
Practical Exploitation of Embedded Systems

Andrea Barisani
<andrea@inversepath.com>

Daniele Bianco
<daniele@inversepath.com>

Copyright 2012 Inverse Path S.r.l.

embed
verb /em'bed/
embedded, past participle; embedded, past tense;
implant within something else (often as adjective embedded): design and build as an integral part of a system or device

Embedded System

An embedded system is a computer system designed for specific control functions within a larger system. It is embedded as part of a complete device, often including hardware and mechanical parts.
Source: Wikipedia

Examples

Routers, Printers, Point-of-Sales, LAN equipment, Avionics, etc.
Peripheral controllers (keyboard), Management controllers, System controllers, etc.
Smart Cards, Automotive

Employed OSes range from standard Linux to real-time systems such as VxWorks, ThreadX, LynxOS, PikeOS.

Exploitation

Compromising Embedded Systems has been a "hot" topic for several years and plenty of presentations/material are available. The general interest for exploitation ranges from feature enhancements to auditing purposes and, inevitably, malicious activity. We focus on some unorthodox and difficult reverse engineering challenges encountered during the course of different penetration tests and the techniques to approach them.

Discovering debugging/console interfaces

The vast majority of debugging/programming ports on Embedded Systems are either serial interfaces (RS232) or JTAG. The discovery and usage of the interface pin-out for serial interfaces is straightforward. With JTAG however the process of finding the interface pin-out can be complex and time consuming, as board manufacturers sometimes implement hardware protections (0 Ohm resistors / burned fuses) as well as software protections (custom initialization sequence) in order to prevent JTAG operations.

Serial Interfaces

The blind (though usually fast and efficient) approach for the pinout discovery consists of the following steps:

- connect a logic analyzer to every pin exposed by the interface
- start intercepting TTL levels
- reboot the target device
- wait for data coming out from any of the monitored pins (TX candidate)
- estimate the serial protocol parameters in terms of baud rate, data bits, stop bits, parity, bit order (MSB/LSB) and the interface logic (standard/inverted)
- probe the remaining pins in order to find the RX


JTAG

The JTAG (Joint Test Action Group) interface is not fully standardized: the number and position of pins differ across vendors/devices, and the features implemented and exposed via the JTAG interface are also dependent on the specific board/chip manufacturer. Boundary scan is an important helper when testing connections between different ICs on a certain JTAG chain, but not interesting for further debugging. "In-circuit" debugging, where implemented, allows operations such as CPU single stepping, breakpointing and full memory R/W access.

JTAG Scan

The relevant pins used by the TAP controller are the following:

- TDI (Test Data In) / TDO (Test Data Out)
- TCK (Test Clock)
- TMS (Test Mode Select)
- TRST (Test Reset), optional / SRST (System Reset)

Vcc and GND need to be found before starting the actual scan; using a probe resistor (300-?00 Ohm) we try to pull-down/pull-up all the exposed pins. This electrical probing also helps in finding high-impedance pins (input candidates).

JTAG

Scanning device features: a large number of GPIOs; I/O speed is not relevant. Microcontrollers are the perfect tool for the job.

Scanning strategies: BYPASS, IDCODE, SHIFT IR / SHIFT DR

SPI, I2C Devices

Often firmwares are stored on dedicated flash ICs which expose SPI or I2C interfaces.

Vendors can implement restrictions (example: Intel descriptor mode) to protect certain memory areas from r/w access from the OS. Physical memory access against the bare memory chip is one way of bypassing such protections.

SPI, I2C Devices

Direct access options:

- custom programmed microcontroller
- flashrom + USB-serial/FIFO (FT4232H Mini)
- SPI/I2C converters (XTNano)

Checksum Algorithm

The reverse engineering of checksum algorithms is one of the first challenges of modifying existing firmware images. The large majority of embedded systems employs only checksums to secure the firmware re-flashing process against errors, without security protection (i.e. signature verification).

Checksum Algorithm

CRC-32 is the most common algorithm, with its standard documented polynomial 0x04c11db7; however in assembly code you will find its reversed representation (0x0edb8832).

    0x04c11db7 == 0b0100110000010001110110110111
    0x0edb8832 == 0b1110110110111000100000110010

Finding the polynomial is the first essential step in identifying the algorithm and its flavour; the other parameters to be identified generally follow the Rocksoft™ Model:

    Width, Poly, Init, RefIn, RefOut, XorOut, Check

Rocksoft™ Model CRC Algorithm

    Name          Width  Poly       Init        RefIn,RefOut  XorOut      Check
    CRC-16        16     0x8005     0x0000      true,true     0x0000      0xbb3d
    CRC-32/POSIX  32     0x4c11db7  0x00000000  false,false   0xffffffff  0x37aa6011
    CRC-32        32     0x4c11db7  0xffffffff  true,true     0xffffffff  0xcbf43926
    JAM CRC-32    32     0x4c11db7  0xffffffff  true,true     0x00000000  0x340bc6d9

Width:  width of the algorithm
Poly:   generator polynomial
Init:   initialization vector
RefIn:  true - input bytes bit 7 is most significant bit (MSB); false - input bytes bit 7 is least significant bit (LSB)
RefOut: true - final value is sent to XorOut stage reflected; false - final value is sent to XorOut stage directly
XorOut: value XORed to the final register value (after RefOut)
Check:  checksum value obtained using ASCII "123456789" as input
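
As an added example (not code from the slides), a generic Rocksoft-model CRC in Ruby run over the parameter rows of the table above: the CRC-16, CRC-32 and JAM CRC-32 results agree with the Check column, and identify_flavour shows the matching step described in the text. The names reflect, crc_rocksoft, MODELS, check_values and identify_flavour are this example's own.

```ruby
# Added example, not from the slides: Rocksoft-model CRC (MSB-first register,
# reflection applied to the input bytes and to the final register value).

# Reverse the lowest `width` bits of `value` (used for RefIn / RefOut).
def reflect(value, width)
  out = 0
  width.times { |i| out |= 1 << (width - 1 - i) if ((value >> i) & 1) == 1 }
  out
end

# CRC of `input` under the given Rocksoft parameters.
def crc_rocksoft(input, width:, poly:, init:, refin:, refout:, xorout:)
  mask   = (1 << width) - 1
  topbit = 1 << (width - 1)
  crc = init & mask
  input.each_byte do |b|
    b = reflect(b, 8) if refin          # RefIn: reflect each input byte
    crc ^= b << (width - 8)
    8.times do
      crc = (crc & topbit).zero? ? (crc << 1) & mask : ((crc << 1) ^ poly) & mask
    end
  end
  crc = reflect(crc, width) if refout   # RefOut: reflect before the XorOut stage
  (crc ^ xorout) & mask
end

# Parameter rows as given in the Rocksoft model table above.
MODELS = {
  'CRC-16'       => { width: 16, poly: 0x8005,    init: 0x0000,     refin: true,  refout: true,  xorout: 0x0000 },
  'CRC-32/POSIX' => { width: 32, poly: 0x4c11db7, init: 0x00000000, refin: false, refout: false, xorout: 0xffffffff },
  'CRC-32'       => { width: 32, poly: 0x4c11db7, init: 0xffffffff, refin: true,  refout: true,  xorout: 0xffffffff },
  'JAM CRC-32'   => { width: 32, poly: 0x4c11db7, init: 0xffffffff, refin: true,  refout: true,  xorout: 0x00000000 },
}.freeze

# Check column: CRC of the ASCII string "123456789" for every model.
def check_values(input = '123456789')
  MODELS.transform_values { |params| crc_rocksoft(input, **params) }
end

# Which catalogued flavours produce `observed` over a known input: the step
# taken when a CRC found in a firmware image has to be matched to a model.
def identify_flavour(input, observed)
  check_values(input).select { |_name, crc| crc == observed }.keys
end

if __FILE__ == $PROGRAM_NAME
  check_values.each { |name, crc| printf("%-13s 0x%08x\n", name, crc) }
end
```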


CRC Algorithm - Table generation

    # reversed_poly: reflected generator polynomial of the flavour being reversed
    def generate_crc32_table(reversed_poly)
      table = []
      256.times do |i|
        crc = i
        8.times do
          crc = (crc >> 1) ^ (reversed_poly * (crc & 1))
        end
        table << crc
      end
      table
    end

CRC algorithm

    # initial_vector, xor_out and reversed_poly are the Rocksoft parameters of the flavour
    def crc(input, table = false, reversed_poly:, initial_vector:, xor_out:)
      crc = initial_vector
      if table
        crc32_table = generate_crc32_table(reversed_poly)
        input.each_byte do |b|
          i = (crc ^ b) & 0xff
          crc = (crc >> 8) ^ crc32_table[i]
        end
      else
        input.each_byte do |b|
          crc ^= b
          8.times { crc = (crc >> 1) ^ (reversed_poly * (crc & 1)) }
        end
      end
      crc ^ xor_out
    end

CRC 1003.2 draft 11 - Table generation

    def generate_crc32_draft11_table
      table = []
      256.times do |i|
        crc = i
        8.times do
          crc = (crc >> 1) ^ (0x0edb8832 * (crc & 1))
        end
        # entry 0 is replaced by 0x7fffffff
        table << ((i == 0) ? 0x7fffffff : crc)
      end
      table
    end

CRC 1003.2 draft 11 - algorithm (w/ table)

    def crc(input)
      table = generate_crc32_draft11_table()
      crc = 0x00000000 # initial_vector
      a = 0
      input.each_byte do |b|
        i = (crc >> 24) ^ b
        if i == 0            # intermediate zero is replaced
          i = a              # with next value in sequence
          a = (a + 1) % 256
        end
        crc = ((crc << 8) ^ table[i]) & 0xffffffff
      end
      crc
    end

CRC 1003.2 draft 11 - algorithm (w/o table)

    def crc(input)
      crc = 0x00000000 # initial_vector
      a = 0
      input.each_byte do |b|
        i = (crc >> 24) ^ b
        if i == 0            # intermediate zero is replaced
          i = a              # with next value in sequence
          a = (a + 1) % 256
        end
        8.times { i = (i >> 1) ^ (0x0edb8832 * (i & 1)) }
        crc = ((crc << 8) ^ i) & 0xffffffff
      end
      crc
    end

Checksum Algorithm Flavours

Non standard CRC algorithms not only can have different Rocksoft™ parameters but might not fit within the parametrization at all, the 1003.2 draft 11 algorithm being one example. The following CRC-32 flavours, for instance, all differ from one another:

    Name                                Check       Rocksoft™ model
    1003.2 draft 9                      0x828bc708  N
    1003.2 draft 11                     0xfc9e4dc1  N
    1003.2 draft 12                     0xac65386c  N
    1003.2-1992 standard POSIX CRC-32   0x377a6011  Y
    CRC-32 (PKZIP, Ethernet)            0xcbf43926  Y

Runtime Kernel Patching

Real Time OSes often employ custom drivers/code to access internal hardware or implement protocol stacks, often of interest for attack purposes. As an example, once access is gained on the target system, it might be necessary to reverse engineer its communication to an internal security module which performs cryptographic key exchange. Even without kernel source it can be possible to hijack runtime kernel functions/system calls with debugging wrappers and eventually interception code.

Runtime Kernel Patching

Most embedded systems allow /dev/mem O_RDWR access.

    #include <fcntl.h>
    #include <unistd.h>

    unsigned long ptr = FUNCTION_POINTER;          /* address of the pointer to patch */
    unsigned long new_ptr = NEW_FUNCTION_POINTER;  /* value it should point to */
    int fd;

    fd = open("/dev/mem", O_RDWR, 0);

    /* seek to the pointer location in physical memory and overwrite it */
    if (lseek(fd, ptr, SEEK_SET) == ptr) {
        write(fd, (void *) &new_ptr, sizeof(new_ptr));
    }

Kernel memory can also be inspected/modified with kernel modules, with or without the target OS development toolkit (available in most cases).

Runtime Kernel Patching

Example of function hijack for argument debugging.

    /* pointer to wrapping function */
    int wrapper_ptr = (int) func_wrapper;

    /* MIPS J - Jump operation: PC = nPC; nPC = (PC & 0xf0000000) | (26_bit_target_addr << 2); */
    int jmp = ((2 << 26) | ((wrapper_ptr - (func_ptr & 0xf0000000)) / 4));
    int nop = 0x00000000;

    /* function placeholder */
    char func_holder[func_size];

    /* prototype for function access via placeholder */
    void * (*held_func)(void *a0, void *a1) = (void *) func_holder;

Runtime Kernel Patching

    /* without devkit it is possible to use manually identified ptrs */
    void * (*memcpy)(void *, void *, size_t) = (void *) MEMCPY_PTR;

    /* copy existing function in a placeholder */
    memcpy((void *) func_holder, (void *) func_ptr, func_size);

    /* replace function with jmp to debugging function */
    memcpy((void *) func_ptr, &jmp, sizeof(jmp));
    memcpy((void *) (func_ptr + 4), &nop, sizeof(nop));

    int func_wrapper(void *a0, void *a1)
    {
        /* custom code inspecting or modifying a0, a1 */
        /* exact number of arguments is not necessary */
        return (int) held_func(a0, a1);
    }

Runtime Kernel Patching

Depending on the architecture, the exact number of arguments for the function to hijack does not need to be known and can be found by trial and error. Symbol offsets can be decoded from the extracted kernel image by decoding the debugging symbols (if present), or at runtime by identifying the system call table. Pointers can be used with function prototypes. The system call table can be recognized as a list of offsets with values close to each other. The list ordering reflects the syscall number, which is often compliant to the OS family (Linux: syscall_32.tbl, BSD: syscalls.master).

Practical Example: Apple SMC

The System Management Controller (SMC) is an internal embedded subsystem implemented on Intel based Apple laptops. The usage of such Embedded Controllers (EC) is not restricted to Apple and can be found on several Intel based products. Such ECs can be used as SMC, KBC (Keyboard Controller) or both (Keyboard and System Controller). Apple allows firmware upgrades for their SMC, therefore for educational purposes we detail the process of investigating if and how arbitrary firmwares can be flashed.

Apple SMC

An SMC is generally used for:

- Thermal Management
- Power monitoring
- Battery Management
- SPI Flash Bridge (BIOS storage)
- ACPI Host Interface
- Signal Buffering & Level Shifting
- Custom programmable functionality

On Apple systems it reportedly manages the power button activity, display lid open/close activity, Sudden Motion Sensor, ambient light sensing, keyboard light, indicator lights.

Apple SMC

The Apple SMC is queried by the OS (several tools are available to manually reproduce such queries) to retrieve or set "SMC keys". Some examples:

- ALV0: ALS analog lux info
- ALT0: ALS ambient light sensor temperature for sensor 1
- BSIn: Battery Status (present, charging, etc.)
- F0Ac: Fan 0 RPM
- FPhz: Programmable fan phase offset
- NATi: Ninja Action Timer (xxx)
- IC0C: CPU 0 core current
- MOCS: Motion sensor configuration register

SMC Update file (MacBook Air)

The file is usually named MacBookAirSMCUpdate<version>.dmg; the DMG format (Apple Disk Image) is well known and can be easily extracted. A gzip compressed cpio archive named Payload can be found within the package and can be extracted with the following command:

    $ zcat Payload | cpio -i

The interesting files are:

    ./Utilities/MacBook AIR SMC Firmware Update.app/Contents/Resources/SmcFlasher.efi
    ./Utilities/MacBook AIR SMC Firmware Update.app/Contents/Resources/m82.smc
    ./Utilities/MacBook AIR SMC Firmware Update.app/Contents/Resources/m96.smc

SMC Update file (MacBook Air)

The file SmcFlasher.efi is a universal EFI binary (i386 & x86_64) which is bless(8)'ed for execution within the Apple EFI environment during the boot sequence. The files m82.smc and m96.smc (for different specific part numbers) contain the actual firmware image which can be passed as argument to SmcFlasher.efi. The smc firmware files are checked for integrity by the flasher application when the update is applied. Let us analyze the format to understand the integrity checksum.

SMC Update file (MacBook Air)

    # Version: 1.23f20
    H:20:4F00000000000000000000000000000000000000:4F   # H => hash data
    H:20:0200000000000000000000000000000000000000:02   # 20 => length
    H:20:2D00000000000000000000000000000000000000:2D
    H:20:9400000000000000000000000000000000000000:94
    S:20:1400000000000000000000000000000000000000:14   # S => security data
    D:00000000:64:<64 bytes of data>:2E                 # D => data block
      :64:<64 bytes of data>:90
      :64:<64 bytes of data>:70                         # 64 => length
    D:00001000:64:<64 bytes of data>:C2                 # 0x00001000 => memory address
      :64:<64 bytes of data>:C0
      :64:<64 bytes of data>:C0
    D:00027800:64:<64 bytes of data>:C0                 # 0x00027800 => memory address
      :64:<64 bytes of data>:C0

SMC Update file checksum

Closely analyzing the hash data and data block format, which resembles the Intel HEX/SREC file formats, reveals a simple checksum algorithm.

    # Version: 1.23f20
    H:20:4F00000000000000000000000000000000000000:4F   # H => hash data
    H:20:0200000000000000000000000000000000000000:02   # 20 => length
    D:00008000:64:5A008986000000...000:69
      :64:...F8065A009C0C00000000000000000000005A0089C6000000000...:A9

    ... represents an omitted series of 0

    0x5a + 0x89 + 0x86 == 0x169
    0xf8 + 0x06 + 0x5a + 0x9c + 0x0c + 0x5a + 0x89 + 0xc6 == 0x3a9

SMC Update file checksum

Each 64 bytes data entry is appended a checksum that consists of the least significant byte of the sum of the values. The hash data sections (H) consist of the sum of the checksums for each 64 bytes of a data block (D). The security data section (S) consists of the sum of the checksums for each hash data section (H). It becomes trivial to modify the SMC firmware image.
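
As an added example (not code from the slides or from Apple's flasher), a Ruby parser and verifier for the three-level checksum scheme just described, run over a constructed miniature image rather than a real m96.smc. It assumes the record layout shown above (H/S/D records, decimal lengths, a trailing checksum byte) and that continuation entries of a data block are lines starting with ":"; the names SAMPLE_SMC, parse_smc, verify_smc and tampered_sample are this example's own.

```ruby
# Added example, not from the slides: parse the H/S/D record format and check
# every checksum level. SAMPLE_SMC is constructed (two data blocks of two
# 64-byte entries each) and is not a real SMC firmware image.
ZERO60 = '00' * 60
SAMPLE_SMC = <<~SMC
  # Version: 1.23f20
  H:20:A9#{'00' * 19}:A9
  H:20:40#{'00' * 19}:40
  S:20:E9#{'00' * 19}:E9
  D:00008000:64:5A008986#{ZERO60}:69
  :64:#{'01' * 64}:40
  D:00009000:64:#{'FF' * 64}:C0
  :64:#{'02' * 64}:80
SMC

# Least significant byte of the sum of a list of byte values.
def lsb_sum(values)
  values.sum & 0xff
end

# One record: declared length, payload bytes, trailing checksum byte.
def parse_record(len_field, data_hex, cksum_hex)
  { len: len_field.to_i, data: [data_hex].pack('H*').bytes, cksum: cksum_hex.hex }
end

def parse_smc(text)
  image = { hashes: [], security: [], blocks: [] }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')       # "# Version:" comment line
    f = line.split(':')
    case f[0]
    when 'H' then image[:hashes]   << parse_record(f[1], f[2], f[3])
    when 'S' then image[:security] << parse_record(f[1], f[2], f[3])
    when 'D' then image[:blocks]   << { addr: f[1].hex, entries: [parse_record(f[2], f[3], f[4])] }
    when ''  then image[:blocks].last[:entries] << parse_record(f[1], f[2], f[3])  # continuation entry
    else raise "unknown record type #{f[0].inspect}"
    end
  end
  image
end

# Returns a list of problems; an empty list means all three checksum levels agree.
def verify_smc(text)
  image = parse_smc(text)
  problems = []
  records = image[:hashes] + image[:security] + image[:blocks].flat_map { |b| b[:entries] }
  # level 1: each record's trailing byte is the LSB of the sum of its payload
  records.each_with_index do |r, i|
    problems << "record #{i}: length mismatch" unless r[:data].size == r[:len]
    problems << "record #{i}: bad checksum" unless lsb_sum(r[:data]) == r[:cksum]
  end
  # level 2: H[i] first byte is the sum of the entry checksums of data block i
  image[:blocks].each_with_index do |b, i|
    h = image[:hashes][i]
    expected = lsb_sum(b[:entries].map { |e| e[:cksum] })
    problems << "block #{i}: hash data != #{expected}" if h.nil? || h[:data][0] != expected
  end
  # level 3: S first byte is the sum of the H record checksums
  s = image[:security].first
  expected = lsb_sum(image[:hashes].map { |h| h[:cksum] })
  problems << "security data != #{expected}" if s.nil? || s[:data][0] != expected
  problems
end

# One byte of the first data entry flipped without updating any checksum:
# the kind of corruption a flasher integrity check is there to catch.
def tampered_sample
  SAMPLE_SMC.sub('5A008986', '5A008987')
end
```

Because every level is a plain byte sum, the same code that verifies an image can recompute it, which is why the text above calls the check a protection against errors rather than a security boundary.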


SMC Architecture

Some data about the architecture of the SMC microcontroller can be inferred from the first relevant data block (memory address 0x8000).

    D:00008000:64:5A008986000000...000:69
      :64:...F8065A009C0C00000000000000000000005A0089C6000000000...:A9

The first address in the user code area seems to be 0x8000. The NOP instruction is probably a certain number of 0x00. An image of the actual SMC microcontroller can of course aid tracking down the exact architecture.

MacBook Air (mid-2011) Motherboard

Source: ifixit.com MacBook Air Teardown (CC BY-NC-SA)

Renesas H8S/2117 family, 16-bit Single-Chip microcomputer

Renesas H8S/2117

CISC microcomputer, 16-bit architecture
160 Kbytes of ROM, 8 Kbytes of RAM
I/O features:

- I2C bus interface
- A/D converter
- Serial interface
- Keyboard buffer control (PS2) and matrix scan (unused by Apple)
- LPC interface
- lots of generic I/O ports

Renesas H8S/2117

It is a widely used Embedded Controller present in Apple laptops as well as other Intel-based hardware.

    D:00008000:64:5A008986000000...000:69
      :64:...F8065A009C0C00000000000000000000005A0089C6000000000...:A9

According to its instruction set the absolute JMP instruction code is the following:

    1st byte  2nd byte  3rd byte, 4th byte
    5A        00        absolute address

Therefore the first 4 bytes represent an absolute JMP to offset 0x8986. The GNU Development tools for the Renesas H8/300 series can be used.

Disassembling the firmware image

The quick & dirty way to do it:

    $ grep -o -E '[A-F0-9]{64,}' m96.smc | xxd -r -p > m96.bin
    $ h8300-hitachi-coff-objdump --start-address=0x1000 -m h8300s -b binary -D m96.bin

    00001000 <.data+0x1000>:
        1000:  5a 00 89 86    jmp    @0x8986:24
        ...
        1060:  f8 06          mov.b  #0x6,r0l
        1062:  5a 00 9d 6c    jmp    @0x9d6c:24
        ...
        106e:  00 00          nop
        1070:  5a 00 89 ca    jmp    @0x89ca:24
        ...
        1080:  f8 08          mov.b  #0x8,r0l
        1082:  5a 00 9d 6c    jmp    @0x9d6c:24
        ...

Disassembly: .data offset resolution

    f7cc:  0c 88                mov.b  r0l,r0l
    f7ce:  47 2c                beq    .+44 (0xf7fc)
    f7d0:  a8 01                cmp.b  #0x1,r0l
    f7d2:  47 20                beq    .+32 (0xf7f4)
    f7d4:  a8 02                cmp.b  #0x2,r0l
    f7d6:  47 14                beq    .+20 (0xf7ec)
    f7d8:  a8 03                cmp.b  #0x3,r0l
    f7da:  46 08                bne    .+8 (0xf7e4)
    f7dc:  7a 00 00 01 ea fe    mov.l  #0x1eafe,er0
    f7e2:  54 70                rts
    f7e4:  7a 00 00 01 ea f0    mov.l  #0x1eaf0,er0
    f7ea:  54 70                rts
    f7ec:  7a 00 00 01 eb 0f    mov.l  #0x1eb0f,er0
    f7f2:  54 70                rts
    f7f4:  7a 00 00 01 ea f8    mov.l  #0x1eaf8,er0
    f7fa:  54 70                rts
    f7fc:  7a 00 00 01 eb 1a    mov.l  #0x1eb1a,er0
    f802:  54 70                rts

Disassembly: .data offset resolution

    f7cc:  0c 88                mov.b  r0l,r0l
    f7ce:  47 2c                beq    .+44 (0xf7fc)
    f7d0:  a8 01                cmp.b  #0x1,r0l
    f7d2:  47 20                beq    .+32 (0xf7f4)
    f7d4:  a8 02                cmp.b  #0x2,r0l
    f7d6:  47 14                beq    .+20 (0xf7ec)
    f7d8:  a8 03                cmp.b  #0x3,r0l
    f7da:  46 08                bne    .+8 (0xf7e4)
    f7dc:  7a 00 00 01 ea fe    mov.l  #"LmsBrightNoScale",er0
    f7e2:  54 70                rts
    f7e4:  7a 00 00 01 ea f0    mov.l  #"Unknown",er0
    f7ea:  54 70                rts
    f7ec:  7a 00 00 01 eb 0f    mov.l  #"LmsBreathe",er0
    f7f2:  54 70                rts
    f7f4:  7a 00 00 01 ea f8    mov.l  #"LmsOn",er0
    f7fa:  54 70                rts
    f7fc:  7a 00 00 01 eb 1a    mov.l  #"LmsOff",er0
    f802:  54 70                rts

Disassembly: .data offset resolution

    0x1eafe => 0x17afe    LmsBrightNoScale
    0x1eaf0 => 0x17af0    Unknown
    0x1eb0f => 0x17b0f    LmsBreathe
    0x1eaf8 => 0x17af8    LmsOn
    0x1eb1a => 0x17b1a    LmsOff

    00017AE0  00 00 00 00 00 00 75 69 31 36 00 00 00 21 31 00  |......ui16...!1.|
    00017AF0  55 6E 6B 6E 6F 77 6E 00 4C 6D 73 4F 6E 00 4C 6D  |Unknown.LmsOn.Lm|
    00017B00  73 42 72 69 67 68 74 4E 6F 53 63 61 6C 65 00 4C  |sBrightNoScale.L|
    00017B10  6D 73 42 72 65 61 74 68 65 00 4C 6D 73 4F 66 66  |msBreathe.LmsOff|
    00017B20  00 00 00 00 01 72 2E F4 02 E6 02 5D 01 84 00 D7  |.....r......]...|

Disassembly: SMC keys constants

    00016910  |...v...x........|
    00016920  |#KEY....ui32....|
    00016930  |$Adr....ui32....|
    00016940  |$Num....ui8 ..O.|
    00016950  |+LKS....flag....|
    00016960  |ACL?....ui8 ....|
    00016970  |ACEN....ui8 ....|
    00016980  |ACFP....flag....|
    00016990  |ACID....ch8*....|
    000169A0  |ACIN....flag....|
    000169B0  |AL?C....ui16...d|
    000169C0  |ALV0....{ala...*|
    000169D0  |ALV1....{ala...v|
    000169E0  |ALV2....{ala...6|
    000169F0  |ALV3....{ala...<|

    0x1d918 => 0x16918    Number of SMC keys (0x110 => 272)

Disassembly: I2C operations

    a9fc:  f9 05                     mov.b   #0x5,r1l
    a9fe:  6a 89 fe 8a               mov.b   r1l,@0xfe8a:16
    aa02:  6a 18 fe 88 72 70         bclr    #0x7,@0xfe88:16
    aa08:  6a 2a 00 01 d8 4a         mov.b   @0x1d84a:32,r2l
    aa0e:  6a 8a fe 8f               mov.b   r2l,@0xfe8f:16
    aa12:  6a 2a 00 01 d8 4b         mov.b   @0x1d84b:32,r2l
    aa18:  6a 8a fe 8e               mov.b   r2l,@0xfe8e:16
    aa1c:  6a 18 fe 88 70 70         bset    #0x7,@0xfe88:16
    aa22:  6a 18 fe 89 72 00         bclr    #0x0,@0xfe89:16
    aa28:  7f c3 70 70               bset    #0x7,@0xc3:8
    aa2c:  0f b0                     mov.l   er3,er0
    aa2e:  10 33                     shll.l  er3
    aa30:  0a 83                     add.l   er0,er3
    aa32:  78 30 6a 29 00 ff d7 08   mov.b   @(0xffd708:32,er3),r1l
    aa3a:  6a 89 fe 8f               mov.b   r1l,@0xfe8f:16
    aa3e:  6a 18 fe 88 70 30         bset    #0x3,@0xfe88:16
    aa44:  6a 18 fe 88 72 60         bclr    #0x6,@0xfe88:16
    aa4a:  6a 18 fe 88 72 50         bclr    #0x5,@0xfe88:16
    aa50:  6a 18 fe 88 72 40         bclr    #0x4,@0xfe88:16
    aa56:  6a 18 fe 8c 70 70         bset    #0x7,@0xfe8c:16
    aa5c:  f8 4c                     mov.b   #0x4c,r0l
    aa5e:  6a 88 fe 8c               mov.b   r0l,@0xfe8c:16
    aa62:  5a 01 1b 54               jmp     @0x11b54:24

Disassembly: I2C operations

    a9fc:  f9 05                     mov.b   #0x5,r1l
    a9fe:  6a 89 fe 8a               mov.b   r1l,@i2c_bus_ctrl_init_reg_2   # clear internal latch
    aa02:  6a 18 fe 88 72 70         bclr    #0x7,@i2c_bus_ctrl_reg_2       # clear bus interface
    aa08:  6a 2a 00 01 d8 4a         mov.b   @0x1d84a:32,r2l                # .data 0x1684a => 0x10
    aa0e:  6a 8a fe 8f               mov.b   r2l,@slave_addr_reg_2          # slave addr => 0x8
    aa12:  6a 2a 00 01 d8 4b         mov.b   @0x1d84b:32,r2l                # .data 0x1684b => 0x12
    aa18:  6a 8a fe 8e               mov.b   r2l,@2nd_slave_addr_reg_2      # 2nd slave addr => 0x9
    aa1c:  6a 18 fe 88 70 70         bset    #0x7,@i2c_bus_ctrl_reg_2       # set bus interface
    aa22:  6a 18 fe 89 72 00         bclr    #0x0,@i2c_bus_status_reg_2     # clear ACKB
    aa28:  7f c3 70 70               bset    #0x7,@0xc3:8
    aa2c:  0f b0                     mov.l   er3,er0
    aa2e:  10 33                     shll.l  er3
    aa30:  0a 83                     add.l   er0,er3
    aa32:  78 30 6a 29 00 ff d7 08   mov.b   @(0xffd708:32,er3),r1l
    aa3a:  6a 89 fe 8f               mov.b   r1l,@i2c_bus_mode_reg_2
    aa3e:  6a 18 fe 88 70 30         bset    #0x3,@i2c_bus_ctrl_reg_2       # set ACKE
    aa44:  6a 18 fe 88 72 60         bclr    #0x6,@i2c_bus_ctrl_reg_2       # clear interrupts
    aa4a:  6a 18 fe 88 72 50         bclr    #0x5,@i2c_bus_ctrl_reg_2       # slave receive mode
    aa50:  6a 18 fe 88 72 40         bclr    #0x4,@i2c_bus_ctrl_reg_2       # slave receive mode
    aa56:  6a 18 fe 8c 70 70         bset    #0x7,@i2c_bus_ext_ctrl_reg_2   # set STOPIM
    aa5c:  f8 4c                     mov.b   #0x4c,r0l
    aa5e:  6a 88 fe 8c               mov.b   r0l,@i2c_bus_ext_ctrl_reg_2
    aa62:  5a 01 1b 54               jmp     @0x11b54:24

Disassembly: Battery Status SMC key

    00016D30  |BNum....ui8 ....|
    00016D40  |BRSC....ui16....|
    00016D50  |BSAC....ui8 ...l|
    00016D60  |BSDC....ui8 ...Z|
    00016D70  |BSIn....ui8 ...W|

    1eb0:  6a 28 00 ff e1 0e         mov.b  @0xffe10e:32,r0l     # supported battery count
    1eb6:  58 70 00 14               beq    .+20 (0x1ece)        # count == 1 ? ---------+
    1eba:  28 c1                     mov.b  @0xc1:8,r0l                                  |
    1ebc:  77 18                     bld    #0x1,r0l                                     |
    1ebe:  58 50 00 0c               bcs    .+12 (0x1ece)                                |
    1ec2:  6a 38 00 ff d2 6a 72 10   bclr   #0x1,@0xffd26a:32    # not present           |
    1eca:  58 00 00 08               bra    .+8 (0x1ed6)                                 |
    1ece:  6a 38 00 ff d2 6a 70 10   bset   #0x1,@0xffd26a:32    # present <-------------+

Apple SMC

In conclusion the Apple SMC can be updated with arbitrary firmware, as the checksum algorithm, update mechanism and eventually functionality can be fully reverse engineered. Knowledge of the architecture makes it straightforward to modify the firmware at will. DISCLAIMER: this is an educational example only, use the presented information at your own risk.
