| You read your chips' datasheets that go in detail on pinouts and protocols. You use logic analyzers that capture signals and programmatically decode a multitude of protocols from those signals. When you don't know what are the pinouts or protocols, you compare against similar enough known ones, or bruteforce them. Some examples: * Once you've learned a few chip pinouts, you can pretty much guess unknown pinouts just from identifying a few ground/control/address pins, as even chip-on-board globs follow similar layouts [1]. However, despite plenty of datasheet archives being publicly available, none of them allow you to actually search by pin function [2], so you potentially have to go through dozens of datasheets of similar model ids to find what you need. * UART baud rates that are likely used are in the single digits, they can be easily bruteforced. * JTAG pins you need to interface with can go up to a dozen or so, there are enumeration scripts you can run in an Arduino to identify which pin has which function. These scripts also identify the IDCODE which you can lookup against boundary scan files if you need so [3]. But in most cases, you will interface with JTAG without thinking of the state machine behind it. * Reverse engineering memory maps is a matter of following data read/write patterns and inferring associated functionality. You will bump into several address cross-references that also hint at what are the base addresses of each map. It's a more general skill you develop as you go, and Ghidra's decompilation made it much more accessible in the last years. The author went with a elaborate linker script but a more bare-bones approach would be to link code as a distinct ELF object, then copy its text section over to offset 0x20A0000-0x2010000 in the firmware image, and patch the initializers. * Soldering and associated skills can also be self-learned from tutorials, pick several videos and learn the tricks/mistakes each of them cover. So, in practice? Each of these does not require a vast amount of knowledge for things to happen, even allowing one to skip required reading of huge bibles that are recommended to electronics beginners. This is how a lifetime gets reduced to a few months of non-working hours. When getting into hardware hacking, what I felt was the main blocker is how a lot is described at a superficial level, without enough breadcrumbs one can follow to reproduce the same results. Sure, the pictures of spaghetti wires and decapped chips look awesome, but nobody learns from that. Unlike the software side where you are given the source and everything you need to lookup is in front of you. [1]: https://qufb.gitlab.io/writeups/mysteries [2]: https://github.com/qufb/PinoutDB [3]: https://bsdl.info/index.htm |
I agree with but extend your last point about breadcrumbs - it's not just that write-ups are hard to find, it's that even several great write-ups for adjacent projects may not be sufficient for a beginner to synthesize a path for his specific project. I spent a week watching YouTube videos and reading in preparation to dump the router firmware, and it still took me 3 days before I committed to actually soldering the wires to the UART contacts - the videos all had header pins! (Sounds dumb, but I'd never permanently altered hardware before.)
In case people are curious, the router automatically gave me a root shell when I accidentally pressed a key during startup once I was connected to UART (using a [programmer board](https://a.co/d/0aVp22Mq)), and I was able to dump firmware using `dd` on one of the device partitions labeled "firmware", then `netcat`ing it out.
I also tried dumping the SPI flash chip directly using tiny alligator clips and flashrom, but I think I literally didn't know to build the latest version of flashrom from source, and so couldn't connect. Maybe same issue with JTAG - old software couldn't find my new programmer board. But I wouldn't have known what to do with gdb access even if I had connected to JTAG! Oh, I also didn't know that I needed to solder together the 2 pins that were specified by the datasheet to activate JTAG - thought I could just hold a wire between them like stealing a car in the movies lol.
Final example of "no breadcrumbs": I wanted to modify the firmware, then flash it back, but I couldn't for several days and the life of me figure out how to repack the firmware after using binwalk to unpack it. Ultimately I flashed something badly formatted out of desperation (maybe wrong size??) and bricked the router. Every guide mentioned "flashing back", but none showed how to do it - I am actually still curious haha, what was I missing?