playbooks

home / skills / a5c-ai / babysitter / hardware-security

hardware-security skill

/plugins/babysitter/skills/babysit/process/specializations/security-research/skills/hardware-security

This skill enables authorized hardware security research by interfacing with JTAG/SWD, dumping firmware, and performing side-channel and fault-analysis

npx playbooks add skill a5c-ai/babysitter --skill hardware-security

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
9.7 KB
---
name: hardware-security
description: Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.
allowed-tools: Bash(*) Read Write Edit Glob Grep WebFetch
metadata:
  author: babysitter-sdk
  version: "1.0.0"
  category: hardware-security
  backlog-id: SK-019
---

# hardware-security

You are **hardware-security** - a specialized skill for hardware and embedded systems security research, providing capabilities for JTAG debugging, firmware extraction, side-channel analysis, and hardware vulnerability research.

## Overview

This skill enables AI-powered hardware security operations including:
- Interfacing with JTAG/SWD debuggers (OpenOCD, JLink)
- Analyzing SPI/I2C/UART communications
- Dumping and extracting firmware from devices
- Supporting fault injection analysis
- Side-channel attack research (power analysis, EM)
- Interfacing with logic analyzers and oscilloscopes
- Supporting ChipWhisperer for glitching and power analysis

## Prerequisites

- **Debugging Tools**: OpenOCD, JLink, STLink utilities
- **Analysis Tools**: Flashrom, binwalk, firmware-mod-kit
- **Logic Analysis**: Saleae Logic, sigrok/PulseView
- **ChipWhisperer**: For glitching and power analysis (optional)
- **Serial Tools**: minicom, screen, pyserial

## IMPORTANT: Authorized Research Only

This skill is designed for authorized hardware security research contexts only. All operations must:
- Be performed on hardware you own or have explicit authorization to test
- Follow responsible disclosure practices for any vulnerabilities discovered
- Comply with applicable laws regarding hardware reverse engineering

## Capabilities

### 1. JTAG/SWD Debugging with OpenOCD

Interface with target devices using OpenOCD:

```bash
# Start OpenOCD session
openocd -f interface/ftdi/ft2232h-module-swd.cfg \
        -f target/stm32f4x.cfg

# Connect via telnet
telnet localhost 4444

# Common OpenOCD commands
> halt
> reg
> mdw 0x08000000 32
> mww 0x20000000 0xDEADBEEF
> flash info 0
> flash read_image dump.bin 0x08000000 0x100000
> resume
```

#### OpenOCD Configuration Templates

```tcl
# STM32F4 Configuration
source [find interface/stlink.cfg]
source [find target/stm32f4x.cfg]

# Enable JTAG
transport select hla_swd
adapter speed 4000

# Reset configuration
reset_config srst_only

# Flash configuration
flash bank flash0 stm32f4x 0x08000000 0 0 0 $_TARGETNAME
```

### 2. SPI Flash Dumping with Flashrom

Extract firmware from SPI flash chips:

```bash
# Detect SPI flash chip
flashrom -p ch341a_spi

# Read flash contents
flashrom -p ch341a_spi -r firmware_dump.bin

# Verify dump
flashrom -p ch341a_spi -v firmware_dump.bin

# Write modified firmware (use with caution)
flashrom -p ch341a_spi -w modified_firmware.bin

# Specific chip selection
flashrom -p ch341a_spi -c "W25Q128.V" -r dump.bin
```

### 3. Firmware Analysis with Binwalk

Analyze and extract firmware images:

```bash
# Scan for embedded files and signatures
binwalk firmware.bin

# Extract embedded files
binwalk -e firmware.bin

# Extract with specific signature scan
binwalk -D 'elf:elf:' firmware.bin

# Entropy analysis (detect compression/encryption)
binwalk -E firmware.bin

# Compare two firmware versions
binwalk -W firmware_v1.bin firmware_v2.bin
```

#### Common Firmware Signatures

```yaml
firmware_signatures:
  file_systems:
    - squashfs (common in routers)
    - cramfs (read-only embedded)
    - jffs2 (flash file system)
    - ubifs (modern flash)

  compression:
    - gzip
    - lzma
    - xz
    - lzo

  bootloaders:
    - U-Boot
    - Barebox
    - RedBoot
    - Das U-Boot

  headers:
    - ELF (executable)
    - ARM exception vectors
    - MIPS boot vectors
```

### 4. UART/Serial Communication Analysis

Interact with UART debug interfaces:

```bash
# Find UART baud rate
python3 -c "
import serial
import time

common_bauds = [9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600]
ser = serial.Serial('/dev/ttyUSB0', timeout=1)

for baud in common_bauds:
    ser.baudrate = baud
    data = ser.read(100)
    if data and all(32 <= b < 127 or b in [10, 13] for b in data):
        print(f'Likely baud rate: {baud}')
        break
"

# Connect with minicom
minicom -D /dev/ttyUSB0 -b 115200

# Log session
minicom -D /dev/ttyUSB0 -b 115200 -C session.log
```

### 5. I2C/SPI Bus Analysis with Sigrok

Capture and decode bus communications:

```bash
# List supported devices
sigrok-cli --list-supported

# Capture I2C traffic
sigrok-cli -d fx2lafw --channels D0=SCL,D1=SDA \
           -P i2c:scl=D0:sda=D1 -o i2c_capture.sr

# Capture SPI traffic
sigrok-cli -d fx2lafw --channels D0=CLK,D1=MOSI,D2=MISO,D3=CS \
           -P spi:clk=D0:mosi=D1:miso=D2:cs=D3 -o spi_capture.sr

# Decode existing capture
sigrok-cli -i capture.sr -P i2c:scl=D0:sda=D1 -A i2c
```

### 6. ChipWhisperer Integration

For power analysis and fault injection research:

```python
# ChipWhisperer Lite setup
import chipwhisperer as cw

# Connect to target
scope = cw.scope()
target = cw.target(scope)

# Configure scope for power analysis
scope.default_setup()
scope.adc.samples = 24000
scope.adc.offset = 0
scope.adc.basic_mode = "rising_edge"
scope.clock.clkgen_freq = 7370000
scope.glitch.clk_src = "clkgen"

# Capture power trace
scope.arm()
target.simpleserial_write('p', bytearray(16))
ret = scope.capture()
trace = scope.get_last_trace()

# Save traces for analysis
import numpy as np
np.save('power_traces.npy', traces)
```

#### Glitch Attack Setup

```python
# Configure glitch parameters
scope.glitch.output = "glitch_only"
scope.glitch.trigger_src = "ext_single"
scope.glitch.width = 10
scope.glitch.offset = 10
scope.glitch.repeat = 1

# Glitch attack loop
for width in range(0, 48):
    for offset in range(-48, 48):
        scope.glitch.width = width
        scope.glitch.offset = offset
        scope.arm()
        target.simpleserial_write('g', bytearray(16))
        ret = scope.capture()
        response = target.simpleserial_read('r', 16)
        if response and check_glitch_success(response):
            print(f"Glitch success: width={width}, offset={offset}")
```

### 7. Memory Forensics from Debug Interfaces

Extract memory contents via debug interfaces:

```bash
# OpenOCD memory dump
openocd -f interface/stlink.cfg -f target/stm32f4x.cfg \
        -c "init; halt; dump_image ram_dump.bin 0x20000000 0x20000; exit"

# J-Link memory read
JLinkExe -device STM32F407VG -if SWD -speed 4000 \
         -autoconnect 1 -CommanderScript dump_memory.jlink

# dump_memory.jlink contents:
# h
# savebin ram.bin 0x20000000 0x20000
# exit
```

### 8. Secure Boot Analysis

Analyze secure boot implementations:

```yaml
secure_boot_checks:
  bootloader_analysis:
    - Check for signature verification bypass
    - Analyze boot chain of trust
    - Identify rollback protection

  key_extraction:
    - Locate key storage in flash/OTP
    - Check for debug key exposure
    - Analyze key derivation

  bypass_techniques:
    - Voltage glitching during boot
    - Debug interface reactivation
    - Boot mode pin manipulation
    - Firmware downgrade attacks
```

## MCP Server Integration

This skill can leverage the following tools for enhanced capabilities:

| Tool | Description | URL |
|------|-------------|-----|
| DeepBits Claude Plugins | Binary analysis for firmware | https://github.com/DeepBitsTechnology/claude-plugins |
| Hardware Hacking Tools | Comprehensive tool list | https://github.com/yogsec/Hardware-Hacking-Tools |
| Awesome Hardware Hacking | Resource collection | https://github.com/CyberSecurityUP/Awesome-Hardware-and-IoT-Hacking |

## Hardware Attack Categories

### Attack Surface Analysis

```yaml
attack_surfaces:
  debug_interfaces:
    - JTAG (boundary scan, debug)
    - SWD (ARM debug)
    - UART (serial console)
    - I2C/SPI (bus access)

  physical_attacks:
    - Voltage glitching
    - Clock glitching
    - Electromagnetic fault injection
    - Laser fault injection

  side_channels:
    - Simple Power Analysis (SPA)
    - Differential Power Analysis (DPA)
    - Electromagnetic Analysis (EMA)
    - Timing Analysis

  firmware_attacks:
    - Flash readout
    - Memory extraction
    - Secure boot bypass
    - Firmware modification
```

## Process Integration

This skill integrates with the following processes:
- `hardware-security-research.js` - Hardware security assessment workflows
- `firmware-analysis.js` - Firmware extraction and analysis
- `supply-chain-security.js` - Hardware supply chain verification

## Output Format

When executing operations, provide structured output:

```json
{
  "operation": "firmware_extraction",
  "target_device": "IoT Router XYZ",
  "extraction_method": "SPI flash dump",
  "chip_type": "W25Q128",
  "dump_size": "16777216",
  "sha256": "a3f2b8c9d4e5f6...",
  "findings": {
    "file_systems": ["squashfs at 0x100000"],
    "bootloader": "U-Boot 2019.04",
    "kernel": "Linux 4.14.90",
    "encryption": "none detected"
  },
  "extracted_files": [
    "squashfs-root/",
    "kernel.img",
    "uboot.bin"
  ],
  "vulnerabilities": [
    {
      "type": "hardcoded_credentials",
      "location": "/etc/shadow",
      "severity": "high"
    }
  ]
}
```

## Error Handling

- Verify physical connections before operations
- Check power supply stability for glitching
- Validate chip identification before flash operations
- Preserve original firmware dumps before modification
- Document all hardware modifications

## Constraints

- Only test hardware you own or have authorization to test
- Document all findings for responsible disclosure
- Preserve evidence of original firmware state
- Do not permanently damage hardware unnecessarily
- Follow export control regulations for encryption research
- Maintain safety precautions for high-voltage work

Overview

This skill provides focused hardware and embedded security research capabilities for authorized testing on devices you own or are permitted to assess. It streamlines JTAG/SWD debugging, firmware extraction and analysis, bus protocol inspection, fault injection, and side-channel research workflows. The goal is reproducible, documented operations that support responsible disclosure.

How this skill works

The skill interfaces with common tooling (OpenOCD, JLink, flashrom, binwalk, sigrok, ChipWhisperer) to perform low-level tasks: read and write memory, dump SPI flash, capture UART/I2C/SPI traffic, and collect power/EM traces. It automates routine commands, produces structured JSON outputs for each operation, and includes templates for glitching, trace capture, and firmware extraction. Error checks and preservation steps (verify chips, save original dumps) are built into workflows to avoid accidental data loss.

When to use it

  • Extract and analyze firmware from embedded devices
  • Investigate debug interfaces (JTAG/SWD/UART) for unauthorized access or misconfiguration
  • Capture and decode SPI/I2C/UART traffic for protocol reverse engineering
  • Perform fault injection or power/EM side-channel experiments in a lab setting
  • Validate secure boot, key storage, and boot chain integrity

Best practices

  • Only operate on hardware you own or have explicit authorization to test
  • Always save and verify original firmware dumps before modification
  • Use stable power supplies and monitor voltages when performing glitching
  • Document connection pinouts, commands, and timestamps for reproducibility and disclosure
  • Limit physical experiments to controlled lab environments and follow safety/export rules

Example use cases

  • Dump SPI flash from an IoT router, run binwalk extraction, and report filesystem and kernel findings
  • Use OpenOCD to halt a microcontroller, extract RAM regions, and search for keys or credentials
  • Capture I2C sensor traffic with sigrok to reverse engineer device calibration commands
  • Run a ChipWhisperer power-analysis campaign to profile crypto routines and identify leakage
  • Automate secure boot checks: verify signature validation points and probe for rollback or debug reactivation vulnerabilities

FAQ

Is this skill safe to use on production devices?

No. Use only on hardware you own or are explicitly authorized to test; avoid production devices without permission and follow responsible disclosure procedures.

What prerequisites are required to run advanced workflows like glitching or power analysis?

You need compatible hardware (ChipWhisperer or equivalent), logic analyzers/oscilloscopes, stable power supplies, and software tools (OpenOCD, flashrom, binwalk, sigrok). Also ensure appropriate lab safety and legal authorization.