Hardware Reverse EngineeringFrom Boot To Root

Yashin Mehaboobe

• Security Researcher

• Hardware geek

• Speaker (HITB Amsterdam, Nullcon, c0c0n, Kaspersky NextGeneration, Ground Zero Summit)

• Foodie

2

$whoami

Define: Reverse Engineering• process of extracting knowledge or design information from

anything man-made and re-producing it or reproducing anything based on the extracted information. [wikipedia]

• hardware as well as software

• used for commercial purposes/non commercial

• Industrial espionage (to borrow ideas)

A word about equipment• Good equipment = $$$$

• Use open source equipment such as the bus pirate, hackRF, OpenBench etc…

• Commercial tools work better in most of the cases • Would be a good investment

• Have at least one each of the separate categories of tools • Logic Analyzer • RF Spectrum Analyzer • Oscilloscope • JTAG debugger • Etc……

LOGIC ANALYZERS• Monitor communication

• Decode protocols

• Replay (in some cases)

• Cheap (44$ to 500$++)

• Open source ones: • Open Bench • Bus Pirate

RF Analysis tools• For scanning the RF frequencies

• Recognizing signals

• Storing and replay

• SDRs are your friends!

• Example: • RFExplorer • RTL-SDR • HackRF/BladeRF/USRP

Oscilloscope

• Digital/Analog

• Useful for noting timing

• Can also help in recognition of communication protocol

• Very much needed

Why

• For fun

• For profit

• For fun and profit

• Vulnerability discovery….

Devices

• Routers

• Phones

• Gaming consoles

• Internet of Things!

Actual physical security

• Screws may be regular or proprietary

• Warranty void seals

• Tamper proof casing

• Stupidly powerful tamper proof (a la IronKey)

Initial steps• Open casing

• Ascertain ICs and their functionality

• Lookup datasheets

• FCC IDs may be of help when it comes to radio

• Name and series numbers may exist on ICs where they have not been sanitised

Hunting for datasheets

• Googling for the serial number may return the name

• name -> datasheet

• datasheet -> operation

• operation -> full pwnage (sometimes)

• Details to look out for differs system to system

Diagnostic Ports• Ports left over after development

• Should be disabled by blowing the fuses (not always done)

• Majorly used:

• JTAG, UART

• Not so major:

• LPC (Mainly in XBOX and some TPM systems)

Serial

• Also known as UART

• Straight forward diagnostics (mostly)

• There will be an RX,TX, ground and vcc

• Sometimes also gives root access

• Look for groupings of four pins (mainly)

Finding Serial the hard way

• Using multimeter

• Continuity test

• Ground pins are usually cross shaped

• Touch a metal piece with the probe

Finding the Serial the hard way -2

• After Ground find VCC

• Turn on the power

• Find the pin with the steady voltage

• The other two are the RX and TX Pins

Finding Serial the easy way

• Using JTAGulator

• Made by Joe Grand

• Allows you to find UART and JTAG automatically

JTAG

• Joint Test Action Group

• Used for debugging purposes mainly

• Can be used in reverse engineering too

• Halt CPU, change instructions etc

Radio

• Can be reverse engineered through various means

• Direct radio analysis

• SPI sniffing

• FCC ids are a good way to determine frequency and other factors

Bluetooth

• Bluetooth 2 and 3 is surprisingly harder to eavesdrop on than 4.0

• An ubertooth is necessary for most bluetooth related operations

• Important data is rare

• Still good info is possible

Flash/EEPROM memory• Nonvolatile

• Used to store data

• Firmware is usually stored in flash memory

• Usually uses SPI for communication

• Usually does not have any protection

• Exceptions include Atmels Crypto Memory

Invasive techniques

• Invasive attacks usually destroy the chip

• Used to get at the die

• Usually done to duplicate the chip

• Very expensive equipment required

Introducing labrynth

• A reverse engineering training platform

• Uses Atmega328p

• Separate EEPROM for data storage (24LC08)

• Find the password that grants you access

DEMO

Thank you!

• Special thanks to Justin Searle for loaning some crucial hardware!