Who ever wanted to learn about Hardware Hacking ? I found this small opensource IoT hacking learning board while I was in a security event. It is designed by @vulcainreo and cost around 45€, more than 300 units were shipped around the world.
Let’s dig into this awesome project and clone the git : https://github.com/Vulcainreo/DVID.git !
First we need to push the correct firmware to start playing with the device, the LED will blink.
We are asked to connect RX to the PD1 pin to get the password, we need to check the Datasheet to know where is the PD1 pin.
The board is using an ATmega328, let’s check the pinout from Wikipedia : https://en.wikipedia.org/wiki/ATmega328, we see PD1 is linked to UART TXD pin.
Using the Gerber file Gerber_BottomLayer.GBL provided in the github we can also see the PD1 pin is linked to Soft Flash TX, I used http://www.gerber-viewer.com to display the file.
A simple wiring to the UART port is enough to connect the DVID to my Kali Linux VM, we can then access i
t through /dev/ttyUSB0. We can check our VM logs using dmesg command.
From there we only need to read the output with Python or with minicom -b 9600 -o -D /dev/ttyUSB0 (use Ctrl A + X to exit).
Firmware - Default Password
A confidential message is stored on the firmware but protected by a default password.
Once again we push the firmware : sudo avrdude -c usbasp -p m328p -U flash:w:defaultPassword.ino.arduino_standard.hex.
Since the challenge is to find a default password, we will connect to the debug interface (UART) of the DVID and try to interact with it. First we need to wire it correctly, remember to pair RX with TX and TX with RX, and do NOT plug the USB if you wire the 5v pin ;)
Using the code from the last challenge we can write a simple script to interact with the device /dev/ttyUSB0. We will iterate over the john wordlist to bruteforce the service until it responds with “ok” instead of “ko”.
And we got it ! Obviously the password is hidden, real one is available here :D
Firmware - Hardcoded Password
A confidential message is stored on the firmware but protected by a password.
We push the firmware with sudo avrdude -c usbasp -p m328p -U flash:w:hardcodedPassword.ino.arduino_standard.hex.
Now we will dump the previously sent firmware, we could just analyse the hardcodedPassword.ino.arduino_standard.hex file but it is not realistic.
Now we have a file dump.hex containing the current firmware, let’s convert it to binary with avr-objcopy -I ihex -O elf32-avr dump.hex dump.elf.
we could also dump the firmware as raw binary with sudo avrdude -c usbasp -p m328p -F -U flash:r:dump.raw:r.
From these dumps we can make a wordlist of every strings in there, then we will try to bruteforce the service by sending everyone of them.
We can reuse the last challenge script, this time we have to remove the s.readline() line since we are blindly attacking the service. Nothing will be outputted on the serial port in case of a good password, we need to pay attention to the screen, fortunately the password is in our small list of 15 passwords.
The time.sleep(10) is very important, we don’t want to flood the board with too many passwords !
Bluetooth - Advertising
A confidential message is stored on the firmware but protected by a password
The goal is to provide a screenshot of the confidential message
Tips: Hey ! Advertise me to know my name
I had to setup my virtual machine correctly to use the Bluetooth dongle provided with the DVID, the following commands were enough to get it running. However I later discovered the BLE was not working as it should be…
NOTE: from there I switched to my Phone and the application NRF Connect. In order to get the flag we have to send the bluetooth name through the serial port.