Advanced Techniques in Hardware Hacking

Hardware attacks fall into four broad categories:

• Bus interception — passively reading or actively manipulating UART, SPI, I2C, JTAG, or PCIe traffic.
• Fault injection (glitching) — disturbing voltage, clock, or electromagnetic environment to corrupt instruction execution and skip security checks.
• Side-channel analysis — observing power consumption, electromagnetic emissions, timing, or acoustic signals to extract secrets like AES keys.
• Chip-off / physical attacks — desoldering, decapsulation, and microscopy to read memory or probe internal nets directly.

The unifying assumption is physical possession. Hardware attacks dominate where an attacker holds the device: hardware wallets, smart cards, IoT consumer goods, biometric door readers, game consoles, and intercepted shipments.

Essential gear:

• Multimeter, oscilloscope (≥200 MHz), logic analyzer (Saleae Logic Pro 16, DSLogic).
• Bus pirates: Bus Pirate v5, HydraBus, Tigard.
• JTAG adapters: J-Link, Black Magic Probe, Tigard, JTAGulator.
• Programmers: CH341A (SPI), XGecu T56, RT809H.
• Glitching platforms: ChipWhisperer (Husky, Pro, Nano), PicoEMP for EM glitching, Riscure Inspector for high-end work.
• Microscope and hot-air rework station for chip-off.

Most embedded devices expose UART test pads on the PCB. Locating them is the first step:

1. Visual inspection — silkscreened TX/RX/GND.
2. Continuity test from candidate pads to known IC pins (UART TX/RX of the SoC).
3. Probe with an oscilloscope during boot — TX shows asynchronous bursts at the baud rate.
4. Connect via FTDI/CP2102 at the identified baud rate (115200 most common, sometimes 57600 or 921600).

UART consoles frequently drop into U-Boot with Hit any key to stop autoboot, or expose a root Linux shell. Both bypass entire authentication layers.

SPI flash sniffing with a Saleae logic analyzer captures every byte the SoC reads from external flash during boot — including secrets that decrypt firmware images. Then chip-clip in-circuit reads with flashrom and a CH341A dump or rewrite the flash.

I2C is common for EEPROMs storing config or per-device keys. The Bus Pirate's (1) macro scans the I2C bus and reads/writes registers.

JTAG is the holy grail when present. JTAGulator brute-forces pinouts on unknown headers (TDI/TDO/TMS/TCK/TRST). Once mapped, OpenOCD + GDB give full CPU control: halt, single-step, dump RAM, modify registers, bypass authentication.

Glitching exploits the fact that CMOS digital logic is fundamentally analog under stress. A carefully timed voltage drop or EM pulse can cause a single instruction to misexecute — a bne taken as b, a cmp returning the wrong flag, a memory copy ending early. Real-world successes include:

• TrustZone bypass on NXP, ST, and Renesas MCUs.
• STM32 readout protection bypass (RDP) — drops a flash readout from "protected" to "open".
• PS4 SAMU hypervisor escape via DRAM rowhammer + glitching.
• Tesla Model 3 MCU bypass (Riscure / Pen Test Partners).
• Trezor One and Ledger Nano S physical-attack research (responsibly disclosed).

The ChipWhisperer ecosystem democratized glitching:

import chipwhisperer as cw
scope = cw.scope()
scope.glitch.clk_src = "clkgen"
scope.glitch.output = "glitch_only"
scope.glitch.trigger_src = "ext_single"
scope.glitch.width = 4.0
scope.glitch.offset = -20
scope.io.glitch_lp = True
# Trigger, monitor for "glitched" success state.

EM glitching (PicoEMP, RIscure EM-FI Transient Probe) avoids contact and works through plastic packages, opening attacks on un-decapsulated chips.

Power-analysis attacks come in two flavors:

• Simple Power Analysis (SPA) — single-trace inspection reveals coarse operations (RSA square vs. multiply, AES rounds).
• Differential / Correlation Power Analysis (DPA / CPA) — statistical analysis over thousands of traces correlates power consumption with hypothesized intermediate values, recovering full AES, DES, or ECC keys.

The math is straightforward once tooling exists: capture N traces of a target encrypting known plaintexts, model the Hamming weight of the AES S-box output for each key-byte guess, compute Pearson correlation, take the argmax. ChipWhisperer's Jupyter notebooks teach this in an afternoon.

Electromagnetic side channels require only a near-field probe over the chip; acoustic side channels can leak RSA keys from CPU coil whine (Genkin et al.). Cache timing (Spectre, Meltdown, Foreshadow) extends side-channel attacks into pure-software contexts.

When non-invasive methods fail, the chip itself opens. eMMC/UFS chip-off forensics reads phone storage even when the OS is destroyed — desolder the eMMC, place in a UFI Box or Easy JTAG reader. NAND chip-off with bit-correction is standard practice in digital forensics labs.

Decapsulation with fuming nitric acid (HNO3 + H2SO4) removes the epoxy package, exposing the die. Under an optical or SEM microscope, ROM bits can be read directly; with focused ion beam (FIB) equipment, individual traces are cut or rerouted. This is nation-state territory but commercial labs (TechInsights, ChipRebel) offer services.

Game consoles — every major console (Xbox 360 reset glitch, PS4/PS5 Time-of-Check Time-of-Use, Switch Tegra fusée-gelée BootROM exploit) has been broken with hardware attacks within months of launch.

Hardware wallets — Ledger and Trezor research consortia (Donjon, Kraken Security Labs) have published practical attacks ranging from EM fault injection on the STM32 to side-channel PIN extraction. Most have been mitigated with secure elements.

Tesla — Riscure and Pen Test Partners demonstrated voltage glitching to extract the MCU eMMC contents, enabling premium-feature unlocks and key extraction.

Microcontroller readout protection — Researcher Lennert Wouters (KU Leuven) repeatedly demonstrated practical RDP bypasses on STM32 series, leading to vendor firmware fixes and architectural revisions.

SATCOM and BMC attacks — IPMI/BMC chips on enterprise servers, accessible via shared LAN ports and often with default credentials, were shown to permit persistent rootkit installation invisible to the host OS.

For hardware designers:

1. Disable debug interfaces in production via eFuses (one-time programmable). Many vendors leave JTAG enabled.
2. Use authenticated debug (ARM ADIv6 Authenticated Debug) where supported.
3. Encrypted external memory — XIP encryption (e.g., NXP IEE, ST OTFDEC) prevents SPI sniffing from yielding plaintext.
4. Secure elements for key storage — NXP SE050, Microchip ATECC608, Infineon Optiga. They implement side-channel and glitch countermeasures certified to CC EAL5+ or higher.
5. Glitch countermeasures: redundant checks (if(auth) { if(auth) { allow(); } }), constant-time operations, integrity-checked branches, anomaly detectors on voltage/clock.
6. Masking and hiding for crypto implementations to defeat DPA.
7. Tamper-evident enclosures with mesh, light sensors, and zeroization on intrusion.
8. Per-device unique keys so one device's compromise does not break the fleet.

For operators and users:

• Physical control matters. Hardware attacks require possession. Treat lost/stolen devices and supply-chain transit as compromise events.
• Choose certified hardware (FIPS 140-3, Common Criteria) for high-value secrets.
• Verify firmware integrity at boot and periodically; assume tampered devices in unmanaged environments.