Hacking Roku: Part 2
Having introduced our target, an old Roku XD media streamer, it’s time to begin the first stages of the pentesting process.
Hardware Hacking Tools
In the last post I mentioned a great DEFCON talk covering some of the tools that are useful for doing this kind of work.
I already had a lot of the basics:
- Soldering iron - I have a Weller WLC100. It’s a pretty basic setup with an analog control, but it’s great for under $50 US. At some point I will likely upgrade to something nicer with a digital temp. control but so far this iron has not done me wrong.
- Solder - Just some basic 60/40 flux core solder that’s been in my toolbox for 15+ years.
- Multimeter - I have an old Craftsman multimeter. It’s nothing special but adequate for this type of work.
- Tool set - A set of small screwdrivers and bits is helpful.
- Silicone Soldering Mat - This protects the work surface and also has many little wells to help organize screws and other bits of a disassembled device.
- Soldering helping hand with magnifier
Based on what I saw in the video I also ordered:
- Assorted jumper wires
- A bunch of 2.54mm breakapart header pins
- A roll of 30AWG wire-wrapping wire
- A roll of solder wick
- A basic FTDI USB/Serial adapter. I made sure to get one that had a genuine FTDI chip and could easily switch between 3.3v and 5v TTL levels.
- A basic logic analyzer. Saleae are the gold standard in logic analyzers currently. They offer a generous discount (1/2 price!) for hobbyists and students on their most basic unit, but even then it is $200 US. As I’m just getting started, I picked up a $15 generic one which I will use for now.
Since it’s relatively easy to get most of the things I might need quickly, I made a conscious decision to order only the bare minimum at first. If I found a need for additional items, I would just order them as needed.
Test Plan
With our tools gathered up, we can now turn our attention to the fun part - testing. Every penetration test begins with a test plan. Without a clear plan and objectives, it’s too easy to bounce around aimlessly, testing some parts inadequately and missing other parts entirely. Here is my initial plan for the Roku:
Roku XD Test Plan
Objectives
- Learn basic hardware hacking tools and techniques
- Dump the device firmware
- Get root on the device
Passive Recon
- OSINT / Google
- Inspect exterior
- Disassemble
- Look for useful markings on the PCB
- Identify potentially useful Pins/Headers or test pads
- Look for common groupings or labels that may indicate UART, JTAG, SWD, SPI, etc.
- Identify all ICs
- Locate Data Sheets
- Note any devices that support I2C, SPI, JTAG
Multimeter Testing
- Identify all ground pins/headers/pads with continuity/resistance test
- Identify remaining pins/headers/pads with voltage test
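Once the multimeter steps above have singled out a pad that idles high (a classic UART TX sign), the cheap logic analyzer's raw capture can be checked for serial framing. The decoder below is an added example, not code from the original post or from any Roku tooling; it assumes the capture is a list of 0/1 samples at a known sample rate, and the sample capture it decodes is constructed rather than recorded from the device.

```python
# Added example, not from the original post. Estimate the baud rate of a
# candidate pad from the shortest pulse in a capture, then decode 8N1 frames.
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)

def estimate_baud(samples, sample_rate):
    """Estimate baud from the shortest run of identical samples (one bit time)."""
    shortest, run = None, 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
            continue
        shortest = run if shortest is None else min(shortest, run)
        run = 1
    if shortest is None:
        raise ValueError("line never toggles: not a UART TX pad")
    return sample_rate / shortest

def nearest_standard_baud(baud):
    """Snap a measured rate to the closest common UART rate."""
    return min(STANDARD_BAUDS, key=lambda b: abs(b - baud))

def decode_8n1(samples, sample_rate, baud):
    """Decode 8N1 frames: start bit 0, eight data bits LSB first, stop bit 1."""
    spb = sample_rate / baud              # samples per bit
    out, i, n = bytearray(), 0, len(samples)
    while i < n:
        if samples[i] == 1:               # idle high: keep scanning
            i += 1
            continue
        centre = i + spb / 2              # sample each bit at its centre
        stop = int(centre + 9 * spb)
        if stop >= n:
            break                         # truncated final frame
        if samples[int(centre)] != 0:     # glitch, not a real start bit
            i += 1
            continue
        value = sum(samples[int(centre + (k + 1) * spb)] << k for k in range(8))
        if samples[stop] == 1:            # good stop bit, otherwise framing error
            out.append(value)
        i = stop                          # resync on the next falling edge
    return bytes(out)

def encode_8n1(data, sample_rate, baud):
    """Constructed capture for testing: idle high, one 8N1 frame per byte."""
    spb = sample_rate // baud
    samples = [1] * (4 * spb)
    for b in data:
        for bit in [0] + [(b >> k) & 1 for k in range(8)] + [1]:
            samples.extend([bit] * spb)
    return samples + [1] * (4 * spb)

SAMPLE_RATE = 24_000_000                  # 24 MS/s, a generic analyzer's top rate
CAPTURE = encode_8n1(b"Roku", SAMPLE_RATE, 115200)   # constructed, not a real capture
```

Readable ASCII coming out of `decode_8n1` at a standard rate is strong evidence the pad is a serial console; a stream of framing errors at every candidate rate usually means the pad carries something else (SPI, I2C, or just noise).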
I will update the plan as I find items of interest and come up with ideas for attacking them, but at this stage I won’t know anything else about the device until I have completed these recon steps. Strictly speaking, attacking the software and UI should come ahead of hardware-based tests, but I am specifically doing this to learn hardware hacking, so I am jumping right in.
Coming Up
In Part 3, I’ll tackle the first couple of steps in the test plan.