Hardware

These tools will allow you to explore your target device through the hardware’s various serial bus interfaces or allow you to dump the firmware image from the device for reverse engineering the software. The firmware image is a compressed file, containing the operating system and its files, it may contain interesting things like the code to the web interface that most these devices have. You can then run that dumped code and reverse engineer it on an emulator like QEMU.

Some of the main serial bus interfaces that the following hardware tools can connect to are JTAG, UART, I2C, and SPI. (Please refer to the links on the previous listed protocols to get in-depth explanations of them from a hardware hacking perspective.) Researching all the serial interfaces and their protocols will help you understand how to effectively use following hardware tools for reverse engineering and exploiting IoT devices.

Shikra

Purchase

Resources:

Xipiter’s how to use guide

This device is touted as a more stable tool compared to the Bus Pirate. The hardware is very reliable and stable for connecting to UART, JTAG, and SPI. Many people in the Software Exploitation via Hardware Exploitation community really enjoy using this somewhat lesser known device and is used in the SEXviaHEX training.

If you want to pull the firmware image off a target IoT device for software exploitation then the Shikra is a great tool for the job. Just connect the Shikra to the target device’s SPI chip. You may need an 8-pin SOIC clip to connect the Shikra to the SPI interface.

In the how to use guide linked above, it was claimed to have taken the Bus Pirate 30 minutes to dump a 4MB firmware image off a device compared to just under a minute for the Shikra to do the same job. The Shikra may be something less people are familiar with, but it provides consistent, powerful and fast performance for certain jobs.

Bus Pirate

Purchase

Resources:

Documentation

Forums

Dangerous Prototypes’ tutorial

This is one of the most widely used tools out there right now. At the time of this blog’s posting the Bus Pirate version 4 official firmware development seems to have been abandoned. This has caused a lot of headaches for users struggling to get features to work on version 4 as well as they did on version 3. For example some people have had difficulties with getting JTAG support to work on version 4.

As stated in the documentation link, the version 3 firmware has a strong community effort behind it. As long as there is a strong community backing this tool that community will be committed to fixing and maintaining the firmware of the Bus Pirate. Overall the Bus Pirate is a vey robust tool. Finding someone to help you use it will not be hard, try joining the forums.

JTAGulator

Purchase

Resources:

Joe Grand’s video overview of the tool

Senrio’s explanation of JTAG

Besides looking badass this tool is great for identifying what the the different pinouts and chips do on the target device. When you open up the device it is not going to be obvious what pinouts and chips run which serial protocols. Testing each one with the JTAGulator will help you find your UART, JTAG, SPI, and other serial protocol interfaces.

Facedancer21

Purchase

Resources:

Travis Goodspeed’s blog

GoodFET’s documentation

Not every IoT device is going to have a USB port, but this tool can be very useful when one is available. The Facedancer, besides having a cool name, essentially lets your computer become the USB drive plugged into a device. Within this emulation you can communicate to the target device over the USB bus with Python. Devices often trust USB drives plugged into them so exploring the target device from this perspective can be very rewarding.

Make sure you get all the probes and jumper cables required for connecting the target device to the hacking tool and then back to your computer. Most of these linked articles for these hardware tools show what you will need. The wires and cables will plug onto the pinouts or clip onto different chips. Having a variety of male to male, female to female, and male to female wires is definitely helpful.