The Hackers Lab - Where's the logic?

Good morning fellow readers,

Preface

I decided to write another beginner tutorial before we step into deeper water, so that everyone who’s interested in following along has basically the same knowledge base when it gets more complex. If you’re more advanced and already know what I’m writing about, I’d still appreciate some feedback about the writing itself.

Intro

Last time we got to know the Bus Pirate, who can be seen as a “stupid doer”: he does what you tell him to do, much like the cool kids in high school who stole the car because they wanted to belong to the cool gang. /s
This time we’re taking a closer look at the silent kid in the back row. He’s the thinker, and he tries to understand his surroundings.
Some people may be thinking now: “What the heck is he talking about? Am I still on 0x00sec?” Don’t worry, friend, you’re in the correct place.
So what am I talking about?
The answer is the logic analyzer. It can be seen as the step before actively communicating with the hardware, e.g. through the Bus Pirate: first listen and understand, then talk.

Excursion

Before we can connect a gadget (e.g. a Bus Pirate or a logic analyzer) to a debug port we have to find one, right? This is a basic step and most likely not worth an article of its own, because most of the work here is trying things out and researching yourself, so I’ll add this little section here.
So the question is: how do you find a debug port? Here is the short step-by-step list I usually follow. It may vary as the complexity of the hardware rises.
1.) Open the casing. Duh…
2.) Try to identify common debug ports on the mainboard.
2.1) But how? UART and JTAG, for example, are fairly easy to spot right away because they mostly use a standard pinout. See below for more information.
2.1.0) Always identify a GND pin first, using a multimeter! With the device powered off, put the meter in continuity mode and probe the candidate pin against a known ground, such as the metal shield of a connector or the negative side of the power input; a beep means you have found GND. Every probe you attach later (logic analyzer, Bus Pirate) needs that common ground as its reference, otherwise the captured levels are meaningless.
3.) Look for eye-catching/suspicious pin headers or rows of unpopulated pads.
3.1) If you found some, use a multimeter or oscilloscope to find a data signal: a pin that sits at a steady logic level (e.g. 3.3 V) while idle and fluctuates during boot is a good candidate for TxD. Then it’s fairly easy to tell which port you have in front of you from the number of other pins next to the data pin (see the UART and JTAG notes below).
4.) If you’re not making any progress, look for a mainboard label or chip markings and find the datasheet!

UART: usually a row of four pins (VCC, GND, TxD, RxD), sometimes only three without VCC. TxD idles at logic high (typically 3.3 V) and only drops low while bytes are sent, so it is the pin that “flickers” during boot.

JTAG: a larger header, commonly 10, 14 or 20 pins, carrying TCK, TMS, TDI and TDO (often nTRST as well) plus GND and VCC. Without silkscreen labels you have to work out the individual signals with a multimeter or by following the traces to the CPU.

The Logic Analyzer

Here is another affordable one I used myself at the beginning: the Open Bench Logic Sniffer.

So what is a logic analyzer? In the end it’s nothing more than a gadget that samples digital signals and forwards the samples to software on your computer (hardware -> logic analyzer -> PC). As the arrows show, there is NO communication happening in the other direction; it just listens. Two things follow from that: it only understands digital levels (a line is either high or low; analogue signals need an oscilloscope), and it must sample faster than the signal changes, so set the sample rate to at least several times the bit rate you expect (e.g. a few MHz for a 115200 baud UART). Also check the voltage on the pins first: most hobbyist analyzers are built for 3.3 V/5 V logic, and a higher voltage can destroy the inputs.
Depending on the software you can analyze the captured signal further by selecting a common protocol (UART, SPI, I2C, …), setting its parameters, marking start and end points, etc. The software then tries to make sense of the signal according to your choices.
If it does make sense you will be rewarded with a decoded signal, usually shown as hexadecimal or ASCII.

So what?

A decoded signal alone can be enough to plan the next steps of the reversing process, because the boot log you may have captured contains “sensitive” information, as we learned last time:

  • You want to read from the flash chip but don’t know at which address? The boot log may reveal this.
  • You want to know which architecture is used? The boot log may reveal this.
  • You want to know which processes are started? The boot log may reveal this!

As you can see, even with no possibility of talking to the hardware, a decoded data signal can expose almost everything about the device you’re looking at!

Demo

To show you a first short example: I had a router and identified a typical looking UART debug port, so I connected my logic analyzer. Basically only the data signal pin (TxD) plus GND is needed, since we only listen and never send anything. That explains why I have just one channel in the picture below:

First I configured the UART protocol decoder to match the baud rate and left most of the other values at their usual defaults (8 data bits, no parity, 1 stop bit, i.e. 8N1):

The baud rate plays an important role. If it’s set wrong you will NOT see any useful decoding, just garbage bytes and framing errors. Try the common rates first (115200, 57600, 38400, 9600); if none fits, measure the width of the shortest pulse in the capture, which is one bit time, and take its inverse as the baud rate (a pulse of about 8.7 µs means about 115200 baud).

As one can see I have captured a nice looking data signal, and for each frame the logic analyzer software has already decoded the UART protocol and shows the byte in hex. That doesn’t look very helpful, does it? Wrong: just converting the hex bytes to ASCII and joining the decoded characters together gives a nice looking text full of information:

As one can see it’s a router by AVM with a 2.6.32.60 Linux kernel and MIPS architecture. Lots of hardware related information can already be extracted from this excerpt. The whole log is a lot longer, until it reaches a point where it says: “Press Enter to active console”.
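To make the two points of the demo concrete (why the baud rate must match, and how the per-frame hex bytes turn back into readable log text), here is a small 8N1 decoder as an added example. It is not part of the original post and not the analyzer software’s own decoder. It assumes the TxD channel was exported as a flat list of 0/1 samples taken at a known sample rate (most analyzer tools can export that); the capture is synthesised inside the script, and the boot-log fragment is constructed for the demo rather than taken from a real router.

```python
"""Added example: decode an 8N1 UART capture from raw logic-analyzer samples.

Assumes the analyzer exported the TxD channel as a flat list of 0/1 samples
taken at a known sample rate.  The capture below is synthesised in the script
itself; the boot-log fragment is constructed and is not a real router log.
"""

IDLE = 1  # a UART line idles high; every frame begins with a low start bit

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800)


def synth_capture(data: bytes, sample_rate: int, baud: int, idle_bits: int = 4) -> list[int]:
    """Constructed stand-in for a real capture: 8N1 frames sampled at sample_rate."""
    bits = [IDLE] * idle_bits
    for byte in data:
        # start bit, 8 data bits LSB first, stop bit
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    bits += [IDLE] * idle_bits
    total = int(len(bits) * sample_rate / baud)
    # sample k falls into bit floor(k / samples_per_bit); this mimics an
    # analyzer sampling an ideal waveform, fractional bit widths included
    return [bits[int(k * baud / sample_rate)] for k in range(total)]


def estimate_baud(samples: list[int], sample_rate: int, min_run: int = 2) -> float:
    """Guess the baud rate from the shortest level run in the capture.

    Real UART traffic almost always contains single-bit pulses, so the
    shortest run of identical samples is about one bit time and
    baud ~= sample_rate / run.  Runs shorter than min_run count as glitches.
    """
    shortest = None
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
            continue
        if run >= min_run and (shortest is None or run < shortest):
            shortest = run
        run = 1
    if shortest is None:
        raise ValueError("capture has no edges: idle line, or probe not on TxD?")
    return sample_rate / shortest


def snap_to_standard_baud(baud: float) -> int:
    """Round a measured rate to the nearest common UART rate."""
    return min(STANDARD_BAUDS, key=lambda b: abs(b - baud))


def decode_uart_8n1(samples: list[int], sample_rate: int, baud: int) -> tuple[bytes, int]:
    """Decode 8N1 frames; returns (decoded bytes, number of framing errors).

    Each frame is located by its falling start edge and every bit is read at
    its centre, so small timing drift is tolerated.  A wrong baud rate moves
    the sampling points into the wrong bits: the result is garbage and the
    stop-bit check fails, which is what the analyzer GUI shows you as errors.
    """
    spb = sample_rate / baud  # samples per bit, usually fractional
    out = bytearray()
    framing_errors = 0
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == IDLE:
            i += 1
            continue
        start = i  # first low sample = start bit edge
        stop_pos = int(start + 9.5 * spb)
        if stop_pos >= n:
            break  # frame cut off at the end of the capture
        byte = 0
        for bit in range(8):  # LSB is transmitted first
            centre = int(start + (bit + 1.5) * spb)
            byte |= samples[centre] << bit
        if samples[stop_pos] != 1:
            framing_errors += 1  # no stop bit: wrong baud, noise or glitch
            i = stop_pos
            while i < n and samples[i] == 0:
                i += 1  # resync on the next idle level
            continue
        out.append(byte)
        i = int(start + 10 * spb)
    return bytes(out), framing_errors


# constructed boot-log fragment, not a real capture
MESSAGE = b"Linux version 2.6.32.60 mips\r\n"
SAMPLE_RATE = 1_000_000  # 1 MHz, comfortably above 115200 baud
CAPTURE = synth_capture(MESSAGE, SAMPLE_RATE, 115200)

if __name__ == "__main__":
    guess = snap_to_standard_baud(estimate_baud(CAPTURE, SAMPLE_RATE))
    print("estimated baud:", guess)
    for baud in (guess, 9600):
        data, errors = decode_uart_8n1(CAPTURE, SAMPLE_RATE, baud)
        # the hex-to-ASCII step from the demo, done in one line
        print(f"{baud:>7} baud: {data.hex()} -> {data.decode('ascii', 'replace')!r}"
              f" ({errors} framing errors)")
```

Running it decodes the constructed log at the estimated 115200 baud and shows the same capture turning into junk at 9600 baud, which is the symptom you see in the analyzer GUI when the rate is wrong. For a real export, replace CAPTURE with the sample list from your tool and SAMPLE_RATE with the rate you captured at.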

Conclusion

As you can see, just being able to understand what is going on while your hardware boots can be of major interest. It’s much like having a binary blob and trying to make sense of the unpacked binaries/files or any source code you found inside just by looking at it.
In the end the procedure I gave here should not be seen as fixed. Everyone has their own way of doing things, and this is what worked for me in the past.


It might be already planned for the future but I just want to say it either way in case it’s not.

These hardware gadget write-ups that you guys have been posting lately are cool indeed. But something is missing: a demo. I’d assume that these sorts of posts want to attract readers to get their hands dirty, which is a great idea and I fully support that. But how can you convince someone to spend time on something they don’t know about without showing them what it’s really capable of?

Now you might tell me “well, people can google a tutorial about it”. Sure, that’s fair. This is just a suggestion to make those posts more “complete”. Take it or leave it.

I hope you get my point.

No offense,
Peace and love.


@_py point taken. I’ll add a demo later.


I ordered a Bus Pirate and a logic analyzer to take over my ISP’s router. If it works, I will do a tutorial/writeup from a beginner’s point of view.

Hi @ricksanchez

Good introduction. Some comments

Even though I think most people understood what you meant in that sentence, I would like to clarify that a logic analyser is intended to be used with digital signals. It will not work with analogue signals. The “whatever form the signal may be present” is a bit misleading.

I’d like to mention that there are stand-alone logic analysers. Sometimes you do not need a computer. It is true that in the last years there has been a trend to use a computer for the visualization and processing of the traces, but that is not always the case, and in fact professional equipment is usually stand-alone. It is likely that the computer is just inside the box, but from a user’s point of view they look like one single thing. The same happens with oscilloscopes or spectrum analysers.

Finally, in my opinion, the very first thing you have to do is to find the board GND… otherwise you will have trouble with your data in general. In case some readers haven’t noticed, the UART picture in the post was edited. You will be very lucky if you find a labelled pin on a device board… The easiest way to find a ground pin is using a multimeter… as I guess you are going to talk about multimeters at some point, I will stop here ;).

Congrats for the series and thanks for the Demo section. I think the post has improved a lot with it. It would also be nice if you guys added some specs to the posts. For instance, for the Open Bench Logic Sniffer (I’m a proud owner of one :) ) you could include the maximum sample rate, number of channels, input voltages… A quick summary of the relevant information within the post would be useful.

Keep it up!


You’re absolutely correct about the signal having to be digital. I will edit the post above so it won’t deliver false information.

As for the stand-alone logic analyzers: there might be some, but I’ve never seen or used one, maybe too young or not working in the right environment :D, who knows :P.

The GND is essential, that’s also correct, and yes, a multimeter is the easiest way to identify one. I do the exact same when first trying to identify a debug port. I somehow got too focused on the data signal, because that’s where the logic analyzer shines, and forgot to mention the importance of the GND…

The Demo sections are indeed needed. I will include one in every new article in the future!
Oh, and regarding the specifications: if the article were solely about the OBLS I’d 100% agree, but I thought I’d keep it as general as I can. I just mentioned/pictured it there because it’s affordable and a good piece of hardware for beginners that I used myself. Since this series is still in the “beginner area” I included the OBLS as an example :)

Anyway, everything you said is correct and will be done in the future :)!


Also, I’m disappointed with the quality of this article of mine. A lot of misused words and bad phrasings…
I will improve with the next one and proof read more carefully.
Thanks for all the input and I still hope people found it somewhat useful/interesting!

Cheers

In all honesty, do not be disappointed. It is very good that somebody is pushing the hardware hacking area in the community. I see it as a key set of skills for hacking, at least for what hacking means to me :)

Reading your post, it is clear you have done the stuff and you know what you are talking about. Each post will be better than the previous one… that is how it is for all of us.

I fully understand your point w.r.t. the OBLS. I just mentioned that because, for somebody new to this topic, it may look like this 50 bucks little guy will do the same as a 50K big guy, and at first glance it may look confusing. But it is indeed the author’s prerogative to write the content as s/he wishes :)

P.S.: Just type “logic analyser image” into Google and you will see a couple of those stand-alone guys. Basically, if you need to deal with very fast links… the USB or even the PCI bus in a computer will not have enough bandwidth to transfer the data you are capturing… and even if you capture first and then transfer the data, you will need a bunch of memory, which also raises the price.


True, but on the other hand I thought we’re dealing here with humans capable of thinking and reading :P :D
Anyway, I get your point.

These are way too big and look like a freaking microwave. But okay, I get why they might be needed.


Absolutely loving this article of yours! Honestly, I had no idea how to hack hardware or why it could be useful, but my eyes are certainly beginning to open!

I’m more geared toward infiltration: grab the data, rootkit the computer, and get out. However, I can now see many more opportunities that hardware hacking offers for persistent monitoring and data capture. Again, great article!
