mathew rowley
play

Mathew Rowley How many bricks does it take to crack a microcell? - PowerPoint PPT Presentation

Feb 15, 2023 •196 likes •1.17k views

Mathew Rowley How many bricks does it take to crack a microcell? http://67.219.122.21/blackhat2012/ Thursday, July 26, 12 Mathew Rowley @wuntee I hate hearing peoples backgrounds... But this is an exception. Senior Security Consultant

  1. Mathew Rowley How many bricks does it take to crack a microcell? http://67.219.122.21/blackhat2012/ Thursday, July 26, 12

  2. Mathew Rowley @wuntee • I hate hearing peoples backgrounds... But this is an exception. • Senior Security Consultant at Matasano Security • Computer science background - aka software guy • This talk is is a hardware -> software talk Thursday, July 26, 12

  3. agenda my epic battle... • Focus on different aspects of reversing, not GSM/3G • Device background • wuntee vs the network • wuntee vs the cage • wuntee vs hardware • debug pins, SPI, JTAG, Serial • wuntee vs software • UBoot, Kernel, Firmware Thursday, July 26, 12

  4. how does the device work? • Everyone know what a microcell is? • Web based interface to provision phone numbers that can connect to the device • Configuration somehow pushed to microcell • Only those phone numbers can connect Thursday, July 26, 12

  5. Why? • Dear Mathew, our cell service sucks - heres something for free that can do cool things • Was working at Interpidus Group - focus on mobile security • I do not know much about hardware stuff - have always wanted to learn Thursday, July 26, 12

  6. wuntee vs the network round 1 Thursday, July 26, 12

  7. network communication • Routed all traffic through a server running DHCP • tcpdump shows • HTTPS traffic • IPSec tunnel • Multicast stuff • MITM with Mallory? Thursday, July 26, 12

  8. in the 1st round, with a TKO, the winner is.... the network Thursday, July 26, 12

  9. wuntee vs the cage round 1 Thursday, July 26, 12

  10. disassembly • 2 screws under the bottom orange part • Orange part comes off • Two side panels come off • Single board connected to the grey portion • Rip them all off!! • Can I boot? Thursday, July 26, 12

  11. Thursday, July 26, 12

  12. in the 1st round ‘the cage’ knocks wuntee down with a stiff brick to the face, but the battle is not finished... Thursday, July 26, 12

  13. wuntee’s corner convincing customer service they are still ok to fight... Thursday, July 26, 12

  14. Thursday, July 26, 12

  15. wuntee vs the cage round 2 Thursday, July 26, 12

  16. Thursday, July 26, 12

  17. disassembly: wuntee vs Microcell round 2 • Went to Home Depot and purchased a thin saw • Removed bottom orange part • Sawed through the things attaching the jumpers • Removed outer cage • Powered on just fine Thursday, July 26, 12

  18. wuntee utilized the saw to successfully dismantle ‘the cage’ winner wuntee Thursday, July 26, 12

  19. Thursday, July 26, 12

  20. debug pins • C541 • JP1, JP2, JP5, JP6 • PL1 • PL2 Thursday, July 26, 12

  21. wuntee vs debug pins round 1 - CS541 Thursday, July 26, 12

  22. • Saleae Logic Analyzer 16 • Ability to monitor pins on a board • Samples at specific rate/time frame • Auto analysis • Workflow 1. Multimeter to determine ground and that Saleae wont blow up 2. Plug pins to analyzer and sample at high rate 3. Start the Logic software and plug in the device 4. Stop analyzer after you think some data has been transfered 5. Attempt to “Analyze” Thursday, July 26, 12

  23. Thursday, July 26, 12

  24. Thursday, July 26, 12

  25. DATA! Export the “analyzed” data to CSV, import to Excel, copy/paste into vi and manipulate '255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255 ''255''255''255''255''160''162''0'0'221'$GPGGA232354.755000M0.0M0000*50 '239''176''179''160''162''0'?'221'$GPGSV31112064283065104216483003243018*71 '12''209''176''179''160''162''0'?'221'$GPGSV32111940071033635223361791117325*79 '12''227''176''179''160''162''0'4'221'$GPGSV3311251023731081380702261*49 '192''176''179''160''162''0'*'221'$GPRMC232354.755V150612N*4A '21''176''179''255''255''255''255''255''255''255''255''255''255''255''255''255' '255''255''255''255''255''255''255''160''162''0''2''2''16''0''18''176''179''255 ''255''255''255''255''255''255''255''255''255''255''255''255''255''255''255''25 5''255''255''255''160''162''0'0'221'$GPGGA232359.736000M0.0M0000*58 '251''176''179''160''162''0'?'221'$GPGSV31112064283065104216483003243018*71 '12''209''176''179''160''162''0'?'221'$GPGSV32111940071033635223361791117325*79 '12''227''176''179''160''162''0'4'221'$GPGSV3311251023731081380702261*49 '192''176''179''160''162''0'*'221'$GPRMC232359.736V150612N*42 Thursday, July 26, 12

  26. “$GPGSV32111” • Google? • Just GPS related data • Nothing of interest to me • Could remove GPS chip and send the correct data to spoof location? Thursday, July 26, 12

  27. wuntee vs debug pins round 1 draw Thursday, July 26, 12

  28. wuntee vs debug pins round 2 - JP1 Thursday, July 26, 12

  29. round 2 • Same workflow as before, hope for the best... Thursday, July 26, 12

  30. JP1 CS541 Thursday, July 26, 12

  31. Thursday, July 26, 12

  32. wuntee vs debug pins round 2 - JP1 point wuntee Thursday, July 26, 12

  33. wuntee vs debug pins round 3: JP2, JP5, JP6 Thursday, July 26, 12

  34. wuntee vs debug pins round 3: JP2, JP5, JP6 draw.... no show Thursday, July 26, 12

  35. wuntee vs debug pins round 4 - PL2 Thursday, July 26, 12

  36. Something different... 3 pins of data? Thursday, July 26, 12

  37. SPI • Up to 100MHz - must increase sample rate • Master/slave with multiple slaves • Four lines • MOSI – Output • MISO – Input • Enable/Slave Select – Determine which slave the master is talking to • Clock – Not like your typical metronome clock, but will be explained in the next point • The clock operates in one of two modes, called CHPA, where the data on one of the lines (MOSI, or MISO) is “read” when the clock is changing from low to high, or high to low. So, if it’s set up on low to high, when you see the line on the clock go from bottom to top, that is when the MOSI and MISO lines are read. Thursday, July 26, 12

  38. Thursday, July 26, 12

  39. wuntee vs debug pins round 4 - PL2 point debug pins Thursday, July 26, 12

  40. wuntee vs debug pins round 5 - PL1 Thursday, July 26, 12

  41. PL1 • No data seen with logic analyzer • However, these 7x2 pins “scream JTAG” Thursday, July 26, 12

  42. what is jtag? • Allowed me to dump and update firmware on SurfBoard modems? • Standard for hardware developers the ability do debug chips that have already been placed on a board. Thursday, July 26, 12

  43. jtag • JTAG pins, on their own, do not send any data. AKA – you will not see anything if you only have a logic analyzer connected • The cable provides the clock signal to the board (presumably that’s why there is no data on the pins on their own) • There are 5 pins that must be connected in order to communicate with a device (VREF, TMS, TCK, TDO, TDI) • Multiple chips can be “daisy chained” together. Meaning one JTAG plug/pin-out can communicate with multiple chips on a board • Each chip that is connected in a JTAG chain is called a TAP Thursday, July 26, 12

  44. first... hardware/software • Olimex ARM-USB-OCD-H • Docs have JTAG pinout • OpenOCD • Open source • Supports Olimex cable • Ability to auto-discover TAPs • Can reliably find TAP ID • Unreliably find IRLEN Thursday, July 26, 12

  45. then... pinout discovery workflow 1. If there is data on the pins, then its not JTAG 2. If there is a known configuration for the pins, plug the JTAG up accordingly (as well as the 180 degree flip version as we do not know which is PIN0) 3. Power the device 4. Start OpenOCD software. If it can discover TAPs, then you have a JTAG port Thursday, July 26, 12

  46. Thursday, July 26, 12

  47. Thursday, July 26, 12

  48. $ sudo ./openocd -f wuntee.cfg Open On-Chip Debugger 0.5.0 (2012-07-02-13:56) Licensed under GNU GPL v2 For bug reports, read http://openocd.berlios.de/doc/doxygen/bugs.html Info : only one transport option; autoselect 'jtag' 3000 kHz trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain RCLK - adaptive Info : device: 6 "2232H" Info : deviceID: 364511275 Info : SerialNumber: OLUTHMH9A Info : Description: Olimex OpenOCD JTAG ARM-USB-OCD-H A Info : max TCK change to: 30000 kHz Info : RCLK (adaptive clock speed) Warn : There are no enabled taps. AUTO PROBING MIGHT NOT WORK!! Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -expected-id 0x02220093 ..." Warn : AUTO auto0.tap - use "... -irlen 2" Error: IR capture error at bit 2, saw 0x3FFFFFFFFFFFFFF5 not 0x...3 Warn : Bypassing JTAG setup events due to errors Warn : gdb services need one or more targets defined Thursday, July 26, 12

  49. next step... configure TAP • Googling the expected-id reveals this is the Xilinx chip • OpenOCD TAP configuration needs: • expected-id • irlen • ircapture • irmask • BSDL • Configuration file defining how to communicate via JTAG to a specific chip • Xilinx provides for each chip version Thursday, July 26, 12

  50. ... attribute INSTRUCTION_LENGTH of XC3S400_BARE : entity is 6; ... attribute INSTRUCTION_CAPTURE of XC3S400_BARE : entity is -- Bit 5 is 1 when DONE is released (part of startup sequence) -- Bit 4 is 1 if house-cleaning is complete -- Bit 3 is ISC_Enabled -- Bit 2 is ISC_Done "XXXX01"; ... Thursday, July 26, 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WHY EVERYONE NEEDS A DROPS PREVENTION PROGRAM Presented by Mathew Moreau, Product Manager -

WHY EVERYONE NEEDS A DROPS PREVENTION PROGRAM Presented by Mathew Moreau, Product Manager -

WHY EVERYONE NEEDS A DROPS PREVENTION PROGRAM Presented by Mathew Moreau, Product Manager - Dropped Tool & FME Sponsored by TODAYS PRESENTER Mathew Moreau, Product Manager, Pure Safety Group Mathew Moreau has been involved in

490 views • 36 slides
ND Software Integration Update Mathew Muether Mathew.Muether@wichita.edu August 12, 2019 ND

ND Software Integration Update Mathew Muether Mathew.Muether@wichita.edu August 12, 2019 ND

ND Software Integration Update Mathew Muether Mathew.Muether@wichita.edu August 12, 2019 ND Workshop Summary We held a workshop on ND SW integration on July 24 th https://indico.fnal.gov/event/21249/other-view?view=standard The goal

366 views • 10 slides
Accessibility in the L A T EX kernel experiments in tagged PDF Chris Rowley Ulrike Fischer

Accessibility in the L A T EX kernel experiments in tagged PDF Chris Rowley Ulrike Fischer

Accessibility in the L A T EX kernel experiments in tagged PDF Chris Rowley Ulrike Fischer L A T EX3 Team August 2019, TUG Meeting Palo Alto, USA Accessibility in the L A T EX kernel experiments in tagged PDF Chris Rowley,

722 views • 15 slides
A L A N D . R O S C O E , P . E . , B C E E 19 Stoney Brook Road Rowley, MA 01969 (978)

A L A N D . R O S C O E , P . E . , B C E E 19 Stoney Brook Road Rowley, MA 01969 (978)

A L A N D . R O S C O E , P . E . , B C E E 19 Stoney Brook Road Rowley, MA 01969 (978) 948-2682 roscoe.alan@gmail.com Civil/Environmental Engineer with over thirty years of experience in a wide range of planning and civil design

416 views • 10 slides
M O R E A B O U T M A T H E W MATHEW MATTILA | MORTGAGE BROKER With a lifelong history in the

M O R E A B O U T M A T H E W MATHEW MATTILA | MORTGAGE BROKER With a lifelong history in the

M O R E A B O U T M A T H E W MATHEW MATTILA | MORTGAGE BROKER With a lifelong history in the mortgage industry and more than a decade of certified experience, Mathew Mattila is a leading force of the team at Cascade Northern Mortgage. With an

119 views • 9 slides
CF2 Instrumentation Jim Buckley for the CF2 working group M. Cahill-Rowley, R. Cotta, A.

CF2 Instrumentation Jim Buckley for the CF2 working group M. Cahill-Rowley, R. Cotta, A.

CF2 Instrumentation Jim Buckley for the CF2 working group M. Cahill-Rowley, R. Cotta, A. Drlica-Wagner, S. Funk, J. Hewett, A. Ismail, T. Rizzo and M. Wood (SLAC and Irvine Particle Theory groups) Direct and Indirect Detection

666 views • 34 slides
Academies information sharing Ana Rowley Academy Conversion Team Manager, KCC How did we get

Academies information sharing Ana Rowley Academy Conversion Team Manager, KCC How did we get

Academies information sharing Ana Rowley Academy Conversion Team Manager, KCC How did we get here (and what happens next) ? current policy position and its evolution over time how to consider the strategic future options for your

801 views • 45 slides
Chlo Marshall Chlo Marshall, PhD Acknowledgements Kathryn Mason Katherine Rowley

Chlo Marshall Chlo Marshall, PhD Acknowledgements Kathryn Mason Katherine Rowley

Developmental language disorder in deaf children: Implications for teaching Chlo Marshall Chlo Marshall, PhD Acknowledgements Kathryn Mason Katherine Rowley Ros Herman Joanna Atkinson Gary Morgan Bencie Woll The

872 views • 31 slides
International Shipbuilding Policy: The Shipowners Perspective Emily Rowley Adviser

International Shipbuilding Policy: The Shipowners Perspective Emily Rowley Adviser

OECD WP6 Special Session on Market Distorting Factors International Shipbuilding Policy: The Shipowners Perspective Emily Rowley Adviser International Chamber of Shipping What is ICS? Principal international trade association for

357 views • 13 slides
Preserving Pharmaceutical Products: Patrick Cro rowley Pharmaceutical Products Modes of

Preserving Pharmaceutical Products: Patrick Cro rowley Pharmaceutical Products Modes of

Preserving Pharmaceutical Products: Patrick Cro rowley Pharmaceutical Products Modes of administration vary Oral Injection or infusion (parenteral) Inhalation (oral Intranasal Applied to skin (topical) -

910 views • 22 slides
FORD UNIVERSITY Stuart Rowley FORD UNIVERSITY Agenda for todays discussion: Warranty

FORD UNIVERSITY Stuart Rowley FORD UNIVERSITY Agenda for todays discussion: Warranty

March 13, 2015 Vice President and Controller FORD UNIVERSITY Stuart Rowley FORD UNIVERSITY Agenda for todays discussion: Warranty Reserves China JV Equity Earnings Venezuela Accounting Change Cash Drivers -- Working Capital

551 views • 33 slides
MMM Training Solutions Presentation Skills Training Contact Details Pramila.mathew@ mmmts.com

MMM Training Solutions Presentation Skills Training Contact Details Pramila.mathew@ mmmts.com

MMM Training Solutions Presentation Skills Training Contact Details Pramila.mathew@ mmmts.com Email: Pramila Mathew, Phone: +91-98409 88449 Contact: Overview: Excellent presentation skills give you a platform to demonstrate your

209 views • 5 slides
Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik)

Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik)

Demystifying the Secure Enclave Processor Tarjei Mandt (@kernelpool) Mathew Solnik (@msolnik) David Wang (@planetbeing) About Us Tarjei Mandt Senior Security Researcher, Azimuth Security tm@azimuthsecurity.com Mathew Solnik

1.51k views • 95 slides
New Adventures in PKI May 30, 2014 Jeremy Rowley DigiCert, Inc. Overview Deprecation of

New Adventures in PKI May 30, 2014 Jeremy Rowley DigiCert, Inc. Overview Deprecation of

Direct Exchange 101 New Adventures in PKI May 30, 2014 Jeremy Rowley DigiCert, Inc. Overview Deprecation of SHA-1 Certificate Transparency (CT) Certificate Lifecycles Internal Name Deprecation Certificate Authority

280 views • 13 slides
Labor Market Information Statewide Workforce Development Board July 2019 Mathew Barewicz

Labor Market Information Statewide Workforce Development Board July 2019 Mathew Barewicz

Labor Market Information Statewide Workforce Development Board July 2019 Mathew Barewicz Economic & Labor Market Information Division Vermont Department of Labor 802.828.4153 Mathew.Barewicz@vermont.gov Agenda Introduction Update

799 views • 27 slides
Indian Ocean Roxy Roxy Mat Mathew Koll oll Indian Institute of Tropical Meteorology, Pune

Indian Ocean Roxy Roxy Mat Mathew Koll oll Indian Institute of Tropical Meteorology, Pune

Advanced School on Earth System Modelling & Workshop on Climate Change and Regional Impacts over South Asia 1. Modeling Ocean Biogeochemistry 2. IITM-ESM and biophysical feedbacks in the Indian Ocean Roxy Roxy Mat Mathew Koll oll Indian

1.23k views • 26 slides
Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure

Module 11: File-System Interface File Concept Access :Methods Directory Structure Protection Consistency Semantics Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts 11.1 File Concept Contiguous

755 views • 50 slides
HW/SW Co-designed Processors : Challenges, Design Choices and a Simulation Infrastructure for

HW/SW Co-designed Processors : Challenges, Design Choices and a Simulation Infrastructure for

HW/SW Co-designed Processors : Challenges, Design Choices and a Simulation Infrastructure for Evaluation Rakesh Kumar 1 , Jos Cano 1 , Aleksandar Brankovic 2 , Demos Pavlou 3 , Kyriakos Stavrou 3 , Enric Gibert 4 , Alejandro Martnez 5 ,

1.22k views • 36 slides
CS307&CS356: Operating Systems Dept. of Computer Science & Engineering Chentao Wu

CS307&CS356: Operating Systems Dept. of Computer Science & Engineering Chentao Wu

CS307&CS356: Operating Systems Dept. of Computer Science & Engineering Chentao Wu wuct@cs.sjtu.edu.cn Download lectures ftp://public.sjtu.edu.cn User: wuct Password: wuct123456 http://www.cs.sjtu.edu.cn/~wuct/os/ Chapter

846 views • 51 slides
A Gentle Introduction to IoT Protocols: MQTT, CoAP, HTTP & WebSockets Antonio Almeida and

A Gentle Introduction to IoT Protocols: MQTT, CoAP, HTTP & WebSockets Antonio Almeida and

A Gentle Introduction to IoT Protocols: MQTT, CoAP, HTTP & WebSockets Antonio Almeida and Jaime Gonzlez-Arintero June 14, 2017 Warning: we'll go fast! Visionaries >_ On-line Man-Computer Communication, 1962 Visionaries >_ The

665 views • 65 slides
Good morning.. My name is Simon Howlett, Product Development Director at Workiva, and welcome to

Good morning.. My name is Simon Howlett, Product Development Director at Workiva, and welcome to

Good morning.. My name is Simon Howlett, Product Development Director at Workiva, and welcome to TestOps in a DevOps world where Ill be talking a little about integrating your automated testing workflow and resources alongside a devOps

1.15k views • 45 slides
SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection

SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection

SoC Design Lecture 10: On-Chip Interconnection Networks Lecture 10: On Chip Interconnection Networks Shaahin Hessabi Department of Computer Engineering g g Sharif University of Technology Signal Transmission on SoC We focus on global wires

800 views • 66 slides
CANANALYZE A PYTHON FRAMEWORK SSTIC 2020 ERWAN LE-DISEZ & ETIENNE CHARRON / 2020 Renault

CANANALYZE A PYTHON FRAMEWORK SSTIC 2020 ERWAN LE-DISEZ & ETIENNE CHARRON / 2020 Renault

CANANALYZE A PYTHON FRAMEWORK SSTIC 2020 ERWAN LE-DISEZ & ETIENNE CHARRON / 2020 Renault ABOUT US Etienne CHARRON Erwan LE DISEZ Intruder Cyber Security specialist Erwan LE-DISEZ & Etienne CHARRON / 2020 Renault AGENDA # CONTEXT

691 views • 28 slides
Chapters 8 (partial coverage) 1 Interfacing Processors and Peripherals I/O Design affected

Chapters 8 (partial coverage) 1 Interfacing Processors and Peripherals I/O Design affected

Chapters 8 (partial coverage) 1 Interfacing Processors and Peripherals I/O Design affected by many factors (expandability, resilience) Performance is complex: access latency throughput connection between devices and the

602 views • 29 slides

More recommend