Hardware Hacking with Andrew "Bunnie" Huang. Notes from O'Reilly Emerging Technology Confernece 2003 tutorial. Cory Doctorow doctorow@craphound.com -- Hardware hacking makes us more technologically literate and improves hardware security. A lot of people think that putting screws in a box is all the heardware security you need -- no one will ever unscrew the box. The advent of the integrated circuit and hardware that was too small to examine with the naked eye hampered hardware tech. But then we got FPGAs and rapid prototyping of code. When fine-pitch surface-mount tech came about, it drove a lot of hackers to software. The late 90s with the advent of high-integration chips where you couldn't even see the pins and everything was all on a few number of chips made it even harder. What could a common person do with this sort of tech? It was very discouraging. Ball Grid Array tech is completely inaccessible to hobbists. Hidden connections, buried traces. Today with high-integration chips, it's difficult (not impossible) to manually probe and modify. Optical inspection of chips ineffective when line widths are smaller than visible light, aplus, it's really expensive to make your own. Board speeds are astronomical: memory running at 200MHz, serial bus at Gb speed, processor busses at 400MHz -- these speeds require finesse. The packaging is insane: chip-scale fully hidden connectivity, package pithces of a few 100 microns. Societal pressures have mounted against hackers, and state of the art hhacking equipment is expensive. State of the art is defined in part by what gets thrown out by corps and ends up in swapmeets. But hardware hacking ISN'T impossible! The downturn is slowing down the rate of progress. There's insane price-competition in prototyping services. Rapid proto is going down to under $100, 4-layer boards for $50, BGA and ispect for $100, FPGAs are $10. Excess inventory in retail is driving prices down. Mere mortals can buy tantalum capacitors now! IC analysis services are cheap -- you can get a photo of the guts of a chip for < $100. Hardware hacking trends: * Cheap PCBs: new no-touch services, send your design over the Internet, and a 2-layer bd is only $20, and a 4-layer board is $50. * Software for designing boards: depreciated packages are on the market, though they're still about $999 -- like circuitmaker.com. Demos expire after 30 dyas. You can re-install them every 30 days. There are good student discounts. There's some free software with limited capabilities. ExpressPCB will give you a free tool that will output designs that will only work with their service. * FPGAs -- they're like ASICs (Custom silicon, very high performance, high density. inaccessible to hackers, very expensive). But FPGAs are programmable logic arrays that can go very high performance computing. They used to be very expensive, but Moore's Law has driven the cost WAAAAAY down. They can be self-testing! They're gaining ground on ASICs and the price/gate is dropping. High performance IO support. You can get 10^6 gates (a 486) for $20-30. * FPGA design tools are free. Intense competition has driven vendors to provide them for free. * A hacker can build a system on a chip. A $10 FPGA can hold a custom 32-bit microprocessor and peripherals. This is a $10 ASIC. * Soldering: is it really that hard to solder them onto a board? No. Your hands have more resolution than your eyes can see. A low-power microscope greatly aids soldering. The solder wants to stick to the metal, not the plastic -- physics is on your side. * Probing boards is hard: the SMDs are too small! You can solder a probe wire with a microscope, or you can use an expensive probe adapter. You can use a cheap SMD grabber. Finally, you can build your own probe. Bunnie built a $60 prober that analyzed the ex-box chip. * ICs have long been the hardest thing to crack. But IC designers make mistakes and they need repair and inspection tools. Focused Ion Beam tools fire ions at the surface of chip, which knocks electrons off, creating an image of the surface of the chip. * Voltage contrast microsopy can read data out of a secured Flash ROM, even with a metal-mesh overtop. * An analysis like this costs $1K-$10K * Chip decapsulation (removal of chip pkg) requices concetrated hot acid. Don't try this at home. But someone else will do it for $100. * There are back-doors in many chips installed by electronics contract mfgrs. They design for test/manufacturability and install backdoors to do it. They want full visibility into system state, visual inspectibility, access to key signals -- this helps them AND hackers.They put in test structures for diagnotics. * JTAG -- lets you virtually cut chips out of the board without touching a soldering iron. Standards-defined, but can be proprietary per-chip. * A lot of these devices have serial ports, or developers' back doors. Sega had one. * You can mass-produce your hardware hack. Solder stencil: $400/board-side. Pick and place programming: $200. Machine time $0.25/component. They'll manufacture in low-volumes for $10-$20/board. Costs scale well. Lots of excess capacity in the mfgrs and they'll take small orders. * There are lots of sideband attacks: hardware leaks info. Power supply fluctuations, visible radiation from LEDs and CRTs. Collect lots of samples over time and compare against a local copy of the hardware and the chip yeilds its secrets. -- The value of a secret is not obvious. A video game is worth $50, but the business model is worth $1BB -- defeating one defeats the other. Implications for TCPA/Pd: The challenge is installing secure hardware in a hostile envrionment. Likely defeated with mace producable, easy-to-install hardware mods. Is this really worth the investment? -- [[BREAK]] -- Intro to designing hardware. Why FPGAs? Easiest to get into, can be programmed in C-like syntax. Readily avail. starter pkgs: Xilinx and Altera have educations promos You can get a starter kit -- board, FPGAs, tools -- for <$200. An FPGA is a Field Programmable Gate Array -- can be reprogrammed in the field, in your hands. Lets you build any piece of digital logic, up to the number of gates in the FPGA. Some FPGAs come with embedded microprocessor cores. Buy an eval board, get almost what you need for <$200, this demo uses Xess XSA-100, www.xess.com FPGA design tools are free! Verilog is a design language that's a lot like C. [[Lots of code samples and flowcharts -- I can't really take notes from here on in.]] [[Bunnie just spent about 15 minutes programming an FPGA to blink and LED, then put a camera on the board and showed it blinking. It was deceptively awe-inspiring: hardware, reprogrammed, in realtime -- almost a smart-matter moment.]] FPGAs are eminently over-clockable. The FPGA in the X-Box hack ran at 400% clockspeed. A researcher reverse-engineered Xilinx's chip and wrote a very fast compiler for self-modifying code. He wrote a genetic algorithm and the designs generated by it (to recognize a 1KHz tone) were really illegal and hard to understand, but it worked really well. His objective is to fill in the empty space on FPGAs with logic used to optimize the remaining gates for some task, using evolutionary algorithms -- he thinks he can place optimal designs in microseconds. It's very easy to share code-modules -- like libraries in code -- that you can make available online. There are lots of free/open cores (opencores.org) as well as commercial cores. These are cool for embedded controllers, games, brute force cryptoprocessors, logic analyzers. [[Demos a Game-Cube sniffer he wrote in his hotel room last night after getting off the plane.]] [[He just scooped the Game-Cube's ROM contents as it booted. Now he's showing it.]]