Date post: | 29-May-2015 |
Category: |
Technology |
Upload: | 44con |
View: | 317 times |
Download: | 8 times |
A story of Research by: !
Josh “m0nk” Thomas / @m0nk_dot!
44CON 2014
I gave a talk about robots
and hardware!
this hour, your talking head is…✤ Josh “m0nk” Thomas!
✤ @m0nk_dot !
✤ Partner and Chief Breaking Officer @ Atredis Partners!
✤ Recovering software developer (AI / Crypto / Mobile “stuff”)!
✤ Atredis Partners!
✤ Focused and targeted security firm!
✤ Specializing in advanced hardware and software assessments!
✤ Mobile and embedded systems!
✤ Societal infrastructure!
✤ Black boxes!
✤ Advanced malware and rootkit analysis!
✤ Handcrafted artisanal and deep bespoke research
@m0nk_dot likes to put trite commentary in
front of pretty pictures
story arc
✤ preface[0] = “Tongue Tied by many nights of NDA curiosity”!
✤ preface[1] = “What is the point / Where is the squishy?”!
✤ history lesson [0] = “The story of Wang and the Bed”!
✤ story[0] = “Hardware Design”!
✤ story[1] = “Iteration”!
✤ story [2] = “SoC, Bootloaders and trust chains”
I haz NDA?
✤ I hate this, but it is sadly worth mentioning!✤ … and you thought open source licenses were annoying!
✤ Words I can say:!✤ Sony!✤ HTC!✤ LG!
✤ I can sometimes say the words:!✤ Nokia!✤ Qualcomm!✤ BlackBerry!
✤ Words I cannot say:
Why to care?
Why Hit Hardware?
✤ Hard to get Code Exec / Control!
✤ Forensic OS Dumps!
✤ Crypto Keys & Boot Settings
What to look for?
✤ JTAG & Debug Access!
✤ Direct NAND Access!
✤ Bootloader Access & Manipulation
Functionality aside, why is hardware interesting
✤ Pretty!
✤ It is just as raw as source code, ASM or IDA!
✤ A concrete example of how much a company cares / what level of effort should be expected to break it!
✤ Not normally “patchable” / LOOOOOOOONG shelf life
The story of Wang and the Bed
history lesson [0]: could be true?
…had a kid, scada-curious, , talked about StuxNet, met at the pub… proof that I am not a EE and that some people are just damn cool
story[0] All hardware has a story to tell
stick with me here… I promise the following has a point and is more that “vacation pics”
What Simple Looks Like: MasterLock dialSpeed
What Complex Looks Like: Microsoft Xbox 360
Traces I Love: Samsung ChromeBook (Daisy)
Ol’ Grand Dad: Qualcomm Dragon Board
The Godfather Phone: Qualcomm Snapdragon 8974 Dev Platform
One Sided Conversation / Traces I Hate: Motorola Moto X
Grumble Grumble RF Shields: BlackBerry Z30
Hidden for a Reason: HTC One
Advanced Game: Apple iPhone 5S
XXX: BlackBerry Z10
XXX: Nokia Lumia 635
Speaking of… Microsoft Surface RT (V1)
Squares and NAND: Sony Arc S
Squares and Burner: Sony Xperia Z
XXX: LG Nexus 5
Old School: LG Nexus 4
Not a Monster: Samsung Galaxy Note 3
Oddly Normal: Samsung Galaxy 4
Lessons Learned
✤ Motorola tends to make one sided boards that are very simple and masked!
✤ Samsung likes uber dense complexity and non-euclidean shapes!
✤ Sony is just kinda boring and square!
✤ BlackBerry and Nokia internals look oddly identical!
✤ No one is a dense as Apple!
✤ Microsoft should QA a bit more!
✤ The new style is to hide Qualcomm below the NAND
story[1] Background Complete:
Exploring Iterative Design with Amazon Prime
Catching Fire - An Evolution
✤ Amazon has released 7 iterations of the Kindle Fire platform since late 2011:!
✤ Kindle Fire (1st Generation - 11/15/2011)!
✤ Kindle Fire (2nd Generation - 09/14/2012)!
✤ Kindle Fire HD 7" (1st Generation - 09/14/2012)!
✤ Kindle Fire HD 8.9" (1st Generation - 11/20/2012) (also has a cellular variant)!
✤ Kindle Fire HD 7" (2nd Generation - 10/02/2013)!
✤ Kindle Fire HDX 7" (3rd Generation - 10/18/2013) (also has a cellular variant)!
✤ Kindle Fire HDX 8.9" (3rd Generation - 11/07/2013) (also has a cellular variant)!
✤ Fire Phone (released 07/25/2014).
Amazon Fire V1
Amazon Fire V2
Amazon Fire V1
Amazon Fire V2
Amazon Fire HD V1
Amazon Fire HD V2
Amazon Fire HDX V1
Amazon Fire HDX V1
story[2]: SoC, Bootloaders and trust chains
TEE on the MSM8960 SoC
✤ Hosts a collection of Trusted Execution Environments!
✤ Krait Core 0 (Trust Zone)!
✤ The ARM7 based RPM (Resource and Power Management System)!
✤ The Modem System (assume this is the Hexagon Baseband platform)!
✤ The SPS (Smart Peripheral System)
Hardware of Note
✤ eFuses / QFPROM hold a lot of data (covered later)!
✤ The SoC reuses the ARM7 and ARM9 cores for different functions depending on the current processing needs!
✤ Hardware hosts 2 discrete “Crypto Engine” processors in hardware!
✤ CE1 is hardware latched to fuses for the the Primary Hardware Key !
✤ CE2 is hardware latched to fuses for the User Hardware Key!
✤ Assumed to be the ARM9 cores
A Glance at the Boot Chain before the “Bootloader”
The Secure Boot 3.0 Process Interesting tidbits
✤ RPM PBL starts executing at physical address 0x00!
✤ Multitude of Bootloader options here specifying where to look for more code to execute!
✤ All Authentication pre TZ load uses the Crypto Engine 1 (CE1) & the Primary Hardware Key (PHK) from the eFuse block!
✤ (Supposedly) Debuggable via “proprietary” tools!
✤ Highly eFuse controlled!
✤ Supports an “Emergency Download Mode” upon crash
Things are getting fused
How Fuses Work
✤ Total of 16kb block of eFuses / QFPROM on MSM8960!
✤ 4kb mapped and easily accessible:!
✤ QFPROM BASE PHYSICAL: 0x00700000!
✤ QFPROM SHADOW BASE: 0x00706000!
✤ Can be read whenever / Written Once!
✤ To write, need to hold voltage for $TIME_PERIOD
Interesting QFPROM
✤ A 256-bit Primary Hardware Key (PHK used by CE1)!
✤ A 256-bit Secondary Hardware Key (SHK used by CE2)!
✤ A 128-bit OEM Customer key!
✤ A 2048-bit Customer private key!
✤ Fuses to disable debug / JTAG!
✤ Fuses to reenable debug / JTAG!
✤ Possible large swaths of unmapped free space
<insert POC||GTFO source here>
There is no conclusion, only Zuul
thanks for letting me talk… any questions?