Course Overview

This course teaches students how to identify, instrument, and utilize hardware-level debuggers. Focusing on JTAG (Joint Test Action Group) and SWD (Serial Wire Debug), students will first learn to use these interfaces on an exemplar target and then test their abilities on a commercial-off-the-shelf (COTS) target.

The purchase of this course includes all of the hardware required to complete the course materials. 

Students will learn how to interact with these interfaces at the signal level and develop high-level tools through labs and exercises. After writing tools to instrument the target, students will utilize tools such as UrJTAG and OpenOCD to gain access to the target systems. 


After participating in this course, students will:


  • Identify and interface with a JTAG test access port
  • Manually instrument and navigate JTAG scan chains
  • Develop OpenOCD config files for high-level JTAG access
  • Utilize JTAG to extract RAM from a target device and modify its behavior
  • Understand how the SWD protocol is implemented
  • Use SWD to read and write memory manually 
  • Extract and modify flash memory via SWD using OpenOCD
  • List processes and modify running processes via JTAG


Students will utilize open source tooling and develop their own tools to interface with the targets included in the kit. All exercises and laboratories are performed using open source tooling on a Linux-based SBC. The targets in the kit include a development board (for learning purposes) and a COTS target for each interface being targeted.

Course curriculum

    1. Welcome! Course Information and Overview

    2. Connecting to your PiFex

    1. Introductory Information: Please Read!

    2. Hardware RE 101: An Overview

    3. Electronics 101

    4. Printed Circuit Board Reverse Engineering

    5. Hardware RE: Component Identification

    6. Hardware RE: Component Identification - PDF Version

    1. JTAG 1: Introduction and Target Overview

    2. JTAG 2: Hardware Teardown and State Machine Overview

    3. JTAG 3: State Machine Recap

    4. JTAG 4: Daisy Chaining and Available Tools

    5. JTAG 5: Reverse Engineering JTAG Headers

    6. JTAG 6: Register Length and VCC Detection

    7. JTAG Lab 1: Connecting to the Debug Header

    8. JTAG Lab 2: IDCODE and BYPASS Scans

    9. JTAG Lab 3: Open Source Recon

    10. JTAG Lab 4: Datasheet Review

    11. JTAG Lab 4.5: Datasheet Review

    12. JTAG Lab: Datasheet Review Answers

    13. JTAG Lab: UrJTAG

    14. JTAG Lab: UrJTAG IDCODE Extraction

    15. JTAG Lab: UrJTAG Memory Reads

    16. JTAG Lab: OpenOCD Configuration

    17. JTAG Lab: OpenOCD Configuration Part 2

    18. JTAG Lab: OpenOCD Memory Reads

    19. JTAG Lab: GDB Memory Reads

    20. JTAG Lab: GDB Breakpoints

    21. JTAG Part 1 Conclusion

    1. APMA Part 1: Introduction and Overview

    2. APMA: JTAG Wiring

    3. APMA: OpenOCD Configuration

    4. APMA: Patching Binaries

    5. APMA: Process Listing

    6. APMA: Escalating Privileges

    1. SWD: Target Analysis and Overview

    2. SWD: Voltage Measurements and SWD Overview

    3. SWD: DAPs, DPs and APs

    4. SWD: Packet Structure / Read and Write Operations

    5. SWD: Packet Structure Part 2

    6. SWD: Debug Header Review and Reverse Engineering

    7. SWD: Wiring Part 1

    8. SWD: Wiring Part 2

    9. SWD: OpenOCD Config Part 1

    10. SWD: OpenOCD Config Part 2 and DAP Review

    11. SWD: Identifying an Unknown MCU

    12. SWD: Flash Extraction

    13. SWD: Firmware Patching and Review

    14. SWD: Patching and Reflashing the Firmware

    15. SWD: Troubleshooting / Reflashing

    16. SWD: GDB and Breakpoints

    17. SWD: DFU Mode

    18. SWD: Reading and Writing Flash via DFU

    19. SWD: Conclusion

About this course

  • $2,000.00
  • 54 lessons
  • 6 hours of video content

Included Hardware

Purchase of this course includes:

Hardware kit containing all required materials 

  • PiFex Kit
    • Raspberry Pi Pre-configured with course materials
    • PiFex Interface module and breakout board
    • Power supply and USB C cables
  • JTAG Target(s)
    • SSD
    • BeagleBone Black
  • SWD Targets
    • Xbox One Controller
  • Logic Analyzer
  • Multimeter
  • Jumper wires, breadboard, carrying case
  • 3-month access to the online course materials
  • Access to weekly office hours for live Q&A

Instructor(s)

Matthew Alt

VSS was founded in 2020 by Matthew Alt. Matthew began his reverse engineering career in the aftermarket automotive industry, searching for vulnerabilities in engine control units' diagnostic protocol implementations. Next, he worked at MIT Lincoln Laboratory, where he led a team focused on embedded systems analysis. While at MIT, Matthew was awarded the Outstanding Contributor Award for his technical contributions. You can find other examples of his work and teaching style on his personal blog, the VSS research blog, and through the free Ghidra course he authored at Hackaday.