Intro to the Hackers lab
As asked in The Hackers lab - Rpi Edition by @VVid0w, he and I will now collaborate when writing this series about hardware and essentials a hacker should have to solve the task efficiently.
Today with a 100% fresh portion about debugging/reversing.
What is a Bus Pirate?
Aye Captain, you’ve come to the right place to learn about it. But first things first: it doesn’t have a wooden leg or a parrot, and it doesn’t own a mighty boat.
So what is it?
“The Bus Pirate is an open source hacker multi-tool that talks to electronic stuff”.
The special thing about the Bus Pirate is that it supports multiple protocols:
- 1-Wire
- I2C*
- SPI
- JTAG
- Asynchronous serial
- MIDI
- PC keyboard
- HD44780 LCD
- 2- and 3-wire libraries with bitwise pin control
- Scriptable binary bitbang, 1-Wire, I2C, SPI, and UART modes
On top of that, it’s a very affordable piece of hardware. So for anyone who wants to explore the depths of debugging or reversing a piece of firmware on an embedded device, this might be a good tool to start with!
Use cases
So basically you are trying to identify a debugging port on your piece of hardware and hook your Bus Pirate to it.
And now what?
The next step is firing up a serial port communications program. If you don’t have one yet, minicom is one example; there are also picocom, cutecom and many more.
After connecting the Bus Pirate to the computer for the first time, you need to check that it was recognized and which serial port it is operating on. Usually it will be something like ‘ttyUSB0’.
When firing up the communication tool, you need to check that the ‘communication device’ (our Bus Pirate) is set to the correct port, e.g. ttyUSB0 from the example above.
Afterwards the Bus Pirate offers a variety of configuration possibilities for each protocol (depending on which one you choose). When everything is set up, you can start the hardware the Bus Pirate is wired to.
In the example below an older router was examined and a UART debug port was found.
When starting the hardware with the Bus Pirate attached, you can watch the complete boot procedure, which shows for example:
- what hardware is used
- at which address the boot process starts
- and much more.
You might ask yourself now why you should do all the hard work of identifying a debug port and buying a Bus Pirate.
I’ll give you an answer. You will be rewarded with a shell to explore on the hardware, as shown below.
From here the real fun starts! One can:
- explore the complete firmware
- see what binaries are on board
- find where sensitive information is located, e.g. encryption stuff or standard passwords
- …
Demo
I hooked up my Bus Pirate to an old router of mine and started minicom:
After a while within the boot procedure a line appeared which said: “Please press Enter to activate this console”
This is what we want, because here we have (almost) full control over the system. Even when the provided set of commands is limited, one can still try to trick the system into doing something it was never meant to do.
A next step could be dumping information or the whole firmware over the found debug port.
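Once the serial program has saved the boot output to a file, the facts listed above (hardware, boot address, console prompt) can be pulled out of it for a hardware security review. The following is an added example, not code from the original post: the sample log, its line formats and the function name `summarize_boot_log` are constructed assumptions, and the "no login prompt" check is only a heuristic.

```python
import re

# Constructed sample of a router's UART boot output (not from a real device).
SAMPLE_LOG = """\
U-Boot 1.1.4 (constructed sample)
CPU:   ExampleSoC rev 2
DRAM:  32 MB
Flash:  8 MB
## Booting image at 9f020000 ...
0x00000000-0x00020000 : "u-boot"
0x00020000-0x007f0000 : "firmware"
0x007f0000-0x00800000 : "art"
Please press Enter to activate this console.
"""

# Line formats below are assumptions modelled on the constructed sample.
HW_RE = re.compile(r"^(CPU|DRAM|Flash):\s*(.+)$")
BOOT_RE = re.compile(r"Booting image at ([0-9a-fA-F]+)")
PART_RE = re.compile(r'^0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')
CONSOLE_PROMPT = "Please press Enter to activate this console"
LOGIN_RE = re.compile(r"\blogin:\s*$", re.IGNORECASE)


def summarize_boot_log(text):
    """Extract hardware info, boot address, flash layout and console state."""
    report = {"hardware": {}, "boot_address": None, "partitions": [],
              "console_prompt": False, "login_prompt": False}
    for raw in text.splitlines():
        line = raw.strip("\r\n\x00 ")  # serial captures often carry CR/NUL noise
        if m := HW_RE.match(line):
            report["hardware"][m.group(1)] = m.group(2).strip()
        elif m := BOOT_RE.search(line):
            report["boot_address"] = int(m.group(1), 16)
        elif m := PART_RE.match(line):
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            report["partitions"].append((m.group(3), start, end - start))
        elif CONSOLE_PROMPT in line:
            report["console_prompt"] = True
        elif LOGIN_RE.search(line):
            report["login_prompt"] = True
    # Heuristic: a console offered on Enter with no login prompt in the capture
    # suggests the debug port is not protected by authentication; flag it.
    report["console_without_login"] = (
        report["console_prompt"] and not report["login_prompt"])
    return report


if __name__ == "__main__":
    for key, value in summarize_boot_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A `console_without_login` result is worth recording as a finding: anyone with physical access to the board gets the same console.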
Questions:
- What gadgets do you use for debugging hardware? Any favorites?
- Should I continue this series with a more in-depth article about:
  2.1 How to find a debug port?
  2.2 How to dump firmware/interesting information?