Embedded Device Hacking
Start by performing an external visual inspection of the device
FCC ID and other certifications
- Look up the FCC ID at fccid.io website
- Does it reveal additional details about the target
- Internal pictures
- can you figure out what chipsets are being used?
- any exposed interfaces?
- which flash? what protocol does it uses?
- External pictures
- Test cases run on the device
- Frequency which is being used
- any common frequency being used? 433/315 etc.
- Look up the FCC ID at fccid.io website
Markings of compliances and protocols used
External ports and interfaces
- USB
- Ethernet
- SD Card slot
Voltage and Power consumption
Open the device
- Are the screws hidden behind the rubber pads or labels
- Tamper protection mechanisms?
- Can you bypass them - chemical methods ?
- X-Ray ?
- Ultrasonic welding
- What do you see when you open up the device
- Chips
- Various other components
- Copper tracing
- Multi-layered?
Analyzing and Exploiting the device
- Identify the various components on the board
- Read their component numbers and look up online for the datasheets
- What do these component perform?
- Do you see any exposed interfaces?
- Are they labeled?
- Not labeled?
- Scattered across the board?
- Identify the pinouts for the Serial interface
- Multimeter
- Logic analyzer
- JTAGulator
- Connect to the Serial interface using a USB-TTL or Attify Badge
- Identify the baudrate
- Shell
- Authenticated ?
- What all can do you from here?
- Dump the firmware
- Modify values on the device and see if it persists
- Control the device components via the shell
- Is the shell of root privileges?
- Unauthenticated?
- Can you brute force the password?
- Is the password hidden in the firmware?
- Bootloader manipulation attacks
- Authenticated ?
- JTAG
- Find the JTAG pinouts using JTAGulator
- Debug
- Dump firmware
- Write new firmware
- Perform run-time manipulation of the binaries
- Flash
- Dump data from the flash
- Modify and write data back to the device
- Does the device has firmware signature and integrity verification?
- Can it be bypassed?
- Glitching based attacks