Date post: | 15-Apr-2017 |
Category: |
Technology |
Upload: | pricemcdonald |
View: | 194 times |
Download: | 0 times |
“Hack Mode” Enabled Hardware Hacking on a Budget
BSides DFW 2016
Price McDonald
About:Me
O’Rly?
Ok, So Hardware Security sucks…But why focus on the hardware?
Methodology
Where do we get the Things?
• Beta Programs• https://www.betabound.com/tp-link-router-private-beta/• https://beta.linksys.com/• https://www.beta.netgear.com/signup/
• Flea Markets• Ebay• Craigslist• Garage Sales
Disassembly “Voiding the Warranty”
Tamper Resistance/Detection/AlertingThey mean different things, but may not matter either way.
Component Identification
What do you see?
Component Identification(2)
• EOL 802.11G router SoC (System on Chip)• 200 Mhz MIPS32 core• Supports Serial or Parallel Flash• One JTAG and two UART Ports• 336 ball FBGA (Fine-pitch Ball Grid Array)
• 32M-BIT Parallel NOR Flash Memory• 3V only• 48-pin TSOP (Thin Small Outline Package)
• CMOS DDR400 RAM• 66-pin TSOP II
Component Identification Tip and Tricks
The image part with relationship ID rId5 was not found in the file.
Arts and Crafts Time
Finding Ground• Using the MultiMeter we can figure out which of the pins on our
headers connect to ground and which have voltage.
GroundVoltageSpecifically 3.3v
• Got Ground?
Physical Counter Measures
Gap in trace
Extra Resistor
Common Interface Types
• UART - Universal Asynchronous Receiver/Transmitter
• SPI – Serial Peripheral Interface
• I2C – Inter Integrated Circuit
• JTAG – Joint Test Action Group – Hardware Debugging Interface
• CAN – Controller Area Network (Cars/ATM/etc)
• RS232- Serial Interface used on many legacy devices
Pinout Reversing
• Saleae Logic Analyzer
• ~100 Bucks on the low end @ https://www.saleae.com• Also, EDU discounts available up to 50% depending on model.
• Keep in mind that logic analyzers are sampling which can cause artificial data depending on the sampling rate and thresholds.
• Works for I2C, UART, SPI, JTAG, CAN, etc, etc
Saleae Logic UI• Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes
during. This is a good indication of either a UART, I2C or SPI connection.
System Boot Likely the boot log being transmitted over UART
Saleae Logic - Decoders
Given that we suspect Async Serial (UART) we will select that analyzer
Saleae Logic - Decoding
Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit rate.
Saleae Logic – Decoding(2)
We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)
Saleae Logic – Output
As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
Or, Have you heard of the Jtagulator?• Created by Joe Grand @ http://www.grandideastudio.com• ~180-200 Bucks
Connecting to Interfaces• Bus Pirate• Less of a learning curve• Slower transfer speeds• Supports UART, SPI, I2C and JTAG
• Shikra• No UI but faster transfer speeds as a result• Supports UART, SPI, I2C and JTAG
• TIAO USB Multiprotocol Adapter• No UI but faster transfer speeds as a result• Supports UART, SPI, I2C, JTAG, RS-232• Supports multiple connections from same device• Slightly less reliable in my experience
Using the Shikra
http://int3.cc/products/the-shikra
Connecting to UARTThe command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below.
sudo screen /dev/[device id] baud rate
Or the the case of the Device ID below for the Shikra:
sudo screen /dev/ttyUSB0 115200
We now have shell!hopefully
But now what?
No Tech hacking
No Tech hacking(2)
File System Fiddling
Why is my root a mtdblock?
But wait, what is an mtdblock?
• MTD is a "Memory Technology Device.• Unix traditionally only knew block devices and character devices. Character devices were
things like keyboards or mice, that you could read current data from, but couldn't be seek-edand didn't have a size. Block devices had a fixed size and could be seek-ed.
• A mtdblock is a block device emulated over an mtd device.
Source: Wikipedia
File System Fiddling(2)Often times embedded device manufacturers leave important file systems unmounted.
Another good Resource:http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
Pilfering File SystemsBut, How do we get the file system off of the target device?
SSH Whoops?
Ultra quick JTAG primer• JTAG stands for (Joint Test Action Group) which was formed in 1985.• IDCODE , BYPASS Registers are often very helpful• The following pins are required for JTAG use:
• TDI (Test Data In)• TDO (Test Data Out)• TCK (Test Clock)• TMS (Test Mode Select)
• The TCK Pin (Test Clock) is what keeps the clock for the state machine.• THE TMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative
position during each clock cycle.
Source: Wikipedia
Options for connecting to JTAG
Good Better Best
$45 $60-$600 $5000-$20000
Jtagulator
How to Connect with OpenOCD
The command to initiate openocd is : openocd –f interface –f target
But now what? There are errors and stuff!!!!!
#openocd on Freenode
How to Connect with OpenOCD(2)Silly openocd!
That’s more like it J
Using OpenOCD
Reverse Engineering
• Ida Pro• Paid Version required for disassembly• ARM decompiler available but $$$$• Also very good debugger
• Radare2• Free multiplatform support• No decompiler available
• Binary Ninja• Free version available• Very Limited Architecture Support• Not currently an option for this type of
work but something to keep in mind.
IDA Pro
Radare2
Other nice to haves
• http://www.grandideastudio.com/hardware-hacking-training/• http://www.xipiter.com/training.html• https://www.eevblog.com• http://www.embedded.com/electronics-blogs/beginner-s-corner/
THANK YOU!!!!
ANY MORE QUESTIONS?