BSides DFW2016-Hack Mode Enabled

Date post: 15-Apr-2017
Upload: pricemcdonald

Transcript
Page 1: BSides DFW2016-Hack Mode Enabled

“Hack Mode” Enabled Hardware Hacking on a Budget

BSides DFW 2016

Price McDonald

Page 2: BSides DFW2016-Hack Mode Enabled

About:Me

Page 3: BSides DFW2016-Hack Mode Enabled

O’Rly?

Page 4: BSides DFW2016-Hack Mode Enabled

Ok, So Hardware Security sucks…But why focus on the hardware?

Page 5: BSides DFW2016-Hack Mode Enabled

Methodology

Page 6: BSides DFW2016-Hack Mode Enabled

Where do we get the Things?

• Beta Programs
  • https://www.betabound.com/tp-link-router-private-beta/
  • https://beta.linksys.com/
  • https://www.beta.netgear.com/signup/

• Flea Markets
• Ebay
• Craigslist
• Garage Sales

Page 7: BSides DFW2016-Hack Mode Enabled

Disassembly “Voiding the Warranty”

Page 8: BSides DFW2016-Hack Mode Enabled

Tamper Resistance / Detection / Alerting

They mean different things (making the case hard to open, leaving evidence that it was opened, and telling someone that it was opened), but once the attacker has the device on a bench none of them may matter either way.

Page 9: BSides DFW2016-Hack Mode Enabled

Component Identification

What do you see?

Page 10: BSides DFW2016-Hack Mode Enabled

Component Identification(2)

• EOL 802.11g router SoC (System on Chip)
  • 200 MHz MIPS32 core
  • Supports serial or parallel flash
  • One JTAG and two UART ports
  • 336-ball FBGA (Fine-pitch Ball Grid Array)

• 32 Mbit parallel NOR flash memory
  • 3V only
  • 48-pin TSOP (Thin Small Outline Package)

• CMOS DDR400 RAM
  • 66-pin TSOP II

Page 11: BSides DFW2016-Hack Mode Enabled

Component Identification Tips and Tricks

Page 12: BSides DFW2016-Hack Mode Enabled

Arts and Crafts Time

Page 13: BSides DFW2016-Hack Mode Enabled

Finding Ground

• Using the multimeter we can figure out which of the pins on our headers connect to ground and which have voltage.
  • Ground: with the device powered off, continuity mode between a header pin and a known ground (a connector shield or the metal can of the SoC's shield) beeps.
  • Voltage: with the device powered on, DC volts mode against that ground. Specifically 3.3V on these boards; that is the logic level everything else must be matched to.

• Got Ground?

Page 14: BSides DFW2016-Hack Mode Enabled

Physical Counter Measures

• Gap in trace (the header pads are there but the trace to them is cut)

• Extra resistor (an unpopulated resistor footprint in the signal path)

Page 15: BSides DFW2016-Hack Mode Enabled

Common Interface Types

• UART - Universal Asynchronous Receiver/Transmitter

• SPI – Serial Peripheral Interface

• I2C – Inter Integrated Circuit

• JTAG – Joint Test Action Group – Hardware Debugging Interface

• CAN – Controller Area Network (Cars/ATM/etc)

• RS232- Serial Interface used on many legacy devices

Page 16: BSides DFW2016-Hack Mode Enabled

Pinout Reversing

• Saleae Logic Analyzer

• ~100 bucks on the low end @ https://www.saleae.com
  • Also, EDU discounts available up to 50% depending on model.

• Keep in mind that a logic analyzer is sampling: it reads the line at a fixed rate against a fixed voltage threshold, so a sample rate too close to the signal's bit rate, or a threshold that does not match the target's logic level, produces edges and bits that were never on the wire.

• Works for I2C, UART, SPI, JTAG, CAN, etc, etc

Page 17: BSides DFW2016-Hack Mode Enabled

Saleae Logic UI

• Using the Saleae logic analyzer we can watch the pins during boot and check which of them toggle. Activity on a pin during boot is a good indication of either a UART, I2C or SPI connection.

System Boot: likely the boot log being transmitted over UART

Page 18: BSides DFW2016-Hack Mode Enabled

Saleae Logic - Decoders

Given that we suspect Async Serial (UART) we will select that analyzer

Page 19: BSides DFW2016-Hack Mode Enabled

Saleae Logic - Decoding

Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit rate.

Page 20: BSides DFW2016-Hack Mode Enabled

Saleae Logic – Decoding(2)

We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)

Page 21: BSides DFW2016-Hack Mode Enabled

Saleae Logic – Output

As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
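The two points from the previous slides, that 115200 is an easy guess for the bit rate and that a sampling analyzer can invent bits when the sample rate is too low, are easier to see with a software decoder. The following is an added example written for this page; it is not the talk's code and not Saleae's software. Everything in it is constructed: encode_8n1() synthesises the waveform a logic analyzer would capture, so it runs offline with no hardware, and the text on the line is made up.

```python
"""Bit-rate estimation and 8N1 decoding over logic-analyzer style samples.

Added example, not from the talk and not Saleae's software: the waveform is
synthesised by encode_8n1() so the script runs offline with no hardware.
The text on the line is constructed.
"""
from typing import List, Tuple

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def encode_8n1(data: bytes, baud: int, sample_rate: int, idle_bits: int = 8) -> List[int]:
    """Render bytes as an idle-high 8N1 line (start=0, 8 data bits LSB first, stop=1)
    and sample it at sample_rate, the way a logic analyzer would."""
    bits: List[int] = [1] * idle_bits
    for byte in data:
        bits.append(0)                                  # start bit
        bits.extend((byte >> k) & 1 for k in range(8))  # data, LSB first
        bits.append(1)                                  # stop bit
    bits.extend([1] * idle_bits)
    n_samples = len(bits) * sample_rate // baud
    # integer arithmetic keeps the bit boundaries exact
    return [bits[i * baud // sample_rate] for i in range(n_samples)]


def run_lengths(samples: List[int]) -> List[int]:
    """Lengths, in samples, of the constant runs between edges."""
    runs, count = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    return runs


def estimate_baud(samples: List[int], sample_rate: int) -> Tuple[float, int]:
    """The shortest run between edges approximates one bit time (8N1 text usually
    has an isolated bit somewhere). Returns (raw estimate, nearest standard rate).
    The leading and trailing idle runs are not bit times, so they are excluded.
    Note the quantisation: at 1 MHz a 115200 bit is 8.68 samples, so runs come
    out as 8 or 9 and the raw estimate is off by up to ~8%, which is why the
    result is snapped to a standard rate."""
    runs = run_lengths(samples)[1:-1]
    if not runs:
        raise ValueError("no edges in capture")
    raw = sample_rate / min(runs)
    nearest = min(STANDARD_BAUDS, key=lambda b: abs(b - raw) / b)
    return raw, nearest


def decode_8n1(samples: List[int], sample_rate: int, baud: int) -> Tuple[bytes, int]:
    """Find each start bit's falling edge, then sample every bit at its centre.
    Returns (decoded bytes, number of framing errors)."""
    spb = sample_rate / baud                 # samples per bit, usually not an integer
    out = bytearray()
    errors = 0
    i = 1
    while i < len(samples):
        if not (samples[i - 1] == 1 and samples[i] == 0):
            i += 1
            continue
        base = i

        def mid(k: int) -> int:              # sample index at the centre of bit k
            return int(base + (k + 0.5) * spb)

        if mid(9) >= len(samples):
            break
        if samples[mid(0)] != 0:             # too short to be a start bit: a glitch
            i += 1
            continue
        value = 0
        for k in range(8):
            value |= samples[mid(k + 1)] << k
        if samples[mid(9)] == 1:
            out.append(value)
        else:
            errors += 1                      # framing error: wrong rate or noise
        i = mid(9) + 1
    return bytes(out), errors


if __name__ == "__main__":
    line = b"Hack Mode Enabled\r\n"          # constructed boot-log text
    for rate in (1_000_000, 500_000, 200_000):
        capture = encode_8n1(line, 115200, rate)
        raw, guess = estimate_baud(capture, rate)
        print(f"{rate} Hz sampling: raw {raw:.0f}, nearest standard {guess}")
    capture = encode_8n1(line, 115200, 1_000_000)
    print(decode_8n1(capture, 1_000_000, 115200))
```

At 1 MHz and 500 kHz the estimate snaps to 115200 and the text decodes cleanly; at 200 kHz a single 115200 bit is under two samples, the shortest run is one sample, and the estimate snaps to 230400. That is the sampling artifact the earlier slide warns about: the fix is a higher sample rate, not a different decoder.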

Page 22: BSides DFW2016-Hack Mode Enabled

Or, have you heard of the Jtagulator?
• Created by Joe Grand @ http://www.grandideastudio.com
• ~180-200 bucks

Page 23: BSides DFW2016-Hack Mode Enabled

Connecting to Interfaces

• Bus Pirate
  • Less of a learning curve
  • Slower transfer speeds
  • Supports UART, SPI, I2C and JTAG

• Shikra
  • No UI, but faster transfer speeds as a result
  • Supports UART, SPI, I2C and JTAG

• TIAO USB Multiprotocol Adapter
  • No UI, but faster transfer speeds as a result
  • Supports UART, SPI, I2C, JTAG, RS-232
  • Supports multiple connections from the same device
  • Slightly less reliable in my experience

Page 24: BSides DFW2016-Hack Mode Enabled

Using the Shikra

http://int3.cc/products/the-shikra

Page 25: BSides DFW2016-Hack Mode Enabled

Connecting to UART

The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below:

sudo screen /dev/<device id> <baud rate>

Or, in the case of the device ID below for the Shikra:

sudo screen /dev/ttyUSB0 115200

The device ID is whatever node the adapter got when it was plugged in (dmesg shows it, typically ttyUSB0 or ttyACM0 on Linux). Wire only GND, adapter RX to target TX and adapter TX to target RX; leave the target's 3.3V pin alone, and make sure the adapter is set to the target's logic level.

Page 26: BSides DFW2016-Hack Mode Enabled

We now have shell! (hopefully)

But now what?

Page 27: BSides DFW2016-Hack Mode Enabled

No Tech hacking

Page 28: BSides DFW2016-Hack Mode Enabled

No Tech hacking(2)

Page 29: BSides DFW2016-Hack Mode Enabled

File System Fiddling

Why is my root an mtdblock?

But wait, what is an mtdblock?

• MTD is a "Memory Technology Device".
• Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed.
• An mtdblock is a block device emulated over an mtd device.

Source: Wikipedia

Page 30: BSides DFW2016-Hack Mode Enabled

File System Fiddling (2)

Often times embedded device manufacturers leave important file systems unmounted. Compare the partitions listed in /proc/mtd against /proc/mounts: anything listed in the first and missing from the second is worth mounting or dumping by hand.

Another good resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS

Page 31: BSides DFW2016-Hack Mode Enabled

Pilfering File SystemsBut, How do we get the file system off of the target device?
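One answer to that question, once the UART shell is there, is to read the flash partitions straight off the mtdblock devices described a few slides back. The script below is an added example written for this page, not the talk's code: it parses a /proc/mtd listing, emits the dd commands to run on the target, identifies what came back from its magic bytes, and catches the dumps that are obviously wrong. SAMPLE_PROC_MTD is constructed to look like a 4 MB NOR layout on a SOHO router; its partition names and sizes are invented, and only the magic numbers are real formats.

```python
"""Read a target's flash layout out of /proc/mtd, plan a dump, sanity-check it.

Added example, not from the talk. SAMPLE_PROC_MTD is constructed to look like a
4 MB NOR layout on a SOHO router; the partition names and sizes are invented.
Only the magic numbers (TRX, uImage, SquashFS, JFFS2, UBI) are real formats.
"""
import hashlib
import re
from typing import List, NamedTuple


class MtdPartition(NamedTuple):
    index: int
    size: int        # bytes
    erasesize: int   # bytes
    name: str


# Constructed listing in the exact format the kernel prints (sizes are hex bytes).
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00020000 00010000 "boot"
mtd1: 003d0000 00010000 "linux"
mtd2: 002a0000 00010000 "rootfs"
mtd3: 00010000 00010000 "nvram"
"""

LINE_RE = re.compile(r'^mtd(\d+):\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+"(.*)"$')


def parse_proc_mtd(text: str) -> List[MtdPartition]:
    """Skip the header line and turn each mtdN line into a partition record."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            parts.append(MtdPartition(int(m.group(1)), int(m.group(2), 16),
                                      int(m.group(3), 16), m.group(4)))
    return parts


def dump_commands(parts: List[MtdPartition], out_dir: str = "/tmp/dump") -> List[str]:
    """One dd per partition through the mtdblock emulation, in whole erase blocks.
    Run these on the target's UART shell (or over SSH) and pull the files off."""
    return [
        f"dd if=/dev/mtdblock{p.index} of={out_dir}/mtd{p.index}_{p.name}.bin "
        f"bs={p.erasesize} count={p.size // p.erasesize}"
        for p in parts
    ]


# Real on-disk magics, in the byte order they appear at offset 0 of a dump.
MAGICS = [
    (b"HDR0", "TRX firmware header (Broadcom)"),
    (b"\x27\x05\x19\x56", "uImage (U-Boot legacy kernel image)"),
    (b"hsqs", "SquashFS, little-endian"),
    (b"sqsh", "SquashFS, big-endian"),
    (b"\x85\x19", "JFFS2, little-endian"),
    (b"\x19\x85", "JFFS2, big-endian"),
    (b"UBI#", "UBI volume container"),
]


def guess_format(blob: bytes) -> str:
    """Identify a dumped partition from its first bytes."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    return "unknown (try binwalk on the whole dump)"


def check_dump(blob: bytes, part: MtdPartition) -> List[str]:
    """Catch the usual bad dumps: short read, all-erased (0xFF) or all-zero data."""
    problems = []
    if len(blob) != part.size:
        problems.append(f"size {len(blob)} != expected {part.size}")
    if blob and blob.count(0xFF) == len(blob):
        problems.append("all 0xFF: erased flash, or the read never reached the chip")
    if blob and blob.count(0) == len(blob):
        problems.append("all 0x00: likely a failed read")
    return problems


def fingerprint(blob: bytes) -> str:
    """Hash each dump so a second read (or a later dump over JTAG) can be compared."""
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    parts = parse_proc_mtd(SAMPLE_PROC_MTD)
    for cmd in dump_commands(parts):
        print(cmd)
    # constructed stand-in for a rootfs dump: a SquashFS magic followed by filler
    fake_rootfs = b"hsqs" + bytes(parts[2].size - 4)
    print(guess_format(fake_rootfs), check_dump(fake_rootfs, parts[2]), fingerprint(fake_rootfs)[:16])
```

In the constructed layout "rootfs" sits inside "linux" (kernel plus root filesystem in one partition, with a sub-partition for the filesystem), which is the typical arrangement on Broadcom-based routers, so the sizes adding up to more than the 4 MB chip is normal rather than a parsing error. Always dump every partition, not just rootfs: the boot loader and nvram partitions are where configuration and credentials tend to live.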

Page 32: BSides DFW2016-Hack Mode Enabled

SSH Whoops?

Page 33: BSides DFW2016-Hack Mode Enabled

Ultra quick JTAG primer

• JTAG stands for Joint Test Action Group, which was formed in 1985.
• The IDCODE and BYPASS registers are often very helpful: IDCODE identifies the chip, BYPASS is the one-bit register every TAP must implement.
• The following pins are required for JTAG use:
  • TDI (Test Data In)
  • TDO (Test Data Out)
  • TCK (Test Clock)
  • TMS (Test Mode Select)
• The TCK pin (Test Clock) is what keeps the clock for the state machine.
• The TMS pin (Test Mode Select) is what determines when and how the state machine advances: its level, sampled on each rising edge of TCK, picks one of the two possible next states.

Source: Wikipedia
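The state machine on the slide is small enough to simulate, and doing so shows two things a practitioner relies on: why five clocks with TMS high always get an unknown TAP into a known state, and how an IDCODE read off TDO breaks down into manufacturer, part and version. The block below is an added example written for this page, not the talk's code and not a vendor tool: the transition table is the IEEE 1149.1 one and the IDCODE layout is the standard one, but the JEP106 manufacturer table is a partial stub to extend, and the sample IDCODE value is one commonly seen on Arm CoreSight debug ports rather than anything from the router in the talk.

```python
"""JTAG TAP state machine walk and IDCODE field decoding.

Added example, not from the talk or any vendor tool: the TAP transition table
is the IEEE 1149.1 one, the IDCODE layout is the standard one, and the small
JEP106 manufacturer table is a partial stub (extend it from the JEP106 list).
No hardware is touched; everything below is pure computation.
"""
from typing import Dict, Iterable, List, NamedTuple, Tuple

# state -> (next state on TMS=0, next state on TMS=1), sampled on each rising TCK edge
TAP: Dict[str, Tuple[str, str]] = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


def walk(state: str, tms_bits: Iterable[int]) -> List[str]:
    """Clock TCK once per TMS bit; return the states visited (start state excluded)."""
    path = []
    for tms in tms_bits:
        state = TAP[state][tms]
        path.append(state)
    return path


def reset_tap(state: str) -> str:
    """Five TCK cycles with TMS high reach Test-Logic-Reset from any state. This is
    how a tool synchronises with a TAP whose current state it does not know."""
    return walk(state, [1] * 5)[-1]


# From Test-Logic-Reset: Idle, Select-DR, Capture-DR, Shift-DR. Reset loads IDCODE
# (if the chip has one) into the DR, so 32 clocks with TMS low then shift it out
# on TDO, LSB first. A chip without IDCODE selects BYPASS, which shifts a 0 first;
# that is why a valid IDCODE always has bit 0 set.
TO_SHIFT_DR = [0, 1, 0, 0]


def shift_dr_bits(tdo_samples: Iterable[int]) -> int:
    """Assemble bits captured on TDO (first bit out is the LSB) into an integer."""
    value = 0
    for i, bit in enumerate(tdo_samples):
        value |= (bit & 1) << i
    return value


# Partial JEP106 stub, keyed by the 11-bit field (continuation count << 7 | code).
JEP106 = {
    0x23B: "Arm Ltd",
    0x049: "Xilinx",
    0x06E: "Altera",
    0x01F: "Atmel",
    0x020: "STMicroelectronics",
}


class IdCode(NamedTuple):
    version: int
    part_number: int
    manufacturer: int
    manufacturer_name: str
    valid: bool


def decode_idcode(idcode: int) -> IdCode:
    """IEEE 1149.1 IDCODE layout: bit 0 fixed at 1, bits 1-11 manufacturer (JEP106),
    bits 12-27 part number, bits 28-31 version. All-ones or all-zeros means TDO is
    stuck or the pinout is wrong, not a real device."""
    valid = (idcode & 1) == 1 and idcode not in (0, 0xFFFFFFFF)
    manufacturer = (idcode >> 1) & 0x7FF
    return IdCode(
        version=(idcode >> 28) & 0xF,
        part_number=(idcode >> 12) & 0xFFFF,
        manufacturer=manufacturer,
        manufacturer_name=JEP106.get(manufacturer, "unknown"),
        valid=valid,
    )


def split_jep106(manufacturer: int) -> Tuple[int, int]:
    """11-bit manufacturer field -> (continuation count, 7-bit code)."""
    return manufacturer >> 7, manufacturer & 0x7F


if __name__ == "__main__":
    print(reset_tap("Pause-IR"), walk("Test-Logic-Reset", TO_SHIFT_DR))
    sample = 0x4BA00477                      # a common Arm JTAG-DP IDCODE, used as sample input
    bits_on_tdo = [(sample >> i) & 1 for i in range(32)]
    print(decode_idcode(shift_dr_bits(bits_on_tdo)))
```

The decode is also a cheap sanity check on a Jtagulator or OpenOCD result: an IDCODE of 0x00000000 or 0xFFFFFFFF, or one with bit 0 clear, means the pin assignment or the adapter's logic level is wrong, not that the chip has no JTAG.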

Page 34: BSides DFW2016-Hack Mode Enabled

Options for connecting to JTAG

Good: ~$45

Better: $60-$600

Best: $5000-$20000

Page 35: BSides DFW2016-Hack Mode Enabled

Jtagulator

Page 36: BSides DFW2016-Hack Mode Enabled

How to Connect with OpenOCD

The command to start openocd is: openocd -f interface/<adapter>.cfg -f target/<chip>.cfg (both paths are relative to OpenOCD's scripts directory; the interface file describes the adapter, such as a Bus Pirate or FT2232-based board, and the target file describes the SoC's TAP).

But now what? There are errors and stuff!!!!!

#openocd on Freenode

Page 37: BSides DFW2016-Hack Mode Enabled

How to Connect with OpenOCD (2)

Silly openocd!

That's more like it :)

Page 38: BSides DFW2016-Hack Mode Enabled

Using OpenOCD

Page 39: BSides DFW2016-Hack Mode Enabled

Reverse Engineering

• IDA Pro
  • Paid version required for disassembly
  • ARM decompiler available but $$$$
  • Also a very good debugger

• Radare2
  • Free, multiplatform support
  • No decompiler available

• Binary Ninja
  • Free version available
  • Very limited architecture support
  • Not currently an option for this type of work, but something to keep in mind.

Page 40: BSides DFW2016-Hack Mode Enabled

IDA Pro

Page 41: BSides DFW2016-Hack Mode Enabled

Radare2

Page 42: BSides DFW2016-Hack Mode Enabled

Other nice to haves

Page 43: BSides DFW2016-Hack Mode Enabled

• http://www.grandideastudio.com/hardware-hacking-training/
• http://www.xipiter.com/training.html
• https://www.eevblog.com
• http://www.embedded.com/electronics-blogs/beginner-s-corner/

Page 44: BSides DFW2016-Hack Mode Enabled

THANK YOU!!!!

ANY MORE QUESTIONS?

