DEF CON Safe Mode IoT Village - Deral Heiland - Getting Started Building an IoT Hardware Hacking Lab

in the lab we're going to be covering everything from kind of the basic level to the advanced level when this thing's all with i'm going to be uh jumping on iot village discord where you'll be able to ask me more questions i also everything we're going to talk about a show today i actually have a price list it's kind of an amazon type price list showing a lot of well not just amazon but various places that you can buy this stuff that'll give you an idea of course if you shop around you'll be able to get some of this stuff cheaper so let's go ahead and talk about what our gender is today so we've broken this up into a number of categories disassembly and assembly of hardware tools for taking things apart soldering desoldering equipment a magnification uh which may come in handy if you have that perfect eyesight more power to you but for some of us that may not have great eyesight or getting a little older uh magnification plays a big role into how we can actually see things and do soldering at surface mount level type technology we're going to be looking at monitoring devices and technology debugging tools and now i'm going to cover probably one of the most important ones it's the odds and ends the pieces and the parts that make your life way much easier in a lab and awfully the the pieces and parts build within your lab as you kind of work through of the various aspects of testing things you go hey if i bought this little item here this header this plug this switch it would make my life easier so you start building up a good ensemble of those type of text we're going to be talking about those at the end also which i think is very important but let's go ahead and jump out over to a screen and let's go ahead and get a camera going in here and see how this works oh that's kind of interesting hi control there we go that's much better so let me get out of the way the camera so you all can see me so so again uh this is kind of my lab and we want to start off with looking 
at tools to take things apart uh to start with a screwdriver set uh these things are critical uh and i would recommend i had a previous screwdriver set if i can get it apart that did not have a box for it and one of the things i found out is they're literally laying all over the place because i never had one good place to put them or they ended up in a bag somewhere and all disjointed so get something you can pop them in and out and it holds them real well uh this has uh straight slots phillips the other thing you want to consider is star tips there's a number of small iot devices when you go to take them apart we'll have the star pattern tips so you want to take that into consideration as a big component when you're doing this and then you can get you can get some other small tool kits this is one i had sitting in my thing over here uh and i didn't even know i had it so it's a good breakout with some basic sockets um needle nose uh some of these uh different heads stars phillips straight slots a little bigger size than the small ones that may come in handy and then also when you start thinking about it kind of wrenches and different things like this a set of cutters is always good so you want to have a good assortment of these and every once in a while i have a tendency to lose these things so i end up buying more sets of them over time also something to consider is a pair of good cutters now i've had wire cutters before small ones like this but i like these because the tips are way much thicker these things are actually great and they come in handy for not only cutting wire but here's an example of a bracelet type thing a tracker that was hermetically sealed this came in really handy for cutting through some of the plastic very durable i've used this for removing shielding that are over components where i need to get access to shielding so having something can cut through metal and plastic and durable and the tip on this doesn't chip up so having something like 
that is pretty critical the other thing you want to consider is sponges so what's a spudge so this one i've managed to lose half the stuff that's in it but this one has little fiberglass sponges in it and these are pry tools that you can use for prying things open these are all fiberglass several are kind of mangled because they've been beat up pretty heavy i also have some small metal thin spudges in here and some ones that look like um kind of the tip guitar picks those come in handy for popping plastic cases and i also bought a kit and this one's been really handy that is uh basically metal ones so you have to be careful with these because they can like seriously hurt you if you're not careful or do some damage to the equipment but these come in really handy for opening certain cases uh removing certain uh plugs or connectors or things like that so having a good set of spudges is pretty good most of these are fairly inexpensive eight nine ten dollars you can often get a set of these i seen some much bigger nicer sets that run in the 20 30 dollar range but always you could have a set of these it'll make it very important when you're actually opening stuff up now the ultimate tool what happens when you end up with a case where you can't easily clip it open you can't easily spudge it open there's no screws in it it is like a stick i've had cases that were actually eighth inch to 3 8 inch thick casing that would waterproof what do you do so in those cases what i like to do is good old-fashioned dremel tool now you can get these in various prices this one's probably the last one i got uh which is reasonably new my last one was cheaper i think i paid like 35 for like a decade ago i finally burnt it up and had to go out and buy another one and since i obviously make more money now i went ahead and bought a better dremel tool so uh if you were actually at the rsa event when we were working in the iot village we had a lot of light bulb type tech that we were playing with 
and this is what i used to cut those uh good old-fashioned light bulbs apart that contained iot based technology in those so that's kind of the the general hardware type stuff the next thing we want to get to this is the price list that we want to get to before we jump into some other area or start asking questions i want to talk about some of the soldering type tools or equipment so there's a number of solutions you can do from a soldering perspective you can buy soldering irons in all kinds of different prices years ago i used to have like three or four soldering irons and they were all fixed um heat levels or fixed wattage i think i had one it was 25 i had one it was 45 had one it was like 75 and i think it had one would clear up to 100. those worked for me back then but as you know technology advanced you start getting into surface mount devices it becomes inherently more difficult to use those uh they're a little more cumbersome so i always recommend actually picking one up that is kind of variable heat so you can change change the heat on it and if i don't smash everything in this lab in the process this is one you often will see a lot of people have and i've used this as a hako and i've i used this one for several years like two or three years it's variable heat it worked for the most point and you can get a lot of tips for it but as i got more more advanced and more uh into more detailed type work uh my biggest problem with this was heat recovery so uh when i went with really fine tips and i was soldering on something that was a ground the problem i had was this device could not keep the heat level up and it would make things harder and so when you can't keep the heat the heat recovery is terrible or not really good on a device it causes you to spend more time on the device more time on the chip more time on the leg and it leads the damage of the components you can easily end up pulling leads and stuff like that so to keep the actual uh time on device down 
i actually cranked the heat of this thing all the way up high as it would go and that made it possible for me to work really quick that kind of works for me other people will do other things when they're dealing with this but then i finally decided i wanted to move on and i think these are right around 100 bucks great product in my opinion for an entry-level starter and it works pretty good now there are other vendors that produce soldering equipment and one of the ones i went with so you can move some stuff out of the way here i went with a weller so the welder unit hopefully you can see it is setting back here i think this is a wx01 or wx02 it actually has two soldering irons on it when i purchased it it came with a single soldering iron this does i think want to say 65 75 watts somewhere around there it's pretty good works great this thing's capable of pushing out 150 watts of power so you can run two irons i turned around and actually purchased a micro iron so you can see this tip is really fine on the probably can't even see it on the tip of my finger it's pretty small this is actually brilliant works really good the difference is this is a very expensive unit i think the retail on this was like twelve hundred dollars uh you can get it on sale and shop around you can probably get it down around 800 or less so that's kind of where we want to think about soldering gear uh you want to be able to have some good soldering gear that will actually do what you want to do you want to be able to deal with surface mount devices small components large components you need good heat recovery good starter unit is hako you can also get smaller range wellers that'll work pretty good so i would shop around and ask other people that have different equipment what they use you'll find out a lot of people use the heco but you'll find a lot of people are fans of weller or some of the other products so i definitely encourage you when you get ready to go out there if if that's if that 
works for you hey it works for you get it use it i used it for like two and a half years and i loved it had no problems other than the heat recovery issue so so where do we go from there so the next area i want to talk about um now let's go ahead and start off with asking some questions so um jonathan are there any questions out there yes so um looks like right off the bat here um we've been talking a lot about like sharp tools and hot ends on the uh solder iron things like that one question that came up was what kind of safety equipment do you keep on hand with your lab and do they include things such as maybe like goggles first aid kit fire extinguisher so i don't have a first aid kit uh well i do have a first aid kit it's my wife uh she knows how to use 911. hopefully she won't have to do that but for safety equipment there's some other things to think about uh obviously when you're soldering um you don't want to have breathe all of the the nasty smoke that's a health and safety issue so i would recommend a fan so here's actually a fan that you can purchase that happens to be on a articulated arm so this works pretty good uh the other thing i have in my actual lab uh it's not within the picture range but let me see if i can pull it off here is a uh is a good old-fashioned fire extinguisher so and i also have safety goggles uh and safety gear associated with that so i would definitely recommend uh that if you set up a lab where you're going to be using hot equipment and sharp equipment or whatever the case may be you want to be able to put out any fires that may actually show up luckily i've never had to actually um use this fire extinguisher and speaking on that same thing it comes in handy when you start thinking about uh soldering the gear this particular soldering gear here if you go away from it after a period of time it shuts off which is nice the hakko does not so are there any other questions or you want to move on from here let me see here taking a look 
at the list i think we're okay okay to move on okay good so let's go ahead and jump into the next thing and that is kind of magnification so what kind of gear is available for actually magnifying or looking at things i have a number of things that i use uh one of them happens to be uh these goggles so so they have adjustable eyepieces on them you can turn a light on this is good for close-up looking so you have to hold the item up close so you can't really do any soldering with that but that comes in handy uh for quick examination of devices one of the other things i have have in here i haven't used it in a while but i used to use it quite a bit and that is a pin camera this is a usb pin camera that i can shine into things it goes into smaller places uh works pretty good uh i also have a a actually a borescope an endoscope that can actually be put through small holes and you can actually see stuff that one's kind of packed away right now the other equipment that i have is uh and you may have seen this if you've been to the iot village where rapid seven is working uh this is a device that comes in pretty handy um small bench camera with a screen you can actually magnify it has variable settings on it you can focus it you can also hook a usb up to it and feed it into a tv in this particular case i went ahead and actually covered this with rubber the purpose of the rubber in this case is to protect it so i could actually put energized equipment on here and look at it also so some of the other equipment i have is this is a another usb microscope and there's so many on the market you know which one's better than another one gosh you know that one's kind of a hard one you can spend anywhere from 20 or 30 bucks up to three or four hundred dollars for one of these uh i've seen these that would go clear to 5000 x which was absolutely amazing you could actually see the runs on a silicon chip with it so it was kind of amazing but that's again a very high end so but when we 
get into something bigger something you want to solder under um this is the more expensive solution right here which is a microscope this is a great microscope that i have this one does um everything from 3x i believe all the way up to 90x has ability to mount a camera on it it's variable focal length and you can actually slide it in and out which makes it really handy uh for this type of work for uh magnification and uh and i do a lot of surface mount device work underneath this i've used this for reball and bgas and stuff like that but this is an expensive unit and they vary in price based on whether you go uh up to the higher caliber this like i said this is 90x it's about a 600 unit but if we kind of kind of move away from that and go what can somebody who's entry level or right above entry level looking for a good scope here's one i used for a number of years and i loved it so this here is also an amp scope this one will do 10 to 20 x power it is a fixed focal length this device costs about 185 dollars and is a brilliant piece of equipment i have several of these that i use in various training that i've done in the past and i would recommend if you're looking for a scope and you don't have the big money look at something like that look at amp scopes and look at what they have to offer from a price point and i think this uh model here was 185 and it worked like a champ again i used it for a number of years uh but then i kind of got greedy and wanted something as like super ass cool so um i went ahead and bought this for work in my lab so what else can we dig into here um i think some of the most important thing we want to talk about in the area of soldering is to look at some of the other components that you may need for action soldering and when you get into soldering it's kind of critical you want to be able to you want to have typical solder so let's go ahead and switch out the screen so we can actually dig into some of this stuff a little closer then we'll 
pop back to the other screen because we can actually show this stuff a little better here so here from the solder standpoint uh there's a number of different brands out there this particular brand is sticks one half doesn't another but i would get the small stuff this one here happens to be the 0.3 uh millimeters i use lead solder i hate lead-free solder some people may like it i think it's horrible to work with so i think this works much better in every case that i've ever worked with and you also want to get solder wick solder wick comes in really handy for removing and cleaning solder off the board but when you're thinking about actually removing solder and you want to dig in and remove surface mount devices the ultimate solution for removing surface mount devices in my opinion easily is this product right here if you have not used this chip quick surface mount device removal kit uh you're missing out this will make life much easier it comes with a flux so you put the flux on it and then it comes this looks like solder uh this is not solder it's way more brittle it's a low temperature metal and what it'll do is it'll absorb the solder and it'll keep the temperature down low so let's say you're actually trying to move a tsop 48 which is a 48 pin um typical memory chip that is soldered down with 48 pens it's kind of hard to keep 48 pins uh melted but with this stuff once you put it on there you can easily spread it across each one of the leads dump it on there pretty good and it'll stay melted and you can lift the chip completely off the device it's a true lifesaver so so let's kind of move on any questions do we have any questions from the audience jonathan any questions from the audience looks like the question list is empty here one quick thing that did come up uh you mentioned earlier you're gonna provide a parts list but one high level question most of the parts that you've just mentioned now such as like the chip quick and solder you generally purchase that 
going through maybe like spark fun or maybe through amazon again knowing that you're going to provide the parts list just a high level question yeah typically when i buy this stuff um i'm i'll be honest with you everyone i i'm kind of lazy i'm an amazon kind of guy uh i can usually turn stuff around and a lot of times amazon has stuff available uh quicker so if amazon has it available within 24 hours 48 hours i'm going to pay that little extra and have that sent to me quickly but yet you know you can go off and buy this stuff from a number of vendors a number of organizations that sell these type of products um hacker groups hacker organizations technology organizations aliexpress uh for a lot of the stuff you're gonna see today you can easily just order it and have it straight ships from china um but again i have a tendency to be a little lazy and when i want it i like want it now i don't want to wait a week for it because if i think i need it i need it now and that's usually how i go with amazon so you'll see a lot of the links on here going off to amazon or weller or some of the other places for equipment manufacturers and buying it that way okay so let's kind of uh let's kind of move on here so the next area we want to look at is monitoring equipment so we start thinking about monitoring equipment you know uh how do we how do we gain access to circuit boards and how do we start looking at data uh one of the first things is kind of that usb to serial uh component and uh and i think a lot of people online are probably familiar with these these are reasonably inexpensive it's a bus pirate uh and this will give you give you that level of access to be able to look at start looking at devices one of the other things i'm not a big fan of this i have a tendency to like using this in a different way there's other software you can actually install on these and actually turn these into debuggers for atmel chips so if you need to debug or a re-date off an atmel chip uh you 
can easily take these and put i think it's sdk 500 v2 uh software on it i think we demoed this last year at uh at the iot village was hands-on exercises that actually did that uh we're using reprogrammed uh bus pirates so that's pretty good uh the other thing uh and i'm a fan of this i i have a whole box of these sitting around here uh and it's the chakra the shaker has a lot of capabilities and here's kind of the little data sheet that comes with it so we have we have the uart we have jtag and you can use openocd that and you can use spi for actually reading reading memory off chips and this device comes in really handy i typically use this for uart and like i said i actually i love this device quite a bit uh and then there's other uh other things you can do there's other ftdi devices that can be used uh here's just a couple i have in my lab that i purchased for other purposes and reasons uh and then there's another one i have this one i bought not too long ago i guess it's probably about three or four months ago and this one actually has four uarts built into it so it is a usb it has four uarts and you can switch in between three volts and five volts so you can either hook them up here or hook them up into the actual plug jacks this is nice you plug it in and four uart functions show up uh this makes it much more easier for hooking into multiple connection points on an actual device for doing uh uart testing or analysis uh people have seen the work that i did on interchip communication i like to use one of these works out pretty good for capturing multiple uarts for analysis as data as it flows through a system and also let's go ahead and move on to logic analyzers so i want to point out that uh jonathan is actually going to be speaking tomorrow evening is it tomorrow evening or tomorrow morning jonathan yep tomorrow evening and he's doing uh he's going to do a talk on uh using uh logic or logic analyzers so there's a lot of different logic and illusion by uh i 
think jonathan has has one of these he's actually going to show he has another one um these are cheap this is like 12 bucks it does like 24 24 25 megahertz uh another one that i have uh this one is this cele uh this is their uh four uh four channel one it's no longer being manufactured but saleh had a whole stinking warehouse full of them uh and they're selling these these are more pricey they're 100 bucks but it's a sale this is high quality now what i use is i do have a sale i have the eight channel um the eight channel uh i think this is like 600 this is the i think it's 100 megahertz uh eight channel this one's the actual pro uh works great for everything i'm doing in the lab and if you're not doing it for uh for a job and you're just a hacker or whatever in your education and you're learning you can actually get an edu kind of version of this which will save you a significant amount of money when it comes to logic analyzers so um also some of the things you may you may want to consider earlier you may have seen the o scope and that was in the back of my room i have an o scope i use it sometimes for basically uh signal chasing but uh other than that i don't use it that much for most of the tech that i have but when it when you want one it's nice to have one and they come into a number of price ranges anything from you know typical ones you can run off your desktop or laptop with a small plug-in board all the way to high-end digital built-in logic analysis type of stuff in the thousands of dollars the one i have uh was the textronics i'm a big fan of textronic since i came from the military and i think mine was like five or six hundred dollars and i believe it was a 50 megahertz box and it works pretty good so moving from there another area as a hacker that you want to get into is often the rf stuff you want to start digging into rf so one of the big rf areas is often bluetooth low energy so these are the go-to bluetooth dongles these are csr8510s these are the 
ones that'll work with pretty much any any of the bluetooth developed software out there they have the right chip sets in them but these will only go up to i believe 4.2 version i don't think they'll support five i don't think i have anything here actually at sports 5 right now it's something i need to add to my lab myself so that's one of them another thing is uh the nordic the nordic makes a dongle that you can use with nrf connect their desktop product and this happens to be it i think i paid 25 or 35 dollars for this so i would recommend having one of these for bluetooth this has a lot of cool capabilities and there's a number of development boards and testing boards that are available out there that give you the ability to take what you're doing with bluetooth to almost any level you want another device i have that actually like uh it's pretty good this is a hulong this is about a hundred dollars i think it was um this device um i've had it for a couple years so hopefully they'll come out with a newer version of sports 5. 
but this gives you the ability to and it has to be run on a windows box gives you the ability to capture bluetooth so it'll actually see the the announcements coming out on bluetooth and it will actually let you pick one of the devices out of the list of bluetooth low energy devices and as soon as it once you pick it out it'll start to output all that stuff to wireshark directly uh and then once uh it'll actually capture the pairing process and the entire authenticated process um basically i don't want to say man in the middle but capturing all of the data and outputting it correctly to wireshark for analysis so it's probably one of the best ones out there nrf uh there was a used to be a nrf sniffer i think was sniffer that was available that would run on a desktop this thing's like way better this actually has all three uh ble channels so it picks up all the data it doesn't miss that much data so it makes it a lot much better so would recommend that and of course if you get into some other stuff having the um ubertooth1 is probably good i haven't used this in a while uh i heard people complaining that really updates on the software or follow-up work on the software arena hasn't been done which is kind of sad because i think it was a very very brilliant capable tool but hopefully they'll continue supporting that and we'll see some new capabilities come out in reference to that moving from that typically i don't have a ton of things i think here we have a yardstick which is uh under under the gigahertz range capturing and then of course and i know i have laying around here somewhere which i have no idea where it's laying at i'm like terrible in my lab but i have a oh there it is i have a hacker rf that may come in handy for some people that are really want to do um the work dealing with rf communication so i'd recommend buying what you can afford you know finding an area that fascinates you on the hardware hacking area and to spend as much in that area that you can 
afford for the best tools i would recommend shopping around some of these tools here may have newer versions there may be better release products out there this is constantly a changing field what i bought a few years ago doesn't necessarily meet the needs now in a lot of cases so i often find myself as i'm doing new projects and new testing uh that i have to go out and actually uh buy new equipment and new hardware it seems to be an unending process it's kind of like being uh married and a homeowner you're always looking for an excuse to buy new tools for around the house it's the same way as a hardware hacker you're never going to be content until you have all the all the tools ever made on the face of the earth but shop wisely and i think you could do a pretty good um gathering up the needed stuff being able to do the work so there's one other area before we take a quick break and actually look at um or has some questions another tool let's not forget critical tools a multimeter literally i don't think there's ever on any engagement or any testing or any device i've tore apart where i was hacking on where i didn't use a multimeter these are cheap you don't need an expensive one mostly i use this on the continuity field for actually tracing out runs on boards and stuff like that comes in very handy i also use it for checking voltages prior to hooking stuff up to make sure that i'm matching the voltages correctly because that can really screw things up if you get it wrong uh also moving from there let's go ahead and quickly uh cover the area dealing with debuggers matter of fact let's kind of stop right there and uh before we get into chip readers and debuggers and see if there are any questions yeah open oh good yeah it looks like a couple a couple popped up here um so yeah uh i guess uh first question we have here um is this is with regards to the uh physical non-rf signal quality um that we're speaking of of earlier um so you'd mention the oscilloscope um and 
also i know that you've mentioned that you aren't really uh going too in depth with it these days because you don't really need it so i'm curious or excuse me the question's asking um i am curious would your answer to that be the sale does okay for that sort of thing and would you recommend a sale over an oscilloscope uh the answer that is yes i think my go-to is with uh saleh logic analyzer 100 now uh for almost everything i'm doing almost everything i'm looking at is digital uh sales come out with the um oh gosh what was the name of it i'm losing my mind here uh just second oh yeah uh their logic uh logic tool which is what interacts with the cele they came out with logic too uh and the cool thing with logic too uh it basically uh it basically gives so much more features to the actual product and one of the features is kind of continue streaming instead of capturing uh just capturing data like you often often will do this will actually let you loop that capture so it continues to run so i find myself taking a logic analyzer and using it like a probe looking for ongoing signals timing signals and stuff like that uh clock signals that are ongoing burst traffic because i can easily stop on something and as this thing continues to run see burst traffic so literally it gives me a way to do some digital signal tracing maybe it's not the uh the most effective way but i think it's the most cost effective way so definitely would recommend if you're going to spend the money buy yourself a good logic analyzer that besides the multimeter or is the item that i inevitably use on every engagement and every testing that i do any other questions or is that it that's it all right so let's go ahead and let's jump into uh chip readers so hey you happen to have a device and it has a flash memory chip and you want to be able to get the data off that flash memory chip what are you gonna do it with so there's a lot of inexpensive solutions out there this one here is an actual tl866 plus 
this comes with a slew of sockets that go in for it this is like a t-stop socket and they get eight pin or 16-pin sockets and then eight pin sockets list goes on and on there's like 30 20 or 30 sockets you actually get with the socket that i purchased that is actually a uh oh gosh there you go it's uh wson socket so you drop it in these are a little more pricey but the the tl 866 is not that expensive um i think i paid 130 bucks for the one that i have here although when you buy this and it comes with this particular um this particular socket this tsop 48 socket this will not work for all tsop48 which is typically nand flash chips so you need to go out and buy this one to go with it and you can get these off aliexpress or maybe some other sources and this is the uh get it right there dand08 socket uh and typically typically this is the socket that's used on the chips that have literally a larger memory you start getting in at you know 128 meg 256 meg chips and higher um you're actually going to go over to this socket here that seems to be the case so uh that's one of them that i have like i said i have several chip readers i can't remember the number this covers i think it's like seven or eight thousand different chips that are actually supported by this so does it cover every chip that i encounter the answer to that is no uh does it cover a large number of them yes it does i mean it probably covers uh two-thirds of them that i come across uh one of the other chip readers i have is this rt809h so the rt809h here it is here similar a little bigger physical construction this one comes in handy you cannot use you can use these sockets so all of the inline sockets that came out of the tl866 that are straight pin to pin wiring and don't contain any kind of circuitry you can use them on this but if it happens to be the tsop 48s those actually had circuitry built into them so you have to buy a socket that will actually work on it uh and this is a straight pin for pin one 
So I use this one typically as a backup. There are times that the TL866 doesn't work or doesn't have what I'm looking for, so I jump over to this one. It works pretty darn good. Also, this one you can get various sockets for. Here happens to be a socket for it; this was like a $40 socket. This is a BGA, this is a 63-ball BGA NAND flash memory socket. I think I paid $45 and had that shipped over from AliExpress from China. The crazy thing is I ordered it right when this whole COVID thing hit the fan, so it took like two months to get to me versus the typical 30 days that I often have to wait, or a shorter time period. So that's one of the readers.

Some of the other readers I have in my arsenal here are for dealing with embedded multi-chip packages and embedded multimedia controllers. These you actually find a lot when you're dealing with embedded systems, and especially some consumer-grade IoT. These are actually for reading BGAs. This is an embedded multimedia chip for 153-ball BGA, so you open it up, you drop the chip in there, plug it in, it's USB 3.
Plug it into your computer, hit this button here, and that chip will mount up just like a file system. It'll mount up just like an SD card will mount up, and it'll actually mount the entire file systems on the device most of the time, and from there you can quickly recover the data. Sometimes you can alter the data. One of the exercises I did, I actually used that to pull the data, and then used one of these and altered data and then dd'd it back to the actual chip, and then rebuilt the BGA, put it back on the device to gain root-level access. So these are great, and they come in a number of different sizes. So that's known as an embedded multi-chip package type thing. Again, you'll find these in a lot of devices. That means it contains both RAM and flash memory in the actual chip. But these ones are kind of pricey, like $135. There is a cheaper version. This is pretty much the same thing, but it's done up just like an SD card, so then you just plug it in like an SD card into your computer and it'll mount the chip up just like a file system. Now these ones are a little cheaper; I think they're well under a hundred dollars, like 90 bucks or something like that.

Also, if you need to deal with embedded multi-chip packages or embedded multimedia chips, I would recommend doing a little Googling on that, because, this example here, people have actually built these. So there are ways to build these. Of course you may have to dead-bug the chip, which means you're going to need a good microscope, because you end up soldering to the pads of the chip on the underside, but there are only like five connections, or four connections, that have to be made on the chip, and you can literally actually read it. So there's a lot of documentation out there, so you can take the hacker mode and save yourself a lot of money, but again, it'll take a lot more time. So any questions there on chip readers? And again, most of these chip readers were $120 to $140, right around there.

One question that came up with
regard to the chip readers here that I'm seeing is, and this is a little bit of a backfill, I do apologize, one question that came up earlier is: is it actually worth picking up an old benchtop logic analyzer off eBay, or going with some of the newer USB tools? Cost is a limiting factor for this individual.

You know, I don't know enough about any of the benchtop logic analyzer tech that you're talking about; I haven't worked with any of those. Typically most of the stuff I deal with is the USB stuff. I mean, if you're looking for a logic analyzer just to give it a try, I'll be honest with you, a lot of these, when you start getting into these smaller ones, 24 megahertz, I have not used this, so obviously, it's $12. From a logic analyzer standpoint this gives you an entry point just to get familiar, and I think the Logic programs put out by Saleae will actually work on these, and there are a couple other ones, and Jonathan's going to talk about this in more detail tomorrow, so definitely swing by his presentation. I would start off, if money's limited, I mean, can you come up with 12 bucks? Give one of these things a try. I bet you nine times out of ten on most standard consumer-grade IoT this is going to be fine. I've only run into issues when I'm dealing with commercial-level devices, where a megahertz rating like this would not have worked. So just an example.

Makes sense. And another backfill question here. Asher says: such a great lab, Deral. One question: what do you use for on-chip debugging other than the Shikra?

Oh, on-chip debugging, yeah, we're actually getting to that next. If you want to do on-chip debugging, or pulling firmware out of the chips and all that type of stuff, that's the next section that we're going to dive into.

Okay, perfect, and I think we'll put a pin on that question, because it sounds like it'll be answered. Next question here reads: what are these readers used for? What are you reading off these chips? Sorry, noob.
Thank you. Oh, there's nothing wrong with that, man. I mean, we were all learning at one time. Five years ago I couldn't have told you any of this stuff at all. So what we're doing is, these chips I'm talking about are flash memory chips. This is where the embedded device holds its operating system. It's also where it holds configuration settings and data associated with the functionality of that device. So if you want to be able to pull off the firmware for some kind of offline analysis, you want to do some offline debugging with IDA Pro or something like that, then you need to be able to extract the firmware. So to be able to extract the firmware, you need to gain some level of access. Chip readers come in handy for doing what I consider off-board reading: you desolder the chip, remove it from the board, drop it into the reader, dump all of the memory out of that chip, and then you solder the chip back on the board. I have a tendency, since I'm fairly good at soldering and desoldering and stuff like that, that I'll often do that. I will literally just pull the chip versus trying to do it in-circuit, because I found it's sometimes much easier, in some cases, not always, but in a number of cases. The only time it's more difficult is when you're dealing with like a ball grid array chip, a BGA chip, where the pins are underneath, so when you remove it, the complexity of putting it back on is fairly complex. So hopefully that answers that question.

Makes sense. And one final question here, Deral. It's asking about the Flipper Zero. An individual's asking: what are your thoughts on the upcoming Flipper Zero? Is it a great asset or a gimmick? Kickstarter problems apply.

Flipper Zero? I don't think I've seen that. Have you seen that? Have you looked at it?

Yeah, it looks super interesting, actually. I'm additionally not familiar with it. Looks super slick. Looks like you can do a lot of hardware analysis with it. I think it looks kind
of cool. It's very powerful for sub-1-gigahertz, from what I'm seeing there. It looks somewhat similar to the YARD Stick, with maybe a few additional features, but it looks pretty slick in my opinion.

Yeah, like I mentioned, there is always new tech being developed, so often I don't dig into those unless it happens to be on my table or something I need to work on, and then I go out looking and I try to look for the right tool, the right solution, the one that's going to help me do the job the easiest and the quickest. So hey, great, thanks for bringing that up. I'll have to look at that once we get offline here.

Yeah, and Deral, we actually had the inventor of the Flipper Zero present at our event back in May, so anyone who's listening, you can always check that video out, as he goes through all the features and the story of why he built it.

Outstanding, Sam, thank you very much. We'll check that out. So kind of moving on from there, I just wanted to get into some debugging. There was some area I did miss earlier, and we may jump on it at the end if we have time, but we'll start with debuggers. The first thing I want to look at is not necessarily a debugger but pretty darn close to it. This is fairly pricey, about $150 to $170. It's a JTAGulator. I have not used this in a while; don't ask me why. I guess I haven't needed to figure out where the JTAG connections are in a while. But if you're in a bind and you need to figure out if there are any exposed JTAG connectors on a chip that you can't identify, this is the tool for doing it. You just plug all these in here, you hit reset, go, you have some software you can run on this thing, and it gives you the ability to go through all of the testing sequences for all the different wiring combinations that you could possibly generate by plugging this thing in, and it checks for various JTAG connections. It can also be used for UART. I don't use it for UART typically; that's easy enough to spot with a logic analyzer
fairly quickly. But yet a good tool to have in your arsenal, especially if you're doing a lot of debugging of devices where you can't identify whether a JTAG's available. They also added some features to this that will actually go through and do I/O testing, so it'll do a series of tests, information feed and restraint and capture, based on identifying the various I/Os on a processor, so that's also a great feature.

So when it gets into, not logic analyzers, but debuggers: how can I interact with the chip, how can I interact with the processor, and some of them may be, hey, how can I pull firmware out of a processor that actually has flash in the processor, which seems to be the thing I often do. I have a whole slew of debuggers; I've got probably a dozen of them laying around here somewhere for various things. But there's one that I have that's like a go-to, at least mainly for ARM processors, and that's a J-Link. The Segger J-Link is a great product. This is a commercial version. These are kind of pricey, and based on the speed and the capabilities of the hardware, the price goes up and up. I think this one was like $600; it can easily go upwards of a thousand or more for the solution. But there is hope: if you're interested in the Segger J-Link and you are basically a student or somebody learning, you can buy the EDU version. When I first started learning and wasn't using it for commercial use, I purchased that. It was like $70. It has all the similar capabilities; its speed of data reads is probably not as fast, but it's pretty good. Another thing I do, a habit of mine, is I always tape the pinout for all of the pins on some of these devices, because I rarely throw a 20-pin plug in there and use it. I often use single plugs, because I often will use this not only for standard JTAG, but I use it for Serial Wire Debug or cJTAG. This will do cJTAG also, which is a
subset of JTAG that is also like Serial Wire Debug. So if you're like me and you can't memorize all these pins on everything, actually doing a printout and sticking them on the back is a nice little feature that I use to help speed me along. But again, it's a great product, and for mainly ARM processors I go to this. But then also I will use various debuggers for different products. So if you have TI chips, the CC Debugger; I can't remember what this was, $20, $30, it wasn't that much, and it happened to be a case where I was dealing with some TI chips and I'm like, I'll just buy the thing, put it in my lab, I have it. Another one, which we demoed last year, was dealing with the XDS110, which is another TI debugger. I really didn't want, well, I wanted to expose people to the XDS110 from a debugging standpoint, but I didn't want to buy the full-blown one, because it's like $110, $120. But it turns out that they made the small development kit type thing for a SensorTag, and the one you buy for that is basically a stripped-down model. There's no case, there are some features turned off, but it works the same way, and this was like $15 versus a hundred and some dollars, and it worked pretty good. I kind of got this idea because I was doing some research on a TI chipset for a vendor, and so I bought the development kit, and the development kit had an XDS built into the chip on the development kit, which got me interested in doing this, and that's why I kind of shared that stuff last year and let people do the hands-on.

Now I have a number of debuggers around here, but you know, a debugger is what it is, it's a debugger. Typically what I do is, when I encounter a chipset, the first thing I do is I go out and go: okay, if I was a developer on this product line for this chipset, how would I do it? What product would I use? What does the vendor recommend for interacting with their hardware, their chips? And then I go out and check it out. Do they have
guidelines for using a J-Link? Then I use a J-Link. Do they have a specialized debugger, like PIC processors do, which is basically in-circuit serial programming, it's basically SPI? If that's the case, then get those. So I have several of those laying around here; PICkits is what they're called. So I try to find out what the developer community uses for a particular product, and if I can afford it and it's inexpensive, I buy that, or I buy the next-level alternate to actually use, and that's typically the approach that I use. I found out, if I'm trying to deal with a chipset and I'm using somebody else's debugger, it has a tendency to not always do what I expected it to do. It doesn't always give me the information that I get from the development community on the product or from the vendor on the product, and it adds a level of complication, and I'm able to find way more resources if I use what the development community uses on that product. But the reality is that's not always feasible. There have been a number of times where I've gone, hey, here's a chip, you go out and you try to find out what the development community uses for them, and find out it costs ten thousand dollars and you can only buy it from the vendor. In cases like that, then hey, if it's an ARM, use an ARM; if it's something else, you know, go all the way down and use one of these and then use OpenOCD if you have to, whatever it takes. But I have a tendency to dive into what the actual person producing it uses. I want to move on real quick, because we're running a little behind and I want to get to this next phase, because I know the, well, matter of fact, never mind, we can do that. Any questions?

Yeah, looks like one question cropped up here. Josh asks: do you happen to have any books, videos or any learning material that you recommend to start learning IoT hacking?

Oh gosh, that's kind of a hard one. I'm not a big book person, to be honest. What I typically do is, I'm
definitely a Google and YouTube kind of guy. Everything that I've wanted to learn, you know, an example: I wanted to learn how to resolder a TSOP 48-pin chip back onto a circuit board. I'm like, damn, this is going to be hard, I can't go solder each pin. So I went on YouTube and looked it up and go, how do I do this? And there are like three or four videos out there, and then I watch those videos. And it's the same way if I want to learn how to use UART: I go check out some of the videos on finding UART and looking for UART. Same way with logic analyzers. That's typically the approach that I take, and I still do that to this day. Any time I'm working an engagement or testing a product and I go, how do I interact with this? I haven't done this before, because, you know, even though I've been in this for years, I constantly encounter things that I haven't encountered before. First I go out and find out who else has done this. Has it been done before? Has anything similar to it been done before? And that's kind of my approach.

If you're trying to, and I know there are a lot of learning kits out there, but I'd also recommend, oh gosh, where is that, hold on, I would recommend looking at some inexpensive products just to play around with, and I'm going to throw some pictures up here. Like these right here, these little GL-MT300N type router things. Let's pop one of these things out here. Oh, that's one thing about my lab, it's like a ton of gear. So this one, it's a little router device, so we have these chips on here, so it has a lot of things you can interact with. There's Ethernet, there's USB, it actually has UART. UART's actually marked on here; if you look, it says TX and RX, and then I found the ground. This runs OpenWrt. It actually has a flash memory chip right here, so here's a chance to figure out how to get the memory out of the device, here's a chance to play with this. In this case here, root doesn't have a password on it, so in that case there, you really
as soon as you get the console, it's going to be root-level access. But you can change that and then try to get around it. This device is like 20 bucks, and I would recommend getting something like this and starting out by just going: hey, this is a MediaTek chip, what does that mean? Data sheets. This here is a RAM chip; find the data sheets. This is a flash memory chip; find the data sheets. Read those data sheets and kind of learn and play around and experiment, and if you screw it up, throw it in the trash can and go spend another 20 bucks. Hopefully that answered the question. Okay, here's another one, but I don't think the GL Mango is even available anymore, but it's the same product, just relabeled differently.

Another question cropped up here, I think it's kind of an extension of that question: do you have any go-to YouTube channels? Do you follow anyone on social media?

Oh gosh, yeah. For social media, I'm a Twitter guy, so you can find me on Twitter. My handle's @percent_x, p-e-r-c-e-n-t underscore x. Yeah, please follow me. If you're one that tweets a lot of political stuff, there's nothing wrong with that, I'm just not a big fan of that, just to be aware of it. I want to see mostly technical stuff, so if you're doing technical stuff out there, that's kind of cool, I'll probably follow you back. But yeah, that's one thing I do. I do not follow any YouTube channels. I'm usually all over the map. Whatever I'm working on at that time, and I need to learn something specific, then I go out and search, and I never look at one single example. If there are a dozen examples out there, I'll usually look at three or four of them and get three or four different viewpoints on how to approach something or how somebody's done that, and then experiment with my own ways and own methods and try to build from that. We've also, at Rapid7, I put out a number of blogs, so if you use my name, Deral Heiland, and search for Rapid7 blogs, I think we put out a whole series
last year actually pulling firmware from microcontrollers, like four of them, covering four different types of microcontrollers, four different software packages, four different debug type devices. So every once in a while I'll do that type of stuff too.

Okay, so I want to move on to odds and ends. This is kind of a big one. So when you're doing work on devices, it comes down to often needing a lot of strange stuff. Now the first one is wire. I don't know how good the video is out there, but this is 40-gauge wire, and to be absolutely correct about this, I hate this, but this stuff comes in handy for soldering into microscopic small circuits for tapping into them. So currently I'm working on a project right now where I have to tap into an Intel i3 processor, and the only way to do it, the pads are like 0.3 millimeters, so I am actually using this under a microscope and soldering it up. And at the end of this thing here I'll show you what I attach it to when I'm done, which will be a lifesaver. So that comes in handy. If I'm doing something else that's bigger from a wire standpoint, I use this. This is wire-wrap wire, I don't even know, VT Corporation, and I found this. It comes in all of these different strands. This is covered with a really fine plastic coating; that 40-gauge wire earlier was covered with lacquer, a real thin coat of lacquer, to keep it from shorting. Now this stuff will melt that's on the outside of this, but when you're looking for like 30-gauge wire, you need to find wire-wrap. If you buy standard 30-gauge wire, the actual insulation going around the wire will be thicker than the wire itself and will get in the way when trying to solder to small circuit pads to tap into it.

The other thing is, you know, when you open up a device, you start thinking about headers. You need to attach headers, and this became a nightmare over the years, or at least early on when I first started, because I was seeing all kinds of stuff. So I went out and tried
to get samples of both 2.54-millimeter headers, so this can be plugged into the board and soldered in, and then you just plug into it for the places where there are headers. What if there happens to be a dual header? So then I bought some dual headers to have those. I have boxes of these things laying around. On top of that, what happens if it's a surface-mount header for 2.54 millimeter? So if you look at this, it actually has, see how the bottom is sticking out there, it's actually gull-winged. So there you go. And then we do the same thing for 1.27 millimeters, single row, double row, and these are the most common, and trust me, there are people that produce other headers that you want to kill them when you get them, because these things won't fit in a gull-wing one. So yeah, I went out and kind of purchased all of this stuff over time. I didn't do it in one day. It's like, hey, I need headers, they're 1.27, I need gull-wing headers, and then went out and bought them.

The other thing that is a lifesaver, and that is glue. Glue comes in really handy, because when you're attaching small wires to a board and you snag the wire, you pull the wire, you can easily rip the pad clear off the board, which will happen to you anyway, but this will help prevent it. This glue here works like a champ. So here's some 30-gauge wire that I've attached to this device here, and you can see, I was, hold on a second, I'm looking for a poker here. So right here you can see this is glue. So I put a dab of glue on there and it holds the wires, and it prevents me from tearing the pads out from this circuitry. It works like a champ. If you need to remove the glue, it peels right off. It takes a little force, but it'll peel clean off the circuit board, and it's actually brilliant for what you need to do.

Some of the other things that you're going to need, you're going to need wire. So these are jumper wires. You can get these male-to-male, female-to-female, and they just peel off, so I have bundles of these, and
when I'm done using one, I throw it away, because if you keep plugging it in, plugging it in, plugging it in, by the end of the day it'll start weakening to the point where it will give you problems if you keep trying to use it. There's nothing worse than losing three or four hours trying to figure out why something doesn't work and finding out your plug is just worn out. So I usually get bundles of these, and then you'll find them scattered all over the floor, because I just throw them on the floor when I'm done. I'd also recommend breakout boards. Quick breakout boards are for doing various projects and stuff like that, and that's kind of sweet. And then let me see, oh gosh, yeah, here's some stuff I bought on a project a while back. I ran into a project where I needed USBs, so I literally went out and bought USB breakouts. You can buy these little kits for like five, six bucks, okay, and it gives you the ability to do USB breakouts so that you can solder up connections on these things and be able to tap into various USBs. Kind of the reason why I needed that: it turned out that the device that I pulled apart was an industrial device and it had a solid-state drive in it. The solid-state drive wasn't ATA, it was basically USB, and it was kind of a weird wire-out structure, so from here I was able to jumper it out the way I wanted it to fit the USB properly, and was able to use that to tap into the actual device and effectively be able to read the data off of it pretty effectively. So that worked pretty good. Here's some, these are a little expensive, but they've come in handy a few times. These are micro grabbers, and I can use them on a logic analyzer or some other kind of testing equipment. I have a set of these that I've put together; I think these were like 20 bucks a piece, but they have a 0.5-millimeter pitch. Comes in handy for small stuff. And then the big item, I think this is really critical: this is a test board. I built these, and I would
recommend building test boards to meet your particular needs in the projects you're working on. It'll be very vital to actually be able to do it. So if we look at this test board, we have two sides of this, so we can take the wire and we can hook into here. These are screw terminals, so you can screw the wire in here, and instantly you have two headers to put test equipment on. This one over here is similar. This one has jumpers in the middle; this one's isolated with a switch, these are isolated with jumpers. So once you attach the jumpers, or through the switch, you get connections all the way across, so if it's turned on, then I basically get four headers I can tap into. This also makes it possible, and where I've done inter-chip communication testing, where I actually come off the circuit board here, route through here, and I go back to the circuit board, and then I cut the runs on the circuit board, making all the traffic flow through this, and it gives me the ability to turn on and off the flow on a circuit board for analysis, and the ability to hook multiple pieces of test equipment up for analysis. And again, I built these. Get these boards; you can see where they're broken right here, so that they require a switch or a jumper to do them. These come in extremely handy. I've built four or five different ones, but having these screw terminals is a lifesaver for connecting up things. So I'd recommend building some of your own jigs and test equipment. Any questions?

Looks like a high-level question kind of cropped up here. This was with regard, earlier, to when you were speaking towards like the FTDI devices. The question is, what software do you use in order to start talking to these devices? And again, this is with regard to when you're talking about the Shikra, those types of hardware devices.

Oh, what I use. So if you're using the Shikra, or if you're using JTAG, then you're obviously going to use like OpenOCD. OpenOCD is probably one of the best ones that you're
actually going to use, OpenOCD, for it. When it comes to UART, there are so many console programs out there, it's literally kind of hard to say which one is the best one. I have a tendency to use, gosh, CoolTerm, and I use it on my Mac. If you're on a Linux system, I would just use screen for interacting with a USB UART connector, as an example. For the logic analyzers, the manufacturer produces software called Logic, Saleae does. There's the older version and there's Logic 2, which is pretty good. So for standard UARTs, again, there are tons of programs out there; find the one that works best for you, or if you're on a Linux box, issue screen. Screen has the ability to interact with ttyUSB0, ttyUSB1, however many UARTs you have connected up, and also set the associated baud rate right within screen. When you get into logic analyzers, you know, like J-Link, J-Link produces its own, not logic analyzer, I'm sorry, debuggers: J-Link produces its own software. Same way with CC Debug. Also, individual manufacturers of certain chips will produce their own software to interact with their chips over J-Link. Nordic is one of them. Nordic produces software to connect to their nRF51/52 series chips; you can get it as command line or you can get it with a user interface type thing, and it actually will leverage the J-Link. So a lot of the manufacturers will also produce custom software to interact with their chip using no standard logic analyzer or debuggers that are available out there. Any other questions? That is it. All right.
Info
Channel: DEFCONConference
Views: 1,502
Keywords: DEF, CON, DEFCON, DEF CON, hacker conference, security conference, information security conference, information security, conference speakers, hackers, hacking, hacking videos, security research, DEF CON 28, DEF CON Safe Mode, IoT Security, IoT Village, Internet of Things, Deral Heiland
Id: ztYnPAl3kCE
Length: 73min 48sec (4428 seconds)
Published: Sun Aug 16 2020