Hacking IoT devices with Focaccia-Board: A Multipurpose Breakout Board to hack hardware in a clean and easy way!
Prologue
Even before the word (I)IoT appeared, I was breaking hardware devices, like many of you, with a multitude of debuggers (i.e. ST-Link, J-Link, RS232-to-USB, etc.). It was always a PITA carrying around one device that does UART-to-USB, another that supports JTAG or SWD, an SPI reader/dumper, etc.
Luckily for all of us, FTDI released the lovely FT232H chipset, which supports all of them in one single chip. Hurray!
One of the cheapest boards embedding the FT232H on the market is the FT232H CJMCU, which costs less than 10 EUR!
There were still a couple of drawbacks, though:
- Every time I had to remember which pin was doing what, for each of the protocols (i.e. UART, JTAG, SWD, I2C, SPI)!
- There were no pull-up resistors on the PCB.
- Some pins used for one protocol have to be short-circuited to operate with other protocols (i.e. I2C or SWD).
- Too many flying cables when you need to connect to some testing DuPont wires (example below).
During last Xmas holidays I thought: “That’s enough, I am done. I need a proper breakout that will save
Main Features:
- Easy-to-access pins for all supported protocols: UART, SPI, I2C, JTAG, SWD.
- Voltage selector to easily switch from 3.3V to 5V.
- Support for SOP8/SOP16 clips (in order to dump SPI flashes without desoldering them from the target device).
- Support for SOP8/SOP16 socket adapters.
- A multi-purpose, breadboard-like set of pin headers/sockets and terminal blocks to help you deal with flying cables (i.e. the lower part of the PCB). Note: this part is not wired to the FT232H in any way; how you use it is up to you.
Some Practical Use-Cases
Focaccia-Board Vs Fingbox (UART):
Last year you may remember me disclosing this lovely bug in FingBox (a super-duper IoT Security Appliance that is supposed to protect your LAN-connected devices from attackers):
In this first use-case, I used Focaccia-Board (from now on a.k.a. F-B) to debug the UART console, which was easily accessible on the FingBox’s PCB.
As shown below, the U-Boot output was easily available and led to enough insights to discover the way to get root.
Focaccia-Board Vs WinkHub (JTAG):
The next use-case shows how to easily connect to the target device over JTAG in order to live-debug it or even dump the entire flash memory.
Once the correct JTAG pinout (i.e. TDI, TDO, TMS, TCK, etc.) and the correct OpenOCD config files for both F-B* and the target device have been identified, we can run it with the command:
sudo openocd -f ft232h_jtag-swd.config -f target_device.cfg
*The right config file for F-B is in its GitHub repo.
Focaccia-Board Vs WHID Injector (SPI Dump):
This time you will see how easy it is to use F-B to conduct some forensics against a weaponized mouse containing my beloved WHID-Injector.
Once I had obtained the suspicious mouse and confirmed it was weaponized, I proceeded to identify the SPI flash and remove it from the PCB.
The next step was to use the SOP8 socket on the Focaccia-Board to dump the SPI flash content.
In order to dump the Flash content you have to fire the following command:
flashrom -p ft2232_spi:type=232H -r spi_dump.bin
(Reminder: for a forensic acquisition it is always recommended to acquire the flash content with the WP (Write Protect) pin disabled (see the jumper on the PCB), so that we are 100% sure the content of the flash will not be modified during the operation, and therefore that it is forensically acceptable as evidence.)
Of course, we can also use an SOP8 clip to dump it.
And here are the results of the dump and some initial forensic analysis of it. As you can see, plenty of artifacts were left over by the attacker.
In some cases it is also possible to dump an SPI flash directly from the PCB of the target device (though this is discouraged, unless you manage to keep the target’s CPU in a reset state and thus unable to talk to the SPI flash itself).
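As an added example (my own helper, not code from the original post or the Focaccia-Board repo), a small Python wrapper around the flashrom command above that applies the usual double-read check for an acquisition: the chip is dumped twice, the two images must be byte-identical before the hash is recorded (a mismatch is exactly what you get with a badly seated clip or an in-circuit read while the CPU is still talking to the flash), and a couple of quick sanity checks give a first look at the image. The `acquire` step shells out to flashrom with the programmer string from the post; the output file names and the sample image at the bottom are my own constructed assumptions.

```python
import hashlib
import subprocess
from pathlib import Path

# Programmer string from the post: flashrom drives the F-B's FT232H via its ft2232_spi driver.
FLASHROM_PROGRAMMER = "ft2232_spi:type=232H"

def acquire(out_path):
    """Read the SPI flash once with flashrom (same command as in the post) and return the bytes."""
    subprocess.run(["flashrom", "-p", FLASHROM_PROGRAMMER, "-r", str(out_path)], check=True)
    return Path(out_path).read_bytes()

def sha256_hex(data):
    """Hash to record in the chain-of-custody notes for the acquired image."""
    return hashlib.sha256(data).hexdigest()

def dumps_consistent(first, second):
    """Two consecutive reads must be byte-identical; a mismatch means the read is unreliable
    (poor clip contact, or an in-circuit read while the target CPU still talks to the flash)."""
    return len(first) == len(second) and sha256_hex(first) == sha256_hex(second)

def blank_ratio(data):
    """Fraction of bytes still in the erased (0xFF) state; ~1.0 usually means no chip answered."""
    return data.count(0xFF) / len(data) if data else 1.0

def printable_strings(data, min_len=6):
    """Extract runs of printable ASCII (like the `strings` tool) for a first look at the image."""
    found, run = [], bytearray()
    for byte in data:
        if 0x20 <= byte < 0x7F:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found

def forensic_acquisition(workdir="."):
    """Double-read acquisition: dump twice, refuse to continue if the reads differ, record the hash."""
    first = acquire(Path(workdir) / "spi_dump_1.bin")   # assumed file names, not from the post
    second = acquire(Path(workdir) / "spi_dump_2.bin")
    if not dumps_consistent(first, second):
        raise RuntimeError("reads differ: re-seat the clip or hold the target CPU in reset")
    return {"sha256": sha256_hex(first), "size": len(first), "blank_ratio": blank_ratio(first)}

# Constructed sample image (not a real dump): erased space around two leftover config strings.
SAMPLE_IMAGE = b"\xff" * 32 + b"SSID=lab-net\x00" + b"\xff" * 8 + b"ver 1.2\x00" + b"\xff" * 16
```

Running `forensic_acquisition()` needs the board and flashrom attached; the other functions work on any image file you already have.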
Focaccia-Board Vs Smartlock (Multi-purpose Breadboard):
Finally, an example of how to use the lower part of F-B’s set of pin headers/sockets and terminal blocks against a smartlock during a forensics investigation scenario.
[Figure: the smartlock connected to its debugger through the F-B’s breadboard]
In this case, the FT232H is not involved. I just used the lower part of F-B’s PCB to connect those ugly flying cables that were non-standard DuPont wires.
And after having successfully dumped the firmware, we can proceed to extract some valuable evidence for the forensics case.
Overall
Focaccia-Board is nothing extraordinary. But it saves my time while hacking (I)IoT targets. And that’s enough to be considered a valuable asset in my lab. Hope you will enjoy it too!
P.S. I am going to ask the manufacturer of WHID-Injector & WHID-Elite whether they are interested in bringing it to life at the usual affordable price, for the folks out there who have no time or means to print the PCB themselves.
#StayTuned & Follow @whid-injector on Twitter!
The original post is available in Medium:
https://medium.com/@LucaBongiorni/hacking-iot-devices-with-focaccia-board-8c4e009ed488
About the author: Luca Bongiorni
Luca is working as