Hardware Hacking for IoT Devices – Offensive IoT Exploitation

Hardware Hacking for IoT Devices – Offensive IoT Exploitation

In the world of smart devices, IoT devices are becoming more vulnerable to attacks. Hardware hacking is a technique used to exploit IoT devices at the hardware level. One method is UART, a communication protocol used in many IoT devices. By gaining access to UART, attackers can bypass security and gain control over the device’s operating system. This article explores the basics of hardware hacking for IoT devices, focusing on UART-based attacks. Manufacturers need to prioritize hardware security to protect against these types of attacks in our interconnected world.

In this article, we employ a router to access the Command Line Interface (CLI) and delve into the interface’s functionalities.

Displayed below is a front view of the router after disassembling it with a screwdriver and pry tools:

hardware
Front View of Router

The rear side of the router is depicted, showcasing the antenna wire and the absence of other pinouts and chipsets:

hardware
Back View of Router

Getting Started with Hardware Reconnaissance

SDRAM: 

In the image below, the SDRAM is clearly visible which is Winbond SDRAM Memory IC 64Mbit Parallel 166 MHz 5ns 54-TSOP.

hardware
Winbond Chipset

CPU:

The chipset provided is the RTL8196E, belonging to the Realtek RTL8196E family. This chipset seamlessly combines a powerful 400MHz RISC CPU, a five-port Fast Ethernet switch featuring PHY, SDR, DDR memory controller, flash memory controller, USB2.0 controller, and practical peripheral interfaces. Engineered for 802.11n AP router applications, the RTL8196E excels in delivering high performance while maintaining low power consumption.

Features 

  • RISC 400MHz
  • I-Cache 16KB / D-Cache 8KB
  • I-MEM 16KB / D-MEM 8KB

Memory 

  • 16-bit SDR, DDR1 and DDR2
  • SPI NOR Flash

Interfaces 

  • Five 10/100M Ethernet Port
  • One PCIe Gen1 Host
  • One USB2.0
  • Two UART
  • Up to 16 GPIO

RTL8196E-CG Datasheet 

hardware
RTL8196E Processor

WLAN Chip: 

The Realtek RTL8192ER-CG is an 802.11bgn 2.4G single-chip that integrates Wireless LAN (WLAN) and a network PCIe controller. It combines a WLAN MAC, a 2T2R capable WLAN baseband, and WLAN RF in a single chip. The RTL8192ER-CG provides a complete solution for a high-throughput performance and low-power consumption integrated wireless LAN device.

Features 

  • 56-pin QFN
  • 11bgn
  • Integrated PA/LNA/TRSW
  • MIMO Power Saving Mechanism
  • Channel Management and Co-existence

Applications 

This chip is used in TVs, Set-Top/Over-The-Top boxes, IP cameras, as well as WI-FI appliances such as this router.

hardware
RTL8192ER Chipset

Flash Chip:

The chip identified is the EEPROM H25S80 BG 23QD AP3A257.

hardware
Flash ROM chipset

Hardware Object Purpose          Serial 

  • Network Processor                 RTL8196E-CG
  • SD Ram                                    W9864G6KH6
  • WLan Chip                               RTL8192ER
  • Unknown                                  H25S80 BG 23QD AP3A257
hardware
Router PCB

Test Pins:

If we examine the router’s PCB, there are no apparent pads intended for debugging or reversing the router. However, on the back, there seem to be some available pads, possibly meant for testing the router during manufacturing.

hardware

Test Pins

Now, the next step is to identify the specific purpose of each pin among the available test pins. To achieve this, we’ll utilize a piece of hardware called JTAGulator. This is a brute-force toolkit designed to systematically test pins and determine their usage, such as identifying pins associated with protocols like UART, JTAG, and others.

Initially, we require a soldering machine to delicately solder each pin, ensuring there is no unintended short circuiting with neighboring pins.

hardware

Wires Soldered

Next, establish connections from each pin to the JTAGulator, starting from Channel 01 and extending to Channel 09. This encompasses a total of 10 pins, potentially associated with protocols such as UART, JTAG, SWD, and I2C.

hardware

Connection with PCB and JTAGulator

To facilitate the connection, we will install the JTAGulator on the Kali Linux virtual machine.

Installing JTAGulator on Kali Linux

JTAGulator is a specialized tool crafted for hardware penetration testing and analysis, aiding in the identification and location of JTAG interfaces on a target device. Below are the steps to install JTAGulator on Kali Linux.

Step 1: Clone the JTAGulator Repository 

In the terminal, navigate to the desired directory where you wish to clone the JTAGulator repository. Execute the following command to clone the repository:

				
					git clone https://github.com/grandideastudio/jtagulator.git 
				
			

Step 2: Install Dependencies 

Move to the JTAGulator directory and install the necessary dependencies by executing the following commands:

				
					cd jtagulator 
sudo pip3 install -r requirements.txt 

				
			

If you don’t have pip3 installed, you can install it with:

				
					sudo apt-get install python3-pip 
				
			

Step 3: Run JTAGulator 

Once the dependencies are installed, launch the JTAGulator. Ensure you are in the JTAGulator directory and run the following command:

				
					sudo python3 jtagulator.py 
				
			

Note: It might be necessary to run the command with sudo to gain access to specific hardware interfaces.

hardware
JTAGulator Interface in Kali
hardware
UART pins found

To enhance clarity, I have labeled all the pins for better understanding. The Jtagulator successfully identified UART RX and TX, while also pinpointing JTAG signals such as TDI, TDO, TMS, and TCK. For the ground pin, a simple method involves soldering a pad anywhere on the router and using the multimeter in Continuity mode to verify its connection to the ground.

The designated pins for receiving (RX), transmitting (TX), and ground (GND) are labeled below. These pins are utilized to establish a connection for accessing the command line interface.

hardware

Labeled Pins

To establish a connection to the router, connect the TTL to the USB connector using screen software. Ensure proper connection by confirming that the RX of the router is linked to the TX, and the TX of the router is connected to the RX of the TTL to USB connector.

hardware
TTL2USB

Checking whether the USB (TTL2USB) is connected to our Kali Linux machine as ttyUSB0

hardware

Identifying USB in Kali

Great, we can see that the USB is connected to our system. 

hardware
ttyUSB0 listed command

At this point, we can initiate the command to establish a connection with the router.

The typical baud rate for most embedded devices is 115200. To confirm the actual baud rate, we employ the baudrate.py tool on the Kali system. Establishing a connection to the UART involves using the command screen /dev/ttyUSB0 115200. It’s essential to power off the device while executing the screen command.

hardware

Screen Command line

Following the execution of the screen command and powering on the device, it becomes evident that we are receiving incomprehensible data, indicating a misconfiguration of the baud rate.

hardware

Gibberish data

To obtain a accurate depiction of the debugging data, we can start by trying other baud rates, beginning with 9600.

hardware

Screen Command with 9600

Selecting a baud rate of 9600 reveals a distinct set of data; however, it remains unintelligible and cannot be interpreted.

hardware

Gibberish data

Next, let’s attempt a baud rate of 19200.

hardware

Screen Command with 19200

In this instance, no data is being received at the baud rate of 19200.

hardware

Blank Terminal for output

After multiple attempts, the next baud rate we try is 38400.

hardware

Screen Command with 38400

At a baud rate of 38400, a successful connection has been established, and a set of data has been received. The data is now readily interpretable.

hardware

Booting and data in Terminal

In the output, it initiates with the boot process, displaying the message “NVRAM backup initiated” Upon interrupting the debugging process by pressing ENTER on the keyboard, as depicted in the accompanying image, we seamlessly transition into a Command Line Interface (CLI). Within the CLI, we enter a promiscuous mode.

What is Promiscuous Mode?

Promiscuous mode is commonly employed for monitoring network activity and diagnosing connectivity issues. In this mode, a network snoop server can capture and store all packets for subsequent analysis.

hardware

Command Line Interface

Upon encountering the CLI> prompt, an array of commands becomes visible. Noting the presence of “CLI>” in the terminal, entering “help” yields a comprehensive list of available commands.

hardware

Help command in CLI

Upon executing the “ifconfig” command, the following information is obtained:

				
					Inet address: 192.168.0.1 
Bcast: 192.168.0.255
				
			
hardware

ifconfig command in CLI

Examining the CLI> syslog command also reveals that debugging messages for the system, Simple Network Time Protocol (SNTP), and the “Syslog” command originate from the outputs, initiating a diagnostic process for these components.

hardware

syslog command in CLI

By utilizing the CLI> show command in the CLI, a comprehensive list of additional information about the router is displayed. Furthermore, the output provides details on the processes currently running in the system.

hardware

Show command in CLI

Executing the command CLI> realtek reveals details about the chipset. Upon using these commands, networking information, including Ethernet connection, local connections, and bridge connections, is obtained.

hardware

Realtek command in CLI

Next, we proceed to extract data using the command “dump address(size) size length.”

hardware

Dump Command in CLI

Unfortunately, we are unable to visualize any hex dump of data for the specified addresses.

From now on, when using the dump command, let’s specify the limit and try to get data from the memory.

The error “TLB miss (during load and fetch)” occurs when the Translation Lookaside Buffer (TLB) doesn’t have the required translation information for a particular virtual address. This situation prompts a search in the page tables.

hardware

CLI Console with a data limit

At this point, readable data is visible in the dumps.

hardware

Hexdump Data in CLI

Upon connecting the TTL to USB (Transistor-Transistor Logic to Universal Serial Bus) connector and pressing the Enter key along with a specific set of keywords, you gain access to the <Realtek> console. The display may show a watchdog timeout, and the user can initiate an Escape boot sequence, enabling entry into the Realtek console.

SDRAM: The chipset specifies an 8MB SDRAM before it undergoes a reboot due to a watchdog timeout.

hardware

Booting process and Realtek console

For those less familiar with the screen command, an alternative is to utilize the Arduino IDE environment with the appropriate COM port selected. Within the serial monitor, set the baud rate to 38400, and you’ll seamlessly access the CLI, enabling the use of other commands demonstrated earlier in Screen.

hardware
Arduino IDE
TL;DR

In conclusion, this blog provides an insightful walkthrough on exploiting IoT devices through hardware hacking, specifically focusing on UART interfaces in routers. The process involves intricate steps like hardware reconnaissance, identifying and soldering test pins, and establishing a connection using tools like JTAGulator and Kali Linux. It demonstrates how to identify UART pins, connect them using a TTL2USB connector, and utilize various baud rates to access the Command Line Interface. This exploration underlines the importance of robust hardware security in IoT devices, showcasing both the vulnerability of these devices and the methods used for penetration testing and security analysis.

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.

“Join us on our journey of growth and development by signing up for our comprehensive courses.”