Hardware hacking is about to understand the inner working mechanism of hardware. Most of the time, the hardware hacking process starts from reversing. From the hardware point of view, reversing in static way includes uncovering the schematic and disassembling the binary. On the other hand, reversing in dynamic way includes finding a way to debug the hardware and to fuzz it accordingly.
In practice, it is almost a standard operating procedure to obtain the binary of the hardware and reverse it consequently. As a supplementary technique for static binary reversing, debugging allows the real hardware operation process to be demystified in run time. In fact, the binary itself can be obtained by applying debugging technique- while it is not available from manufacturer. So, it is crucial to figure out the provisioning ports of the hardware in order to start performing hardware hacking.
The conventional approach to identify provisioning ports is by using pin finder toolkits such as Jtagulator. However, it is impractical and inefficient once a provisioning port has been found; another toolkit such as Shikra has to be used to manipulate the provisioning port. It is not only prone to error, but not hacker-friendly. So, it is important to find a way to fill the gap between provisioning port identification and manipulation processes. With this, it allows the hardware hacking process to be automated by making it scriptable in high level.
We will present a new method to allow provisioning port identification and manipulation by using connection matrix. With this, it is possible to construct arbitrary analog-alike connection in array form to implement all pattern of interconnect between bus interfacing chip and the target. Hence, once the appropriate provisioning port has been figured out, in the meantime, it is ready to be used for debugging or firmware dumping purposes. Besides, it is also an ideal assistive toolset for unknown signal analysis, side channel analysis (SCA), and fault injection (FI).