In recent years, embedded device security has made its way into the public consciousness as attackers target the now ubiquitous smart devices in homes and offices. But hackers were tinkering with embedded devices long before the Internet of Things was a consumer-friendly, interconnected web. Devices are often full of data that’s pretty easy to snag, and there’s something very satisfying about taking apart hardware and getting into the software layer to develop exploits. You know how little kids take things apart to understand how they work? That same allure drives hackers to try to open up these smart devices for fun and profit.
We admit that at Bishop Fox we’re drawn to breaking things too—and we love that we can do it as part of protecting our clients against the real bad guys. In the last few years, our New York City team started amassing a hardware lab to perform product security reviews and research client devices. Having spent some time developing a hardware lab in my own home, I volunteered to help spec out equipment for the NYC lab.
Our lab setup opens up a whole new vector to comprehensively assess hardware including smart devices, industrial control systems, and consumer and enterprise IoT devices. We’d like to get into them all, and the first step to scratching that itch is having the right tools for the job.
There are many considerations when building out a hardware lab, but the primary goal of this post is to focus on what kinds of tools you’ll want to have to establish an effective lab based on your needs and budget. We don’t intend to provide a comprehensive list of all of the tools you will ever need, since there are a multitude of specific tools to deal with edge cases (like proprietary debuggers). We also won’t go too far into wireless since that could easily be the subject of its own post. Instead, this post will cover our general recommendations for soldering and desoldering equipment, test equipment, and assorted other tools and equipment worth considering for your hardware lab.
For our NYC hardware lab, we purchased the following soldering equipment, based on our needs and budget. That’s not to say you need to buy these exact same tools, but pay close attention to the specifications on the irons you’re buying to make sure they’re up to par:
The soldering iron is the cornerstone of any hardware hacking lab. You’ll be using it often for common hardware hacking tasks like component soldering, adding headers, and running jumper wires. Because of this, you should prioritize getting a quality soldering iron, even if you are only a hobbyist. Cheap irons may sound appealing, but often come with downsides that can make soldering a pain like inaccurate temperatures, poor thermal transfer, and tips with a short lifespan. Low-quality irons can also muddy your progress if you’re working to improve your soldering technique. A common beginner mistake is thinking you suck because your solder won’t stick to anything. A bad iron can cause you to adopt bad techniques like applying heat to contacts for way too long or using too much heat, leading to damaged pads, traces, and pins.
For our lab, we selected the Hakko® FX-951 soldering station because:
If the FX-951 is too expensive for your budget, try an entry-level professional station like the Hakko FX-888D. The FX-888D and similar irons from competitors are excellent choices because they are reasonably powerful, offer a wide range of tips, and are temperature-controlled for a price point of less than 100 dollars. Alternatively, the open-source STM32-based TS100, TS80, and T12 clone stations are gaining traction in the hardware hacking and repair communities for being low-cost and highly portable while still offering the features of more expensive irons.
Whatever station you decide on, ensure that it supports a variety of tips for different jobs and is temperature-controlled so you can avoid mishaps due to inappropriate temperature settings.
It’s tempting to pick up lead-free solder given lead’s harmful properties, but leaded solder is far easier to work with since its melting point is much lower than lead-free solder. Lead-free solder is notoriously difficult to work with, which is especially frustrating for beginners. A balance of at least 63% tin to 37% lead is ideal for hardware hacking and home engineering. The small diameter (between .050 and .015 millimeters) makes it easier to solder to tiny surface mount components and reduce the risk of solder bridges, but it’s helpful to keep thicker solder around just in case you need to solder to larger contacts like ground planes. Using solder with a flux core can help solder to stick to things (wick) better by reducing some of the surface corrosion on contacts.
For our lab, we choose the Kester® 24-6337-8806 245 no-clean flux core solder.
Flux plays an important role by cleaning corrosion off of components, allowing solder to wick to metal more easily. Flux also lowers surface tension, allowing components to be soldered far more easily and reducing incidents of solder bridges. Note that more “active” flux is better at cleaning components at the cost of being more corrosive. Typically, we rely on “active” flux only for working on older, more corroded components that you might encounter if you spend a lot of time repairing things. Flux can be marked as “no-clean”, meaning its technically OK to leave some flux residue on the board (although you should always try to clean off flux unless you’re nasty). No-clean flux is the preferred type for hardware hacking because you’re probably not going to want to spend a ton of time meticulously cleaning a board while you’re reversing it.
For most hardware hacking projects, you’ll likely rely on low- to mid-activity flux. It’s a good idea to keep both tacky flux and a liquid flux pen handy to suit different needs, but personal preference may dictate what you tend to use more. We ended up purchasing Amtech NC-559-V2-TF for its widespread use in the repair community.
Even if you use no-clean flux, it’s a good idea to clean it off with a brush and alcohol to avoid residue. We went with 99% alcohol from MG Chemicals® and generic anti-static brushes, but any brand of 90 to 99% alcohol will do. You can also use a toothbrush if anti-static brushes are hard to come by. While alcohol is safe for circuit boards, scrubbing too hard can remove the board’s finish. Make sure you exercise restraint when cleaning off flux.
Keeping a soldering iron’s tips clean and tinned will greatly extend their lifespan and prevent corrosion. Although it’s true that you can clean tips by just placing solder on the tip, tip tinner is fairly inexpensive and convenient. We bought Thermaltronics® TMT-TC-2, but any lead-free tip tinner should do.
Even though many cheaper soldering irons come with a holder that has a sponge for tip cleaning, it’s a good idea to get a tip cleaner that uses a ball of wire. Wire-type cleaners are more abrasive and therefore better at removing excess solder from tips. Our lab’s FX-951 and most other decent soldering stations come with a wire tip cleaner, but I’ve used a Hakko 599B-02 in the past for soldering irons that didn’t come with a wire tip cleaners like the TS100.
It’s extremely important to keep a board in place while you’re soldering so the device and iron don’t move around. Board holders like the Aven© 17010 or a Stickvise™ with high temperature jaws are extremely useful for this purpose. Third hand tools are also extremely useful because they can hold components or boards in place while soldering. I use a QuadHands® helping hands tool in my home lab and it’s served me well for years.
Solder fumes can be nasty, especially for people with asthma. Even though most hardware hacking sessions won’t cause exposure to fumes for extended periods of time, it’s a good idea to get a small desktop fume extractor. Safety first. Our choice for a fume extractor was the Hakko FA400-04 because its compact, portable, and can be turned face down for a lower profile and slightly better airflow.
Desoldering is a major part of hardware hacking. You’ll often find that removing chips with a hot air rework station is the most effective way to extract firmware from a device, especially if obtaining firmware through updates or directly from the manufacturer’s site isn’t feasible. Occasionally, you’ll also have to remove solder from unpopulated headers on a board to solder in headers. Regardless of the occasion, it’s important to have desoldering equipment around in your lab to deal with whatever arises.
Here’s the list of desoldering equipment we have for our NYC hardware lab:
A hot air station will allow you to blow air at a temperature that is high enough to melt solder. This is particularly useful for removing components from a board because it allows you to heat the whole component evenly (In contrast, a soldering iron can really only heat a small spot at one time.)
For our lab, we chose the Quick 957DW+ hot air station because:
The main specifications to pay attention to in a hot air station are airflow, wattage, and maximum temperature. For reverse engineering projects, you really don’t need an expensive, powerful station. Most desoldering work with a hot air rework station is removing smaller flash chips, so expensive professional hot air stations are overkill in our opinion, unless you also plan to do a lot of repair work as well.
The 858D hot air station type is popular with hobbyists because they are cheap, rated at 700 watts, 120 liters per minute, and have a max temperature of 480°C. Before I upgraded my personal hot air station to a Quick 861DW for more power and reliability, I had an 858D. It served me well for a few years, but buying one of these can be tricky. They are sold under many different brands and some were reported to have dangerous wiring issues inside and quality issues (hang onto your eyebrows). If you’re going to go for the cheaper 858D, make sure you buy one from a respected vendor that has reviews that confirm they are free of issues. It would also be a good idea to take it apart and take a multimeter to it to make sure it is properly grounded and free from wiring faults.
A hand soldering pump is very useful for desoldering through-hole components and removing solder from unpopulated header holes; however, they are notoriously difficult to use. We decided on the Engineer® SS-02 because the flexible tips can form a better seal around component legs and pins, making desoldering a bit easier. However, any decent quality hand pump should be fine since they all behave similarly and don’t differ that much in features. Desoldering guns with an electric vacuum pump are way easier to use and much quicker, but hardware hackers rarely have to desolder enough to justify the cost. If you really have a tough time using hand pumps or plan on doing a lot of repair work, go for a cheap desoldering gun like the ZD-915.
The bane of most hardware hackers’ existence is the desoldering braid, which is notoriously hard to use without practice. The thing is, it can save you in a pinch when you need to clean up some solder bridges, re-do a soldering job, or clean pads of solder before reattaching a chip. For our lab, we got MG Chemicals’ #3 no-clean super wick, but any braid that has flux residue on it should be fine.
Polyimide tape (better known as the genericized trademark Kapton tape) is very heat resistant, making it useful for covering components you don’t want to accidentally remove when desoldering something with a hot air gun. The brand isn’t terribly important as long as you’re not buying something shady and cheap, but it’s a good idea to buy a pack of different sizes of Kapton tape to suit your needs.
Whether you work on a workbench or your mother’s dinner table, protecting your work surface from the high heat of a hot air rework station is very important. Silicone mats are heat-resistant to temperatures over 900°F, making them ideal for protecting your work surface. Most mats are of similar quality, so don’t fret too much over buying some fancy expensive one over a basic option. Keep in mind that silicone mats are not the same as electrostatic discharge (ESD) mats. If you have the dedicated space for an ESD mat, it’s recommended to line your workspace with one and reserve your silicone mat for high-temperature work. While I’ve never had trouble with static on a silicone mat hurting a device under test, they can generate static when they’re moved around or peeled off of a desk. We use a BTSHOW large soldering mat in our lab.
Electronics testing equipment is invaluable for understanding a device’s behavior during the reverse engineering process. It’s fairly common to find interesting chips, test points, pins, and headers once a device is disassembled. Test equipment allows you to probe for signals on a device that can lead to identifying debugging interfaces. With the right adapters, it’s possible to use these interfaces to gain access to debugging functionality, serial consoles, extract firmware, or sniff communication between components in the device. For this reason, an arsenal of test equipment is integral to a hardware lab.
In the process of reverse engineering, you will likely make extensive use of a multimeter’s most basic functionality like continuity testing and measuring voltage to find test points and understand how the device is designed. Because of this, in most cases a simple cheap multimeter should be fine for reverse engineering. However, features like measuring resistance, capacitance, current, and diode testing mode can be useful for diagnostics or more in-depth reversing tasks.
When selecting a multimeter, be sure to look out for a model that offers a decent display count to give a more accurate reading of the component being measured. While a display count of 2,000 to 6,000 is fine, the higher you can get away with within your budget the better. A meter with auto-ranging is helpful because it saves you from doing some guesswork while measuring components. However, it’s not a big deal to save some money by buying a cheaper meter that requires you to manually select your measurement range.
Regardless, you should make sure you get a meter that has enough range to measure low voltage and low current, since most devices you will be reverse engineering won’t exceed 5 volts DC for transistor to transistor logic (TTL) and 12 volts DC for power. The NYC office settled on the Brymen® BM235 multimeter for our lab because of its variety of useful features, measurement accuracy, and display count for the price. Fluke is a very popular manufacturer because of their reliable, accurate meters, but they tend to be on the more expensive side. If both options are too expensive for you, I used a much cheaper Innova® 3320 from Amazon for years in my home lab before upgrading my meter and it was fine for most tasks. We also highly recommend a set of fine-tip needle probes for making measurements on tiny pins and test points. These can be their own separate leads, or add-on tips for your current leads, or included within a set of a variety of tips.
Logic analyzers are the premier tools to help you identify and decode digital signals on a board. In cases where you have multiple points to test, having eight or more wires to analyze multiple signals at once is a godsend. When you’re selecting a logic analyzer, these are some of the other specs to pay attention to:
The standard for compact, easy-to-use logic analyzers is the Saleae Logic family, mostly because the software is simple but effective and the UI is fairly well-designed. The NYC office went with a Saleae Logic Pro 8 because of its higher sample rate and ability to support faster digital signals than the non-pro Logic 8. In spite of this, the cheaper Logic 8 is perfectly fine for most tasks. It should be noted that the Saleae’s simplicity also works against it, as it only supports basic triggering options and doesn’t have the ability to use an external clock signal for capturing data (also known as state mode). While a lack of these features isn’t a deal breaker, a number of cheaper logic analyzers exist that offer this functionality at the cost of being slightly more difficult to use and not having the same level of customer support options as the Saleae. I use a DSLogic U3Pro16 analyzer at home, which offers fairly impressive specs for the price and uses software based on the open-source logic analyzer software Sigrok.
While some would consider an oscilloscope to be an optional addition to an entry-level hardware lab, having an oscilloscope can be useful for quick probing around a board to check signals, rather than having to go through the process of hooking up a logic analyzer and capturing data. More importantly, an oscilloscope will show you a more accurate representation of a signal than a logic analyzer since you can actually view the analog signal’s waveform, which digital representation from logic analyzers cannot provide. This can be immensely helpful when debugging issues while trying to interface with headers, pins, or test points on a board since you can actually see what the signal is doing.
The most important spec to pay attention to when selecting an oscilloscope is bandwidth, as a scope’s bandwidth range will dictate where you will start to lose accuracy to attenuation when making measurements. Without going into too much detail about calculating bandwidth requirements, anywhere from 50 to 200 MHz is enough for most reverse engineering tasks. Specs like sample rate, capture rate, and memory depth are also beneficial to keep in mind, but in general the more you can get away with in your price range, the better. The number of channels your scope supports can also be a point of contention. In our opinion, if it comes down to better specs vs. more channels, you should choose better specs. Four channels can be useful sometimes, but they are not strictly necessary. We got a Siglent® SDS1204X-E because it features 200 MHZ bandwidth and 1G samples per second sample rate as well as built-in protocol decoders without the need for an extra license for a sub $1,000 price point. If the SDS1204X-E is too expensive, the Rigol DS1054z and DS1102E are good lower-cost options and can be upgraded with individual features later. If you have the space and patience, good deals for used, older digital oscilloscopes can be had on eBay as well. If you are a hobbyist and would find having an oscilloscope impractical, some logic analyzers like the Saleae Logic Pro series and the Digilent® Analog Discovery 2 have basic analog signal analysis capabilities.
While reverse engineering, you will typically find a number of different serial protocols being used to allow components to communicate. For this reason, it’s important to have adapters that can allow you to interact serial protocols. Luckily, FTDI has you covered with an assortment of chips that allow you to interface with protocols like UART, SPI, I2C, and JTAG through USB. FTDI provides cables that serve this purpose, but there are also a couple breakout boards for the FTDI FT232H chip, including the Xipiter Shikra and a number of boards from companies like Adafruit and Sparkfun. We have a Shikra in the NYC office, but many of our engineers use the Adafruit FT232H breakout board since Shikras can be hard to get. Most of these devices operate similarly and you can choose whichever board or cable you like.
A working JTAG or SWD interface is the holy grail of hardware reverse engineering since they typically provides you with full hardware debugging capabilities. Even though an FT232H/FT2232H-based board like the Flyswatter2 supports working with JTAG, it’s a good idea to have a dedicated debugger because they are often easier to use and more reliable. When you’re reverse engineering a device, it’s helpful to have a device that you know works so you can reduce the amount of time you spend troubleshooting issues. The SEGGER J-Link debugger and software support a wide range of target devices. SEGGER’s software also includes extensive support for easy debugging and flash programming. For these reasons, we bought a J-Link PLUS debugger for our lab. Students, hobbyists, and personal researchers can get the Edu version of the J-Link debugger for a fraction of the cost without sacrificing access to the best features offered by J-Link software (Although at the cost of some speed). The J-Link debugger is also supported by OpenOCD if you ever felt the need to use it that way. It’s also worth mentioning that the Jtagulator® by Joe Grand is handy to have around for brute-forcing JTAG interface pinouts.
Grabbing firmware directly from a flash chip or modifying and rewriting firmware to a flash chip are fairly common tasks in the process of reverse engineering devices. While you could use an FTDI-based breakout board paired with open source software to read most chips, a good flash programmer with support for a wide range of chips can make the process easier by providing a convenient and reliable interface. Professional flash programmers can be fairly expensive, but there are a number of cheaper programmers from China that perform pretty well for a much lower price point. The TL866 can be purchased for about $100 with an assortment of adapters for working with various chip packages. The TL866 family of programmers also has Linux support through the open-source MiniPro utility, so you’re not locked into the software provided by the manufacturer. Alternatively, the more expensive TNM5000 programmer offers support for about 23,000 different flash chips and comes with an assortment of adapters for various chip packages. I’ve used a TNM5000 at home for several years and rarely encounter a flash chip that the software doesn’t support, so we chose it for the office too. As an added bonus, the TNM5000 is also capable of in-circuit programming for a variety of microcontrollers. For BGA package eMMC flash chips, we use an Allsocket eMMC reader. Honorary mention goes to the low-cost FlashcatUSB Classic, which I’ve had as a backup to my TNM5000 for a handful of chips that it had difficulty reading.
As a reverse engineer, you will occasionally find yourself in situations where you need to supply power to a device under test or specific components of the device. As you spend more time reverse engineering, you will also find yourself designing and prototyping things to help you reverse engineer. For these tasks, having a controllable power source is invaluable. You probably don’t need to go for any of the expensive, fully featured bench power supplies. A 30-volt, 5-amp adjustable power supply with one output can be had for $100 or less and is more than enough for our needs.
Power supplies can be either linear or switching. Linear supplies produce cleaner power but tend to be larger and produce more heat, while switching supplies produce noisier power but are smaller and more efficient. Either should be fine, but linear is generally preferred to switching because noise can occasionally introduce issues. For our lab, we bought a Korad KA3005P because it fits all of our requirements with the added benefit of being programmable. Hobbyists can save a bit of money by buying a cheaper, non-programmable supply or by building a power supply from a kit (which is something of a rite of passage for electronics hobbyists).
They may not be as exciting as soldering irons, hot air guns, and adapters, but the tools and equipment in your lab are every bit as important. Whether you’re in the initial phases of disassembling and analyzing a device or neck-deep in the reverse engineering process, you’ll want an assortment of tools and equipment to help you. In this final section we’re going to go over some of the more integral tools and equipment every lab should have.
Unless you plan on revealing the insides of your devices by smashing them against the wall, you’re going to need a good set of precision screwdrivers to take them apart. The devices you encounter will likely use a variety of screw types and sizes, so being prepared for that range of bit types is practically a hardware hacking requirement. At the very least, your set should include Phillips, flathead, Torx, and security bits. For our office we got the Syntus 80 in 1 precision screwdriver set, mostly because it also comes with some of the other tools needed for a lab like spudgers, tweezers, and an ESD wrist strap. Any precision set with 60 to 100+ bits should be fine though, since they’re mostly similar in terms of functionality.
Since embedded systems are rarely designed to be taken apart, you’ll likely need a spudger set to pry them open without using the aforementioned technique of launching the device at a wall. A lot of precision screwdriver sets are designed with phone repair in mind, so they tend to come with spudgers. If you have to buy them independently of your screwdriver set, you should pick up a set of assorted metal spudgers as the plastic ones tend to deform after a few uses.
You’re going to need a set of precision tweezers for removing and placing small components on a printed circuit board (PCB). It’s unlikely to have to buy these separately since most toolkits will come with a set of precision tweezers, but if you want to get a separate set, the iFixit precision tweezers set will do just fine. Whatever set you get, make sure they are ESD-safe and include a variety of tweezer shapes.
When you’re working with electronics, you want to minimize the risk of static electricity ruining whatever device you’re working on. An ESD wrist strap, when properly used, will help prevent destroying chips accidentally while you’re rooting around inside of a device. These are fairly ubiquitous and there’s no specific recommendation for a brand or type of ESD wrist strap as long as you stay away from wireless ESD wrist straps for obvious reasons.
To tap into signals on a device’s PCB, you’re going to want to have an assortment of wires and headers available to you. At the very least, you will need the following:
For cutting and stripping ribbon wire, we got a Klenk 2-in-1 wire cutter and stripper (DA76070) set because it’s adept at stripping ribbon wire without having to make adjustments like you would with other wire strippers.
One of the most commonly overlooked, yet extremely important assets in a hardware lab is magnification. Most of the devices you’re going to be reverse-engineering will have tiny components or chips with small pin pitches that are difficult to see with the naked eye. When you’re soldering to these components, having some means of magnification will vastly improve your accuracy and help you keep your hands steadier while you solder. It also helps with inspecting your solder jobs afterwards to make sure there are no bridges that would normally be difficult to spot. There are both analog and digital solutions to magnification based on your needs:
Digital microscopes that are essentially USB webcams with an HDMI output port offer the ability to more easily share your magnified view with other people, although soldering without looking directly at your target is somewhat difficult to get used to. When used as a webcam, digital microscopes are also compact, making them convenient for smaller labs or for portable setups. However, digital microscopes introduce some lag when they are used in their webcam mode, which is fine for PCB inspection, but makes them inconvenient for soldering. Digital microscopes are most useful when you use their HDMI output with a monitor since there’s virtually no lag. Digital microscopes also force you to solder without a sense of depth perception since you’re essentially looking at a zoomed-in image. While this is somewhat disadvantageous, it is by no means a deal breaker.
A stereoscopic microscope is a more traditional analog microscope that allows you to solder with full depth perception while zoomed in. In our opinion, this is the most natural-feeling way to solder with magnification, although it is difficult to share what you’re doing with other people while soldering or inspecting a board. However, more expensive stereoscopic microscopes offer a trinocular port that can be used to attach a camera so you can get the best of both worlds, so to speak. Stereoscopic microscopes also tend to take up a bit more space, but don’t require a monitor, TV, or computer to output anything.
Regardless of which type of microscope you go for, you should ensure that it’s capable of at least 10x magnification and has a working distance of 5+ inches. You don’t really need to zoom in very far for soldering or inspection, but working distance is extremely important because it dictates how far away the microscope can be while still being effective. The further this distance, the more space you have to work while soldering. You should also try to get a microscope on a boom stand so you can move it in and out of your workspace without disrupting what you are working on. If you are going for a stereoscopic microscope with a trinocular port for a camera, make sure it is simul-focal, meaning that you can use both eyepieces at the same time as the trinocular port.
In the office, we went with a Hayear 16MP HDMI microscope with a 100x c-mount lens and a LED ring on a boom stand, mostly because we have an abundance of monitors in our office and need the portability to move the microscope around. As a bonus, the camera component of the microscope can be removed and fitted to the trinocular port if a stereoscopic microscope if we ever felt the need to upgrade our setup.
If you are just setting up your own home lab or don’t have a strong need for sharing your magnified view, I strongly recommend going for a stereoscopic microscope. Amscope™ offers some cheaper fixed-magnification microscopes like the SE420-LED and the SE420-XYZ that are ideal. If you really want to leave the option of a camera open, Amscope offers a ton of options for trinocular simul-focal microscopes in various price ranges. Hobbyists on a budget can look at head-mounted or desk mounted magnifying glasses, although these options don’t provide the same level of magnification as a nice microscope would.
In addition to a microscope of some kind, it’s handy to have a jeweler’s loupe with an integrated LED for quickly inspecting components on a board. These are a dime a dozen online and there’s no specific brand you should get, but we have a Gain Express mini jewelers eye loupe in the office.
Now that your lab is fully stocked and ready, the real fun begins. It’s a great time to get into hardware hacking; the IoT space continues to expand, so the demand for product security reviews will keep growing too.
Expertise in dismantling and investigating hardware literally opens up new areas for you to explore in information security, whether you use that skill to tinker with your own devices or to assess products for a client. The first step is doing your research so you surround yourself with the right tools for the job, depending on your interests and spatial constraints.
Our NYC lab, for instance, was built to optimize our collaborative work on product assessments for clients, while my own home setup was originally more geared towards repair. We’d love to hear about your favorite tools and the projects you’ve worked on with them. Tweet your #IoTLab pics to us @BishopFox on Twitter.
tl;dr: Gather your tools, disclose your findings responsibly, and hang onto your eyebrows.