PoC||GTFOPoC||GTFOProof
Concept
Get
The
Fuck
Out
o r
fo
0, $0 USD, $0 AUD, 0 RSD, 0 SEK, $50 CAD, 6× 1029 Pengo (3× 108 Adopengo), 100 JPC.Compiled on December 30, 2017. Free Radare2 license included with each and every copy!Des Teufels liebstes Mobelstuck ist die lange Bank. Это самиздат.
17:0217:02 (p. 5) AES-CBC Shellcode(p. 5) AES-CBC Shellcode
17:0317:03 (p. 9) Tall Tales of Science and Fiction(p. 9) Tall Tales of Science and Fiction
17:0417:04 (p. 13) Sniffing BTLE with the Micro:Bit(p. 13) Sniffing BTLE with the Micro:Bit
17:0517:05 (p. 21) Bit-Banging Ethernet(p. 21) Bit-Banging Ethernet
17:0617:06 (p. 32) The DIP Flip Whixr Trick(p. 32) The DIP Flip Whixr Trick
17:0717:07 (p. 34) Injecting Shared Objects on FreeBSD(p. 34) Injecting Shared Objects on FreeBSD
17:0817:08 (p. 42) Murder on the USS Table(p. 42) Murder on the USS Table
17:0917:09 (p. 56) Infect to Protect(p. 56) Infect to Protect
It’s damned cold outside,so let’s light ourselves a fire!
warm ourselves with whiskey!warm ourselves with whiskey!and teach ourselves some tricks!and teach ourselves some tricks!
17:06 The DIP Flip Whixr Trick:An Integrated Circuit That Functions in Either Orientation
by Joe “Kingpin” Grand
Hardware trickery comes in many shapes andsizes: implanting add-on hardware into a finishedproduct, exfiltrating data through optical, thermal,or electromagnetic means, injecting malicious codeinto firmware, BIOS, or microcode, or embeddingTrojans into physical silicon. Hackers, governments,and academics have been playing in this wide openfield for quite some time and there’s no sign of thingsslowing down.
This PoC, inspired by my friend Whixr of#tymkrs, demonstrates the feasibility of an IC be-having differently depending on which way it’s con-nected into the system. Common convention statesthat ICs must be inserted in their specified orien-tation, assisted by the notch or key on the deviceidentifying pin 1, in order to function properly.
So, let’s defy this convention!– — — – — — — — – — –
Most standard chips, like digital logic devicesand microcontrollers, place the power and groundconnections at corners diagonal from each other. Ifone were to physically rotate the IC by 180 degrees,power from the board would connect to the groundpin of the chip or vice versa. This would typicallyresult in damage to the chip, releasing the magicsmoke that it needs to function. The key to thisPoC was finding an IC with a more favorable pinconfiguration.
While searching through microcontroller datasheets, I came across the Microchip PIC12F629.This particular 8-pin device has power and GPIO(General Purpose I/O) pins in locations that wouldallow the chip to be rotated with minimal risk. Ofcourse, this PoC could be applied to any chip witha suitable pin configuration.
In the pinout drawing, which shows the chip fromabove in its normal orientation, arrows denote thealternate functionality of that particular pin whenthe chip is rotated around. Since power (VDD) isnormally connected to pin 1 and ground (VSS) isnormally connected to pin 8, if the chip is rotated,GP2 (pin 5) and GP3 (pin 4) would connect to powerand ground instead. By setting both GP2 and GP3to inputs in firmware and connecting them to powerand ground, respectively, on the board, the PIC willbe properly powered regardless of orientation.
– — — – — — — — – — –
I thought it would be fun to change the datathat the PIC sends to a host PC depending on itsorientation.
On power-up of the PIC, GP1 is used to detectthe orientation of the device and set the mode ac-cordingly. If GP1 is high (caused by the pull-upresistor to VCC), the PIC will execute the normalcode. If GP1 is low (caused by the pull-down re-sistor to VSS), the PIC will know that it has beenrotated and will execute the alternate code. Thisorientation detection could also be done using GP5,but with inverted polarity.
The PIC’s UART (asynchronous serial) outputis bit-banged in firmware, so I’m able to reconfigurethe GPIO pins used for TX and RX (GP0 and GP4)on-the-fly. The TX and RX pins connect directly toan Adafruit FTDI Friend, which is a standard FTDIFT232R-based USB-to-serial adapter. The FTDIFriend also provides 5V (VDD) to the PoC.
In normal operation, the device will look for akey press on GP4 from the FTDI Friend’s TX pinand then repeatedly transmit the character ’A’ at9600 baud via GP0 to the FTDI Friend’s RX pin.When the device is rotated 180 degrees, the devicewill look for a key press on GP0 and repeatedlytransmit the character ’B’ on GP4. As a key pressdetector, instead of reading a full character from thehost, the device just looks for a high-to-low transi-tion on the PIC’s currently configured RX pin. Sincethat pin idles high, the start bit of any data sentfrom the FTDI Friend will be logic low.
32
Adafruit FTDI Friend Interface
1
2
3
4
5
6
P1
Header 6
0.1uF
C1
VDD
GND
CTS ->
VCC <-
TX <-
RX ->
RTS <-
GP52
GP1/ICSPCLK6
GP25
GP3/MCLR4
GP0/ICSPDAT7
VSS8
VDD1
GP43
U1
PIC12F629-I/P
VDD
VDD
VDD
10kR1
10kR2
PIC101
PIC102COC1
PIP101
PIP102
PIP103
PIP104
PIP105
PIP106
COP1
PIR101 PIR102
COR1
PIR201 PIR202
COR2
PIU101
PIU102
PIU103
PIU104 PIU105
PIU106
PIU107
PIU108
COU1
PIC101
PIP106
PIR201
PIU104
PIU108
PIP101
PIP102PIU107
PIP103
PIU103
PIP105
PIR101PIU106
PIR202PIU102
PIC102
PIP104
PIR102
PIU101
PIU105
switch ( input (PIN_A1) ) {// o r i en t a t i onde t e c t i on
2 case MODE_NORMAL: // normal behav ior#use rs232 ( baud=9600 , b i t s =8, pa r i t y=N,stop=1, xmit=PIN_A0, force_sw )
4//wait f o r a keypres s
6 while ( input (PIN_A4) ) ;
8 while (1 ) {p r i n t f ( "A " ) ;
10 delay_ms (10) ;}
12 break ;
14 case MODE_ALTERNATE: // abnormal behav ior#use rs232 ( baud=9600 , b i t s =8, pa r i t y=N,stop=1, xmit=PIN_A4, force_sw )
16// wait f o r a keypress
18 while ( input (PIN_A0) ) ;
20 while (1 ) {p r i n t f ( "B " ) ;
22 delay_ms (10) ;}
24 break ;}
For your viewing entertainment, a demonstra-tion of my breadboard prototype can be found onYoutube.17 Complete engineering documentation,including schematic, bill-of-materials, source code,and layout for a small circuit board module are alsoavailable.18
Let this PoC serve as a reminder that one shouldnot take anything at face value. There are an end-less number of ways that hardware, and the elec-tronic components within a hardware system, canmisbehave. Hopefully, this little trick will inspirefuture hardware mischief and/or the development ofother sneaky circuits. If nothing else, you’re at leastarmed with a snarky response for the next time someover-confident engineer insists ICs will only work inone direction!
17Joe Grand, Sneaky Circuit: This DIP Goes Both Ways18unzip pocorgtfo17.pdf dipflip.zip # or at www.grandideastudio.com/portfolio/sneaky-circuits/
33
Top Related