Ask HN: If you wanted to 'hardware jailbreak' a device, how might you do this?
Most rootings/jailbreaks that have been widely released use software vulnerabilities to escalate privilege.
If instead you had access to the hardware of a device, and could make any reasonable modification or intervention, how would you approach this? What techniques are used for this class of attacks?
(Reasonable modifications might be things like soldering extra components, removing ICs, using oscilloscopes and data loggers - but not, say, decapping chips and imaging them in an electron microscope as presumably those resources are a lot more limited.)
More practically, how might you do this on recent devices such as latest, flagship iOS, Android, or Windows Phone handsets? Are there any good, educational examples of this?
5 comments
[ 2.8 ms ] story [ 17.6 ms ] threadFor example, I managed to flash OpenWRT on my otherwise unflashable router that way.
Another (even more hardware-y) approach is to dump flash chips containing ROMs. With those roms in hand you might be able to find a vulnerability to exploit, or you could replace the rom chip with a socket in which you can place your own modified roms.
Bunnie famously broke the Xbox classic security by building his own hardware to sniff the (until then thought to be unsniffable) HyperTransport bus. He wrote a very interesting book about it and it's free nowadays: http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf
Sometimes they don't include headers and the like, so looking up a pinout and soldering to the IC helps in that case too- tapping into the serial connections between chips can reveal a lot too.
"Fault attacks on secure chips: from glitch to flash" https://www.cl.cam.ac.uk/~sps32/ECRYPT2011_1.pdf
That should give you a little bit of a feel for it. Its a fun rabbit hole to spend a few years down.