The Hackers Lab - Bus Pirate

Intro to the Hackers lab

As asked in the The Hackers lab - Rpi Edition by @VVid0w, he and I will now collaborate when writing this series about hardware and essentials a hacker should have to solve the task efficiently

Today with a 100% fresh portion about debugging/reversing

---

What is a Bus Pirate?

Aye Captain you’ve come to the right place to learn about it. But first things first. It doesn’t have a wooden leg, a parrot and doesn’t own a mighty boat.
So what is it?
“The Bus Pirate is an open source hacker multi-tool that talks to electronic stuff”.

The special thing about the Bus Pirate is that he supports multiple protocols:

1. 1-Wire
   

2. I2C*
   

3. SPI
   

4. JTAG
   

5. Asynchronous serial
   

6. MIDI
   

7. PC keyboard
   

8. HD44780 LCD
   

9. 2- and 3-wire libraries with bitwise pin control
   

10. Scriptable binary bitbang, 1-Wire, I2C, SPI, and UART modes

On top of that its a very affordable piece of hardware. So for every person who wants to explore the depth of debugging or reversing a piece of firmware on an embedded device this might be a good tool to start with!

---

Use cases

So basically you are trying to identify a debugging port on your piece of hardware and hook your Bus Pirate to it.

And now what?

Next step is firing up a serial port communications program, so if you don’t have one yet an example for that would be minicom. Theres also picocom, cutecom and many more.

After connecting the Bus Pirate to the computer for the first time you need to check if it was recognized and on what serial port it is operating. Usually it will be something like ‘ttyUSB0’.

When firing up the communication tool one need to check if the ‘communication device (our Bus Pirate)’ is set to the correct port -> e.g.: ttyUSB0 from the example above.

Afterwards the Bus Pirate offers a variety for configuration possibilities for each protocol ( depending on which one you choose ). When everything is set and done one can start the hardware the Bus Pirate is wired to.
In the example below an older router was examined and an UART debug port was found.
When starting the hardware with the Bus Pirate attached one can see the complete boot procedure which is done, for example:

• what hardware is used
• at which address the boot process starts
• and much more.

You might question yourself now why to do all the hard work with identifying a debug port and buying a Bus Pirate?

I’ll give you an answer. You will be rewarded with a shell to explore on the hardware like shown below.
From here the real fun starts! One can:

• explore the complete firmware
• what binaries are on board
• where are sensitive information located e.g.: encryption stuff or standard passwords
• …

Demo

hooked up my Bus Pirate to an old router of mine and started minicom:
After a while within the boot procedure a line appeared which said: “Please press Enter to activate this console”
This is what we want, because here we have (almost) full control over the system, even when the provided set of commands is limited one can still try to trick the system in doing something it never wanted to

A next step could be dumping information or the whole firmware over the found debug port.

---

##Questions:

1. What gadgets do you use for debugging hardware? Any favorites?
2. Should I continue this series with a more in depth article about:
   2.1 How to find a debug port?
   2.2 How to dump firmware/ interesting information ?

I own one of these. Extremely useful!

1. The good old digital multimeter & oscilloscope are the tools that makes a hardware hacker. Don’t you dare consider yourself as one if you don’t have these two! To read firmware from PIC’s, I use a “PICKit 2” debugger from Microchip. But the multimeter & oscilloscope are my bae’s because I am not a fan of firmware. I work on the very VERY low level, where everything is just current, magnetism, induction, and other physics. NO software.

2. You should write an article on how to dump firmware. The other thing isn’t that difficult.

-Phoenix750

Good choice for starting the series @ricksanchez

I personally haven’t got a bus pirate. I was considering buying one, but for most of the stuff I do, I can go with a Rpi or my beloved BeableBone and bit-banging interfaces in worst case.

Your both article proposals sounds good… I guess that, at least in the simplest cases, it will be helpful to find debug ports in order to dump firmware…

@anon79434934 sure an article about a multimeter and oscilloscope could follow too! At least some basics on why have them and what are they used for. I’ll check out the “PICKit2” because it doesn’t ring a bell right now.

@0x00pf Thanks. Sure if you have other use cases where you already have appropriate hardware for you don’t need one. But you’re correct for the articles, maybe I’ll just write a longer article including both topics next time!

Awesome article! I’ll be looking into getting one of these sometime soon.

1.) I don’t really do hardware hacking, but I have this thing. I don’t remember what it is, how to use it, or what I got it for…but I have one lmfao.

2.) I absolutely think you should do both! People like me that don’t do much with hardware hacking but are interested in it would benefit greatly from articles like those.

@ricksanchez Sounds great! Gives me time to only focus on physics related to hardware

-Phoenix750

@VVid0w looks like the typical USB to Serial-TTL adapter. Just plug it in your computer and the other end to a serial port, fire minicom and there you go (it is probably Serial TTL so it may be 3.3V or 5V… do not plug it into a 12V RS-232C )

Oh, alright! Thank you! I’ll definitely be opening up some gadgets in my house to see what I can find now.

thanks partner

2.) I’ll do so then, the demand or at least a basic interest seems to be there :). Just give me some time :D!

I love this series. It follows some depth but it doesn’t spoon-feed you.

Many underestimate how powerful having physical access to a device such as a router gives you an insight to it’s design, and therefore any security flaws.

It’s also cool to think you can get root access to your fridge with this method.

I can’t wait to see the next installments of this series. Keep up the good work!

- pry0cc

Thanks pry. I did try to keep it short but informative.
Definitely! Getting root access to any hardware can be devastating and regarding ‘our future’ everything looks like it’ll be having some kind of OS sooner or later which we can access through different means.
I’ll try to push out another article fairly soon.

Great article! I’ ll definitely get one. Could help me to gain access to my ISP’s modem which is so rare that there aren’t any usable exploits

Thanks! And I’m sure you will gain access to that router if there is a debug port on there. There always is a way to access the file system somehow

Currently my favorite is Rigol DS1054Z oscilloscope. The best thing about this particular oscilloscope is that there is a keygen that turns it into much more expensive 100 MHz oscilloscope. So you get a 4 channel 100 MHz oscilloscope for a price of something more like 2 channel and 70 MHz. There are a lot of corresponding videos on youtube.

It’s definitely a very solid option when trying to get into the whole hardware hacking/debugging/maintenance thing!
I was peeking at the same model when trying to fill my shopping basket with tools for my home lab ( still incomplete sadly ).
The “patch” to upgrade it to a better model makes it so worth buying imho, since it offers a great value for price then!

//Edit: for people reading this now since it popped up after so much time:
I do not recommend getting a digital oscilloscope first if you need to watch your money, since it’s one of the more expensive tools to own, especially if you want a more high end one!

Awww, I was hoping it was a tutorial on creating one