Ask HN: If you wanted to 'hardware jailbreak' a device, how might you do this?
12 points by hwhatwhatwhat 3648 days ago
Most rootings/jailbreaks that have been widely released use software vulnerabilities to escalate privilege.

If instead you had access to the hardware of a device, and could make any reasonable modification or intervention, how would you approach this? What techniques are used for this class of attacks?

(Reasonable modifications might be things like soldering extra components, removing ICs, using oscilloscopes and data loggers - but not, say, decapping chips and imaging them in an electron microscope as presumably those resources are a lot more limited.)

More practically, how might you do this on recent devices such as latest, flagship iOS, Android, or Windows Phone handsets? Are there any good, educational examples of this?

4 comments

One of the best approachable writeups I've found on getting started in reversing embedded devices is an old gem from Matasano. Retsaot is Toaster, Reversed: Quick 'n Dirty Firmware Reversing - http://www.woodmann.com/forum/archive/index.php/t-11707.html

That should give you a little bit of a feel for it. It's a fun rabbit hole to spend a few years down.

Most commonly you can find either an RS232 port (not the regular one, a 3.3V one!) or a JTAG port through which you might be able to influence the software running on it.

For example, I managed to flash OpenWRT on my otherwise unflashable router that way.

Another (even more hardware-y) approach is to dump flash chips containing ROMs. With those ROMs in hand you might be able to find a vulnerability to exploit, or you could replace the ROM chip with a socket in which you can place your own modified ROMs.

Bunnie famously broke the Xbox classic security by building his own hardware to sniff the (until then thought to be unsniffable) HyperTransport bus. He wrote a very interesting book about it and it's free nowadays: http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf

You can get a lot off ROM chips; it's always the second thing I go for after serial ports, and if you run into a password on the serial port, then it's probably (often hardcoded) in the ROM.

Sometimes they don't include headers and the like, so looking up a pinout and soldering to the IC helps in that case too. Tapping into the serial connections between chips can reveal a lot too.
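The "dump the ROM and the password is probably hardcoded in it" point above, turned around into the check a defender would run over their own flash image before it ships: per-block entropy to tell plaintext and erased flash from compressed or encrypted sections, plus a scan for credential-looking key/value strings. This is an added example, not code from the thread; the sample image, the credential-key pattern and the entropy thresholds are constructed for illustration.

```python
import math
import random
import re
from collections import Counter

# Printable-ASCII runs long enough to be a meaningful string.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Key/value pairs whose key looks credential-like (assumed pattern for this example).
CRED_RE = re.compile(rb"(?i)\b\w*(pass|pwd|psk|secret|key)\w*\s*[=:]\s*\S+")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def entropy_profile(image: bytes, block_size: int = 512):
    """Per-block entropy; plaintext and erased flash sit low, compressed or encrypted data high."""
    return [(off, shannon_entropy(image[off:off + block_size]))
            for off in range(0, len(image), block_size)]

def credential_strings(image: bytes):
    """Printable strings that look like a hardcoded credential assignment."""
    return [m.group(0) for m in STRING_RE.finditer(image) if CRED_RE.search(m.group(0))]

def audit(image: bytes, block_size: int = 512, low: float = 4.0, high: float = 7.0):
    """Summarise what a dumped image would hand to anyone holding the chip."""
    profile = entropy_profile(image, block_size)
    return {
        "plaintext_blocks": [off for off, e in profile if e < low],
        "high_entropy_blocks": [off for off, e in profile if e > high],
        "credentials": credential_strings(image),
    }

def build_sample_image() -> bytes:
    """Constructed stand-in for a dumped flash image (not any real product's firmware)."""
    config = b"model=RTR-1000\nadmin_password=hunter2\nwifi_psk=changeme\n"
    config_region = config.ljust(512, b"\xff")  # 0xFF = erased flash cells
    rng = random.Random(0)  # fixed seed so the result is reproducible
    opaque_region = bytes(rng.getrandbits(8) for _ in range(512))  # stands in for an encrypted section
    return config_region + opaque_region

if __name__ == "__main__":
    for key, val in audit(build_sample_image()).items():
        print(key, val)
```

On a real dump, point `audit` at the bytes read from the chip; blocks that score low and carry credential strings are the ones to move behind encryption or out of the image entirely.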

Here's a good start for chip-level stuff:

"Fault attacks on secure chips: from glitch to flash" https://www.cl.cam.ac.uk/~sps32/ECRYPT2011_1.pdf

Video game consoles used to do this with modchips and sometimes design flaws; this might be a good starting point for your research.