The Common Methods of Hardware Hacking
Hardware Hacking is an art, but there are some common methods to modifying devices that can jump-start any good hacking project.
The word "hacking" as it pertains to hardware is often misused. In the commonly accepted definition, "hardware hacking" means modifying a piece of existing electronics to use it in a way that it was not necessarily intended. Even that definition is vague, as it can refer to any method of modifying hardware, be it the enclosure, the electronics, or the behavior. Modifying an enclosure of a device is usually straightforward; drill a hole, cut a slot, etc. But hacking the electronics and/or behavior is a complicated subject in itself. When looking to modify a device, sometimes it's hard to know where to start, and what angle of attack to take when hacking something for a purpose for which it was not designed.
If you're looking to hack a piece of hardware, how you approach the hack depends on what you're trying to do. Are you trying to make it wireless? Are you trying to change what it displays? Are you trying to get it to trigger another device? Each hack requires a different angle of attack, and it's difficult to decide on how to proceed if you've never hacked a device before. What follows are some common methods of hardware hacking and the implementations in which they are used. This is not, by any means, a "how to hack hardware" tutorial. Such an article could not exist in a complete form. The nature of hacking insists that there is always a new creative way to a solution, but these are some common methods that I've used in my experiences.
Method 1: Patching Into I/O
The first (and arguably easiest) method of hacking a device is patching into its control mechanism. Most consumer products have at least one button or indicator LED, and the connections for that component are usually easy to find and solder to.
With access to button pads, you can attach your own button, relay, or transistor circuit to control it with your own hardware. For example, if you wanted to make a device wireless, you can connect your wireless device directly to the button pads to drive the button signal high or low depending on what the wireless device receives. I see this kind of implementation all the time. For example, there was recently a write-up on hackaday about a user named Kolumkilli hacking his Keurig coffee maker to be wirelessly controlled. He accomplished this by locating the "brew" button pads and connecting a wireless device. This kind of hack can be accomplished without digging into the actual programming of the device.
Image courtesy of Hackaday
With access to the LED pads on a device, you have a reliable output source from the device. The best example I've seen of this is a hack with the Star Wars Force Trainer. It appears the blog post for this hack has been removed, but in the hack the designers simply soldered to LEDs on the base of the toy to trigger their own device when certain LEDs turned on. Then they could use the toy as the controller for their own system, without ever having to access the data on the device.
Image courtesy of starwars.com
Method 2: Replacing a Component
This method is often used in Circuit Bending. The user wants the device to sound different, so he or she replaces a component (usually experimentally) to get a different sound out of a device. This kind of approach isn't relegated to Circuit Bending, though. A lot of interesting hacks have been achieved by replacing a component. For example, replacing bike light bulbs with high-intensity LEDs, or replacing the motors on an off-the-shelf toy car to make it drive dangerously fast.
Image courtesy of Hackedgadgets.com
Method 3: The Logic Analyzer
One can gather a lot of "private" data from a device with the use of a simple logic analyzer. To do this, one finds an interesting chip or test point on a circuit board, connects a logic analyzer, and then runs the device. The logic analyzer will record any signals occurring on the lines it's sniffing, and that data can potentially be translated into something useful. I once hacked a Lidar range finder this way, probing its serial lines while it was running.
The blog post went live before I had time to do anything useful with the data, but I made the data public, and by the next day someone had interpreted it and created of video of the graphical representation of the data. Just for a little shameless self-promotion, I used the Logic Analyzer that we sell, which does auto baud-rate detection and signal translation for the SPI, I2C, and serial protocols. Because of this, it is a vital tool in my hardware hacking toolkit.
Method 4: JTAG Hex Dump (a.k.a. Voodoo)
When an electronic device is manufactured, it must be programmed with firmware at some point. The same port through which a device is programmed can also be used to disassemble and hack the firmware. Many microcontrollers have a memory dump feature that can be triggered through its programming port that allows a user to read the full memory (in hex) of the chip. Many devices include a feature that "locks" the device so that it cannot be read or reprogrammed once it is flashed, but many device manufacturers do not implement this feature, leaving their products susceptible to firmware hacking.
In order to hack firmware through a programming port, one must:
- Identify the device and if it has the capability to dump its memory
- Build or buy a programmer that can receive this memory dump and transmit to a computer
- Get the hex dump from the chip with the programmer
- Disassemble the hex into assembly language
Once the hacker has the assembly language, he or she is looking at the firmware. From there one can modify the firmware file to one's own ends, changing variables and registers to change the behavior of the device. Then the hacker recompiles the firmware into hex, and reprograms the device with the hacked firmware. This is an advanced method of hardware hacking, but can provide the most effective (or entertaining) results.
One of my favorite examples of this sort of hacking is the GoodFET, a device developed by Travis Goodspeed to (among other things) easily trigger a hex dump and re-flash the memory of multiple platforms (MSP430, AVR, PIC, etc.). The GoodFET makes it easy for the hardware hacker to download or "peek" at code hosted on a chip, in order to modify or exploit it for hacking.
Image courtesy of Goodfet.sourceforge.net
For those interested in heavy-duty hardware hacking, be sure to check out Travis Goodspeed's blog.
As I said before, this is by no means a complete "how to hack hardware" article. There will always be new ways to modify and hack new devices and chips, and someone will always come up with some slick way to use a device to an unintended end. What methods have you used to hack hardware, or what do you find useful in the reverse engineering process?
