Introduction 介绍
One of the most common questions that I get during a training is:
我在培训期间最常遇到的问题之一是:
“What do we need to build out an initial hardware hacking lab?”
“我们需要什么来建立一个最初的硬件黑客实验室?”
Of course, the answer to this question can be heavily tailored based on the goals of the team and their targets, but I wanted to attempt to document what would make for a good starter lab. The following document aims to outline the basic requirements for well rounded embedded systems laboratory.
当然,这个问题的答案可以根据团队的目标和他们的目标进行大量定制,但我想尝试记录一下什么是一个好的入门实验室。以下文件旨在概述全面嵌入式系统实验室的基本要求。
In this list, I will focus on devices that I and a few others regularly use for hardware pen testing and research. I will list a range of devices covering various budgets.
在此列表中,我将重点介绍我和其他一些人经常用于硬件渗透测试和研究的设备。我将列出涵盖各种预算的一系列设备。
It should be noted that the following recommendations are my opinion, and none of the links below are affiliate links or anything of the sort. My goal is to help people build out their first lab, not to make money. This guide will also be maintained at the GitHub repository located here – please submit pull requests with your suggestions and favorite tools!
应该注意的是,以下建议是我的意见,下面的链接都不是附属链接或类似的东西。我的目标是帮助人们建立他们的第一个实验室,而不是为了赚钱。本指南也将保存在位于此处的 GitHub 存储库中 – 请提交拉取请求,并附上您的建议和最喜欢的工具!
Contributors 贡献
Throughout the development of this guide, I was lucky enough to have some really sharp people offer to help me proofread and provide recommendations for some of the gear listed in this write up, I’ve included their names/handles below:
在本指南的整个开发过程中,我很幸运地有一些非常敏锐的人愿意帮助我校对本文中列出的一些装备并提供建议,我在下面列出了他们的名字/句柄:
- Jeremy Hong 杰里米·洪(Jeremy Hong)
- Arsenio Menendez 阿塞尼奥·梅嫩德斯
- Stu Kennedy 斯图·肯尼迪
- Ian Hanschen 伊恩·汉申
- Dreg 渣
Workbench 工作台
First and foremost, you will require a place to perform your work. Depending on your needs this might be a small section on your desk, or you may want an entirely separate workbench. When it comes to choosing a workbench, you’ll quickly find that you can spend a lot of money on a high end standing desk, especially if you’re looking for a larger one. One place you might consider looking is Home Depot / Lowes, I am a big fan of their Husky standing workbench and am currently using two of them in my office.
首先,您将需要一个地方来执行您的工作。根据您的需要,这可能是您办公桌上的一小块区域,或者您可能想要一个完全独立的工作台。在选择工作台时,您很快就会发现您可以在高端站立式办公桌上花很多钱,尤其是在您正在寻找更大的办公桌时。您可能会考虑寻找的一个地方是 Home Depot / Lowes,我是他们的 Husky 站立式工作台的忠实粉丝,目前在我的办公室里使用其中两个。
If you’re looking for something more traditional, I have also built a handful of workbench setups using IKEA tabletops and legs, this is a very popular option for workstations.
如果你正在寻找更传统的东西,我还使用宜家桌面和支腿构建了一些工作台设置,这是工作站非常受欢迎的选择。
| Item 项目 | Price 价格 | Link 链接 |
|---|---|---|
| Husky Adjustable Height 46in-72in Workbench 赫斯基可调节高度 46 英寸-72 英寸工作台 |
$268.00-$398.00 | Link 链接 |
| Ikea LAGKAPTEN Tabletop 宜家 LAGKAPTEN 台式电脑 | $49.99 | Link 链接 |
| Ikea ADILS Leg 宜家 ADILS 支腿 | $7.50 | Link 链接 |
| Ikea Drawer Unit (ALEX) 宜家抽屉柜 (ALEX) |
$109.99 | Link 链接 |
Note: The IKEA drawer units have mounting holes on top of them for attaching to IKEA tabletops which makes assembly extremely simple, and you get the added benefit of extra storage.
注意:宜家抽屉单元顶部有安装孔,用于固定在宜家桌面上,这使得组装非常简单,并且您可以获得额外存储空间的额外好处。
ESD Protections ESD保护
The last thing that you want to happen is for you to accidentally destroy a device with static electricity, In order to avoid this, it is always a good idea to get an ESD wrist strap or an ESD protective mat.
您最不想发生的事情是您不小心用静电破坏了设备,为了避免这种情况,获得 ESD 腕带或 ESD 保护垫总是一个好主意。
Note: Not all silicone mats that you will find on Amazon are actually anti-static, please make sure that you read the description of the mat that you are going to purchase if ESD protection is a high priority for your workspace (which it should be!)
注意:并非所有您在亚马逊上找到的硅胶垫实际上都是防静电的,如果 ESD 保护是您的工作空间的重中之重,请确保您阅读了您将要购买的硅胶垫的描述(应该是!
| Item 项目 | Price 价格 | Link 链接 |
|---|---|---|
| ESD Wrist Strap ESD腕带 | $9.99 | Link 链接 |
| ULine ESD Wrist Strap ULine ESD 腕带 |
$18 | Link 链接 |
| Bertech ESD High Temp Mat Bertech ESD 高温垫 |
$44.30 | Link 链接 |
| STATFREE UC2 Anti-Static Mat STATFREE UC2 防静电垫 |
$138.53 | Link 链接 |
| ULine Assorted Mats ULine 什锦垫 | $80-$1000 | Link 链接 |
DigiKey has a number of high quality ESD mats that you can find here.
DigiKey 有许多高质量的 ESD 垫,您可以在这里找到。
Soldering 软焊
Whether you are tearing down a new router or looking for a new target to perform fault injection, you will need to solder at some point during your hardware hacking journey. Soldering is the process of joining metal surfaces with “solder”; creating a conductive connection between the two soldered points. Soldering is useful when populating unused debug pin headers or connecting wires to points on your target circuit board that you wish to interact with.
无论您是拆除新路由器还是寻找新目标来执行故障注入,您都需要在硬件黑客攻击过程中的某个时刻进行焊接。焊接是用“焊料”连接金属表面的过程;在两个焊接点之间建立导电连接。在填充未使用的调试引脚接头或将电线连接到目标电路板上希望与之交互的点时,焊接非常有用。
Soldering Irons 烙铁
When looking for a new iron, it is essential to keep your goals in mind:
在寻找新熨斗时,必须牢记您的目标:
- Are you mainly focusing on smaller surface mount device (SMD) rework projects?
您是否主要关注较小的表面贴装器件 (SMD) 返修项目? - Will you be working with larger/older components that may need a lot of heat to remove?
您是否使用可能需要大量热量才能去除的较大/较旧的组件?
Ideally, you want an iron with adjustable temperature and removable tips. These can be purchased relatively cheaply from Amazon and other online vendors. I recommend one with an emergency timeout in case you forget to turn off your iron after some late-night soldering.
理想情况下,您需要一个温度可调和可拆卸尖端的熨斗。这些可以从亚马逊和其他在线供应商那里相对便宜地购买。我推荐一个带有紧急超时功能的产品,以防您在深夜焊接后忘记关闭熨斗。
Low Cost 低成本
Below is a very solid starter kit from Amazon, which makes for a good beginner iron. Before buying a more expensive iron, use this iron to learn proper care and maintenance.
下面是来自亚马逊的一个非常可靠的入门套件,它是一个很好的初学者铁杆。在购买更昂贵的熨斗之前,请使用这种熨斗学习正确的保养和维护。
Two other solid options for a beginner iron (at a slightly higher price point) are the Hakko FX888D and Weller WE1010NA. The WE1010NA is the successor to the venerable Weller WES51, which has since been discontinued.
初学者熨斗的另外两个可靠选择(价格略高)是 Hakko FX888D 和 Weller WE1010NA。WE1010NA是久负盛名的Weller WES51的继任者,后者现已停产。
For a portable option, the TS-100 or TS-101 is an excellent choice. These are great for travel, have interchangeable tips and are relatively low cost.
对于便携式选项,TS-100 或 TS-101 是绝佳的选择。这些非常适合旅行,具有可互换的尖端,并且成本相对较低。
High Cost 成本高
For high-end soldering or jobs that require you to solder to smaller components, such as 0402 components, a JBC CDS station with intelligent heat management and sleep/hibernation modes can’t be beaten. This is the station that I have used for quite a while now, and it has been highly reliable and easy to maintain. With this station, you can also get tweezer tips for SMD components, making these jobs much more manageable. It also can be connected to other JBC accessories, such as a fume extractor and other JBC handles.
对于高端焊接或需要焊接到较小组件(例如 0402 组件)的工作,具有智能热管理和睡眠/休眠模式的 JBC CDS 站是无与伦比的。这是我使用很长一段时间的电台,它非常可靠且易于维护。使用此工作站,您还可以获得用于 SMD 组件的镊子头,使这些工作更易于管理。它还可以连接到其他 JBC 附件,例如排烟器和其他 JBC 手柄。
If you have the funds to spare, the JBC DDPE 2-Tool station is great because it lets you have multiple tools active simultaneously. This station comes with micro tweezers and a T210 precision handle, which is compatible with a wide variety of cartridges.
如果您有闲置资金,JBC DDPE 2-Tool 工作站很棒,因为它可以让您同时激活多个工具。该站配有微型镊子和 T210 精密手柄,与各种墨盒兼容。
Hot Air Stations / Hot Plates
热风站/热板
Hot air stations and hot plates can both be used when doing SMD rework. Hot plates work as you might expect, they require surface to surface contact in order to heat the target device, allowing for either solder paste or a traditional iron to be used to bond the solder to the contact pads. These of course have some disadvantages, if you are working with a system that has plastic connectors, housings or is a two sided PCB with components on each side you will not be able to effectively use a hotplate without risking damaging the target. Hot plates can be used in conjunction with a hot air gun in order to “preheat” your target, making component removal easier.
在进行SMD返工时,可以使用热风站和热板。热板的工作方式如您所料,它们需要表面与表面接触才能加热目标设备,从而允许使用焊膏或传统熨斗将焊料粘合到接触垫上。这些当然也有一些缺点,如果您使用的系统具有塑料连接器、外壳或双面 PCB,每侧都有组件,您将无法在不损坏目标的情况下有效地使用加热板。热板可以与热风枪结合使用,以“预热”您的目标,使组件更容易移除。
Low Cost 低成本
Introductory hot plates are relatively low cost, the Soiiw Microcomputer Soldering Preheating station is a great place to start as it has built-in temperature control and display (helpful for letting others in the lab know that the plate is on!).
入门级热板成本相对较低,Soiiw 微电脑焊接预热站是一个很好的起点,因为它具有内置的温度控制和显示(有助于让实验室中的其他人知道板已打开!
If you are going for a lower-cost hot air rework station, there are plenty on Amazon. I have used the YIHUA 959D and have had no issues with it. Others have recommended the QUICK 957D Rework Station, which also has excellent reviews!
如果您要购买成本较低的热空气返修台,亚马逊上有很多。我用过YIHUA 959D,没有遇到任何问题。其他人推荐了 QUICK 957D 返修台,它也有很好的评价!
High Cost 成本高
You will need a hot air station for BGA rework or other package removal. Like a standard soldering station, these can vary in price/quality. A higher-end hot air rework station will allow for precise temperature and airflow control; they will also have a wider variety of hose attachments, allowing for the removal/replacement of smaller components. When working with standard embedded systems, the JBC TESE is an excellent rework station that has multiple suction tips and hose sizes included:
您将需要一个热风站进行 BGA 返工或其他包装移除.与标准焊台一样,这些焊台的价格/质量可能会有所不同。更高端的热风返修台将允许精确的温度和气流控制;它们还将具有更多种类的软管附件,允许拆卸/更换较小的组件。当使用标准嵌入式系统时,JBC TESE 是一款出色的返修台,具有多种吸头和软管尺寸,包括:
Of course, if you are looking to do a lot of SMD rework and reflow on PCBs, you may want to consider the SRS System SMD Rework station.
当然,如果您想在 PCB 上进行大量 SMD 返工和回流焊,您可能需要考虑 SRS 系统 SMD 返修台。
This kit includes an arm, allowing for hands-free operation, as well as a preheater. A preheater is a device used to (as you might have guessed) pre-heat the PCB from below, allowing things to be soldered more easily.
该套件包括一个臂,允许免提操作,以及一个预热器。预热器是一种用于(您可能已经猜到)从下方预热 PCB 的设备,使东西更容易焊接。
The full table of all of the recommended kits can be seen below:
所有推荐套件的完整表格如下:
| Item 项目 | Price 价格 | Link 链接 | Description 描述 |
|---|---|---|---|
| TS-100 TS-100型 | $54.99 | Link 链接 | Low cost, portable soldering iron 低成本便携式烙铁 |
| Soiiw Microcomputer Soldering Preheating station Soiiw微电脑焊接预热台 |
$67.99 | Link 链接 | Low cost pre-heating set up for BGA rework 用于BGA返修的低成本预热设置 |
| KSGER T12 Soldering Station KSGER T12 焊台 |
$69.99 | Link 链接 | Introductory soldering iron with interchangeable tips 带可互换尖端的入门级烙铁 |
| Sparkfun 8508D Hot-Air Rework Station Sparkfun 8508D 热风返修台 |
$99.95 | Link 链接 | Low-cost hot air rework station 低成本热风返修台 |
| QUICK 957D Rework Station QUICK 957D 返修台 |
$125.00 | Link 链接 | Low-cost hot air rework station 低成本热风返修台 |
| JBC CDS Soldering Station JBC CDS 焊台 |
$595 | Link 链接 | Mid range JBC soldering station 中档JBC焊台 |
| JBC DDPE 2-Tool Station JBC DDPE 2-工具站 |
$1700 | Link 链接 | JBC station that allows for multiple tools active and includes micro-tweezers and a T210 precision handle JBC 工作站允许多种工具激活,包括微型镊子和 T210 精密手柄 |
| JBC TESE JBC泰塞 | $2,690 | Link 链接 | High end hot air rework station with multiple suction adapters 高端热风返修台,带多个吸料适配器 |
| SRS System SMD Rework Station SRS系统SMD返修台 |
$5,750 | Link 链接 | Full SMD rework station, including an manueverable arm and preheater 完整的 SMD 返修台,包括可加工臂和预热器 |
Soldering: Practice Kits
焊接:练习套件
These kits are a great way to get comfortable soldering smaller devices and components. One thing I like to recommend is to solder, desolder, and then solder again. This will give you practice with removing parts and adding them!
这些套件是舒适地焊接小型设备和组件的好方法。我喜欢推荐的一件事是焊接,拆焊,然后再次焊接。这将为您提供删除和添加零件的练习!
| Item 项目 | Price 价格 | Link 链接 |
|---|---|---|
| Soldering Practice Kit 焊接练习套件 | $9 | Link 链接 |
| Soldering Practice Kit 2 焊接练习套件 2 |
$9 | Link 链接 |
Soldering Accessories 焊接配件
| Item 项目 | Price 价格 | Link 链接 | Description 描述 |
|---|---|---|---|
| KOTTO Fume Extractor KOTTO排烟机 | $39.99 | Link 链接 | Used to extract solder fumes, relatively portable for travel soldering 用于抽取焊料烟雾,相对便于旅行焊接 |
| Desoldering Braid 拆焊编织 | $9.99 | Link 链接 | Used to remove solder from a target, helpful when cleaning up QFP packages 用于从靶材上去除焊料,在清理 QFP 封装时很有帮助 |
| Tip Tinner 小头锡 | $8.00 | Link 链接 | Used to re-tin oxidized soldering iron tips, crucial for maintaining a working tip 用于重新镀锡氧化的烙铁头,这对于保持工作烙铁头至关重要 |
| Magnet Wire 漆包线 | $7.99 | Link 链接 | Tiny wire, used for connecting to cut traces or small vias on PCBs 细线,用于连接PCB上的切割走线或小通孔 |
| 30 AWG Wire Wrap Wire 30 AWG 绕线 |
$11.99 | Link 链接 | Small AWG wires, convenient for soldering to small pads, etc. 小AWG线,便于焊接到小焊盘等。 |
| Kapton Tape Kapton胶带 | $11.98 | Link 链接 | Heat resistant tape, helpful for protecting other components when doing hot air rework 耐热胶带,有助于在进行热风返工时保护其他部件 |
| ChipQuik SMD 291 Flux ChipQuik SMD 291 助焊剂 |
$15.95 | Link 链接 | Flux removes oxides and enhances solder flow, increasing the reliability of solder joints 助焊剂可去除氧化物并增强焊料流动,从而提高焊点的可靠性 |
| Engineer Solder Suction Device 工程师吸锡装置 |
$18.97 | Link 链接 | Used to remove solder 用于去除焊料 |
Bonus: Learning to Solder
奖励:学习焊接
Below are some YouTube videos to help you learn how to solder if you’ve never attempted it.
以下是一些 YouTube 视频,可帮助您学习如何焊接(如果您从未尝试过)。
- Soldering Crash Course: Basic Techniques
焊接速成课程:基本技术 - SMD Soldering Tutorial SMD焊接教程
- BGA Reflowing for Absolute Beginners
适合绝对初学者的 BGA 回流焊
Hackaday has a great article here about SMD rework and reballing.
Hackaday 在这里有一篇关于 SMD 返工和重球的精彩文章。
Multimeters 万用表
Regardless of the types of components and targets that you’re working on, you will need a multimeter. This is what you will use for your initial survey of your device for things such as measuring voltage, resistance, current and checking for continuity. When choosing a multimeter, make sure that you review the available voltage and current ranges and that they match the ranges of your expected targets. Some multimeters will also have an “auto-range” feature, which will attempt to automatically select the appropriate range for measuring voltage/current/resistance, etc. This feature can be helpful when measuring unknown voltages; it will save you a few button presses when measuring points on a target. The two multimeters listed below are the ones that I keep in my toolbox. I have also included different probes sets, allowing smaller pads/pins to be measured.
无论您正在处理哪种类型的组件和目标,您都需要一个万用表。这是您将用于对设备进行初始调查的内容,例如测量电压、电阻、电流和检查连续性。选择万用表时,请确保查看可用的电压和电流范围,以及它们是否与预期目标的范围相匹配。一些万用表还具有“自动量程”功能,它会尝试自动选择合适的量程来测量电压/电流/电阻等。此功能在测量未知电压时很有帮助;在测量目标上的点时,它将为您节省几次按钮。下面列出的两个万用表是我放在工具箱中的万用表。我还包括不同的探头组,允许测量更小的焊盘/引脚。
| Item 项目 | Price 价格 | Link 链接 |
|---|---|---|
| Micsoa Multimeter Test Leads Kit Micsoa 万用表测试引线套件 |
$20.99 | Link 链接 |
| Crenova MS8233D 克雷诺瓦MS8233D | $29.99 | Link 链接 |
| Fluke High Precision Probes 福禄克高精度探头 |
$94.99 | Link 链接 |
| Fluke 115 福禄克 115 | $220 | Link 链接 |
If you’ve never used a multimeter before, Sparkfun has a great tutorial here that can help get you up to speed and measuring in no time!
如果您以前从未使用过万用表,Sparkfun 在这里有一个很棒的教程,可以帮助您快速上手并立即进行测量!
Microscopes/Magnification
显微镜/放大倍率
When tearing down a target for the first time, you first want to locate and document all of the part numbers. Part numbers and PCB markings can sometimes be challenging to see with the naked eye, so having a cheap benchtop microscope or hand held loupe is never a bad idea. These will also come in handy when removing or modifying small components. Hand held loupes are great for quick identification of components.
首次拆卸目标时,首先要找到并记录所有零件号。零件编号和PCB标记有时很难用肉眼看到,因此拥有便宜的台式显微镜或手持式放大镜绝不是一个坏主意。在拆卸或修改小组件时,这些也会派上用场。手持式放大镜非常适合快速识别组件。
| Item 项目 | Price 价格 | Link 链接 | Description 描述 |
|---|---|---|---|
| Handheld Jewellers Loupes 手持式珠宝放大镜 |
$15.00 | Link 链接 | Small handheld jewellers loupes, various magnification, useful for part identification 小型手持珠宝商放大镜,各种放大倍率,便于零件识别 |
| Plugable USB Microscope 可插拔USB显微镜 | $37.74 | Link 链接 | Small USB compatible microscope, useful for some soldering and part identification, compatible with most desktop operating systems (in my experience) 小型USB兼容显微镜,可用于某些焊接和零件识别,与大多数桌面操作系统兼容(根据我的经验) |
| AMScope USB Microscope AMScope USB显微镜 | $78.99 | Link 链接 | Small USB compatible microscope, useful for some soldering and part identification 兼容USB的小型显微镜,可用于某些焊接和零件识别 |
| MisVision Trinocular Microscope MisVision 三目显微镜 |
$78.99 | Link 链接 | Benchtop microscope 7-45x zoom, check out the review here 台式显微镜 7-45 倍变焦,在此处查看评论 |
| Aven Desktop Microscope Aven台式显微镜 | $697.91 | Link 链接 | 8-25x microscope with a built-in screen, helpful for soldering to small packages and doing BGA rework 内置屏幕的8-25倍显微镜,有助于焊接到小封装和进行BGA返工 |
| MANTIS Serices MCH-001 Microscope MANTIS Serices MCH-001显微镜 |
$1,310.00 | Link 链接 | High-powered microscope with interchangeable lenses, mounting arm, and lenses are sold separately 带有可互换镜头、安装臂和镜头的高倍显微镜单独出售 |
Oscilloscopes 示波器
While multimeters help us measure various signals on our target device, an oscilloscope can help us capture and visualize these measurements. When selecting a scope, you need to consider what the use case will be. Will you be doing differential power analysis or power trace captures? Or are you more interested in capturing other types of analog waveforms over a longer period? The main variables to look at when selecting an oscilloscope are:
万用表可以帮助我们测量目标设备上的各种信号,而示波器可以帮助我们捕获和可视化这些测量值。选择范围时,您需要考虑用例是什么。您是进行差分功率分析还是功率迹线捕获?或者您是否对在更长的时间内捕获其他类型的模拟波形更感兴趣?选择示波器时要考虑的主要变量是:
- Channel Count – How many channels can you capture on
通道计数 – 您可以在多少个通道上捕获 - Memory Depth – This is how long you can capture for
内存深度 – 这是您可以捕获的时间 - Sample Rate – How fast the analog signal is sampled
采样率 – 模拟信号的采样速度 - Bandwidth -Maximum frequency of an input signal that can be passed through the analog front end (probe)
带宽 – 可通过模拟前端(探头)的输入信号的最大频率
Without enough bandwidth, you will capture what appears to be a distorted signal, and with too slow of a sample rate, you risk data loss.
如果没有足够的带宽,您将捕获看似失真的信号,并且采样速率太慢,则有数据丢失的风险。
Remember: According to the Nyquist sampling theorem sampling rate should be at least 2x the frequency of your target signal at a minimum!
请记住:根据奈奎斯特采样定理,采样率至少应为目标信号频率的 2 倍!
An excellent introductory scope can be purchased for ~$500; all big manufacturers offer something in this range. For example, the SIGLENT SDS1104 is an excellent starting scope with a bandwidth of 100MHz and a sample rate of 1GSa/s. I’ve listed a few options below, ranging in price from lowest to highest, and included a few tables from some of the manufacturer’s websites as well:
一个优秀的介绍性范围可以以 ~500 美元的价格购买;所有大型制造商都提供此范围内的产品。例如,SIGLENT SDS1104 是一款出色的起始示波器,带宽为 100MHz,采样率为 1GSa/s。我在下面列出了一些选项,价格从低到高不等,还包括一些制造商网站上的一些表格:
| Item 项目 | Price 价格 | Link 链接 | Description 描述 |
|---|---|---|---|
| Signlent SDS1104X | $399.00 | Link 链接 | Great starter scope, easy to use, SCPI compatible 出色的入门范围,易于使用,兼容 SCPI |
| Rigol MSO5354 里戈尔MSO5354 | $1,999 | Link 链接 | High-bandwidth and sample rate, less memory than the SDS2000X series, 16 digital channels for internal logic analyzer 高带宽和采样率,内存比 SDS2000X 系列少,16 个数字通道用于内部逻辑分析仪 |
| SDS2000X | $2,999 | Link 链接 | High bandwidth, 2GSa/s sampling rate, large memory depth, HDMI out, SCPI compatible 高带宽、2GSa/s 采样率、大内存深度、HDMI 输出、SCPI 兼容 |
| SDS6204A | $60,000 + | Link 链接 | Extremely high capture rate and bandwidth, decoders and other features can bring the price to $100k easily 极高的捕获率和带宽、解码器和其他功能可以轻松将价格降至 10 万美元 |
Note: Many modern oscilloscopes can be upgraded via software. For example, many will have built-in logic analyzers and signal decoders. These will come at an extra cost; decoders are typically $100-$400, depending on the protocol, and other software upgrades can be purchased to unlock things like faster sample rates and increased bandwidth, etc. It’s easy for a 2k-4k oscilloscope purchase to turn into a 10k purchase once all the upgrades and add-ons have been included.
注意:许多现代示波器都可以通过软件进行升级。例如,许多将具有内置的逻辑分析仪和信号解码器。这些将收取额外费用;解码器通常为 100 至 400 美元,具体取决于协议,并且可以购买其他软件升级来解锁更快的采样率和增加的带宽等。一旦包含所有升级和附加组件,购买 2k-4k 示波器很容易变成 10k 购买。
Example Specifications: Rigol
Below are some specifications from the RIGOL MSO5000 line:
以下是RIGOL MSO5000系列的一些规格:
The MSO5354 is an excellent deal for this line, especially considering the 350MHz bandwidth and the 8GSa/s sampling rate. I have this in my lab and use it regularly.
对于这条线路来说,MSO5354是一笔极好的交易,特别是考虑到 350MHz 带宽和 8GSa/s 采样率。我的实验室里有这个,并经常使用它。
Example Specifications: Siglent
规格示例:Siglent
Here is a similar specification table from the SIGLENT SDS2000 line:
以下是 SIGLENT SDS2000 系列的类似规格表:
The Siglent and the Rigol have great options for the prices listed above. Make sure that you pick an appropriate scope per the types of targets you anticipate analyzing.
Siglent 和 Rigol 在上面列出的价格中有很多选择。确保根据预期分析的目标类型选择适当的范围。
Logic Analyzers 逻辑分析仪
Let’s say you identified a fluctuating voltage sequence with your multimeter and decided to look at the signal with your oscilloscope. After viewing the signal with the oscilloscope, you saw sequences of high and low pulses that look something like this:
假设您用万用表识别出波动的电压序列,并决定使用示波器查看信号。使用示波器查看信号后,您会看到高脉冲和低脉冲序列,如下所示:
We will need a Logic Analyzer to make more sense of this signal capture. Logic analyzers are used when analyzing digital signals; they can take sequences of high and low voltages and translate them into a stream of logical 1s and 0s. This stream of 1s and 0s can then be analyzed and decoded via software to display packet structures and more user-friendly data to the user. When choosing a logic analyzer, we need to consider the following:
我们需要一个逻辑分析仪来更好地理解这种信号捕获。逻辑分析仪用于分析数字信号;它们可以获取高电压和低电压序列,并将它们转换为逻辑 1 和 0 流。然后,可以通过软件对 1 和 0 流进行分析和解码,以向用户显示数据包结构和更用户友好的数据。在选择逻辑分析仪时,我们需要考虑以下几点:
- Channel Count – How many channels can be analyzed at once?
通道计数 – 一次可以分析多少个通道? - Sampling Rate – How quickly can we sample data?
采样率 – 我们可以以多快的速度采样数据? - Hardware Sampling Depth / Memory Depth – How long can we sample?
硬件采样深度/内存深度 – 我们可以采样多长时间? - Threshold Voltages – What voltage ranges are compatible with this device?
阈值电压 – 此设备兼容哪些电压范围?
When analyzing standard COTS devices that utilize SPI, eMMC, etc., the Kingst and DSLogic series logic analyzers will work 90% of the time. The Saleae has a well-polished software interface, including APIs for writing decoders and instrumenting captures. The analog capture features of the Saleae are also beneficial when debugging lower-level issues. Despite being the most expensive analyzers listed here, they are worth purchasing if your budget allows it.
在分析使用 SPI、eMMC 等的标准 COTS 器件时,Kingst 和 DSLogic 系列逻辑分析仪将在 90% 的时间内工作。Saleae 具有完善的软件界面,包括用于编写解码器和检测捕获的 API。Saleae 的模拟捕获功能在调试较低级别的问题时也很有用。尽管是这里列出的最昂贵的分析仪,但如果您的预算允许,它们值得购买。
| Item 项目 | Price 价格 | Link 链接 | Description 描述 |
|---|---|---|---|
| LA 1010 洛杉矶 1010 | $69.99 | Link 链接 | The Kingst LA series are suitable introductory logic analyzers, they are pulseview compatible and can also use the Kingst proprietary software Kingst LA 系列是合适的入门级逻辑分析仪,它们兼容脉冲视图,也可以使用 Kingst 专有软件 |
| DSLogic | $149.00 | Link 链接 | DSLogic is a series of USB-based logic analyzer, with max sample rate up to 1GHz, and max sample depth up to 16G. It uses an open-source fork of Pulseview DSLogic是一系列基于USB的逻辑分析仪,最大采样率可达1GHz,最大采样深度可达16G。它使用 Pulseview 的开源分支 |
| Analog Discovery 2 模拟发现 2 | $229.00 | Link 链接 | Multi-function USB Oscilloscope, Logic analyzer, signal generator and power supply 多功能USB示波器、逻辑分析仪、信号发生器和电源 |
| Saleae Logic 16 Saleae 逻辑 16 | $1500 | Link 链接 | Logic analyzer with variable logic levels, analog capture capability, and highly user-friendly software 具有可变逻辑电平、模拟捕获功能和高度用户友好型软件的逻辑分析仪 |
Oscilloscope Vs. Logic Analyzers
示波器与逻辑分析仪
Another common question that often comes up as we review the tools in class is
当我们在课堂上复习工具时经常出现的另一个常见问题是
What is an oscilloscope used for, and what is a logic analyzer used for? Don’t they both measure signals?
示波器是做什么用的,逻辑分析仪是做什么用的?它们不是都测量信号吗?
While the short answer is yes, they both measure electronic signals and visualize them for human consumption; there are a few key differences.
虽然简短的回答是肯定的,但它们既可以测量电子信号,也可以将其可视化以供人类使用;有几个关键区别。
-
Oscilloscopes are useful for analyzing analog waveforms, that is, data that is steadily changing over time
示波器可用于分析模拟波形,即随时间稳定变化的数据 -
Logic analyzers are used to analyze digital signals and convert high/low voltage pulses into a sequence of 0s and 1s that we can attempt to interpret.
逻辑分析仪用于分析数字信号,并将高/低压脉冲转换为我们可以尝试解释的 0 和 1 序列。
So, how do we choose what tool to use? For example, let’s say we are measuring a voltage source on a particular target we are trying to glitch. If we want to monitor the fluctuations of the voltage line, we should use an oscilloscope. The oscilloscope will let us observe the voltage over time, allowing us to see the small period where the voltage drops to a low value and then returns to normal. See the image below, where the purple line represents the voltage line being glitched:
那么,我们如何选择使用什么工具呢?例如,假设我们正在测量我们试图出现故障的特定目标上的电压源。如果我们想监测电压线的波动,我们应该使用示波器。示波器将让我们观察电压随时间的变化,让我们看到电压下降到低值然后恢复正常的小周期。请参见下图,其中紫色线表示出现毛刺的电压线:
We can also use oscilloscopes to characterize and capture power traces. For example, see the following power trace that was captured from the Trezor (purple line):
In the previous two examples, we measured a signal oscillating between a range of values and not just HIGH or LOW. There are fluctuations, rising and falling sequences, and other interesting patterns that we could not catch with our logic analyzer as the logic analyzer looks for either a high or low voltage and reports the results back to the user as a digital signal.
在前两个示例中,我们测量了一个在一系列值之间振荡的信号,而不仅仅是高或低。有波动、上升和下降序列以及其他有趣的模式,我们无法用逻辑分析仪捕捉到,因为逻辑分析仪会寻找高电压或低电压,并将结果作为数字信号报告给用户。
For an example of when we might use a logic analyzer, let’s revisit the oscilloscope capture from before:
例如,我们何时可以使用逻辑分析仪,让我们回顾一下之前的示波器捕获:
Notice that there are not nearly as many strange shapes or fluctuations in this signal; the line either appears at a high or low voltage at any given time. While some oscilloscopes can decode digital signals like this, they often are limited by how much memory they can use for a capture. So that means that if you’re trying to capture UART traffic on a Linux system that takes 60 seconds to boot, you would need a large amount of memory / a costly scope. Also, if you wanted to extract the data from the stream or try to decode it using custom plugins, getting access to the digital signal is a headache (Note It is possible, but logic analyzers greatly simplify this process for us). This is a perfect use case for our logic analyzer if we want to extract the data being encoded in this digital signal.
请注意,该信号中没有那么多奇怪的形状或波动;在任何给定时间,线路要么出现在高电压下,要么出现在低电压下。虽然一些示波器可以解码这样的数字信号,但它们通常受到可用于捕获的内存量的限制。因此,这意味着,如果您尝试在需要 60 秒启动的 Linux 系统上捕获 UART 流量,您将需要大量内存/昂贵的示波器。此外,如果您想从流中提取数据或尝试使用自定义插件对其进行解码,那么访问数字信号是一件令人头疼的事情(注意这是可能的,但逻辑分析仪为我们大大简化了这个过程)。对于我们的逻辑分析仪来说,这是一个完美的用例,如果我们想提取这个数字信号中编码的数据。
The Logic analyzer can sample for much longer because it samples a signal, reports whether the sample is high or low, and does not report back the exact values in between. Note that what defines high or low can often be configured within your logic analyzer software, but the analyzer will still report back either a 0 or 1. Because the logic analyzer is not concerned with all the values in between, it requires significantly less memory to capture over long periods.
逻辑分析仪可以采样更长的时间,因为它对信号进行采样,报告采样是高电平还是低电平,并且不会报告两者之间的确切值。请注意,定义高或低的值通常可以在逻辑分析仪软件中配置,但分析仪仍将报告0或1。由于逻辑分析仪不关心两者之间的所有值,因此需要的内存要少得多,因此可以长时间捕获。
To illustrate this, let’s revisit the older blog post we published last year. The following video shows that the voltage levels fluctuate around 3.3V and eventually return to idle at 3.3V.
为了说明这一点,让我们回顾一下我们去年发表的旧博客文章。以下视频显示,电压电平在3.3V左右波动,最终在3.3V时恢复空闲状态。
If we were to capture this signal with an oscilloscope, it would look very similar to the screenshot we referenced earlier. However, there is one problem – this system takes about 90 seconds to boot, and ideally, we want to capture all of the traffic in a way that allows us to analyze it. This is where our logic analyzer will come in handy.
如果我们用示波器捕获这个信号,它看起来与我们之前引用的屏幕截图非常相似。但是,有一个问题 – 这个系统大约需要 90 秒才能启动,理想情况下,我们希望以一种允许我们分析它的方式捕获所有流量。这就是我们的逻辑分析仪将派上用场的地方。
After connecting our logic analyzer to the signals referenced in the blog post, our logic analyzer software (Pulseview) captures the following:
将我们的逻辑分析仪连接到博客文章中引用的信号后,我们的逻辑分析仪软件(Pulseview)会捕获以下内容:
With this traffic captured, we can set up a decoder to get human-readable values out of this signal, as shown below:
捕获此流量后,我们可以设置一个解码器,从该信号中获取人类可读的值,如下所示:
Now, we can export this data to a text or binary file for further analysis.
现在,我们可以将此数据导出到文本或二进制文件以供进一步分析。
So, in summary – when we want to capture digital signal traffic such as SPI, UART, I2C, JTAG, etc, we use a logic analyzer. If we want to analyze the shape of the waveform or we are investigating an analog signal such as a power source or audio signal, we use an oscilloscope.
因此,总而言之,当我们想要捕获数字信号流量(如SPI、UART、I2C、JTAG等)时,我们使用逻辑分析仪。如果我们想分析波形的形状,或者我们正在研究电源或音频信号等模拟信号,我们使用示波器。
Clips / Jumpers / Probes
夹子/跳线/探头
Sometimes, we have to connect to specific pads or pins to analyze the signal on our target device, but that does not always require soldering and removing components. Probing test pads and reading flash chips in-circuit can significantly reduce the debugging/analysis time when performing firmware patches or testing PoCs. Below are some helpful items that I use when soldering/connecting to new targets. The PCBite kit is handy as the fine-tip probes will often save you from needing to solder to test pads when performing initial analysis.
有时,我们必须连接到特定的焊盘或引脚来分析目标设备上的信号,但这并不总是需要焊接和移除组件。在执行固件补丁或测试PoC时,探测测试板和在线读取闪存芯片可以显著减少调试/分析时间。以下是我在焊接/连接到新目标时使用的一些有用物品。PCBite 套件非常方便,因为在进行初始分析时,细尖探头通常无需焊接到测试焊盘上。
| Item 项目 | Price 价格 | Link 链接 | Description 描述 |
|---|---|---|---|
| Premium Silicone Jumper Wires 优质硅胶跳线 |
$11.95 | Link 链接 | Used to make breadboard connections, etc 用于进行面包板连接等 |
| Pomona SOIC8 Clip | $18.19 | Link | Used to clip onto SOIC8 packages |
| Pomona SMD Grabber Pin | $21.79 | Link | Useful for grabbing individual pins of small packages such as QFP microcontrollers, etc. |
| KOTTO Helping Hands | $23.99 | Link | Useful when soldering to smaller devices |
| XKM-S EX Hook Pin Grabbers | $30.06 | Link | Helpful for grabbing pins of SOIC8 chips and other packages with wide footprints |
| PCBite Kit | $190 | Link | Handy magnetic probe kit with PCB holders and pogo pins |
Power Supplies
When picking a power supply, you need to consider the power requirements of your targets. Be sure to review the voltage and current limitations and choose an appropriate supply based on the targets you will analyze. Some power supplies have options like Over-Current Protection (OCP), which is a feature that prevents a power supply from providing more current than it can handle. Some power supplies will also include a Remote Sense feature that is used to regulate the output voltage at the target load. This compensates for the voltage drop across the cables connecting the power supply to the target load.
| Item | Price | Link | Usage | ||
|---|---|---|---|---|---|
| KC3010D | $49.99 | Link | Low cost introductory power supply | ||
| Hyelec 30V 5A Switching DC Bench Power Supply | $56.99 | Link | Adjustable power supply with output enable line | ||
| RD6006 | $85.00 | Link | Low-cost front end for power supply, can be used with an old ATX supply or other DC barrel jack power supplies | ||
| Siglent SPD1168X | $265.00 | Link | Power supply with programmable output and voltage sensing, also SCPI interface | ||
| Rigol DP832 | $399.00 | Link | Three channel power supply (30V/3A | 30V/3A, 5V/3A) | |
| Keysight E36233A 400W Dual Output Supply | $3,569 | Link | High wattage dual output supply, 30V/20A/400W, SCPI interface | ||
| BK Precision 9140 32V / 8A / 300W Triple-output Bench Power Supply | $1,940 | Link | High current, high power, Ethernet/LXI interface, three outputs, compact |
JTAG / Debug Adapters
Perhaps during your teardown, you discovered a set of test points or debug headers that you believe might be for hardware-level debugging, such as JTAG or SWD. If you’re trying to get hardware-level debugging working on a target, it is always a good idea to see what OEM tools are available. I’ve compiled a list below of some of the more generic tools I keep in my toolbox. Most of these are ARM-focused, as many other JTAG tooling for different architectures will often involve purchasing specific hardware/software or utilizing OpenOCD.
| Item | Price | Link | Usage |
|---|---|---|---|
| FT2232H Breakout Board | $14.95 | Link | Generic interface board, capable of SPI, I2C, UART, etc |
| STLink | $22.16 | Link | Easy to work with, largely focused on STM32, but can be used as a generic SWD adapter with OpenOCD |
| Tigard | $49.00 | Link | Open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking. |
| Black Magic Probe | $74.95 | Link | Open source JTAG probe, can be used with OpenOCD |
| JLink | $529.12 | Link | Extremely sound software support, supports a large amount of ARM chips, has built-in level shifting |
| Lauterbach | TBD | Link | Extremely powerful JTAG tooling that can be purchased with licenses targeting specific architectures/chipsets |
When attempting to utilize a hardware debug mechanism (especially from a black box perspective), there is no “one size fits all” tool. Whether you are accessing a JTAG tap or an SWD peripheral, there are two hurdles that you need to overcome:
- Can your hardware communicate with the TAP/DAP?
- Logic Levels, appropriate speeds, timings, etc
- Can your software properly enumerate and interact with the TAP/DAP?
- OpenOCD, UrJTAG, OEM Tools, etc
The right tools for the job is critical when looking at a new hardware-level debug peripheral. Make sure that you search for OEM software/hardware and always check the latest OpenOCD commits for similar targets.
Flash Readers
So, you have done your initial teardown and identified a non-volatile storage device from which you want to extract some data. Perhaps there is a SPI flash chip or a TSOP 48 parallel flash that you want to extract data from. Many flash readers are available; below is a list of what I have in my lab. The Xeltek is somewhat expensive (it is currently on sale for $995.00), and the individual sockets for different chip packages range from $400-$700, so the cost adds up quickly. However, with that cost comes support from Xeltek and fairly reliable tooling, assuming you are comfortable with BGA rework and re-balling ICs, this may be the right choice for you and your team.
| Item | Price | Link | Usage |
|---|---|---|---|
| Transcend SD Card Reader | $10.99 | Link | Good for in-circuit eMMC reads, device supports low speeds and 1-bit eMMC modes |
| CH341A USB Programmer | $13.99 | Link | Generic SPI flash programmer, compatible with flashrom |
| FT2232H Breakout Board | $26.99 | Link | Generic breakout board, can be used with flashrom, openocd, etc. |
| FlashCAT USB Programmer | $99.00 | Link | Parallel flash extraction, TSOP48/56 |
| XGecu T56 | $199.00 | Link | All-purpose flash extraction, SPI, eMMC, NAND, etc |
| Easy JTAG | $399.00 | Link | All-purpose flash extraction, one of the few readers on the market to support UFS extraction |
| Xeltek Superpro | $995.00 | Link 链接 | Enterprise flash programmer, high quality, sockets for different chips can be pretty expensive 企业闪存编程器,高质量,不同芯片的插槽可能非常昂贵 |
| Dataman 48Pro2 Super Fast Universal ISP Programmer Dataman 48Pro2 超快速通用 ISP 编程器 |
$1,195.00 | Link 链接 | Industrial programming tool, expensive, but does consistently work on the supported ICs 工业编程工具,价格昂贵,但在支持的IC上始终如一地工作 |
In my experience, no flash readout tool works on everything. Some tools are better at certain flash types than others. Having a few options in your hardware hacking toolbox is always a good idea if your preferred tool does not support your target device. If I had to pick two devices from the list above, I would choose the FlashCAT and the XGecu T56; you will have a wide range of target chip coverage between those two.
根据我的经验,没有闪光灯读出工具适用于所有事情。有些工具在某些闪光灯类型上比其他工具更好。如果您的首选工具不支持您的目标设备,那么在您的硬件黑客工具箱中拥有一些选项总是一个好主意。如果我必须从上面的列表中选择两款设备,我会选择 FlashCAT 和 XGecu T56;在这两者之间,您将拥有广泛的目标芯片覆盖范围。
SBCs / Interface Tools
SBC / 接口工具
Having a few generic embedded interface tools in your toolkit is always a good idea. I am a big fan of using embedded Linux SBCs due to their flexibility and the fact that you have an entire OS at your disposal, which can open up opportunities to use your favorite programming language to interact with the standard peripherals. One of the most common Linux-based SBCs, the Raspberry Pi, has been difficult to acquire over the last few years. Luckily, the Armbian project supports other boards, such as the Orange Pi Zero 2 and the Orange Pi 4 LTS. You may not always require a fully featured OS, and you just need a tool that can talk to peripherals. In this case, having FT2232H-based boards, such as the generic breakouts and things like the Tigard, will also come in handy. While the FT2232H is a well known, classic interface IC, the RP2040 is quickly gaining popularity due to its ease of use and availability. The Buspirate, a classic embedded Swiss army knife, recently released a new version that the RP2040 powers (Note that the Link below is for just the PCB and not for the entire product)
在您的工具包中加入一些通用的嵌入式接口工具总是一个好主意。我非常喜欢使用嵌入式 Linux SBC,因为它们具有灵活性,而且您拥有完整的操作系统,这可以为您提供使用您最喜欢的编程语言与标准外围设备进行交互的机会。Raspberry Pi 是最常见的基于 Linux 的 SBC 之一,在过去几年中一直很难获得。幸运的是,Armbian项目支持其他板,如Orange Pi Zero 2和Orange Pi 4 LTS。您可能并不总是需要功能齐全的操作系统,您只需要一个可以与外围设备通信的工具。在这种情况下,拥有基于 FT2232H 的板,例如通用分线板和 Tigard 之类的东西,也会派上用场。虽然 FT2232H 是众所周知的经典接口 IC,但 RP2040 因其易用性和可用性而迅速普及。Buspirate 是一款经典的嵌入式瑞士军刀,最近发布了由 RP2040 供电的新版本(请注意,下面的链接仅适用于 PCB,不适用于整个产品)
| Item 项目 | Price 价格 | Link 链接 | Usage 用法 |
|---|---|---|---|
| FT2232H Breakout Board FT2232H分线板 | $14.95 | Link 链接 | Generic interface board, capable of SPI, I2C, UART, etc 通用接口板,支持SPI、I2C、UART等 |
| Arduino Nano Arduino 纳米 | $24.90 | Link 链接 | Generic board for learning embedded programming and protocols 用于学习嵌入式编程和协议的通用板 |
| BusPirate 巴士海盗 | $27.85 (PCB Only) 27.85 美元(仅限 PCB) | Link 链接 | Universal Open Source Hacking Tool 通用开源黑客工具 |
| Orange Pi Zero 2 橙色Pi Zero 2 |
$35.99 | Link 链接 | Low power general purpose Linux SBC, supported by Armbian 低功耗通用 Linux SBC,受 Armbian 支持 |
| Tigard 泰格德 | $49.00 | Link 链接 | Open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking. 基于FT2232H的开源、多协议、多电压工具,用于硬件黑客攻击。 |
| Orange Pi 4 LTS 橙色派 4 LTS |
$77.90 | Link 链接 | Linux based SBC, supported by Armbian 基于 Linux 的 SBC,受 Armbian 支持 |
Fault Injection 故障注入
Fault injection (FI) involves introducing an error/modification minor enough to cause undefined behavior on a target but not enough to stop the target from operating entirely. This typically involves injecting a high-voltage pulse or temporarily draining the voltage from a targeted power source or “rail” on the target system.
故障注入 (FI) 涉及引入足够小的错误/修改,该错误/修改足以在目标上导致未定义的行为,但不足以阻止目标完全运行。这通常涉及注入高压脉冲或暂时释放目标系统上目标电源或“电源轨”的电压。
By causing momentary voltage modulations (either above or below the expected voltage), we can force our target system to enter a realm of undefined behavior. An adequately targeted fault can bypass various security checks or other features that may impede an attacker or reverse engineer.
通过引起瞬时电压调制(高于或低于预期电压),我们可以迫使目标系统进入未定义行为的领域。针对性充分的故障可以绕过各种安全检查或其他可能阻碍攻击者或逆向工程的功能。
When it comes to FI, I think that Furrtek explained it best here:
说到FI,我认为Furrtek在这里解释得最好:
Regarding FI, anything capable of pulling a voltage line low or injecting a clock pulse can work. However, depending on your target and attack, you might need advanced timing or protocol triggering, where tools such as the ChipWhisperer become very handy. When learning the fundamentals of fault injection, you cannot go wrong with an introductory ChipWhisperer kit. Their materials and example targets explain the principles behind fault injection and provide a tested, repeatable learning environment. I can’t recommend their materials highly enough. If the ChipWhisperer tools are too expensive for your budget, however, there are other tools that folks have used in the past. I have included the tools in the table below and provided some example blog posts that utilize them to help get you started. We have also published a blog post here as an introduction to FI.
关于FI,任何能够将电压线拉低或注入时钟脉冲的东西都可以工作。但是,根据您的目标和攻击,您可能需要高级时序或协议触发,其中 ChipWhisperer 等工具变得非常方便。在学习故障注入的基础知识时,使用入门级 ChipWhisperer 套件不会出错。他们的材料和示例目标解释了故障注入背后的原理,并提供了一个经过测试的、可重复的学习环境。我不能高度推荐他们的材料。但是,如果 ChipWhisperer 工具对于您的预算来说太贵了,那么人们过去也使用过其他工具。我在下表中包含了这些工具,并提供了一些示例博客文章,利用它们来帮助您入门。我们还在这里发表了一篇博文,作为对FI的介绍。
| Item 项目 | Price 价格 | Link 链接 | Projects / Blog Posts 项目/博客文章 |
|---|---|---|---|
| RP2040 RP2040型 | $4.00 | Link 链接 | Pico Glitcher, PicoRHG – Xbox 360 Glitch, AirTag Voltage Glitching Pico Glitcher、PicoRHG – Xbox 360 故障、AirTag 电压故障 |
| PocketBeagle 袖珍小猎犬 | $35.63 | Link 链接 | The PocketGlitcher, |
| ICEStick ICE40 FPGA | $49.00 | Link 链接 | Grazfather’s LPC Glitch, IceStick Glitcher Grazfather 的 LPC 故障,IceStick 故障 |
| ChipShouter PicoEMP ChipShouter PicoEMP系列 | $60.00 | Link 链接 | EMFI Made easy with PicoEMP 使用 PicoEMP 轻松实现 EMFI |
| ChipWhisperer Lite ChipWhisperer 精简版 | $315.00 | Link 链接 | Replicant: Reproducing a FI Attack on the Trezor One 复制人:重现对 Trezor One 的 FI 攻击 |
| ChipWhisperer Husky ChipWhisperer 赫斯基 | $549.00 | Link 链接 | RL78 Glitching (done by Colin O’Flynn) RL78 毛刺(由 Colin O’Flynn 完成) |
| ChipShouter Kit ChipShouter 套件 | $4125.00 | Link 链接 | EMFI for Automotive Safety with ChipShouter EMFI 与 ChipShouter 一起实现汽车安全 |
There are also plenty of great talks that you can find online about fault injection; I’ve listed some of my favorites below:
您还可以在网上找到许多关于故障注入的精彩演讲;我在下面列出了一些我的最爱:
- Chip.fail 芯片失败
- Glitched on Earth by Humans
人类在地球上出现故障 - One Glitch to Rule Them All: Fault Injection Attacks against AMD’s Secure Processor
一个小故障可以解决所有问题:针对AMD安全处理器的故障注入攻击 - NCC Group – An Introduction to Fault Injection
NCC Group – 故障注入简介
Radio Frequency Tooling and Instrumentation
射频工具和仪器仪表
In the realm of security testing, these tools play a crucial role in assessing and safeguarding the integrity of wireless communication systems and devices. High-cost options provide powerful capabilities for in-depth analysis of various RF signals, allowing security professionals to identify vulnerabilities, intercept and decode wireless transmissions, and assess the robustness of communication protocols. These tools are often employed in academic and research settings for advanced RF security research. On the other hand, low-cost options are accessible solutions that aid in testing and securing more common wireless technologies, including RFID, Bluetooth, Wi-Fi, and various ISM band devices.
在安全测试领域,这些工具在评估和保护无线通信系统和设备的完整性方面发挥着至关重要的作用。高成本选项为深入分析各种射频信号提供了强大的功能,使安全专业人员能够识别漏洞、拦截和解码无线传输,并评估通信协议的鲁棒性。这些工具通常用于学术和研究环境,用于高级射频安全研究。另一方面,低成本选项是可访问的解决方案,有助于测试和保护更常见的无线技术,包括 RFID、蓝牙、Wi-Fi 和各种 ISM 频段设备。
High-Cost Options 高成本选项
| Item 项目 | Price (Approximate) 价格(近似值) | Link 链接 | Description 描述 |
|---|---|---|---|
| HackRF One HackRF一号 | $300 – $350 | Buy HackRF One 购买 HackRF One | A versatile SDR platform for analyzing and testing a wide range of radio signals. 一个多功能的SDR平台,用于分析和测试各种无线电信号。 |
| Proxmark3 Proxmark3 (英语) | $250 – $300 | Buy Proxmark3 购买 Proxmark3 | A dedicated RFID/NFC testing and hacking tool, allowing reading, emulating, and modifying RFID/NFC cards. 专用的 RFID/NFC 测试和黑客工具,允许读取、模拟和修改 RFID/NFC 卡。 |
| LimeSDR LimeSDR的 | $250 – $350 | Buy LimeSDR 购买 LimeSDR | A flexible SDR platform suitable for RF security research and testing. 灵活的SDR平台,适用于射频安全研究和测试。 |
| USRP (Universal Software Radio Peripheral) USRP(通用软件无线电外设) |
$1,000+ | Buy USRP 购买 USRP | High-end SDR platforms for advanced RF research and security testing in academic and research settings. 高端 SDR 平台,用于学术和研究环境中的高级射频研究和安全测试。 |
| Signal Hound Real-time Spectrum Analyzer Signal Hound 实时频谱分析仪 |
$1,190+ | Buy Signal Hound 购买 Signal Hound | High-speed spectrum analysis for advanced RF research and security testing in academic and research settings. 高速频谱分析,用于学术和研究环境中的高级射频研究和安全测试。 |
| Copper Mountain Vector Network Analyzer 铜山矢量网络分析仪 |
$10,000+ | Buy Copper Mountain 购买 Copper Mountain | Specialized instrument for measuring Antennas, RF cables, and RF systems, some instruments with additional options can measure up-to W-Band (75 – 110 GHz) 用于测量天线、射频电缆和射频系统的专用仪器,一些带有附加选项的仪器可以测量高达 W 波段 (75 – 110 GHz) |
Low-Cost Options 低成本选项
| Item 项目 | Price (Approximate) 价格(近似值) | Link to Buy 购买链接 | Description 描述 |
|---|---|---|---|
| Flipper Zero 零鳍状肢 | $150 – $200 | Buy Flipper Zero 购买 Flipper Zero | A multifunctional security testing and hacking tool with RF capabilities, including RFID and NFC testing. 具有射频功能的多功能安全测试和黑客工具,包括 RFID 和 NFC 测试。 |
| YARD Stick One YARD Stick One(码棒一号公寓) | $100 – $150 | Buy YARD Stick One 购买 YARD Stick One |
A wireless transceiver for sub-1 GHz testing and attacks on ISM band devices and other low-frequency signals. 用于对ISM频段设备和其他低频信号进行低于1 GHz测试和攻击的无线收发器。 |
| Ubertooth One Ubertooth One(优步一号公寓) | $100 – $150 | Buy Ubertooth One 购买 Ubertooth One | Designed for Bluetooth security testing, particularly capturing BLE packets for security assessments. 专为蓝牙安全测试而设计,特别是捕获 BLE 数据包以进行安全评估。 |
| RTL-SDR | $20 – $30 | Buy RTL-SDR 购买 RTL-SDR | An affordable and versatile SDR dongle for exploring and analyzing a wide range of RF signals. 一款经济实惠的多功能 SDR 加密狗,用于探索和分析各种射频信号。 |
| Wi-Fi Pineapple Wi-Fi 菠萝 | $100 – $200 | Buy Wi-Fi Pineapple 购买 Wi-Fi 菠萝 | Used for Wi-Fi security assessments and creating rogue Wi-Fi access points, often used alongside RF devices. 用于 Wi-Fi 安全评估和创建恶意 Wi-Fi 接入点,通常与射频设备一起使用。 |
| PortaPack H1 | $100 – $150 | Buy PortaPack H1 购买 PortaPack H1 | An add-on for the HackRF One that provides a more user-friendly interface for HackRF interactions in the field. HackRF One 的附加组件,为现场的 HackRF 交互提供了更加用户友好的界面。 |
| TinySA Ultra | $100 – $200 | Buy TinySA Ultra 购买 TinySA Ultra | An affordable spectrum analyzer and signal generator tool, can measure signals up to 12 GHz 经济实惠的频谱分析仪和信号发生器工具,可测量高达 12 GHz 的信号 |
| NanoVNA 纳米VNA | $300 – $789 | Buy NanoVNA 购买 NanoVNA | Affordable specialized instrument for measuring Antennas and RF Systems, depending on which model it covers most ISM bands under 6 GHz 用于测量天线和射频系统的经济实惠的专用仪器,具体取决于其型号,可覆盖 6 GHz 以下的大多数 ISM 频段 |
| LibreVNA | $500 – $700 | Buy LibreVNA 购买 LibreVNA | Affordable specialized instrument for measuring Antennas and RF Systems, offers full 2-port measurements, and covers ISM bands under 6 GHz 用于测量天线和射频系统的经济实惠的专用仪器,提供完整的 2 端口测量,并覆盖 6 GHz 以下的 ISM 频段 |
Other Helpful Tools 其他有用的工具
- Overhead lighting 头顶照明
- Helping hands 伸出援助之手
- Generic Teardown Tools (Ifixit)
通用拆解工具 (Ifixit) - Mini Electric Drill 迷你电钻
- Silicone Mat 硅胶垫
- Generic Wire Strippers / Pliers
通用剥线钳/钳子
Conclusion 结论
This write-up covered some of the tools required to build your first hardware hacking toolkit. This by no means is an exhaustive list, and I’m sure there are plenty of alternatives to the devices I’ve listed here.Also, it should be noted that you don’t need all of these tools to start hacking on hardware. Sometimes it makes more sense to buy what you need for a given project and save money for nicer equipment later on. I hope this guide was helpful; I plan to revisit this writeup regularly to update it with new tools. If you think a tool should be added to this guide, feel free to email at [email protected] or on Twitter. A list of just the components discussed here can be found on this github repository, and all pull requests are welcome!
这篇文章涵盖了构建您的第一个硬件黑客工具包所需的一些工具。这绝不是一个详尽的列表,我相信我在这里列出的设备有很多替代品。另外,应该注意的是,您不需要所有这些工具来开始对硬件进行黑客攻击。有时,购买给定项目所需的东西并在以后为更好的设备省钱更有意义。我希望本指南对您有所帮助;我计划定期重新审视这篇文章,用新工具更新它。如果您认为应该将工具添加到本指南中,请随时发送电子邮件至 [email protected] 或 Twitter。这里讨论的组件列表可以在这个 github 存储库中找到,欢迎所有拉取请求!
If you are interested in learning more about hardware-level reverse engineering, check out our training course or reach out to us for any consulting needs. If you want to get notified when a new blog post, course, or tool is released, consider signing up for the mailing list. I only send emails when there are actual posts or course updates. Lastly, you can follow me on Twitter for various updates on side projects and classes.
如果您有兴趣了解有关硬件级逆向工程的更多信息,请查看我们的培训课程或联系我们了解任何咨询需求。如果您想在发布新的博客文章、课程或工具时收到通知,请考虑注册邮件列表。我只在有实际帖子或课程更新时发送电子邮件。最后,您可以在 Twitter 上关注我,以获取有关副业和课程的各种更新。
原文始发于voidstarsec:VSS: Beginners Guide to Building a Hardware Hacking Lab
转载请注明:VSS: Beginners Guide to Building a Hardware Hacking Lab | CTF导航
相关文章
