OWASP Kansai Bus Pirate を使ったIoTデバイスHack

Transcript

1. - 1 02 1

2. 
   
       
   

3. 
   
   
     

4. 
   
   o t L I ( ) e . A

   . IA A m u E CK b DT b D .

5. - 5

6. 
   
        
   
   

7. 
   
   L / / / / / S i l

   M ptc I t MA u t L D PFL a t R M Pp l Cptc f p a S( (POR ) R Sx e s c o D L L I S tcr S M P )(M R ( i L I R S L A I Sl hn R R D MA Lm I

8. 
   
   312 5

9. 
   
   . V 6B B3 6 6 u a 6

   6 6 6 & s B V 6a P Ia s & s Bs r3 s aB V 3 S 2 B t B 6 C 3 3 4 ei BC

10. 
    
    IG 4 F H e o i ( P

    L 3 Le A L 3 L M z P s P e m m Xe M t n t lR640M0 S lP mm P e P P T k 6 H y m P z tm o L 3 L P o e) 5 ot v P P UiM u ) 5 I k P d6 t P lP mk Za ) 5 6 1 kr P 6 lP mk 4.)U 42 4 FBM4KH D Vh t vP k t o R F H CC DG F S P o k IG 4 F H M z t vP k

11. 
    
    ,M CJ L Wl r so k CJ .b

    S T a d R m 1 - a d R m t n 8 1 d R m dWt n gr 2 i P y dce lP npw R G BJHGHM JC t n 41.1 R m a u l h - D H J 0.(() 3-. U G NCJ C J JC NCLB CLNC ICG HGLJH 8 JCIL CG J CL GA CJ 1 - 8 1 G 7 H

12. 
    
     

13. 
    
      
    

14. 
    
      
    Bus Pirate v3.6a -  

15. 
    
    ) ) - ) ( ) )

16. 
    
      
    

17. 
    
    8

18. 
    
    

19. 
    
    r n d l ne n d l -

    Dq y I c im t ahd Dq $ u D poD w po F - n d lI h l I T g fkh l b lDvs n d l F - - n d lI I T neD I n d l I -

20. 
    
    

21. 
    
    F F #!/bin/sh apt-get install build-essential pciutils usbutils libpci-dev

    libusb-dev libftdi1 libftdi-dev zlib1g-dev subversion apt-get install libusb-1.0 # svn co svn://flashrom.org/flashrom/trunk flashrom git clone https://github.com/flashrom/flashrom.git cd flashrom make make install $ sudo apt-get update $ chmod 755 ./flashrominstall.sh $ sudo ./flashrominstall.sh

22. -

23. 
    
    0B /

24. -

25. 
    
    21 5 & 21 5 3 8

26. 
    
      
         

     

27. 
    
        
       

28. 
    
    < P a om U / / u I

    Fa B V prfl P > i V u V > - proh h prfl ls / Vnou tef htef US V E D a U i cLP u P P > $ time flashrom -V -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c "MX25L12835F/MX25L12845E/MX25L12865E" -r x -o lg V E > nouV S c E EDD V a >

29. 
    
        
      This chip may

    contain one-time programmable memory. flashrom cannot read and may never be able to write it, hence it may not be able to completely clone the contents of this chip (see man page for details). Reading flash... done. Raw bitbang mode version 1 Bus Pirate shutdown completed. real 27m44.522s user 0m3.150s sys 0m29.560s

30. 
    
       '%"#(*!&)$ 2/    0'%"#(*

    2/ $ binwalk x DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 524288 0x80000 uImage header, header size: 64 bytes, header CRC: 0xAA9492B8, created: Fri May 19 12:42:54 2006, image size: 2216488 bytes, Data Address: 0x2000000, Entry Point: 0x2000040, data CRC: 0x9AD1ABF3, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "gm8136" 542452 0x846F4 gzip compressed data, maximum compression, from Unix, NULL date: Thu Jan 1 00:00:00 1970 3670016 0x380000 Squashfs filesystem, little endian, version 4.0, compression:lzma (non-standard type definition), size: 6963644 bytes, 184 inodes, blocksize: 131072 bytes, created: Sat Jul 1 01:30:16 2006 11534336 0xB00000 JFFS2 filesystem, little endian 12457688 0xBE16D8 Zlib compressed data, compressed, uncompressed size >= 276 12459464 0xBE1DC8 Zlib compressed data, compressed, uncompressed size >= 485 12459776 0xBE1F00 Zlib compressed data, compressed, uncompressed size >= 485 12460084 0xBE2034 Zlib compressed data, compressed, uncompressed size >= 485 12460396 0xBE216C Zlib compressed data, compressed, uncompressed size >= 485   +,.1
          3-

31. 
    
    6 0 1 1 7 4 3 S 4

    0 1 1 5 $ dd if=x skip=3670016 bs=1 count=$((11534336-3670016)) of=squash.bin 7864320+0 records in 7864320+0 records out 7864320 bytes (7.9 MB) copied, 115.81 s, 67.9 kB/s

32. 
    
    
      
       # unsquashfs

    squash.bin Parallel unsquashfs: Using 4 processors 133 inodes (236 blocks) to write [======================================================================================================== ==============================================================================================¥] 236/236 100% created 133 files created 51 directories created 0 symlinks created 0 devices created 0 fifos    $ ls -al drwxr-xr-x 22 pi pi 4096 Jul 1 2006 squashfs-root

33. 
    
    *&' $#)  !"
    ( %    $

    cd squashfs-root $ ls -al total 104 drwxr-xr-x 22 pi pi 4096 Jul 1 2006 . drwxrwxrwt 13 root root 4096 Feb 17 16:13 .. drwxrwxrwx 3 pi pi 4096 Mar 2 2006 bak drwxrwxrwx 2 pi pi 4096 Mar 2 2006 bin -rwxr-xr-x 1 pi pi 5382 Jul 1 2006 boot.sh drwxrwxrwx 4 pi pi 4096 Mar 2 2006 dev drwxrwxrwx 5 pi pi 4096 Mar 2 2006 etc drwxrwxrwx 5 pi pi 4096 Mar 2 2006 gm drwxrwxrwx 2 pi pi 4096 Mar 2 2006 home -rwxr-xr-x 1 pi pi 371 Mar 2 2006 init drwxrwxrwx 3 pi pi 4096 Mar 2 2006 lib drwxrwxrwx 9 pi pi 4096 Mar 2 2006 mnt drwxrwxrwx 2 pi pi 4096 Mar 2 2006 npc drwxrwxrwx 2 pi pi 4096 Mar 2 2006 opt drwxrwxrwx 4 pi pi 4096 Mar 2 2006 patch drwxrwxrwx 2 pi pi 4096 Mar 2 2006 proc -rwxr-xr-x 1 pi pi 0 Mar 2 2006 readme.txt drwxrwxrwx 2 pi pi 4096 Mar 2 2006 rom drwxrwxrwx 2 pi pi 4096 Mar 2 2006 root drwxrwxrwx 2 pi pi 4096 Mar 2 2006 sbin drwxrwxrwx 2 pi pi 4096 Mar 2 2006 share -rwxr-xr-x 1 pi pi 946 Mar 2 2006 squashfs_init drwxrwxrwx 2 pi pi 4096 Mar 2 2006 sys drwxrwxrwx 2 pi pi 4096 Mar 2 2006 tmp drwxrwxrwx 4 pi pi 4096 Mar 2 2006 usr drwxrwxrwx 4 pi pi 4096 Mar 2 2006 var

34. 
    
      

35. 5 3 -

36. 
    
    A

37. 
    
     
       

38. 
    
    
    

39. 
    
    .