Hacking IoT & RF Devices with BürtleinaBoard

Luca Bongiorni
4 min read · Jul 27, 2020

Yet another Multipurpose Breakout Board to hack hardware in a clean and easy way!

Disclaimer: due to a complaint from the citizens of my native city in Italy… I had to rename #PiadinaBoard into #BurtleinaBoard :P

A few months ago I presented #FocacciaBoard: a similar multipurpose breakout board that uses the famous FT232H to handle multiple protocols commonly found in (I)IoT devices (e.g. UART, JTAG, SWD, SPI, I2C).

Although #FocacciaBoard is extremely useful for my night-to-night hardware hacking needs… there is another set of tools I cannot live without: pin enumeration ones. The two I use most are JTAGulator (an awesome commercial product developed by Joe Grand) and BUSSide (a marvelous piece of FOSS developed by Dr. Silvio Cesare).

BUSSide is exactly what you need if you don’t feel comfortable yet spending 160€ on the JTAGulator (which I heavily recommend once you improve your Hardware Hacking skills and start targeting complex devices).

That’s why I created #BürtleinaBoard: to have a more usable breakout board around the BUSSide software framework.

Intro to BUSSide:

Repo: https://github.com/BSidesCbr/BUSSide

BUSSide is a software framework developed for the ESP8266, running on a NodeMCU board, which allows a Python client on your laptop to communicate (mostly through bit-banging) with different hardware components over different protocols (i.e. UART, SPI, I2C and JTAG).

What makes BUSSide an irresistible toy to always have around in your hardware hacking lab is that it has the capability to discover/enumerate the right pins for multiple protocols.

Imagine the scenario where you have a target with some exposed debug pins or test points… but there is nothing written on the silk-screen that may help you figure out what is what. What do you do?

  1. Multimeter all-the-things.
  2. Attach a Logic Analyzer to passively figure out what’s going on.
  3. Actively Enumerate them with JTAGulator or BUSSide.

Flashing Firmware:

Flashing BUSSide firmware inside the NodeMCU is quick and easy:

# apt-get install esptool
# git clone http://github.com/BSidesCbr/BUSSide.git
# esptool --port /dev/ttyUSB0 write_flash 0x00000 BUSSide/FirmwareImages/*.bin

Of course, you can also use esptool on Windows, or the Nodemcu-flasher.

Once flashed, you can attach the NodeMCU to the BürtleinaBoard and then connect it to the laptop through a micro USB cable.

How to Run BUSSide:

# cd BUSSide/Client
# ./busside.py /dev/ttyUSB0

Afterwards you will be greeted by the (pretty straightforward) BUSSide menu.

Practical Examples:

Let’s say you have a new target, you cannot figure out the pinout of the UART console, and you are too lazy to deal with a logic analyzer…

Grab your Bürtleina board, attach those pins to the target either through Dupont cables or hook probes, and run the BUSSide client. It will allow you to enumerate the RX pin, then the TX one, and finally to use the BUSSide itself as a UART-to-USB bridge (i.e. passthrough mode).
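To make the TX enumeration step less magical, here is an added Python example (not BUSSide code, and not a description of how the BUSSide firmware implements it) of the signal-level idea behind recognising a UART TX line: a serial output idles high, the shortest pulse on it is one bit period, and decoding the trace as 8N1 at the matching baud rate should yield mostly printable text. The capture is a constructed sample stream (1.152 MHz, so a clean 10 samples per bit at 115200) and the helper names are my own.

```python
# Illustrative UART TX identification from a sampled logic trace.
# Added example, not part of the original post or the BUSSide project.
# Assumptions: samples are a list of 0/1 levels at a fixed sample_rate,
# the line idles high, frames are 8N1, no parity.

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)


def encode_8n1(text, sample_rate, baud, idle_bits=4):
    """Build a constructed capture of `text` sent as 8N1 (for the demo only)."""
    spb = sample_rate // baud                      # integer samples per bit
    samples = [1] * (spb * idle_bits)              # line idles high
    for byte in text.encode():
        frame = [0] + [(byte >> k) & 1 for k in range(8)] + [1]  # start, LSB-first data, stop
        for bit in frame:
            samples.extend([bit] * spb)
        samples.extend([1] * spb * 2)              # a little idle time between bytes
    samples.extend([1] * (spb * idle_bits))
    return samples


def run_lengths(samples):
    """Collapse the trace into (level, length) runs, i.e. the edges."""
    runs, cur, n = [], samples[0], 0
    for s in samples:
        if s == cur:
            n += 1
        else:
            runs.append((cur, n))
            cur, n = s, 1
    runs.append((cur, n))
    return runs


def estimate_baud(samples, sample_rate):
    """The shortest run between the leading and trailing idle is one bit period."""
    runs = run_lengths(samples)
    if len(runs) <= 2:                             # no activity at all on this line
        return None
    bit_samples = min(n for _, n in runs[1:-1])
    raw = sample_rate / bit_samples
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))  # snap to a standard rate


def decode_8n1(samples, sample_rate, baud):
    """Decode frames by sampling at the centre of each bit after a falling edge."""
    spb = sample_rate / baud
    out, i, n = bytearray(), 0, len(samples)
    while i < n:
        if samples[i] == 1:                        # idle, keep looking for a start bit
            i += 1
            continue
        start = i
        centres = [int(start + (k + 0.5) * spb) for k in range(10)]
        if centres[-1] >= n or samples[centres[0]] != 0 or samples[centres[9]] != 1:
            while i < n and samples[i] == 0:       # framing error: skip this low run and resync
                i += 1
            continue
        byte = 0
        for k in range(8):
            byte |= samples[centres[k + 1]] << k   # data bits arrive LSB first
        out.append(byte)
        i = int(start + 10 * spb)                  # jump past the stop bit
    return bytes(out)


def printable_ratio(data):
    """Fraction of decoded bytes that look like console text."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def identify_uart_tx(samples, sample_rate):
    """Return the best baud guess, decoded text and a plausibility score, or None."""
    baud = estimate_baud(samples, sample_rate)
    if baud is None:
        return None
    data = decode_8n1(samples, sample_rate, baud)
    return {"baud": baud,
            "text": data.decode("ascii", errors="replace"),
            "score": printable_ratio(data)}


if __name__ == "__main__":
    capture = encode_8n1("U-Boot 2020.04\r\n", 1_152_000, 115200)   # constructed trace
    print(identify_uart_tx(capture, 1_152_000))
    print(identify_uart_tx([1] * 1000, 1_152_000))                     # silent line: no candidate
```

A pin that never toggles during boot gives no candidate at all, which is what an RX pin (or an unconnected test point) looks like from the outside; a pin that toggles but decodes to garbage at every standard rate is probably not a UART TX line, or is not 8N1. Real tools add a plausibility check across several baud rates rather than trusting a single shortest pulse, since glitches can produce runs shorter than a bit period.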

At this point you can either continue hunting for JTAG pins (if any) or try to dump the SPI Flash (which contains the Crown Jewels, a.k.a. his majesty, the Firmware).

Grab a SOP8 clip or hook probes, attach them to the SPI Flash and start dumping it. In a couple of minutes you should have the firmware extracted.
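Before spending time on a dump, it is worth checking that the clip actually made contact and that what came out is a flash image rather than a wall of 0xFF. The following Python is an added example of that sanity check, not code from the post or from BUSSide: it flags an (almost) all-erased or all-zero dump, measures per-block entropy to tell erased, compressed/encrypted and plain regions apart, and looks for a few well-known container magics (U-Boot legacy uImage, SquashFS, UBI, gzip). The dump it runs on is constructed in the script; the function names are my own.

```python
# Sanity-check a raw SPI flash dump before analysing it.
# Added example, not part of the original post or the BUSSide project.
import hashlib
import math
import random

# Magic values of containers commonly found in SPI flash images.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage",   # U-Boot legacy image header
    b"hsqs": "SquashFS",             # little-endian SquashFS superblock
    b"sqsh": "SquashFS",             # big-endian SquashFS superblock
    b"UBI#": "UBI",                  # UBI erase-counter header
    b"\x1f\x8b\x08": "gzip",         # gzip member (deflate)
}


def block_entropy(block):
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_signatures(data):
    """Every offset at which a known magic appears, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        off = data.find(magic)
        while off != -1:
            hits.append((name, off))
            off = data.find(magic, off + 1)
    return sorted(hits, key=lambda h: h[1])


def check_dump(data, block_size=4096):
    """Summarise a dump: hash, erased/zero share, entropy profile, known headers."""
    n = len(data)
    erased = data.count(0xFF)                 # a bad clip contact usually reads all 0xFF
    zeros = data.count(0x00)                  # a floating MISO line often reads all zeros
    looks_empty = n == 0 or max(erased, zeros) / n > 0.98
    entropies = [block_entropy(data[i:i + block_size]) for i in range(0, n, block_size)]
    high = sum(1 for e in entropies if e > 7.9)   # compressed or encrypted blocks
    return {
        "size": n,
        "sha256": hashlib.sha256(data).hexdigest(),
        "looks_empty": looks_empty,
        "erased_fraction": erased / n if n else 1.0,
        "high_entropy_fraction": high / len(entropies) if entropies else 0.0,
        "signatures": find_signatures(data),
    }


def build_sample_dump():
    """Constructed 256 KiB image: erased area, uImage at 0x10000, SquashFS at 0x30000."""
    rng = random.Random(7)                    # deterministic stand-in for compressed data
    rand = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    img = bytearray(b"\xff" * 0x10000)        # erased bootloader region
    img += b"\x27\x05\x19\x56" + rand(0x20000 - 4)   # uImage header magic + payload
    img += b"hsqs" + rand(0x8000 - 4)         # SquashFS superblock magic + payload
    img += b"\xff" * (0x40000 - len(img))     # erased tail
    return bytes(img)


if __name__ == "__main__":
    report = check_dump(build_sample_dump())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("empty clip read:", check_dump(b"\xff" * 4096)["looks_empty"])
```

Record the hash before you touch the image, and if the report says the dump looks empty, re-seat the clip and check the chip's VCC and chip-select lines before blaming the tool; a second dump that hashes identically to the first is the cheapest proof that the read was stable.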

Of course, you can always also try to hunt down the JTAG…

At this point, with the JTAG & UART pins known, we can use a combination of #FocacciaBoard & #BürtleinaBoard to get full access to the IoT target.


Some of you at this point may have wondered… why is there a CC1101 board attached to the BürtleinaBoard?!

Well… look at it as an easter egg that allows you to do some basic RF hacking.

With LSATAN’s repo you could easily replicate some of the previous PoCs I created for #WHIDelite.

Flashing one of the SmartRC-CC1101-Driver-Lib examples is trivial with the Arduino IDE.

If you have read this far… it means you are thinking of trying the BurtleinaBoard! Good! You can find Gerbers, Schematics and a 3D Case at https://burtleina-board.whid.ninja

For more stuff feel free to follow https://twitter.com/whid_ninja

WHID’s Trainings

The 𝙊𝙛𝙛𝙚𝙣𝙨𝙞𝙫𝙚 𝙃𝙖𝙧𝙙𝙬𝙖𝙧𝙚 𝙃𝙖𝙘𝙠𝙞𝙣𝙜 𝙏𝙧𝙖𝙞𝙣𝙞𝙣𝙜 is a Self-Paced training including Videos, a printed Workbook and a cool Hardware Hackit Kit. And… you get everything shipped home Worldwide! 🌍🔥😎
For more info… ➡ https://www.whid.ninja/store
