Post on 29-Nov-2014
Making BadUSB Work For You
Adam Caudill (@adamcaudill)
Brandon Wilson (@brandonlwilson)
What is BadUSB?
● NOT a technical flaw
● NOT a vulnerability
Patriot 8GB Supersonic Xpress
Phison 2251-03
Reverse Engineering
A word of warning...
● Always starts at boot ROM
● Attempts to read firmware from NAND
● If successful, first 32KB loaded to XDATA
● If not, waits to receive code to RAM and executes it
Boot Process
Pin Shorting
Paging
[Diagram labels: Page 0, Page 1, Page 2, ..., Page A; Base section; addresses 0x0000, 0x5000, 0xEFFF]
Firmware Update Process
Boot ROM Burner Executable Firmware
Pain Points
● Patching existing firmware
  o Very touchy
  o Limited RAM available
● Writing from-scratch firmware
  o NAND sucks
  o Non-standard command sets
  o Bad block management
  o Global wear leveling
● Lots...and lots...of pin shorting
Quick Reset Cable
New Tools
● Desktop Flasher
● Firmware Patcher
● HID payload injector
What We've Done
● Custom HID firmware
● Hidden partition patch
● Password protection bypass patch
Custom HID Firmware
Hidden Partition Patch
[Diagram labels: Read Request (Get LBA 0x00000073); Patch (Use hidden area?); Section 1 (Public); Section 2 (Hidden)]
Password Protection Bypass
Defense & Detection
● Composite devices
● Modified firmware
?
Source Code & Tools
Drive: bit.ly/badusb4you
Code: github.com/adamcaudill/Psychson
Burner & Stock Firmware: usbdev.ru/files/phison/
Special Thanks
Security Research Labs
● Karsten Nohl
● Sascha Krißler
● Jakob Lell
Special Thanks
Richard Harman (@xabean)
ShmooCon 2014
Controlling USB Flash Drive Controllers
bit.ly/1xaNkbP
Thanks
github.com/adamcaudill/Psychson
Adam Caudill (@adamcaudill)
Brandon Wilson (@brandonlwilson)