ROM Hacking for Fun, Profit & Infinite Lives
Ulisses Albuquerque
ROM Hacking for Fun, Profit & Infinite lives as presented in Silver Bullet 2012.
1.
ROM Hacking for Fun, Profit & Infinite Lives
Green mushrooms > ASLR bypasses
Presented by: Ulisses Albuquerque, ualbuquerque@trustwave.com
© 2012
2.
Agenda
• DISCLAIMER (in capital letters, no less)
• Quick Intro
• Motivation
• Concepts
• Old-school architectures
• Similarities to embedded systems
• Demo
• …and the infosec in that is where exactly?
• Conclusion
3.
DISCLAIMER
ROM hacking is NOT about Super Mario Bros. 0-day
“ROM hacking is the process of modifying a video game ROM image to alter the game's graphics, dialogue, levels, gameplay, or other elements. This is usually done by technically inclined video game fans to breathe new life into a cherished old game, as a creative outlet, or to make essentially new unofficial games using the old game's engine.”
http://en.wikipedia.org/wiki/ROM_hacking
4.
$ finger @urma
• Coder/security consultant
• Managed security services (full stack)
• Trusted [Virtual] Computing
• Linux device drivers
• Scripting/dynamic language love all around
• C whenever static typing is needed
  – OO is fun, Java/C++ are not
• Breaking stuff is fun, building stuff is funnier, building stuff to break stuff is awesome.
5.
I want to cause chaos, mayhem and global pwnage
Now where should I start..?
Joseph Leeto
6.
Motivation
• TODO
• Buffer overflows
  – Stack overflows
  – Heap overflows
• Architectures
  – x86 (32-bit)
  – x64 (64-bit)
  – ARM (mobile phones)
  – MIPS (gotta pwn those access points)
• Operating systems
  – Win32
  – Linux
  – Mac OS X
7.
Motivation
• TODO (cont.)
• Shellcode writing
  – Obfuscation/mutation
  – Avoiding detection (anti-virus, you know)
• Counter-measures
  – Stack canaries
  – Address Space Layout Randomization (ASLR)
  – Non-executable stacks
  – W^X
• Techniques
  – NOP slides
  – Return-oriented programming (ROP)
  – Return-to-libc
8.
Motivation
9.
Frustration
Finding vulnerabilities in modern software is hard; exploiting them under a modern OS is harder.
10.
Motivation
“Eventually, all the buffer overflow work we’ve been doing will become too hard for the amateur to do.”
(David Aitel, http://www.youtube.com/watch?v=absXDeRtVq0)
11.
Hacking Gamification
Because every nice talk must have a buzzword™
12.
Concepts
• Embedded systems
  – Low-end processors
  – OS-less code
  – Memory mapping and types
  – RAM, ROM, VRAM and everything in between
• Tools
  – Emulators
  – Debuggers
13.
Concepts • Embedded systems
• Systems designed for a specific function, usually inside a larger system
• Hardware/software is restricted to match use case scenarios
• Common use of solid state storage
• Limited I/O interfaces
• Limited to non-existent expandability
14.
Concepts • Low-end processors
• Lack of many modern features
  – No memory management unit (MMU)
  – Single core
  – No superscalar pipeline
  – Narrow address and data buses
  – Limited number of pins
• Limited number of opcodes
• Low clock speeds
15.
Concepts
Zilog Z80
• 8,500 transistors
• 2.5MHz originally, up to 8MHz for later NMOS parts, up to 50MHz (eZ80) today
• Original packaging contains 40 pins
• Nintendo Game Boy (Z80-like Sharp core)
• Sega Master System
• MSX (Gradiente Expert, Sharp Hotbit)
• TRS-80 Model I, III
• Sinclair ZX81, ZX Spectrum (TK90X)
• ColecoVision
• Pac-Man arcade machines
16.
Concepts
MOS 6502
• 3,510 transistors
• 1MHz to 2MHz
• Original packaging contains 40 pins
• Nintendo Entertainment System (NES)
• Commodore VIC-20
• Apple I/II
• Atari 2600 (6507 variant, fewer address pins)
• BBC Micro
17.
Concepts
Intel Core i7 (first generation, LGA 1366)
• 731,000,000 transistors
• 1,366 pins
• Clock speed starts around 2.6GHz
18.
Concepts
P8X32A-Q44 (Parallax Propeller)
• Up to 80MHz
• 44 pins
• 32-bit, 8 “cogs” (processor cores)
• 32KiB RAM, 32KiB ROM built-in
• Used in the DEFCON 20 badge
19.
Concepts • OS-less code
• No abstractions
  – is_button_pressed() = reading the I/O port, checking bits
  – Very straightforward mapping between hardware and the code that uses it (hint: demo)
• No built-in support functions
  – Memory management
  – Scheduler/threading
  – File systems
  – Device drivers in general
20.
Concepts • Memory mapping
• RAM is used for state only
  – Typically small on embedded systems
• Code can be run directly off [EP]ROM
  – Only if directly addressable by the CPU
• Clear separation between behavior (code, read-only) and state (data, read-write)
• Video framebuffer sometimes mapped into the address space
  – Updating the screen can be as simple as writing to memory
• Memory-mapped I/O
  – Reading/writing will trigger I/O on external devices, such as LEDs, sensors and actuators
21.
Concepts • Emulators
• Software simulation of a computer system
  – No need for similarities between the architectures of guest and host systems
• Virtual hardware
  – Hooks for hardware accesses by software running on the guest
  – State inspection
  – State snapshot and restore
• Performance can be an issue
  – Not for old-school hardware (8MHz Z80 versus 3GHz Core i7)
22.
Concepts • Debugger
• Stop, resume and restart code execution
• Inspect data state
  – High-level state, represented by variables in memory
  – Low-level state, represented by CPU registers, the stack and others
• Breakpoints
  – For virtual hardware, the sky is the limit
• Change state during execution
  – “What happens if I increment this value..?”
• Create general chaos and havoc
23.
Case: NES
24.
Case: NES
• 6502-based Ricoh CPU
  – 1.79MHz RP2A03 for NTSC systems
  – 1.66MHz RP2A07 for PAL systems
• Memory
  – 2kB onboard RAM (can be expanded by cartridges)
  – 2kB video RAM (PPU)
  – 256 bytes of Object Attribute Memory (OAM)
  – 28 bytes of palette memory
  – Support for memory mappers for more than 32kB of ROM
• Video
  – 256x240 resolution
  – 48 colors, 6 gray tones
25.
Case: Sega Master System
26.
Case: Sega Master System
• Z80-compatible ~4MHz Sharp LH0080A
• Memory
  – 8kB onboard RAM
  – 16kB of video RAM (TMS9918/9928, not memory mapped)
• Video
  – 256x192 tile-based screen (up to 32x28 tiles)
  – Each tile is 8x8 in 16 colors
27.
Your first ROM hack
Finally, we get to hack something!
Talk is cheap, show me some 6502 opcodes!
28.
Demo: Easy Mode
29.
Demo: Easy Mode
• Game Genie
• Physical proxy between console and cartridge
• Intercepts memory accesses through the address/data buses
• Allows for value freezes with custom parameters
  – E.g., reading $075A in Super Mario Bros. would always return the same value; writing a value would succeed but the value would remain unchanged
• Focus on state (data in RAM) rather than behavior
• Can be used to alter opcodes and parameter values in limited ways
• Supported by emulators
  – Instead of patching the ROM, generate a Game Genie code and use it!
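Added example, not from the talk: a minimal 6502-subset emulator in C whose memory bus can be intercepted the way the Game Genie sits between CPU and cartridge, and which doubles as the debugger watchpoint from the Concepts slides. The "game" program (set lives to 3, then lose a life three times, with a constructed death counter at $0000), the frozen value 3 and the watch counter are all assumptions made for the demo; only the lives address $075A comes from the slide above. The opcode bytes are the real 6502 encodings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a 6502-subset emulator with an interposable memory bus.
 * The program, the $0000 death counter and the freeze value are constructed;
 * $075A is the Super Mario Bros. lives address named on the slide. */

#define LIVES_ADDR 0x075A

typedef struct {
    uint8_t  mem[0x10000];   /* flat 64 KiB address space, RAM and ROM together */
    uint16_t pc;
    uint8_t  a;
    bool     zero;           /* Z flag, the only flag this subset needs */
    bool     halted;
    bool     freeze_on;      /* Game Genie-style value freeze on LIVES_ADDR */
    uint8_t  freeze_val;
    unsigned watch_hits;     /* debugger-style data watchpoint on LIVES_ADDR */
} cpu_t;

/* Every CPU memory access goes through these two hooks, exactly where a
 * bus proxy (or an emulator's cheat engine) gets to interpose. */
static uint8_t bus_read(cpu_t *c, uint16_t addr) {
    if (addr == LIVES_ADDR) c->watch_hits++;
    if (c->freeze_on && addr == LIVES_ADDR) return c->freeze_val;
    return c->mem[addr];
}

static void bus_write(cpu_t *c, uint16_t addr, uint8_t v) {
    if (addr == LIVES_ADDR) c->watch_hits++;
    if (c->freeze_on && addr == LIVES_ADDR) return;  /* write "succeeds", RAM stays as it was */
    c->mem[addr] = v;
}

static uint16_t fetch16(cpu_t *c) {          /* little-endian absolute operand */
    uint8_t lo = bus_read(c, c->pc++);
    uint8_t hi = bus_read(c, c->pc++);
    return (uint16_t)(lo | (hi << 8));
}

/* Execute one instruction. Opcode bytes are the real 6502 encodings. */
static void step(cpu_t *c) {
    uint16_t addr;
    uint8_t v;
    int8_t rel;
    switch (bus_read(c, c->pc++)) {
    case 0xA9: c->a = bus_read(c, c->pc++); c->zero = (c->a == 0); break;                 /* LDA #imm */
    case 0xAD: addr = fetch16(c); c->a = bus_read(c, addr); c->zero = (c->a == 0); break;  /* LDA abs  */
    case 0x8D: addr = fetch16(c); bus_write(c, addr, c->a); break;                         /* STA abs  */
    case 0xCE: addr = fetch16(c); v = (uint8_t)(bus_read(c, addr) - 1);
               bus_write(c, addr, v); c->zero = (v == 0); break;                           /* DEC abs  */
    case 0xD0: rel = (int8_t)bus_read(c, c->pc++);
               if (!c->zero) c->pc = (uint16_t)(c->pc + rel); break;                       /* BNE rel  */
    case 0xF0: rel = (int8_t)bus_read(c, c->pc++);
               if (c->zero) c->pc = (uint16_t)(c->pc + rel); break;                        /* BEQ rel  */
    case 0x4C: c->pc = fetch16(c); break;                                                   /* JMP abs  */
    default:   c->halted = true; break;                     /* BRK (0x00) or anything unimplemented */
    }
}

/* Constructed "game": lives = 3, then lose a life three times and stop. */
static const uint8_t game_rom[] = {
    0xA9, 0x03,        /* 8000  LDA #$03                                   */
    0x8D, 0x5A, 0x07,  /* 8002  STA $075A   lives = 3                      */
    0xA9, 0x03,        /* 8005  LDA #$03                                   */
    0x8D, 0x00, 0x00,  /* 8007  STA $0000   deaths left = 3 (constructed)  */
    0xCE, 0x5A, 0x07,  /* 800A  DEC $075A   lose a life                    */
    0xCE, 0x00, 0x00,  /* 800D  DEC $0000                                  */
    0xD0, 0xF8,        /* 8010  BNE $800A   loop until three deaths        */
    0x00,              /* 8012  BRK         game over                      */
};

static void run_game(cpu_t *c, bool freeze) {
    memset(c, 0, sizeof *c);
    memcpy(&c->mem[0x8000], game_rom, sizeof game_rom);
    c->pc = 0x8000;
    c->freeze_on = freeze;
    c->freeze_val = 3;                              /* the value the cheat pins */
    for (int i = 0; i < 1000 && !c->halted; i++) step(c);
}

/* Lives as the game itself sees them after the run (through the bus). */
uint8_t final_lives(bool freeze) {
    cpu_t c;
    run_game(&c, freeze);
    return bus_read(&c, LIVES_ADDR);
}

/* Bus transactions that touched $075A: 1 STA + 3 x (read + write) from DEC. */
unsigned lives_watch_hits(bool freeze) {
    cpu_t c;
    run_game(&c, freeze);
    return c.watch_hits;
}

int main(void) {
    printf("lives without cheat: %u (bus hits on $075A: %u)\n", final_lives(false), lives_watch_hits(false));
    printf("lives with freeze:   %u (bus hits on $075A: %u)\n", final_lives(true), lives_watch_hits(true));
    return 0;
}
```

Two things to take from it: first, because every CPU access funnels through bus_read/bus_write, both the freeze and the watchpoint are one-line hooks, which is why the slide says emulators make the Game Genie trivial to support; second, in freeze mode the byte in mem[$075A] never changes, yet the game consistently sees 3, so state inspection in a debugger has to be done at the bus (what the code sees), not just at the backing RAM.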
30.
Where’s the infosec in that..?
Hacking videogames is fun, but beating Super Mario will not land me a job…
31.
Where’s the infosec in that..?
32.
Where’s the infosec in that..?
33.
Where’s the infosec in that..?
• Many embedded systems still use old processors
• Legacy vertical systems
• Industrial control systems
• I/O interfaces will vary wildly
• Embedded systems are specialized by design
• Use the low pin count and absence of hardware abstraction layers to your advantage
• Use the hardware schematics (or trace the data flow in the hardware itself)
• Have fun!
34.
Where’s the infosec in that..?
Bus Pirate
• US$30
• Support for I2C, SPI, JTAG, KB, UART & more
• Always check your voltage levels with a multimeter!
35.
Where’s the infosec in that..?
• How to get modified code into the device?
• Official firmware upload mechanisms may use signature checking, hashing or checksums
• Most processors support booting from UART, SPI or other buses, or might support JTAG interfaces
• Boot into a flash utility, load your custom ROM through an out-of-band channel and flash it
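Added example for the checksum case on the slide above, not from the talk: a firmware image that carries a stored additive checksum, and the patch step that keeps it valid so the device's own loader still accepts the modified ROM. The layout is hypothetical (16 KiB image, 16-bit little-endian sum of every other byte stored in the last two bytes), as are the filler generator and the patch location; real devices document their own layout, or you recover it from the loader's disassembly. The patch itself is the classic infinite-lives edit: a 6502 DEC $075A replaced by three NOPs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: stored-checksum firmware image and a checksum-aware patcher.
 * Layout (16 KiB, 16-bit LE sum in the last two bytes) is hypothetical. */

#define IMAGE_SIZE   0x4000
#define CHECKSUM_OFF (IMAGE_SIZE - 2)
#define PATCH_OFF    0x0100            /* where the constructed image keeps DEC $075A */

/* Sum of every byte except the two checksum bytes themselves. */
uint16_t rom_checksum(const uint8_t *img) {
    uint16_t sum = 0;
    for (size_t i = 0; i < CHECKSUM_OFF; i++) sum = (uint16_t)(sum + img[i]);
    return sum;
}

bool rom_verify(const uint8_t *img) {
    uint16_t stored = (uint16_t)(img[CHECKSUM_OFF] | (img[CHECKSUM_OFF + 1] << 8));
    return stored == rom_checksum(img);
}

void rom_fix_checksum(uint8_t *img) {
    uint16_t sum = rom_checksum(img);
    img[CHECKSUM_OFF]     = (uint8_t)(sum & 0xFF);
    img[CHECKSUM_OFF + 1] = (uint8_t)(sum >> 8);
}

/* Overwrite n bytes at off; refuse patches that would clobber the checksum field. */
bool rom_patch(uint8_t *img, size_t off, const uint8_t *bytes, size_t n, bool fix) {
    if (off > CHECKSUM_OFF || n > CHECKSUM_OFF - off) return false;
    memcpy(img + off, bytes, n);
    if (fix) rom_fix_checksum(img);
    return true;
}

/* Constructed image: deterministic LCG filler, a DEC $075A at PATCH_OFF,
 * and a valid checksum, standing in for a dumped ROM. */
static void build_image(uint8_t *img) {
    static const uint8_t dec_lives[] = { 0xCE, 0x5A, 0x07 };   /* DEC $075A */
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < IMAGE_SIZE; i++) {
        x = x * 1103515245u + 12345u;
        img[i] = (uint8_t)(x >> 16);
    }
    memcpy(img + PATCH_OFF, dec_lives, sizeof dec_lives);
    rom_fix_checksum(img);
}

/* Replace DEC $075A with three NOPs (0xEA), with or without refreshing the
 * checksum, and report whether the loader's check would still pass. */
bool demo_patch_verifies(bool fix_checksum) {
    static uint8_t img[IMAGE_SIZE];
    static const uint8_t nops[] = { 0xEA, 0xEA, 0xEA };
    build_image(img);
    if (!rom_verify(img)) return false;                  /* pristine image must verify */
    if (!rom_patch(img, PATCH_OFF, nops, sizeof nops, fix_checksum)) return false;
    return rom_verify(img);
}

/* A patch overlapping the checksum field is rejected rather than applied. */
bool demo_patch_into_checksum_rejected(void) {
    static uint8_t img[IMAGE_SIZE];
    static const uint8_t two[] = { 0x00, 0x00 };
    build_image(img);
    return !rom_patch(img, CHECKSUM_OFF - 1, two, sizeof two, true);
}

int main(void) {
    printf("patched, checksum untouched: %s\n", demo_patch_verifies(false) ? "verifies" : "rejected");
    printf("patched, checksum fixed:     %s\n", demo_patch_verifies(true)  ? "verifies" : "rejected");
    return 0;
}
```

The caveat a practitioner wants here: a checksum or a plain hash stored inside the image can always be recomputed by whoever edits the image, so it only protects against corruption, not against you. A real signature check cannot be fixed up this way without the vendor's private key, which is exactly when the slide's fallback applies: skip the official upload path and load the ROM through UART/SPI boot or JTAG instead.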
36.
Conclusion
• Hacking games is fun
  – Code and data relationship in memory
  – Hardware is standard and well documented
  – Debuggers and emulators are your friends
• Embedded systems
  – s/joystick/keypad/
  – s/cartridge/eeprom/
  – s/Super Mario Bros/Global Thermonuclear War/
  – Techniques will be the same, hardware will not
• Learn how to use a soldering iron and an oscilloscope, and buy yourself a Bus Pirate
37.
Conclusion
• Crawl before you run
• Tackling Google Chrome running on Windows 7 64-bit is a sure way to frustrate yourself
• Simpler stuff is just as fun, and will help you hone your skills before going for bigger prey
38.
Conclusion