Hardware Reverse Engineering: From Boot to Root
-
Upload
yashin-mehaboobe -
Category
Technology
-
view
787 -
download
7
Transcript of Hardware Reverse Engineering: From Boot to Root
Hardware Reverse EngineeringFrom Boot To Root
Yashin Mehaboobe
• Security Researcher
• Hardware geek
• Speaker (HITB Amsterdam, Nullcon, c0c0n, Kaspersky NextGeneration, Ground Zero Summit)
• Foodie
2
$whoami
Define: Reverse Engineering• process of extracting knowledge or design information from
anything man-made and re-producing it or reproducing anything based on the extracted information. [wikipedia]
• hardware as well as software
• used for commercial purposes/non commercial
• Industrial espionage (to borrow ideas)
A word about equipment• Good equipment = $$$$
• Use open source equipment such as the bus pirate, hackRF, OpenBench etc…
• Commercial tools work better in most of the cases • Would be a good investment
• Have at least one each of the separate categories of tools • Logic Analyzer • RF Spectrum Analyzer • Oscilloscope • JTAG debugger • Etc……
LOGIC ANALYZERS• Monitor communication
• Decode protocols
• Replay (in some cases)
• Cheap (44$ to 500$++)
• Open source ones: • Open Bench • Bus Pirate
RF Analysis tools• For scanning the RF frequencies
• Recognizing signals
• Storing and replay
• SDRs are your friends!
• Example: • RFExplorer • RTL-SDR • HackRF/BladeRF/USRP
Oscilloscope
• Digital/Analog
• Useful for noting timing
• Can also help in recognition of communication protocol
• Very much needed
Why
• For fun
• For profit
• For fun and profit
• Vulnerability discovery….
Devices
• Routers
• Phones
• Gaming consoles
• Internet of Things!
Actual physical security
• Screws may be regular or proprietary
• Warranty void seals
• Tamper proof casing
• Stupidly powerful tamper proof (a la IronKey)
Initial steps• Open casing
• Ascertain ICs and their functionality
• Lookup datasheets
• FCC IDs may be of help when it comes to radio
• Name and series numbers may exist on ICs where they have not been sanitised
Hunting for datasheets
• Googling for the serial number may return the name
• name -> datasheet
• datasheet -> operation
• operation -> full pwnage (sometimes)
• Details to look out for differs system to system
Diagnostic Ports• Ports left over after development
• Should be disabled by blowing the fuses (not always done)
• Majorly used:
• JTAG, UART
• Not so major:
• LPC (Mainly in XBOX and some TPM systems)
Serial
• Also known as UART
• Straight forward diagnostics (mostly)
• There will be an RX,TX, ground and vcc
• Sometimes also gives root access
• Look for groupings of four pins (mainly)
Finding Serial the hard way
• Using multimeter
• Continuity test
• Ground pins are usually cross shaped
• Touch a metal piece with the probe
Finding the Serial the hard way -2
• After Ground find VCC
• Turn on the power
• Find the pin with the steady voltage
• The other two are the RX and TX Pins
Finding Serial the easy way
• Using JTAGulator
• Made by Joe Grand
• Allows you to find UART and JTAG automatically
JTAG
• Joint Test Action Group
• Used for debugging purposes mainly
• Can be used in reverse engineering too
• Halt CPU, change instructions etc
Radio
• Can be reverse engineered through various means
• Direct radio analysis
• SPI sniffing
• FCC ids are a good way to determine frequency and other factors
Bluetooth
• Bluetooth 2 and 3 is surprisingly harder to eavesdrop on than 4.0
• An ubertooth is necessary for most bluetooth related operations
• Important data is rare
• Still good info is possible
Flash/EEPROM memory• Nonvolatile
• Used to store data
• Firmware is usually stored in flash memory
• Usually uses SPI for communication
• Usually does not have any protection
• Exceptions include Atmels Crypto Memory
Invasive techniques
• Invasive attacks usually destroy the chip
• Used to get at the die
• Usually done to duplicate the chip
• Very expensive equipment required
Introducing labrynth
• A reverse engineering training platform
• Uses Atmega328p
• Separate EEPROM for data storage (24LC08)
• Find the password that grants you access
DEMO
Thank you!
• Special thanks to Justin Searle for loaning some crucial hardware!