Hacking IoT & RF Devices with BürtleinaBoard

Pierluigi Paganini July 28, 2020

Yet another Multipurpose Breakout Board to hack hardware in a clean and easy way! How to hack IoT & RF Devices with BürtleinaBoard.

Disclaimer: due to a complaint from the citizens of my native city in Italy… I had to rename #PiadinaBoard into #BurtleinaBoard 😛

A few months ago I presented #FocacciaBoard, a similar multipurpose breakout board that uses the famous FT232H to handle multiple protocols commonly found in (I)IoT devices (i.e. UART, JTAG, SWD, SPI, I2C).

Although FocacciaBoard is extremely useful for my night-to-night hardware hacking needs… there is another set of tools I cannot live without: pin enumeration ones. The two most used are JTAGulator (an awesome commercial product developed by Joe Grand) and BUSSide (a marvelous piece of FOSS developed by Dr. Silvio Cesare).

BUSSide is exactly what you need if you don’t yet feel comfortable spending 160€ on the JTAGulator (which I heavily recommend once you improve your hardware hacking skills and start targeting complex devices).

That’s why I created #BürtleinaBoard: to have a more usable breakout board around the BUSSide software framework.

Intro to BUSSide:

Repo: https://github.com/BSidesCbr/BUSSide

BUSSide is a software framework developed for the ESP8266, running on a NodeMCU board, which allows a Python client on your laptop to communicate (mostly through bit-banging) with different hardware components through different protocols (i.e. UART, SPI, I2C and JTAG).

What makes BUSSide an irresistible toy to always have around in your hardware hacking lab is that it has the capability to discover/enumerate the right pins for multiple protocols.

Imagine the scenario where you have a target with some exposed debug pins or test points… but there is nothing written on the silk-screen that may help you figure out what is what. What do you do?

  1. Multimeter all-the-things.
  2. Attach a Logic Analyzer to passively figure out what’s going on.
  3. Actively Enumerate them with JTAGulator or BUSSide.

Flashing Firmware:

Flashing BUSSide firmware inside the NodeMCU is quick and easy:

# apt-get install esptool
# git clone https://github.com/BSidesCbr/BUSSide.git
# esptool --port /dev/ttyUSB0 write_flash 0x00000 BUSSide/FirmwareImages/*.bin

Of course, you can also use esptool on Windows or Nodemcu-flasher.

Once flashed, you can attach the NodeMCU on the BürtleinaBoard and then connect it to the laptop through a USB micro cable.

How to Run BUSSide:

# cd BUSSide/Client
# ./busside.py /dev/ttyUSB0

Afterwards you will be greeted by the (pretty straight-forward) BUSSide menu.

Practical Examples:

Let’s say you have a new target, you cannot figure out the pinout of the UART console and you are too lazy to deal with a logic analyzer…

Grab your Bürtleina board, attach those pins to the target either through dupont cables or hook probes and run BUSSide Client. It will allow you to enumerate the RX pin, then the TX one and finally to use the BUSSide itself as UART to USB (i.e. passthrough mode).
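How a candidate pin can be confirmed as a UART TX line once its edges have been captured, as an added example (not BUSSide's code or algorithm, and not part of the original post): it estimates the baud rate from the shortest pulse, decodes 8N1 frames and checks that the bytes read as console text. The function names, the list of standard rates and the sample capture are assumptions constructed for illustration.

```python
import bisect

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)

def uart_edges(data: bytes, baud: int) -> list:
    """Constructed capture: times (s) at which an idle-high 8N1 line toggles."""
    levels = []
    for byte in data:  # start bit, 8 data bits LSB first, stop bit
        levels += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    edges, prev = [], 1
    for i, lvl in enumerate(levels):
        if lvl != prev:
            edges.append(i / baud)
            prev = lvl
    return edges

def estimate_baud(edges) -> int:
    """Shortest gap between edges ~ one bit time; snap to a standard rate.
    Needs at least one isolated bit in the capture and a glitch-free signal."""
    shortest = min(b - a for a, b in zip(edges, edges[1:]))
    return min(STANDARD_BAUDS, key=lambda r: abs(1.0 / r - shortest))

def decode_8n1(edges, baud: int) -> bytes:
    """Sample each bit at its midpoint; keep only frames with a valid stop bit."""
    bit = 1.0 / baud
    def level_at(t):  # line idles high and every edge before t flips it once
        return 1 - bisect.bisect_right(edges, t) % 2
    out, busy_until = bytearray(), -1.0
    for e in edges[::2]:  # even-indexed edges are the falling ones
        if e < busy_until:
            continue  # falling edge inside a frame already decoded
        byte = sum(level_at(e + (1.5 + n) * bit) << n for n in range(8))
        if level_at(e + 9.5 * bit) == 1:
            out.append(byte)
            busy_until = e + 9.5 * bit
    return bytes(out)

def looks_like_console(data: bytes, threshold: float = 0.9) -> bool:
    """Mostly printable ASCII suggests a boot log or shell, not noise."""
    ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return bool(data) and ok / len(data) >= threshold

if __name__ == "__main__":
    capture = uart_edges(b"U-Boot SPL\r\nlogin: ", 115200)  # constructed sample
    rate = estimate_baud(capture)
    text = decode_8n1(capture, rate)
    print(rate, text, looks_like_console(text))
```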

At this point you can either continue hunting JTAG pins (if any) or try to dump the SPI Flash (which contains the Crown Jewels. A.k.a. his majesty, the Firmware).

Grab a SOP8 clip or hook probes, attach them to the SPI Flash and start dumping it. In a couple of minutes you should have the firmware extracted.

Of course, you can always try to also hunt-down the JTAG…

At this point, with JTAG & UART pins known, we can use a combination of #FocacciaBoard and #BürtleinaBoard to have full access to the IoT Target.

Some of you at this point may have wondered… why is there a CC1101 board attached to BürtleinaBoard?!

Well… look at it as an easter-egg that allows you to do some basic RF Hacking.

With LSATAN’s repo you could easily replicate some of the previous PoCs I have created for #WHIDelite:

Flashing one of the SmartRC-CC1101-Driver-Lib’s examples is trivial with the Arduino IDE.

If you have read this far… it means you are thinking of trying the BurtleinaBoard! Good! You can find Gerbers, Schematics and 3D Case at https://burtleina-board.whid.ninja

For more stuff feel free to follow https://twitter.com/whid_ninja

P.S. 

As usual I will try convincing the Chinese Manufacturer that brought to life WHID, WHIDelite and FocacciaBoard to start the production of a small batch of BurtleinaBoards for the folks that are too lazy or too scared to make their own. #StayTuned!

P.P.S. 

If you wonder what a Bürtleina looks like and how to make it, I left the recipe here: https://www.poderecasale.com/en/burtleina/

(SecurityAffairs – hacking, BürtleinaBoard)

About the author: Luca Bongiorni

Luca works as Principal Offensive Security Engineer and in his spare time is involved in InfoSec, where his main fields of research are: Radio Networks, Hardware Reverse Engineering, Hardware Hacking, Internet of Things and Physical Security. He also loves to share his knowledge and present some cool projects at security conferences around the globe. At the moment he is focusing his research on bypassing biometric access control systems, ICS Security and Air-Gapped Environments.


