├── README.md
└── my_talks
    └── Hardware_Hacking_101
        ├── Exercises.pdf
        ├── Hardware_Hacking_101.pdf
        ├── README.md
        └── course_pack
            ├── HydraFW Binary SPI.pdf
            ├── HydraFW_Default_PinAssignment.png
            ├── NAND
            │   ├── .DS_Store
            │   ├── HydraFW NAND Flash guide.pdf
            │   ├── HydraFW binary NAND Flash mode guide.pdf
            │   └── Logic
            │       ├── 1.png
            │       ├── 2.png
            │       ├── 3.png
            │       └── Micron-16M.logicdata
            ├── dump_flash.py
            └── tplink
                ├── DS-00088-GD25Q32C-Rev1.6.pdf
                └── board_layout.png

/README.md:
--------------------------------------------------------------------------------
# My Public content
* BSides Munich 2019 Workshop - "Hardware Hacking 101"
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/Exercises.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/Exercises.pdf
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/Hardware_Hacking_101.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/Hardware_Hacking_101.pdf
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/README.md:
--------------------------------------------------------------------------------
# Hardware Hacking 101
License: Attribution-NonCommercial-ShareAlike CC BY-NC-SA

## Workshop @ BSides Munich 2019

Authors:
@RabbitPro
@ickyphuz

Abstract
The Hardware Hacking workshop aims to provide a solid base for everyone who would like to start with hardware hacking but does not know where to begin.
Participants will learn how to approach unknown hardware, how to find and connect to debug ports, and how to turn documentation into an offensive context, which is also part of the practical assignments during the training. Participants get a mix of theory and hands-on hacking experience.

After the workshop, participants will have enough knowledge to continue hardware hacking on their own. It will also be a good base for further research on the topic.

No prior hardware hacking knowledge is required from attendees. However, a good knowledge of computer science and the Linux command line is highly beneficial for completing the assignments.

Let’s pwn that router together!

Course outline:
* What tools are used in hardware hacking
* How to read the design of the hardware board (PCB)
* What the UART and JTAG interfaces are and how they can be used for hardware hacking
* What the SPI protocol is and how to use it to dump the memory of the device
* What the differences between memory types are
* How to analyze the firmware
* How to read datasheets

Special thanks to @Frozen_Maize for providing class support and to @bvernoux for the extra NFC shields
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/HydraFW Binary SPI.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/HydraFW Binary SPI.pdf
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/HydraFW_Default_PinAssignment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/HydraFW_Default_PinAssignment.png
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/NAND/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/NAND/.DS_Store
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/NAND/HydraFW NAND Flash guide.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/NAND/HydraFW NAND Flash guide.pdf
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/NAND/HydraFW binary NAND Flash mode guide.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/NAND/HydraFW binary NAND Flash mode guide.pdf
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/NAND/Logic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/NAND/Logic/1.png
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/NAND/Logic/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/NAND/Logic/2.png
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/NAND/Logic/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/NAND/Logic/3.png
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/NAND/Logic/Micron-16M.logicdata:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/NAND/Logic/Micron-16M.logicdata
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/dump_flash.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

import struct

import serial

# Fix the values based on the datasheet and the HydraBus documentation
HB_MODE_SPI1 = b'\xYY'    # Set HydraBus to SPI1 mode
HB_FREQUENCY = b'\xYY'    # Set HydraBus to a frequency
NOR_ADDRESS = 0x          # Set the address of the first page to read from
NOR_SECTORS =             # Set the number of sectors on the NOR flash
NOR_SECTOR_SIZE =         # Set the NOR flash sector size (must match the 0x1000 read length used below)

DEVICE = ''               # Set USB device (the HydraBus serial port)

# Open serial port
ser = serial.Serial(DEVICE, 115200)

# Enter binary (BBIO) mode: HydraBus answers "BBIO1" after receiving 20 zero bytes
for i in range(20):
    ser.write(b'\x00')
if b'BBIO1' not in ser.read(5):
    print("Could not get into binary mode")
    quit()

# Switch to SPI mode
ser.write(HB_MODE_SPI1)
if b'SPI' not in ser.read(4):
    print("Cannot set SPI mode")
    quit()

# Frequency: write-then-read header (1 byte out, 0 bytes in) followed by the frequency byte
ser.write(b'\x04\x00\x01\x00\x00')
ser.write(HB_FREQUENCY)
if ser.read(1):
    print("Frequency changed")

with open('/tmp/tplink.img', 'wb') as fout:
    while NOR_ADDRESS < NOR_SECTOR_SIZE * NOR_SECTORS:
        # Write-then-read: 4 bytes out (READ 0x03 + 24-bit address), 0x1000 bytes in
        ser.write(b'\x04\x00\x04\x10\x00')
        ser.write(b'\x03' + struct.pack('>I', NOR_ADDRESS)[1:])  # 24-bit big-endian address
        ser.read(1)  # read HydraBus status return (not checked here)
        buff = ser.read(NOR_SECTOR_SIZE)
        fout.write(buff)
        print("Reading address %x" % NOR_ADDRESS)

        NOR_ADDRESS += NOR_SECTOR_SIZE

# Reset to the main binary mode, then return HydraBus to its console
ser.write(b'\x00')
ser.write(b'\x0F\n')
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/tplink/DS-00088-GD25Q32C-Rev1.6.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/tplink/DS-00088-GD25Q32C-Rev1.6.pdf
--------------------------------------------------------------------------------
/my_talks/Hardware_Hacking_101/course_pack/tplink/board_layout.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rdomanski/hardware_hacking/364a64f49e1afaba28a5a9abf767e9d86cf20f2f/my_talks/Hardware_Hacking_101/course_pack/tplink/board_layout.png
--------------------------------------------------------------------------------
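As an added example (not part of the course pack or HydraFW), the HydraFW write-then-read exchange that dump_flash.py performs per sector, modelled offline: `read_frame` builds the same 5-byte header plus READ 0x03 and 24-bit address the script writes, `FakeHydraBus` stands in for the serial port and answers with a status byte followed by the requested bytes, and `dump`/`erased_sectors` add two checks the script skips (the status byte, and a dump that came back entirely erased). The names, the 0x01 success status and the 3-sector flash image are my assumptions/constructed.

```python
import struct

SPI_READ = 0x03            # NOR flash READ opcode, followed by a 24-bit address
HB_WRITE_THEN_READ = 0x04  # HydraFW binary SPI: write N bytes, then read M bytes
HB_STATUS_OK = b"\x01"     # assumption: HydraFW answers 0x01 before the read data

# Constructed 3-sector image with 16-byte sectors: data, an erased (0xFF) sector, data.
SECTOR = 16
IMAGE = bytes(range(16)) + b"\xff" * 16 + b"\xa5" * 16


def read_frame(addr, count):
    """Bytes dump_flash.py sends per sector: 5-byte BBIO header, then READ + address."""
    if not 0 <= addr < 1 << 24:
        raise ValueError("address must fit in 24 bits")
    header = struct.pack(">BHH", HB_WRITE_THEN_READ, 4, count)  # 4 bytes out, count in
    return header + bytes([SPI_READ]) + addr.to_bytes(3, "big")


class FakeHydraBus:  # serial-port stand-in: parses one frame per write(), serves IMAGE
    def __init__(self, image):
        self.image, self.tx = image, bytearray()

    def write(self, frame):
        op, wlen, rlen = struct.unpack(">BHH", frame[:5])
        payload = frame[5:5 + wlen]
        if op != HB_WRITE_THEN_READ or payload[:1] != bytes([SPI_READ]):
            self.tx += b"\x00"                      # error status, no data follows
            return
        addr = int.from_bytes(payload[1:4], "big")
        self.tx += HB_STATUS_OK + self.image[addr:addr + rlen]

    def read(self, n):
        out, self.tx = bytes(self.tx[:n]), self.tx[n:]
        return out


def dump(port, sector_size, sectors):
    """The loop from dump_flash.py, but checking the status byte the script discards."""
    out = bytearray()
    for addr in range(0, sector_size * sectors, sector_size):
        port.write(read_frame(addr, sector_size))
        if port.read(1) != HB_STATUS_OK:
            raise IOError("HydraBus rejected the read at 0x%06x" % addr)
        out += port.read(sector_size)
    return bytes(out)


def erased_sectors(image, sector_size):
    """Indices of all-0xFF sectors; a fully erased dump usually means a wiring or CS problem."""
    blank = b"\xff" * sector_size
    return [i for i in range(len(image) // sector_size)
            if image[i * sector_size:(i + 1) * sector_size] == blank]
```

With `count` set to 0x1000 the header is exactly the `\x04\x00\x04\x10\x00` the script hard-codes, which is why NOR_SECTOR_SIZE must match it.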