PowerPC Binary Patching for Base Station Analysis
Dinosaur Resurrection: PowerPC Binary Patching for Base Station Analysis
Uwe Müller, Eicke Hauck, Timm Welz, Jiska Classen, Matthias Hollick
Secure Mobile Networking Lab - SEEMOO
Technische Universität Darmstadt, Germany
Motivation
What is TETRA?
Just like GSM, but for emergency communication in Europe.
Stronger encryption than GSM :)
Group calls
SIM-based authentication
Walkie-talkie mode (DMO) and base station mode (TMO)
Voice + text messages
Separate from other mobile infrastructure
What is PowerPC?
A dating^Wdated computing architecture.
PowerPC-based TETRA Base Station
Never gets old!!!1!
1995 1991
TETRA Base Station Setup for Testing
Safety measures
● Put everything into an EMF-shielded tent.
● Add a huge dummy load.
● Configure an invalid frequency.
● Only analyze and fuzz local interfaces.
Firmware flashing and control
● Site controller usually offers firmware via TFTP.
● Raspberry Pi replaces the TFTP controller.
● Also connect to the serial console of the base radio (bootloader and crash output, local shell).
Static Firmware Analysis
Firmware Format
● Base station runs an Enea POLO bootloader.
● Bootloader gets an ELF via TFTP from the site controller.
● The ELF can be compressed with gzip.
● The ELF contains symbols! 🎉 🥳 🥂
Function Name and Library Analysis
● Operating System Embedded (OSE) 4.5.2, developed by Enea AB.
● IPCOM network stack by Interpeak AB.
● MPC8260ADS SoC featuring a big-endian PowerPC CPU.
● Compile dates are from 2006/2007.
PowerPC Binary Patcher
Let’s patch the firmware using C!
PowerPC Assembler Example
● Each function in our target binary starts with the same two position-independent instructions.
● Replace these with a jump to the actual hook.
● Hooks can be added to the beginning (PRECALL), end (POSTCALL), or replace a function (REPLACE).
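The entry patch described above, as an added worked example (this is not the SEEMOO patcher's code): a small C patcher that operates on a constructed in-memory copy of a big-endian PowerPC text section. It assumes the shared prologue is `stwu r1,-0x20(r1)` followed by `mflr r0`; the image base and the function, hook and trampoline addresses are made up. It installs a REPLACE hook: the function entry becomes a branch to the hook, and a trampoline re-executes the two displaced prologue instructions and branches back to the original body at +8, so the hook can still call the original. It checks the prologue before writing anything and refuses branches that do not fit the 24-bit displacement of a PowerPC `b`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory image standing in for the big-endian PowerPC .text
 * section of the firmware ELF; base and all addresses below are assumptions. */
#define IMAGE_BASE 0x00100000u
#define IMAGE_SIZE 0x00030000u
#define FUNC_ADDR  0x00101000u   /* hypothetical function to hook */
#define HOOK_ADDR  0x00120000u   /* start of the added hooks section (assumed) */
#define TRAMP_ADDR 0x00120100u   /* trampoline slot inside the hooks section */

/* The two position-independent prologue instructions assumed to start every
 * target function: stwu r1,-0x20(r1) and mflr r0. */
#define INSN_STWU_R1 0x9421FFE0u
#define INSN_MFLR_R0 0x7C0802A6u
#define INSN_NOP     0x60000000u  /* ori r0,r0,0 */
#define INSN_BLR     0x4E800020u

static uint8_t image[IMAGE_SIZE];

static int in_image(uint32_t addr, uint32_t len) {
    return addr >= IMAGE_BASE && addr + len <= IMAGE_BASE + IMAGE_SIZE;
}

/* PowerPC is big-endian: instruction words are stored most significant byte first. */
uint32_t rd32(uint32_t addr) {
    const uint8_t *p = &image[addr - IMAGE_BASE];
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

void wr32(uint32_t addr, uint32_t v) {
    uint8_t *p = &image[addr - IMAGE_BASE];
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Encode an I-form relative branch (opcode 18: b, or bl when link != 0) from
 * `from` to `to`. The 24-bit LI field holds a word-aligned signed displacement,
 * so the target must lie within -32 MiB .. +32 MiB - 4 of the branch itself.
 * Returns 0 (not a valid opcode-18 encoding) when the branch cannot be encoded. */
uint32_t encode_branch(uint32_t from, uint32_t to, int link) {
    int32_t disp = (int32_t)(to - from);
    if (disp & 3) return 0;
    if (disp < -(1 << 25) || disp > (1 << 25) - 4) return 0;
    return 0x48000000u | ((uint32_t)disp & 0x03FFFFFCu) | (link ? 1u : 0u);
}

/* Install a REPLACE hook: `func` is redirected to `hook`, and `tramp` becomes a
 * callable copy of the original entry (the two displaced prologue instructions
 * followed by a branch back to func+8), so the hook can call the original.
 * Returns 0 on success, -1 on a prologue mismatch, -2 when a branch does not
 * fit, -3 when an address lies outside the image. */
int install_replace_hook(uint32_t func, uint32_t hook, uint32_t tramp) {
    if (!in_image(func, 8) || !in_image(tramp, 12)) return -3;
    /* Refuse to patch a function whose first two words are not the known
     * position-independent prologue: relocating anything else (for example a
     * PC-relative branch) into the trampoline would silently corrupt it. */
    if (rd32(func) != INSN_STWU_R1 || rd32(func + 4) != INSN_MFLR_R0) return -1;

    uint32_t b_hook = encode_branch(func, hook, 0);
    uint32_t b_back = encode_branch(tramp + 8, func + 8, 0);
    if (b_hook == 0 || b_back == 0) return -2;

    /* Trampoline: displaced prologue, then jump into the original body. */
    wr32(tramp,     INSN_STWU_R1);
    wr32(tramp + 4, INSN_MFLR_R0);
    wr32(tramp + 8, b_back);

    /* Entry patch: branch to the hook; the second word is now dead, so nop it. */
    wr32(func,     b_hook);
    wr32(func + 4, INSN_NOP);
    return 0;
}

/* Lay out the constructed image: the target function with its prologue and a
 * body consisting of a single blr; everything else is zero. */
void setup_image(void) {
    memset(image, 0, sizeof image);
    wr32(FUNC_ADDR,     INSN_STWU_R1);
    wr32(FUNC_ADDR + 4, INSN_MFLR_R0);
    wr32(FUNC_ADDR + 8, INSN_BLR);
}

int main(void) {
    setup_image();
    int rc = install_replace_hook(FUNC_ADDR, HOOK_ADDR, TRAMP_ADDR);
    printf("rc=%d entry=%08x trampoline=%08x %08x %08x\n", rc, rd32(FUNC_ADDR),
           rd32(TRAMP_ADDR), rd32(TRAMP_ADDR + 4), rd32(TRAMP_ADDR + 8));
    return rc != 0;
}
```

The range check in `encode_branch` is the caveat to keep in mind: an opcode-18 branch reaches only ±32 MiB, so the hooks section has to sit within that distance of every patched function, otherwise the entry patch needs an absolute jump (`lis`/`ori` into a register, `mtctr`, `bctr`) and more than two words of prologue must be displaced.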
Demo: Blinking LEDs
Dynamic Firmware Analysis
Call Traces
● Replace all functions matching a regular expression with a call trace instrumentation.
● Log time (execution time and function order) and the currently active thread.
● Conversion to Callgrind format shows the time spent in each function.
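An added example (not the talk's tooling) of what the post-processing behind these bullets has to do: replay the logged enter/exit events with one call stack per thread, derive inclusive and self time per function, and write a minimal Callgrind file. The trace records, function names and tick values are constructed; the real instrumentation hooks would log equivalent records, and the per-thread stacks are what keeps an interrupt or another OSE process that runs in the middle of a call from being charged to the interrupted function.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FUNCS   32
#define MAX_THREADS 8
#define MAX_DEPTH   32

/* One record as the call-trace instrumentation would log it: timestamp in
 * ticks, the thread that was running, entry or return, and the function name
 * taken from the ELF symbol table. */
typedef struct { uint32_t ticks; int thread; int is_enter; const char *fn; } trace_event;

typedef struct { const char *name; uint32_t calls, incl, self; } fn_stat;

static fn_stat stats[MAX_FUNCS];
static int nstats;

static int stat_index(const char *name) {
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].name, name) == 0) return i;
    if (nstats == MAX_FUNCS) return -1;
    stats[nstats].name = name;
    stats[nstats].calls = stats[nstats].incl = stats[nstats].self = 0;
    return nstats++;
}

const fn_stat *stat_for(const char *name) {
    for (int i = 0; i < nstats; i++)
        if (strcmp(stats[i].name, name) == 0) return &stats[i];
    return NULL;
}

/* Replay the events with one call stack per thread. Inclusive time is
 * exit - entry; self time is inclusive time minus the inclusive time of the
 * callees that ran while this frame was on top of its thread's stack.
 * Returns 0, or -1 on a malformed trace (bad thread id, stack overflow,
 * exit without a matching entry). */
int compute_stats(const trace_event *ev, int n) {
    struct { int fn; uint32_t entered, child; } stack[MAX_THREADS][MAX_DEPTH];
    int depth[MAX_THREADS] = {0};
    nstats = 0;
    for (int i = 0; i < n; i++) {
        int th = ev[i].thread;
        if (th < 0 || th >= MAX_THREADS) return -1;
        int fi = stat_index(ev[i].fn);
        if (fi < 0) return -1;
        if (ev[i].is_enter) {
            if (depth[th] == MAX_DEPTH) return -1;
            stack[th][depth[th]].fn = fi;
            stack[th][depth[th]].entered = ev[i].ticks;
            stack[th][depth[th]].child = 0;
            depth[th]++;
            stats[fi].calls++;
        } else {
            if (depth[th] == 0 || stack[th][depth[th] - 1].fn != fi) return -1;
            depth[th]--;
            uint32_t incl = ev[i].ticks - stack[th][depth[th]].entered;
            stats[fi].incl += incl;
            stats[fi].self += incl - stack[th][depth[th]].child;
            if (depth[th] > 0) stack[th][depth[th] - 1].child += incl;
        }
    }
    return 0;
}

/* Emit a minimal Callgrind profile: one "fn=" block per function with its
 * self cost attributed to line 0 and no call edges, which is enough for
 * callgrind_annotate or KCachegrind to show time spent in each function. */
void write_callgrind(FILE *out) {
    fprintf(out, "# callgrind format\nevents: Ticks\n\n");
    for (int i = 0; i < nstats; i++)
        fprintf(out, "fn=%s\n0 %u\n\n", stats[i].name, stats[i].self);
}

/* Constructed trace: thread 1 handles a packet while thread 2 services a
 * timer in between (function names are hypothetical). */
const trace_event sample[] = {
    {0,  1, 1, "main_loop"},
    {5,  2, 1, "timer_tick"},
    {8,  2, 0, "timer_tick"},
    {10, 1, 1, "ip_input"},
    {15, 1, 1, "ip_checksum"},
    {20, 1, 0, "ip_checksum"},
    {30, 1, 0, "ip_input"},
    {40, 1, 0, "main_loop"},
};
const int sample_len = sizeof sample / sizeof sample[0];

int main(void) {
    if (compute_stats(sample, sample_len) != 0) return 1;
    write_callgrind(stdout);
    return 0;
}
```

With the sample trace, `ip_input` is charged 15 ticks of self time (20 inclusive minus the 5 spent in `ip_checksum`), and `timer_tick` on thread 2 does not inflate `main_loop`, which is the point of keeping one stack per thread.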
Callgrind Interpretation
Interrupt-related Hooks
● Call traces work very smoothly within most libraries.
● If functions are related to hardware interrupts, certain PowerPC instructions cannot be executed.
● This leads to crashes within some libraries.
Patching without Reboots
● The hooks section always ends up at the same address within the patched ELF.
● Comparison based on objdump output is straightforward :)
● We can use this to patch the firmware at runtime.
● Sufficiently stable for most use cases :D
Calling Functions During Runtime
● The previous approach still requires firmware recompilation.
● We can add a simple handler that allows calling functions with arguments directly from the serial command line interface.
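An added example (not the talk's handler) of such a command handler, written so that it also runs on a host: it parses a `call <symbol|address> [arg ...]` line as typed on the serial console, resolves the target, and invokes it through one generic four-argument function pointer. The symbol table and the two `fw_*` functions are hypothetical stand-ins; on the target the parsed address would simply be cast to the function pointer type. The ABI reasoning is the part that carries over: on the 32-bit PowerPC SysV ABI the first integer arguments travel in r3..r10 and the result comes back in r3, so a callee that takes fewer arguments just ignores the surplus registers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One pointer type for every callable: on 32-bit PowerPC SysV, four uint32_t
 * arguments land in r3..r6 and the result returns in r3, so this can invoke
 * any firmware function with up to four integer/pointer parameters. The host
 * demo keeps every target at exactly this signature so it is portable. */
typedef uint32_t (*fw_fn)(uint32_t, uint32_t, uint32_t, uint32_t);

/* Hypothetical firmware functions; on the real target the table would be
 * filled from the ELF symbol table, or bypassed by casting the address. */
static uint32_t fw_add(uint32_t a, uint32_t b, uint32_t c, uint32_t d) { (void)c; (void)d; return a + b; }
static uint32_t fw_led(uint32_t mask, uint32_t b, uint32_t c, uint32_t d) { (void)b; (void)c; (void)d; return mask & 0xFu; }

static const struct { const char *name; uint32_t addr; fw_fn fn; } symtab[] = {
    { "fw_add", 0x00101000u, fw_add },   /* addresses are made up */
    { "fw_led", 0x00101040u, fw_led },
};

/* Accept either a symbol name or a numeric address (decimal, 0x hex). */
static fw_fn resolve(const char *token) {
    char *end;
    unsigned long addr = strtoul(token, &end, 0);
    int numeric = (end != token && *end == '\0');
    for (size_t i = 0; i < sizeof symtab / sizeof symtab[0]; i++) {
        if (strcmp(token, symtab[i].name) == 0) return symtab[i].fn;
        if (numeric && addr == symtab[i].addr) return symtab[i].fn;
    }
    return NULL;   /* on the target: return (fw_fn)(uintptr_t)addr when numeric */
}

/* Parse "call <symbol|address> [arg0 [arg1 [arg2 [arg3]]]]", call the function
 * and store its return value in *result. Returns 0 on success, -1 on a syntax
 * error, -2 for an unknown function, -3 for a bad or surplus argument.
 * The line is copied because strtok modifies its input. */
int handle_call(const char *line, uint32_t *result) {
    char buf[128];
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    char *tok = strtok(buf, " \t\r\n");
    if (!tok || strcmp(tok, "call") != 0) return -1;
    tok = strtok(NULL, " \t\r\n");
    if (!tok) return -1;
    fw_fn fn = resolve(tok);
    if (!fn) return -2;
    uint32_t args[4] = {0, 0, 0, 0};
    int n = 0;
    while ((tok = strtok(NULL, " \t\r\n")) != NULL) {
        if (n == 4) return -3;
        char *end;
        unsigned long v = strtoul(tok, &end, 0);   /* base 0: decimal, 0x hex, 0 octal */
        if (end == tok || *end != '\0' || v > 0xFFFFFFFFul) return -3;
        args[n++] = (uint32_t)v;
    }
    *result = fn(args[0], args[1], args[2], args[3]);
    return 0;
}

/* Convenience wrapper for scripted use: the value on success, 0 otherwise,
 * with the status left in last_rc. */
int last_rc;
uint32_t run_line(const char *line) {
    uint32_t r = 0;
    last_rc = handle_call(line, &r);
    return last_rc == 0 ? r : 0;
}

int main(void) {
    const char *lines[] = { "call fw_add 40 2", "call 0x101040 0xff", "call fw_missing 1" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        uint32_t r = run_line(lines[i]);
        printf("%-22s -> rc=%d r=0x%08x\n", lines[i], last_rc, r);
    }
    return 0;
}
```

Such a handler hands anyone on the serial console arbitrary code execution with the firmware's privileges, which is exactly what is wanted on the bench; it is not something to leave in a build that ships.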
Fuzzing with Hyphuzz
Fuzzing the IPCOM Network Stack
OSE Error Handlers and Crash Types
● Some crashes do not trigger an error handler at all; these are hard to analyze without emulation or similar.
● Other crashes result in crash logs sent to the serial console :)
Fuzzing Overhead