## HARDSPLOIT

A Metasploit-like tool for hardware hacking







### Who Are These Guys?



- Julien Moinard
  - Electronic engineer
  - Pentester
  - DIY enthusiast
- Role in Hardsploit
  - Hardware / VHDL

- Gwénolé Audic
  - Hardware hacking enthusiast
  - Pentester
  - Software developer
- Role in Hardsploit
  - Graphical interface / DB



### The Fact



The gap between software and hardware security has widened since the 2000s

Golden age of software security (since 2000)

- Personal computers
- World Wide Web
- Online sales

Golden age of hardware security (now?)

- "Internet of Things"
- Connect everything (from fridges to cars)
- Automation devices everywhere



### Question



Security-wise, is hardware the new software?





### Hardware Hacking Basic Procedure (Opale Security)

- 1/ Open it
- 2/ Fingerprint all the components (RTFD: Read The Fucking Datasheets)
- 3/ Pick those that may contain data (Online / Offline analysis?)
- 4/ Perform read / write operations on them
- 5/ Reverse engineer, find vulnerabilities and exploit them





# Global Purpose







### Why?



- Because chips contain interesting data
  - Passwords
  - File systems
  - Firmware
  - ...

```
0000000 0000 0001 0001 1010 0010 0001 0004 0128
0000010 0000 0016 0000 0028 0000 0010 0000 0020
0000040 0004 8384 0084 c7c8 00c8 4748 0048 e8e9
0000050 00e9 6a69 0069 a8a9 00a9 2828 0028 fdfc
0000060 00fc 1819 0019 9898 0098 d9d8 00d8 5857
0000070 0057 7b7a 007a bab9 00b9 3a3c 003c 8888
0000090 3b83 5788 8888 8888 7667 778e 8828 8888
00000a0 d61f 7abd 8818 8888 467c 585f 8814 8188
00000b0 8b06 e8f7 88aa 8388 8b3b 88f3 88bd e988
00000c0 8a18 880c e841 c988 b328 6871 688e 958b
00000d0 a948 5862 5884 7e81 3788 1ab4 5a84 3eec
00000e0 3d86 dcb8 5cbb 8888 8888 8888 8888 8888
0000100 0000 0000 0000 0000 0000 0000 0000
000013e
```



### How?



By using electronic buses





# Quick Review



| FUNCTIONALITIES | BUSPIRATE            | JTAGULATOR         | GOODFET         | HARDSPLOIT              |
|-----------------|----------------------|--------------------|-----------------|-------------------------|
| UART            |                      | Bus identification | *               |                         |
| SPI             |                      | *                  |                 |                         |
| PARALLEL        | *                    | ×                  | *               |                         |
| I2C             |                      | *                  | *               |                         |
| JTAG / SWD      |                      | Bus identification |                 |                         |
| MODULARITY      | Microcontroller      | Microcontroller    | Microcontroller | FPGA                    |
| EASE OF USE     | Cmd line + datasheet | Command line       | Command line    | Official GUI / API / DB |
| I/O COUNT       | < 10                 | 24                 | < 14            | 64 (plus power)         |
| WIRING          | TEXT (but MOSI = SDA) | TEXT              | TEXT            | LED / TEXT              |



### Hardsploit: Communication

(Diagram: Hardsploit FPGA to target memory communication path)







# Prototype making



Applying solder paste (low budget style)







# Prototype making



Manual reflow oven (DIY style)







## Prototype V0.1 aka The Green Goblin







## Prototype making (with a budget)



#### The rebirth









### The board — Final version



- 64 I/O channels
- Target voltage: 3.3 V and 5 V
- Cyclone II FPGA
- USB 2.0
- 20 cm x 9 cm





## Organization







## The Graphical Interface (W.I.P)







# Chip module

- Search
- Create
- Modify
- Interact







# Wiring module







# Settings module



Hardsploit: I<sup>2</sup>C settings (24LC64 parameters)

| Parameter          | Value                                      |
|--------------------|--------------------------------------------|
| Base address (W)   | A2                                         |
| Base address (R)   | A3                                         |
| Frequency (kHz)    | 400                                        |
| Total size (bytes) | 8192                                       |
| Bus scan           | Launch (results listed as Address / R/W)   |

Cancel / Save

Hardsploit: Bus settings (25LC640 parameters)

| Parameter                 | Value  |
|---------------------------|--------|
| Page size                 |        |
| Total size (8-bit words)  | 4096   |
| Frequency (MHz)           | 1.00   |
| Mode                      | 1      |
| SPI command read          | 3      |

Save

Note: the 25LC640 datasheet gives 64 Kbit (8192 x 8) with 32-byte pages; a wrong total size silently truncates the dump, so check the datasheet before saving the settings.

Hardsploit: Parallel settings (P33-65nm parameters)

| Parameter          | Value                    |
|--------------------|--------------------------|
| Total size         | 120000                   |
| Read latency (ns)  | 1600                     |
| Write latency (ns) |                          |
| Word size          | 8 bits / 16 bits (16 selected) |
| Page size          | 0                        |

Cancel / Save



## Command module









### The API



- Free-to-use API
- Create your own GUI
- Or don't use a GUI at all
- Use it from your own program
- ...





### Already available



- Parallel non-multiplexed memory dump
  - 32 bits for address
  - 8/16 bits for data
- Wiring assistance
- I2C at 100 kHz, 400 kHz and 1 MHz
  - Address scan
  - Read, write, automatic full and partial dump
- SPI modes 0, 1, 2, 3 up to 25 MHz
  - Read, write, automatic full and partial dump
- SWD interface (JTAG-class debug access)
  - Dump and write firmware of most ARM MCUs
- GPIO interaction / bit-banging
  - Low speed (< 500 Hz) read and write operations on 64 pins
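
As an added illustration of the I2C and SPI read paths listed above and of the values in the settings dialogs (not the Hardsploit API, which is not shown on this page), the following Ruby models the byte-level transactions a dumper issues to a 24LC64 (I2C) and a 25LC640 (SPI). `SimulatedSpiEeprom` and the sample image are assumptions made for the example so it runs offline; the control-byte layout, the random-read sequence and the 0x03 READ opcode come from the two chips' datasheets.

```ruby
# Byte-level models of the read transactions a dumper issues to the two
# EEPROMs shown in the settings dialogs (24LC64 on I2C, 25LC640 on SPI).
# Added illustration, not the Hardsploit API; `SimulatedSpiEeprom` is a
# hypothetical stand-in for the bus so the frames can be checked offline.

# 24LC64 control byte (datasheet): 1 0 1 0 A2 A1 A0 R/W.
# Strapping only A0 high gives 0xA2 (write) / 0xA3 (read), the base
# addresses in the I2C settings dialog.
def i2c_control_bytes(a2: 0, a1: 0, a0: 0)
  base = 0xA0 | (a2 << 3) | (a1 << 2) | (a0 << 1)
  { write: base, read: base | 0x01 }
end

# Inverse: from the 8-bit write address an I2C address scan reports,
# recover the device-type prefix (0xA = 24-series EEPROM) and the strapping.
def decode_i2c_address(ctrl_write)
  { family: ctrl_write >> 4,
    a2: (ctrl_write >> 3) & 1, a1: (ctrl_write >> 2) & 1, a0: (ctrl_write >> 1) & 1 }
end

# 24LC64 "random read": START, ctrl(W), address high, address low,
# repeated START, ctrl(R), len data bytes (auto-incrementing), STOP.
# The address is 16 bits MSB first; only 13 bits matter on an 8 KiB part.
def i2c_random_read_frame(ctrl, addr, len)
  raise ArgumentError, "address 0x#{addr.to_s(16)} out of range" unless (0...8192).cover?(addr)
  [[:start],
   [:write, ctrl[:write]],
   [:write, (addr >> 8) & 0xFF],
   [:write, addr & 0xFF],
   [:restart],
   [:write, ctrl[:read]],
   [:read, len],
   [:stop]]
end

# 25LC640 READ instruction (datasheet opcode 0x03, the "SPI command read: 3"
# setting): opcode, 16-bit address MSB first, then one dummy byte clocked
# out per data byte wanted.  CS stays low for the whole frame.
SPI_READ = 0x03
def spi_read_frame(addr, len)
  [SPI_READ, (addr >> 8) & 0xFF, addr & 0xFF] + Array.new(len, 0x00)
end

# Hypothetical simulated SPI EEPROM backed by an in-memory image: answers a
# READ frame with the MISO bytes (three don't-care bytes, then the data).
class SimulatedSpiEeprom
  def initialize(image)
    @image = image
  end

  def transfer(mosi)
    raise "only READ is modelled" unless mosi[0] == SPI_READ
    addr = (mosi[1] << 8) | mosi[2]
    [0xFF, 0xFF, 0xFF] + (@image.byteslice(addr, mosi.size - 3) || "").bytes
  end
end

# A full dump as chunked READ frames: the chip auto-increments the address
# for as long as CS is held low, but host buffers are finite, so an
# "automatic full dump" is in practice a sequence of bounded reads.
def dump_frames(size, chunk = 256)
  (0...size).step(chunk).map { |a| spi_read_frame(a, [chunk, size - a].min) }
end

if __FILE__ == $PROGRAM_NAME
  ctrl = i2c_control_bytes(a0: 1)
  puts format("24LC64 control bytes: W=0x%02X R=0x%02X", ctrl[:write], ctrl[:read])
  p i2c_random_read_frame(ctrl, 0x0100, 4)
  image = ("\x00".b * 0x100) + "1337".b + ("\x00".b * 0x100) # constructed sample image
  p SimulatedSpiEeprom.new(image).transfer(spi_read_frame(0x0100, 4))
end
```

The practical point of `decode_i2c_address` is that an address scan returning 0xA2 tells you both the chip family (24-series EEPROM) and how A0..A2 are strapped, which fixes the base address you enter in the settings dialog; on the SPI side, a truncated `Total size` simply stops `dump_frames` early, so compare the configured size against the datasheet before trusting a "full" dump.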



#### More to come...



- Component and command sharing platform
- TTL UART module (RS232 and RS485 with level adapter)
- Parallel communication with multiplexed memory
- I2C sniffing (capture of 4000 bytes at up to 1 MHz)
- SPI sniffing (capture of 8000 bytes at up to 25 MHz, half / full duplex)
- RF wireless transmission training platform (Nordic nRF24)
- Metasploit integration (module)
- JTAG pinout finder
- 1-Wire
- CAN bus (with level adapter)
- ...



### Concrete case



- An electronic lock system
- 4-character PIN code A - B - C - D
  - Correct combination: door opens, green LED turns on
  - Wrong combination: door stays closed, red LED turns on





# 1/ Open it







# 2/ Fingerprint







- I2C memory: 24LC64
- MCU: STM32F103RBT6



# Online / Offline analysis?









#### Scenario



- Open Hardsploit to create the component
- Connect the component to Hardsploit
- Enter and save the component settings
- Dump the content of the memories
- Change the door password by using commands
- Try the new password on the lock system
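
The offline-analysis and write-back steps of this scenario, as an added example that is not part of the original slides or the Hardsploit command module: it scans a constructed 24LC64-sized image for 4-character PIN candidates, patches the one found, and splits the write into page-aligned chunks. The image contents, the assumption that the PIN is stored as plain ASCII digits, and the helper names are all made up for the example; the 8192-byte size matches the settings dialog and the 32-byte page size is from the 24LC64 datasheet.

```ruby
# Offline analysis of an EEPROM dump and preparation of the write-back,
# for the electronic-lock scenario.  Added illustration, not Hardsploit code.

I2C_PAGE_SIZE = 32   # 24LC64 page size in bytes (datasheet)
EEPROM_SIZE   = 8192 # "Total size: 8192" in the I2C settings dialog

# Constructed 8 KiB image (not a dump from a real lock): mostly erased
# (0xFF), a small header, the PIN "4711" as ASCII at 0x0040, a name string.
def build_sample_image
  img = "\xFF".b * EEPROM_SIZE
  img[0x0000, 8] = "LOCKv1\x00\x00".b
  img[0x0040, 4] = "4711".b
  img[0x0100, 6] = "admin\x00".b
  img
end

def digit?(byte)
  !byte.nil? && byte.between?(0x30, 0x39)
end

# Offline analysis: candidate PINs are runs of exactly `length` ASCII digits
# bounded by non-digits (so the lone "1" in "LOCKv1" is not a hit).
# Returns [offset, pin] pairs.
def find_pin_candidates(image, length = 4)
  hits = []
  i = 0
  while i < image.bytesize
    if digit?(image.getbyte(i))
      j = i
      j += 1 while j < image.bytesize && digit?(image.getbyte(j))
      hits << [i, image.byteslice(i, length)] if j - i == length
      i = j
    else
      i += 1
    end
  end
  hits
end

# A 24LC64 page write must not cross a 32-byte page boundary: the internal
# address wraps inside the page and the start of the page is overwritten.
# Split a write into [address, data] chunks that each stay inside one page.
def page_write_chunks(addr, data, page = I2C_PAGE_SIZE)
  chunks = []
  off = 0
  while off < data.bytesize
    room = page - ((addr + off) % page)
    n = [room, data.bytesize - off].min
    chunks << [addr + off, data.byteslice(off, n)]
    off += n
  end
  chunks
end

# Patch the PIN in a copy of the image and return the copy together with
# the page-aligned write transactions needed to commit the change.
def change_pin(image, old_pin, new_pin)
  raise ArgumentError, "new PIN must be #{old_pin.size} characters" unless new_pin.size == old_pin.size
  hits = find_pin_candidates(image, old_pin.size).select { |_, pin| pin == old_pin }
  raise "old PIN not found exactly once (#{hits.size} hits)" unless hits.size == 1
  offset = hits[0][0]
  patched = image.dup
  patched[offset, new_pin.size] = new_pin.b
  [patched, page_write_chunks(offset, new_pin.b)]
end

# Read-back check before trying the lock: every written chunk must read
# back identically from the (re-dumped) image.
def verify_write(image, chunks)
  chunks.all? { |addr, data| image.byteslice(addr, data.bytesize) == data }
end

if __FILE__ == $PROGRAM_NAME
  image = build_sample_image
  p find_pin_candidates(image)
  patched, chunks = change_pin(image, "4711", "2580")
  p chunks
  puts "read-back ok: #{verify_write(patched, chunks)}"
end
```

Two things carry over to a real target: a candidate that appears more than once (or not at all) should stop the tool rather than guess, which is why `change_pin` insists on exactly one hit, and the page-boundary split matters because a write that happens to straddle a page wraps silently on the chip and corrupts bytes you did not intend to touch.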



## Read | Write operation



Time for a live demo?



# Parallel bus memory







# 1/ Fingerprint







# 2/ Offline analysis











# 3/ Ready to dump the content









## Thank you!



To learn more about Hardsploit and follow its development:

## hardsploit.io