Hacking IoT & RF Devices with BürtleinaBoard™
Yet another Multipurpose Breakout Board to hack hardware in a clean and easy way!
Few months ago I have presented #FocacciaBoard: a similar multipurpose breakout board that uses the famous FT232H to handle multiple protocols commonly found in (I)IoT devices (i.e. UART, JTAG, SWD, SPI, I2C).
Despite #FocacciaBoard is extremely useful during my night-to-night hardware hacking needs… there is another set of tools I cannot live without: pin enumeration ones. The two most used are JTAGulator (awesome commercial product developed by Joe Grand) and BUSSide (a marvelous piece of FOSS developed by Dr. Silvio Cesare).
BUSSide is exactly what you need if you don’t feel comfortable yet to spend yet 160€ for the JTAGulator (which I heavily recommend once you will improve your Hardware Hacking skills and start targeting complex devices).
That’s why I created#BürtleinaBoard: to have a more usable breakout-board around BUSSide software framework.
Intro to BUSSide:
BUSSide is a software framework developed for ESP8266 , running on a NodeMCU board which allows a python client on your laptop to communicate (mostly through bit-banging) with different hardware components through different protocols (i.e. UART, SPI, I2C and JTAG).
What makes BUSSide an irresistible toy to always have around in your hardware hacking lab is that has the capability to discover/enumerate the right pins for multiple protocols.
Imagine the scenario where you have target with exposed some debug pins or test points… but there is anything written on the silk-screen that may help you figure out what is what. What do you do?
Attach a Logic Analyzer to passively figure out what’s going on.
Actively Enumerate them with JTAGulator or BUSSide.
Flashing BUSSide firmware inside the NodeMCU is quick and easy:
# apt-get install esptool # git clone http://github.com/BSidesCbr/BUSSide.git # esptool --port /dev/ttyUSB0 write_flash 0x00000 BUSSide/FirmwareImages/*.bin
Of course, you can also use esptool on Windows or Nodemcu-flasher
Once flashed, you can attach the NodeMCU on the BürtleinaBoard and then connect it to the laptop through a USB micro cable.
How to Run BUSSide:
# cd BUSSide/Client # ./busside.py /dev/ttyUSB0
Afterwards you will be greeted by the (pretty straight-forward) BUSSide menu.
Let’s say you have a new target and you cannot figure out which is the pinout of the UART console and you are too lazy to deal with a locig analyzer…
Grab your Bürtleina board, attach those pins to the target either through dupont cables or hook probes and run BUSSide Client. It will allow you to enumerate the RX pin, then the TX one and finally to use the BUSSide itself as UART to USB (i.e. passthrough mode).
At this point you can either continue hunting JTAG pins (if any) or try to dump the SPI Flash (which contains the Crown Jewels. A.k.a. his majesty, the Firmware).
Grab a SOP8 clip or Hook Probes, attach to the SPI Flash and start dumping it. In a couple of minutes you should get extracted the firmware.
Of course, you can always try to also hunt-down the JTAG…
Some of you at this point may have wondered… why there is a CC1101 board attached to BürtleinaBoard?!
Well… look at it as an easter-egg that allows you to do some basic RF Hacking.
Flashing one of the SmartRC-CC1101-Driver-Lib’s examples is very trivial with Arduino IDE.
If you have read so far… means you are thinking to try the BurtleinaBoard! Good! You can find Gerbers, Schematics and 3D Case at https://burtleina-board.whid.ninja
For more stuff feel free to follow https://twitter.com/whid_ninja
As usual I will try convincing the Chinese Manufacturer that brought to life WHID, WHIDelite and FocacciaBoard to start the production of a small batch of BurtleinaBoards for the folks that are too lazy or too scared to make their own. #StayTuned!
If you wonder how looks like a Bürtleina and how to make it, I left here the receipt: https://www.poderecasale.com/en/burtleina/
Buon apetito! :)