
Low-Level Hardware Reversing

27th to 29th April 2020 | 3 Days


TRAINER

Javier Vazquez Vidal & Henrik Ferdinand Nolscher


OBJECTIVE

This training is oriented towards those who have little to no knowledge of how a system can be reversed at the hardware level. You want to hack an embedded device? Not too fast! To fully understand an embedded system, you must first know how it works on a physical level. The objective of this training is to give attendees a starting point in pure, low-level hardware hacking. You will learn how to get started with firmware reverse engineering, but the focus of the first two days is an in-depth explanation of digital signals, protocols, and some hex file dumping, which make up the core of every embedded system.

Additionally, there will be exercises to practice the acquired skills by attacking a custom victim board. Starting from the second day, trainees will also work on real-world devices, guided by our experienced instructors. This includes an introduction to common software tools that hardware hackers use. After successfully completing this training, attendees will be able to find basic attack vectors on the physical layer of an embedded system and will know how to use common hardware hacking tools. Finally, an outlook is given on future defensive measures and how they could be attacked.

COURSE OUTLINE

Module 1: Electronics Theory for hackers – in other words, how not to destroy your target, how to set it up etc.

Module 2: The Logic Analyzer – Analyze your target system on the lowest level and see how components communicate using the Logic Analyzer. You will use the logic analyzer to identify protocols and decode them!
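To make the "decode them" step concrete, the following is an added example (not course material or code from the trainers) of the simplest decode a trainee performs once a capture is in hand: turning a raw logic-analyzer sample trace of an asynchronous serial line into bytes. It assumes an idle-high 8N1 UART, a known sample rate and baud rate, and it samples each bit at its centre, the way a logic analyzer's protocol decoder does. The capture used for the demonstration is constructed inline by `encode_uart`; the names `encode_uart` and `decode_uart` are this example's own.

```python
"""Decode an 8N1 UART line from a logic-analyzer sample trace (added example).

Assumptions: idle level is high, one start bit (low), 8 data bits LSB first,
one stop bit (high), and the analyzer sampled at `sample_rate` Hz.
"""
from typing import List, Tuple


def encode_uart(data: bytes, samples_per_bit: int) -> List[int]:
    """Build a constructed sample trace (0/1 per sample) for the given bytes.

    This stands in for a real capture; it exists only so the decoder can be
    exercised offline.
    """
    trace = [1] * (2 * samples_per_bit)          # idle line before the first frame
    for byte in data:
        bits = [0] + [(byte >> k) & 1 for k in range(8)] + [1]  # start, d0..d7, stop
        for b in bits:
            trace.extend([b] * samples_per_bit)
    trace.extend([1] * (2 * samples_per_bit))    # idle line after the last frame
    return trace


def decode_uart(trace: List[int], sample_rate: float, baud: float) -> Tuple[bytes, List[int]]:
    """Return (decoded bytes, list of sample indices where a framing error occurred).

    A frame starts at a falling edge on an idle-high line. Each bit is read at
    the centre of its bit period, so modest timing jitter does not matter.
    A falling edge whose start bit is not still low at its centre is treated
    as a glitch and skipped. A frame whose stop bit is not high is recorded
    as a framing error and its data byte is discarded (this is also the usual
    symptom of guessing the wrong baud rate).
    """
    samples_per_bit = sample_rate / baud
    out = bytearray()
    framing_errors: List[int] = []
    n = len(trace)
    i = 1
    while i < n:
        if not (trace[i - 1] == 1 and trace[i] == 0):
            i += 1                                   # no falling edge here
            continue
        start = i

        def bit(k: int) -> int:
            # Sample bit k of this frame at the centre of its period.
            idx = int(start + (k + 0.5) * samples_per_bit)
            return trace[idx] if idx < n else 1      # past the capture: line is idle

        if bit(0) != 0:                              # glitch, not a real start bit
            i += 1
            continue
        value = 0
        for k in range(8):
            value |= bit(1 + k) << k                 # LSB first
        if bit(9) == 1:
            out.append(value)
        else:
            framing_errors.append(start)
        i = int(start + 10 * samples_per_bit)        # skip to the end of the frame
    return bytes(out), framing_errors


if __name__ == "__main__":
    baud = 115200
    capture = encode_uart(b"OK\n", samples_per_bit=8)   # constructed, 8 samples per bit
    data, errors = decode_uart(capture, sample_rate=8 * baud, baud=baud)
    print(data, errors)
```

When the decoder reports framing errors on every frame, the first thing to re-check is the baud rate guess: measure the narrowest pulse in the capture, and its width in seconds is one bit period.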

Module 3: Different Types of low-density Memory – Flash and EEPROMs, what they are used for, how they work and how to analyze them. Lots of data dumping involved!

Module 4: Protocols, Second Round – How to deal with SD cards / eMMCs, and how to deal with high-speed protocols and other, less common protocols.

Module 5: Practical Soldering and Rework Skills – Learn how to remove and replace different kinds of electric components using various methods and common tools.

Module 6: Non-Cryptographic Protections – Backdoors and how to spot them (Production vs. Retail backdoors). An overview of cheap protections that manufacturers can use to make attacks harder and how we defeat them. Finding and using debugging ports.

Module 7: Reversing IoT Firmware – Microarchitecture overview. What is the difference between desktop software and embedded firmware. Reversing ARM firmware, by example.


Module 8: Cryptographic Protections – What crypto-based security mechanisms are out there and how to defeat them (different kinds of firmware signature schemes, their limitations, secure boot etc.). What is TOCTOU. Practical examples.


WHAT TO BRING?

  • Laptop
  • Win7 OS as host or VM. You can also use our Virtual Machine image (VMware only)
  • Termite terminal installed, or some other software to interface with serial ports (picocom, minicom etc.)
  • Saleae Logic Analyzer (any model)
  • Latest Saleae Beta software installed
  • 4 GB RAM minimum
  • Bringing a mouse is highly recommended, as well as bringing a USB hub
  • Any device that the attendees would like to test the newly acquired skills on (routers, IP cams, etc.)

WHAT TO EXPECT?

  • Learning how components work and communicate on the low level
  • Understand how an embedded system works
  • Perform basic reversing exercises which will be useful in the real world
  • Learning how to spot common mistakes of manufacturers

WHAT NOT TO EXPECT?

  • Becoming an expert hardware hacker in three days
  • Decaff coffee
  • Disappointment

ABOUT TRAINERS

Javier Vazquez Vidal
Javier is passionate about technology and specializes in hardware and embedded systems security. He studied Electromechanics and Telecommunications, having developed a passion for electronics and technology since his youth. He has been part of several projects that involved well-known hardware, but his first public work was released at Black Hat Arsenal USA 2013, the ECU tool. He also presented the CHT, a tool to take over the CAN network, at Black Hat Asia 2014, and showed how a smart meter can be fully compromised at Black Hat Europe 2014. He is currently working as an IT engineer, and has worked for companies such as Airbus Military and Visteon.

Henrik Ferdinand Nolscher
Ferdinand has been very passionate about information security ever since he was young, and hardware security is a big field of interest for him. In the past, he has worked with Javier on numerous embedded security projects, and together they presented the CANBadger, a novel automotive hacking tool, at Black Hat and DEF CON 2016.