective 2: Identify SPI transactions at the signal level
  • Objective 3: Identify SPI commands and transactions at a protocol level
  • Objective 4: Set up SPI decoder with logic analyzer
  • Objective 5: Extract SPI flash with flashrom
  • Objective 6: Interface with a SPI device using a custom Python script

Labs - Target: Router

  • Analyzing EEPROM Commands
  • Analyzing EEPROM Reads / Writes
  • Overcoming bus contention / bus takeover
  • Using Flashrom to extract router firmware

Objectives

  • Objective 1: Learn how to perform an initial analysis of a firmware blob
  • Objective 2: Learn to extract segments of interest from firmware images via binwalk and dd
  • Objective 3: Extract components of interest from the router firmware image
  • Objective 4: Patch and modify router firmware image to gain advanced access
  • Objective 5: Learn how to repackage and reflash firmware images

Labs - Target: Router

  • Tool Usage: binwalk and dd
  • Component Extraction
  • DTB Analysis and Decompilation
  • Reconstructing a firmware image
  • Re-flashing a firmware image

Objectives

  • Objective 1: Learn and understand how the I2C protocol works
  • Objective 2: Understand how to approach I2C as a reverse engineer
  • Objective 3: Analyze and review I2C traffic and addressing
  • Objective 4: Practice sniffing I2C traffic for data of interest
  • Objective 5: Extract an I2C based memory device
  • Objective 6: Reflash and modify an I2C based memory device

Labs - Target: Game Cabinet

  • I2C Tooling
  • I2C Traffic Analysis / Reverse Engineering
  • Extracting information with eeprog
  • Modify target flash to gain a high score

Objectives

  • Objective 1: Review and understand the JTAG specification
  • Objective 2: Identify JTAG pins and pinouts using IDCODE and BYPASS scans
  • Objective 3: Actuate and interface with JTAG ports
  • Objective 4: Assess JTAG ports from a black box perspective
  • Objective 5: Extract and modify memory via JTAG manually and via pre-existing tools
  • Objective 6: Develop custom tooling to interface with JTAG TAP manually

Labs - Target: SSD

  • Identifying Potential JTAG Pinouts
  • Identifying Pin Assignments via IDCODE and BYPASS scans
  • Writing an OpenOCD configuration file
  • Memory extraction and control flow takeover via JTAG

Objectives

  • Objective 1: Review and understand the SWD specification
  • Objective 2: Understand how to identify Serial Wire Debugging
  • Objective 3: Learn how to interface with SWD via OpenOCD
  • Objective 4: How to identify an unknown ARM SoC via SWD
  • Objective 5: Extract firmware via SWD
  • Objective 6: Modify and upload new firmware via SWD

Labs - Target: Controller

  • Identifying SWD Connections
  • Interfacing with SWD APs manually
  • MEM-AP Interfacing and Manipulation
  • Interface with SWD vis OpenOCD
  • Memory Access and Control Flow Takeover
  • Flash Extraction and Analysis

Hardware Targets

Students will receive hardware kit including:

  • Raspberry Pi 4, USBC Cable, Power Supply
  • Travel Router (Target 1)
  • Game Cabinet (Target 2)
  • ARM Based USB Console Controller (Target 3)
  • SSD and USB Adapter (Target 4)
  • Breadboard, Logic Level Shfter, Jumper Wires
  • Multimeter
  • Logic Analyzer
  • SOIC8 Clip (For flash extraction)
  • SPI EEPROM, I2C EEPROM

Cinque Terre

Requirements

This course is targeted toward security researchers who want to learn more about the process of firmware extraction and embedded systems analysis. Students should be familiar with the Linux command line and be comfortable with a scripting language such as python. C experience is also useful but not required

Interfacing with the Raspberry Pi requires an available USB port. A virtual machine is also provided to automate the configuration of the Raspberry Pi. Students should be able to load and run virtual machines if they are not comfortable installing Pulseview and configuring an ethernet interface on their host machine.

Reviews

All in all, this course was seriously a game changer for me. This has literally taken me from an infosec employee with near-zero hardware reversing knowledge, to feeling extremely comfortable and excited about diving into some new unknown devices! I can't thank you enough Matthew. I'll continue to rave about your course to friends and colleagues :-)

March Offering 2022

The course was very helpful. I am looking forward to expanding on these skills for IoT devices. The pace of the course made it easier as a software developer with software RE experience to learn.

June Offering 2022

The course was awesome. It’s exactly what I was hoping it would be. I just wish I could’ve taken it in person as I had a few distractions at home (as we all do). Overall, I had a blast in this class and learned a ton!

Sept Offering 2021

This course was awesome. Even though a lot of it was review for me, I still really appreciated how in-depth Matt went into all of the topics. I didn't necessarily have that deeper background into the why and how. The course flew by for me because I found it so engaging. Thank you!

June Offering 2022

Private Offerings

This course can be offered privately (remote or onsite) for groups of five or more students. If you are interested in a private offering of this course please contact us for more information.