Security¶
https://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/
Looking up Chips¶
FCC Search:
FCC Chip Lookup
Searchable FCC ID Database
Data sheets:
Electronic Components Datasheet Search
The World's Most Comprehensive Source of Electronic Component Datasheets and Distributor Pricing
Note
A chip may have a film over its markings that is only visible through a polarizing lens.
Exploits/Attacks¶
Cold Boot¶
When the computer is quickly reset, most of the contents of memory are retained.
Note
There may be some bit flips.
Memory Scrambling:
- The integrated memory controller uses a key to scramble the data that is written to physical memory.
- During a reboot the key is changed, so any memory read afterwards would be garbage.
- Lest We Forget: Cold-Boot Attacks on Scrambled DDR3 Memory
DMA Attacks¶
Use FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces for DMA attacks
Direct Memory Access (DMA) Attack Software
Use pcileech with MemProcFS to modify files in physical memory
Note
This can be blocked when Intel's VT-d BIOS setting is enabled. If you get into the BIOS you can disable this.
Practical DMA attack on Windows 10
Boot Attacks¶
- Check whether the BIOS settings are password protected
- Check whether the boot order can be changed
- Check whether Secure Boot is enabled
- Check whether the password is bypassable
Kon-Boot¶
Note
This can be blocked with full-disk encryption.
LAN Responder Attacks¶
TPM Attacks¶
Extracting BitLocker keys from a TPM
https://web.archive.org/web/20220223110529/https://labs.f-secure.com/blog/sniff-there-leaks-my-bitlocker-key/
TPM GPIO fail: How bad OEM firmware ruins TPM security
TPM Genie is an I2C bus interposer for discrete Trusted Platform Modules
- Check the TPM datasheet
- If the TPM is on an SPI bus, listen to the SPI data
- If getting onto the TPM's SPI pins is hard, tap another chip on the same SPI bus; the bus lines are often shared between chips
- Try using https://github.com/FSecureLABS/bitlocker-spi-toolkit to extract the Volume Master Key (VMK) from the captured SPI data
Note
This works on TPM 1.x.
Note
This currently also works on BitLocker with TPM 2.0 because BitLocker does not use parameter encryption.
Note
This does not work when the TPM is used with a PIN or a startup key (usually a file on a USB drive).
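A defender's check for the last note above, added here and not part of the original notes: it lists BitLocker OS volumes whose TPM protector has no PIN or startup key (the configuration the SPI capture applies to) and prints the TPM spec version. It uses the standard Windows BitLocker module cmdlets and the Win32_Tpm CIM class; the function names are my own.

```powershell
# Added example, not from the original notes. Requires the BitLocker module and
# an elevated PowerShell session on Windows.

# Protector type in which the TPM unseals the VMK at boot with no user input.
$TpmOnlyTypes = @('Tpm')
# Protector types that add a PIN and/or startup key; the notes say the capture
# fails here because the TPM will not unseal the VMK without the extra secret.
$TpmPlusSecretTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-TpmOnlyBitLockerVolumes {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            $hasTpmOnly   = @($types | Where-Object { $_ -in $TpmOnlyTypes }).Count -gt 0
            $hasTpmSecret = @($types | Where-Object { $_ -in $TpmPlusSecretTypes }).Count -gt 0
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                # Off means protection is suspended (clear key on disk), worse than TPM-only.
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                # True when the volume can be unlocked by the TPM alone at boot.
                TpmOnly          = $hasTpmOnly -and -not $hasTpmSecret
            }
        }
}

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59" (family, level, revision).
    (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
}

"TPM spec version: $(Get-TpmSpecVersion)"
Get-TpmOnlyBitLockerVolumes | Format-Table -AutoSize

# Mitigation the notes imply: add a PIN to the TPM protector (where policy permits), e.g.
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
```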
Hardware Crypto Wallets¶
Cracking Hardware Crypto Wallets
Tools¶
Soldering Iron:
- PINECIL – Smart Mini Portable Soldering Iron
- Weller WE1010NA
- Hakko® FX-951
- Hakko® FX-888D
Solder:
- Kester 24-6337-8806 (245)
Flux:
- AMTECH NC-559-V2-TF
Hot Air Station:
- Quick 957DW+ Hot Air Station (580 Watt)
- 858d rework station
Desoldering Hand Pump:
- Engineer® SS-02
- ZD-915
Logic Analyzer:
- Saleae Logic Pro 8
- DSLogic U3Pro16
JTAG/SWD Debugger:
- Flyswatter2
- JTAG/SWD debug probe with USB interface
- JTAGulator
- The Shikra
- Adafruit FT232H Breakout - General Purpose USB to GPIO, SPI, I2C - USB C & Stemma QT
Flash Programmer:
- XGecu TL866II Plus USB High Performance Programmer
- FlashcatUSB Classic Memory Programmer
- BGA Programmer
Power Supply:
- KORAD KA3005P - 30V, 5A DC Linear Power Supply
Bluetooth:
- Bluefruit LE Sniffer - Bluetooth Low Energy (BLE 4.0) - nRF51822 - Firmware Version 2
Extras:
- Fume Extractor
  - Hakko FA400-04
- Isopropyl Alcohol
- Anti-static Brushes
- Tip Tinner
  - Thermaltronics FBA_TMT-TC-2 Lead Free Tip Tinner
- Wire Cutters
  - Wire Cutter and Stripper-Small DA76070
- Wire-type Tip Cleaner
- Board Holders and Third Hand Tools
  - Ultimate Helping Hands
  - The low profile PCB vise
- Kapton tape
New All in one tools¶
Software¶
[Saleae Logic Analyzer](https://www.saleae.com/downloads/)
OpenOCD: Open On-Chip Debugging, In-System Programming and Boundary-Scan Testing