Security Embedded is 12+ years of experience in building secure systems. Learn more about how we can help you by exploring Phil's blog or contacting us.

What Are You Leaving on the FR4* Table?

Most IoT hardware isn't reverse engineer resistant. Note how I don't say "reverse engineer proof." This would be a fallacy. As long as you don't control where the hardware is, you can't plan to resist every attack.

Whenever I get a new device in my lab, the first thing I do is open it up. Seems simple, right? Sometimes you have to 'break a few eggs' (or plastic housings) to get at the PCB within.  Usually once you get the PCB out of its housing, the real work can begin.

So after wrangling with the cheap plastic housing, you have something like this:

Of course, the next step is to figure out exactly what parts are interesting to us. This device has a Marvell 88MC200 (U5) microcontroller. This is a simiple MCU based around a Cortex-M3 core. As a bonus, the data sheet and application notes are available to the public. This will be handy when we get to looking at the software. As well, there's a Marvell 88W8801 (U6) wireless controller. Those documents are not available to the public, unfortunately. We're not interested in that part yet, anyways.

The rest of the parts are power-related or passives. Nothing too exciting, so let's look at the back of the PCB.

No actives on this PCB, but here's something interesting: two 100 mil connector footprints. (Note: these were not populated when I got the device - keep a soldering iron handy!). Thanks to the silkscreen, we know which signals on the micro go to which pin.

Of course, picking apart a device isn't as simple as finding JTAG and a serial port. It just makes life a lot simpler. But I didn't have to dig around and track pins back to the MCU. I just had to solder down two 100mil connectors and hook them up to my JTAG probe.

This battle doesn't end here though. There are some rudimentary security mechanisms built into the Marvell microcontroller. Marvell built flash into the device. The lack of external flash means I either need JTAG or some evil code of my own to read out flash contents. Somewhat cleverly, there is a security mode the vendor activated in the factory. This disables the JTAG TAP. We can work around this security mode by finding a password, that we can feed to the boot loader via the serial port.

Our hardware hacking is over for today. It's time to dig in and try to understand how the device does firmware updates. Maybe there's a flaw that's exploitable there so we can read out the key... 

* I don't think I'd ever want a table made of FR4, but let's imagine this for the sake of imagery.

Attacking Firmware Loads

Firmware Updates Gone Wrong: Part 2