Welcome back to our ongoing series on hardware hacking and our second lesson. Last month we presented “Lesson 1: Beauty, Your Home Lab and Basic Electronics” with an appreciative nod to this fine art, the essential components needed to try this at home and some helpful tutorials to quickly get you up to speed. We also made a distinction between classical and security-focused hardware hacking. So before we drag you into the deep waters and forcing devices to reveal their secrets, we’ll focus on having a smoother transition from noob to necromancer!
To get our feet wet, we’re going to start with a bit of classical hardware hacking. My keyboard, like most, has 3 green indicator LEDs above the number pad; let’s change their color. Additionally, since Linux can do some fun stuff with the scroll lock LED, let’s make that LED have a rainbow effect as a gaudy Linux notification light. Along the way, we’ll cover some core concepts for hardware hacking, learn the importance of breaking large problems into smaller ones, and eventually we’ll make an 80s era keyboard spit rainbows on command with Linux.
Quick Syllabus of Hardware Hacking 101
Now that we have you hooked, let’s reveal where this is all going.
- Lesson 1: Beauty, Your Home Lab and Basic Electronics (Jan 2019) – An intro to the series and the world of circuit boards and soldering irons.
- Lesson 2: Classical Hardware Hacking (Feb 2019) – An intro to Classical Hardware Hacking and a simple working example project with an 80s keyboard mod & spitting rainbows on command with Linux.
- Lesson 3: Standards Abuse for Your First Root Shell (March 2019) – An intro to Security-Focused Hardware Hacking and a simple working example project.
- Lessons 4 & 5: Intermediate Hacks (April & May of 2019) – Each month we’ll step it up a bit with more complex projects building on what we’ve learned. This will be comprised of a classical hardware hacking intermediate-level project followed by a security-focused intermediate hack.
- Sneak Preview of IoT Village at DEF CON 27 (June 2019)
- Lessons 6, 7 & Beyond: Advanced Hacks (1 classical and then 1 security), Resources for Further Study and a Contest (Throughout the rest of 2019)
And now on with the show…
Making Sense of the Madness
First thing’s first, we need to build some basic understanding of what we’re working with. To do this, we’ll crack open the keyboard and analyze the circuit.
After removing 4 screws on the back of the keyboard, we can remove the case and gain access to the internal components.
If you’re new to electronics and hardware hacking, this can be a lot to take in and may even be a bit intimidating. However, we can make the task at hand a lot easier by following one of the core concepts of engineering: Break large problems into smaller problems.
That circuit board is a mess, but we only care about the LEDs (Light-Emitting Diodes). So let’s just focus on the LEDs and whatever they’re connected to. We can do this by simply following the traces connected to each LED.
It’s still a total mess, so let’s simplify it a bit more by sketching a schematic. If we follow the red, green, and blue lines, we can see that they’re more-or-less the same. Each one goes from an unknown chip, through a resistor, over a jumper wire, and to one side of an LED. On the other side of the LEDs, we have the yellow line. This one connects all LEDs together, along with a bunch of other unknown stuff. Sketching that out, I came up with the following:
This schematic is much easier to work with and starts to give us an idea of how the circuit may work. It lacks a lot of important details though, so let’s take a moment to think about the components, our goal, and what we may need to know.
Our main targets are the LEDs. We know that these are just diodes (of the light-emitting variety) and diodes have certain characteristics:
- They have a physical size. If we get the wrong size, the replacements may not fit the board/case properly. We don’t know: the size of the LEDs.
- They allow electricity to flow in one direction but not the other. We don’t know: the polarity (direction of current flow) of the LEDs.
- They will pass as much current as they can get until they explode. The current needs to be limited somehow. A common method of limiting current is via a current limiting resistor. The three resistors in our sketch likely perform this task. We’ll perform these calculations later, but there’s still some info we need from the existing circuit. We don’t know: the supply voltage of the circuit.
Divide and Conquer
We have 3 unknowns to focus on: size of LEDs, polarity of LEDs, and supply voltage of the circuit. Let’s tackle them one-by-one and update our schematic as we go.
Common sizes for through-hole LEDs are 3mm, 5mm, and 10mm. A quick measurement shows that these are 5mm. Well that was easy.
So let’s update our schematic.
The long leg of an LED is often used to determine polarity, but these have been trimmed. Some LEDs (like these) have a notch in the lens on the negative side, but others will need to be tested with a multimeter. Using diode-test mode should return the LED’s forward-voltage when connected with the proper polarity and overload (“OL”) when connected backwards. Knowing the polarity will also tell us where our relative supply voltage (VCC) and ground are.
And our schematic should now look like this:
If you’re not sure what each of the changes to the above diagram means, then guess what? Time for some homework. It’s not hard, but here’s a few questions for you to answer:
- What is the schematic symbol for a diode?
- What is the schematic symbol for an LED?
- How do we indicate the proper direction or polarity?
- What else has changed?
Supply voltage, for our purposes, is the difference in voltage between the positive and negative sides of our portion of the circuit. These LEDs could be running at some strange voltage relative to the rest of the keyboard, but we don’t care – we’re only working with this one localized chunk of circuit. After plugging the keyboard in and turning on an LED, I used my trusty multimeter to measure about 5v between the far end of the lit LED and the far end of the resistor connected to it.
Designing the Modification
Now we know a few key details about the circuit:
- LED size: 5mm.
- LED polarity: positive towards edge of board.
- Current limiting: resistors R9-R11, near print-screen key.
- Supply voltage: 5v.
Using this information, we can start designing a modification. We pretty much just need to find replacement LEDs at the right size and determine what to use for the new current limiting resistors. I decided to go with some orange LEDs for num-lock and caps-lock. I’m going to do something special for scroll-lock though – that one will be an auto-cycling RGB LED that I can use as an indicator light. This rainbow LED takes care of all the fancy RGB stuff for us, so we can treat it like a normal single-color LED. Another core concept of engineering: Work smarter not harder!
To implement these new LEDs, we need to know their forward voltage. For those unfamiliar with forward-voltage, it’s the voltage drop across a diode and the minimum voltage needed to illuminate an LED. Forward-voltage is also the reason we’re going through all of this trouble to understand the circuit instead of just haphazardly replacing LEDs. The thing about forward-voltage is that different colors of LEDs have different forward-voltages, and current limiting resistors have to be designed for a specific forward-voltage. If we don’t modify/understand the current limiting resistors, the LED may receive too little current and fail to illuminate or receive way too much current and burn out.
Determining the forward-voltage is super easy if you know the part number for each LED, and pretty easy even if you don’t. If you have the part number, look it up and find a datasheet. The datasheet should provide a “nominal forward voltage” rating. If you don’t have the part number or datasheet, use a multimeter with a decent diode test setting. A lot of cheap multimeters just say 1 or overload, but the UNI-T UT139C that I recommended last month will work great. My orange LEDs (nte30040) have a typical forward voltage of 2.0v, while the generic rainbow ones have a forward-voltage of 3.2v-ish.
Once we have the forward voltage for each LED, we can calculate what value of current limiting resistor will be needed. To do this, we will use Ohm’s law. Let’s break our schematic down even further and focus on a single LED and resistor.
In this diagram we have the following:
- A power source providing the source voltage we measured earlier (Vs = 5v).
- A current limiting resistor (R1 = xΩ).
- A diode that causes a voltage drop of the forward voltage (LED1 = 2.0v for orange).
- A connection to ground.
What we want to do is limit the amount of current (I) flowing through the circuit. About 5mA should be ideal (1/4th the LED’s maximum rating). Remember Ohm’s law? V=IR? Since we have a known voltage and amperage, we can use R=V/I to determine the required resistance. For voltage, we need the voltage after the drop caused by the diode, so our equation will look something like R=(Vs-Vf)/I where:
- Vs = supply voltage (5v)
- Vf = forward voltage of LED (2v)
- I = desired current (0.005A)
- R = required resistance (xΩ)
Plugging that all in, we get the following: (5v-2v)/0.005A=600Ω
However, we won’t always find a resistor at the exact value we want and may need to round up or down. Since I wanted to round in the direction of more light, I rounded down to the closest value I had on-hand, 510Ω.
Applying the same process to the rainbow LED results in the following: (5v-3.2v)/0.005A=360Ω
Once again, I rounded down for more amperage and more brightness and went with 220Ω.
Executing the Modification
Now that we know what needs to be replaced and what to replace it with, we can finally dig in and start modifying things.
We need to remove 6 components: the 3 LEDs and the 3 resistors (R9-R11). These can be removed relatively easily using a soldering iron and a pair of needle-nose pliers. I tend to follow these steps:
- Add lead solder to the pins of the target components. Doing so will clean up the joint and will usually decrease the melting temperature.
- Grip a target component with the pliers.
- Melt one of the target component’s joints with the soldering iron.
- While applying heat to that joint, gently bend the component away from the joint. This should cause the component’s pin in the heated joint to pull out a slight bit.
- Repeat on the other pad, moving in the opposite direction.
- Continue back and forth and walk the component out.
- Optionally, use a desoldering pump or wick to remove excess solder.
Once the old components have been removed, we can insert our new ones. With through-hole components, I prefer to work in a sort of “batch” process:
- Insert a component, being mindful of polarity requirements.
- Bend the component’s leads at a 45-ish degree angle so the component stays in place without solder. Note: This may make it harder to desolder the component in the future.
- Repeat for all components or a sizable group.
- Flip the board over and solder each component into place.
- Trim excess component leads.
When inserting the LEDs, remember to reference the polarity we documented at the beginning. The LED can be inserted backwards, and it won’t light up if it’s backwards.
The Fruits of Our “Classical Hardware Hacking” Labor
Now that all of the new components are in place, we can test the mod. Since this mod is relatively simple and hardy, we can get away with plugging the keyboard in and testing each light. Caps-lock and num-lock can be tested pretty easily but scroll-lock is a bit different in Linux. Most Linux distros won’t use scroll-lock, but they will allow us to toggle the LED with a command. `xset led 3` will turn the light on and `xset -led 3` will turn it off.
With the keyboard plugged in, I can see a wonderful orange glow when I turn on caps-lock or num-lock, and a gaudy rainbow when I enable the scroll-lock light via xset!
It worked! But I’m not quite satisfied… I want to use the scroll-lock light for something “useful.” Using the xset command, I built a shell script that will illuminate the rainbow LED when I get a DM in Slack – neat! Annoying… but neat!
The script is available on Github. I can’t guarantee that it’ll work though.
So what did this little exercise demonstrate?
- Documentation is your friend. Take lots of pictures. Write down part numbers. Write down measurements.
- Large circuits can often be viewed as a collection of smaller circuits – break large problems into smaller ones. That keyboard had a lot going on, but we managed to simplify the circuit to 2 components for our mod.
- Consult thy datasheets.
- Ohm’s law is kinda important.
- (De)soldering actually isn’t too hard.
In the next article, we’re going to shift focus a little bit. Instead of classical hardware hacking, we’re going to do some security-focused hardware hacking. There will be less of a focus on electronics fundamentals and more of a focus on identifying a standard, abusing the standard, and using the standard as leverage for further research. With any luck, we’ll have a root shell by the end.
Ian Sindermann is an Associate Security Analyst at Independent Security Evaluators (ISE), a firm of security specialists that provide a wide range of services including custom security assessments and software development. He is also a researcher for ISE’s newly formed research division, ISE Labs. ISE also runs IoT Village, which hosts talks by expert security researchers who dissect real-world exploits and hacking contests consisting of off-the-shelf IoT devices. Ian’s day-to-day duties include conducting rigorous security assessments on a wide variety of web applications, researching the security posture of various IoT devices, and sharing knowledge whenever possible. His background is somewhat varied, with a primarily self-taught education, prior experience as a wannabe Linux admin, and a childhood spent as a traveling performer. Interests include hardware hacking, legacy systems, mainframes, and whatever tech obscurities he can get his hands on.diyelectronicshackinghardwarelessonsindermannstemtutorial