Let's Have a Board Level Talk (i.e., Hardware Interface Boards)
2:55AM Jul 28, 2020
Our next talk will provide an introduction and survey of existing and future boards used to interface with and reverse engineer electronic equipment. We present Bruce Barnett with "Let's Have a Board Level Talk, i.e., Hardware Interface Boards."
Good evening. I'd like to say how great it is to be here and to see everyone. Well, I'd like to. So I'm going to pretend that I'm seeing everyone in the great audience, and you can pretend that you're enjoying this talk. Why learn hardware hacking? It gives you knowledge, it gives you insight to learn how to, for instance, access consoles of embedded systems, reflash firmware on a bricked device, extract and examine the firmware, change the firmware. You can also learn how to reverse engineer systems, which lets you investigate the security of these IoT devices, and really one of the goals is to help improve the security of products sold to the consumer. It also gives you the tools to learn how to debug, fix and create your own equipment, your own electronics. So who should attend this talk? For those who are starting out: what makes sense to buy? After all, some equipment is very expensive, some of it is obsolete, and some is difficult to use. So I'm trying to provide some guidance to those who want to get into hardware hacking, and also help those who have some experience and are looking to maybe learn a few extra tricks or a couple of extra techniques that they might find useful, which way to go. So that's what this talk is about. Also, you'll notice that sometimes when I describe equipment, I highlight certain equipment in yellow. I do that because I think it's a good buy: it's a lot of functionality and the price is pretty reasonable.
Well, that's enough about me.
Here is a tool list of equipment that will be useful when you get involved in hardware hacking. You don't need all of it. As a minimum you just need a multimeter, a soldering iron and a protocol board, and the protocol boards are what I'm focusing on today. You can get by with a total of $40 to $50, and as you get more experienced you can add more equipment to your list.

What is out of scope is anything to do with wireless: no Wi-Fi, RFID or software defined radio. I'm not going to cover any physical layer protocols. I'm not going to cover anything to do with your automobile. No chip layer attacks and no side channel attacks, since this talk focuses on hardware protocol boards.

These are the protocols that are used to interface to embedded systems. First of all, there is firmware or bootloader installation. This is sometimes referred to as In-System Programming, or Arduino uses the term In-Circuit System Programming. Another protocol is a serial interface for terminals. I2C is used for a lot of sensors. Another very useful one is SPI, Serial Peripheral Interface; this is a high speed protocol that is used for displays and for reading and writing flash memory. The JTAG protocol is a very complex protocol that allows for the in-circuit testing and debugging of chips. A variation is Single Wire Debug for ARM chips. And another protocol we will be taking a look at is USB.

Now there's one serial interface that's very simple and very easy to use. Well, not that easy. And besides, I'm not trying to spoon feed you information. I'm talking about the Universal Asynchronous Receiver Transmitter, or UART, essentially the terminal. Now a company that developed a very useful chip was FTDI. They developed this chip that would convert a USB interface into a serial interface. It was a bit expensive, and a lot of clones eventually got developed to copy this chip. FTDI had an interesting response of modifying their Windows drivers so that if they detected that the chip was a clone, it would brick it. That caused a bit of a reaction, but they still make products, they still make some very good products out there, and you might see this product still today. They have cables, as I have shown right here, that plug into your USB port and provide a four wire connection to a serial interface.

There are some more versatile boards out there that allow you to have more functionality, LEDs, and things like that. There is one board I just found out about, and I show a picture of it. It's by DSD TECH, and it's based on the FT232RL chip, and it's only $12. It provides four different voltage levels on a serial interface, which is pretty unusual, and for $12 it's much cheaper than the other products, like the one, for instance, that Adafruit sells for $15. Now there are other chips that will do similar things at a lower cost, not quite as versatile as the ones that I've mentioned.

We tend to think of electronics as a big black box, but let's look inside. There are more than 10,000 different microcontrollers out there, and every vendor has their own preferred solution for programming and debugging these devices. Sometimes they refer to them as an FET, or flash emulation tool. I have listed some of the more popular ones out there, and some of them, you may notice, can be very inexpensive: you can get a clone of an ST-Link, for instance, for $2. There are a few people that prefer to use open source tools. There are many open source programs; they'll give you access to both proprietary hardware and open source hardware. If you want to access a UART interface, for instance, that's pretty simple: you can just use PuTTY or screen or minicom. If you want to access an I2C sensor, for instance, you could first of all use it to scan to identify the addresses, and use some Python libraries to get access to individual sensors. Now if you want to access SPI, typically used for reading or writing various flash memory, there are several programs: AVRDUDE will do this, flashrom, and some Python libraries.
Now when it comes to debugging SWD, for instance, you can use programs such as OpenOCD, GDB, or UrJTAG, which will also work with the JTAG interface. And also there are many proprietary hardware reprogramming protocols, and AVRDUDE will work in many cases for those protocols. Using proprietary hardware has always been a struggle for hackers. Proprietary programmers for the Atmel microprocessors were quite expensive, $200 for instance. Now some software was developed to make use of these. AVRDUDE was created by Brian Dean in 2003, but it wasn't until 2009 that the Bus Pirate and the GoodFET both came out, and I'll talk a little bit more about those later on. Dick Streefland created the USBtiny, which is a do it yourself kit for making your own AVR programmer, and you can still get these kits nowadays; Adafruit sells one for $22, and I show that one on the left. There's also another one that I just got from to pedal electronics that's cheaper, and it has some nice features: different voltage levels, and there's extra protection on it. It only has the one six pin connector, while the Adafruit one has both the six pin and the 10 pin connector. I should mention that these programmers are used to put new firmware into Arduinos.
As I mentioned, the Bus Pirate is one of the first protocol boards. It can understand UART, and you can use it for I2C and SPI, and just a little bit of JTAG. It's a nice device; I really like it. It's very old school, but it's very flexible. For instance, it has a UART based interface, which means you just connect to it using PuTTY or screen or whatever, and you have access to all the functionality; you don't need additional software to make use of it. It has onboard pullup resistors that you can turn on and off from your computer. There are different power levels that you can hook it up to, there's an ADC input pin that you can use to measure voltages, and you can even use it as a very simple oscilloscope. There are macros, a BASIC interpreter, a waveform generator, data logging, and it works with most open source software such as AVRDUDE, flashrom, Arduino for reprogramming Arduinos, and also OpenOCD.

Now there are two versions. Version three is the older one, and that uses a standard cable; you can buy these cables, such as the one I have shown there, plug it in and make use of it. However, because it's 10 years old, it's running out of memory. There's not a lot of extra room. In fact, there are different versions of the firmware, and depending on what features you want, you put different firmware in, because you can't get everything. Now version four has more memory, but it has a different header, so you can't use a standard cable, and also, to quote one of the developers, it's a little flaky. Now there are some other problems with the Bus Pirate. Perhaps the biggest one is that it's old and slow. For instance, reading a flash ROM might take you 30 minutes, and on a modern board this could take 30 seconds. There's also no low level API; if you want to get involved in low level programming using Python or something like that, it's a little difficult to do.
There are other multi-purpose protocol boards out there, and several of them use a chip developed by FTDI, which I've mentioned earlier. It's the FT232H family. This chip is a Multi-Protocol Synchronous Serial Engine, and it has support for UART, SPI, JTAG and SWD, GPIO, a lot of functionality in there. Now the first chip they developed, the FT2232, has support for two different hardware connections simultaneously, so you can have a JTAG and an SPI connection and support both of them with the same chip. The first three boards I've listed below use the FT2232; the other boards use the FT232H chip. In particular, I want to point out the one on the bottom, by a company in China, CJMCU. You can get this board (I've shown a picture of it) for between $7 and $15. It comes with the headers; you have to solder the headers onto the board yourself. But it's a very functional, powerful and low cost chip.

There are a few issues. If you want to use a serial interface, that's fairly easy, because you don't need any additional software to make use of that; you can just use PuTTY without anything special. If you want to use the other protocols, you're going to need some sort of libraries, but they're available. There are several Python libraries, a couple of different ones, and they're not quite identical, so you have to play around with getting the right one to work with the different one. But all of the open source tools I've mentioned will support this chip. Also, one of the problems is that the tutorials are really spread out all over the place; there's not one massive common source that has all this stuff well documented. I was looking, for instance, for how to hook up an I2C device to these chips, and I had a hard time finding the documentation on that. For instance, you need a couple of pull up resistors, and you have to add them yourself.
Also, SWD wasn't well documented. And there is another problem: if you wire up the board that you're debugging and you hook up one of your power lines on the board to one of your data lines, a short, by accident, it could go through the chip and get into your laptop and possibly damage your laptop or desktop. Now one thing that you can do to protect yourself is to have a hub in between your protocol interface board and your laptop, and if the hub has a fuse on it, that would be good, but you don't always know if it has a fuse or not. I will mention that one of the boards that I have described on the last page, the Shikra, has a built in fuse to protect your laptop from this problem.

Now there are two boards that address these issues that you should find very useful. The first is the shoe cramp board. You take your CJMCU breakout board and you plug it into this board, and it provides additional functionality. The second board is the Focaccia board. You take your CJMCU breakout board and you plug it into the Focaccia board, and you have additional functionality as well. Let's talk about how these two boards are similar. They both have jumpers so that you can turn on I2C mode, and turn the pull up resistors on when you want to use them and off when you don't. They also have a jumper to select the voltage you want, 3.3 versus 5 volts, and they both have headers so you can plug in I2C, or, if you want, the 3.3 volt or 5 volt or ground, and you want to connect this to your device; those headers are already there.

Now the shoe cramp board, on the right: first of all, it's smaller, which might be important to you if you're short of space. It also makes all the pins on the FTDI FT232H chip available if you need access to them. It also has one other feature that is nice: it has a built in polyfuse to protect your laptop from being damaged by a short on the board under test.

The Focaccia board, on the left, has a lot of additional headers. It has, for instance, a built in header for SWD and JTAG and UART, so you can just plug something right in. It also has special spots for an SPI test clip, and if you want to plug in a socket for surface mount devices, you can plug that in and make use of it. There are also extra connectors they provide on the end that you can use as a sort of mini breadboard, so you don't need additional hardware to hook up a bunch of wires. And I think the labels are much easier to use. It's a bigger board, but there's a lot of convenience in that.
Now, as to the cost. The Focaccia board is commercially available; you can buy it for $10. Now the shoe cramp board is not, but they provide on their GitHub page directions on how you can get the boards made through a company, and also the parts, and I followed their instructions. You have to order five boards, and by the way, I've never ordered a PCB before, but I found this fairly easy to do. And since you have to order a minimum of five, I changed the BOM, the bill of materials, which only had the parts for one board, to have enough parts for five boards, so I modified the BOM a little bit. I used the suggested software and websites to do this, a company in China, and I used a first time user two dollar coupon, and I was able to get five boards and the parts for all five boards for a total cost of $7.75. That's $1.55 each, which I thought was a pretty good price. And like I said, it's pretty easy to do; all you need to do is add your FT232 chip onto the board.

Now, there is another big difference when you solder the header onto your breakout board. On the shoe cramp board, the header goes underneath the chip. In other words, the chip is on the top of the board, the header is underneath, and when you plug it into the shoe cramp board you can see the chip. The Focaccia board is the opposite. When you solder the header onto the chip, the headers go on the same side as the chip, so when you plug that board onto the Focaccia board the chip is underneath; you don't see the FT232 chip, and the picture there should show the difference. So be aware of that. Both these boards will really make your life a lot easier if you make use of them.

I should mention two more things. The first is that since the shoe cramp board is do it yourself, you have to solder it up yourself. There are a couple of components that are surface mounted, the polyfuse for instance, but the pads are very large, so I did not find it hard at all to solder those two components onto the board. The other thing is that the Focaccia board has sockets, so you can plug different SMT sockets onto the board, and you can get several different eight pin sockets for different sizes. So that's very convenient; you could just change the socket, plug a different socket in, and if you unsolder a surface mount flash chip, you can put it into the socket and use that to read or write your ROM.

There are several specialized boards that I'd like to mention. James Bowman has a company, Excamera, and he makes these two dedicated boards. They both have Python interfaces; one is just for I2C, the other one is just for SPI. But the nice thing about them is they have a very nice display, and they show you the logic levels of what's going on, and they measure the voltages on the board, and it could be a very useful way to diagnose problems that you have with these sorts of devices. Another board that's very useful for professionals is the JTAGulator. One of the problems you have when you're trying to interface with or reverse engineer a board is trying to identify where the JTAG or UART interfaces are. Now you can do this with some software that you can put on an Arduino and make use of, but there are a limited number of pins that they have. The JTAGulator has 24 pins, and you can hook up all 24 pins and tell it to do a brute force search of all the different pins and try to identify UART and JTAG interfaces. So it really can save time compared to doing it manually. The HydraBus is another general purpose board. I haven't used it myself, but it has a lot of features, and I want to mention it; in particular, it has an NFC shield that some people might find useful. A very good debugger is the Black Magic Probe. This allows you, especially if you've got your own source code and are using the GDB debugger already, to integrate your debugger session into the hardware, so you can test your hardware using your own source code. It's like ST-Link, but this is all open source. It only works with some processors, but it does use the standard GNU software toolchain, which is very nice.
There are some debuggers where you have to use OpenOCD as a way to hook things up; with this you don't need to do that, or different operating systems. Now, one thing to mention is that because it's open source, people have developed clones of this device. On Amazon, for instance, there's something called the Jeff Probe, which is a lot less expensive, and another one I've seen on Tindie, the Bumpy, that's only $12. I've even had reports of people who have used the $2 ST-Link V2 clone they got from China and put some of the functionality of the Black Magic Probe onto those devices.

I mentioned the GoodFET before, but that's pretty much obsolete. It's been 10 years and we need something better, so Michael Ossmann created something he's called the GreatFET, and this is designed for the future. It has a lot of capability. It's FPGA based, so it's got a lot of performance. There are two USB ports on it, which means that you can do some USB protocol hacking. It's got 100 I/O pins. It has support for all the different protocols, it has a logic analyzer in there, an A to D. It has a lot of functionality; some things it doesn't have: it only has like one voltage level, so you need what they call "neighbor" boards that plug onto it to add additional functionality. So there are plans, for instance, for radio or IR, maybe a software defined radio, level shifters to handle different voltages, infrared; you know, the plan for the future for this device. Now one of the things they've done recently with it that I think is really kind of cool: they've made this as an add-on to the software defined radio, so you can use GNU Radio Companion, and you'll put this board in, and this allows you to hook up a DSP onto your software defined radio. For instance, they've used this to take a little $2 module, hook it onto the GreatFET as a DSP, process it and make it into a guitar preamp.

Now there's a lot of other things that this device can do, and the software is constantly evolving, so it's really a board for the future. There's some functionality there if you like looking at what the next generation board is going to look like. Expect to see a lot of things coming out of the GreatFET.
I'd like to talk about some of the boards that are coming out in the future. I don't know which ones will handle the flying cars, but there are some exciting boards out there. For instance, if you're interested in USB protocol hacking, well, originally there was one called the Facedancer, and that was replaced by the GreatFET, which was designed for USB hacking, but Kate Temkin has taken the GreatFET and she's decided to come up with a specialized board just for USB hacking; she's called it the LUNA board. I don't know when that's coming out, but you may want to keep an eye out for that. Another board that is supposed to come out is the replacement for the Bus Pirate, called the Bus Pirate Ultra. Apparently it's in beta test. I don't know a lot about it, but some of the specs do look pretty interesting. Now, one of the things I liked about the Bus Pirate is that it had a lot of the software integrated into the board, so it made it really easy to use. And this board, for instance, is going to have both a CPU and an FPGA for performance. There's also a connector for a display, so you can plug in a display and you might be able to make it a self contained unit. It's going to have a programmable power supply. It's going to have eight pins, and like the Bus Pirate you can measure the voltage on each of the I/O pins. It's going to have pull up resistors that you can turn on and off, and it's designed to have a built in logic analyzer that you can use; it would have a second USB connector if you want to do data collection while you're using it. That's really exciting, but I have no idea when it's, or if it's, coming out.

There's another board that I'm really excited about called the Glasgow board, and you can sign up on Crowd Supply to get on the mailing list to find out when it gets released, because it is going to be coming out. Now this is a general purpose board. The way the author describes it is a combination of Bus Pirate and Bus Blaster and Logic Sniffer all in one. It's got five different voltage levels that you can select from, and it has 16 pins, and apparently, software wise, you can still make the 16 pins connect to anything; you don't have to have dedicated pins hooked up to particular protocol pins. It's got an FPGA, and it's supposed to have a lot of functionality, and I saw one estimate of about $100 for this board when it comes out. But one of his colleagues, or one of his friends, I guess, is coming up with a board that he's trying to make more economical; it's called the Edinburg board, and it uses some lower cost parts and maybe a different manufacturing process to lower the cost. So both these boards are coming out, so keep an eye on those.

Now the same person who developed the low cost Focaccia board, and also made it available for purchase, has hinted at a new board he calls the berlina board, and again it looks a little similar, maybe in concept, where you take these breakout boards and plug them into this board and add some functionality. All I know about it is this picture, and looking at it, it looks like it's got an ESP8266 chip on there, and maybe a long range radio, so this might be a board that can be used for exploring some wireless protocols. So keep an eye out for that; it looks pretty interesting.

Now I hope that I've shown you that you want to have a multimeter, and I can recommend some low cost multimeters, and a soldering iron, and for the cost of maybe $20 more, a little bit more, you could get yourself a hardware kit that lets you get access and start learning how to do some hardware hacking of embedded systems.

Now I've got some recommended resources you might find useful. There's one gentleman from the Netherlands, called eulas, who has a set of streaming videos where he shows people how to do it, and it's called Avoiding Warranties. For instance, the first one I've listed there shows how, using just a multimeter and a UART interface, he identifies the UART connections of a WRT54G, and he goes through step by step how he goes about it in about two minutes. So that's all you need to get started when you have some hardware you want to take a look at, and the techniques used for that particular router you can use for other devices as well. So that's a great introduction, and he has a whole series of videos showing how he hacks into various devices using inexpensive equipment. I have also included Mark Carney's book, which is a draft of a book on pen testing hardware, and a list of curated resources. There's also a podcast, the Unnamed Reverse Engineering Podcast, that you might find useful, and I've got my own website and my own Twitter feed that you might find useful as well.
Now you're all set. I've given you a selection of some tools to get, some that don't cost too much. Find a device to hack, open it up, see what you can discover. You don't want to destroy your equipment, so remember to find the ground on the device first, find all the different ground points, measure the voltages, and once you have the voltages, then you have a better idea of how you connect your hardware onto this board under test. Then you try to discover the interfaces, and you've got the tools; I've mentioned the software. Now you can learn how to use the software and find out how you can, you know, read the ROM. Try to reverse engineer it, try to look inside it for information, see what you can learn, and be sure to tell your friends what you discover. Here's a list of Twitter feeds that I found very valuable as I learned how to use this equipment, and I want to give thanks to them, and perhaps you can also follow them on Twitter. So thank you for hanging on to the end. I hope you found this talk useful, and I'll be glad to answer any questions that I can.
This is "Let's Have a Board Level Talk" with Bruce Barnett. We'd like to invite those of you attending HOPE 2020 to ask your own questions. Please post your questions to the live stream Q&A channel in our Matrix chat, and they will be relayed here.
Bruce, we have a question from the audience for you.
The audience member asks: you mentioned some of the companies you order from. Is it possible to avoid some of the low cost Chinese companies? Do you have preferred suppliers, or do you mostly just focus on the least expensive?
No. I do a lot of purchasing when I get involved in the early crowdsourcing, the crowdfunding stage. I bought a lot of the products, and I do that because I want to support the developers, the people who are doing the hard work, the people who are doing the creative work. I try to buy from them when I can, and if I can't, I try to see if I can buy from some recommended resellers of the product, whenever possible. Sometimes, for some of the low cost boards, you know, I get them because they're just the $5 or $7 boards, you know, no big deal, but the higher quality boards, the boards that really show the creativity, I try to buy them from the originators when possible.
A member of the audience asks: many hackers try to foster curiosity among youngsters. How would you suggest taking some of your talk's ideas to the younger generation?
Well, I think one of the things that I tried to point out is that for just maybe 20 bucks or so in hardware, you can start having some hardware that you can use to start exploring with, probing around with. I mean, you can also use it to interface to your own, you know, digital electronics if you want to, you know, debug some Arduino code or something like that; the Arduinos always have SPI or I2C interfaces on them, and you can try to drive them directly yourself. You can also learn to use Python to interface to these things, because most of the boards I talked about have a Python interface, so you have that as a programming language to play around with. So I think that's a pretty good start for something low cost, to let them play around with some of these things.
A member of the audience asks: so what's your preferred debugging environment? I've used gdbtk to work on an ARM7 platform running the experts, using JTAG for ICD, but I had all the source that I was tracing through. If you don't have the source for the running embedded system, then what are you using to do your tracing?
Well, I'm gonna have to, you know, pass on that. I can't really say I have a preferred recommendation for that. I think it's best to learn what you know, or what you have the resources to get into. Maybe you've got some people, you know, that can give you some guidance, or maybe you've got some people from work, and you know, they support some commercial tools you might find useful. So it all depends on your own environment and your own teammates.
You're asked: can you suggest any good USB oscilloscopes?
Ah, well, there are expensive ones and there are cheap ones; the cheap ones tend to go for about 50 to 100 bucks or so. A lot of people have said that the USB ones are great for portability, and I think I've got some that all fit in your pocket. But a lot of people say if you really want to learn to use an oscilloscope, save up your money and get a real one. There is one whose list price is like $350, the Rigol for instance, and I was able to pick it up used for 200 bucks, and if you're talking 50 to 100 bucks for a USB one, you can get a real, world class oscilloscope, four channel, for 200 bucks, you know, if you can do that, that's what you can do. But other than that, you know, just try. I've bought several USB oscilloscopes, and the money I spent on all of them put together probably could have bought a real oscilloscope.
What qualities do you look for in an oscilloscope, if you're shopping?
A lot of people like a, you know, four channel, because then you can do some logic of what's going on. That's kind of useful in this work, you know, especially with some of the protocols like SPI and I2C and all that; four channels help an awful lot.
An audience member asks: some of the audience were talking about cyber physical systems like BattleBots. Any guidance on how to approach this?
I'd like to play around with it, but I just don't have the time. Redundancy, redundancy.
Sure, sure. Um, we were asked: do you have any opinion on the SP tech laboratory?
No, I'm not familiar with that.
Oh, you know, one thing I want to mention: that persino board that I was mentioning, just coming out. I just noticed the guy announced, about six hours ago, that the board is now an open source board, and he plans to make it available at a low cost, and you can plug in a NodeMCU, and then a TI CC1101 chip for a one gigahertz radio, so it sounds pretty interesting. It's supposed to have the capability of automatically detecting UART interfaces on a board. So that sounds kind of sweet. And one of the things: on my Twitter feed, I have a list that I put together for this talk of all the people I've recommended that you follow on Twitter. If you go to my Twitter account, I have a list called HOPE 2020. If you click on that, you get all the people that I mentioned at the top, and you can follow them with one click.
Now, what's your Twitter username?
Grymoire.
A member of the audience asks: what are your favorite information resources for news about forthcoming boards, for sharing information about how to use some of these new boards?
That's the Twitter feed I just mentioned.
That's where I find out about this stuff, and I learned about these things because they spin that, and you also find out when things are coming out, and it gives you some insight as to here's some new boards coming out, or here's a new crowdfunded project that we're working on. So that's how I keep in touch with these things.
Any in particular that come to mind? Just ones you really, really like or get a lot out of?
Um, I'm really trying to learn as much as I can about these things. I'm trying to study up on better tutorials on them, to let people know how to use them. That's been my goal right now: learning and sharing what I've learned from this.
We've got a little bit of time left. Please keep your questions coming to the session Q&A channel in our Matrix chat.
There's definitely a lot of activity going on in our Matrix chat, and I highly recommend that for anybody watching HOPE talks, just get involved, because at this HOPE, unlike other HOPEs, you can talk amongst yourselves in the audience without being rude, which is neat.
And I'll join in a few minutes, as soon as I get off this.
We're being asked to repeat the Twitter username for the Twitter feeds.
Grymoire, G-R-Y-M-O-I-R-E. Grymoire on Twitter. And, yeah, it's on all my slides too.
Excellent.
You're watching "Let's Have a Board Level Talk" with Bruce Barnett.