Security

https://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/

10pcs/set micro IC clamp SOP/SOIC/TSSOP/TSOP/SSOP/MSOP/PLCC QFP SMD IC Chip pin CLIP DIP mini chip set High Quality

Looking up Chips

FCC Search:
FCC Chip Lookup
Searchable FCC ID Database

Data sheets:
Electronic Components Datasheet Search
The World's Most Comprehensive Source of Electronic Component Datasheets and Distributor Pricing

Note

Chips may have a film over them that makes them visible through polarizing lenses.

Source

Exploits/Attacks

Cold Boot

When the computer is reset quickly, most of the contents of memory are retained.

Note

There may be some bit flips.

Memory Scrambling:
- The integrated memory controller uses a key to scramble the data that is written to physical memory.
- During a reboot the key is changed, so any memory read back afterwards would be garbage.
- Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory

Simple demo illustrating remanence of data in RAM (see Cold boot attack) using a Raspberry Pi. It loads many images of the Mona Lisa into RAM and recovers them after powering off and on again.

DMA Attacks

Use FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces for DMA attacks
Direct Memory Access (DMA) Attack Software
Use pcileech with MemProcFS to modify files in physical memory

Note

This can be blocked when Intel's VT-d BIOS setting is enabled. If you can get into the BIOS you can disable this.
Practical DMA attack on Windows 10

Boot Attacks

  1. Check whether the BIOS settings are password protected
  2. Check whether the boot order can be changed
  3. Check whether Secure Boot is enabled
  4. Check whether the password can be bypassed

Kon-Boot

Bypass Mac and Windows login

Note

This can be blocked with Full Disk Encryption

LAN Responder Attacks

TPM Attacks

Extracting BitLocker keys from a TPM
https://web.archive.org/web/20220223110529/https://labs.f-secure.com/blog/sniff-there-leaks-my-bitlocker-key/
TPM GPIO fail: How bad OEM firmware ruins TPM security
TPM Genie is an I2C bus interposer for discrete Trusted Platform Modules

  1. Check the TPM datasheet
  2. If the TPM is on an SPI bus, listen to the SPI data
    • If getting onto the TPM's SPI pins is hard, probe another chip on the same SPI bus; they may all be connected together
  3. Try the https://github.com/FSecureLABS/bitlocker-spi-toolkit to parse the captured SPI traffic
  4. The result is the Volume Master Key (VMK)

Note

This works on TPM 1.x.

Note

This currently also works on BitLocker with TPM 2.0, because BitLocker does not support parameter encryption.

Note

This does not work when the TPM protector is combined with a PIN or a startup key (usually a file on a USB drive).
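Defensive check to go with the notes above (added example written for these notes, not code from the F-Secure toolkit or any linked project): this PowerShell snippet lists each BitLocker volume on a Windows host and flags those whose pre-boot protector is the bare TPM with no PIN or startup key, i.e. the configuration the notes describe as sniffable, and reports the TPM spec version so TPM 1.x and 2.0 hosts can be told apart. It assumes an elevated PowerShell with the built-in BitLocker module.

```powershell
# Added example: flag BitLocker volumes whose only pre-boot protector is the bare TPM.
# Assumes an elevated PowerShell on Windows with the BitLocker module (Get-BitLockerVolume).

function Get-BitLockerSniffExposure {
    # Protector types that bind the TPM to a second factor a bus sniffer cannot see.
    $tpmWithSecondFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    # Win32_Tpm.SpecVersion reads e.g. "2.0, 0, 1.38" or "1.2, 2, 3".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpm) { $tpm.SpecVersion } else { 'no TPM found' }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Exposed when a plain Tpm protector exists and no PIN/startup-key variant is present.
        $exposed = ($types -contains 'Tpm') -and
                   -not ($types | Where-Object { $tpmWithSecondFactor -contains $_ })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            TpmSpecVersion   = $specVersion
            # True when the VMK is released by the TPM alone at boot (no PIN / startup key).
            TpmOnlyUnseal    = $exposed
        }
    }
}

Get-BitLockerSniffExposure | Format-Table -AutoSize
```

A volume showing TpmOnlyUnseal = True should get a TpmPin or TpmStartupKey protector added (Add-BitLockerKeyProtector) before the host is considered resistant to the bus-sniffing approach described above.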

Hardware Crypto Wallets

Cracking Hardware Crypto Wallets

Tools

Soldering Iron:
- PINECIL – Smart Mini Portable Soldering Iron
- Weller WE1010NA
- Hakko® FX-951
- Hakko® FX-888D

Solder:
- Kester 24-6337-8806 (245)

Flux:
- AMTECH NC-559-V2-TF

Hot Air Station:
- Quick 957DW+ Hot Air Station (580 Watt)
- 858d rework station

Desoldering Hand Pump:
- Engineer® SS-02
- ZD-915

Logic Analyzer:
- Saleae Logic Pro 8
- DSLogic U3Pro16

JTAG/SWD Debugger:
- Flyswatter2
- JTAG/SWD debug probe with USB interface
- JTAGulator
- The Shikra
- Adafruit FT232H Breakout - General Purpose USB to GPIO, SPI, I2C - USB C & Stemma QT

Flash Programmer:
- XGecu TL866II Plus USB High Performance Programmer
- FlashcatUSB Classic Memory Programmer
- BGA Programmer

Power Supply:
- KORAD KA3005P - 30V, 5A DC Linear Power Supply

Bluetooth:
- Bluefruit LE Sniffer - Bluetooth Low Energy (BLE 4.0) - nRF51822 - Firmware Version 2

Extras:
- Fume Extractor
    • Hakko FA400-04
- Isopropyl Alcohol
- Anti-static Brushes
- Tip Tinner
    • Thermaltronics FBA_TMT-TC-2 Lead Free Tip Tinner
- Wire Cutters
    • Wire Cutter and Stripper - Small DA76070
- Wire-type Tip Cleaner
- Board Holders and Third Hand Tools
    • Ultimate Helping Hands
    • The low profile PCB vise
- Kapton tape

New all-in-one tools

Glasgow Interface Explorer

Software

[Saleae Logic Analyzer](https://www.saleae.com/downloads/)
Open On-Chip Debugging, In-System Programming and Boundary-Scan Testing