Hacking Roku: Part 5
We’re back with more beginning hardware hacking. In this installment we’re going to get out the multimeter and do some detective work on what the pins and pads on the Roku XD PCB might do.
First let’s review the current state of the test plan:
Roku XD Test Plan
Objectives
- Learn basic hardware hacking tools and techniques
- Dump the device firmware
- Get root on the device
Passive Recon
- Identify all ICs
- Locate Data Sheets
- Note any devices that support I2C, SPI, JTAG
Multimeter Testing
- Identify all ground pins/headers/pads with continuity/resistance test
- Identify remaining pins/headers/pads with voltage test
Further Testing
- Analyze firmware files
- Pin Glitch the NAND Flash chip
In Part 4, we took inventory of the ICs present on the board and looked up their data sheets. With that out of the way, all of the passive recon is complete. Let’s start in on the real fun!
Identify all ground pins/headers/pads with continuity/resistance test
The first step here is identifying all of the ground pins. You may know already that digital devices do their calculations using 1s and 0s, represented as high and low voltages. Because a voltage is a difference in potential measured between two points on the circuit, everything on a given device shares a single common ground plane so that transistors and other logic devices can make consistent readings. Various pins/pads on a board will be tied into this ground, along with any GND pins on ICs or other devices attached to the board. Typically any metal shielding on USB ports, wireless antennae, etc., will also be tied into the ground.
Because this test is done with the target un-powered, it is very low risk. The meter does send a small voltage through the probes and there is a remote possibility this could damage an IC, but it’s very unlikely.
- The target device should be disconnected from the power source.
- Select Continuity Mode on the multimeter dial. It often looks like a dot with concentric waves emanating from it. On my meter it’s coupled with the diode test mode, and it may be necessary to press a button to toggle between them.
- If your meter does not have a continuity mode, you can also use the resistance test, identified by the Ohm symbol - Ω.
- Plug the black probe into the COM jack. Plug the red probe into the jack that has the continuity symbol matching the dial.
- Hold the black probe against something that is likely to be grounded. The metal shield around the Wifi module is convenient for the Roku.
- Work your way methodically across the board, touching the red probe against any pins you wish to test.
- Hold the red probe against the pin for a couple of seconds.
What to look for:
- If the meter beeps, that means there is continuity between the two probes. You’ve found a ground; be sure to mark it down! The meter may also display the resistance, but the audible signal is helpful because you can keep your eyes focused on the meter probes.
- If using the resistance test, the meter will probably not beep. In this case, if the meter displays a low resistance value, then you have continuity with ground. If the meter displays OL, then it is not a ground.
Do this for every pin and pad you’re interested in and record the results.
Here’s what I found:
| Note | Pin | Pin | Note |
|---|---|---|---|
| | 1 | 2 | |
| | 3 | 4 | |
| | 5 | 6 | |
| | 7 | 8 | |
| | 9 | 10 | GND |

| Note | Pin | Pin | Note |
|---|---|---|---|
| | 14 | 13 | |
| | 12 | 11 | |
| GND | 10 | 9 | |
| GND | 8 | 7 | |
| GND | 6 | 5 | |
| GND | 4 | 3 | |
| GND | 2 | 1 | |

| Note | Pin | Pin | Note |
|---|---|---|---|
| | 1 | 2 | |
| | 3 | 4 | GND |
| | 5 | 6 | GND |

| Note | Pin | Pin | Note |
|---|---|---|---|
| | 12 | 11 | GND |
| | 10 | 9 | GND |
| | 8 | 7 | GND |
| | 6 | 5 | GND |
| | 4 | 3 | GND |
| | 2 | 1 | GND |
Note that P1 and P10 are oriented so that pin/pad #1 is at the bottom right, matching how the board looks when viewed with the ports closest to you.
The even pads of P9 and the odd pads of P10 are actually on the reverse side of the board.
That covers all of the possible grounds, so we can check this item off the list:
- Identify all ground pins/headers/pads with continuity/resistance test
Let’s move on to the next step.
Identify remaining pins/headers/pads with voltage test
For the voltage testing, the device will need to be powered on. Because we’re looking in part for voltage fluctuations that could represent output signals of some kind (possibly UART), it will be necessary to keep the probes in place for some time. Devices often output to UART during the boot sequence so it’s a good idea to keep the probes in place for the boot sequence duration. In the case of the Roku XD there is an LED that flashes while the device is booting and then goes solid when the boot sequence is completed. It takes about 30 seconds, but in practice I just held the probes in place until the LED stopped flashing.
Because the device will be powered on, there is now some risk of damaging the device, or even a possibility of getting shocked if the wrong things get shorted, so it’s important to be a little more cautious. I like to connect the black probe to one of the ground pins I just identified with an alligator clip and, if necessary, a jumper, so that I don’t have to hold the ground probe while I work. I do the same with the red probe on the target pin, so that I don’t have to worry about slipping and shorting things.
Finally, because it’s necessary to power cycle the device for every pin, it’s helpful to use a power strip with a switch so that you can do it quickly and easily. Unplugging/plugging the power cord takes longer and is hard to do without moving the target around and potentially messing up the connections. You can even use your foot to operate the switch and keep your hands available to work.
Here’s how to do it:
- The target device should be unplugged, or plugged in but switched off.
- Select V DC on the multimeter dial.
- Plug the black probe into the COM jack on the meter. Plug the red probe into the V jack.
- Connect the black probe to any of the ground pins identified previously. They are all interconnected, so it doesn’t make any difference which.
- Connect the red probe to one of the unknown target pins.
- Plug in or switch on the target.
- Note what is displayed on the meter and how it changes over the course of the boot cycle, if at all.
- Unplug or switch off the target.
- Note how quickly the voltage changes after the device is powered off.
What to look for:
The first thing to keep an eye out for are signs of “chatter” that may indicate an output (usually UART). A typical digital multimeter does not sample quickly enough to display the “live” data from an output; you need a Logic Analyzer for that, which we’ll cover in the next part of the series. Instead, a digital meter shows an average of samples. In practice this means that chatter often looks like a voltage near or a little below the device’s reference voltage (typically 5V or 3.3V on modern IoT devices), possibly fluctuating a bit. Other things to look out for are:
- Steady 3.3V or 5V readings - this could indicate a power source that would supply VCC, or an input/output that is held high and pulled low when active. If the voltage drops gradually after switching the device off, there is likely a capacitor on the circuit, which is a good indicator that it’s a power source. If the voltage drops instantly, then it’s worth investigating further.
- As a secondary test, if you can find a known VCC pin on a device attached to the board, testing continuity (with the device switched off) between the pin you’re examining and the known VCC pin can also be a conclusive way to investigate.
- Millivolt readings - Possibly “floating” voltage. They may not be connected to anything or perhaps they are being pulled low. They’ll merit further examination.
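To make the reading-interpretation rules above concrete, here is a small classifier I've added for this write-up; it is not code from the original post and the readings it contains are constructed, loosely modelled on the J10 numbers reported later. Each pin gets a list of DC voltage samples noted during the boot cycle plus the voltage read a few seconds after power-off, and the function applies the same heuristics: millivolts means floating or pulled low, bouncing near or below the reference rail means chatter (possible UART TX), steady near a rail with a slow decay means a capacitor-backed supply, and steady near a rail with an instant drop means an I/O held high that deserves a closer look. The thresholds (`rail_tolerance`, `chatter_std`, `slow_drop_fraction`) are assumptions chosen for illustration, not values from the post.

```python
"""Classify multimeter pin readings with the heuristics from the post.

Hypothetical helper written for this article, not the author's own tooling.
"""
from statistics import mean, pstdev

# Constructed sample data (volts), loosely modelled on the J10 readings in
# the post. "boot" holds samples noted while the target boots; "after_off"
# is the reading a few seconds after the target is switched off.
SAMPLE_READINGS = {
    1: {"boot": [3.25, 3.25, 3.25, 3.26, 3.25], "after_off": 0.00},
    5: {"boot": [0.004, 0.004, 0.005, 0.004, 0.004], "after_off": 0.00},
    6: {"boot": [2.95, 3.18, 2.70, 3.21, 2.88], "after_off": 0.00},
    9: {"boot": [5.27, 5.27, 5.27, 5.27, 5.27], "after_off": 3.90},
}

# Common logic/supply rails on modern IoT boards.
REFERENCE_RAILS = (3.3, 5.0)


def nearest_rail(volts):
    """Pick the reference rail closest to an average reading."""
    return min(REFERENCE_RAILS, key=lambda rail: abs(rail - volts))


def classify_pin(boot_samples, after_off, rail_tolerance=0.35,
                 chatter_std=0.05, slow_drop_fraction=0.25):
    """Return (label, reason) for one pin.

    rail_tolerance:     how far a steady average may sit from a rail (V)
    chatter_std:        sample spread above which we call it chatter (V)
    slow_drop_fraction: fraction of the boot voltage still present a few
                        seconds after power-off that we treat as a slow decay
    All three thresholds are assumed values for illustration.
    """
    avg = mean(boot_samples)
    spread = pstdev(boot_samples)
    rail = nearest_rail(avg)

    # Millivolt readings: nothing driving the pin, or it is pulled low.
    if avg < 0.5:
        return "floating", f"{avg * 1000:.0f}mV average; unconnected or pulled low"

    # A meter averages fast signals, so chatter shows up as a bouncing
    # reading near or a little below the rail.
    if spread > chatter_std and avg <= rail:
        return "possible UART TX", f"bouncing (std {spread:.2f}V) near {rail}V"

    if abs(avg - rail) <= rail_tolerance:
        # A capacitor on a supply rail keeps the voltage up after power-off.
        if after_off >= slow_drop_fraction * avg:
            return "likely power rail", f"steady {avg:.2f}V, slow decay after power-off"
        return "held-high I/O?", f"steady {avg:.2f}V, dropped instantly"

    return "unknown", f"steady {avg:.2f}V, not near a common rail"


def classify_header(readings):
    """Classify every pin in a header's readings dict."""
    return {pin: classify_pin(r["boot"], r["after_off"]) for pin, r in readings.items()}


if __name__ == "__main__":
    for pin, (label, why) in classify_header(SAMPLE_READINGS).items():
        print(f"pin {pin:>2}: {label:18} {why}")
```

Running it prints one line per pin; pin 6 comes out as "possible UART TX" because its samples scatter well below 3.3V, while pin 9's 5.27V with a slow decay is flagged as a likely supply. The classifier is only a note-taking aid: as the post says, confirming a signal needs a logic analyzer.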
With all that said, I tested every non-ground pin one at a time, watching the behavior of each pin for the duration of a full boot cycle and making notes about it.
Most of the pins are fairly inconclusive. A few hang around 3.25V; a few others hang around 4mV.
On J10 something caught my eye on Pin 6. In the animated .gif you can see how it looks on the meter. That voltage bouncing around is a strong indicator that there is a signal of some kind coming out of that pin. It could very well be a UART TX, but it could be something else entirely. The only way to know is to test further. Now I could easily just connect a USB/UART adapter to it and see what comes out, but in keeping with the theme of learning how to use the basic tools of the trade, I’ve got another step to add to my plan first:
- Test with the Logic Analyzer
Here is what my notes look like after testing all of the pins and pads on the board:
| Note | Pin | Pin | Note |
|---|---|---|---|
| 3.25V | 1 | 2 | 3.25V |
| 3.25V | 3 | 4 | 3.25V |
| 4mV | 5 | 6 | Possible UART TX |
| 5mV | 7 | 8 | 4mV |
| 5.27V slow drop | 9 | 10 | GND |

| Note | Pin | Pin | Note |
|---|---|---|---|
| 3.26V | 14 | 13 | 3.26V |
| 10mV | 12 | 11 | 3.26V |
| GND | 10 | 9 | 3.06V |
| GND | 8 | 7 | 3.09V |
| GND | 6 | 5 | 3.06V |
| GND | 4 | 3 | 3.09V |
| GND | 2 | 1 | 207mV |

| Note | Pin | Pin | Note |
|---|---|---|---|
| 3.26V | 1 | 2 | 3.26V |
| 10mV | 3 | 4 | GND |
| 12mV | 5 | 6 | GND |

| Note | Pin | Pin | Note |
|---|---|---|---|
| 3.26V | 12 | 11 | GND |
| 3.26V | 10 | 9 | GND |
| 3.26V | 8 | 7 | GND |
| 3.26V | 6 | 5 | GND |
| 3.26V | 4 | 3 | GND |
| 3.26V | 2 | 1 | GND |
We can now check this item off the list:
- Identify remaining pins/headers/pads with voltage test
That wraps up the Multimeter Testing phase, but I will keep the multimeter handy. I may want to retest things or attempt to trace connections, so it makes sense to keep it close by.
With a step for Logic Analyzer Testing added, here is the current state of the test plan:
Roku XD Test Plan
Objectives
- Learn basic hardware hacking tools and techniques
- Dump the device firmware
- Get root on the device
Passive Recon
- Identify all ICs
- Locate Data Sheets
- Note any devices that support I2C, SPI, JTAG
Multimeter Testing
- Identify all ground pins/headers/pads with continuity/resistance test
- Identify remaining pins/headers/pads with voltage test
Logic Analyzer Testing
- Confirm possible UART on J10 Pin 6
- Check other pins for anything else interesting
Further Testing
- Analyze firmware files
- Pin Glitch the NAND Flash chip
In the next installment it will be time to learn how to use the Logic Analyzer and, hopefully, find something interesting with it. See you soon.