Efficient Reverse Engineering of Automotive Firmware · 2019. 4. 30. · Efficient Reverse...

Efficient Reverse

Engineering of

Automotive Firmware

Alyssa Milburn

Security Analyst, Riscure

milburn@riscure.com / @noopwafel

(with Niek Timmers)

Reverse Engineering

Getting

Firmware

Tuning /

manipulation

Efficient Reverse Engineering of Automotive Firmware

Hacking

Reverse

Engineering Understanding

Automotive Firmware?

Instrument Cluster

• Speedometer/gauges • Display (screen) • Speaker! • Blinky lights!

• 32-bit CPU • CAN bus • I2C bus

• EEPROM

How can we get the firmware?

External

interfaces

Software

vulnerabilities

Hardware

attacks

What makes this challenging?

• “Non-standard” platforms

• New concepts

• Complexity

What makes this challenging?

No tools?! Let’s make some!

• Static analysis (disassembly): too complicated

• Dynamic analysis (emulation / debugging): no tools?

What do we need?

• Processor (instruction set) emulator

• Timers, interrupts

• CAN controller

• I2C controller

• EEPROM • Display controller

10 Efficient Reverse Engineering of Automotive Firmware

Emulating the CPU architecture

“Implementing” peripherals

How difficult was it?

~ 1 man-week of work ~ 3000 lines of (terrible) code (excluding support tooling)

Dynamic analysis

Debugging

Break!

Watch!

gdb “stub”

Debugging

(gdb) hbreak *0x11032 Hardware assisted breakpoint 1 at 0x11032 (gdb) c Continuing. 0x00011032 in ?? () (gdb)

Execution tracing

0x02920 0x02922 (jump) 0x02926 0x02928 0x0292c 0x02930

Execution tracing

0x02920 0x02922 (jump) 0x02926 0x02928 0x0292c 0x02930

Execution tracing

Hacks!

Initial state

Running (booted)

Send CAN message

Observe CAN response

State rewinding

100ms boot time

Taint tracking

CAN message Data[2] = CAN.read()

Data[7] = Data[2]

CAN message

Data[7] == Y?

Fuzzing

CAN message Memory

Memory[5] == 0xc7?

Path 1 Path 2

./cc.py dcm discovery CARING CARIBOU v0.1 ------------------- Starting diagnostics service discovery Found diagnostics at arbitration ID 0x????, reply at 0x????

UDS: security access

Random key Random key ==

calculateKey(seed)?

We found calculateKey!

Seed (challenge)

UDS: security access

sending requestSeed (0x3) CAN0: RCV [id ####] 02 27 03 aa aa aa aa aa CAN0: TRQ [id ####] 06 67 03 47 2e 8e 70 aa sending sendKey CAN0: RCV [id ####] 06 27 04 41 9b 35 42 aa

comparison at 0002f390 (419b3542 vs 419b3542) is tainted with 000000c0 CAN0: TRQ [id ####] 02 67 04 aa aa aa aa aa

EEPROM contents

Reverse engineering is hard work!

updateEEPROM(id, value)

Identification (VIN)

Features/ configuration

(UDS) security state

Odometer

Takeaways

• Reverse engineering is not so hard!

• Lots of other “tricks” to try:

• Symbolic execution • Deobfuscation (if necessary) • Smarter fuzzing

• You can’t hide secrets in firmware:

• Use asymmetric cryptography (i.e. public keys) • Use the secure hardware inside modern processors

Thanks to…

Santiago Cordoba

Eloi Sanfelix

Ramiro Pareja

Challenge your security

Alyssa Milburn

Security Analyst, Riscure

milburn@riscure.com / @noopwafel

icons8.com

• Training

• Tools

• Services

Efficient Reverse Engineering of Automotive Firmware · 2019. 4. 30. · Efficient Reverse...

Documents

Transcript of Efficient Reverse Engineering of Automotive Firmware · 2019. 4. 30. · Efficient Reverse...

KB9012 Embedded Controller firmware reverse …...rmware reverse engineering Paul Kocialkowski contact@paulk.fr Monday June 13rd 2016 Situation and Motivation Personal Use Case Use

Reverse engineering

China’s Reverse Engineering By SN Bennett. What is Reverse Engineering? Reverse engineering is the process of discovering the technological principles.

Reverse Engineering archeology: Reverse engineering ...

Shreeraj Reverse Engineering Browser Components emedia.blackhat.com/bh-us-11/Shah/BH_US_11_Shreeraj... · 7 Reverse Engineering Browser components Reverse Engineering and Information

Introduction To IoT Reverse Engineering•Introduction •Information gathering •Emulation environment using QEMU •Analyze how the device works •Modify the firmware What we will

Reverse Engineering Mac Malware - SANS Information ... · Reverse Engineering Mac Malware ... Office Document ZIP Archive ... • ^Reverse Engineering OS X _ - reverse.put.as (@osxreverser)

Embedded Devices Security Firmware Reverse Engineering …s3.eurecom.fr/slides/bh13us_zaddach.slides.pdf · · 2018-04-09What is ﬁrmware? (IEEE) • IEEE Standard Glossary of

Reverse Engineering Tool Based on Unified Mapping Method ... · 4D Reverse Engineering Tool. Keywords Reverse Engineering, Imagix-4D Reverse Engineering Tool, Class Diagram 1. Introduction

Software and Firmware Engineering -ESS

Reverse Engineering

Reverse Engineeringindex-of.co.uk › Reverse-Engineering › Reverse Engineering... · 2019-03-07 · 러시아 프로그래머인 드미트리 스킬리아로프는 어도비 사의

Electronic Reverse Engineering...Reverse engineering PCB's is a necessary process to obtain lost manufacturing files (Gerbers) Sometimes, reverse engineering combined with re-engineering

Reverse engineering of AirCrack software - Freelaurent.fallet.free.fr/docs/concordia/aircrack.pdf · Reverse engineering of AirCrack software Summary Report on the reverse engineering

Introduction to Reverse Engineering · Introduction to Reverse Engineering Gergely Erdélyi Research Manager. February 02, 09 Page Agenda • Reverse Engineering Intro • Ethical

Reverse Engineering - agz.esagz.es/Reverse-Engineering/Basic/Reverse Engineering [Security... · © 2008 Security Awareness Korea - i - Reverse Engineering Table of Content Module

Reverse Engineering & New Product Development · Reverse Engineering & New Product Development What does it mean to reverse engineer something? Reverse engineering is the general

Embedded Devices Security Firmware Reverse Engineering

Reverse engineering the Broadcom NetExtreme's firmware

Enbedded Devices Security Firmware Reverse Engineering