VSS: Beginners Guide to Building a Hardware Hacking Lab

Introduction

One of the most common questions that I get during a training is: "What do we need to build out an initial hardware hacking lab?"
Of course, the answer to this question can be heavily tailored based on the goals of the team and their targets, but I wanted to attempt to document what would make for a good starter lab. The following document aims to outline the basic requirements for a well-rounded embedded systems laboratory. In this list, I will focus on devices that I and a few others regularly use for hardware pen testing and research. I will list a range of devices covering various budgets. It should be noted that the following recommendations are my opinion, and none of the links below are affiliate links or anything of the sort. My goal is to help people build out their first lab, not to make money.

This guide will also be maintained at the GitHub repository located here - please submit pull requests with your suggestions and favorite tools!

Contributors

Throughout the development of this guide, I was lucky enough to have some really sharp people offer to help me proofread and provide recommendations for some of the gear listed in this write-up. I've included their names/handles below:

* Jeremy Hong
* Arsenio Menendez
* Stu Kennedy
* Ian Hanschen
* Dreg

Workbench

First and foremost, you will require a place to perform your work. Depending on your needs, this might be a small section on your desk, or you may want an entirely separate workbench. When it comes to choosing a workbench, you'll quickly find that you can spend a lot of money on a high-end standing desk, especially if you're looking for a larger one. One place you might consider looking is Home Depot / Lowes; I am a big fan of their Husky standing workbench and am currently using two of them in my office. If you're looking for something more traditional, I have also built a handful of workbench setups using IKEA tabletops and legs. This is a very popular option for workstations.

| Item | Price | Link |
| --- | --- | --- |
| Husky Adjustable Height 46in-72in Workbench | $268.00-$398.00 | Link |
| Ikea LAGKAPTEN Tabletop | $49.99 | Link |
| Ikea ADILS Leg | $7.50 | Link |
| Ikea Drawer Unit (ALEX) | $109.99 | Link |

Note: The IKEA drawer units have mounting holes on top of them for attaching to IKEA tabletops, which makes assembly extremely simple, and you get the added benefit of extra storage.

ESD Protections

The last thing that you want to happen is for you to accidentally destroy a device with static electricity. To avoid this, it is always a good idea to get an ESD wrist strap or an ESD protective mat.

Note: Not all silicone mats that you will find on Amazon are actually anti-static. Please make sure that you read the description of the mat that you are going to purchase if ESD protection is a high priority for your workspace (which it should be!)

| Item | Price | Link |
| --- | --- | --- |
| ESD Wrist Strap | $9.99 | Link |
| ULine ESD Wrist Strap | $18 | Link |
| Bertech ESD High Temp Mat | $44.30 | Link |
| STATFREE UC2 Anti-Static Mat | $138.53 | Link |
| ULine Assorted Mats | $80-$1000 | Link |

DigiKey has a number of high quality ESD mats that you can find here.

Soldering

Whether you are tearing down a new router or looking for a new target to perform fault injection, you will need to solder at some point during your hardware hacking journey. Soldering is the process of joining metal surfaces with "solder", creating a conductive connection between the two soldered points. Soldering is useful when populating unused debug pin headers or connecting wires to points on your target circuit board that you wish to interact with.

Soldering Irons

When looking for a new iron, it is essential to keep your goals in mind:

* Are you mainly focusing on smaller surface mount device (SMD) rework projects?
* Will you be working with larger/older components that may need a lot of heat to remove?

Ideally, you want an iron with adjustable temperature and removable tips. These can be purchased relatively cheaply from Amazon and other online vendors.
I recommend one with an emergency timeout in case you forget to turn off your iron after some late-night soldering.

Low Cost

Below is a very solid starter kit from Amazon, which makes for a good beginner iron. Before buying a more expensive iron, use this iron to learn proper care and maintenance.

* KSGER T12 Soldering Station

Two other solid options for a beginner iron (at a slightly higher price point) are the Hakko FX888D and Weller WE1010NA. The WE1010NA is the successor to the venerable Weller WES51, which has since been discontinued.

For a portable option, the TS-100 or TS-101 is an excellent choice. These are great for travel, have interchangeable tips and are relatively low cost.

High Cost

For high-end soldering or jobs that require you to solder to smaller components, such as 0402 components, a JBC CDS station with intelligent heat management and sleep/hibernation modes can't be beaten. This is the station that I have used for quite a while now, and it has been highly reliable and easy to maintain. With this station, you can also get tweezer tips for SMD components, making these jobs much more manageable. It can also be connected to other JBC accessories, such as a fume extractor and other JBC handles.

* JBC CDS Soldering Station
* Additional Tips / Cartridges

If you have the funds to spare, the JBC DDPE 2-Tool station is great because it lets you have multiple tools active simultaneously. This station comes with micro tweezers and a T210 precision handle, which is compatible with a wide variety of cartridges.

* JBC DDPE 2-Tool Station

Hot Air Stations / Hot Plates

Hot air stations and hot plates can both be used when doing SMD rework. Hot plates work as you might expect: they require surface-to-surface contact in order to heat the target device, allowing for either solder paste or a traditional iron to be used to bond the solder to the contact pads.
These of course have some disadvantages: if you are working with a system that has plastic connectors or housings, or a two-sided PCB with components on each side, you will not be able to effectively use a hot plate without risking damage to the target. Hot plates can be used in conjunction with a hot air gun in order to "preheat" your target, making component removal easier.

Low Cost

Introductory hot plates are relatively low cost. The Soiiw Microcomputer Soldering Preheating station is a great place to start, as it has built-in temperature control and display (helpful for letting others in the lab know that the plate is on!).

If you are going for a lower-cost hot air rework station, there are plenty on Amazon. I have used the YIHUA 959D and have had no issues with it. Others have recommended the QUICK 957D Rework Station, which also has excellent reviews!

High Cost

You will need a hot air station for BGA rework or other package removal. Like a standard soldering station, these can vary in price/quality. A higher-end hot air rework station will allow for precise temperature and airflow control; they will also have a wider variety of hose attachments, allowing for the removal/replacement of smaller components. When working with standard embedded systems, the JBC TESE is an excellent rework station that has multiple suction tips and hose sizes included:

* JBC TESE

Of course, if you are looking to do a lot of SMD rework and reflow on PCBs, you may want to consider the SRS System SMD Rework station. This kit includes an arm, allowing for hands-free operation, as well as a preheater. A preheater is a device used to (as you might have guessed) pre-heat the PCB from below, allowing things to be soldered more easily.

The full table of all of the recommended kits can be seen below:

| Item | Price | Link | Description |
| --- | --- | --- | --- |
| TS-100 | $54.99 | Link | Low cost, portable soldering iron |
| Soiiw Microcomputer Soldering Preheating station | $67.99 | Link | Low cost pre-heating set up for BGA rework |
| KSGER T12 Soldering Station | $69.99 | Link | Introductory soldering iron with interchangeable tips |
| Sparkfun 8508D Hot-Air Rework Station | $99.95 | Link | Low-cost hot air rework station |
| QUICK 957D Rework Station | $125.00 | Link | Low-cost hot air rework station |
| JBC CDS Soldering Station | $595 | Link | Mid range JBC soldering station |
| JBC DDPE 2-Tool Station | $1700 | Link | JBC station that allows for multiple tools active and includes micro-tweezers and a T210 precision handle |
| JBC TESE | $2,690 | Link | High end hot air rework station with multiple suction adapters |
| SRS System SMD Rework Station | $5,750 | Link | Full SMD rework station, including a maneuverable arm and preheater |

Soldering: Practice Kits

These kits are a great way to get comfortable soldering smaller devices and components. One thing I like to recommend is to solder, desolder, and then solder again. This will give you practice with removing parts and adding them!

| Item | Price | Link |
| --- | --- | --- |
| Soldering Practice Kit | $9 | Link |
| Soldering Practice Kit 2 | $9 | Link |

Soldering Accessories

| Item | Price | Link | Description |
| --- | --- | --- | --- |
| KOTTO Fume Extractor | $39.99 | Link | Used to extract solder fumes, relatively portable for travel soldering |
| Desoldering Braid | $9.99 | Link | Used to remove solder from a target, helpful when cleaning up QFP packages |
| Tip Tinner | $8.00 | Link | Used to re-tin oxidized soldering iron tips, crucial for maintaining a working tip |
| Magnet Wire | $7.99 | Link | Tiny wire, used for connecting to cut traces or small vias on PCBs |
| 30 AWG Wire Wrap Wire | $11.99 | Link | Small AWG wires, convenient for soldering to small pads, etc. |
| Kapton Tape | $11.98 | Link | Heat resistant tape, helpful for protecting other components when doing hot air rework |
| ChipQuik SMD 291 Flux | $15.95 | Link | Flux removes oxides and enhances solder flow, increasing the reliability of solder joints |
| Engineer Solder Suction Device | $18.97 | Link | Used to remove solder |

Bonus: Learning to Solder

Below are some YouTube videos to help you learn how to solder if you've never attempted it.

* Soldering Crash Course: Basic Techniques
* SMD Soldering Tutorial
* BGA Reflowing for Absolute Beginners

Hackaday has a great article here about SMD rework and reballing.

Multimeters

Regardless of the types of components and targets that you're working on, you will need a multimeter. This is what you will use for your initial survey of your device for things such as measuring voltage, resistance, current and checking for continuity. When choosing a multimeter, make sure that you review the available voltage and current ranges and that they match the ranges of your expected targets. Some multimeters will also have an "auto-range" feature, which will attempt to automatically select the appropriate range for measuring voltage/current/resistance, etc. This feature can be helpful when measuring unknown voltages; it will save you a few button presses when measuring points on a target.

The two multimeters listed below are the ones that I keep in my toolbox. I have also included different probe sets, allowing smaller pads/pins to be measured.

| Item | Price | Link |
| --- | --- | --- |
| Micsoa Multimeter Test Leads Kit | $20.99 | Link |
| Crenova MS8233D | $29.99 | Link |
| Fluke High Precision Probes | $94.99 | Link |
| Fluke 115 | $220 | Link |

If you've never used a multimeter before, Sparkfun has a great tutorial here that can help get you up to speed and measuring in no time!

Microscopes/Magnification

When tearing down a target for the first time, you first want to locate and document all of the part numbers.
Part numbers and PCB markings can sometimes be challenging to see with the naked eye, so having a cheap benchtop microscope or handheld loupe is never a bad idea. These will also come in handy when removing or modifying small components. Handheld loupes are great for quick identification of components.

| Item | Price | Link | Description |
| --- | --- | --- | --- |
| Handheld Jewellers Loupes | $15.00 | Link | Small handheld jewellers loupes, various magnification, useful for part identification |
| Plugable USB Microscope | $37.74 | Link | Small USB compatible microscope, useful for some soldering and part identification, compatible with most desktop operating systems (in my experience) |
| AMScope USB Microscope | $78.99 | Link | Small USB compatible microscope, useful for some soldering and part identification |
| MisVision Trinocular Microscope | $78.99 | Link | Benchtop microscope 7-45x zoom, check out the review here |
| Aven Desktop Microscope | $697.91 | Link | 8-25x microscope with a built-in screen, helpful for soldering to small packages and doing BGA rework |
| MANTIS Series MCH-001 Microscope | $1,310.00 | Link | High-powered microscope with interchangeable lenses, mounting arm, and lenses are sold separately |

Oscilloscopes

While multimeters help us measure various signals on our target device, an oscilloscope can help us capture and visualize these measurements. When selecting a scope, you need to consider what the use case will be. Will you be doing differential power analysis or power trace captures? Or are you more interested in capturing other types of analog waveforms over a longer period?

The main variables to look at when selecting an oscilloscope are:

* Channel Count - How many channels can you capture on
* Memory Depth - This is how long you can capture for
* Sample Rate - How fast the analog signal is sampled
* Bandwidth - Maximum frequency of an input signal that can be passed through the analog front end (probe)

Without enough bandwidth, you will capture what appears to be a distorted signal, and with too slow of a sample rate, you risk data loss. Remember: according to the Nyquist sampling theorem, the sampling rate should be at least 2x the frequency of your target signal!

An excellent introductory scope can be purchased for ~$500; all big manufacturers offer something in this range. For example, the SIGLENT SDS1104 is an excellent starting scope with a bandwidth of 100MHz and a sample rate of 1GSa/s. I've listed a few options below, ranging in price from lowest to highest, and included a few tables from some of the manufacturers' websites as well:

| Item | Price | Link | Description |
| --- | --- | --- | --- |
| Siglent SDS1104X | $399.00 | Link | Great starter scope, easy to use, SCPI compatible |
| Rigol MSO5354 | $1,999 | Link | High-bandwidth and sample rate, less memory than the SDS2000X series, 16 digital channels for internal logic analyzer |
| SDS2000X | $2,999 | Link | High bandwidth, 2GSa/s sampling rate, large memory depth, HDMI out, SCPI compatible |
| SDS6204A | $60,000+ | Link | Extremely high capture rate and bandwidth, decoders and other features can bring the price to $100k easily |

Note: Many modern oscilloscopes can be upgraded via software. For example, many will have built-in logic analyzers and signal decoders. These will come at an extra cost; decoders are typically $100-$400, depending on the protocol, and other software upgrades can be purchased to unlock things like faster sample rates and increased bandwidth, etc. It's easy for a 2k-4k oscilloscope purchase to turn into a 10k purchase once all the upgrades and add-ons have been included.

Example Specifications: Rigol

Below are some specifications from the RIGOL MSO5000 line:

[Image]

The MSO5354 is an excellent deal for this line, especially considering the 350MHz bandwidth and the 8GSa/s sampling rate. I have this in my lab and use it regularly.

Example Specifications: Siglent

Here is a similar specification table from the SIGLENT SDS2000 line:

[Image]

The Siglent and the Rigol have great options for the prices listed above. Make sure that you pick an appropriate scope per the types of targets you anticipate analyzing.

Logic Analyzers

Let's say you identified a fluctuating voltage sequence with your multimeter and decided to look at the signal with your oscilloscope. After viewing the signal with the oscilloscope, you saw sequences of high and low pulses that look something like this:

[Image]

We will need a Logic Analyzer to make more sense of this signal capture. Logic analyzers are used when analyzing digital signals; they can take sequences of high and low voltages and translate them into a stream of logical 1s and 0s. This stream of 1s and 0s can then be analyzed and decoded via software to display packet structures and more user-friendly data to the user. When choosing a logic analyzer, we need to consider the following:

* Channel Count - How many channels can be analyzed at once?
* Sampling Rate - How quickly can we sample data?
* Hardware Sampling Depth / Memory Depth - How long can we sample?
* Threshold Voltages - What voltage ranges are compatible with this device?

When analyzing standard COTS devices that utilize SPI, eMMC, etc., the Kingst and DSLogic series logic analyzers will work 90% of the time.

The Saleae has a well-polished software interface, including APIs for writing decoders and instrumenting captures. The analog capture features of the Saleae are also beneficial when debugging lower-level issues. Despite being the most expensive analyzers listed here, they are worth purchasing if your budget allows it.
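
The thresholding and decoding steps described above, as an added example that is not part of the original guide or of any analyzer's software: it turns voltage samples into 1s and 0s, decodes 8N1 UART from them, and shows how a sample rate that is too low or a threshold set for the wrong logic level breaks the decode. The function names, the 115200 baud rate and the sample traffic are assumptions constructed for illustration.

```python
# Added example: what a logic analyzer plus a UART decoder do in software.
# All inputs are constructed; the function names are hypothetical.

BOOT_LINE = b"U-Boot console\r\n"  # constructed sample traffic


def synth_uart(data, baud, sample_rate, v_high=3.3, idle_bits=4):
    """Build constructed voltage samples for idle-high 8N1 UART frames."""
    line = [1] * idle_bits
    for byte in data:
        line.append(0)                                  # start bit
        line.extend((byte >> n) & 1 for n in range(8))  # data bits, LSB first
        line.append(1)                                  # stop bit
    line.extend([1] * idle_bits)
    total = int(len(line) * sample_rate / baud)
    volts = []
    for i in range(total):
        level = line[min(i * baud // sample_rate, len(line) - 1)]
        ripple = 0.15 * ((i % 3) - 1)  # deterministic stand-in for analog noise
        volts.append(level * v_high + ripple)
    return volts


def to_logic(volts, threshold):
    """The logic analyzer step: every sample becomes a single 0 or 1."""
    return [1 if v >= threshold else 0 for v in volts]


def decode_uart(bits, baud, sample_rate):
    """Decode 8N1 frames by reading each bit at its center after a start edge."""
    spb = sample_rate / baud  # samples per bit
    out, framing_errors = bytearray(), 0
    i = 1
    while i < len(bits):
        if not (bits[i - 1] == 1 and bits[i] == 0):  # wait for idle -> start edge
            i += 1
            continue
        centers = [int(i + (k + 0.5) * spb) for k in range(10)]
        if centers[-1] >= len(bits):
            break  # capture ended in the middle of a frame
        frame = [bits[c] for c in centers]
        if frame[0] == 0 and frame[9] == 1:  # valid start and stop bits
            out.append(sum(bit << n for n, bit in enumerate(frame[1:9])))
            i = centers[-1] + 1  # resume the search inside the stop bit
        else:
            framing_errors += 1
            i += 1
    return bytes(out), framing_errors


def capture_and_decode(data, baud, sample_rate, v_high, threshold):
    """Synthesize a capture, threshold it, and decode it."""
    volts = synth_uart(data, baud, sample_rate, v_high)
    return decode_uart(to_logic(volts, threshold), baud, sample_rate)


if __name__ == "__main__":
    cases = [
        ("1 MSa/s, 3.3V logic, 1.65V threshold", 1_000_000, 3.3, 1.65),
        ("57.6 kSa/s (half the baud rate)", 57_600, 3.3, 1.65),
        ("1.8V logic with a 2.0V threshold", 1_000_000, 1.8, 2.0),
        ("1.8V logic with a 0.9V threshold", 1_000_000, 1.8, 0.9),
    ]
    for label, rate, v_high, threshold in cases:
        decoded, errors = capture_and_decode(BOOT_LINE, 115200, rate, v_high, threshold)
        print(f"{label}: {decoded!r}, framing errors: {errors}")
```

The second case samples slower than the bit rate, so whole bits fall between samples; the third never sees a logical 1 because the 1.8V signal stays under the 2.0V threshold.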

| Item | Price | Link | Description |
| --- | --- | --- | --- |
| LA 1010 | $69.99 | Link | The Kingst LA series are suitable introductory logic analyzers, they are pulseview compatible and can also use the Kingst proprietary software |
| DSLogic | $149.00 | Link | DSLogic is a series of USB-based logic analyzer, with max sample rate up to 1GHz, and max sample depth up to 16G. It uses an open-source fork of Pulseview |
| Analog Discovery 2 | $229.00 | Link | Multi-function USB Oscilloscope, Logic analyzer, signal generator and power supply |
| Saleae Logic 16 | $1500 | Link | Logic analyzer with variable logic levels, analog capture capability, and highly user-friendly software |

Oscilloscope Vs. Logic Analyzers

Another common question that often comes up as we review the tools in class is: "What is an oscilloscope used for, and what is a logic analyzer used for? Don't they both measure signals?"

While the short answer is yes, they both measure electronic signals and visualize them for human consumption, there are a few key differences.

1. Oscilloscopes are useful for analyzing analog waveforms, that is, data that is steadily changing over time
2. Logic analyzers are used to analyze digital signals and convert high/low voltage pulses into a sequence of 0s and 1s that we can attempt to interpret.

So, how do we choose what tool to use? For example, let's say we are measuring a voltage source on a particular target we are trying to glitch. If we want to monitor the fluctuations of the voltage line, we should use an oscilloscope. The oscilloscope will let us observe the voltage over time, allowing us to see the small period where the voltage drops to a low value and then returns to normal. See the image below, where the purple line represents the voltage line being glitched:

[Image: Glitch!]

We can also use oscilloscopes to characterize and capture power traces.
For example, see the following power trace that was captured from the Trezor (purple line):

[Image: Power Trace]

In the previous two examples, we measured a signal oscillating between a range of values and not just HIGH or LOW. There are fluctuations, rising and falling sequences, and other interesting patterns that we could not catch with our logic analyzer, as the logic analyzer looks for either a high or low voltage and reports the results back to the user as a digital signal.

For an example of when we might use a logic analyzer, let's revisit the oscilloscope capture from before:

[Image]

Notice that there are not nearly as many strange shapes or fluctuations in this signal; the line either appears at a high or low voltage at any given time. While some oscilloscopes can decode digital signals like this, they often are limited by how much memory they can use for a capture. So that means that if you're trying to capture UART traffic on a Linux system that takes 60 seconds to boot, you would need a large amount of memory / a costly scope. Also, if you wanted to extract the data from the stream or try to decode it using custom plugins, getting access to the digital signal is a headache (Note: it is possible, but logic analyzers greatly simplify this process for us).

This is a perfect use case for our logic analyzer if we want to extract the data being encoded in this digital signal. The logic analyzer can sample for much longer because it samples a signal, reports whether the sample is high or low, and does not report back the exact values in between. Note that what defines high or low can often be configured within your logic analyzer software, but the analyzer will still report back either a 0 or 1. Because the logic analyzer is not concerned with all the values in between, it requires significantly less memory to capture over long periods.

To illustrate this, let's revisit the older blog post we published last year.
The following video shows that the voltage levels fluctuate around 3.3V and eventually return to idle at 3.3V.

[Gif]

If we were to capture this signal with an oscilloscope, it would look very similar to the screenshot we referenced earlier. However, there is one problem - this system takes about 90 seconds to boot, and ideally, we want to capture all of the traffic in a way that allows us to analyze it. This is where our logic analyzer will come in handy. After connecting our logic analyzer to the signals referenced in the blog post, our logic analyzer software (Pulseview) captures the following:

[Image: UART]

With this traffic captured, we can set up a decoder to get human-readable values out of this signal, as shown below:

[Image]

Now, we can export this data to a text or binary file for further analysis.

So, in summary - when we want to capture digital signal traffic such as SPI, UART, I2C, JTAG, etc, we use a logic analyzer. If we want to analyze the shape of the waveform or we are investigating an analog signal such as a power source or audio signal, we use an oscilloscope.

Clips / Jumpers / Probes

Sometimes, we have to connect to specific pads or pins to analyze the signal on our target device, but that does not always require soldering and removing components. Probing test pads and reading flash chips in-circuit can significantly reduce the debugging/analysis time when performing firmware patches or testing PoCs. Below are some helpful items that I use when soldering/connecting to new targets. The PCBite kit is handy as the fine-tip probes will often save you from needing to solder to test pads when performing initial analysis.

| Item | Price | Link | Description |
| --- | --- | --- | --- |
| Premium Silicone Jumper Wires | $11.95 | Link | Used to make breadboard connections, etc |
| Pomona SOIC8 Clip | $18.19 | Link | Used to clip onto SOIC8 packages |
| Pomona SMD Grabber Pin | $21.79 | Link | Useful for grabbing individual pins of small packages such as QFP microcontrollers, etc. |
| KOTTO Helping Hands | $23.99 | Link | Useful when soldering to smaller devices |
| XKM-S EX Hook Pin Grabbers | $30.06 | Link | Helpful for grabbing pins of SOIC8 chips and other packages with wide footprints |
| PCBite Kit | $190 | Link | Handy magnetic probe kit with PCB holders and pogo pins |

Power Supplies

When picking a power supply, you need to consider the power requirements of your targets. Be sure to review the voltage and current limitations and choose an appropriate supply based on the targets you will analyze. Some power supplies have options like Over-Current Protection (OCP), which is a feature that prevents a power supply from providing more current than it can handle. Some power supplies will also include a Remote Sense feature that is used to regulate the output voltage at the target load. This compensates for the voltage drop across the cables connecting the power supply to the target load.

| Item | Price | Link | Usage |
| --- | --- | --- | --- |
| KC3010D | $49.99 | Link | Low cost introductory power supply |
| Hyelec 30V 5A Switching DC Bench Power Supply | $56.99 | Link | Adjustable power supply with output enable line |
| RD6006 | $85.00 | Link | Low-cost front end for power supply, can be used with an old ATX supply or other DC barrel jack power supplies |
| Siglent SPD1168X | $265.00 | Link | Power supply with programmable output and voltage sensing, also SCPI interface |
| Rigol DP832 | $399.00 | Link | Three channel power supply (30V/3A, 30V/3A, 5V/3A) |
| Keysight E36233A 400W Dual Output Supply | $3,569 | Link | High wattage dual output supply, 30V/20A/400W, SCPI interface |
| BK Precision 9140 32V / 8A / 300W Triple-output Bench Power Supply | $1,940 | Link | High current, high power, Ethernet/LXI interface, three outputs, compact |

JTAG / Debug Adapters

Perhaps during your teardown, you discovered a set of test points or debug headers that you believe might be for hardware-level debugging, such as JTAG or SWD. If you're trying to get hardware-level debugging working on a target, it is always a good idea to see what OEM tools are available.
I've compiled a list below of some of the more generic tools I keep in my toolbox. Most of these are ARM-focused, as much of the JTAG tooling for other architectures will often involve purchasing specific hardware/software or utilizing OpenOCD.

| Item | Price | Link | Usage |
| --- | --- | --- | --- |
| FT2232H Breakout Board | $14.95 | Link | Generic interface board, capable of SPI, I2C, UART, etc |
| STLink | $22.16 | Link | Easy to work with, largely focused on STM32, but can be used as a generic SWD adapter with OpenOCD |
| Tigard | $49.00 | Link | Open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking. |
| Black Magic Probe | $74.95 | Link | Open source JTAG probe, can be used with OpenOCD |
| JLink | $529.12 | Link | Extremely sound software support, supports a large amount of ARM chips, has built-in level shifting |
| Lauterbach | TBD | Link | Extremely powerful JTAG tooling that can be purchased with licenses targeting specific architectures/chipsets |

When attempting to utilize a hardware debug mechanism (especially from a black box perspective), there is no "one size fits all" tool. Whether you are accessing a JTAG TAP or an SWD peripheral, there are two hurdles that you need to overcome:

1. Can your hardware communicate with the TAP/DAP?
   1. Logic levels, appropriate speeds, timings, etc
2. Can your software properly enumerate and interact with the TAP/DAP?
   1. OpenOCD, UrJTAG, OEM Tools, etc

Having the right tools for the job is critical when looking at a new hardware-level debug peripheral. Make sure that you search for OEM software/hardware and always check the latest OpenOCD commits for similar targets.

Flash Readers

So, you have done your initial teardown and identified a non-volatile storage device from which you want to extract some data. Perhaps there is a SPI flash chip or a TSOP 48 parallel flash that you want to extract data from. Many flash readers are available; below is a list of what I have in my lab.
The Xeltek is somewhat expensive (it is currently on sale for $995.00), and the individual sockets for different chip packages range from $400-$700, so the cost adds up quickly. However, with that cost comes support from Xeltek and fairly reliable tooling. Assuming you are comfortable with BGA rework and re-balling ICs, this may be the right choice for you and your team.

| Item | Price | Link | Usage |
| --- | --- | --- | --- |
| Transcend SD Card Reader | $10.99 | Link | Good for in-circuit eMMC reads, device supports low speeds and 1-bit eMMC modes |
| CH341A USB Programmer | $13.99 | Link | Generic SPI flash programmer, compatible with flashrom |
| FT2232H Breakout Board | $26.99 | Link | Generic breakout board, can be used with flashrom, openocd, etc. |
| FlashCAT USB Programmer | $99.00 | Link | Parallel flash extraction, TSOP48/56 |
| XGecu T56 | $199.00 | Link | All-purpose flash extraction, SPI, eMMC, NAND, etc |
| Easy JTAG | $399.00 | Link | All-purpose flash extraction, one of the few readers on the market to support UFS extraction |
| Xeltek Superpro | $995.00 | Link | Enterprise flash programmer, high quality, sockets for different chips can be pretty expensive |
| Dataman 48Pro2 Super Fast Universal ISP Programmer | $1,195.00 | Link | Industrial programming tool, expensive, but does consistently work on the supported ICs |

In my experience, no flash readout tool works on everything. Some tools are better at certain flash types than others. Having a few options in your hardware hacking toolbox is always a good idea if your preferred tool does not support your target device. If I had to pick two devices from the list above, I would choose the FlashCAT and the XGecu T56; you will have a wide range of target chip coverage between those two.

SBCs / Interface Tools

Having a few generic embedded interface tools in your toolkit is always a good idea.
I am a big fan of using embedded Linux SBCs due to their flexibility and the fact that you have an entire OS at your disposal, which can open up opportunities to use your favorite programming language to interact with the standard peripherals. One of the most common Linux-based SBCs, the Raspberry Pi, has been difficult to acquire over the last few years. Luckily, the Armbian project supports other boards, such as the Orange Pi Zero 2 and the Orange Pi 4 LTS.

You may not always require a fully featured OS; sometimes you just need a tool that can talk to peripherals. In this case, having FT2232H-based boards, such as the generic breakouts and things like the Tigard, will also come in handy.

While the FT2232H is a well known, classic interface IC, the RP2040 is quickly gaining popularity due to its ease of use and availability. The Buspirate, a classic embedded Swiss army knife, recently released a new version powered by the RP2040. (Note that the link below is for just the PCB and not for the entire product.)

| Item | Price | Link | Usage |
| --- | --- | --- | --- |
| FT2232H Breakout Board | $14.95 | Link | Generic interface board, capable of SPI, I2C, UART, etc |
| Arduino Nano | $24.90 | Link | Generic board for learning embedded programming and protocols |
| BusPirate (PCB Only) | $27.85 | Link | Universal Open Source Hacking Tool |
| Orange Pi Zero 2 | $35.99 | Link | Low power general purpose Linux SBC, supported by Armbian |
| Tigard | $49.00 | Link | Open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking. |
| Orange Pi 4 LTS | $77.90 | Link | Linux based SBC, supported by Armbian |

Fault Injection

Fault injection (FI) involves introducing an error/modification minor enough to cause undefined behavior on a target but not enough to stop the target from operating entirely. This typically involves injecting a high-voltage pulse or temporarily draining the voltage from a targeted power source or "rail" on the target system.
By causing momentary voltage modulations (either above or below the expected voltage), we can force our target system to enter a realm of undefined behavior. An adequately targeted fault can bypass various security checks or other features that may impede an attacker or reverse engineer. When it comes to FI, I think that Furrtek explained it best here:

[Image]

Regarding FI, anything capable of pulling a voltage line low or injecting a clock pulse can work. However, depending on your target and attack, you might need advanced timing or protocol triggering, where tools such as the ChipWhisperer become very handy.

When learning the fundamentals of fault injection, you cannot go wrong with an introductory ChipWhisperer kit. Their materials and example targets explain the principles behind fault injection and provide a tested, repeatable learning environment. I can't recommend their materials highly enough.

If the ChipWhisperer tools are too expensive for your budget, however, there are other tools that folks have used in the past. I have included the tools in the table below and provided some example blog posts that utilize them to help get you started. We have also published a blog post here as an introduction to FI.
Item                  Price      Link   Projects / Blog Posts
RP2040                $4.00      Link   Pico Glitcher, PicoRHG - Xbox 360 Glitch, AirTag Voltage Glitching
PocketBeagle          $35.63     Link   The PocketGlitcher,
ICEStick ICE40 FPGA   $49.00     Link   Grazfather's LPC Glitch, IceStick Glitcher
ChipShouter PicoEMP   $60.00     Link   EMFI Made easy with PicoEMP
ChipWhisperer Lite    $315.00    Link   Replicant: Reproducing a FI Attack on the Trezor One
ChipWhisperer Husky   $549.00    Link   RL78 Glitching (done by Colin O'Flynn)
ChipShouter Kit       $4125.00   Link   EMFI for Automotive Safety with ChipShouter

There are also plenty of great talks that you can find online about fault injection; I've listed some of my favorites below:

* Chip.fail
* Glitched on Earth by Humans
* One Glitch to Rule Them All: Fault Injection Attacks against AMD's Secure Processor
* NCC Group - An Introduction to Fault Injection

Radio Frequency Tooling and Instrumentation

In the realm of security testing, these tools play a crucial role in assessing and safeguarding the integrity of wireless communication systems and devices. High-cost options provide powerful capabilities for in-depth analysis of various RF signals, allowing security professionals to identify vulnerabilities, intercept and decode wireless transmissions, and assess the robustness of communication protocols. These tools are often employed in academic and research settings for advanced RF security research. On the other hand, low-cost options are accessible solutions that aid in testing and securing more common wireless technologies, including RFID, Bluetooth, Wi-Fi, and various ISM band devices.

High-Cost Options

Item                                        Price (Approximate)   Link             Description
HackRF One                                  $300 - $350           Buy HackRF One   A versatile SDR platform for analyzing and testing a wide range of radio signals.
Proxmark3                                   $250 - $300           Buy Proxmark3    A dedicated RFID/NFC testing and hacking tool, allowing reading, emulating, and modifying RFID/NFC cards.
LimeSDR                                     $250 - $350           Buy LimeSDR      A flexible SDR platform suitable for RF security research and testing.
USRP (Universal Software Radio Peripheral)  $1,000+               Buy USRP         High-end SDR platforms for advanced RF research and security testing in academic and research settings.

Low-Cost Options

Item              Price (Approximate)   Link to Buy           Description
Flipper Zero      $150 - $200           Buy Flipper Zero      A multifunctional security testing and hacking tool with RF capabilities, including RFID and NFC testing.
YARD Stick One    $100 - $150           Buy YARD Stick One    A wireless transceiver for sub-1 GHz testing and attacks on ISM band devices and other low-frequency signals.
Ubertooth One     $100 - $150           Buy Ubertooth One     Designed for Bluetooth security testing, particularly capturing BLE packets for security assessments.
RTL-SDR           $20 - $30             Buy RTL-SDR           An affordable and versatile SDR dongle for exploring and analyzing a wide range of RF signals.
Wi-Fi Pineapple   $100 - $200           Buy Wi-Fi Pineapple   Used for Wi-Fi security assessments and creating rogue Wi-Fi access points, often used alongside RF devices.
PortaPack H1      $100 - $150           Buy PortaPack H1      An add-on for the HackRF One that provides a more user-friendly interface for HackRF interactions in the field.

Other Helpful Tools

* Overhead lighting
* Helping hands
* Generic Teardown Tools (Ifixit)
  + Kit 1
  + Kit 2
* Mini Electric Drill
* Silicone Mat
* Generic Wire Strippers / Pliers

Conclusion

This write-up covered some of the tools required to build your first hardware hacking toolkit. This by no means is an exhaustive list, and I'm sure there are plenty of alternatives to the devices I've listed here. Also, it should be noted that you don't need all of these tools to start hacking on hardware. Sometimes it makes more sense to buy what you need for a given project and save money for nicer equipment later on. I hope this guide was helpful; I plan to revisit this writeup regularly to update it with new tools.
If you think a tool should be added to this guide, feel free to reach out by email at contact@voidstarsec.com or on Twitter. A list of just the components discussed here can be found on this GitHub repository, and all pull requests are welcome!

If you are interested in learning more about hardware-level reverse engineering, check out our training course or reach out to us for any consulting needs. If you want to get notified when a new blog post, course, or tool is released, consider signing up for the mailing list. I only send emails when there are actual posts or course updates. Lastly, you can follow me on Twitter for various updates on side projects and classes.

This project is maintained by voidstarsec