Hardware Hacking: Extracting Secrets from Physical Devices

Hardware hacking is the discipline that bridges the digital and physical worlds. When software security controls are bypassed, when data is encrypted and unreachable over the network — the hardware often still holds the keys. Debug ports left enabled in production firmware, unencrypted NAND flash chips, UART consoles spitting out root shells — physical devices are routinely less secure than the software running on them. This guide covers the fundamentals of embedded device security research.

Understanding Embedded Devices

Most IoT devices, routers, smart TVs, and industrial controllers run embedded Linux or RTOS on ARM or MIPS processors. They have circuit boards with identifiable components: flash memory chips (NAND/NOR/eMMC), processors, RAM, and debug interfaces. The goal of hardware hacking is to access the running system or extract its firmware for analysis.

Essential Hardware Toolkit

  • Logic analyzer — Saleae Logic or cheap clone (~$10). Capture and decode serial communications
  • UART/USB adapter — CP2102 or CH340G (~$3). Connect to UART debug ports
  • Multimeter — Identify voltage levels, continuity, ground pins
  • Soldering iron — For attaching wires to test points
  • Bus Pirate or Flipper Zero — Swiss army knives for hardware communication
  • Flashrom + SOIC clip — Read/write flash chips directly without desoldering

UART: The Easiest Attack Surface

UART (Universal Asynchronous Receiver-Transmitter) is a serial communication interface. Almost every embedded Linux device has a UART debug console that was used during development. Many manufacturers forget to disable it in production firmware, leaving a full root shell accessible to anyone with three wires and a $3 adapter.

# Step 1: Identify UART pins on the PCB
# Look for groups of 3-4 through-holes or test points near the processor
# Common pin arrangements: GND, VCC, TX, RX
# Use multimeter: GND shows continuity with metal chassis
# TX pin oscillates at ~3.3V or 5V during boot (measure with multimeter on DC)

# Step 2: Determine baud rate
# Common: 115200, 9600, 57600, 38400
# Use a logic analyzer to capture boot output and auto-detect baud rate

# Step 3: Connect USB-UART adapter
# Device TX -> Adapter RX
# Device RX -> Adapter TX
# Device GND -> Adapter GND
# DO NOT connect VCC unless device needs to be powered from adapter

# Step 4: Open serial terminal
screen /dev/ttyUSB0 115200
# Or: minicom -s (configure port and baud rate)
# Or: picocom -b 115200 /dev/ttyUSB0

# If lucky, you see Linux boot messages and end at a root shell:
# BusyBox v1.30.1 (2021-06-15) built-in shell (ash)
# root@device:/#
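Step 2 above says to capture boot output with a logic analyzer and auto-detect the baud rate. The detection itself is simple enough to see in a few lines: a UART line idles high, every bit lasts exactly 1/baud seconds, so the shortest gap between two consecutive edges in the capture is one bit period, and snapping its reciprocal to the nearest standard rate gives the value to pass to screen or picocom. The following is an added example written for this guide, not code from the original; the edge timestamps are constructed from a synthetic frame, not a real recording, and the `uart_edges` helper exists only to produce them.

```python
"""Estimate a UART baud rate from logic-analyzer edge timestamps.

Added example: the shortest interval between consecutive edges in a UART
capture is one bit period (start bits and lone 0/1 bits in ASCII make such
single-bit pulses common). 1/period, snapped to a standard rate, is the
baud rate. Inputs below are constructed, not a real recording.
"""
from typing import List, Optional, Tuple

# Rates commonly seen on embedded debug consoles (the first four are the ones listed above)
STANDARD_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600]


def min_edge_interval(edge_times: List[float]) -> float:
    """Return the shortest gap between consecutive edge timestamps, in seconds."""
    if len(edge_times) < 2:
        raise ValueError("need at least two edges to measure a bit period")
    gaps = [later - earlier for earlier, later in zip(edge_times, edge_times[1:])]
    positive = [g for g in gaps if g > 0]
    if not positive:
        raise ValueError("edge timestamps must be strictly increasing")
    return min(positive)


def snap_to_standard(raw_baud: float, tolerance: float = 0.05) -> Optional[int]:
    """Return the standard rate within +/- tolerance of raw_baud, else None.

    Crystal and sampling error of a few percent is normal; anything further
    off usually means the capture had no single-bit pulse (see usage note).
    """
    best = min(STANDARD_BAUDS, key=lambda b: abs(b - raw_baud))
    return best if abs(best - raw_baud) / best <= tolerance else None


def detect_baud(edge_times: List[float]) -> Tuple[float, Optional[int]]:
    """Return (raw estimate, snapped standard rate) for a list of edge times."""
    raw = 1.0 / min_edge_interval(edge_times)
    return raw, snap_to_standard(raw)


def uart_edges(bits: str, baud: int, start: float = 0.0) -> List[float]:
    """Constructed capture: timestamps of the level changes produced when `bits`
    (a '0'/'1' string including start and stop bits) is sent at `baud`.
    The line idles high, so a leading '0' start bit produces the first edge."""
    period = 1.0 / baud
    level, t, edges = 1, start, []
    for b in bits:
        if int(b) != level:
            edges.append(t)
            level = int(b)
        t += period
    return edges


if __name__ == "__main__":
    # Constructed frame: start bit, 0x55 (alternating bits), stop bit, at 115200
    capture = uart_edges("0" + "10101010" + "1", 115200)
    raw, snapped = detect_baud(capture)
    print(f"raw estimate {raw:.0f} baud -> configure {snapped}")
```

The estimate is only as good as the capture: if no two consecutive bits differ anywhere in the recording, the shortest gap is a multiple of the bit period and the result is an integer fraction of the true rate (57600 reported for a 115200 console). Capturing several seconds of boot output avoids that, and the final check is the usual one: the chosen rate must decode to readable text in the terminal.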

Firmware Extraction

Method 1: Download from Manufacturer

# Many vendors post firmware updates publicly
# Search: "site:vendor.com firmware download" or "vendor model firmware"
wget https://vendor.com/downloads/firmware_v2.3.4.bin

# Analyze with binwalk
binwalk firmware_v2.3.4.bin
# Output shows file structure: compressed filesystems, kernel, etc.

# Extract everything
binwalk -e firmware_v2.3.4.bin
# Creates _firmware_v2.3.4.bin.extracted/ with the carved contents

# Explore the extracted filesystem
ls _firmware_v2.3.4.bin.extracted/
# Look for: etc/passwd, etc/shadow (credentials)
# etc/ssl/ (certificates and keys)
# usr/bin/ (application binaries)
# www/ or var/www/ (web interface code)

Method 2: NAND/NOR Flash Chip Reading

# Identify flash chip: read the markings on the chip, look up datasheet
# Common chips: Winbond W25Q128 (SPI NOR flash), Samsung K9F (NAND flash)

# Read SPI NOR flash with flashrom and a SOIC-8 clip (no desoldering needed)
# Attach clip to chip while device is POWERED OFF
flashrom -p ch341a_spi -r firmware_dump.bin
# This reads the entire flash chip content

# Verify read was successful (read twice and compare)
flashrom -p ch341a_spi -r firmware_dump2.bin
md5sum firmware_dump.bin firmware_dump2.bin  # should match

# Then analyze with binwalk as above
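Two checks are worth running on a fresh dump before handing it to binwalk, and both are easy to script. The md5sum comparison above only says that the two reads differ, not where: scattered single-byte mismatches point at flaky clip contact, whole differing regions at a wrong chip definition or a chip that changes contents across boots. Second, a per-block entropy profile (the same idea as binwalk -E) tells erased padding, plaintext filesystems, compressed and encrypted regions apart, which decides whether extraction will succeed at all. The following is an added example written for this guide, not code from the original; the dump contents are constructed in place and the entropy thresholds are rules of thumb, not fixed boundaries.

```python
"""Sanity-check a flash dump: locate read mismatches and profile entropy.

Added example, not from the original guide. The "dumps" below are built
in memory to stand in for two flashrom reads of the same chip.
"""
import math
from collections import Counter
from typing import List, Tuple


def compare_dumps(a: bytes, b: bytes, max_report: int = 16) -> Tuple[bool, List[int], int]:
    """Return (identical, first mismatch offsets, total mismatch count).

    Two reads of the same chip must match byte for byte; the offsets show
    whether a mismatch is a contact glitch (isolated bytes) or a whole region.
    """
    if len(a) != len(b):
        raise ValueError(f"dump sizes differ: {len(a)} vs {len(b)} bytes")
    offsets = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return len(offsets) == 0, offsets[:max_report], len(offsets)


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def classify(entropy: float) -> str:
    """Map an entropy value to what a firmware region usually is. Rules of thumb."""
    if entropy < 1.0:
        return "padding/erased (0xFF or 0x00)"
    if entropy < 6.5:
        return "plaintext/structured"
    if entropy < 7.9:
        return "compressed"
    return "encrypted or random"


def entropy_map(dump: bytes, block_size: int = 4096) -> List[Tuple[int, float, str]]:
    """Return (offset, entropy, label) for every block of the dump."""
    result = []
    for off in range(0, len(dump), block_size):
        e = shannon_entropy(dump[off:off + block_size])
        result.append((off, round(e, 2), classify(e)))
    return result


def build_sample_dump() -> bytes:
    """Constructed dump: an erased block, a plaintext block, a uniform block
    standing in for an encrypted region (every byte value equally frequent)."""
    erased = b"\xff" * 4096
    plaintext = (b"root:x:0:0:root:/root:/bin/sh\n" * 200)[:4096]
    uniform = bytes(range(256)) * 16
    return erased + plaintext + uniform


if __name__ == "__main__":
    first = build_sample_dump()
    second = bytearray(first)
    second[100] ^= 0xFF            # simulate one corrupted byte in the second read
    same, where, total = compare_dumps(first, bytes(second))
    print(f"identical={same} mismatches={total} first offsets={[hex(o) for o in where]}")
    for off, ent, label in entropy_map(first):
        print(f"{off:#010x}  {ent:5.2f}  {label}")
```

On a real dump, a region that classifies as "encrypted or random" across the whole image means binwalk will find nothing to extract and the next step is the device's boot chain (how the bootloader gets the key), not more carving; isolated high-entropy blocks inside an otherwise plaintext filesystem are worth a closer look, since embedded keys and certificates land there.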

Analyzing Extracted Firmware

# Find hardcoded credentials
# -E: "|" alternation needs extended regex (plain grep treats it literally); -i: ignore case
grep -rEi "password|passwd|admin|root|secret" extracted_fs/etc/ 2>/dev/null

# Check /etc/shadow for password hashes
cat extracted_fs/etc/shadow
# root:$1$xyz$hashedpass:0:0:99999:7:::
# MD5 hashes ($1$) are fast to crack -- use hashcat:
hashcat -m 500 shadow_hashes.txt /usr/share/wordlists/rockyou.txt

# Find SSL private keys (critical finding!)
find extracted_fs/ -name "*.pem" -o -name "*.key" 2>/dev/null
cat extracted_fs/etc/ssl/private/server.key

# Find hardcoded API tokens and cloud credentials (-E needed for the "|" alternation)
grep -rE "AWS|TOKEN|SECRET|api_key" extracted_fs/usr/ 2>/dev/null

# Identify SUID binaries (privilege escalation paths)
find extracted_fs/ -perm -4000 2>/dev/null
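The grep, cat and find steps above are the same checks every time, which makes them a good candidate for one repeatable audit: a reviewer runs it over an extracted image, and a vendor runs it over every build before release so an MD5-crypt root hash, an empty password, a private key in the rootfs or a stray SUID binary is caught before the device ships. The following is an added example written for this guide, not code from the original; the sample filesystem, its paths and the hash strings in it are constructed in a temporary directory purely for the demonstration.

```python
"""Audit an extracted firmware root filesystem for the findings listed above.

Added example, not part of the original guide. Checks:
  - /etc/shadow: classify each hash by its crypt(3) prefix; flag weak
    algorithms (DES, $1$ md5crypt), empty passwords, and locked accounts;
  - PEM private-key headers anywhere in the tree;
  - SUID/SGID files.
The root filesystem built by build_sample_fs() is constructed for the demo.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# crypt(3) prefixes and how a reviewer should treat each algorithm
HASH_ALGOS = {
    "$1$": ("md5crypt", "weak"),
    "$2a$": ("bcrypt", "ok"), "$2b$": ("bcrypt", "ok"), "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}

PEM_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN OPENSSH PRIVATE KEY-----",
)


def classify_shadow_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (user, algorithm, verdict) for one /etc/shadow entry, or None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        return None
    user, h = fields[0], fields[1]
    if h == "":
        return user, "none", "empty password"       # login with no password at all
    if h in ("*", "!!") or h.startswith("!"):
        return user, "none", "locked"
    for prefix, (name, verdict) in HASH_ALGOS.items():
        if h.startswith(prefix):
            return user, name, verdict
    if len(h) == 13 and not h.startswith("$"):
        return user, "descrypt", "weak"               # traditional DES crypt
    return user, "unknown", "review"


def audit_shadow(text: str) -> List[Tuple[str, str, str]]:
    return [r for r in (classify_shadow_line(l) for l in text.splitlines()) if r]


def _regular_files(root: str):
    for p in Path(root).rglob("*"):
        if p.is_file() and not p.is_symlink():
            yield p


def find_private_keys(root: str) -> List[str]:
    """Files whose first 64 KiB contain a PEM private-key header."""
    hits = []
    for p in _regular_files(root):
        try:
            with p.open("rb") as f:
                head = f.read(65536)
        except OSError:
            continue
        if any(m in head for m in PEM_MARKERS):
            hits.append(str(p.relative_to(root)))
    return sorted(hits)


def find_setid(root: str) -> List[str]:
    """Files with the SUID or SGID bit set (equivalent of find -perm -4000)."""
    return sorted(str(p.relative_to(root)) for p in _regular_files(root)
                  if p.stat().st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit(root: str) -> Dict[str, list]:
    shadow = Path(root, "etc/shadow")
    return {
        "shadow": audit_shadow(shadow.read_text()) if shadow.exists() else [],
        "private_keys": find_private_keys(root),
        "setid": find_setid(root),
    }


def build_sample_fs() -> str:
    """Constructed root filesystem mimicking an extracted image (all values invented)."""
    root = tempfile.mkdtemp(prefix="fw_audit_")
    os.makedirs(os.path.join(root, "etc/ssl/private"))
    os.makedirs(os.path.join(root, "usr/bin"))
    Path(root, "etc/shadow").write_text(
        "root:$1$xyz$hashedpass:0:0:99999:7:::\n"      # constructed md5crypt hash
        "admin::0:0:99999:7:::\n"                       # empty password
        "daemon:*:0:0:99999:7:::\n"                     # locked
        "support:$6$salt$hashedpass:0:0:99999:7:::\n"   # constructed sha512crypt hash
    )
    Path(root, "etc/ssl/private/server.key").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n")
    tool = Path(root, "usr/bin/diagtool")
    tool.write_bytes(b"\x7fELF constructed stub")
    tool.chmod(0o4755)                                  # SUID root helper
    return root


if __name__ == "__main__":
    for section, findings in audit(build_sample_fs()).items():
        print(section, *findings, sep="\n  ")
```

Run against a real extraction, point `audit()` at the `_firmware_*.extracted/` squashfs root; each verdict maps to a fix on the vendor side (rehash with sha512crypt or yescrypt, lock unused accounts, generate per-device keys at first boot instead of baking one into the image, drop SUID from anything that does not need it).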

JTAG: The Debug Interface

JTAG (Joint Test Action Group) is a hardware debug interface that allows full control over the processor: stop execution, read and write memory, dump flash, and even bypass secure boot. Finding and using JTAG is more involved than UART but gives deeper access when needed.

# JTAGulator: automated JTAG pin identification
# Connect to all suspected test points, JTAGulator brute-forces pin assignments

# OpenOCD: open source JTAG software
# Once JTAG is connected, OpenOCD gives GDB server access to the processor
openocd -f interface/ftdi/um232h.cfg -f target/your_target.cfg

# In another terminal: connect GDB to running processor
gdb-multiarch vmlinux
target remote localhost:3333
# Now you can: halt, step, read memory, extract running kernel
monitor halt
monitor dump_image memory_dump.bin 0x00000000 0x01000000

Real-World Findings from Hardware Hacking

  • Routers with UART shells: Dozens of consumer routers ship with UART root shells enabled. Plugging in a $3 adapter gives root access without any credentials
  • Shared TLS certificates: Security researchers have found routers from the same manufacturer sharing identical SSL private keys baked into firmware — millions of devices with the same key
  • Hardcoded backdoor credentials: Huawei, Netgear, D-Link devices have all had hardcoded maintenance accounts discovered through firmware analysis
  • Unsigned firmware updates: Devices that accept any firmware file without signature verification can be permanently compromised with a malicious update

Hardware security is the last line of defense — and for many devices, it is no defense at all. As IoT proliferates into critical infrastructure, understanding how to test physical devices is an increasingly valuable skill that combines electronics knowledge with traditional security research.