HydraBus An Open Source Platform HydraBus/HydraFW GitHub Hardware - - PowerPoint PPT Presentation
HydraBus An Open Source Platform HydraBus/HydraFW GitHub Hardware / Schematics on GitHub (format Eagle 6.x/7.x) https://github.com/hydrabus/hydrabus License CC-BY-NC Firmware HydraFW Wiki on GitHub
– https://github.com/hydrabus/hydrabus – License CC-BY-NC
– https://github.com/hydrabus/hydrafw/wiki – Apache License
hardware (support also hw extensions like HydraNFC/HydraFlash...)
fast signals (Serial/Parallel...)
consumption < 100mA (less than 2mA with low power mode)
–
"Speak" with electronic device/chipset
–
"Spy" (MITM) electronic device (SPI/UART/CAN Bus...)
–
"Analyze" signals (analog or digital) with the help of SUMP protocol and open source software like sigrok / PulseView
–
"Reverse engineering" electronic device (IoT ...)
show system/memory/threads
mount/umount, erase, cd <dir>, pwd, ls [opt dir], test_perf, cat <filename>, hd <filename>, rm <filename>, mkdir <filename>, script <filename>
Flash (HydraFlash), NFC (HydraNFC)
–
[ Start (for SPI, I2C means Enable Chip Select)
–
] Stop (for SPI, I2C means Disable Chip Select)
–
: Repeat (e.g. r:10)
–
& DELAY us (support optional repeat :)
–
% DELAY ms (support optional repeat :)
–
123 0x12 0b110 "hello" Write 8bits val/string (support optional repeat :)
–
r Read or hd HexDump (support optional repeat :)
–
During a blocking read or write which wait for data(for example Slave mode) you can abort the wait by pressing HydraBus UBTN, else you can also wait timeout which is about 10s.
–
Example: HexDump of an SPI EEPROM: [ 0b11 0 hd:32 ]
firmware
– Main source of vulnerabilities found there
– Firmware update can be encrypted
– Serial console or debugging interfaces
in the process
– Read their serial number,
search for datasheets
– « ADSL2+ processor for residential gateways » – MIPS architecture – No flash memory
– SPI EEPROM
– Memory array – Data is stored even if the chip is not powered – Used to store data
– SCLK (Clock) – MISO (Master In/Slave Out) – MOSI (Master Out/Slave In) – SS (Slave Select)
pinout
SPI pins
– show pins
– Either wires, hooks or clip
http://www.datasheetlib.com/datasheet/374450/25q16bvsig_winbond-electronic.html
correct read command.
> s p i D e v i c e : S P I 1 G P I O r e s i s t
: f l
t i n g M
e : m a s t e r F r e q u e n c y : 3 2 k h z ( 6 5 k h z , 1 . 3 1 m h z , 2 . 6 2 m h z , 5 . 2 5 m h z , 1 . 5 m h z , 2 1 m h z , 4 2 m h z ) P
a r i t y : P h a s e : B i t
d e r : M S B f i r s t s p i 1 > [ x 3 x : 3 h d : 1 6 ] / C S E N A B L E D W R I T E : x 3 x x x 8 2 5 1 2 5 1 8 2 5 2 2 5 | . . . % . . . % . . . % . . % / C S D I S A B L E D s p i 1 >
http://www.datasheetlib.com/datasheet/374450/25q16bvsig_winbond-electronic.html
prove that everything is working
dumps the whole EEPROM in a file
i m p
t s e r i a l i m p
t s t r u c t s e r = s e r i a l . S e r i a l ( ' / d e v / h y d r a b u s ' , 1 1 5 2 ) f
i i n x r a n g e ( 2 ) : s e r . w r i t e ( " \ x " ) i f " B B I O 1 " n
i n s e r . r e a d ( 5 ) : p r i n t " C
l d n
g e t i n t
b I O m
e " Q u i t ( ) s e r . w r i t e ( ' \ x 1 ' ) i f " S P I 1 " n
i n s e r . r e a d ( 4 ) : p r i n t " C a n n
s e t S P I m
e " q u i t ( ) a d d r = b u f f = ' ' p r i n t " R e a d i n g d a t a " w h i l e ( a d d r < 4 9 6 * s i z e ) : s e r . w r i t e ( ' \ x 4 \ x \ x 4 \ x 1 \ x ' ) s e r . w r i t e ( ' \ x 3 ' ) s e r . w r i t e ( s t r u c t . p a c k ( ' > L ' , a d d r ) [ 1 : ] ) s e r . r e a d ( 1 ) b u f f + = s e r . r e a d ( 4 9 6 ) a d d r + = 4 9 6 p r i n t " " e n d = t i m e . t i m e ( )
t =
e n ( ' / t m p / i m a g e . b i n ' , ' w ' )
t . w r i t e ( b u f f )
t . c l
e ( )
$ s t r i n g s i m a g e . b i n [ . . . ] A T H E p r i n t h e l p A T B A x c h a n g e b a u d r a t e . 1 : 3 8 . 4 k , 2 : 1 9 . 2 k , 3 : 9 . 6 k 4 : 5 7 . 6 k 5 : 1 1 5 . 2 k A T E N x , ( y ) s e t B
E x t e n s i
D e b u g F l a g ( y = p a s s w
d ) A T S E s h
t h e s e e d
p a s s w
d g e n e r a t
A T T I ( h , m , s ) c h a n g e s y s t e m t i m e t
r : m i n : s e c
s h
c u r r e n t t i m e A T D A ( y , m , d ) c h a n g e s y s t e m d a t e t
e a r / m
t h / d a y
s h
c u r r e n t d a t e A T D S d u m p R A S s t a c k A T D T d u m p B
M
u l e C
m
A r e a A T D U x , y d u m p m e m
y c
t e n t s f r
a d d r e s s x f
l e n g t h y [ . . . ]
visible, but we don’t know what they are used for
– Labelled RX1 / TX1
function
– Only logic states
software
– Decodes logic signals to
values
– Capture start can be triggered
– Requires experience / tests to recognize the protocols
– In UART mode, use the bridge command
– https://github.com/hydrabus/rhme-2016/blob/master/Other/Whac
kTheMole.md
– This challenge ask for a password so the idea was
– https://github.com/hydrabus/rhme-2016/blob/maste
Glitch on the Arduino board in order to skip/jump over the check and display the flag
–
Results with HydraBus + Custom Board with MOSFET
–
Please write your password: gpio glitch trigger PB0 pin PC15 length 100 offsets 191200 Good try, cheater!^M Chip locked^M
–
Please write your password: gpio glitch trigger PB0 pin PC15 length 100 offsets 191300 Chip unlocked^M Your flag is: 02ab16ab3729fb2c2ec313e4669d319e
– https://github.com/hydrabus/rhme-2016/blob/master/FaultInjecti
– Uses custom debugging protocol – No ccDebugger at hand at that time
website
– Clock / Data – Master drives the clock – Data channel is bidirectional
http://www.ti.com/lit/an/swra410/swra410.pdf
dump its flash memory
– Read UID NFC Vicinity/ISO15693 and Mifare – Read Data on Mifare UL – Emulation ISO14443A/Mifare UL/Classic (Alpha) – Sniffer ISO14443A with unique hard real-time infinite trace mode (requires
FTDI external hw & PC with hydratool sw)
– Autonomous sniffer ISO14443A (Mifare ...) include data from TAG &
READER (data saved in microSD)
– HydraFW HydraNFC online guide see:
UART FTDI C32HM-DDHSL-0 to HydraBus connection:
NAND chips
– Found in more and more
devices
the MCU
– Uses GPIO in bitbang mode
handle commands
–
Some manufacturers use different commands
–
Already manages OOB
speeds
–
~200KB/s on test chip
$ p y t h
2 D u m p F l a s h . p y
/ d e v / h y d r a b u s
I n t
B I O m
e S w i t c h i n g t
l a s h m
e S e t t i n g c h i p e n a b l e F u l l I D : A D 7 3 A D 7 3 A D 7 3 I D L e n g t h : 6 N a m e : N A N D 1 6 M i B 3 , 3 V 8
i t I D : x 7 3 P a g e s i z e : x 2 O O B s i z e : x 1 P a g e c
n t : x 8 S i z e : x 1 E r a s e s i z e : x 4 B l
k c
n t : 1 2 4 O p t i
s : A d d r e s s c y c l e : 3 B i t s p e r C e l l : 4 M a n u f a c t u r e r : H y n i x
eBay
information :(
$ s t r i n g s / t m p / d u m p [ . . . ] M e d i a i s w r i t e
r
e c t e d ! F C U f a i l e d
E C C / C R C e r r
! F C U g e n e r a l e r r
! F C U % s t i m e d
t ! B u r s t ' C
y r i g h t ( c ) 1 9 9 6
4 E x p r e s s L
i c I n c . * F i l e X L X 4 1 8 / G r e e n H i l l s V e r s i
G 3 . 1 a . 3 . 1 a * / h
e / s a n d b
/ s d e / l i b / c / t i m e /
f t i m e . c / h
e / s a n d b
/ s d e / l i b / c / t i m e / t z f i l e . h # # # B a t t e r y _ C h e c k : b y P
e r O n L e v e l A f t e r D u m m y = % B a t t e r y _ C h e c k : N i M H B a t t e r y = = = = = = = = = = = = = = = = B a t t e r y _ C h e c k : B E F O R E L E N S M O V E B a t t e r y _ C h e c k : s B a t t e r y . b y L e v e l < B A T _ N O _ M O V E _ L E N S _ L E V E L [ . . . ]
LIN buses communication
– Mostly found in automotive
– Still alive ;-)
implemented and working
underway
– Able to use all utilities
provided by can-utils
– Python 3.x for microcontrollers – Official support – http://micropython.org
– JTAG/SWD probe / GDB server – Official support – https://github.com/blacksphere/blackmagic
– Frequency measurement – Hexdump mode – 1-wire mode – AVR programming – NAND Flash support – Hex escapes – ...
– Will be the first stable version – Some modes need to be added to provide full set of features
– I2c – [1,2,3]-wire
– HydraFW hackathon
– Test Hydrabus on practice targets – Learn signal analysis – Get yours !
and makers for quick prototyping and development
– Security conference – Yverdon, Switzerland – November 2017 – CFP open until 31.07.2017