Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Thotcon 0x8 - Hardware Hacking on a Budget
Similaire à Thotcon 0x8 - Hardware Hacking on a Budget (20)
Dernier
Dernier (20)
Thotcon 0x8 - Hardware Hacking on a Budget
- 1. Hardware Hacking on a Budget Thotcon 0x8 Price McDonald
- 2. #USERID 0,0 pkm • 15 years InfoSec Experience • Director, Coalfire Labs • Certifications: • GPEN,GWAPT,GREM,GXPN • OSCP • Enjoys long walks to Micro Center
- 3. Current State of Hardware Security
- 4. Methodology
- 5. Get the Stuff on the Cheap • Beta Programs • https://www.betabound.com/tp-link-router-private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
- 7. Tamper Resistance and Detection
- 8. Test Dummy
- 10. Component Identification • EOL 802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pin TSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pin TSOP II
- 11. Arts and Crafts Time
- 12. Finding Ground • Using the MultiMeter we can figure out which of the pins on our headers connect to ground and which have voltage. GroundVoltage • Got Ground?
- 14. Common Interfaces • UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – Joint Test Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
- 15. Saleae Logic Analyzer Demo
- 16. Connecting to Interfaces • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
- 17. Connecting via the Shikra http://int3.cc/products/the-shikra
- 18. Connecting to UART Demo
- 19. We have a Shell!!!! But now what?
- 20. No tech hacking
- 22. File System Fiddling Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
- 24. SSH Whoops
- 25. Brief JTAG Description • JTAG stands for (Joint Test Action Group) which was formed in 1985. • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • The TCK Pin (Test Clock) is what keeps the clock for the state machine. • THE TMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle. Source: Wikipedia
- 26. Options for Connecting to JTAG Source: Wikipedia Good Better Best $45 $60-$600 $5000-$20000
- 27. JTAGulator Demo
- 28. Using JTAG Demo
- 29. Reverse Engineering Reverse Engineering• Binary Ninja • Free version available • Limited Architecture Support • Learn one IL to reverse thm all • Ida Pro • Paid Version required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available
- 30. So, what Comes Next? Reverse Engineering
- 31. Tornado Anyone? Reverse Engineering Only way to stop the noise was “to unplug the radio systems and the repeater” Could have recorded the commands during a system test or actual tornado, and then played them back. Source: https://arstechnica.com/information-technology/2017/04/dallas- siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/ Controlled by tone combinations used by the Emergency Alert System broadcast over the National Weather Service's weather radio – Spoofed? Can also be controlled by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a dispatcher or command center terminal sent over UHF radio frequencies -- 700 MHz range.
- 32. What is an SDR? Reverse Engineering
- 33. Options • RTL-SDR • 500 kHz - 1.7 GHz • RX Only • $25 • HackRF One • 1 MHz - 6 GHz • RX/TX @ Half-duplex • $315 • USRP • 70 MHz - 6 GHz • RX/TX @ Full- Duplex • $900
- 37. So why does this matter?
- 39. Surely a Simple Replay won’t work
- 40. Alarm Demos
- 41. Making it not Suck
- 42. Other Nice to Haves Reverse Engineering
- 43. Contact Information Reverse Engineering Twitter: @pricemcdonald Email: pricemcdonald@gmail.com coalfirelabs.com