Security¶
https://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/
Looking up Chips¶
FCC Search:
FCC Chip Lookup
Searchable FCC ID Database
Data sheets:
https://www.alldatasheet.com/
https://www.datasheets360.com/
Note
Chips may have a film over them that makes them visible through polarizing lenses.
Exploits/Attacks¶
Cold Boot¶
When the computer is reset quickly, most of the memory contents are retained.
Note
There may be some bit flips.
Memory Scrambling:
- The integrated memory controller uses a key to scramble the data that is written to physical memory.
- During a reboot the key is changed, so any memory read afterwards is garbage.
- https://dfrws.org/sites/default/files/session-files/2016_EU_pres_lest_we_forget_-_cold-boot_attacks_on_scrambled_ddr3_memory.pdf
DMA Attacks¶
https://github.com/carmaa/inception
https://github.com/ufrisk/pcileech
https://github.com/ufrisk/MemProcFS/
Note
This can be blocked when Intel's VT-d BIOS setting is enabled. If you can get into the BIOS you can disable this.
https://www.synacktiv.com/en/publications/practical-dma-attack-on-windows-10.html
Boot Attacks¶
- Check that BIOS settings are not password protected
- Check whether the BIOS boot order can be changed
- Check whether Secure Boot is enabled
- Check if the password is bypassable
- https://bios-pw.org/
Kon-Boot¶
https://kon-boot.com/
Note
This can be blocked with Full Disk Encryption
LAN Responder Attacks¶
TPM Attacks¶
https://pulsesecurity.co.nz/articles/TPM-sniffing
https://labs.f-secure.com/blog/sniff-there-leaks-my-bitlocker-key/
https://mkukri.xyz/2024/06/01/tpm-gpio-fail.html
https://github.com/nccgroup/TPMGenie
- Check the TPM datasheet
- If it has SPI, listen to the SPI data
- If getting onto the SPI bus is hard, use another chip on the same SPI bus; they may all be connected to each other
- Try using https://github.com/FSecureLABS/bitlocker-spi-toolkit to extract the Volume Master Key (VMK) from the captured SPI data
Note
This works on TPM 1.x.
Note
This does currently work on BitLocker with TPM 2.0 because BitLocker does not support parameter encryption.
Note
This does not work when the TPM protector also requires a PIN or a startup key (usually a file on a USB drive).
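The two notes above describe the configuration split that matters for defenders: a bare TPM protector releases the VMK on the bus, while a PIN or startup key does not. The following audit script is an added example (not from the original page): it lists each BitLocker volume's key protector types and flags volumes whose only TPM binding is a bare TPM protector. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume) and an elevated shell; the function and status names are my own.

```powershell
# Added example, not from the original page. Audits BitLocker key protectors and
# flags volumes protected by a TPM-only protector (no PIN / startup key).
# Assumes the built-in BitLocker module (Get-BitLockerVolume) and an elevated shell.

function Get-BitLockerTpmExposure {
    [CmdletBinding()]
    param(
        # Pass constructed objects for offline testing; omit to query live volumes.
        [object[]]$Volumes = (Get-BitLockerVolume)
    )

    # Protector types that require a second factor before the TPM unseals the VMK.
    $secondFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in $Volumes) {
        # KeyProtectorType is an enum on live objects; stringify for comparison.
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $hasBareTpm      = $types -contains 'Tpm'
        $hasSecondFactor = @($types | Where-Object { $secondFactor -contains $_ }).Count -gt 0

        # Status names are hypothetical labels chosen for this example.
        $status = 'NoTpmProtector'
        if ($hasBareTpm)                           { $status = 'TpmOnly-VmkReleasedOnBus' }
        if ($hasSecondFactor)                      { $status = 'TpmWithSecondFactor' }
        if ("$($vol.ProtectionStatus)" -ne 'On')   { $status = 'ProtectionOff' }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = ($types -join ',')
            Status     = $status
        }
    }
}

# Constructed sample mirroring the shape of Get-BitLockerVolume output.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'TpmPin' }) }
)
Get-BitLockerTpmExposure -Volumes $sample | Format-Table -AutoSize

# Live audit of the current machine:
# Get-BitLockerTpmExposure | Format-Table -AutoSize
```

In the constructed sample, C: is reported as TPM-only and D: as TPM with a second factor; on a live machine a TPM-only result on the OS volume is the finding to remediate by adding a PIN or startup key protector.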
Hardware Crypto Wallets¶
Cracking Hardware Crypto Wallets
Tools¶
Soldering Iron:
PINECIL – Smart Mini Portable Soldering Iron
Weller WE1010NA
Hakko® FX-951
Hakko® FX-888D
Solder:
Kester 24-6337-8806 (245)
Flux:
AMTECH NC-559-V2-TF
Hot Air Station:
- Quick 957DW+ Hot Air Station (580 Watt)
- 858d rework station
Desoldering:
- Engineer® SS-02 (hand pump)
- ZD-915 (desoldering station)
Logic Analyzer:
- Saleae Logic Pro 8
- DSLogic U3Pro16
JTAG/SWD Debugger:
- Flyswatter2
- JTAG/SWD debug probe with USB interface
- JTAGulator
- The Shikra
- Adafruit FT232H Breakout - General Purpose USB to GPIO, SPI, I2C - USB C & Stemma QT
Flash Programmer:
- XGecu TL866II Plus USB High Performance Programmer
- FlashcatUSB Classic Memory Programmer
- BGA Programmer
Power Supply:
- KORAD KA3005P - 30V, 5A DC Linear Power Supply
Bluetooth:
- Bluefruit LE Sniffer - Bluetooth Low Energy (BLE 4.0) - nRF51822 - Firmware Version 2
Extras:
- Fume Extractor
- Hakko FA400-04
- Isopropyl Alcohol
- Anti-static Brushes
- Tip Tinner
  - Thermaltronics FBA_TMT-TC-2 Lead Free Tip Tinner
- Wire Cutters
  - Wire Cutter and Stripper-Small DA76070
- Wire-type Tip Cleaner
- Board Holders and Third Hand Tools
  - https://www.quadhands.com/
  - https://www.stickvise.com/
- Kapton tape
New All in one tools¶
https://www.crowdsupply.com/1bitsquared/glasgow
Software¶
Saleae Logic Analyzer: https://www.saleae.com/downloads/
OpenOCD (Open On-Chip Debugger): on-chip debugging, in-system programming and boundary-scan testing