Blog

Small Scale Circuit Board Assembly: A Working Guide

July 28, 2022

Here at River Loop Security, we’re tightly focused on solving hardware security challenges. The nature of our work frequently brings us into contact with problems that:

  • deal with intricate technical details of ICs, electrical systems, and products
  • are, by their very nature, technically risky - we frequently run across challenges with no known solutions, and, as such, we have to try out technical approaches that can only be verified experimentally.

These two factors mean that we end up designing and fabricating a lot of circuit boards. It’s often the fastest way to quickly prove out hardware security techniques. We’ve come to find that traditional turnkey circuit board manufacturing is both too expensive and, crucially, too slow to meet our needs. Over the years, we’ve accumulated a lot of knowledge of how to quickly create circuit boards for testing hardware security proof of concepts. We wanted to share an explanation of our most basic low-quantity hand-assembly process in the hope that it helps others.

Continue reading

Introducing Flash BASH

September 6, 2021

Introduction

Flash BASH

Flash BASH is a tool which automates glitching and allows for precise timing attacks. If you don’t know what glitching is, then check out our earlier blog post on the topic to learn more.

We are pleased to release an initial open source version of this tool available on GitHub. Please take a look and reach out with any feedback. Please feel free to submit pull requests or post issues on the GitHub page as well.

Continue reading

Security Questions Regarding the Recent DJI Go 4 App

September 2, 2021

Last year, we took a look at the DJI Mimo app used with the company’s Osmo “action camera”. Soon thereafter we read security reports from other companies such as Synactiv’s DJI Go analysis, Synactiv’s DJI Pilot analysis, GRIMM’s validation report. These other security companies looked at the DJI Go and Pilot applications used for controlling drones and they found, among other things, similar results to what we found on DJI Mimo.

Continue reading

Repairing a Broken Huawei NAND Dump and Single-Bit Errors

July 26, 2021

Introduction

One device that recently came across our desks was a Huawei EchoLife optical network terminal. As part of our standard analysis, we dumped the flash chip on the device in order to analyze the firmware. If you haven’t already seen it, check out a previous Hardware Hacking 101 blog entry which goes over the basic process of identifying and dumping flash from a device.

In most cases, once we have a flash dump, an open-source tool like binwalk can handle the rest of the extraction. However, this was one of the rarer cases where considerably more work was needed before we could effectively extract the firmware to return the kernel and filesystems. In this blog post, we’ll go over the process of finding out what was wrong with the flash dump and how we repaired it.

Continue reading

Adding Chip Support to Flashrom

July 19, 2021

Flashrom: An Introduction

When working with embedded systems, various flash chips often need to be read or written for analysis. Flashrom is an open-source tool used for reading, writing, verifying, and erasing a wide assortment of flash chips. It currently has support for over 470 chips as well as large numbers of chipsets, mainboards, and various other devices. While this base is impressive and covers many common uses, it is possible to come across a chip that is not supported. Fortunately, due to the open-source nature of the Flashrom project, it is fairly straightforward to add the support ourselves with a bit of help from data sheets and documentation. The flashrom project is written in the C programming language, so you’ll want to be familiar with the basic syntax before diving in.

Continue reading

Hardware Hacking 101: Communicating with JTAG via OpenOCD

July 8, 2021

Introduction

Welcome back to our introduction to hardware hacking 101 and the final installment of the JTAG blog post series! In this post we cover how to communicate with a target device via JTAG once the pinout has been identified. We walk through Open On-Chip Debugger (OpenOCD) and GDB (GNU project debugger), demonstrate how to read and write from memory, and more broadly discuss the impacts of an exposed JTAG interface on production devices. If you haven’t already, make sure to check out our previous JTAG posts: in part 1 we provide background on JTAG and in part 2 we share a teardown of a TP-Link AC1750 to demonstrate how to identify and verify a pinout for JTAG.

Continue reading

Remote Administration of Connected Devices – Potential Danger Ahead

June 7, 2021

Danger Ahead!

Congratulations – you have deployed a new product, device, or server that runs on your customer’s premise. The product development lifecycle, however, does not end at deployment. Support and maintenance are key components of delivering a robust product. When a customer encounters an issue with a deployed device, there are a few options: 1) attempt to coach them through troubleshooting over the phone (or any telecom system), 2) send an expert to be on-site with the customer and the problem device, or 3) create a remote access system in the product that allows your experts to access the device from anywhere at any time.

Continue reading

Hardware Hacking 101: Identifying and Verifying JTAG on a Device

May 27, 2021

Introduction

Welcome back to our introduction to hardware hacking 101 series and our second installment of our JTAG blog post! In this post we share a teardown of a TP-Link AC1750 to demonstrate how to identify and verify a pinout for JTAG. If you haven’t already, make sure to check out part one of the JTAG post where we provide background on the interface and its characteristics.

Hands On

Now that we have covered how JTAG works and its interface, let’s take a look at a TP-Link Archer C7 | AC1750 dual band wireless router to demonstrate how to locate and identify the pinout for JTAG.

Continue reading

Hardware Hacking 101: Introduction to JTAG

May 6, 2021

Introduction

Welcome back to our introduction to hardware hacking series! In this post we will be covering the Joint Test Action Group (JTAG) interface, its state machine, pinout, and electrical characteristics. This is the first part of a multi-part series about JTAG. In this first installment, we provide background and information to get started working with JTAG. In our next post, we will share a teardown of a TP-LINK AC1750 to demonstrate how to identify and verify a pinout for JTAG. Lastly, we will provide examples of how to use this for security research purposes to dump firmware, read and write memory, and perform other actions.

Continue reading

Equitable management of cybersecurity workforce meal-related debts with questionable integrity protections

April 1, 2021

Introduction

For the modern cybersecurity workforce, there is oftentimes nothing more important than a satisfying meal. While COVID-19 has meant that most employees are working from home, we address some important issues for employees who may be returning to offices soon – and will need satiation.

Some offices, including many lab spaces, may have few ideal local lunch options. While a trip to a local artisan food establishment may be a welcome distraction from a long day of reverse engineering, the time spent going back and forth to pick up meals may be considered a distraction to some. Thus, often one person may pick up meal for several employees. However, the protection of the purchasing employee’s monetary outlay is critical.

Continue reading