
Ask HN: If you wanted to 'hardware jailbreak' a device, how might you do this? - hwhatwhatwhat
Most rootings/jailbreaks that have been widely released use software vulnerabilities to escalate privilege.

If instead you had access to the hardware of a device, and could make any reasonable modification or intervention, how would you approach this? What techniques are used for this class of attacks?

(Reasonable modifications might be things like soldering extra components, removing ICs, using oscilloscopes and data loggers - but not, say, decapping chips and imaging them in an electron microscope as presumably those resources are a lot more limited.)

More practically, how might you do this on recent devices such as latest, flagship iOS, Android, or Windows Phone handsets? Are there any good, educational examples of this?
======
dpeck
One of the best approachable writeups I've found on getting started in
reversing embedded devices is an old gem from Matasano. Retsaot is Toaster,
Reversed: Quick 'n Dirty Firmware Reversing -
[http://www.woodmann.com/forum/archive/index.php/t-11707.html](http://www.woodmann.com/forum/archive/index.php/t-11707.html)

That should give you a little bit of a feel for it. It's a fun rabbit hole to
spend a few years down.

------
breakingcups
Most commonly you can find either an RS232 port (not the regular one, a 3.3v
one!) or a JTAG port through which you might be able to influence the software
running on it.

For example, I managed to flash OpenWRT on my otherwise unflashable router
that way.

Another (even more hardware-y) approach is to dump flash chips containing
ROMs. With those ROMs in hand you might be able to find a vulnerability to
exploit, or you could replace the ROM chip with a socket in which you can
place your own modified ROMs.

Bunnie famously broke the Xbox classic security by building his own hardware
to sniff the (until then thought to be unsniffable) HyperTransport bus. He
wrote a very interesting book about it and it's free nowadays:
[http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf](http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf)

~~~
Vexs
You can get a lot off ROM chips; it's always the second thing I go for after
serial ports, and if you run into a password on the serial port, then it's
probably (often hardcoded) in the ROM.

Sometimes they don't include headers and the like, so looking up a pinout and
soldering to the IC helps in that case too. Tapping into the serial
connections between chips can reveal a lot too.

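The two comments above (dumping the flash/ROM, then looking in the dump for the serial-console password) describe a triage step that is easy to show in code. The following is an added example, not code posted by anyone in this thread: a small `strings`-style scanner that walks a raw flash dump, pulls out printable ASCII runs, and flags bootloader banners, tty device names, login/password prompts, the strings stored right after those prompts (the first things to try on the console), and passwd/shadow-style lines carrying a crypt(3) hash. The `SAMPLE_DUMP` bytes are constructed for the example and do not come from any real device; the keyword regexes are heuristics and will need tuning for a given image.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample "flash dump": a few bytes of binary padding with
# NUL-terminated strings of the kind a firmware image carries, including a
# hardcoded console credential. Not taken from any real device.
SAMPLE_DUMP = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"U-Boot 1.1.4 (Jan 1 2013)\x00"
    + b"\xff" * 16
    + b"/dev/ttyS0\x00"
    + b"login: \x00"
    + b"Password: \x00"
    + b"admin\x00"
    + b"s3cr3t-console\x00"
    + b"\x00\x01\x02\x03" * 8
    + b"root:$1$abc$xyz:0:0:root:/root:/bin/sh\x00"
    + b"http://192.168.1.1/cgi-bin/\x00"
    + b"\x80\x90\xa0\xb0" * 4
)

MIN_LEN = 4

# Heuristics (assumptions for this example, tune per image):
PROMPT_RE = re.compile(r"(pass(word|wd)?|login|user(name)?)\s*:?\s*$", re.I)
# user:$id$salt$hash:... as found in /etc/passwd or /etc/shadow fragments
HASH_RE = re.compile(r"^[A-Za-z0-9_-]+:\$[0-9a-z]+\$[^:]*:\d*:\d*:")
CONSOLE_RE = re.compile(r"^(/dev/tty\w+|U-Boot|CFE|RedBoot)", re.I)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of >= min_len printable ASCII
    bytes (0x20..0x7e), like the Unix `strings` tool. A run ends at the
    first non-printable byte."""
    out: List[Tuple[int, str]] = []
    start = None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                out.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        out.append((start, data[start:].decode("ascii")))
    return out


def triage(data: bytes, follow: int = 2) -> Dict[str, List[Tuple[int, str]]]:
    """Classify the strings in a dump: console/bootloader hints, login or
    password prompts, crypt-style hash lines, and credential candidates
    (the `follow` non-prompt strings stored right after each prompt)."""
    strs = extract_strings(data)
    report: Dict[str, List[Tuple[int, str]]] = {
        "console": [], "prompts": [], "hashes": [], "candidates": []
    }
    for idx, (off, s) in enumerate(strs):
        if CONSOLE_RE.search(s):
            report["console"].append((off, s))
        if HASH_RE.search(s):
            report["hashes"].append((off, s))
        if PROMPT_RE.search(s):
            report["prompts"].append((off, s))
            for off2, s2 in strs[idx + 1: idx + 1 + follow]:
                if not PROMPT_RE.search(s2) and (off2, s2) not in report["candidates"]:
                    report["candidates"].append((off2, s2))
    return report


if __name__ == "__main__":
    # Usage: python triage.py dump.bin   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for kind, hits in triage(blob).items():
        for off, text in hits:
            print(f"{kind:10s} 0x{off:08x} {text!r}")
```

On a real dump the dump is usually compressed or split into partitions, so run this after carving out the filesystem or after decompressing the squashfs/jffs2 regions; the hash lines are what you feed to an offline cracker, while the post-prompt candidates are what you type at the 3.3v serial console first.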
------
fulafel
Here's a good start for chip level stuff

"Fault attacks on secure chips: from glitch to flash"
[https://www.cl.cam.ac.uk/~sps32/ECRYPT2011_1.pdf](https://www.cl.cam.ac.uk/~sps32/ECRYPT2011_1.pdf)

------
ManlyBread
Video game consoles used to do this with modchips and sometimes design flaws,
this might be a good starting point for your research.

