TrainSec Hardware Hacking Expert Level 1 Exam, Exams of Technology

This foundational hardware hacking certification introduces embedded system security concepts. Topics include basic electronics, hardware interfaces, firmware access, and simple exploitation techniques. Candidates are evaluated on their ability to perform entry-level hardware security assessments safely and methodically.

Typology: Exams

2025/2026

Available from 01/24/2026

shilpi-jain-2
TrainSec Hardware Hacking Expert Level 1 Exam

Question 1. **In an MCU-based embedded system, which memory type retains its contents when power is removed?**
A) SRAM
B) DRAM
C) EEPROM
D) Cache
Answer: C
Explanation: EEPROM is non-volatile, preserving data without power, unlike SRAM, DRAM, or cache.

Question 2. **When mapping the attack surface of a smart thermostat, which of the following is typically the most exposed entry point?**
A) Internal crystal oscillator
B) Debug UART header on the PCB
C) Heat-sink fins
D) Power-on reset circuit
Answer: B
Explanation: Debug UART headers are often left accessible for development and can be used to inject commands or extract firmware.

Question 3. **During device disassembly, the presence of a tamper-evident epoxy seal primarily indicates what?**
A) The device uses low-power components
B) The manufacturer wants to deter physical probing of the PCB
C) The device has a built-in battery backup
D) The device complies with FCC regulations

Answer: B
Explanation: Epoxy seals are applied to make it difficult to access components without destroying the seal, deterring hardware tampering.

Question 4. **Which technique is most effective for identifying an unknown IC when its marking is illegible?**
A) Measuring voltage on its pins with a multimeter
B) Consulting the device’s BOM (Bill of Materials) list
C) Performing a pin-out scan using a logic analyzer while the device runs
D) Heating the chip to see if it glows
Answer: C
Explanation: A pin-out scan reveals functional behavior of each pin, allowing correlation with known IC families even when markings are unreadable.

Question 5. **A datasheet for a voltage regulator lists “VOUT = 3.3 V ± 5 %”. What is the maximum allowable output voltage?**
A) 3.15 V
B) 3.30 V
C) 3.45 V
D) 3.60 V
Answer: C
Explanation: 5 % of 3.3 V is 0.165 V; adding this to 3.3 V gives a maximum of 3.465 V, rounded to 3.45 V.

Question 6. **On a four-layer PCB, which layer typically carries the ground plane?**
A) Top signal layer

Question 9. **Which oscilloscope probe type is best suited for measuring high-frequency (>100 MHz) signals on a PCB trace?**
A) 10× passive probe with 100 pF capacitance
B) 1× passive probe with 50 pF capacitance
C) Active probe with <5 pF input capacitance
D) Current probe
Answer: C
Explanation: Active probes have very low input capacitance, preserving signal integrity at high frequencies.

Question 10. **When desoldering a surface-mount resistor, which tool provides the fastest removal with minimal pad damage?**
A) Solder wick
B) Hot air rework station
C) Desoldering pump (suction)
D) Tweezers and soldering iron
Answer: B
Explanation: A hot-air station evenly heats the component and pads, allowing quick removal while reducing mechanical stress on the pads.

Question 11. **In a UART interface, which line is idle high when no data is being transmitted?**
A) TX
B) RX
C) RTS
D) CTS

Answer: A
Explanation: UART uses a high (logic 1) idle state on the TX line; the line is driven low for the start bit.

Question 12. **A UART communication uses 8-N-1 configuration. How many stop bits are transmitted per frame?**
A) 0
B) 1
C) 1.
D) 2
Answer: B
Explanation: “8-N-1” denotes 8 data bits, No parity, and 1 stop bit.

Question 13. **Which voltage level is standard for RS-232 signal “mark” (logic 1) relative to ground?**
A) +5 V
B) +12 V
C) –12 V
D) 0 V
Answer: C
Explanation: RS-232 defines a logic 1 (mark) as a voltage between –3 V and –15 V, typically –12 V.

Question 14. **On an I²C bus, which condition indicates a “start” condition?**
A) SDA transitions from low to high while SCL is high
B) SDA transitions from high to low while SCL is high

Answer: C
Explanation: Fast-mode Plus operates up to 1 MHz; standard fast mode is 400 kHz, and high-speed mode is 3.4 MHz.

Question 17. **When sniffing an SPI flash chip, which pin must be held high to keep the chip deselected?**
A) MOSI
B) MISO
C) SCK
D) CS (Chip Select)
Answer: D
Explanation: In SPI, the Chip Select (CS) line is active low; keeping it high disables communication with the device.

Question 18. **A flash memory uses SPI Mode 0 (CPOL=0, CPHA=0). On which clock edge is data captured?**
A) Rising edge, first half-cycle
B) Rising edge, second half-cycle
C) Falling edge, first half-cycle
D) Falling edge, second half-cycle
Answer: A
Explanation: Mode 0 captures data on the rising edge (first clock transition) and changes data on the falling edge.

Question 19. **Which command is typically used with OpenOCD to dump the entire flash memory of an ARM Cortex-M device?**
A) flash write_image

B) dump_image
C) flash read_bank
D) memory read_all
Answer: B
Explanation: The dump_image command in OpenOCD writes a binary dump of a memory region, commonly used to extract flash contents.

Question 20. **In JTAG, the TAP controller’s “Shift-IR” state is used for what purpose?**
A) Shifting instruction register data into the device
B) Shifting data register contents out of the device
C) Resetting the TAP controller to idle
D) Selecting the target device on a chain
Answer: A
Explanation: “Shift-IR” moves instruction bits into the Instruction Register (IR) of the target device.

Question 21. **When performing boundary-scan testing, which JTAG pin carries the test data out of the device?**
A) TCK
B) TMS
C) TDI
D) TDO
Answer: D
Explanation: TDO (Test Data Out) is the pin through which captured data is shifted out of the device during boundary-scan operations.

Explanation: BadUSB reprograms the device’s firmware to masquerade as a different class (e.g., HID) and issue malicious commands.

Question 25. **Which frequency band is used by NFC for contactless payments?**
A) 125 kHz (LF)
B) 13.56 MHz (HF)
C) 433 MHz (UHF)
D) 2.4 GHz (ISM)
Answer: B
Explanation: NFC operates at 13.56 MHz, which is the high-frequency (HF) band.

Question 26. **When cloning a 125 kHz RFID tag, which parameter is most critical to replicate?**
A) Antenna coil inductance
B) UID (Unique Identifier)
C) Modulation depth
D) Data rate
Answer: B
Explanation: Many low-frequency RFID systems rely on a static UID for authentication; cloning requires reproducing this identifier.

Question 27. **In BLE, which layer is responsible for defining GATT services and characteristics?**
A) Physical Layer (PHY)
B) Link Layer (LL)
C) Generic Access Profile (GAP)

D) Generic Attribute Profile (GATT)
Answer: D
Explanation: GATT defines the hierarchical data model of services and characteristics used by BLE applications.

Question 28. **Which BLE pairing method offers the highest security against man-in-the-middle attacks?**
A) Just Works
B) Passkey Entry
C) Out-of-Band (OOB)
D) Numeric Comparison
Answer: C
Explanation: OOB uses an external channel (e.g., NFC) to exchange cryptographic keys, preventing MITM attacks.

Question 29. **In a CAN bus frame, the “ACK” slot is used for what purpose?**
A) Transmitting the message identifier
B) Signaling that at least one node received the frame correctly
C) Providing error-checking bits
D) Indicating the end of the frame
Answer: B
Explanation: All receivers that successfully decoded the frame drive the ACK slot low, confirming receipt.

Question 30. **When analyzing a CAN bus, which tool can automatically decode standard OBD-II PID messages?**

Explanation: External crystals improve timing accuracy but do not inherently reduce EMI; EMI is mitigated by layout and shielding.

Question 33. **When performing a voltage measurement on a high-impedance I²C pull-up resistor, which multimeter setting yields the most accurate result?**
A) 200 mV range
B) 2 V range
C) 20 V range
D) Continuity beep mode
Answer: B
Explanation: Using a low-range voltage setting (2 V) provides higher resolution for the typical 3.3 V pull-up voltage.

Question 34. **On a PCB, a “via” primarily serves what function?**
A) Connects two traces on the same layer
B) Provides a mechanical mounting point
C) Connects traces between different layers
D) Acts as a fuse for over-current protection
Answer: C
Explanation: Vias are plated holes that electrically connect conductive layers across the PCB stack-up.

Question 35. **Which of the following states is typical of a UART line when it is idle and not transmitting data?**
A) Logic low (0 V)
B) Logic high (VCC)

C) Pulsating square wave
D) Random noise
Answer: B
Explanation: UART idle state is high; the line stays at VCC until a start bit (low) begins transmission.

Question 36. **If a UART line is observed with a 2-stop-bit configuration, how many stop bits will be transmitted after each data byte?**
A) 0
B) 1
C) 2
D) 3
Answer: C
Explanation: “2-stop-bit” explicitly means two stop bits follow each data byte.

Question 37. **When analyzing a UART capture, you notice the line is idle at 5 V but the device operates at 3.3 V logic levels. What is the most likely cause?**
A) The UART is using RS-232 voltage levels
B) The multimeter is set to the wrong mode
C) The device is malfunctioning
D) The UART is in half-duplex mode
Answer: A
Explanation: RS-232 uses higher voltage swings (±5 V to ±12 V), so a 5 V idle suggests an RS-232 transceiver rather than TTL UART.

Question 38. **Which of the following I²C bus speeds is defined as “High-Speed Mode”?**

Question 41. **A microcontroller’s JTAG interface is disabled in firmware. Which hardware method can still allow access?**
A) Sending a specific UART command
B) Using a voltage glitch to bypass the lock
C) Connecting to the SWD (Serial Wire Debug) pins if they are exposed
D) Reading the flash via I²C
Answer: C
Explanation: SWD is a separate 2-wire debug protocol often left enabled even when JTAG is disabled.

Question 42. **In a JTAG scan chain, the length of the Instruction Register (IR) is typically:**
A) 4 bits for all devices
B) Fixed at 8 bits regardless of device
C) Device-specific, ranging from 4 to 10 bits
D) Determined by the TAP controller state machine length
Answer: C
Explanation: Each JTAG device defines its own IR length, commonly between 4 and 10 bits.

Question 43. **Which USB descriptor contains the “bInterfaceClass” field?**
A) Device descriptor
B) Configuration descriptor
C) Interface descriptor
D) Endpoint descriptor
Answer: C

Explanation: The Interface descriptor defines class, subclass, and protocol for a specific interface.

Question 44. **When creating a BadUSB payload that emulates a keyboard, which HID usage ID corresponds to the “Enter” key?**
A) 0x
B) 0x2A
C) 0x2C
D) 0x2E
Answer: A
Explanation: In the HID usage table, 0x28 represents the “Enter” (Return) key.

Question 45. **A BLE device advertises the service UUID 0x180F. Which standard service does this represent?**
A) Battery Service
B) Heart Rate Service
C) Device Information Service
D) Generic Access Service
Answer: A
Explanation: UUID 0x180F is the standardized Battery Service in BLE.

Question 46. **Which of the following NFC tag types supports NDEF (NFC Data Exchange Format) messages?**
A) Type 1 only
B) Type 2 and Type 4
C) Type 3 only

Question 49. **Which of the following is a common method to perform a “brute-force” attack on a JTAG password?**
A) Sending random UART characters
B) Cycling through all possible 32-bit values via the TAP controller’s BYPASS register
C) Using a voltage glitch on the TCK line
D) Re-flashing the device over SPI
Answer: B
Explanation: Some JTAG implementations store a 32-bit password in a register; repeatedly writing different values via BYPASS can attempt all possibilities.

Question 50. **When using a multimeter to measure the voltage on a USB VBUS line, what is the typical nominal voltage?**
A) 3.3 V
B) 5 V
C) 9 V
D) 12 V
Answer: B
Explanation: Standard USB VBUS supplies 5 V (±5 %).

Question 51. **A device’s PCB has a “test point” labeled TP1 connected to the MCU’s reset pin. What is the primary purpose of this test point?**
A) To provide a convenient location for injecting a reset signal during debugging
B) To measure the MCU’s supply voltage
C) To serve as a ground reference for the board
D) To output the MCU’s serial data stream
Answer: A

Explanation: Test points on reset pins allow engineers to manually assert or monitor the reset line without desoldering.

Question 52. **Which of the following statements about a “pull-up” resistor on an I²C line is true?**
A) It is required on the SCL line only
B) It defines the bus’s idle high level and limits rise time
C) It must be a variable resistor for dynamic bus speed changes
D) It is used to invert the logic level of the bus
Answer: B
Explanation: Pull-up resistors hold SDA and SCL high when no device drives them low, establishing the idle state and influencing rise time.

Question 53. **If an SPI flash chip reports “Write Protect” status, which pin is most likely asserted?**
A) WP (Write Protect)
B) CS (Chip Select)
C) HOLD
D) VCC
Answer: A
Explanation: The WP pin, when asserted, disables write/erase operations on the flash memory.

Question 54. **During a logic-analyzer capture of an I²C bus, you notice the SDA line never goes high. What is the most probable cause?**
A) The pull-up resistor is missing or faulty
B) The SCL line is stuck low