
Hardware Hacking, Tweaking, and Bending:
Making Technology Do Things It Was Never Intended To Do

University of Advancing Technology
November 2, 2005

Joe Grand
Grand Idea Studio, Inc.
joe@grandideastudio.com

Introduction to Hardware Hacking
• Hacker v. Attacker
• What is Hardware Hacking and Reverse Engineering?
• Legal Issues
• A Brief History of Hardware Hacking
• Challenges and Trends
• Examples of Interesting Hacks

2 © 2005 Grand Idea Studio, Inc.


Hacker v. Attacker
• Hacker: Somebody involved in the exploration of technology
• Attacker: Malicious goals of theft or illegitimately breaking into a system
• Terms often confused and hyped (intentionally?) by media
• Contrary to popular belief, hacking does not have to be illegal


What is Hardware Hacking?
• Doing something with a piece of hardware that has never been done before
  – Personalization and customization (e.g., "hot rodding for geeks")
  – Adding functionality
  – Capacity or performance increase
  – Defeating protection and security mechanisms (not for profit)
• Creating something extraordinary
• Harming nobody in the process


What is Hardware Hacking? 2
• Some attempts at defining "hack":
  – The Jargon File v4.4.7, The Meaning of Hack, www.catb.org/~esr/jargon/html/meaning-of-hack.html
  – Dictionary.com, http://dictionary.reference.com/search?q=hack
  – The MIT Gallery of Hacks (Building Hacking), http://hacks.mit.edu/Hacks/Gallery.html
• It's a noun and a verb!
  – Noun: "That Furby hack was really cool."
  – Verb: "Let's hack the Atari Flashback 2 to play actual game cartridges."

What is Reverse Engineering?
• The art of learning from practical examples
• Examining products or technologies to see how they work
  – Ex.: Opening a product and creating a schematic based on the circuit board layout
• Often a subset of hardware hacking


Why Hardware Hacking?
• Curiosity and fun
  – To see how things work
• Improvement and innovation
  – Make products better/cooler (build a better mousetrap)
  – Some products are sold to you intentionally limited or "crippled"
• Education
  – Learn by doing
• Grass-roots technology development
  – Sow a thousand seeds and see what blooms

Why Hardware Hacking? 2
• Consumer protection
  – I don't trust glossy marketing brochures...do you?
• Security competency
  – Test hardware security schemes and look for failures/weaknesses
  – People generally trust hardware devices as "secure"
• Good for the environment?
  – Old/obsolete hardware gets reused instead of brought to the landfill


Legal Issues
• I am not a lawyer!
• Thin line between good and evil
  – Recent laws (DMCA) have worked to prevent reverse engineering by enabling large corporations to flex their muscle against potential threats
  – However, there is legal precedent that explicitly protects certain types of reverse engineering
• "Shrink wrap" or explicit agreements used to waive your rights
  – Ex.: You don't actually own what you're reverse engineering

Legal Issues 2
• Reverse engineering a patented product does not grant you a license to use it
  – Patents contain a full disclosure of the technology, anyway
• Cannot copy or use a copyrighted work
• Trade secrets (confidential, but not legally protected) are fair game
• Check with a lawyer if you have any questions!


A Brief History of Hardware Hacking
• Hacking is not just about breaking and tweaking - it's also about creating!
• Arguably dates back 200 years
  – Charles Babbage's Difference Engine (early 1800s)
  – William Crookes's discovery of the electron (mid 1800s)
• Hardware hackers you might have heard of:
  – Benjamin Franklin, Thomas Edison, Alexander Graham Bell, Bill Hewlett and Dave Packard, Steve(s) Jobs and Wozniak
• Early hardware hacking included:
  – Wireless telegraphy, vacuum tubes, radio, television, transistors, computers

The Technology Divide
• Differential between mass production and hobbyist capabilities


The Technology Divide 2
• Differential between mass production and hobbyist capabilities


The Technology Divide 3
• Differential between mass production and hobbyist capabilities


Evolution of the Technology Divide
• In the beginning (1940s-1960s)
  – Production and hobbyist technology the same
  – Your own two eyes, a soldering iron, and some discrete components

Picture: www.vintagecalculators.com/html/anita_mk_8.html


Evolution of the Technology Divide 2
• ICs lead the way to greater integration (1970s-1980s)

Picture: www.applefritter.com/pictures/images/apple1platine.jpg


Evolution of the Technology Divide 3
• In the 1970s-1980s, most boards used SSI/MSI chips
  – SSI (Small Scale Integration) = <10 gates
  – MSI (Medium Scale Integration) = 10-100 gates
  – LSI (Large Scale Integration) = 100-1000 gates
  – VLSI (Very Large Scale Integration) = >10000 gates
• At SSI and MSI level, most logic functions visible to the "naked eye"


Evolution of the Technology Divide 4
• Early 1990s
  – Mass-market adoption of technology drives integration
  – Fine-pitch surface mount technology, increasing integration, and escalating clock speeds
  – Hardware hacking stagnates as interest in software/network hacking increases
  – Hardware hacking now requires high-end test equipment, microscopes, soldering irons


Evolution of the Technology Divide 5
• Late 1990s
  – BGA technology widely deployed
    o Die connections ("pins") located underneath device package
    o Working with BGAs inaccessible to hobbyists
    o Requires sophisticated soldering and rework equipment
    o Inspection and repairing of ball/solder joints expensive
  – High board clock speeds obsolete cheap test equipment
    o Low-cost oscilloscopes have ~100 MHz bandwidth
    o Motherboards hit 133 MHz signaling in late 1990s (now over 400 MHz!)


Evolution of the Technology Divide 6
• Early 1990s v. Late 1990s: Do more with less!


Evolution of the Technology Divide 7
• Cross section of modern circuit board showing hidden BGA connections and buried traces

Picture: Hacking the Xbox


Hardware Hacking Challenges
• Advances in chip packaging
  – Ultra-fine pitch and chip-scale packaging (e.g., BGA, COB, CIB)
  – Not as easy to access pins/connections to probe
  – Discrete components can now easily be inhaled
• Highly-integrated chips (sub-micron)
  – Difficult, but not impossible, to probe and modify
  – Building a full-custom chip as a hobby project is still too expensive (> $100K)


Hardware Hacking Challenges 2
• Cost of equipment
  – Advanced tools still beyond the reach of average hobbyist (probing, decapping, SEMs, etc.)
  – "State of the art" defined by what hackers can find in the trash and at flea markets
• Societal pressures
  – Hardware hacking is practically becoming mainstream, but "hacker" is still a naughty word


Emerging Trends
• Economic downturn of early 2000 is a blessing to hardware hackers
  – Growth of technology slows down
  – Price competition brings rapid PCB prototyping prices into the < $100 range
  – Excess inventory drives down component costs
  – IC analysis services become affordable for the mere mortal


Emerging Trends 2
• Hardware hacking is making a comeback!
  – Was overshadowed for many years by network/software programming and hacking
  – Many resources, web sites, forums, magazines, people available to learn from


Make Magazine
• Full-color, quarterly hybrid magazine/book (also known as a mook) published by O'Reilly
• Launched January 2005, already 80,000 paid subscribers
• Focused on all aspects of the do-it-yourself ethos
  – Electronics, Mechanical, Metal, Wood Working, Food, Anything!
• Community-based sharing of hacks, projects, pictures
  – http://www.makezine.com
  – http://flickr.com/groups/make/pool

Make Magazine 2
• Even the media likes it!
  – "It's the kind of magazine that would impress MacGyver" -- Marcus Chan, San Francisco Chronicle
  – "This is Popular Mechanics for the modern age with a 1968 James Brown attitude." -- Wayne Bedsoe, Knoxville News Sentinel
  – "If you're the type who views the warnings not to pry open your computer as more a challenge than admonition, MAKE is for you." -- Rolling Stone


Hacks!
• Case Modifications
• Game Consoles
• Consumer Products
• Other Technologies
• ...Only a tiny sampling of the thousands of amazing hacks out there (and the ones I think are particularly cool)!


Case Mods: Atari 2600PC
• Fully-featured PC designed into the case of an Atari 2600 (remember those?)
• Wanted a DVD/CD media station and all-purpose video game/computer emulator
• 1GHz VIA EPIA M10000 motherboard, 512MB DRAM, 60GB hard drive, CD-RW/DVD combo drive, wireless keyboard and mouse, 802.11b wireless USB adapter, 2 Stelladaptor Atari controller-to-USB interfaces


Case Mods: Atari 2600PC 2
• Game Console Hacking and Make issue 2


Case Mods: Millennium Falcon Xbox
• Stripped down Xbox retrofitted into an original 1979 Star Wars Millennium Falcon
  – www.darkops.co.uk
• Xbox w/ 4 gamepad ports, 6 fan "hyper drive" cooling system, concealed DVD drive


Game Consoles: Retro/Classic
• Thriving homebrew game development community
  – Ex.: www.atariage.com
• Primarily driven by nostalgia and the desire to use old technology to create new things
• Excellent way to learn about electronics and programming
  – The challenge is in overcoming constraints of these early systems (ex.: limited ROM, RAM, and processor power, necessary low-level hardware interaction, etc.)

Game Consoles: Retro/Classic 2
• Custom circuit boards to build actual cartridges for retro systems (Atari 2600, Atari 5200, Atari 8-bit, Colecovision)
  – www.pixelspast.com


Game Consoles: Retro/Classic 3
• Disabling the Nintendo NES "Lockout Chip"
  – Security mechanisms used by Nintendo to maintain exclusivity on cartridge manufacturing and to control game distribution
  – Lockout chip inside the NES communicates with an identical chip inside the cartridge (e.g., as a "lock" and "key")
  – Can be disabled with a simple trace cut and additional wire
  – Hack allows foreign games and unlicensed third-party games to be played on the console
  – Game Console Hacking, chapter 7

Game Consoles: Retro/Classic 4


Game Consoles: Xbox
• Andrew "bunnie" Huang's Xbox hacking
  – Hacking the Xbox: An Introduction to Reverse Engineering and www.xenatera.com/bunnie/proj/anatak/xboxmod.html
  – Custom-built tap circuit used to intercept data transfer over Xbox's HyperTransport bus
  – Able to retrieve symmetric encryption key used for protection of a secret boot loader
  – Allowed him to execute untrusted/unauthorized code on the system


Game Consoles: Xbox 2
• Tap board uses single LVDS-to-CMOS logic converter (TI SN75LVDS386) interfaced to a Xilinx Virtex-E FPGA

Picture: Hacking the Xbox

Game Consoles: Gran Turismo 4 Steering Wheel Mount
• Woodworking skills > Paying $ for expensive gaming chair
  – $18 in parts + time + fun v. $199
  – http://berserk.org/gt4


Game Consoles: Pong Mechanik
• Art project created by Niklas Roy
  – Interviewed in Make issue 1
• Completely mechanical version of Pong: Motors, relays, solenoids, strings, & pulleys!
  – www.cyberniklas.de/pongmechanik/indexen.html
• No microprocessors, semiconductors, or other electronic components


Consumer: VaxBar
• Built in January 2001
• Simple access control system to prevent unauthorized employees from eating our snacks!
• Original DEC VAX 11/785 housing w/ custom-designed Java-based web server and iButton authentication


Consumer: Universal Garage Door Opener
• Replaced DIP switches with timer and counter to automatically cycle through all 2^10 (1024) possible combinations
• Built in July 1994 as a hobbyist project
  – Still works on many garage door types that use a selectable "security code"
  – Who changes their garage door systems that often?


Consumer: Dakota Single-Use Digital Camera
• One of the few low-cost, single-use digital cameras (~$10.99 at Ritz or Wolf Camera)
• Intended to be used like a disposable camera
  – Sticker on unit says "Camera does not connect to home computers."
• Quickly hacked to convert to regular, multi-use camera via USB
  – http://cexx.org/dakota
• Underground community has created custom firmware, image dumping software, webcam, etc.

Consumer: Dakota Single-Use Digital Camera 2

Pictures: Make, issue 3


Consumer: VCR Cat Feeder
• "Liberate a motor from an old VHS deck, attach it to a food chopper, and program the deck's recording timer to fill Fluffy's bowl on schedule."
  – http://makezine.com/03/catfeeder
• Any old VCR has a programmable timer that connects to a motor for recording TV shows
• Hack the VCR so the motor operates a food delivery mechanism instead of the video head
• One of many curiously insane hacks created by James Larsson (he's also created a clock by measuring decay rates of a prawn sandwich)

Consumer: VCR Cat Feeder 2

Pictures: Make, issue 3

Wireless: Dell TrueMobile 1184
• One of many broadband access point/routers
• Port scan reveals open ports 80, 333, 1863, 1864, 4443, 5190, 5566
• Device based on vLinux distribution
  – www.onsoftwarei.com/product_vlinux.htm
  – Hardware Hacking: Have Fun While Voiding Your Warranty, chapter 10


Wireless: Dell TrueMobile 1184 2
• Can telnet into port 333 with default password to gain complete control of the device
  – username: root, password: admin
• No special hardware tools or reprogramming is necessary
• Many devices running Linux which can make hacking/experimentation easier
  – www.linuxdevices.com
  – www.ucdot.org
• Linksys WRT54G is another good one for hacking: Open source firmware, etc.

Wireless: Can Antenna (Cantenna)
• What better way than to use your empty Pringles can or coffee can as a WiFi antenna?
  – www.turnpoint.net/wireless/has.html
• Perfect for increasing network range or for "wardriving"
• Many variations exist...


Other: Self-Chilling Beer Mug
• Keep drink cold wherever you go!
• Uses Peltier junction (moves heat to one side, leaving the other cold)
  – www.popsci.com/popsci/automotivetech/59ca1196aeb84010vgnvcm1000004eecbccdrcrd.html

Pictures: Scott Fullam, DefCon 12


Other: Blinkenlights
• Eight floors of a building turned into a huge interactive display
  – 144 lamps behind front windows
  – Each lamp computer-controlled to form 18x8 pixel monochrome matrix
  – Linux PC w/ 192-channel Parallel I/O card
  – www.blinkenlights.de
• Created by the Chaos Computer Club to celebrate its 20th anniversary (Sept. 2001)
• Followed up by the "Arcade" project in Paris 2002
  – 20x26 pixel greyscale matrix
  – Play Tetris, Pong, Breakout, Pac Man, etc.

Other: Blinkenlights 2

Pictures: Chaos Computer Club


Other: Anonymous Megaphone
• "Bring anonymous voices into public spaces, stage an anonymous protest, or speak to the masses without revealing your identity."
  – http://makezine.com/04/diy_megaphone/
• Cellphone (auto answer) -> Audio amplifier -> Paper cone

Picture: Make, issue 4


Other: Joe's Random Hacks
• Laser Listener: Window Vibration Audio Reconstruction Project (left)
• Joystick-Controlled Pneumatic Cannon (right)


Other: Technology as Artwork
• Lichtenberg Lightning Frame (left)
• Tank Searchlight Lamp (right)


Other: Technology as Artwork 2
• Solder Stencil End Table (left)
• Macintosh Aquarium (right)


Other: Technology as Artwork 3
• Hard Drive Coffee Table


Thanks & Have Fun!

Joe Grand
Grand Idea Studio, Inc.
joe@grandideastudio.com

Books and Magazines: Hardware Hacking
• Make Magazine (w/ blog updated daily), www.makezine.com
• J. Grand, et al, "Hardware Hacking: Have Fun While Voiding Your Warranty," Syngress Publishing, 2004, ISBN 1-93-226683-6.
• J. Grand, et al, "Game Console Hacking," Syngress Publishing, 2004, ISBN 1-93-183631-0.
• S. Fullam, "Hardware Hacking Projects for Geeks," O'Reilly Media, 2003, ISBN 0-59-600314-5.


Books and Magazines: Hobbyist and Robotics
• Nuts & Volts Magazine, www.nutsvolts.com
• Servo Magazine, www.servomagazine.com


Books and Magazines: General Electrical Engineering
• Circuit Cellar Magazine, www.circuitcellar.com
• EDN Magazine, www.edn.com
• Horowitz and Hill, "The Art of Electronics," Cambridge University Press, 1989, ISBN 0-52-137095-7.
• K. Amdahl, "There Are No Electrons," Clearwater Publishing, 1991, ISBN 0-96-278159-2.
• M. M. Mano, "Digital Logic and Computer Design," Prentice-Hall, 1979, ISBN 0-13-214510-3.
• K. R. Fowler, "Electronic Instrument Design," Oxford University Press, 1996, ISBN 0-19-508371-7.


Web Sites: Hardware Hacking
• hack a day, www.hackaday.com
• I-Hacked.com: Taking Advantage of Technology, www.i-hacked.com
• Bill Miller's CircuitBending.com, http://billtmiller.com/circuitbending
• TiVo Techies, www.tivotechies.com


Web Sites: Electrical Engineering
• Parallax, Inc., www.parallax.com
• ePanorama.net, www.epanorama.net
• The EE Compendium: The Home of Electronic Engineering and Embedded Systems Programming, http://ee.cleversoul.com
• Discover Circuits, www.discovercircuits.com
• WebEE: The Electrical Engineering Homepage, www.web-ee.com
• University of Washington EE Circuits Archive, www.ee.washington.edu/circuit_archive


Web Sites: Other
• Cambridge University Security Group - TAMPER Laboratory, www.cl.cam.ac.uk/Research/Security/tamper
• Molecular Expressions: Chip Shots Gallery, http://microscopy.fsu.edu/chipshots/index.html


Distributors: Electrical Engineering
• Digi-Key, www.digikey.com
• Mouser, www.mouser.com
• Jameco, www.jameco.com
• Newark In One, www.newarkinone.com
• Future Electronics, www.futureelectronics.com
• Radio Shack, www.radioshack.com
• American Science & Surplus, www.sciplus.com


Distributors: Tools and General Hardware
• Contact East/Jensen Tools, www.contacteast.com
• Test Equity, www.testequity.com
• The Home Depot, www.homedepot.com
• Lowe's, www.lowes.com
• Hobby Lobby, www.hobbylobby.com
• McMaster-Carr, www.mcmaster.com