Course Overview

Day 1:

We start with a multimeter and familiarize ourselves with basic electrical components on a device. We talk about soldering and what to consider while doing it. We will read datasheets and dive into the protocol analysis of UART, SPI and I2C. Additionally, we will learn different methods to identify these interfaces on a board and use our logic analyzer to observe the signals. Sniffing the wire can already reveal information about the firmware or secrets like a bitLocker key. We finish day one by interacting with debug interfaces and taking control over a IoT device.

Day 2:

Day two will be all about firmware dumping and gaining root access on a device. We start with an introduction into common storage types and how to dump uncommon ones. You will learn how to bypass password protections, interacting with debug interfaces or how to repack the firmware to get root access on the target.

The highlight of this day is the power glitching attack against a locked chip. Students will learn how it works and build it from scratch to extract the firmware of a protected chip. No complex setup or SDK – not even C/C++ is required. We will do all of this in 20 lines of python.

Day 3:

The final day of this training continues with a more advanced glitching attack. We will apply our knowledge of day two on a different chip. This time, we will extract the firmware in small chunks, which is very satisfying to watch. We finish day three of an extensive training by recapping what we have learned and build our own circuit to fuzz a proprietary protocol of an IoT device. 

If you ever wanted an easy way into complex topics mentioned above, this is your opportunity. This course offers an intense learning experience that also covers advanced attacks while being very beginner friendly. It is based on eight years of experience in IoT hacking and contains techniques you will profit from your whole career.

Agenda

Day 1

PCB – Board

• Common components (Resistors / Capacitors / etc.)

• Multilayer Board Structure

• Probing with a Multimeter

• Board Schematics

• Modifications (Gaining Access to Data Lines)

• Safeties (Shorts, Ground-Loops)

Soldering

• Soldering Iron vs Hot Air Station

• Required Components (Solder / Flux / Desoldering Braid / etc.)

• Safety (Glasses / Fume Extractor / Lead vs Lead Free / etc.)

• Tiny Soldering under a Microscope (0,3 mm)

Chips

• Identification (Logos and Labels)

• Package Formats (QFP / TSOP / DIP / etc.)

• Pinout and Datasheets

• Configuration - Modes (SPI / Pin Settings / etc.)

• Difference between SoC and MCU

Protocol Analysis 

• Logic Analyzer (Hard- and Software)

• Signal Calculations (Symbol / Baudrate / etc.)

• Signal Sniffing with a Logic Analyzer

• Protocol Analysis - UART, SPI and I2C

• HydraBus Introduction (Hard- and Software)

• Signal Interaction - Sending Commands (UART / SPI / etc.)

JTAG / SWD

• Introduction to JTAG and SWD

• Attaching a Debugger (GDB – Proxy)

Day 2

Firmware

• Storage Types (eMMC / NAND / NOR / etc. )

• Firmware Dumping (eMMC / NAND / NOR / Unknown Chips)

• Firmware Extraction and Analysis

Gaining Root Access

• Update Process (SSL / StartTLS / etc.)

• Signal Interrupts ( UART/ Flash Read / etc. )

• Firmware Modification (Backdoor Firmware)

• Bootloader – Uboot (Environment Variables / Memory Write)

• Software Vulnerabilities

Power Glitching

•  

• Read Out Protection (Datasheet)

• How to Create a Precise Voltage Drop

• Timing (When to Glitch)

• Built the Circuit (Raspberry Pi Pico)

• Glitch - Firmware Dumping (Protected Chip)

Day 3

Power Glitching - Chip I (Demo)

• Identify Bypass Capacitors

• Board Preparation (No Soldering - Sensepeek)

• Setup the Raspberry Pi Pico (MOSFET)

• Performing the Glitching Attack

Advanced Power Glitching - Chip II

• Read Out Protection (datasheet)

• Bootloader Settings

• Chip Interaction (UART Commands)

• Glitch - Firmware Dumping (Protected Chip)

Fuzzing Proprietary Protocols

• Recap (Signal Calculations / MOSFET / Encodings)

• Protocol Rebuilding (Symbolrate / Baudrate)

• Fuzzing & Observing (Logicanalyzer)

Students will receive a hardware kit which is worth 400 €.

This kit includes:

• Microscope

• Multimeter

• Opening-Kit (Screwdriver, Tweezers, etc.)

• Raspberry Pi Pico (incl. Debugger)

• Logic Analyzer

• Buspirate rev5 (SPI / UART / I2C / etc.)

• 2x Router

• STM32 / NRF52 Boards

• Cables / Clips / Resistors / MOSFETS