Contenu connexe


Hardware Reverse Engineering: From Boot to Root

  1. Hardware Reverse Engineering From Boot To Root Yashin Mehaboobe
  2. • Security Researcher • Hardware geek • Speaker (HITB Amsterdam, Nullcon, c0c0n, Kaspersky NextGeneration, Ground Zero Summit) • Foodie 2 $whoami
  3. Define: Reverse Engineering • process of extracting knowledge or design information from anything man-made and re-producing it or reproducing anything based on the extracted information. [wikipedia] • hardware as well as software • used for commercial purposes/non commercial • Industrial espionage (to borrow ideas)
  4. A word about equipment • Good equipment = $$$$ • Use open source equipment such as the bus pirate, hackRF, OpenBench etc… • Commercial tools work better in most of the cases • Would be a good investment • Have at least one each of the separate categories of tools • Logic Analyzer • RF Spectrum Analyzer • Oscilloscope • JTAG debugger • Etc……
  5. LOGIC ANALYZERS • Monitor communication • Decode protocols • Replay (in some cases) • Cheap (44$ to 500$++) • Open source ones: • Open Bench • Bus Pirate
  6. RF Analysis tools • For scanning the RF frequencies • Recognizing signals • Storing and replay • SDRs are your friends! • Example: • RFExplorer • RTL-SDR • HackRF/BladeRF/USRP
  7. Oscilloscope • Digital/Analog • Useful for noting timing • Can also help in recognition of communication protocol • Very much needed
  8. Why • For fun • For profit • For fun and profit • Vulnerability discovery….
  9. Devices • Routers • Phones • Gaming consoles • Internet of Things!
  10. Actual physical security • Screws may be regular or proprietary • Warranty void seals • Tamper proof casing • Stupidly powerful tamper proof (a la IronKey)
  11. Initial steps • Open casing • Ascertain ICs and their functionality • Lookup datasheets • FCC IDs may be of help when it comes to radio • Name and series numbers may exist on ICs where they have not been sanitised
  12. Hunting for datasheets • Googling for the serial number may return the name • name -> datasheet • datasheet -> operation • operation -> full pwnage (sometimes) • Details to look out for differs system to system
  13. Diagnostic Ports • Ports left over after development • Should be disabled by blowing the fuses (not always done) • Majorly used: • JTAG, UART • Not so major: • LPC (Mainly in XBOX and some TPM systems)
  14. Serial • Also known as UART • Straight forward diagnostics (mostly) • There will be an RX,TX, ground and vcc • Sometimes also gives root access • Look for groupings of four pins (mainly)
  15. Finding Serial the hard way • Using multimeter • Continuity test • Ground pins are usually cross shaped • Touch a metal piece with the probe
  16. Finding the Serial the hard way -2 • After Ground find VCC • Turn on the power • Find the pin with the steady voltage • The other two are the RX and TX Pins
  17. Finding Serial the easy way • Using JTAGulator • Made by Joe Grand • Allows you to find UART and JTAG automatically
  18. JTAG • Joint Test Action Group • Used for debugging purposes mainly • Can be used in reverse engineering too • Halt CPU, change instructions etc
  19. Radio • Can be reverse engineered through various means • Direct radio analysis • SPI sniffing • FCC ids are a good way to determine frequency and other factors
  20. Bluetooth • Bluetooth 2 and 3 is surprisingly harder to eavesdrop on than 4.0 • An ubertooth is necessary for most bluetooth related operations • Important data is rare • Still good info is possible
  21. Flash/EEPROM memory • Nonvolatile • Used to store data • Firmware is usually stored in flash memory • Usually uses SPI for communication • Usually does not have any protection • Exceptions include Atmels Crypto Memory

  22. Invasive techniques • Invasive attacks usually destroy the chip • Used to get at the die • Usually done to duplicate the chip • Very expensive equipment required
  23. Introducing labrynth • A reverse engineering training platform • Uses Atmega328p • Separate EEPROM for data storage (24LC08) • Find the password that grants you access
  24. DEMO
  25. Thank you! • Special thanks to Justin Searle for loaning some crucial hardware!