building tools for hacking deeply embedded systems
play

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed - PowerPoint PPT Presentation

Jul 18, 2023 •158 likes •902 views

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July, 2010 Sunday, July 25, 2010 Brief Introduction 8, 16-bit Embedded Systems No operating system, no symbol table, etc. Very different

  1. Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montréal -- 11 July, 2010 Sunday, July 25, 2010

  2. Brief Introduction ✤ 8, 16-bit Embedded Systems ✤ No operating system, no symbol table, etc. ✤ Very different access controls. ✤ Low-power Radios ✤ 0 dBm, small payload, no link layer. Sunday, July 25, 2010

  3. Target Hardware ✤ ZigBee, ANT, 802.15.4, etc ✤ Wireless Sensor Networks ✤ Smart Meters ✤ Sports and Medical Equipment Sunday, July 25, 2010

  4. Show of Hands ✤ Soldering? ✤ Intel 8051 or RISC assembly? ✤ Radio? Sunday, July 25, 2010

  5. Sunday, July 25, 2010

  6. Sunday, July 25, 2010

  7. Sunday, July 25, 2010

  8. A Lecture in Parts ✤ Part 1: Sniffing a SPI Bus ✤ Part 2: Reversing a Clicker ✤ Part 3: Sniffing and Injecting a Clicker ✤ Some neat tricks. Sunday, July 25, 2010

  9. The GoodFET ✤ Similar to the Bus Pirate, vendor JTAG devices. ✤ Firmware in C, client in Python. ✤ Implements dozens of protocols ✤ Debugging of 8051, MSP430, ARM. ✤ Reading/Writing of SPI, I2C memory chips. ✤ Radio access to Nordic RF, Chipcon radios. ✤ Cheap/Free Boards Sunday, July 25, 2010

  10. Sunday, July 25, 2010

  11. Part 1: Tapping a SPI Bus Sunday, July 25, 2010

  12. ANT I/O Pins JTAG Radio MCU Sunday, July 25, 2010

  13. Pin Identification 86IJ$8 $'PJ" 678 678 "P 1% ,0 ,2 ,3 ,- "BCD , ,4 JH88 "E!F68E,G 1 ,& JH88 68E1 5 ,5 $OM7 8H88 & ,1 $OM( 8BEI(C 4 ,, JH88 678 - 3 2 0 ,% 9:;.<+=!=>+ 68E%!FJK9"KG B"Q LE"BMN, JH88 LE"BMN1 )??)@A!;)= ! Sunday, July 25, 2010

  14. SPI Bus Pins 86IJ$8 $'PJ" 678 678 "P ✤ SO -- Master In Slave Out 1% ,0 ,2 ,3 ,- ✤ SI -- Master Out Slave In ✤ SCLK -- Clock "BCD , ,4 "E!F68E,G 1 ,& 68E1 5 ,5 8H88 & ,1 Sunday, July 25, 2010

  15. MOSI SCLK MISO Sunday, July 25, 2010

  16. Tap Here Sunday, July 25, 2010

  17. Sunday, July 25, 2010

  18. Sunday, July 25, 2010

  19. Tap Here Sunday, July 25, 2010

  20. Sunday, July 25, 2010

  21. SPI Radio Bus Tap ✤ Sort of like tapping a driver. ✤ Commands vary by chip. ✤ Read/Write Register ✤ TX Packet ✤ RX Packet Sunday, July 25, 2010

  22. SPI Bus Tap Results ✤ Which frequency, modulation, MAC addresses, etc are used. ✤ Enough to packet sniff, usually. ✤ Which AES keys are used. ✤ KEY[0]=98aceb47c26450ee85292d0c8ce55292 ✤ KEY[1]=7b8397ddacac7e429ba6f49cbd2c69b1 ✤ Very useful for channel hopping devices. Sunday, July 25, 2010

  23. Part 2: Reversing a Clicker Sunday, July 25, 2010

  24. Sunday, July 25, 2010

  25. Sunday, July 25, 2010

  26. Sunday, July 25, 2010

  27. Radio+8051 MCU SPI ROM Sunday, July 25, 2010

  28. Dumping Firmware ✤ Chips ✤ nRF24E1G -- 8051 MCU + nRF2401 Radio ✤ 24C32 Boot Rom ✤ Documentation ✤ Datasheets, Reference Design Sunday, July 25, 2010

  29. nRF24E1 ✤ 8051 Microcontroller ✤ More popular than ARM and X86. ✤ Internal nRF2401 Radio ✤ 1Mbps GFSK Radio ✤ 2.4 to 2.5 GHz, 1MHz Channel Spacing ✤ No internal Flash. Boots from external EEPROM. Sunday, July 25, 2010

  30. Radio+8051 MCU SPI ROM Sunday, July 25, 2010

  31. Dumping the 25C32 SPI EEPROM ✤ Serial Peripheral Interface Bus ✤ START, bytes, STOP ✤ Input and Output at the same time. ✤ To read a byte, ✤ TX {0x03, LA, HA, 0x00} ✤ RX {0xFF, 0xFF, 0xFF, byte} Sunday, July 25, 2010

  32. Quick and Dirty 25C32 Driver Sunday, July 25, 2010

  33. EEPROM Basics ✤ Serial Number 15791B, bytes[3,4,5] ✤ Channel at byte[6]. ✤ 8051 code begins at byte[7], loaded to CODE[0]. Sunday, July 25, 2010

  34. nRF24E1 Firmware in IDA ✤ ``goodfet.spi25c dump clicker.hex’’ ✤ Copy all but first 7 bytes to clicker.bin. ✤ Load clicker.bin to CODE memory at 0x0000. Sunday, July 25, 2010

  35. Just 3kB of Code Sunday, July 25, 2010

  36. Identifying Ports, Functions ✤ No operating system. ✤ No function symbol names. ✤ I/O ports do have names. ✤ These names are documented in the datasheet. ✤ Can quickly be imported to IDA. Sunday, July 25, 2010

  37. SPI Exchange Function ✤ mov SPI_DATA, input ✤ while(!READY); ✤ mov output, SPI_DATA Sunday, July 25, 2010

  38. nRF24E1 Internal Arrangement ✤ 8051 MCU ✤ Internal SPI Bus ✤ RADIO register #0x80 Sunday, July 25, 2010

  39. Useful Registers ✤ SPI_DATA, SPICLK, SPI_CNTRL, EXIF ✤ P1 LED Port ✤ P0.0 SPI EEPROM Slave Select ✤ RADIO #0x80 ✤ RADIO.3 is Radio Slave Select ✤ RADIO.7 is Power Up Sunday, July 25, 2010

  40. ✤ Radio SPI ✤ EEPROM SPI ✤ SETB RADIO.3 ✤ CLRB P0.0 ✤ for(...) SPIRXTX(...) ✤ for(...) SPIRXTX(...) ✤ CLRB RADIO.3 ✤ SETB P0.0 Sunday, July 25, 2010

  41. From Registers to Functions Sunday, July 25, 2010

  42. RADIOWRCONFIG ✤ Just a lot of SPIRXTX. ✤ 08 08 00 00 00 00 00 00 00 ✤ (1B) (1C) (1D) ✤ 63 6F ✤ (1A)+1 Sunday, July 25, 2010

  43. Data Width ADR ADR Width CRC LEN Config Channel Sunday, July 25, 2010

  44. RADIOWRCONFIG ✤ Just a lot of SPIRXTX. ✤ Channel at 0x1A ✤ 08 08 00 00 00 00 00 00 00 ✤ MAC at 0x1B, 0x1C, 0x1D ✤ (1B) (1C) (1D) ✤ 4 bytes of data ✤ 63 6F ✤ 1 byte checksum ✤ (1A)+1 Sunday, July 25, 2010

  45. T ransmission ✤ Function takes one byte of input. ✤ Repeated calls to SPITXRX ✤ (1E) (1F) (20) //Destination MAC Address ✤ (1B) (1C) (1D) //Source MAC Address ✤ (input) //Button Code Sunday, July 25, 2010

  46. Destination MAC at 1E, 1F , 20 ✤ MOV 0x1E, #0x12 ✤ DMAC is 0x123456 ✤ MOV 0x1F, #0x34 ✤ Payload length is 4 bytes. ✤ MOV 0x20, #0x56 ✤ One byte checksum. Sunday, July 25, 2010

  47. Part 3: Building a Clicker Sniffer Sunday, July 25, 2010

  48. Sunday, July 25, 2010

  49. Sunday, July 25, 2010

  50. Sunday, July 25, 2010

  51. Next Hope Badge Hardware ✤ Texas Instruments MSP430 Microcontroller ✤ 16-bit RISC, GNU toolchain. ✤ Nordic nRF24L01+ Radio ✤ Radio chain from reference design. ✤ Runs either OpenBeacon or GoodFET Firmware Sunday, July 25, 2010

  52. NHBadge+GoodFET ✤ GoodFET firmware exposes radio by USB. ✤ GoodFET client provides Python libraries for nRF24L01+ Radio. Sunday, July 25, 2010

  53. Radio Settings ✤ 2.441 GHz ✤ 2.481 GHz ✤ 1Mbps GFSK ✤ 2Mbps GFSK ✤ MAC 0x123456 ✤ MAC 0x0102030201 ✤ 4 byte payload, CRC16 ✤ 16 byte payload, CRC8 Sunday, July 25, 2010

  54. GoodFET Python Client ✤ Separate class for most protocols. ✤ Some classes share a hardware module. ✤ SPI EEPROM needs no additional C code Sunday, July 25, 2010

  55. EVERYTHING IS A REGISTER ✤ mov SPI_DATA, DPL ✤ mov DPL, SPI_DATA Sunday, July 25, 2010

  56. Client Driver ✤ GoodFETNRF ✤ poke(register,value); ✤ RF_setfreq(Hz) ✤ RF_setsmac(mac) ✤ RF_setpacketlen(len) Sunday, July 25, 2010

  57. Sunday, July 25, 2010

  58. Other Targets ✤ Toys ✤ Smart Grid ✤ Sports ✤ Medical Sunday, July 25, 2010

  59. Sunday, July 25, 2010

  60. Sunday, July 25, 2010

  61. Sunday, July 25, 2010

  62. Sunday, July 25, 2010

  63. SPECTRUM ANALYZER FIRMWARE BY MIKE OSSMANN Sunday, July 25, 2010

  64. Sunday, July 25, 2010

  65. ANT Protocol ✤ Proprietary LPAN protocol. ✤ Compatible with NHBadge. ✤ Not yet reversed. ✤ (Hardware is waiting at my apartment. :) Sunday, July 25, 2010

  66. Neat T ricks ✤ Vulnerabilities are chip-wise, not application-wise. ✤ Every EM2xx chip exposes full memory to an external debugger. ✤ Every Chipcon 8051 chip exposes RAM to a debugger, but not Flash. ✤ Most ZigBee SEP devices have bad random number generators. ✤ ECMQV exposes private keys when the nonce is recoverable! Sunday, July 25, 2010

  67. Memory Exposure ✤ Access controls exist for protecting CODE, not DATA. ✤ Reprogramming is almost always allowed. ✤ Erase, then dump. RAM and keys will be intact. ✤ goodfet.cc erase ✤ goodfet.cc dumpdata ram.hex 0 0xFFFF Sunday, July 25, 2010

  68. Stack Buffer Overflow Exploits ✤ Standard overflows work, but sometimes RAM is not executable. ✤ Further, the goal of an exploit is often to get code. ✤ No image to work from, just a guess and a crash. ✤ ``Return to ROM’’ like ``Return to LibC’’ ✤ Aurélien Francillon has implemented Return-Oriented-Programming for AVR microcontrollers. Sunday, July 25, 2010

  69. Bus Usurping ✤ 1) Connect a GoodFET to a SPI Bus. ✤ 2) Boot the target device. ✤ 3) Halt the target MCU, leaving radio online. ✤ In the case of application processors (EM260, CC2480), sockets remain open and accessible! Sunday, July 25, 2010

  70. Random Number Generators Sunday, July 25, 2010

  71. Tools ✤ GoodFET for everything. ✤ http://goodfet.sf.net ✤ Next Hope Conference Badge ✤ `Hackers on a Train, eh?’ this Thursday by Amtrak ✤ http://amd.hope.net ✤ Total Phase Beagle for SPI Sniffing. Sunday, July 25, 2010

  72. Conclusions ✤ Deeply Embedded Systems are a lot of fun to hack. ✤ The only impediment is your fear of a soldering iron. ✤ Grab a GoodFET and dump some firmware. ✤ A special thanks to the neighbors at Texas Instruments. Sunday, July 25, 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

KESO An Open-Source Multi-JVM for Deeply Embedded Systems Isabella Thomm, Michael Stilkerich ,

KESO An Open-Source Multi-JVM for Deeply Embedded Systems Isabella Thomm, Michael Stilkerich ,

KESO An Open-Source Multi-JVM for Deeply Embedded Systems Isabella Thomm, Michael Stilkerich , Christian Wawersich, Wolfgang Schrder-Preikschat Department of Computer Science 4 Distributed Systems and Operating Systems Friedrich-Alexander

870 views • 43 slides
Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target brendangates The Target Meriac (2010), Churchill Legacy ICLASS Introduced in 2007 Broken in 2010 Master key on every reader Security

682 views • 44 slides
HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems Design, F. Vahid and T. Givargis) Embedded computing systems definition: Computing systems embedded within electronic devices. Hard to define

396 views • 26 slides
Software for Embedded Systems Galyna Tabunshchyk Prof. Software Tools Department ZNTU, Ukraine

Software for Embedded Systems Galyna Tabunshchyk Prof. Software Tools Department ZNTU, Ukraine

Development of Embedded System Courses with implementation of Innovative Virtual approaches for integration of Research, Education and Production in UA, GE, AM Pilot Teaching Implementation Software for Embedded Systems Galyna Tabunshchyk

397 views • 14 slides
Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

414 views • 20 slides
Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do? Embedded Security Research 2009 RFID MiFare Classic (MFCUK) Click to edit Master text styles https://github.com/nfc-tools/mfcuk Second

1.12k views • 71 slides
Last Time Looked at ColdFire and ARM in depth u Today Tools and toolchains for embedded u

Last Time Looked at ColdFire and ARM in depth u Today Tools and toolchains for embedded u

Last Time Looked at ColdFire and ARM in depth u Today Tools and toolchains for embedded u systems Linkers Programmers Booting an embedded CPU Debuggers JTAG All of this stuff is below the C compiler in

813 views • 31 slides
4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of contents What is an embedded system Examples of research topics Admission Overview of the programme Success rates Master Embedded

814 views • 31 slides
Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

1 ESII: ASIPs_ISEs Design and Architectures for Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems Karlsruhe Institute of Technology, Germany Today: Embedded Processor Platforms ASIPs and Extensible

1.5k views • 89 slides
1 The challenge for this presentation 1. Building an embedded Linux distribution from source is

1 The challenge for this presentation 1. Building an embedded Linux distribution from source is

1 The challenge for this presentation 1. Building an embedded Linux distribution from source is a complex task 2. The Yocto Project is a collection of powerful tools with lots of complexity of their own A word of thanks This presentation is

886 views • 32 slides
interface for an embedded system on a FPGA with Altera tools suite (note: a similar way is

interface for an embedded system on a FPGA with Altera tools suite (note: a similar way is

Embedded Systems &quot;System On Programmable Chip&quot; Design Methodology using QuartusII and SOPC Builder tools Ren Beuchat LAP - EPFL rene.beuchat@epfl.ch 3 Tools suite Goals : to be able to design a programmable interface for an

784 views • 74 slides
Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing. Mohammad. Abdullah Al Faruque Dipl.-Inform. Sebastian Kobbe CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science

847 views • 72 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Trends of RT Embedded Systems

332 views • 10 slides
Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks for semester ECTS: 6.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/networked-embedded-systems Type: Lessons (VU Vorlesung) with

700 views • 20 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

485 views • 27 slides
On the Optimal Delay Amplification Factor of Multi-Hop Relay Channels Dennis Ogbe, Chih-Chun

On the Optimal Delay Amplification Factor of Multi-Hop Relay Channels Dennis Ogbe, Chih-Chun

On the Optimal Delay Amplification Factor of Multi-Hop Relay Channels Dennis Ogbe, Chih-Chun Wang, David J. Love School of Electrical and Computer Engineering Purdue University West Lafayette, Indiana, USA International Symposium on

1.37k views • 85 slides
Stuff New HW on the web later today No lab today Tests graded by Thurs Last Time

Stuff New HW on the web later today No lab today Tests graded by Thurs Last Time

Stuff New HW on the web later today No lab today Tests graded by Thurs Last Time CAN Bus Intro Low-level stuff Frame types Arbitration Filtering Higher-level protocols Today Embedded wireless networking

600 views • 29 slides
SPREAD SPECTRUM PRINCIPLES ECE2526 MOBILE COMMUNICATION Monday, March 9, 2020 CONCERNS IN

SPREAD SPECTRUM PRINCIPLES ECE2526 MOBILE COMMUNICATION Monday, March 9, 2020 CONCERNS IN

SPREAD SPECTRUM PRINCIPLES ECE2526 MOBILE COMMUNICATION Monday, March 9, 2020 CONCERNS IN COMMUNICATION SYSTEM 1. Most focus in communication system study is focused on efficient use of signal energy and bandwidth. 2. There are however

510 views • 24 slides
Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device FOSDEM 2017 2017-02-05, Brussels

Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device FOSDEM 2017 2017-02-05, Brussels

Adding IEEE 802.15.4 and 6LoWPAN to an Embedded Linux Device FOSDEM 2017 2017-02-05, Brussels Stefan Schmidt stefan@osg.samsung.com Samsung Open Source Group Agenda Motivation Linux-wpan Project Hardware Confjguration

768 views • 42 slides
GPRS optimisation and Network visualization Janne Myllyl T-110.456 Topics What do we need

GPRS optimisation and Network visualization Janne Myllyl T-110.456 Topics What do we need

GPRS optimisation and Network visualization Janne Myllyl T-110.456 Topics What do we need to know? Different types of information available Basics of GPRS capacity optimisation Janne Myllyl T-110.456 Planning The network

722 views • 36 slides
Disconnected diagrams with multi-level integration Leonardo Giusti, Tim Harris , Alessandro Nada,

Disconnected diagrams with multi-level integration Leonardo Giusti, Tim Harris , Alessandro Nada,

Disconnected diagrams with multi-level integration Leonardo Giusti, Tim Harris , Alessandro Nada, Stefan Schaefer Lattice 2018, 23.07.18 Outline 1 Motivation 2 Variance reduction for disconnected diagrams 3 Disconnected vector two-point function

455 views • 24 slides
S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks

S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S &amp; P SECURITY &amp; PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
LArG4 Refactoring and other changes Why, how, and various animals Status and plans William

LArG4 Refactoring and other changes Why, how, and various animals Status and plans William

LArG4 Refactoring and other changes Why, how, and various animals Status and plans William Seligman 21-Nov-2017 The idea and concepts for the LArG4 changes primarily come from Hans Wenzel; Im just doing some of the coding. Any errors of

598 views • 27 slides

More recommend