Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot To Root
Yashin Mehaboobe
$whoami
• Security Researcher
• Hardware geek
• Speaker (HITB Amsterdam, Nullcon, c0c0n, Kaspersky NextGeneration, Ground Zero Summit)
• Foodie
Define: Reverse Engineering
• process of extracting knowledge or design information from anything man-made and re-producing it or reproducing anything based on the extracted information. [wikipedia]
• hardware as well as software
• used for commercial purposes/non commercial
• Industrial espionage (to borrow ideas)
A word about equipment
• Good equipment = $$$$
• Use open source equipment such as the bus pirate, hackRF, OpenBench etc…
• Commercial tools work better in most of the cases
• Would be a good investment
• Have at least one each of the separate categories of tools
• Logic Analyzer
• RF Spectrum Analyzer
• Oscilloscope
• JTAG debugger
• Etc……
Logic Analyzers
• Monitor communication
• Decode protocols
• Replay (in some cases)
• Cheap ($44 to $500++)
• Open source ones:
• Open Bench
• Bus Pirate
RF Analysis tools
• For scanning the RF frequencies
• Recognizing signals
• Storing and replay
• SDRs are your friends!
• Example:
• RFExplorer
• RTL-SDR
• HackRF/BladeRF/USRP
Oscilloscope
• Digital/Analog
• Useful for noting timing
• Can also help in recognition of communication protocol
• Very much needed
Why
• For fun
• For profit
• For fun and profit
• Vulnerability discovery…
Devices
• Routers
• Phones
• Gaming consoles
• Internet of Things!
Actual physical security
• Screws may be regular or proprietary
• Warranty void seals
• Tamper-proof casing
• Stupidly powerful tamper-proofing (à la IronKey)
Initial steps
• Open casing
• Ascertain ICs and their functionality
• Lookup datasheets
• FCC IDs may be of help when it comes to radio
• Name and series numbers may exist on ICs where they have not been sanitised
Hunting for datasheets
• Googling for the serial number may return the name
• name -> datasheet
• datasheet -> operation
• operation -> full pwnage (sometimes)
• Details to look out for differ from system to system
Diagnostic Ports
• Ports left over after development
• Should be disabled by blowing the fuses (not always done)
• Majorly used: JTAG, UART
• Not so major: LPC (mainly in XBOX and some TPM systems)
Serial
• Also known as UART
• Straightforward diagnostics (mostly)
• There will be RX, TX, ground and VCC
• Sometimes also gives root access
• Look for groupings of four pins (mainly)
Finding Serial the hard way
• Using a multimeter
• Continuity test
• Ground pins are usually cross shaped
• Touch a metal piece with the probe
Finding Serial the hard way - 2
• After Ground find VCC
• Turn on the power
• Find the pin with the steady voltage
• The other two are the RX and TX Pins
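Once ground and VCC are identified, the remaining pin that carries data is TX, and a logic-analyzer capture of it is enough to work out the baud rate and read the console (the "Decode protocols" job from the logic analyzer slide). The script below is an added example, not code from the talk: it estimates the baud rate from the shortest pulse in an edge capture and decodes 8N1 frames; the capture is constructed in-script by `uart_encode`, and `STANDARD_BAUDS` and the function names are my own.

```python
"""Added example: identify and decode a UART (8N1) from a logic-analyzer edge capture."""
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200)  # rates to snap the estimate to

def uart_encode(data: bytes, baud: int, start: float = 0.0) -> list:
    """Constructed capture (not a real device dump): (timestamp_s, new_level) at each
    edge of a TX line that idles high; frame = start(0), 8 data bits LSB first, stop(1)."""
    bit_time, level, t, edges = 1.0 / baud, 1, start, []
    for byte in data:
        for b in [0] + [(byte >> i) & 1 for i in range(8)] + [1]:
            if b != level:
                edges.append((t, b))
                level = b
            t += bit_time
    return edges

def estimate_baud(edges: list) -> int:
    """The shortest gap between edges is (at best) one bit time; snap it to a standard rate.
    Caveat: if the data never contains an isolated bit, the estimate is a sub-multiple."""
    shortest = min(b[0] - a[0] for a, b in zip(edges, edges[1:]))
    return min(STANDARD_BAUDS, key=lambda rate: abs(1.0 / rate - shortest))

def level_at(edges: list, t: float, idle: int = 1) -> int:
    """Line level at time t: the level set by the last edge at or before t."""
    level = idle
    for ts, new_level in edges:
        if ts > t:
            break
        level = new_level
    return level

def uart_decode(edges: list, baud: int) -> bytes:
    """Decode 8N1 frames: each falling edge outside a frame is a start bit; sample every
    bit at its centre. Frames whose stop bit is low are dropped as framing errors."""
    bit_time, out, frame_end = 1.0 / baud, bytearray(), -1.0
    for ts, new_level in edges:
        if new_level != 0 or ts < frame_end - bit_time / 2:
            continue  # rising edge, or an edge inside the frame already decoded
        byte = sum(level_at(edges, ts + (1.5 + i) * bit_time) << i for i in range(8))
        if level_at(edges, ts + 9.5 * bit_time) == 1:
            out.append(byte)
        frame_end = ts + 10 * bit_time
    return bytes(out)

if __name__ == "__main__":
    capture = uart_encode(b"root@", 115200)  # constructed sample capture
    baud = estimate_baud(capture)
    print(baud, uart_decode(capture, baud))  # 115200 b'root@'
```

With a real capture, feed the analyzer's exported edge list in the same (timestamp, level) shape; the baud estimate is only reliable when the traffic contains at least one single-bit pulse.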
Finding Serial the easy way
• Using JTAGulator
• Made by Joe Grand
• Allows you to find UART and JTAG automatically
JTAG
• Joint Test Action Group
• Used for debugging purposes mainly
• Can be used in reverse engineering too
• Halt CPU, change instructions etc
Radio
• Can be reverse engineered through various means
• Direct radio analysis
• SPI sniffing
• FCC IDs are a good way to determine frequency and other factors
Bluetooth
• Bluetooth 2 and 3 are surprisingly harder to eavesdrop on than 4.0
• An Ubertooth is necessary for most Bluetooth related operations
• Important data is rare
• Still good info is possible
Flash/EEPROM memory
• Nonvolatile
• Used to store data
• Firmware is usually stored in flash memory
• Usually uses SPI for communication
• Usually does not have any protection
• Exceptions include Atmel's CryptoMemory
Invasive techniques
• Invasive attacks usually destroy the chip
• Used to get at the die
• Usually done to duplicate the chip
• Very expensive equipment required
Introducing labrynth
• A reverse engineering training platform
• Uses an ATmega328P
• Separate EEPROM for data storage (24LC08)
• Find the password that grants you access
DEMO
Thank you!
• Special thanks to Justin Searle for loaning some crucial hardware!