TrainSec Hardware Hacking Expert Exam, Exams of Technology

This advanced certification measures expertise in hardware exploitation and embedded system security. Topics include hardware interfaces (JTAG, UART, SPI), firmware extraction, chip analysis, fault injection, side-channel attacks, and reverse engineering. Candidates must demonstrate the ability to identify and exploit hardware vulnerabilities while documenting findings for security research or product assurance.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2
TrainSec Hardware Hacking Expert Exam
**Question 1. In an MCU-based system, which pin is most likely to provide the reference clock
for the CPU core?**
A) VCC
B) RESET
C) XTAL_IN
D) GND
Answer: C
Explanation: The XTAL_IN pin connects to an external crystal or resonator that supplies the
reference clock for the MCU’s CPU and peripheral buses.
**Question 2. When reading a datasheet, the “Maximum Continuous Current” specification is
most important for which design decision?**
A) Choosing the package type
B) Selecting a voltage regulator
C) Determining the pinout order
D) Setting the flash latency
Answer: B
Explanation: Maximum continuous current tells the designer the worst-case current draw, which
is needed to size a voltage regulator that can supply that load reliably.
**Question 3. Which of the following surface-mount packages uses a grid of solder balls
underneath the die?**
A) QFP
B) BGA
C) SOIC
D) DIP
Answer: B

Explanation: Ball Grid Array (BGA) packages have an array of solder balls on the bottom side, providing high pin density and better thermal performance.
**Question 4. On a typical 4-layer PCB, which layer most commonly contains the ground plane?**
A) Top signal layer
B) Inner layer 1
C) Inner layer 2
D) Bottom signal layer
Answer: B
Explanation: Designers often place a continuous ground plane on the first inner layer (layer 2) to provide a low-impedance return path and reduce EMI.
**Question 5. Which voltage rail is most frequently used for logic-level I/O on modern 3.3 V microcontrollers?**
A) 1.8 V
B) 3.3 V
C) 5 V
D) 12 V
Answer: B
Explanation: 3.3 V is the standard logic level for most contemporary MCUs, balancing power consumption and noise immunity.
**Question 6. The “hacker mindset” emphasizes which of the following approaches when confronting a new hardware target?**
A) Immediate exploitation without reconnaissance
B) Systematic information gathering before attack
C) Relying solely on software tools

B) Persistence mode
C) Bandwidth of at least 5× the signal frequency
D) XY plot
Answer: C
Explanation: To accurately capture fast edges, the oscilloscope’s bandwidth should be at least five times higher than the signal’s fundamental frequency.
**Question 10. A J-Link debugger connects to a target microcontroller using which interface by default?**
A) UART
B) SWD (Serial Wire Debug)
C) I²C
D) SPI
Answer: B
Explanation: The J-Link supports SWD (or JTAG) as the primary debug interface for ARM Cortex-M devices.
**Question 11. When desoldering a QFN package, which of the following techniques reduces the risk of lifting the PCB pads?**
A) Using a high-temperature soldering iron on each pad individually
B) Applying a hot air rework station with a uniform temperature profile
C) Scraping the pins with a flat-head screwdriver
D) Cooling the board with compressed air before heating
Answer: B
Explanation: Hot air provides even heat across the entire QFN, melting all solder simultaneously and minimizing pad lift.

**Question 12. In a typical UART connection, which pin on the host side carries the data that the target device transmits?**
A) TX
B) RX
C) RTS
D) CTS
Answer: B
Explanation: The host’s RX pin receives data transmitted by the target’s TX line.
**Question 13. Which of the following is a common method to bypass a weak UART login password?**
A) Sending a break sequence to reset the login state
B) Over-volting the TX pin to force a reboot
C) Using a logic analyzer to capture the password hash in clear text
D) Injecting a NOP sled via the MOSI line
Answer: A
Explanation: Many UART login shells accept a break (Ctrl-C) to abort the login process and drop directly into a prompt.
**Question 14. The I²C bus uses open-drain drivers. Which external component is required on the bus to ensure proper logic levels?**
A) Pull-up resistors on SDA and SCL
B) Series termination resistors
C) Decoupling capacitors on each device
D) Schottky diodes to ground
Answer: A

D) Mode 3
Answer: A
Explanation: Mode 0 has CPOL = 0 (idle low) and CPHA = 0 (data captured on the first clock edge, i.e., rising edge).
**Question 18. When extracting firmware from a serial flash via SPI, which command is typically used to read the chip’s ID?**
A) 0x
B) 0x9F
C) 0x
D) 0x
Answer: B
Explanation: The 0x9F “Read JEDEC ID” command returns manufacturer and device identification bytes.
**Question 19. The JTAG TAP controller’s “Shift-DR” state is used for which purpose?**
A) Shifting instruction registers
B) Shifting data registers (e.g., boundary-scan)
C) Resetting the TAP controller
D) Selecting a target device on the chain
Answer: B
Explanation: “Shift-DR” moves data into or out of the Data Register, which is used for boundary-scan operations.
**Question 20. Which JTAG signal carries the test data from the debugger to the target?**
A) TCK
B) TDI
C) TDO
D) TMS
Answer: B
Explanation: TDI (Test Data In) is the serial input line that carries data from the debugger into the target’s TAP.
**Question 21. A bootloader backdoor that accepts a specific UART command to dump memory is an example of which exploitation technique?**
A) Buffer overflow
B) Command injection
C) Side-channel attack
D) Fault injection
Answer: B
Explanation: The attacker injects a crafted command that the bootloader interprets as a request to reveal memory contents.
**Question 22. When reconstructing a dumped firmware image, which tool can convert a raw binary into an ELF file assuming a known load address?**
A) binwalk
B) objcopy
C) strings
D) gzip
Answer: B
Explanation: GNU objcopy can take a raw binary and produce an ELF with a specified entry point and load address.
**Question 23. Which filesystem is commonly found on embedded Linux devices using flash memory?**

**Question 26. During USB enumeration, which descriptor is sent first by the device?**
A) Configuration descriptor
B) Interface descriptor
C) Device descriptor
D) Endpoint descriptor
Answer: C
Explanation: The host first requests the Device descriptor to learn vendor/product IDs and supported USB version.
**Question 27. A CAN bus node that continuously transmits high-priority frames to monopolize the bus is performing which attack?**
A) Replay attack
B) Bus-off attack
C) Denial-of-Service (DoS)
D) Man-in-the-middle (MITM)
Answer: C
Explanation: Flooding the CAN bus with high-priority messages prevents other nodes from communicating, constituting a DoS attack.
**Question 28. In CAN, the “identifier” field determines what?**
A) The payload length
B) The arbitration priority of the frame
C) The CRC polynomial used
D) The physical voltage levels on the bus
Answer: B
Explanation: Lower identifier values have higher priority during the arbitration phase, allowing those frames to win bus access.
**Question 29. Which RFID frequency band is typically used for proximity cards (125 kHz)?**
A) LF (Low Frequency)
B) HF (High Frequency)
C) UHF (Ultra-High Frequency)
D) Microwave
Answer: A
Explanation: 125 kHz falls within the LF band, commonly employed for low-frequency proximity access cards.
**Question 30. To clone an NFC tag that uses the NTAG213 chip, which command sequence is required after the tag is placed in the reader’s field?**
A) GET_VERSION → READ → WRITE
B) AUTHENTICATE → READ → UPDATE
C) SELECT → READ_BINARY → UPDATE_BINARY
D) REQA → ANTICOLLISION → SELECT
Answer: D
Explanation: NFC Type 2 tags (like NTAG213) follow the ISO14443A anti-collision procedure: REQA, ANTICOLLISION, and SELECT to retrieve the UID before reading data.
**Question 31. Which Bluetooth Low Energy (BLE) advertising channel is NOT used for data transmission?**
A) 37
B) 38
C) 39

B) The ELF magic number
C) A CRC checksum
D) An escaped control character
Answer: B
Explanation: The byte sequence 0x7F 0x45 0x4C 0x46 corresponds to “0x7F ‘E’ ‘L’ ‘F’”, the ELF file header magic.
**Question 35. Which of the following is a typical symptom of a missing pull-up resistor on an I²C line?**
A) Constant high level on SDA/SCL
B) Bus stuck low, no communication possible
C) Excessive ringing on the lines
D) Increased power consumption
Answer: B
Explanation: Without pull-ups, the open-drain drivers cannot release the line, leaving it low and preventing any communication.
**Question 36. In a multi-drop SPI bus, what technique is used to select a specific slave without extra chip-select lines?**
A) Daisy-chain the slaves’ MISO outputs
B) Use addressable SPI devices with internal CS decoding
C) Toggle the SCK frequency per slave
D) Employ a shared MOSI line with separate VCC supplies
Answer: B
Explanation: Some SPI flash devices support “addressable” CS where a command byte includes the target’s address, eliminating the need for dedicated CS lines.

**Question 37. Which JTAG instruction is used to read the IDCODE register of a device?**
A) EXTEST
B) SAMPLE
C) IDCODE
D) BYPASS
Answer: C
Explanation: The IDCODE instruction shifts out the 32-bit device identification code from the IDCODE register.
**Question 38. When a firmware image contains a “bootloader magic” value of 0x5AA5 at offset 0x0, what does this indicate?**
A) The image is encrypted
B) The image is a valid bootloader for that platform
C) The image is corrupted
D) The image uses a proprietary compression scheme
Answer: B
Explanation: Many embedded bootloaders place a recognizable constant (e.g., 0x5AA5) at a fixed offset to verify integrity before execution.
**Question 39. Which of the following commands can be used with the Bus Pirate to perform an I²C read of a single byte from address 0x50?**
A) ; I2C 0x50 r 1
B) ; i2c 0x50 r 1
C) ; i2c 0x50 w 1
D) ; i2c 0x50 rd 1
Answer: B

D) Sending a “read-all” command over SPI
Answer: C
Explanation: Physical removal and reading with a programmer bypasses any on-board protection mechanisms.
**Question 43. When analyzing a captured CAN frame, the DLC field value of 0x08 indicates what?**
A) The frame uses an extended identifier
B) The data payload length is 8 bytes
C) The frame is a remote transmission request (RTR)
D) The frame contains an error flag
Answer: B
Explanation: DLC (Data Length Code) specifies the number of data bytes; 0x08 means eight bytes of payload.
**Question 44. Which of the following is a typical symptom of a “bus-off” condition on a CAN controller?**
A) The controller continues to transmit but receives no ACKs
B) The controller stops transmitting and reports an error state
C) The controller automatically switches to ISO-TP mode
D) The controller increases its baud rate to recover
Answer: B
Explanation: In a bus-off state, the controller disables its transmitter after exceeding the error-passive threshold.
**Question 45. In NFC, the “NDEF” message format is used for what purpose?**
A) Defining the physical antenna shape
B) Encoding payload data such as URLs or vCards
C) Negotiating the communication speed
D) Authenticating the reader device
Answer: B
Explanation: NDEF (NFC Data Exchange Format) standardizes how application data (e.g., URLs, contact info) is packaged on NFC tags.
**Question 46. Which command in the nfc-tools suite can be used to read the entire memory of an NTAG215 tag?**
A) nfc-poll
B) nfc-list
C) nfc-mfclassic r
D) nfc-ndef
Answer: C
Explanation: nfc-mfclassic r reads MIFARE Classic-compatible tags, and NTAG215 is compatible with this command set.
**Question 47. When performing a Bluetooth “sniffing” attack with Ubertooth, which of the following radio frequencies must be monitored?**
A) 2.4 GHz ISM band (2402–2480 MHz)
B) 5 GHz UNII band
C) 900 MHz ISM band
D) 1.8 GHz LTE band
Answer: A
Explanation: Classic Bluetooth and BLE operate in the 2.4 GHz ISM band, making it the target for Ubertooth sniffing.

**Question 51. When using a ‘Bus Pirate’ in UART mode at 9600 bps, which command sets the baud rate?**
A) baud 9600
B) U 9600
C) #9600
D) b 9600
Answer: B
Explanation: The U command followed by the desired speed configures the UART baud rate on the Bus Pirate.
**Question 52. Which of the following is a common consequence of “glitching” the reset pin of a microcontroller during boot?**
A) Permanent hardware damage
B) Skipping bootloader integrity checks
C) Increasing flash write speed
D) Enabling the JTAG interface automatically
Answer: B
Explanation: A precisely timed reset glitch can cause the MCU to miss security checks performed early in the boot sequence.
**Question 53. In a typical ARM Cortex-M microcontroller, which register holds the vector table base address?**
A) VTOR (Vector Table Offset Register)
B) PC (Program Counter)
C) SP (Stack Pointer)
D) PSR (Program Status Register)
Answer: A
Explanation: VTOR allows relocation of the interrupt vector table to a different memory region.
**Question 54. Which of the following is an effective way to protect an I²C bus from unauthorized readout?**
A) Use a higher pull-up resistor value
B) Enable hardware address randomization (if supported)
C) Short the SDA line to ground during idle periods
D) Disable the I²C peripheral in firmware
Answer: B
Explanation: Some modern MCUs support address randomization or encryption of I²C communication, making unauthorized reads harder.
**Question 55. When analyzing a flash image with binwalk, which flag extracts embedded files automatically?**
A) -E
B) -D
C) -e
D) -M
Answer: C
Explanation: The -e (extract) option tells binwalk to carve out and save discovered embedded files.
**Question 56. Which of the following best describes a “ROM shadowing” technique in firmware hacking?**
A) Copying flash contents into RAM to bypass write-protect bits
B) Overwriting the bootloader with a malicious image