Commit 92310eb9 authored by Chipp Jansen's avatar Chipp Jansen Committed by node
Browse files

Update on Overleaf.

parent 0231d26e
......@@ -41,13 +41,11 @@ For the hardware hacking portion of the workshops (Section \ref{sec:hardware-hac
\item NEOS V2 SmartCam (the device we will hack)
\item Small Philips screw-driver with a long neck (Figure \ref{fig:screwdriver})
\item A \textit{spudger} (preferably metal) or a butter knife. (Figure \ref{fig:spudger})
\item 3 Solder-less test-point connectors (small plastic bits)
\item 3 Solder-less test-point connectors (Figure \ref{fig:solderless})
\item (\textit{optional}) Tweezers to help position the test-point connectors onto the circuit board.
\item (\textit{optional}) Magnifying glass to help read the circuit board markings
\end{itemize}
For connecting to and re-programming the device (Section \ref{sec:rooting-device}), you will need either:
%
% Tools
% - Screw-driver
\begin{figure}[h!]
\centering
......@@ -55,7 +53,7 @@ For connecting to and re-programming the device (Section \ref{sec:rooting-device
\caption{Screwdriver with long shaft, Philips size 0 works, although other sizes work as well.}
\label{fig:screwdriver}
\end{figure}
%
% - Spudger
\begin{figure}[h!]
\centering
......@@ -64,11 +62,33 @@ For connecting to and re-programming the device (Section \ref{sec:rooting-device
\label{fig:spudger}
\end{figure}
% - Solderless test points
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/solderless}
\caption{Solder-less test points used to ease connecting clamps to through-hole solder pads on printed circuit boards}
\label{fig:solderless}
\end{figure}
For connecting to and re-programming the device (Section \ref{sec:rooting-device}), you will need:
\begin{itemize}
\item 512 MB SD-CARD for loading the firmware onto the NEOS (see below).
% TODO - Image of the Test Lead clips
\item 3 test lead wires with clips
\item Raspberry Pi Single Board Computer (RPI 3 or RPI 4)
\item SD-CARD (at least 8GB) with Debian OS for the RPI
\item USB to SD-CARD adaptor for the RPI to program the NEOS SD-CARD.
\item Mouse, keyboard and monitor peripherals
\end{itemize}
A note about the SD-CARD for the NEOS SmartCamera. The device is sensitive to having a SD-CARD of 512MB in size (very small!). Instead of having an old and small SD-CARD, one can create a 512MB partition on a larger SD-CARD, but the camera will only be able to access this small partition.
As an alternative to using the Raspberry PI, you can use a laptop with a USB to TTL Serial cable, also known as a Serial Console cable \footnote{\url{https://www.adafruit.com/product/954}}.
\section*{Day 1}
\section{Hardware Hacking} \ref{sec:hardware-hacking}
\section{Hardware Hacking} \label{sec:hardware-hacking}
\subsection{Good devices to Hack}
Early IoT devices have the worst security. Also, lesser-known or ``generic'' brand of devices might not have the incentive or motivation to instill good security. For example, for Apple or Amazon, having an insecure device makes headlines and bad press. Also, larger companies have the resources to invest in security.
......@@ -350,6 +370,8 @@ Figure \ref{fig:guts-middle-board} is the top of the USB board. In the upper ri
\subsubsection{Debug Ports}
\paragraph{Add pin headers to debug port} Returning to the USB board, flip it over to see the debug port pads (Figure \ref{fig:guts-debug-port}). Using nimble fingers, or tweezers, plug the 3 solder-less test point loops into the debug port. Ideally you would plug the loops on \textit{other} side of the circuit board with the USB port. Alternatively, you can solder a pin header onto the circuit board for a more permanent fixture.
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/guts-debug-port-good}
......@@ -357,6 +379,27 @@ Figure \ref{fig:guts-middle-board} is the top of the USB board. In the upper ri
\label{fig:guts-debug-port}
\end{figure}
\paragraph{Connect debug port to Raspberry PI} The three pins on the NEOS are Ground (bottom), Data Receive (RX), Data Transmit (TX). We will connect these to the UART on the Raspberry Pi using the clip headers.
In order to communicate properly, the Data Transmit (TX) on the NEOS needs to be connected to the Data Receive (RX) on the Raspberry Pi, and vice versa. Table \ref{tbl:connections} for the connection mapping, as well as Figures \ref{fig:debug-port-connect} and \ref{fig:rpi-connect}.
% https://pinout.xyz/pinout/uart#
% https://www.raspberrypi.org/documentation/computers/configuration.html
% TODO - probing possible debug ports on the device.
Also, an important thing to consider here is the operating voltages of the boards. The Raspberry PI's I/O and board operates at 3.3V (which is a common voltage for modern IoT devices). This device also operates at 3.3V. However, older devices might run at 5V (like Arduino baords). Using a multi-meter first on the device to see at what voltage level the board is powered. If you have different voltages, you'll need to add level-shifters to the UART lines.
\begin{table}[]
\centering
\begin{tabular}{c|c|c|c|c}
NEOS Pin & On NEOS & cable color & RPI Pin & On RPI \\
Ground Pin & bottom pad & black & Ground (GND) & Pin 6 \\
RX Pin & center pad & white & TX (GPIO14) & Pin 8 \\
TX Pin & top (corner) pad & grey & RX (GPIO15) & Pin 10
\end{tabular}
\caption{Connections between the NEOS and the Raspberry PI}
\label{tbl:connections}
\end{table}
\begin{figure}[h!]
\centering
\includegraphics[width=0.3\textwidth]{figures/debug-port-connect}
......@@ -372,23 +415,36 @@ Figure \ref{fig:guts-middle-board} is the top of the USB board. In the upper ri
\end{figure}
Probing possible debug ports on the device.
% https://learn.adafruit.com/adafruits-raspberry-pi-lesson-5-using-a-console-cable/test-and-configure
Attaching the Raspberry-PI to a port.
% https://pinout.xyz/pinout/uart#
% https://www.raspberrypi.org/documentation/computers/configuration.html
We need to connect GND, TX, and RX.
\paragraph{Test connection} Now on the Raspberry Pi, in a terminal prompt, we will first check that the hardware UART is enabled.
Run \texttt{raspi-config} to get to the configuration menu.
Choose Peripheral Interfaces (3?)
Choose Serial Console
No on Enable Serial Console
Yes on Enable Serial Hardware.
Also, an important thing to consider here is the operating voltages of the boards. The Raspberry PI's I/O and board operates at 3.3V (which is a common voltage for modern IoT devices). This device also operates at 3.3V. However, older devices might run at 5V (like Arduino baords). Using a multi-meter first on the device to see at what voltage level the board is powered. If you have different voltages, you'll need to add level-shiftwers to the UART lines.
We will use the program \texttt{screen} to access the serial port on the device. First, we need to give screen the path to the serial port on the RPI, in this case it is \texttt{/dev/serial0}, however, on other systems like your laptop this might be another name, such as ttyS0 or cu0.
% TODO - check on the Mac serial port name
% https://learn.adafruit.com/adafruits-raspberry-pi-lesson-5-using-a-console-cable/test-and-configure
The other argument that we need to give screen is the speed that the serial port is operating at, which is a \textit{baud} rate. For modern systems, 115200 is a good starting point \footnote{Other baud rates to try: 9600...}. In general, you will get some sort of output, but if the baud rate is wrong, then you'll get random characters. A more sophisticated approach would be to measure the speed of the output lines with an oscilliscope.
Run screen to access the serial port on the device. Once you turn on the device, and you start seeing the output, you have access to the debug console of the device.
\begin{verbatim}
screen /dev/serial0 115200
\end{verbatim}
In the next part we look at how people access and modify the firmware for the device.
Once you turn on the device, and you start seeing the output, you have access to the debug console of the device. You'll see something like this output.
\begin{verbatim}
TODO - Output here.
\end{verbatim}
Now we verified that we have a successful connection to the NEOS via the Raspberry PI. In the next part we look at how people access and modify the firmware for the device.
\section{Rooting the Device} \label{sec:rooting-device}
When the NEOS boots...
\subsection{Boot loaders}
U-Boot % https://source.denx.de/u-boot/u-boot/blob/HEAD/doc/README.autoboot
Screenshots of loading.
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment