Automated PCB Reverse Engineering Stephan Kleber Henrik Ferdinand Nölscher Frank Kargl [email protected] [email protected] [email protected] Institute of Distributed Systems, Ulm University Abstract the physical circuitry to connect all components, such as microchips. To assess the attack surface and the secu- The very first step for analyzing the security of an em- rity risk induced by the hardware design of a device, the bedded device, without prior knowledge of the device’s analysis of the employed PCB is necessary. To this end, a construction, is analyzing the printed circuit board (PCB) penetration test is a structured process of searching, con- of the device, in order to understand its electrical imple- firming, and reporting vulnerabilities of a specific test mentation. This analysis is called PCB reverse engineer- specimen. Without having access to proprietary specifi- ing and its results are a list of components, technical doc- cations about the device under test, a penetration test is umentation related to those components, and a schematic called black-box test. This is a common and important reconstruction, that illustrates basic connections between kind of penetration testing, since it most closely emu- the PCB’s components. lates the actions of a real attacker. Particularly for em- Motivated by the lack of inexpensive methods for effi- bedded devices, black-box tests are common since most ciently performing PCB reverse engineering, we propose devices use proprietary PCB-designs and there is almost a novel framework that formalizes and automates most no re-use of designs across multiple PCBs of different of the tasks required for PCB reverse engineering. The products and manufacturers. On the other hand, lacking framework is capable of automatically detecting com- the specification makes PCBs hard to analyze. ponents using machine vision, gathering technical docu- To be able to perform a black-box penetration test of mentation from the internet and analyzing technical doc- the PCB of an embedded device without further doc- uments to extract security-relevant information. We im- umentation available, the PCB has to be reverse engi- plement the concept and evaluate the gain of efficiency neered. The PCB reverse engineering task has been in- and analysis coverage. Our results show that automating vestigated for goals like refurbishing or complete recon- almost all steps of PCB reverse engineering is possible. struction. However, existing techniques for these goals Furthermore, we highlight novel use cases that are en- cannot be applied for penetration tests, since they are too abled by our approach. time-consuming, require specialized equipment, such as X-ray units, and often destroy the device under test in the 1 Introduction process. Moreover, there is no formalized process to con- duct the analysis. Thus, the process is unstructured and, More and more embedded devices pervade business pro- from experience, we know that it is tedious and error- cesses and personal activities. From a security perspec- prone, because it involves repetitive manual work. There tive this leads to an increased attack surface and higher are no tools supporting the process to get a high-level un- risk by the common utilization of devices. Securing soft- derstanding of each component’s role, which is required ware can only reduce part of this risk, since in particular for the subsequent penetration test. embedded devices’ security properties are dependent on In this paper we present a workflow and automated the underlying hardware platform. Therefore, an integral method for PCB reverse engineering in preparation of part of a thorough penetration test, to assess the security a black-box penetration test. The goal is to make ana- of a device, is to analyze the hardware implementation, lyzing devices easier, faster, and to improve the cover- as demonstrated by Grand [4] and Oswald et al. [14]. age of the analysis. Since penetration tests are conducted The common basis of all devices is their hardware imple- within a limited amount of time and with access to few mentation as printed circuit boards (PCBs) which contain testing devices only, the process needs to avoid destruc- tion of devices so they can be used for actual attacks, Longbotham et al. [9] describe how a PCB can be re- later on. In essence, this kind of hardware reverse en- constructed using X-ray imaging techniques. They re- gineering considers the components placed on the PCB gard multi-layered PCBs with connection traces stacked and their interconnections. Therefore, the main task our within the board. Therefore, by this method, all layers approach addresses is to identify components, as well as can be inspected and traces can be reconstructed clearly. finding and analyzing their documentation. Moreover, This approach generates a very detailed copy of all layers we show how manual probing for connections between of a PCB, however, it requires removing all the compo- components on the PCB can be augmented by our ap- nents and access to an X-ray machine. These precondi- proach. For component identification, document anal- tions are rarely met in a black-box penetration test. ysis, and connection probing we present a software ar- Johnson [8] shows how traces on a PCB can be ana- chitecture and show its feasibility by a proof-of-concept lyzed using machine vision. He presents a program that implementation. We evaluated multiple methods for the reconstructs traces from the image of a raw PCB. A raw component identification and found that image segmen- PCB is a circuit board that is stripped off components tation is the best alternative for the task. and solder mask. In order to use this approach on arbi- While PCB reverse engineering guides further steps trary PCBs, the analyst needs to unsolder the components during penetration testing, we do not address vulnera- and scrape off the solder mask. This makes it a tiresome bilities of PCBs themselves. Moreover, our method is process and destroys the device, thereby invalidating the not fully automated, but still requires human interven- approach for our scenario. In 2015, Carne presented the tion. Manual steps can not be fully avoided due to the tool “PCBRE” at the conference ReCon [2]. This tool al- fact that we deal with hardware which needs to be han- lows to reconstruct a whole PCB using images of all lay- dled in the first place. However, we show how to reduce ers. These images, again, have to be taken using X-Rays the amount of manual work to the minimum. or other means of analyzing the whole PCB. However, The structure of the paper is as follows: First, we dis- both Johnson and Carne demonstrate that an automated cuss existing approaches of PCB reverse engineering in analysis of PCB traces is possible. Section 2. We derive a common workflow and require- The book “Hacking the Xbox” by Huang [7] outlines ments of its single tasks in Section 3 to provide a basis basic steps to classify and identify components of a PCB. for the automation of this workflow in Section 4.1. Ad- From our experience, we can conclude that manually re- dressing this workflow, we present the design of a soft- peating the required steps, such as reading the part identi- ware architecture in Section 4.2 and its proof-of-concept fication number and manually searching for documenta- implementation in Section 4.3. Our evaluation results tion online is inefficient for complex systems. While the of methods for component identification are discussed in author explains the most basics steps for reverse engi- Section 4.4. Finally, we deduce leverage points for fu- neering an embedded system, the book lacks a workflow ture work in Section 5 before concluding the paper in description for a professional analysis. Section 6. Grand [5] defines a set of attacks on and possible de- fenses for embedded systems. With our approach, we improve the testability and at the same time provide a 2 Related Work more realistic estimation about an attacker’s obstacles when reverse engineering a system to clone it or to find Previous work on automated PCB reverse engineering vulnerabilities on the physical or the firmware level. can be categorized into destructive and non-destructive As already indicated, all presented methods work de- approaches. While destructive methods will destroy the structively, rendering the device unusable after the analy- device during the test procedure, a non-destructive pro- sis. A penetration tester, however, may want to avoid de- cess retains full functionality of the device under test af- stroying the device because of practical, budget, and time ter the analysis. Grand published a survey [6] of all dif- constraints. Previous work highlights the importance of ferent sorts of methods for PCB deconstruction. The goal PCB reverse engineering and suggests that machine vi- of these methods is to fully reverse-engineer a device, by sion can be applied for analyzing PCBs. Yet, none of extracting images of all PCB layers. A PCB’s complete these approaches addresses all required tasks, such as reconstruction, in this case, contains all details of phys- identification of components and gathering of technical ical connections (traces). It highlights that most decon- information. Furthermore, the focus of existing methods struction techniques require destroying the PCB and a lies in analyzing the whole PCB, including all layers of significant amount of either time or cost. We seek for a multi-layered board. Extracting the detailed physical a compromise between the detailed but expensive ap- layout allows sophisticated tasks such as cloning devices proaches and the cheap but tedious manual approach of completely. Nonetheless, it is not required in preparation performing PCB reverse engineering. of a penetration test. 3 Workflow of Manual PCB Reverse Engineering Probing Document Recording Because advanced methods of PCB analysis are costly Component Analysis Gathering of Traces of Results and time-consuming, in practice, analysts perform man- Identification Documentation ual steps to learn how a specific embedded system is built.