Andrea Barisani
<andrea@inversepath.com>
Daniele Bianco
<daniele@inversepath.com>
embed
verb /em'bed/
embedded, past participle; embedded, past tense;
implant within something else (often as adjective, embedded): design and build as an integral part of a system or device
Embedded System
An embedded system is a computer system designed for specific control functions within a larger system. It is embedded as part of a complete device, often including hardware and mechanical parts.
Source: Wikipedia
Examples
Routers, Printers, Point-of-Sales, LAN equipment, Avionics, etc. Peripheral controllers (keyboard), Management controllers, etc. Smart Cards, Automotive controllers.
System
Employed OS range from standard Linux to real-time systems such as VxWorks, ThreadX, LynxOS, PikeOS.
Exploitation
Compromising Embedded Systems has been a "hot" topic for several years and plenty of presentations/material are available. The general interest for exploitation ranges from feature enhancements to auditing purposes and, inevitably, malicious activity. We focus on some unorthodox and difficult reverse engineering challenges encountered during the course of different penetration tests and the techniques to approach them.
Copyright 2012 Inverse Path S.r.l. Practical Exploitation of Embedded Systems
Serial Interfaces
The blind (though usually fast and efficient) approach for the pinout discovery consists of the following steps:
1. connect a logic analyzer to every pin exposed by the interface
2. start intercepting TTL levels
3. reboot the target device
4. wait for data coming out from any of the monitored pins (TX candidate)
5. estimate the serial protocol parameters in terms of baud rate, data bits, stop bits, parity, bit order (MSB/LSB) and the interface logic (standard/inverted)
6. probe remaining pins in order to find the RX
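Step 5 of the blind approach, as an added example that is not part of the slides: from a logic-analyzer capture of the TX candidate, the shortest pulse gives the bit time (and so the baud rate), after which the 8N1 frames can be decoded by sampling each bit at its centre. The capture is constructed from a known string; the 1 MHz sample rate and the list of standard baud rates are assumptions.

```ruby
SAMPLE_RATE = 1_000_000                          # assumed 1 MHz logic-analyzer capture
STANDARD_BAUDS = [9600, 19200, 38400, 57600, 115200, 230400]

# Constructed capture: idle high, then each byte as start(0), 8 data bits
# LSB first, stop(1); levels are sampled at SAMPLE_RATE.
def uart_capture(text, baud, rate = SAMPLE_RATE)
  bits = [1] * 20
  text.each_byte do |b|
    bits << 0
    8.times { |i| bits << ((b >> i) & 1) }
    bits << 1
  end
  bits += [1] * 20
  spb = rate.to_f / baud                         # samples per bit
  Array.new((bits.length * spb).round) { |n| bits[(n / spb).floor] }
end

# The shortest run of identical samples on an active line is one bit time,
# so rate / shortest_run estimates the baud rate; snap it to a standard rate.
def estimate_baud(samples, rate = SAMPLE_RATE)
  runs = samples.slice_when { |a, b| a != b }.map(&:length)
  runs = runs[1..-2] || []                       # drop leading/trailing idle
  return nil if runs.empty?
  raw = rate.to_f / runs.min
  STANDARD_BAUDS.min_by { |b| (Math.log(b) - Math.log(raw)).abs }
end

# Decode 8N1 frames: on each falling edge (start bit) sample the 8 data bits
# at their centres; a frame whose stop bit is not high is a framing error
# and is dropped (typical symptom of a wrong baud-rate guess).
def decode_8n1(samples, baud, rate = SAMPLE_RATE)
  spb = rate.to_f / baud
  out = []
  i = 1
  while i + 10 * spb < samples.length
    if samples[i - 1] == 1 && samples[i] == 0
      byte = 0
      8.times { |k| byte |= samples[(i + (k + 1.5) * spb).round] << k }
      out << byte if samples[(i + 9.5 * spb).round] == 1
      i += (9.5 * spb).round                     # resume inside the stop bit
    else
      i += 1
    end
  end
  out.pack("C*")
end
```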
JTAG
The JTAG (Joint Test Action Group) interface is not fully standardized, as the number and position of pins differ across vendors/devices; the features implemented and exposed via the JTAG interface are also dependent on the specific board/chip manufacturer. Boundary scan is an important helper when testing connections between different ICs on a certain JTAG chain, but not interesting for further debugging. "In-circuit" debugging, where implemented, allows operations such as CPU single stepping, breakpointing and full memory R/W access.
JTAG Scan
The relevant pins used by the TAP controller are the following: TDI (Test Data In) / TDO (Test Data Out), TCK (Test Clock), TMS (Test Mode Select), TRST (Test Reset, optional) / SRST (System Reset). Vcc and GND need to be found before starting the actual scan; using a probe resistor (300-500 Ohms) we try to pull-down/pull-up all the exposed pins. This electrical probing also helps in finding high-impedance pins (input candidates).
JTAG
Scanning device features: a large number of GPIOs; I/O speed is not relevant. Microcontrollers are the perfect tool for the job. Scanning strategies: BYPASS, IDCODE, SHIFT_IR / SHIFT_DR.
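The IDCODE strategy, as an added example that is not from the slides: a software model of one IEEE 1149.1 TAP is driven through Test-Logic-Reset into Shift-DR and 32 bits are clocked out, then split into the JEDEC fields. The IDCODE value is constructed; the IR branch of the state machine is collapsed into reset (an assumption to keep the model short); a real scan drives TMS/TCK on the board instead of this object.

```ruby
class Tap
  # TMS=0 / TMS=1 successor for each state (DR path; the IR branch is
  # simplified to reset in this model).
  NEXT = {
    reset: [:idle, :reset], idle: [:idle, :select_dr],
    select_dr: [:capture_dr, :reset], capture_dr: [:shift_dr, :exit1_dr],
    shift_dr: [:shift_dr, :exit1_dr], exit1_dr: [:pause_dr, :update_dr],
    pause_dr: [:pause_dr, :exit2_dr], exit2_dr: [:shift_dr, :update_dr],
    update_dr: [:idle, :select_dr],
  }
  attr_reader :state, :tdo

  def initialize(idcode)             # constructed device ID, see test below
    @idcode = idcode
    reset
  end

  def reset                          # 1149.1: IR holds IDCODE after reset
    @state, @ir, @dr, @tdo = :reset, :idcode, 0, 1
  end

  # One TCK cycle: shift if in Shift-DR, then move to the state TMS selects.
  def clock(tms, tdi = 0)
    if @state == :shift_dr
      @tdo = @dr & 1                 # data leaves the chain LSB first
      @dr = (@dr >> 1) | (tdi << 31)
    end
    @state = NEXT[@state][tms]
    @dr = @idcode if @state == :capture_dr && @ir == :idcode
    reset if @state == :reset
  end
end

# IDCODE scan: five TMS-high clocks reset any TAP, then Idle, Select-DR,
# Capture-DR, Shift-DR, and 32 bits are read from TDO.
def scan_idcode(tap)
  5.times { tap.clock(1) }
  [0, 1, 0, 0].each { |tms| tap.clock(tms) }
  Array.new(32) { tap.clock(0); tap.tdo }.each_with_index.sum { |b, i| b << i }
end

# JEDEC layout; bit 0 is always 1 (a BYPASS register would shift out 0 first).
def decode_idcode(id)
  return nil if id & 1 == 0
  { version: id >> 28, part: (id >> 12) & 0xFFFF, manufacturer: (id >> 1) & 0x7FF }
end
```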
Vendors can implement restrictions (example: Intel descriptor mode) to protect certain memory areas from r/w access from the OS. Physical memory access against the bare memory chip is one way of bypassing such protections.
Checksum Algorithm
The reverse engineering of checksum algorithms is one of the first challenges of modifying existing firmware images. The large majority of embedded systems employ only checksums to secure the firmware re-flashing process against errors, without security protection (i.e. signature verification).
Checksum Algorithm
CRC-32 is the most common algorithm, with its standard documented polynomial 0x04c11db7; however in assembly code you will find its reversed representation (0x0edb8832).
0x04c11db7 == 0b0100110000010001110110110111 0x0edb8832 == 0b1110110110111000100000110010
Finding the polynomial is the first essential step in identifying the algorithm and its flavour; the other parameters to be identified generally follow the Rocksoft(TM) Model:
Width, Poly, Init, RefIn, RefOut, XorOut, Check
Width: width of the algorithm
Poly: generator polynomial
Init: initialization vector
RefIn: true = input bytes bit 7 is most significant bit (MSB); false = input bytes bit 7 is least significant bit (LSB)
RefOut: true = final value is sent to XorOut stage reflected; false = final value is sent to XorOut stage directly
XorOut: value XORed to the final register value (after RefOut)
Check: checksum value obtained using ASCII "123456789" as input
CRC algorithm

    # Standard CRC-32 parameters (reflected algorithm, see the Rocksoft model).
    def initial_vector; 0xFFFFFFFF; end
    def xor_out;        0xFFFFFFFF; end
    def reversed_poly;  0xEDB88320; end   # bit-reversed 0x04c11db7

    # Byte-indexed lookup table for the table-driven variant.
    def generate_crc32_table
      (0..255).map do |n|
        c = n
        8.times { c = (c & 1) == 1 ? (c >> 1) ^ reversed_poly : c >> 1 }
        c
      end
    end

    def crc(input, table = false)
      crc = initial_vector
      if table
        crc32_table = generate_crc32_table()
        input.each_byte do |b|
          i = (crc ^ b) & 0xff                  # low byte selects the table entry
          crc = (crc >> 8) ^ crc32_table[i]
        end
      else
        input.each_byte do |b|                  # bit-at-a-time variant
          crc ^= b
          8.times { crc = (crc & 1) == 1 ? (crc >> 1) ^ reversed_poly : crc >> 1 }
        end
      end
      crc ^ xor_out
    end
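The identification step described by the Rocksoft parameters above and the CRC routine, as an added example that is not the slides' code: a table-less CRC driven by the model parameters verifies each catalogued flavour against its Check value, and then reports which flavour produced the trailing checksum of a constructed firmware image. The image layout (payload followed by a little-endian 32-bit CRC) and the four catalogued flavours are assumptions for the demonstration.

```ruby
Model = Struct.new(:name, :width, :poly, :init, :refin, :refout, :xorout, :check)

# Check = CRC of the ASCII string "123456789" (values from the CRC catalogue).
MODELS = [
  Model.new("CRC-32",        32, 0x04C11DB7, 0xFFFFFFFF, true,  true,  0xFFFFFFFF, 0xCBF43926),
  Model.new("CRC-32/BZIP2",  32, 0x04C11DB7, 0xFFFFFFFF, false, false, 0xFFFFFFFF, 0xFC891918),
  Model.new("CRC-32/JAMCRC", 32, 0x04C11DB7, 0xFFFFFFFF, true,  true,  0x00000000, 0x340BC6D9),
  Model.new("CRC-32/POSIX",  32, 0x04C11DB7, 0x00000000, false, false, 0xFFFFFFFF, 0x765E7680),
]

# Bit-reverse the low `bits` bits of value.
def reflect(value, bits)
  bits.times.reduce(0) { |r, i| (r << 1) | ((value >> i) & 1) }
end

# The "reversed" polynomial found in code is the 32-bit reflection of 0x04C11DB7.
REVERSED_POLY = reflect(0x04C11DB7, 32)   # 0xEDB88320

# Direct (bit-at-a-time, non-reflected register) CRC following the model.
def crc(m, data)
  mask = (1 << m.width) - 1
  top  = 1 << (m.width - 1)
  reg  = m.init
  data.each_byte do |b|
    b = reflect(b, 8) if m.refin            # RefIn: feed each byte LSB first
    reg ^= b << (m.width - 8)
    8.times do
      carry = reg & top
      reg = (reg << 1) & mask
      reg ^= m.poly unless carry.zero?
    end
  end
  reg = reflect(reg, m.width) if m.refout   # RefOut: reflect before XorOut
  reg ^ m.xorout
end

# Assumed image layout: payload followed by a little-endian 32-bit CRC.
# Returns the names of the flavours whose CRC over the payload matches it.
def identify_crc(image)
  payload, stored = image[0...-4], image[-4, 4].unpack1("V")
  MODELS.select { |m| crc(m, payload) == stored }.map(&:name)
end
```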
    #include <fcntl.h>
    #include <unistd.h>

    unsigned long ptr = FUNCTION_POINTER;          /* physical address of the pointer to patch */
    unsigned long new_ptr = NEW_FUNCTION_POINTER;  /* value written in its place */
    int fd;

    fd = open("/dev/mem", O_RDWR, 0);
    if (lseek(fd, ptr, 0) == offset) {
        write(fd, (void *) &new_ptr, sizeof(new_ptr));
    }

Kernel memory can also be inspected/modified with kernel modules, with or without the target OS development toolkit (available in most cases).
Apple SMC
An SMC is generally used for: Thermal Management, Power monitoring, Battery Management, SPI Flash Bridge (BIOS storage), ACPI Host Interface, Signal Buffering & Level Shifting, Custom programmable functionality. On Apple systems it reportedly manages the power button activity, display lid open/close activity, Sudden Motion Sensor, ambient light sensing, keyboard light, indicator lights.
Apple SMC
The Apple SMC is queried by the OS (several tools are available to manually reproduce such queries) to retrieve or set "SMC keys". Some examples:
ALA0: ALS analog lux info
ALT0: ALS ambient light sensor temperature for sensor 1
BSIn: Battery Status (present, charging, etc.)
F0Ac: Fan 0 RPM
FPhz: Programmable fan phase offset
NATi: Ninja Action Timer (???)
IC0C: CPU 0 core current
MOCF: Motion sensor configuration register
    # Version: 1.23f20
    [:20:4F00000000000000000000000000000000000000:4F    # [ -> hash data, 20 -> length
    [:20:0200000000000000000000000000000000000000:02
    ...
    [:20:2D00000000000000000000000000000000000000:2D
    [:20:9400000000000000000000000000000000000000:94
    S:20:1400000000000000000000000000000000000000:14    # S -> security data
    D:00000000:64:[64 bytes of data]:2E                 # D -> data block, 64 -> length
    +:64:[64 bytes of data]:90
    +:64:[64 bytes of data]:70
    ...
    D:00001000:64:[64 bytes of data]:C2
    +:64:[64 bytes of data]:C0
    +:64:[64 bytes of data]:C0
    ...
    D:00027800:64:[64 bytes of data]:C0
    +:64:[64 bytes of data]:C0
SMC Architecture
Some data about the architecture of the SMC microcontroller can be inferred from the first relevant data block (memory address 0x8000).

    D:00008000:64:5A0089860000000....000:69
    +:64:..F8065A009C0C000000000000000000005A0089C6000000000...:A9

The first address in the user code area seems to be 0x8000. The NOP instruction is probably a certain number of 0x00. An image of the actual SMC microcontroller can of course aid tracking down the exact architecture.
Source:
Renesas H8S/2113
CISC microcomputer, 16-bit architecture, 160 Kbytes of ROM, 8 Kbytes of RAM. I/O features: I2C bus interface, A/D converter, Serial interface, Keyboard buffer control (PS2) and matrix scan (unused by Apple), LPC interface, lots of generic I/O ports.
Renesas H8S/2113
It is a widely used Embedded Controller present in Apple laptops as well as other Intel-based hardware.
According to its instruction set the absolute JMP instruction code is the following:
    1st byte: 5A
    2nd byte: 00
    3rd byte, 4th byte: absolute address
Therefore the first 4 bytes represent an absolute JMP to offset 0x8986. The GNU Development tools for the Renesas H8/300 series can be used.
    $ grep -o -E "[A-Z0-9]{64}" m96.smc | xxd -r -p > m96.bin
    $ h8300-hitachi-coff-objdump --start-address=0x1000 -m h8300 \
        -b binary -D m96.bin
    00001000 <.data+0x1000>:
        1000: 5a 00 89 ...
        1060: f8 06
        1062: 5a 00 9d ...
        106e: 00 00
        1070: 5a 00 89 ...
        1080: f8 08
        1082: 5a 00 9d ...
Disassembly of the handler dispatch (second opcode byte on the left, operand resolution on the right):

    88  mov.b  r0l,r0l
    2c  beq    .+44 (0xf7fc)
    01  cmp.b  #0x1,r0l
    20  beq    .+32 (0xf7f4)
    02  cmp.b  #0x2,r0l
    14  beq    .+20 (0xf7ec)
    03  cmp.b  #0x3,r0l
    08  bne    .+8 (0xf7e4)
    00  mov.l  #0x1eafe,er0    -> "SmsBrightNoScale",er0
    70  rts
    00  mov.l  #0x1eaf0,er0    -> "Unknown",er0
    70  rts
    00  mov.l  #0x1eb0f,er0    -> "SmsBreathe",er0
    70  rts
    00  mov.l  #0x1eaf8,er0    -> "SmsOn",er0
    70  rts
    00  mov.l  #0x1eb1a,er0    -> "SmsOff",er0
    70  rts

[Slide residue: a string-table relocation 0x1d918 -> 0x16918 with the bytes 00 55 73 6d 00 / 00 6e 42 73 00 ("Number of SM"), an I2C slave setup listing annotated "clear interrupts" and "slave receive mode", and the battery presence check below.]

    mov.b  @0xffe10e:32,r0l            # supported battery count
    beq    .+20 (0x1ece)               # count == 1
    mov.b  @0xc1:8,r0l
    bld    #0x1,r0l
    bcs    .+12 (0x1ece)
    d2 6a 72 10   bclr   #0x1,@0xffd26a:32    # A not present
    bra    .+8 (0x1ed6)
    d2 6a 70 10   bset   #0x1,@0xffd26a:32    # A present
Apple SMC
In conclusion the Apple SMC can be updated with arbitrary firmware, as the checksum algorithm, update mechanism and eventually functionality can be fully reverse engineered. Knowledge of the architecture makes it straightforward to modify the firmware at will. DISCLAIMER: this is an educational example only, use the presented information at your own risk.