Hacking IoT & RF Devices with BürtleinaBoard

Yet another Multipurpose Breakout Board to hack hardware in a clean and easy way!

Disclaimer: due to a complaint from the citizens of my native city in Italy… I had to rename #PiadinaBoard into #BurtleinaBoard :P

Few months ago I have presented #FocacciaBoard: a similar multipurpose breakout board that uses the famous FT232H to handle multiple protocols commonly found in (I)IoT devices (i.e. UART, JTAG, SWD, SPI, I2C).

Despite #FocacciaBoard is extremely useful during my night-to-night hardware hacking needs… there is another set of tools I cannot live without: pin enumeration ones. The two most used are JTAGulator (awesome commercial product developed by Joe Grand) and BUSSide (a marvelous piece of FOSS developed by Dr. Silvio Cesare).

That’s why I created#BürtleinaBoard: to have a more usable breakout-board around BUSSide software framework.

Intro to BUSSide:

Repo: https://github.com/BSidesCbr/BUSSide

BUSSide is a software framework developed for ESP8266 , running on a NodeMCU board which allows a python client on your laptop to communicate (mostly through bit-banging) with different hardware components through different protocols (i.e. UART, SPI, I2C and JTAG).

What makes BUSSide an irresistible toy to always have around in your hardware hacking lab is that has the capability to discover/enumerate the right pins for multiple protocols.

Imagine the scenario where you have target with exposed some debug pins or test points… but there is anything written on the silk-screen that may help you figure out what is what. What do you do?

  1. Mutlimeter all-the-things.
  2. Attach a Logic Analyzer to passively figure out what’s going on.
  3. Actively Enumerate them with JTAGulator or BUSSide.

Flashing Firmware:

Flashing BUSSide firmware inside the NodeMCU is quick and easy:

# apt-get install esptool
# git clone http://github.com/BSidesCbr/BUSSide.git
# esptool --port /dev/ttyUSB0 write_flash 0x00000 BUSSide/FirmwareImages/*.bin

Of course, you can also use esptool on Windows or Nodemcu-flasher

Once flashed, you can attach the NodeMCU on the BürtleinaBoard and then connect it to the laptop through a USB micro cable.

How to Run BUSSide:

# cd BUSSide/Client
# ./busside.py /dev/ttyUSB0

Afterwards you will be greeted by the (pretty straight-forward) BUSSide menu.

Practical Examples:

Let’s say you have a new target and you cannot figure out which is the pinout of the UART console and you are too lazy to deal with a locig analyzer…

Grab your Bürtleina board, attach those pins to the target either through dupont cables or hook probes and run BUSSide Client. It will allow you to enumerate the RX pin, then the TX one and finally to use the BUSSide itself as UART to USB (i.e. passthrough mode).

At this point you can either continue hunting JTAG pins (if any) or try to dump the SPI Flash (which contains the Crown Jewels. A.k.a. his majesty, the Firmware).

Grab a SOP8 clip or Hook Probes, attach to the SPI Flash and start dumping it. In a couple of minutes you should get extracted the firmware.

Of course, you can always try to also hunt-down the JTAG…

At this point, with JTAG & UART pins known, we can use a combination of #FocacciaBoard & #BürtleinaBoard to have full access to the IoT Target.

Disclaimer: due to a complaint from the citizens of my native city in Italy… I had to rename #PiadinaBoard into #BurtleinaBoard

Well… look at it as an easter-egg that allows you to do some basic RF Hacking.

With the LSATAN’s repo you could easily replicate some of the previous PoCs I have created for #WHIDelite

Flashing one of the SmartRC-CC1101-Driver-Lib’s examples is very trivial with Arduino IDE.

For more stuff feel free to follow https://twitter.com/whid_ninja

P.S.

As usual I will try convincing the Chinese Manufacturer that brought to life WHID, WHIDelite and FocacciaBoard to start the production of a small batch of BurtleinaBoards for the folks that are too lazy or too scared to make their own. #StayTuned!

P.P.S.

If you wonder how looks like a Bürtleina and how to make it, I left here the receipt: https://www.poderecasale.com/en/burtleina/

Buon apetito! :)

Non aetate verum ingenio apiscitur sapientia / Omnia silendo ut audeam nosco / There is no deduction for excellence / Tweets are my own