Slide 1

Firmware Security Analysis 李倫銓 Alan, NiNi

Slide 2

About LinkIt 7697
LinkIt 7697 is a development board for IoT applications. It is built on the MT7697 SoC, which has an ARM Cortex-M4 microcontroller with a floating-point unit and integrates 802.11b/g/n Wi-Fi and Bluetooth 4.2 Low Energy.

Slide 3

What is firmware
Firmware is code stored in non-volatile memory such as ROM, EPROM or flash. It may expose functions that software calls to control the hardware, or it may be the only program the embedded system ever runs.

Slide 4

Before starting…
Flash the firmware onto the board first.

Slide 5

UART
A serial link between two UARTs is wired crosswise: UART 1 Tx to UART 2 Rx, UART 2 Tx to UART 1 Rx, plus a shared ground. Check the board's logic level before connecting a USB-serial adapter.

Slide 6

UART
Bytes travel over the wire as a stream of voltage levels, one bit per bit time, e.g. 1 0 1 1 1 0 1; each byte is framed by a start bit and a stop bit.
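
The framing behind the bit stream on slides 5-6, as an added example (not code from the deck). It assumes the common 8N1 format: the line idles high, a start bit (low), eight data bits least-significant first, one stop bit (high); the deck does not state the baud rate, which this bit-level model does not need. The sample levels in the test are constructed, not captured from a board.

```python
"""8N1 UART framing: idle high, start bit low, 8 data bits LSB first, stop bit high.
Added example; the 8N1 format is an assumption and the samples are constructed."""

FRAME_BITS = 1 + 8 + 1          # start + data + stop


def uart_encode(data):
    """Return the line level (0/1) for every bit time needed to send `data`."""
    levels = [1]                # line idles high before the first frame
    for byte in data:
        levels.append(0)        # start bit
        levels += [(byte >> i) & 1 for i in range(8)]   # LSB first
        levels.append(1)        # stop bit
    return levels


def uart_decode(levels):
    """Recover bytes from sampled line levels; returns (bytes, framing_errors)."""
    out, errors, i = bytearray(), 0, 0
    while i < len(levels):
        if levels[i] == 1:      # idle: keep waiting for a start bit (falling edge)
            i += 1
            continue
        frame = levels[i:i + FRAME_BITS]
        if len(frame) < FRAME_BITS:
            break               # truncated capture, nothing more to decode
        value = sum(bit << k for k, bit in enumerate(frame[1:9]))
        if frame[9] != 1:       # stop bit must be high; otherwise a framing error
            errors += 1         # (wrong baud rate or inverted signal shows up here)
        else:
            out.append(value)
        i += FRAME_BITS
    return bytes(out), errors
```

A framing-error count that climbs on every byte is the usual sign that the adapter is set to the wrong baud rate or that Tx and Rx are not crossed.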

Slides 7-13

PC boot sequence: BIOS, MBR, boot loader
1. The BIOS (in ROM) fetches the MBR, the first sector of the hard disk, into RAM (BIOS fetches; BIOS done fetching).
2. The code in the MBR then fetches the rest of the boot loader from the hard disk into RAM (MBR fetches).
3. The boot loader is larger than one sector, so the MBR keeps fetching until everything is in RAM (not done yet; fetch again).
4. Boot loader loading complete: execution continues in the boot loader.

Slide 14

Boot loader DEMO
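
What the BIOS step on slides 7-9 actually examines, as an added example (not code from the deck): a legacy BIOS copies sector 0 to RAM at 0x7C00, checks only that the last two bytes are 0x55 0xAA, and jumps to the first byte. Nothing authenticates the code, which is the gap the Secure Boot slides close later. The sector parsed here is constructed for the demo; the layout (446 bytes of code, four 16-byte partition entries, 2-byte signature) is the standard MBR layout.

```python
"""Parse a 512-byte MBR the way a legacy BIOS looks at it.  Added example; the
sample sector is constructed."""
import struct

MBR_SIZE, BOOT_CODE_LEN = 512, 446
ENTRY_FMT = '<B3sB3sII'            # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Returns boot code, the used partition entries and whether a BIOS would boot it."""
    if len(sector) != MBR_SIZE:
        raise ValueError('an MBR is exactly one 512-byte sector')
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:                                 # type 0 marks an unused slot
            parts.append({'bootable': status == 0x80, 'type': ptype,
                          'lba_start': lba, 'sectors': count})
    return {'boot_code': sector[:BOOT_CODE_LEN], 'partitions': parts,
            'bios_will_boot': sector[510:512] == b'\x55\xaa'}   # the only check the BIOS makes


def build_mbr(boot_code, entries, signature=b'\x55\xaa'):
    """Constructed MBR: boot code padded to 446 bytes, up to four (bootable, type, lba, count) entries."""
    table = b''.join(struct.pack(ENTRY_FMT, 0x80 if boot else 0, b'\0\0\0', ptype, b'\0\0\0', lba, n)
                     for boot, ptype, lba, n in entries)
    return boot_code.ljust(BOOT_CODE_LEN, b'\0') + table.ljust(64, b'\0') + signature


def demo():
    """A bootable sample and the same sector with its signature zeroed; returns both parses."""
    code = b'\xfa\x31\xc0'                             # cli; xor ax, ax: a typical opening of boot code
    entries = [(True, 0x83, 2048, 1 << 20)]            # one Linux partition starting at LBA 2048
    return parse_mbr(build_mbr(code, entries)), parse_mbr(build_mbr(code, entries, signature=b'\0\0'))
```

Anyone who can write sector 0 can replace the 446 bytes of boot code and the BIOS will still run it, because the signature is a format marker, not an integrity check.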

Slide 15

ARM
The ARM architecture has many versions, from the earliest ARMv1 to ARMv8; each version introduced new features.

Slide 16

ARM
ARM does not sell chips; it makes money by licensing the architecture. Implementation is done by the licensee (who normally may not change the architecture). A CPU's name is unrelated to its architecture version: ARM7EJ implements ARMv5, ARM11 implements ARMv6.

Slide 17

ARM
After ARM11 the naming scheme changed to profiles:
Cortex-A: Application profile
Cortex-R: Real-time profile
Cortex-M: Microcontroller profile

Slide 18

ARM
ARM cores have two instruction sets: ARM and Thumb. Thumb is a denser re-encoding of a subset of ARM. An ARM instruction is always 4 bytes; a Thumb instruction is 2 bytes, and Thumb-2 adds 4-byte encodings. Cortex-M cores such as the MT7697's Cortex-M4 execute Thumb only, so a Cortex-M firmware image contains no ARM-state code.

Slide 19

ARM
The same function compiled as Thumb (2- and 4-byte instructions) and as ARM (4-byte instructions):

Thumb:
    00010400:
    10400: b580       push {r7, lr}
    10402: af00       add r7, sp, #0
    10404: 4b03       ldr r3, [pc, #12]   ; (10414)
    10406: 0018       movs r0, r3
    10408: f7ff ff68  bl 102dc
    1040c: 2300       movs r3, #0
    1040e: 0018       movs r0, r3
    10410: 46bd       mov sp, r7
    10412: bd80       pop {r7, pc}

ARM:
    000103fc:
    103fc: e92d4800   push {fp, lr}
    10400: e28db004   add fp, sp, #4
    10404: e59f000c   ldr r0, [pc, #12]   ; 10418
    10408: ebffffb3   bl 102dc
    1040c: e3a03000   mov r3, #0
    10410: e1a00003   mov r0, r3
    10414: e8bd8800   pop {fp, pc}

Slide 20

ARM
Thumb was later extended to Thumb-2: code density close to Thumb, with performance close to ARM.
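
How the Thumb listing on slide 19 comes out of its raw bytes, as an added example (not code from the deck): it tells 16-bit instructions from 32-bit Thumb-2 pairs by the top five bits of the first halfword, decodes the 16-bit forms the listing uses, resolves the BL target and the literal-pool address that objdump prints in parentheses. Only the encodings that appear on the slide are handled; everything else is reported as undecoded. The input bytes are the slide's own halfwords.

```python
"""Decoder for the 16-bit Thumb encodings in the slide-19 listing.  Added example;
covers only the forms on the slide, input is the slide's halfwords at 0x10400."""
import struct

REG_NAMES = [f'r{i}' for i in range(13)] + ['sp', 'lr', 'pc']
MASK = 0xFFFFFFFF


def is_thumb32_prefix(hw):
    """First halfword of a 32-bit Thumb-2 instruction has bits[15:11] = 11101, 11110 or 11111."""
    return (hw >> 11) in (0b11101, 0b11110, 0b11111)


def reglist(bits, extra=None):
    regs = [REG_NAMES[i] for i in range(8) if bits & (1 << i)]
    return '{' + ', '.join(regs + ([extra] if extra else [])) + '}'


def decode_thumb16(hw):
    """UAL text for the 16-bit encodings used on the slide, or None for anything else."""
    rd8, imm8 = (hw >> 8) & 7, hw & 0xFF
    if hw >> 9 == 0b1011010:                       # PUSH {list}; bit 8 adds LR
        return 'push ' + reglist(imm8, 'lr' if hw & 0x100 else None)
    if hw >> 9 == 0b1011110:                       # POP {list}; bit 8 adds PC
        return 'pop ' + reglist(imm8, 'pc' if hw & 0x100 else None)
    if hw >> 11 == 0b10101:                        # ADD Rd, SP, #imm8*4
        return f'add {REG_NAMES[rd8]}, sp, #{imm8 * 4}'
    if hw >> 11 == 0b01001:                        # LDR Rt, [PC, #imm8*4]: literal-pool load
        return f'ldr {REG_NAMES[rd8]}, [pc, #{imm8 * 4}]'
    if hw >> 11 == 0b00100:                        # MOVS Rd, #imm8
        return f'movs {REG_NAMES[rd8]}, #{imm8}'
    if hw >> 11 == 0b00000:                        # LSLS Rd, Rm, #imm5; imm5 == 0 is MOVS Rd, Rm
        imm5, rm, rd = (hw >> 6) & 0x1F, (hw >> 3) & 7, hw & 7
        return (f'movs {REG_NAMES[rd]}, {REG_NAMES[rm]}' if imm5 == 0
                else f'lsls {REG_NAMES[rd]}, {REG_NAMES[rm]}, #{imm5}')
    if hw >> 8 == 0b01000110:                      # MOV Rd, Rm with high registers (D:Rd, Rm)
        rd = ((hw >> 7) & 1) << 3 | (hw & 7)
        return f'mov {REG_NAMES[rd]}, {REG_NAMES[(hw >> 3) & 0xF]}'
    return None


def bl_target(hw1, hw2, addr):
    """BL: imm32 = SignExtend(S:I1:I2:imm10:imm11:0) with I1/I2 = NOT(J1/J2 XOR S); PC reads addr+4."""
    s, imm10 = (hw1 >> 10) & 1, hw1 & 0x3FF
    j1, j2, imm11 = (hw2 >> 13) & 1, (hw2 >> 11) & 1, hw2 & 0x7FF
    i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)
    imm = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1)
    return (addr + 4 + imm - (1 << 25 if s else 0)) & MASK


def disassemble(code, base=0):
    """Walk little-endian Thumb code; returns (address, hex halfwords, text) rows like objdump."""
    rows, off = [], 0
    while off + 2 <= len(code):
        addr = base + off
        hw, = struct.unpack_from('<H', code, off)
        if is_thumb32_prefix(hw):
            if off + 4 > len(code):
                break                                  # truncated 32-bit instruction
            hw2, = struct.unpack_from('<H', code, off + 2)
            if hw >> 11 == 0b11110 and ((hw2 >> 12) & 0b1101) == 0b1101:   # BL: hw2 bits 15,14,12 set
                text = f'bl {bl_target(hw, hw2, addr):x}'
            else:
                text = '<other 32-bit Thumb-2 instruction>'
            rows.append((addr, f'{hw:04x} {hw2:04x}', text))
            off += 4
            continue
        text = decode_thumb16(hw) or '<undecoded>'
        if hw >> 11 == 0b01001:                            # PC-rel load: PC = Align(addr + 4, 4)
            text += f'   ; ({((addr + 4) & ~3) + (hw & 0xFF) * 4:x})'
        rows.append((addr, f'{hw:04x}', text))
        off += 2
    return rows


SLIDE19_THUMB = struct.pack('<10H', 0xb580, 0xaf00, 0x4b03, 0x0018, 0xf7ff,
                            0xff68, 0x2300, 0x0018, 0x46bd, 0xbd80)


def slide19():
    """The Thumb half of slide 19, reconstructed from its halfwords at 0x10400."""
    return disassemble(SLIDE19_THUMB, 0x10400)
```

The same bytes fed to a disassembler in ARM mode produce garbage, so on a stripped image the first thing to establish is the instruction set; for a Cortex-M target it is always Thumb, and odd function addresses in the vector table (bit 0 set) confirm it.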

Slide 21

ARM
Quick quiz.

Slide 22

ARM
Cortex-M4 manual: http://infocenter.arm.com/help/topic/com.arm.doc.dui0553b/DUI0553.pdf
ARM Thumb-2 cheat sheet (UAL quick reference): http://infocenter.arm.com/help/topic/com.arm.doc.qrc0001m/QRC0001_UAL.pdf

Slide 23

ARM registers (Cortex-M4 manual, 2.1.3 Core registers)
R0 to R12 are general-purpose registers; SP (R13) is the stack pointer, LR (R14) the link register that holds the return address, PC (R15) the program counter.

Slide 24

ARM basic operations
Two-operand form: opcode Rd, Rn
Three-operand form: opcode Rd, Rn, Op2
Rd is the destination; Op2 is a register or an immediate.

Slides 25-29

ARM MOV (3.5.6 MOV and MVN)
Starting from all registers zero:
    MOV R1, #0xFA05      ; R1 = 0x0000FA05
    MOV R5, #256         ; R5 = 0x00000100
    MOVW R3, #0xBEEF     ; R3 = 0x0000BEEF  (16-bit immediate into the low half, top half cleared)
    MOVT R3, #0xDEAD     ; R3 = 0xDEADBEEF  (16-bit immediate into the top half, low half kept)
    MVN R2, #0xF         ; R2 = 0xFFFFFFF0  (bitwise NOT of the operand)
MOVW followed by MOVT is how a full 32-bit constant is built without a memory load.

Slide 30

ARM LDR/STR (3.4 Memory access instructions)
ARM is a load/store architecture: only load and store instructions (LDR/STR and their variants, including PUSH/POP) access memory. The operands of every other instruction are registers or immediates, never memory.

Slides 31-38

ARM LDR/STR (3.4 Memory access instructions)
Starting state: R2 = 0xFFFFFFF0, R3 = 0xDEADBEEF, R5 = 0x00000100; memory at 0x100 = 0xfaceb00c, at 0x104 = 0xdeadbeef.
    LDR R1, [R5]        ; R1 = mem[0x100] = 0xfaceb00c
    STR R2, [R5,#4]     ; mem[0x104] = 0xFFFFFFF0                          (offset addressing, R5 unchanged)
    LDR R2, [R5],#4     ; R2 = mem[0x100] = 0xfaceb00c, then R5 = 0x104     (post-indexed: access, then add)
    STR R2, [R5,#4]!    ; R5 = 0x108 first, then mem[0x108] = 0xfaceb00c    (pre-indexed with writeback)
Final state: R1 = 0xfaceb00c, R2 = 0xfaceb00c, R3 = 0xDEADBEEF, R5 = 0x00000108; memory 0x100 = 0xfaceb00c, 0x104 = 0xFFFFFFF0, 0x108 = 0xfaceb00c.

Slide 39

ARM access sizes
1 byte = 8 bits, 1 halfword = 16 bits, 1 word = 32 bits.
LDR loads a word; LDRH / LDRSH load a halfword (zero- / sign-extended); LDRB / LDRSB load a byte (zero- / sign-extended). STR, STRH and STRB store the corresponding sizes.

Slides 40-47

ARM conditional execution (3.3.7 Conditional execution)
Flags: N = negative, Z = zero, C = carry, V = overflow. CMP sets them from Rn - Op2; a {cond} suffix makes an instruction execute only when the flags match.

ARM state:
    CMP R1, #3
    LDREQ R1, [R5]        ; if (r1 == 3) r1 = *r5

In Thumb-2, conditional instructions must be preceded by an IT (If-Then) block. Each letter after IT gives the condition of one following instruction (T = the stated condition, E = its inverse), up to four instructions:
    CMP R1, #3
    IT EQ
    LDREQ R1, [R5]        ; if (r1 == 3) r1 = *r5

    CMP R1, #3
    ITT EQ
    LDREQ R1, [R5]
    LDREQ R2, [R5]        ; if (r1 == 3) { r1 = *r5; r2 = *r5; }

    CMP R1, #3
    ITTE EQ
    LDREQ R1, [R5]
    LDREQ R2, [R5]
    ADDNE R1, #1          ; if (r1 == 3) { r1 = *r5; r2 = *r5; } else { r1 += 1; }

Slide 48

ARM branches (3.10 Branch and control instructions)
    B{cond} label       branch
    BL{cond} label      branch with link: the return address is placed in LR
    BX{cond} Rm         branch to the address in Rm (bit 0 of Rm selects the instruction set; on Cortex-M it must be 1 for Thumb)
    BLX{cond} Rm        branch with link to the address in Rm: the return address is placed in LR
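
A small executable model of the instructions on slides 25-48, as an added example (not code from the deck): it runs the MOV/MOVW/MOVT/MVN sequence, the LDR/STR addressing modes (offset, post-indexed, pre-indexed with writeback), CMP flag setting and IT-block conditional execution, all in the syntax the slides use, so the register and memory pictures can be checked by running them. It works on values, not encodings; memory is a flat word-addressed dictionary and its initial contents are the ones drawn on slide 31.

```python
"""Model of the instructions on slides 25-48, an added example (not code from the
deck).  Flat word-addressed memory, no encodings; memory contents are from slide 31."""
import re

MASK = 0xFFFFFFFF
REGS = {f'R{i}': i for i in range(16)}
REGS.update(SP=13, LR=14, PC=15)
CONDS = ('EQ', 'NE', 'CS', 'CC', 'MI', 'PL', 'VS', 'VC',       # adjacent pairs are inverses
         'HI', 'LS', 'GE', 'LT', 'GT', 'LE', 'AL')
MEM_RE = re.compile(r'\[\s*(\w+)\s*(?:,\s*#?(\S+?))?\s*\](!?)(?:\s*,\s*#?(\S+))?$')


class Cpu:
    def __init__(self):
        self.r, self.mem = [0] * 16, {}   # R0..R12, SP, LR, PC; word address -> 32-bit value
        self.N = self.Z = self.C = self.V = 0
        self.it = []                      # conditions still owed by an open IT block

    def flag_ok(self, c):
        n, z, cf, v = self.N, self.Z, self.C, self.V
        return {'AL': True, 'EQ': z == 1, 'NE': z == 0, 'CS': cf == 1, 'CC': cf == 0, 'MI': n == 1,
                'PL': n == 0, 'VS': v == 1, 'VC': v == 0, 'HI': cf == 1 and z == 0, 'LS': cf == 0 or z == 1,
                'GE': n == v, 'LT': n != v, 'GT': z == 0 and n == v, 'LE': z == 1 or n != v}[c]

    def value(self, tok):                 # operand: register name or #immediate (decimal or 0x)
        tok = tok.strip()
        return self.r[REGS[tok]] if tok in REGS else int(tok.lstrip('#'), 0) & MASK

    def run(self, lines):
        for line in lines:
            self.execute(line)
        return self

    def execute(self, line):
        """Run one instruction as written on the slides; False means its condition failed."""
        op, _, rest = line.strip().upper().partition(' ')
        if op.startswith('IT'):           # IT / ITT / ITTE: T = base condition, E = its inverse
            base = rest.strip()
            inverse = 'AL' if base == 'AL' else CONDS[CONDS.index(base) ^ 1]
            self.it = [base if ch == 'T' else inverse for ch in 'T' + op[2:]]
            return True
        cond = 'AL'
        if op[-2:] in CONDS:              # none of the supported mnemonics ends in a condition code
            op, cond = op[:-2], op[-2:]
        if self.it and cond != self.it.pop(0):
            raise ValueError(f'{line!r}: suffix does not match the IT block')
        if not self.flag_ok(cond):
            return False
        dst, src = [a.strip() for a in rest.split(',', 1)]
        rd = REGS[dst]
        if op in ('LDR', 'STR'):
            self.mem_access(op, rd, src)
        elif op == 'MOV':
            self.r[rd] = self.value(src)
        elif op == 'MOVW':                # 16-bit immediate into the low half, top half cleared
            self.r[rd] = self.value(src) & 0xFFFF
        elif op == 'MOVT':                # 16-bit immediate into the top half, low half kept
            self.r[rd] = (self.value(src) << 16) | (self.r[rd] & 0xFFFF)
        elif op == 'MVN':                 # bitwise NOT of the operand
            self.r[rd] = ~self.value(src) & MASK
        elif op == 'CMP':                 # flags of Rd - Op2: N sign, Z zero, C no borrow, V overflow
            a, b = self.r[rd], self.value(src)
            res = (a - b) & MASK
            self.N, self.Z, self.C = res >> 31, int(res == 0), int(a >= b)
            self.V = ((a ^ b) & (a ^ res)) >> 31
        elif op in ('ADD', 'SUB'):        # Rd, Op2   or   Rd, Rn, Op2
            parts = [p.strip() for p in src.split(',')]
            rn = self.r[rd] if len(parts) == 1 else self.value(parts[0])
            self.r[rd] = (rn + self.value(parts[-1]) * (1 if op == 'ADD' else -1)) & MASK
        else:
            raise ValueError(f'unsupported instruction {line!r}')
        return True

    def mem_access(self, op, rt, operand):
        m = MEM_RE.match(operand)
        assert m, f'unsupported addressing mode {operand!r}'
        rn = REGS[m.group(1)]
        offset = int(m.group(2) or m.group(4) or '0', 0)
        if m.group(4) is not None:        # [Rn], #imm  : post-indexed, access first, then Rn += imm
            addr, writeback = self.r[rn], self.r[rn] + offset
        elif m.group(3) == '!':           # [Rn, #imm]! : pre-indexed, Rn += imm first, then access
            addr = writeback = self.r[rn] + offset
        else:                             # [Rn] / [Rn, #imm] : offset addressing, Rn unchanged
            addr, writeback = self.r[rn] + offset, None
        if op == 'LDR':
            self.r[rt] = self.mem.get(addr & MASK, 0)
        else:
            self.mem[addr & MASK] = self.r[rt]
        if writeback is not None:
            self.r[rn] = writeback & MASK


def replay_slides():
    """Slides 25-29 then 31-38 in order; returns the Cpu so the pictures can be checked."""
    cpu = Cpu()
    cpu.mem[0x100], cpu.mem[0x104] = 0xFACEB00C, 0xDEADBEEF      # flash contents on slide 31
    return cpu.run(['MOV R1, #0xFA05', 'MOV R5, #256', 'MOVW R3, #0xBEEF', 'MOVT R3, #0xDEAD',
                    'MVN R2, #0xF', 'LDR R1, [R5]', 'STR R2, [R5,#4]', 'LDR R2, [R5],#4',
                    'STR R2, [R5,#4]!'])


def conditional_demo(r1):
    """Slides 46-47 with R1 preset; returns (R1, R2) after the ITTE block."""
    cpu = Cpu()
    cpu.r[1], cpu.r[5], cpu.mem[0x100] = r1, 0x100, 0xFACEB00C
    cpu.run(['CMP R1, #3', 'ITTE EQ', 'LDREQ R1, [R5]', 'LDREQ R2, [R5]', 'ADDNE R1, #1'])
    return cpu.r[1], cpu.r[2]
```

The writeback forms matter when reading firmware by hand: `LDR R2, [R5],#4` and `STR R2, [R5,#4]!` both move R5, so a loop that looks like it reads the same address is in fact walking through memory.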

Slide 49

Find the main: Literal Pool
Constants that do not fit in an instruction's immediate field are placed in a literal pool right after the function and loaded with ldr Rt, [pc, #offset], as the 4b03 instruction on slide 19 does.

Slide 50

Find the main

Slide 51

BONUS TIME

Slide 52

Secure Boot

Slide 53

Secure Boot
So while the bootloader runs, we need to be sure that the firmware it is about to load has not been modified.

Slide 54

Secure Boot: boot flow
Reset → ROM → the ROM loads the bootloader and asks: is it signed? Yes → run the bootloader. No → Stop or Recover.
Bootloader → loads the firmware and asks: is it signed? Yes → run the firmware. No → Stop or Recover.
Each stage verifies the next one before jumping to it; the ROM is the root of trust.

Slides 55-56

Secure Boot: protecting the bootloader
Bootloader → hash → encrypt with a key → store in flash. The key is burned into eFuses: one-time programmable bits inside the chip, so after manufacturing neither the key nor the check can be changed by rewriting flash.

Slides 57-58

Secure Boot: firmware digital signature
On your PC: firmware → hash → signature algorithm with the private key → signature, shipped next to the firmware.
In the bootloader: firmware → hash; signature → signature algorithm with the public key (built into the bootloader) → compare: same? Only the private key can produce a signature that opens to the right hash, so firmware an attacker rewrote in flash fails the check.
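
The two-stage chain from slides 54-58 as runnable code, an added example (not code from the deck and not any vendor's boot ROM). Stage 1 models the "hash, encrypt with key, burn eFuse" picture as an HMAC-SHA256 over the bootloader keyed with the eFuse value; stage 2 models the firmware signature as textbook RSA over SHA-256, with a toy 512-bit key generated on the fly. The key size, the layout of the public key inside the bootloader image and the missing signature padding are simplifications for the demo, not how a shipping device does it. The demo also shows the check a reviewer should make: the public key in the bootloader is only trustworthy because stage 1 verified the bootloader, so a ROM that skips stage 1 accepts a bootloader whose key was swapped.

```python
"""Two-stage secure boot model: eFuse-keyed HMAC over the bootloader, then an RSA
signature over the firmware checked with the bootloader's public key.  Added example;
keys, image layout and the unpadded RSA are demo simplifications."""
import hashlib
import hmac
import random

EFUSE_KEY = bytes(31) + b'\x01'      # constructed stand-in for the key burned into eFuses


def _probable_prime(n, rounds=20):
    """Miller-Rabin, good enough for a demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits=512, seed=2024):
    """Returns ((n, e), (n, d)); the candidate generator is seeded so runs repeat."""
    rng, e = random.Random(seed), 65537

    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))   # modular inverse: Python 3.8+


def sign_image(image, priv):
    """PC side (slide 57): sign SHA-256(image) with the private key."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(image).digest(), 'big'), d, n).to_bytes(64, 'big')


def verify_image(image, sig, pub):
    """Bootloader side (slide 58): open the signature and compare with a fresh hash."""
    n, e = pub
    return pow(int.from_bytes(sig, 'big'), e, n) == int.from_bytes(hashlib.sha256(image).digest(), 'big')


def build_bootloader(code, pub):
    """Bootloader image = code || n (64 bytes) || e (4 bytes); the layout is an assumption."""
    return code + pub[0].to_bytes(64, 'big') + pub[1].to_bytes(4, 'big')


def pubkey_from_bootloader(image):
    return int.from_bytes(image[-68:-4], 'big'), int.from_bytes(image[-4:], 'big')


def program_flash(pub, priv, firmware):
    """Factory side: seal the bootloader with the eFuse key, sign the firmware on the PC."""
    bl = build_bootloader(b'bootloader code', pub)
    return {'bootloader': bl, 'bootloader_tag': hmac.new(EFUSE_KEY, bl, 'sha256').digest(),
            'firmware': firmware, 'firmware_sig': sign_image(firmware, priv)}


def boot(flash, rom_checks_bootloader=True):
    """Slide 54 flow; returns 'run' or 'stop_or_recover'."""
    if rom_checks_bootloader:
        tag = hmac.new(EFUSE_KEY, flash['bootloader'], 'sha256').digest()
        if not hmac.compare_digest(tag, flash['bootloader_tag']):
            return 'stop_or_recover'      # not the bootloader sealed with the eFuse key
    if not verify_image(flash['firmware'], flash['firmware_sig'],
                        pubkey_from_bootloader(flash['bootloader'])):
        return 'stop_or_recover'          # firmware hash does not match its signature
    return 'run'


def demo():
    pub, priv = rsa_keygen()
    good = program_flash(pub, priv, b'firmware v1')
    evil_fw = b'firmware v1 + backdoor'
    patched = dict(good, firmware=evil_fw)                    # patched flash, old signature kept
    apub, apriv = rsa_keygen(seed=7)                          # attacker's own key pair
    keyswap = dict(good, bootloader=build_bootloader(b'bootloader code', apub),
                   firmware=evil_fw, firmware_sig=sign_image(evil_fw, apriv))
    return {'genuine': boot(good), 'patched_firmware': boot(patched),
            'swapped_pubkey': boot(keyswap),                  # stage 1 catches the swapped key
            'swapped_pubkey_no_rom_check': boot(keyswap, False)}   # stage 2 alone is fooled
```

`hmac.compare_digest` is used for the tag comparison so that a byte-by-byte early exit does not leak how much of the tag matched; a real bootloader needs the same constant-time care and must hash the whole image before jumping to any of it.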

Slide 59

Secure Boot
But this is not the end…

Slide 60

Secure Boot: Tegra X1

Slide 61

Secure Boot: Tegra X1 USB Recovery Mode
https://http.download.nvidia.com/tegra-public-appnotes/tegra-boot-flow.html#_error_handling_and_recovery_mode
The "Stop or Recover" branch of the flow is itself code that runs in the boot ROM before any signature has been checked, so a bug there sits underneath the whole chain of trust and, because the ROM is fixed at manufacturing, cannot be patched in chips already shipped.

Slide 62

Secure Boot
Fusée Gelée: https://github.com/Qyriad/fusee-launcher
ShofEL2: https://fail0verflow.com/blog/2018/shofel2/
Both are public exploits for the Tegra X1 boot ROM's USB recovery mode.