DefCon 24 HHV Reverse Engineering Challenge05 Aug 2016
Sadly, we were unable to attend DEF CON this year.
Fortunately, bunni and the folks over at KBEmbedded were nice enough to hook us up with a free Hardware Hacking Village Reverse Engineering Challenge board so we could partake in the pain and frustration remotely.
Here is an excerpt of relevant text from the document provided with the challenge kit:
A link to the kbembedded GitHub repo for the challenge was also provided.
(Originally, only the hex file for the firmware was available during the challenge but all of the design files and source now appear to be hosted here.)
The first part of the challenge is to reverse engineer the schematic for the PCB.
As an aside, Joe Grand (Kingpin) gave a great talk at DEF CON 22 about reverse engineering circuit boards.
The slides for this talk can be found here.
A full writeup of his research can be found here.
For reverse engineering this particular board let's start with the components.
There are a total of 9 separate components with a total of 30 pins.
Conveniently, there are 30 through-hole pads on the board.
(Suggestion for next year: Throw in some extra pads and/or components to really mess with folks.)
Here is a quick rundown of the components that came with the kit.
The main IC is a PIC12F1571
Here is the pinout from the datasheet:
It has an input voltage range of +2.3V to +5.5V DC which will probably be good to know later.
The single resistor value measures ~99.5Ω on the multimeter.
The two identical resistors measure ~3.5KΩ.
If you don't have a multimeter, do have very good eyesight, or are a masochist, you could simply read the colored bands on the resistors.
Here is a convenient site to decode resistor values based upon their colored bands for the lazy.
The single resistor bands are: BROWN, BLACK, BROWN, GOLD, which indicates a 100Ω, ±5% value.
The two identical resistor bands are: ORANGE, GREEN, RED, GOLD, which indicates a 3.5KΩ, ±5% value.
Perhaps the most reliable way to figure out what color of LED is to hook it up to a power supply set to 0V and slowly turn up the voltage.
It's also not a bad idea to toss a current limiting resistor in series and/or to limit the current output of your power supply.
If you happen to have jittery fingers, an overly-sensitive fine voltage control knob, or a cat brushes against your leg, it is not difficult to destroy an LED.
This is mentioned only because it is exactly what occurred...
There was a bright little flash of red light before things went dark and based upon the voltage of the power supply before the slip, the assumption is that the LED was red.
No point crying over toasted LEDs though; grab another from the box and move on.
Besides, this is a reverse engineering challenge and what fun would it be without some fire?
The forward voltage of a RED 5mm LED is typically around 1.8V with a forward current of around 20mA.
Let's assume it's something like a Kingbright WP710A10SRC/E.
The silkscreen in the bottom left corner on the front of the board reads 'CR2025', which is a 3V nominal coin cell battery.
(If the silkscreen is to be trusted.)
Assuming our input voltage was around 3.3V (which is quite common for microcontrollers) we can calculate the current limiting resistor required for this LED to be:
R = (VS - VF)/I
- R is the resistance in ohms (Ω): The term we are attempting to solve for
- VS is the source voltage in volts (V): +3.3
- VF is the forward voltage of the LED in volts (V): ~1.8
- I is the forward current of the LED in Amperes (A): ~.02
Inserting the above terms into the equation gives the required current limiting resistor value to be:
R = (3.3 - 1.8)/.02 = 75Ω
75Ω isn't a common resistor value and it is typical practice to round up to the nearest common value which in this case would be 82Ω.
It is also possible that a Lithium-Ion cell could be a good choice.
Lithium-Ion cells have a nominal voltage of 3.7V which is still within the tolerable voltage range of the microcontroller.
Plugging this value into the above equation yields:
R = (3.7 - 1.8)/.02 = 95Ω
Again, 95Ω is not a common resistor value but 100Ω is.
Fortuitously, we happen to have a 100Ω resistor which should also work just fine as a substitution for the 82Ω resistor we calculated for a 3.3V input.
It is virtually always safe (and often recommended due to the ±whatever% tolerance) to round up resistor values a bit for current limiting of LEDs.
It is possible that the LED which released the magic smoke was bidirectional.
(Bi-directional LEDs were used as a hack on the badges for the i-hacked party at a previous DefCon so it's not unheard of.)
Though somewhat unlikely, we may never know for certain.
These are popcorn parts so the part numbers are largely irrelevant.
(Though, 3.5KΩ through-hole resistors <1W are surprisingly difficult to come by for some reason.)
In capacitor labeling, a number such as 104 (which is what's printed on the cap supplied) typically indicates a value of 10, followed by four zeros expressed in picofarads (100,000 picofarads).
100,000 picofarads is 0.1μF (micro-farads)
If you happen to have a multimeter covered in cat fur (it really does help) capable of measuring farads you can save yourself some eye strain:
Based upon the value, BC logo marking, formed leads, lead spacing, availability, and market price, a best guess would be that it is a Vishay BC K104K10X7RF5UH5 50V ceramic capacitor or similar.
Nothing particularly magical, nor mysterious about these components.
We have two 1X4 and one 2X2 .1" pitch male headers that presumable fit in the nice pin header holes on the PCB.
The only uncertainty about them is what they're all meant to connect to...
From the above we are able to take a stab at a BOM for this board.
|R1||1||Generic axial resistor||100Ω|
|R2, 3||2||Generic axial resistor||3.5KΩ|
|C1||1||K104K10X7RF5UH5||0.1μF ceramic cap||Link|
|P1, 2||2||68002-404HLF||1X4, .1” pitch male header||Link|
|P3||1||67997-404HLF||2X2, .1” pitch male header||Link|
We can also now generate all of the schematic symbols we'll require.
The PCB is where things start to get really interesting.
The routing looks like it was done with either painstaking care by a human being designing it to be intentionally confusing or by any standard autorouter (because they all suck).
While it is possible that the PCB has more than two layers (stackup height is not a reliable measure of this), the general lack of all but a handful of vias which line up on both sides of the board tend to suggest against this.
As a note, it may seem a bit absurd to reverse engineer a circuit visually but in fact it's not at all unprecedented.
The Intel 4004 was reverse engineered from its masks and the MOS 6502 was painstakingly reverse engineered largely from die shots.
The back of the PCB is fairly easy to see under magnification:
Some quick and dirty work with the GIMP path tool makes it fairly easy to see the mess of traces:
Next we'll flip the highlighted back of the board image horizontally so it's easier to compare with the front of the board:
Knowing where each trace starts and stops makes it fairly easy to draw a simplified version of the layout:
We can then do the same with the front of the board which is a bit tricker due to the silkscreen and my inconsistent lighting:
It's really quite a bit easier to zoom in on one section of the board at a time:
Here's another shot with a really sloppy trace:
(May want to rethink your fab for next year bunni)
Again, we can use the path tool to carefully highlight all of the traces in their own colors:
And simplify the crazy traces:
You may notice the blue trace in the above image.
The reality is that it turned out to be rather difficult to find a clean way to route this trace.
As it turns out, this happens to be quite fortuitous for reasons that will become clear momentarily.
Now for the magic.
We can blend both of the simplified images together to give us a fairly reasonable representation of the layout of the board:
One fun thing to note from this image is that it appears as though the solder jumper labeled "Open Me" on the back side of the board is either entirely superfluous, as it is also shorted with a trace on the front side of the board, or perhaps the trace on the front is meant to be cut as well.
We'll certainly have to come back to that one soon...
That blue trace (the one that was hard to route cleanly from the front side of the board) is still kind of an eyesore.
What could it be connected to?
As it turns out...absolutely nothing!
In fact, it appears to be just a handful of vias connect to one another with no connections to any other pins or traces.
We can easily eliminate them and simplify our layout even further:
Now we've got somehting pretty reasonable to work with.
The next step is to figure out how all of the components fit onto the board.
Headers, resistors, and the capacitor (non-polarized in this case) can go in either direction so they're pretty straightforward.
We only have two components who's polarity matter in this case; the LED and the microcontroller.
Again, for the sake of the schematic the LED's orientation doesn't really matter to us.
Of course, it does in practice but hooking an LED up backwards generally won't hurt it as it is a diode after all.
(Assuming we don't exceed its reverse breakdown voltage.)
We already know from the PIC's datasheet (mentioned above) that
PIN 1 (VDD) and
PIN 8 (VSS) are positive and Ground voltage rails respectively.
It is common practice to include a decoupling capacitor (often several) across the positive and Ground voltage rails of a microcontroller to smooth out high-frequency noise.
Following the traces from the capacitor symbol silkscreen on the PCB (assuming this is really where the capacitor goes) shows that indeed each of the leads connects to only one or two pins on the microcontroller which correspond nicely to what we would expect to be our positive and Ground pins:
From this we can deduce that the most likely orientation for the microcontroller is as such:
Well we've come all this way with the intention of drawing a schematic so let's get to it.
One quick thing to note is some terminology here; namely VDD, VCC, VSS, and VEE.
VDD = VCC = Positive supply voltage
VSS = VEE = Negative supply voltage or Ground
This confusing terminology goes back to the days of TTL ICs which were originally based upon BJT technology and CMOS ICs based upon FET technology.
VCC often referred to the voltage applied to BJT
VEE to the voltage applied to BJT
VDD to FET
VSS to FET
Though often no longer the case, much of the archaic terminology has survived and is used interchangeable as noted above.
From the pinout in its datasheet, we know that
PIN 1 of the microcontroller is VCC (or VDD if you prefer.)
Using our merged and simplified top and bottom layers as a reference, we can then highlight all of the traces (and subsequently pins) that ought to be contiguously connected to it.
We can then use this information to draw the corresponding connections on our schematic diagram:
That's 8 pins down and only 22 left to go!
We can then repeat the process with the Ground (VSS) pin of the microcontroller.
We'll just keep drawing on top of our existing image so we can keep track of which pins we have left to connect:
In this image we've drawn the traces we know must be connected to our assumed Ground pin in green. The blue traces correspond to those connected across the jumper labeled "Open Me" on the back side of the board and the solid trace running directly over it on the front side of the board.
For the time being, we'll go ahead and draw these blue connections on our schematic but we'll use wires instead of the Ground reference symbol used on the other pins to make it easier to see what they're connected to later.
There are also a number of traces on the board that simply connect one through-hole pad to another.
While drawn in the same color here, just to make things easier to visualize, it is important to note that the traces in this case are not connected to one another.
We will then add these to our schematic as well.
Rather than drawing a tangle of wires we'll use signal labels to keep our schematic cleaner.
So far as the schematic editor is concerned, wires and signal labels are exactly the same thing and the labels are purely a human convenience.
Some schematic symbols have also been moved around a bit to fit better.
Again, it makes no difference where we physically place the symbols but it is common practice to group componenents based on type, function, or as part of sub-circuits together.
It is also generally good practice to spread schematic symbols out a bit as bunching things together can make schematics difficult to read.
This was not done very well here simply for the sake of fitting everything in nicely sized images for this site.
We'll then do the same with our penultimate set of traces:
And create signals on the schematic for them as well:
We can then add the final set of connected traces to the layout:
It is rather odd to see two microcontroller pins shorted to one-another, especially when neither of them are connected to power rails.
While there are instances, such as multiplexing LEDs, where this is done it is somewhat suspicious.
The safe bet is to simply assign each pin of the microcontroller its own signal label and then just short the signals.
We'll also simply assign each one of the header pins this trace is connected to a signal name based upon whichever is physically closest for the time being.
This may not be turn out to be correct in the long run but since we've shorted the two signals in the schematic anyway and we know for certain that they are physically connected it makes no difference other than to help visualize what might eventually go where.
The schematic is no more or less correct for assigning two separate signal names in this case.
As an aside, we could have had much less fun generating the above completed PCB routing diagram, skipping virtually all of the above steps, by simply numbering each pin and probing every possible combination of two pin pairs with the continuity function of a multimeter to generate a table of connected pins like such:
We could have then used this table to draw the connections between the pins.
Of course, we may never have discovered the wholly useless set of traces looping back on themselves, nor the apparent extra short on the top side of the "Open Me" jumper, and we most certainly wouldn't have appreciated all of the hard work bunni put in to intentionally try to confuse us.
In either case, we can use the above diagram to finally complete our schematic: