Methodology (Medtronic MiniMed 530G) - mshapiro2025/MedBreach-Capstone GitHub Wiki
MiniMed 530G Teardown
Teardown Process
Removing End Cap
- use small, sharp utensils (ex. pocket knife) to remove glue from end seam
- use heat gun on glue on end seam
- put pump in vice
- wedge small tool (ex. flathead screwdriver) in end seam
- use hammer or other blunt object to hit end of small tool
- once pump end cap is off, remove ribbon cable from end cap and put end cap aside
- use pliers to remove PCB stack
- separate PCBs
Chip Analysis
Two notable chips were identified, both on the front of PCB 2. The lower chip on the board is a Cypress static RAM chip in a 48-pin FBGA package.
This chip will require chip-off analysis, so further investigation of its use was postponed. One point to settle before that work: plain static RAM is volatile, so anything it held was lost when the pump's battery was removed, and a chip-off read only recovers contents if the part is a non-volatile type (battery-backed SRAM or nvSRAM). Confirm the exact part number against the Cypress data sheet first.
The upper chip on the board is a Hitachi H8/3067 series CPU. The data sheet is here.
By searching the data sheet for interfaces that are commonly exploitable (UART, JTAG, etc.), we found that this chip provides a UART through its serial communication interface.
The next step is to identify which pins are the UART pins. Searching the pin list for the serial communication interface gives the Tx and Rx pin names, which can be correlated to the pin diagram. The VCC (supply voltage) and VSS (ground) pins are identified the same way.
CPU
Since the 48-pin FBGA chip requires chip-off analysis with a tool specific to its form factor, we began with the Hitachi CPU. The chip analysis showed two sets of UART pins (pins 12-15), which are a potential entry point. Since the pump's power source has been removed, the chip must be powered some other way. Before connecting a bench DC power supply, the chip should be checked for basic functionality. Using a VR table to make contact with the individual pins avoids soldering.
Four of the arms on the VR table were attached to four pins: VCC (Pin 1), VSS (Pin 11), Tx (Pin 13), and Rx (Pin 15). A camera aimed at the CPU and connected to a monitor was used to get a close-up of the pins and make the connections properly.
Once the pins were contacted, the four arms of the VR table were used to connect the chip to an Attify Badge. The ground pin on the CPU was connected to a ground pin on the Badge, and the CPU's VCC pin to a 5V pin on the Badge. Check the operating voltage range in the H8/3067 data sheet before doing this: if the pump runs the CPU from a lower rail, use a 3.3V supply instead, since overvoltage can destroy the part. The CPU's Tx and Rx pins were connected to the Badge's Rx and Tx pins respectively (crossed, never Tx to Tx). The Badge was then connected to a Kali Linux laptop. The following commands show the connected Badge and test for data flow:

```
ls /dev                           # compare with the Badge unplugged to spot the new ttyUSBn node
sudo screen /dev/ttyUSB0 115200   # open it at an initial guess of 115200 baud
```

In the screen command, ttyUSB0 is the device node found with the first command, and 115200 is an arbitrary starting baud rate. After a few moments data appeared. It was illegible, which indicates the baud rate was wrong, but it confirmed that the line is toggling and the chip is powered. If guessing, cycle through the common rates (9600, 19200, 38400, 57600, 115200) rather than random values; the logic capture in the next step gives the rate directly from the bit width.
The next step was a logic capture with a Saleae Logic Analyzer to visualize the data flow. The ground, Tx and Rx cables between the VR table and the Attify Badge were removed. One Saleae ground lead was connected to the VR table arm on the chip's ground pin and another to the Attify Badge's ground pin (the analyzer, the Badge and the chip must share a common ground for the capture to be valid). Two Saleae signal channels were connected to the VR table arms on the Tx and Rx pins. The voltage cable was left on the Attify Badge, and the Badge was unplugged from the Kali laptop.
We installed Saleae's Logic 2 application on a separate Windows laptop, selected the Saleae device and started a capture before plugging the Badge back into the Kali laptop to power the chip again. Once powered, the analyzer showed activity on the data lines and the supply. Logic 2's Async Serial analyzer can then be pointed at the Tx channel to try candidate baud rates against the capture. Based on the capture, we judged that this UART was unlikely to yield a shell, so testing switched to the static RAM chip.
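The baud-rate step above can be done from the capture itself instead of by trial in screen: the shortest run between two transitions on the Tx line is one bit period, and the rate follows from the analyzer's sample rate. The code below is an added example, not code from this wiki or from the project: it estimates the rate from a sample stream (the kind Logic 2 exports), snaps it to a standard rate, and decodes the 8N1 frames. The 1 MS/s sample rate, the standard-rate list and the text "BOOT\r\n" in make_capture() are assumptions constructed so the example runs offline.

```cpp
// Added example (not from the MedBreach-Capstone wiki): recover an unknown UART's
// baud rate from a logic-analyzer capture, then decode its 8N1 frames.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

static const int STANDARD_BAUDS[] = {1200, 2400, 4800, 9600, 19200,
                                     38400, 57600, 115200, 230400};

// The shortest run between two transitions is a single bit (a lone 1 or 0), so
// sample_rate / shortest_run approximates the baud rate; snap it to a standard one.
int estimate_baud(const std::vector<int>& samples, double sample_rate_hz) {
    size_t shortest = 0, run = 1;
    for (size_t i = 1; i < samples.size(); ++i) {
        if (samples[i] == samples[i - 1]) { ++run; continue; }
        if (shortest == 0 || run < shortest) shortest = run;
        run = 1;
    }
    if (shortest == 0) return 0;                 // no transitions: idle line or not a UART
    double raw = sample_rate_hz / (double)shortest;
    int nearest = STANDARD_BAUDS[0];
    for (int b : STANDARD_BAUDS)
        if (std::abs(b - raw) < std::abs(nearest - raw)) nearest = b;
    return nearest;
}

// Decode idle-high 8N1 frames (start bit 0, eight data bits LSB first, stop bit 1)
// by sampling each bit at its midpoint; frames with a bad stop bit are dropped.
std::string decode_8n1(const std::vector<int>& samples, double sample_rate_hz, int baud) {
    const double spb = sample_rate_hz / baud;    // samples per bit
    std::string out;
    if (spb < 2.0) return out;                   // undersampled: cannot decode
    size_t i = 0, n = samples.size();
    while (i < n) {
        if (samples[i] == 1) { ++i; continue; }  // idle: wait for a start bit
        size_t start = i;
        size_t mid = start + (size_t)(spb / 2);
        if (mid >= n) break;
        if (samples[mid] != 0) { ++i; continue; } // glitch, not a real start bit
        unsigned value = 0;
        bool complete = true;
        for (int bit = 0; bit < 8; ++bit) {
            size_t pos = start + (size_t)(spb * (bit + 1.5));
            if (pos >= n) { complete = false; break; }
            value |= (unsigned)(samples[pos] & 1) << bit;
        }
        size_t stop = start + (size_t)(spb * 9.5);
        if (!complete || stop >= n) break;
        if (samples[stop] == 1) out.push_back((char)value);   // else framing error
        i = stop;   // resume inside the stop bit; the idle scan finds the next edge
    }
    return out;
}

// Constructed capture for offline use: `text` framed as 8N1 at `baud`, idle either side.
std::vector<int> make_capture(const std::string& text, double sample_rate_hz, int baud) {
    const size_t spb = (size_t)(sample_rate_hz / baud + 0.5);
    std::vector<int> s(spb * 4, 1);
    for (unsigned char c : text) {
        std::vector<int> bits(1, 0);             // start bit
        for (int k = 0; k < 8; ++k) bits.push_back((c >> k) & 1);
        bits.push_back(1);                       // stop bit
        for (int b : bits) s.insert(s.end(), spb, b);
    }
    s.insert(s.end(), spb * 4, 1);
    return s;
}

int main() {
    const double fs = 1000000.0;                 // assumed 1 MS/s capture
    std::vector<int> cap = make_capture("BOOT\r\n", fs, 9600);
    int baud = estimate_baud(cap, fs);
    std::printf("estimated baud: %d\n", baud);
    std::printf("decoded: %s", decode_8n1(cap, fs, baud).c_str());
    return 0;
}
```

On a real capture, replace make_capture() with the exported channel samples; if estimate_baud() returns 0 the line never toggled, which means the probe is on the wrong pin or the chip is not running, and a run that is far from every standard rate suggests the line is not a UART at all.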
Static RAM Chip
Remove the Static RAM Chip
Step 1: Place PCB on frame above hot plate and secure in place. The PCB should not be able to move around during this process.
Step 2: Turn on the hot plate and preheat it to 200-300 degrees Celsius. Wait for the plate to heat up completely before continuing.
Step 3: Apply flux liberally to the chip being removed.
Step 4: Turn on the hot air gun and heat it to 300-500 degrees Celsius. Take the hot air gun and circle it slowly around the chip, pointing it at the sides. Do this for several minutes.
Step 5: Take tweezers and attempt to move the chip. If it's ready to come off, it will move easily. Once the chip has started moving, remove it immediately to avoid it resoldering to the board in the wrong position. If the chip does not move, continue heating it with the hot air gun and applying flux. Retry every few minutes.
Soldering
Step 1: Gather equipment necessary. This includes protective equipment (gloves, goggles, respirator), fume extractor, flux, lead solder, wires, isopropyl, brush, solder wick, and the chip.
Step 2: Prep the station. Put on protective gear. Stick the chip to the table with double-sided tape. Position the microscope over the chip. Bring the fume extractor close and turn it on. Turn on the soldering iron. Apply flux liberally to the chip. Cut wire to an appropriate length.
Step 3: Solder. Take the soldering iron from its stand and gently touch it to the end of the lead solder, gathering a small amount on the tip. Hold the wire in one hand and the iron in the other, close to the pin being soldered, then look through the microscope. Hold the tip of the wire to the pin, then bring the iron with the solder down to press the wire onto the pin. Keep tapping and adjusting as necessary until the tip of the wire is fully attached to the pin and does not touch any other pins. The joint should withstand a pull on the far end of the wire without coming off the chip. Apply more flux if needed. If soldering multiple pins, start with the pin highest up on the chip and furthest from the hand holding the iron, so later work does not disturb finished joints.
Step 4: Cleanup. Tape all attached wires down to the table. Press a clean length of solder wick against the points on the chip where excess solder needs to be removed. Press the soldering iron onto the wick and move iron and wick together slowly across the chip until no resistance is felt. Douse the chip in isopropyl alcohol and gently brush away any remaining flux. Before connecting anything, check adjacent pins with a multimeter on continuity to be sure no solder bridges were left.
Analyzing the Static RAM Chip
Analyze the static RAM data sheet to determine what is needed to pull data
Search the data sheet for which pins take part in data transfer, how those pins must be driven, and what sequence puts data on the outputs.
For this chip that means: Chip Enable (CE#) and Output Enable (OE#) driven low, Write Enable (WE#) held high (so nothing is written), and the byte enable driven low (BLE# for the low byte on I/O0-I/O7; a 16-bit part also has BHE# for I/O8-I/O15). The address is then presented in parallel on the address pins, one bit per pin starting at A0, and after the access time the word stored at that address appears on the I/O pins, starting at I/O0 for the least significant bit. Reading every address in turn yields the full contents.
Connect static RAM chip to Arduino and write script to pull data
Write an Arduino sketch from the data-sheet information above and open it in the Arduino IDE. The IDE can be installed on a Windows, Linux or macOS host with a GUI from the link. See the script in this GitHub repository. Solder wires to the SRAM pins identified in the data sheet, including the supply and ground pins. Connect the wires to the Arduino pins matching the pin numbers set in the script. Match the Arduino's I/O voltage to the SRAM's rated supply: a 3.3V part must not be driven directly from a 5V board (use a 3.3V board or level shifters). Connect the Arduino to the host running the IDE; the IDE should detect it automatically. Run the sketch to read every address from the chip and save what it prints over serial to a file for analysis.
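As an added example of the read cycle described in the two steps above (this is not the project's own Arduino script), the code below sequences CE#, OE#, WE# and the byte enables, drives the address, and samples the I/O pins. It is written against a tiny pin-level interface so the same read_word() binds to digitalWrite()/digitalRead() on an Arduino, or to the SramModel included here for checking offline. The Arduino Mega pin numbers, the 8-bit address bus, the x16 data width, the delayMicroseconds(1) settling time and the memory contents are all assumptions for illustration; take the real pin list, address width and timing from the Cypress data sheet.

```cpp
// Added example, not the project's Arduino script. The read cycle is written
// against a tiny pin-level interface (Bus) so the same code binds to Arduino
// digitalWrite()/digitalRead() on hardware or to SramModel for an offline check.
#include <cstdint>
#include <cstdio>
#include <vector>

// Active-low control pins of a typical x16 asynchronous SRAM, plus address and
// data pins in bit order (addr[0] = A0, io[0] = I/O0). Assumed geometry: 8 address
// lines, 16 data lines; take the real widths from the Cypress data sheet.
struct Pins { int ce, oe, we, ble, bhe; std::vector<int> addr, io; };

// On an Arduino: pinMode(OUTPUT) for control/address pins, pinMode(INPUT) for the
// I/O pins, then write_pin = digitalWrite and read_pin = digitalRead.
struct Bus {
    virtual void write_pin(int pin, int level) = 0;
    virtual int read_pin(int pin) = 0;
    virtual ~Bus() {}
};

// One read cycle: WE# high first so nothing is ever written, CE#/BLE#/BHE# low,
// address driven, OE# low, I/O sampled, OE# back high so the chip releases the bus.
uint16_t read_word(Bus& bus, const Pins& p, uint32_t address) {
    bus.write_pin(p.we, 1);
    bus.write_pin(p.ce, 0);
    bus.write_pin(p.ble, 0);
    bus.write_pin(p.bhe, 0);
    for (size_t i = 0; i < p.addr.size(); ++i)
        bus.write_pin(p.addr[i], (address >> i) & 1);
    bus.write_pin(p.oe, 0);
    // On hardware add delayMicroseconds(1) here; it exceeds the tens-of-ns access time.
    uint16_t word = 0;
    for (size_t i = 0; i < p.io.size(); ++i)
        word |= (uint16_t)((bus.read_pin(p.io[i]) & 1) << i);
    bus.write_pin(p.oe, 1);
    return word;
}

// Read every address; on the Arduino, print each word over Serial instead of storing it.
std::vector<uint16_t> dump(Bus& bus, const Pins& p, uint32_t words) {
    std::vector<uint16_t> out;
    for (uint32_t a = 0; a < words; ++a) out.push_back(read_word(bus, p, a));
    return out;
}

// Behavioural model of the chip, constructed for testing (not a real part). I/O pins
// are driven only while CE#=0, OE#=0, WE#=1 and the byte enable is low; otherwise
// they float and read as 1 here, as if pulled up.
struct SramModel : Bus {
    Pins p;
    std::vector<uint16_t> mem;
    std::vector<int> level;                     // current logic level of every pin
    SramModel(const Pins& pins, const std::vector<uint16_t>& contents)
        : p(pins), mem(contents), level(64, 1) {}
    void write_pin(int pin, int l) override { level[pin] = l; }
    int read_pin(int pin) override {
        for (size_t i = 0; i < p.io.size(); ++i) {
            if (p.io[i] != pin) continue;
            bool driving = level[p.ce] == 0 && level[p.oe] == 0 && level[p.we] == 1 &&
                           (i < 8 ? level[p.ble] == 0 : level[p.bhe] == 0);
            uint32_t addr = 0;
            for (size_t k = 0; k < p.addr.size(); ++k)
                addr |= (uint32_t)level[p.addr[k]] << k;
            if (!driving || addr >= mem.size()) return 1;
            return (mem[addr] >> i) & 1;
        }
        return level[pin];                      // control/address pins read back as driven
    }
};

// Assumed wiring on an Arduino Mega: controls on 2-6, A0-A7 on 22-29, I/O0-15 on 30-45.
Pins example_pins() {
    Pins p; p.ce = 2; p.oe = 3; p.we = 4; p.ble = 5; p.bhe = 6;
    for (int i = 0; i < 8; ++i) p.addr.push_back(22 + i);
    for (int i = 0; i < 16; ++i) p.io.push_back(30 + i);
    return p;
}

std::vector<uint16_t> sample_contents() {       // constructed test pattern, 256 words
    std::vector<uint16_t> m(256);
    for (size_t i = 0; i < m.size(); ++i) m[i] = (uint16_t)(0xA000 + i * 3);
    return m;
}

// Offline check: the dump must equal the model's contents, and with WE# low (a write
// cycle, not a read) the model must leave the bus floating.
bool self_check() {
    Pins p = example_pins();
    SramModel chip(p, sample_contents());
    bool ok = dump(chip, p, 256) == sample_contents();
    chip.write_pin(p.ce, 0); chip.write_pin(p.oe, 0); chip.write_pin(p.we, 0);
    return ok && chip.read_pin(p.io[0]) == 1;
}

int main() {
    Pins p = example_pins();
    std::vector<uint16_t> d = dump(*new SramModel(p, sample_contents()), p, 256);
    for (size_t i = 0; i < d.size(); ++i)
        std::printf("%04x%c", d[i], (i % 8 == 7) ? '\n' : ' ');
    std::printf("self_check: %s\n", self_check() ? "pass" : "FAIL");
    return 0;
}
```

The ordering inside read_word() is the part worth copying onto hardware: WE# is raised before anything else so that a glitch on CE# or OE# can never be seen as a write, and OE# is released between cycles so the Arduino's input pins never fight the chip's outputs if the sketch is later changed to drive the bus.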
Pull firmware and analyze with binwalk or dd
Take the data obtained from the static RAM chip and analyze it. Use file and binwalk to check whether the data contains a recognizable image or file system:

```
file firmware.bin         # identify the file type of the collected data
binwalk firmware.bin      # scan for embedded signatures (file systems, compression headers, etc.)
binwalk -e firmware.bin   # extract anything binwalk recognizes
```

If binwalk reports a file system, binwalk -e extracts it, and dd can carve out a single region at an offset and length that binwalk reports. Then search the extracted tree for useful information such as pump usage data, password hashes, etc. A raw memory dump will often hold data structures rather than a packaged file system, so if binwalk finds nothing, inspect the hex dump and the printable strings in the file directly.