Awesome Hardware Reverse Engineering

A curated list of awesome reverse engineering resources to make you better!

Managed by Reversing.ID for the reversing community.

Introduction

Hardware Reverse Engineering focuses on circuitry (boards, ICs) and the relationships between components.

The scope and level of analysis can vary greatly; some common targets:

  • firmware.
  • board layout.
  • chip circuit design.

Some notable processes:

  • teardown: product disassembly, component/subsystem identification
  • interface: protocol monitoring/analysis/emulation
  • firmware: extract/modify code or data
  • circuit: silicon modification

Table of Contents


Books

Electronics, VHDL, and circuit design

Hardware hacking

PCB (Printed Circuit Boards)

BIOS, UEFI, Firmware

Courses

Electronic

Radio Frequency

Channels

YouTube Channel

  • Micah Scott - video logs of Reverse Engineering and repurposing consumer electronics hardware in creative ways.
  • The Signal Path - collections of teardown, repairs, and reviews of lab equipment and prototyping products.
  • GreatScott
  • EEVblog

References

Learning Assembly

Development Boards

Single-Board Computer (family)

Part Search Engine

Protocol List

Inter-circuitry protocol (Internal)

These protocols are used for communication between circuits or modules, such as EEPROM, RAM, RTC, sensors, etc.

  • SPI: Serial Peripheral Interface, synchronous protocol with master-slave design.
  • I2C: Inter-Integrated Circuit, synchronous protocol with multi-master and multi-slave support.

System communication (External)

These protocols are used for communication between modules or with an external system.

  • Wired protocol
    • CAN: Controller Area Network, device communication bus popular in vehicles.
    • USB: Universal Serial Bus
    • UART & USART: Universal Synchronous Asynchronous Receiver-Transmitter
    • RS232
  • Wireless protocol
    • Bluetooth
    • LoRaWAN
    • WiFi
    • ZigBee

Debugging protocol

  • JTAG: Joint-Test Action Group
  • SWD: Serial Wire Debug, ARM-specific protocol

Communities


Bus Interface

  • Shikra - JTAG, SPI, I2C, UART, GPIO
  • Hydrabus - UART, I2C, USB, smartcard, 2-wire, wiegand, SPI, CAN, SDIO, DAC, 1-wire
  • Xpliot Nano
  • Bus Pirate - 1-wire, I2C, SPI, JTAG, UART
  • USB to TTL/UART
  • USBtin - USB to CAN interface.

OBD adapter

  • ObdDiag - open source ELM327 OBD adapter; connects to the On-Board Diagnostic (OBD) port to access a car's self-diagnostic system.
  • M2 -

Programmers & Flashers

read/write devices that contain memory

Universal

Microcontroller/Microprocessor Specific

  • STM32 programmer - enter DFU (Device Firmware Upgrade) mode for programming and debugging
  • AVR programmer

Hardware Debuggers

SWD (Serial Wire Debug), ARM-specific

JTAG (Joint-Test Action Group)

Protocol Analyzers

real-time, non-intrusive monitoring/capture/decoding of wired communication

Multi

USB

CAN

Logic Analyzers

concurrently capturing, visualizing, and decoding large quantities of digital data

Oscilloscopes

visual display of electrical signals and how they change over time

Standalone

  • HP/Agilent
  • Tektronix
  • Rohde & Schwarz
  • LeCroy
  • Rigol

PC-based

  • ProcScope
  • USBee
  • PicoScope

Dev & Breakout Boards

Radio Frequency

Analyze, modify, and replay Radio Frequency signals.

General-purpose

  • HackRF - half duplex, 1 MHz - 6 GHz
  • LimeSDR - full duplex,
  • RTL-SDR - RX, 500 kHz - 1766 MHz
  • YARD Stick - half duplex, 300-348 MHz, 391-464 MHz, 782-928 MHz
  • nRF52840 Dongle - dongle that supports Bluetooth 5, Bluetooth mesh, Thread, ZigBee, 802.15.4, ANT, and 2.4 GHz proprietary protocols.

Zigbee

Bluetooth

RFID & NFC

Magnetic Stripe

  • MagSpoof - wireless credit card / magnetic stripe spoofer

EDA

EDA (Electronic Design Automation) and ECAD (Electronic Computer-Aided Design)

Firmware Extract

Disassemblers & Decompilers

Multi-architecture

Emulators

Full firmware emulator

  • QEMU - Generic and open source machine emulator and virtualizer.
    • ARM-X - Firmware emulation framework built on top of QEMU
    • Firmadyne - Platform for emulation and dynamic analysis of Linux-based firmware.
  • Kopycat - hardware emulator.

Software Debuggers

Hardware debugger

  • OpenOCD - Open On-Chip Debugger, provides GDB support.
  • UrJTAG - Universal JTAG Library

Signal Analysis

Firmware debugger

Traffic Analysis

Communication Protocol

  • I/O Ninja - Professional, scriptable, multi-purpose terminal emulator, network sniffer, and IO monitor.
  • Bettercap - Swiss-army knife for 802.11, BLE, and ethernet network reconnaissance and MITM attacks.
  • CAN (Controller Area Network)
    • CANToolz - Black-box CAN network analysis framework.
  • BLE (Bluetooth Low Energy)
    • btproxy - MITM analysis tool for Bluetooth.
    • BtleJuice - BLE MITM framework.
    • btlejack - BLE Swiss-army knife, paired with a BBC Micro:Bit device.
    • BlueZ - sdptool, l2ping
  • ZigBee
    • KillerBee - IEEE 802.15.4/ZigBee Security Research Toolkit.

Radio Frequency

  • Universal Radio Hacker - Investigate Wireless Protocols
  • Inspectrum - Offline radio signal analyser
  • GNU Radio - Software development toolkit providing signal-processing blocks to implement software-defined radios and signal-processing systems.

RTOS

Free or Open Source RTOS (Real Time Operating System)

  • TinyOS - An operating system designed for low-power wireless devices, such as those used in sensor networks, ubiquitous computing, personal area networks, smart buildings, and smart meters.
  • ContikiOS - A free operating system focused on providing standardized low-power wireless communication for a wide range of hardware platforms.
  • FreeRTOS - A free-to-use Real Time Operating System which is widely used and supports a large number of platforms.
  • RIOT - A free OS for IoT devices providing foundational trust services. The trust services include device identity, sealing, attestation, and data integrity. The term “Robust” is used because the minimal trusted computing base is tiny, and because RIoT capabilities can remotely re-establish trust in devices that have been compromised by malware.
  • RTEMS - Real-Time Executive for Multiprocessor Systems or RTEMS is an open source Real Time Operating System (RTOS) that supports open standard application programming interfaces (API) such as POSIX. It is used in space flight, medical, networking and many more embedded devices using processor architectures including ARM, PowerPC, Intel, Blackfin, MIPS, Microblaze and more.

Commercial RTOS

  • SafeRTOS - Certified version of FreeRTOS by TUEV SUED against IEC 61508 (basic functional safety standard) up to SIL3 (the highest safety integrity level for a single software component), ISO 26262 ASIL D (automotive standard) and EN62304 (medical device standard).
  • INTEGRITY/INTEGRITY-178 - Two commercial RTOS variants targeting embedded systems that require total reliability, absolute security, and maximum real-time performance. The INTEGRITY-178 variant holds a lot of safety and security certifications.
  • PikeOS - A commercial micro-kernel based operating system with a small footprint and certified for DO-178 (avionics), IEC-61508 (industrial), ISO-26262 (automotive).
  • Rocket - A free embedded operating system specifically designed to quickly and easily build small, intelligent devices in Wind River's cloud-based development environment, Wind River Helix™ App Cloud.
  • Nucleus RTOS - Commercial micro-kernel based real-time operating system designed for scalability and reliability.
  • uC/os - µC/OS-II and µC/OS-III are preemptive, highly portable, and scalable real-time kernels. You can test them out for free, but you must pay to put them into a product.
  • TI-RTOS - A real-time operating system for TI microcontrollers. It includes TCP/IP and USB stacks, a FAT file system, and device drivers; most of the TI-RTOS components are released under the BSD License.