
Hardware hacking


Tavish Naruka

April 26, 2014



Transcript

  1. About me
     What I do: I studied electronics at JIIT and have been working at Baseapp Systems, in Delhi. I do software/system design for embedded systems.
  2. Hardware hacking?
     • looking at how a consumer product does what it does
     • making something from scratch
     • making things do what they were not meant to do
  3. Outline
     • Introduction to some common protocols used in low-level electronics (RS-232, SPI, I2C)
     • Sniffing/speaking these protocols
     • USB protocol, sniffing USB
     • A few interesting hardware hacks
     • Router hacking
  4. Things follow rules
     There are a few common protocols you will see in a lot of places.
     • Chips follow standard protocols
     • You can google most device datasheets
     • The exception is some chips with limited/restricted distribution
  5. RS-232 and SPI
     [Figure: serial and SPI communication waveforms]
     RS-232: often called just Serial, can be found in many places. Often used as a debug output in systems, or even as a control terminal. Often used to just transfer readable text, so you can even read what transfers are going on, for example:
         $GPRMC,081836,A,3751.65,S,14507.36,E,000.0,360.0,130998,011.3,E*62
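The line on the slide is a GPS NMEA 0183 sentence, and it shows why readable serial traffic is so convenient to sniff: the framing (`$` ... `*`) and the trailing two hex digits (an XOR of every byte in between) can be checked by hand or by a few lines of code. The parser below is an added example, not code from the talk; it verifies the framing and checksum before trusting any field, then decodes the RMC fields. The sample sentence is the one quoted on the slide.

```python
import re

# Sample input: the $GPRMC sentence quoted on the slide, as it would arrive
# over a GPS module's serial port.
SAMPLE_SENTENCE = "$GPRMC,081836,A,3751.65,S,14507.36,E,000.0,360.0,130998,011.3,E*62"


def nmea_checksum(body: str) -> int:
    """XOR of every byte between the leading '$' and the '*' separator."""
    cs = 0
    for ch in body.encode("ascii"):
        cs ^= ch
    return cs


def parse_nmea(line: str) -> dict:
    """Split one NMEA 0183 sentence into fields after verifying framing and checksum.

    Raises ValueError on any framing or integrity problem, so a corrupted or
    truncated serial line is never silently treated as a good reading.
    """
    m = re.fullmatch(r"\$([A-Z]{5},[^*\r\n]*)\*([0-9A-Fa-f]{2})\r?\n?", line)
    if not m:
        raise ValueError("not a framed NMEA sentence: %r" % line)
    body, given = m.group(1), int(m.group(2), 16)
    calc = nmea_checksum(body)
    if calc != given:
        raise ValueError("checksum mismatch: got %02X, expected %02X" % (given, calc))
    fields = body.split(",")
    # First field is talker id (2 chars) + sentence type (3 chars), e.g. GP + RMC
    return {"talker": fields[0][:2], "type": fields[0][2:], "fields": fields[1:]}


def parse_gprmc(line: str) -> dict:
    """Decode the fields of an RMC (recommended minimum) sentence into named values."""
    rec = parse_nmea(line)
    if rec["type"] != "RMC":
        raise ValueError("expected RMC, got " + rec["type"])
    f = rec["fields"]
    return {
        "time_utc": f[0],
        "valid": f[1] == "A",          # 'A' = data valid, 'V' = receiver warning
        "lat": f[2], "lat_hem": f[3],
        "lon": f[4], "lon_hem": f[5],
        "speed_knots": float(f[6]),
        "course_deg": float(f[7]),
        "date_ddmmyy": f[8],
    }


if __name__ == "__main__":
    print(parse_gprmc(SAMPLE_SENTENCE))
```

The checksum is weak (a single XOR byte), so it only catches line noise and truncation, not deliberate tampering; the point is that the framing of the protocol is fully visible on the wire and trivially decodable.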
  6. I2C protocol
     [Figures: multiple I2C devices wired together; a sample I2C transaction]
     • I2C communication is initiated by the master, and there is only one master at a time
     • All devices have a unique address, and they respond only to that
     • All transfers require acknowledgement
     • Start and stop conditions indicate the start/stop of data
     A lot of things (memories, wireless chips, all kinds of sensors, batteries, ADCs, even some LEDs) speak I2C or SPI. Also called SMBus on PCs.
  7. Speaking
     • Arduino - really quick prototyping
     • PIC32 Fubarino Mini
     • STM32F4 Discovery
     • FTDI USB serial chips can also do many protocols. Can use C/python libraries.
  8. FTDI chips (FT232H; the module pictured is the UM232H)
     • Most often used as USB to serial
     • Can also do SPI/I2C, GPIO/bitbang
     • FTDI provides C libraries for using these
     • Can do JTAG, with OpenOCD or other debuggers
     • Code on right: read a 1MB SPI flash with libmpsse, a python wrapper over the FTDI C libraries (libftdi)

         from mpsse import *
         # Open the first MPSSE-capable FTDI device: SPI mode 0, 30 MHz clock, MSB first
         spi = MPSSE(SPI0, THIRTY_MHZ, MSB)
         spi.Start()                          # assert chip select
         spi.Write("\x03\x00\x00\x00")        # READ command (0x03) followed by 24-bit address 0
         data = spi.Read(0x100000)            # clock out 1MB (0x100000 bytes) of flash contents
         spi.Stop()                           # release chip select
         spi.Close()
         open('flash.bin', 'wb').write(data)
  9. Some MCU suggestions
     Arduino
     1. Has a serial bootloader, so you don't need a programmer
     2. IDE comes with many ready-to-use libraries, not good
     3. Code written in C++, in the IDE, which is not the best text editor
     4. Don't really need the IDE
     5. avr-gcc and clib, avrdude etc.
     STM32
     1. ARM Cortex M0/1/3/4
     2. GCC ARM compilers are free and/or open source
     3. Need a programmer/debugger, but Discovery kits come with one; can also use the FTDI chip from the last slide as JTAG with OpenOCD (Olimex Tiny-USB JTAG etc.)
     4. No IDE, free to set up anything
     Microchip PICs
     1. Series of 8, 16, 32 bit microcontrollers
     2. Also have an IDE, based on NetBeans
     3. No completely free toolchain. Some code optimizations are paid features
     4. Provide some libraries for USB stack and peripherals etc.
     5. Need a programmer, like ICD3, which is a bit expensive but can program/debug any Microchip PIC
  10. Introduction
     • USB cable has 4 wires: GND, 5V, D+, D-
     • When you connect a device to a host, the host does 'enumeration'
     • The device describes itself to the host during this
     • You communicate with a USB device on "endpoints", which are like port numbers on an IP address in a network. Descriptors are sent on endpoint 0, which is always present
     • After enumeration, the host OS may decide to load a driver for the device, depending on the device class, or if there is no class match, on VID/PID

         Bus 002 Device 003: ID 0079:0006 DragonRise Inc. Generic USB Joystick
         Device Descriptor:
           idVendor           0x0079 DragonRise Inc.
           idProduct          0x0006 Generic USB Joystick
           bNumConfigurations      1
           Configuration Descriptor:
             MaxPower              500mA
             bNumInterfaces          1
             Interface Descriptor:
               bNumEndpoints           2
               bInterfaceClass         3 Human Interface
               bInterfaceSubClass      0 No Subclass
               Endpoint Descriptor:
                 bEndpointAddress     0x81  EP 1 IN
                 Transfer Type            Interrupt
                 wMaxPacketSize     0x0008  1x 8 bytes
               Endpoint Descriptor:
                 bEndpointAddress     0x01  EP 1 OUT
                 Transfer Type            Interrupt
                 wMaxPacketSize     0x0008  1x 8 bytes
  11. Sniffing USB
     • Linux kernel facility called 'usbmon'
     • Sort of like tcpdump for USB
     • Wireshark and vusb analyser are both free/open source
     [Screenshots: Wireshark; VUSB analyser]
  12. Talking USB
     libusb: http://libusb.info/ or http://libusb.org/
     You can talk to a device with a class/subclass or VID/PID not associated with a driver using this library. C/C++, python.
     Microcontrollers: most of the STM32 series, many PIC18 and PIC32, ATmega32U4 etc. have a USB device; some have host too.
     Linux USB gadget API
     • kernel modules to act as a USB slave (instead of host)
     • hardware should support USB peripheral mode, so most desktops can't, but many embedded ones can
     • USB serial, ethernet
     • USB HID, keyboard, mouse
     • PTP (picture transfer protocol, like in a camera, or android phones)
     • sound devices, webcam
     • file-backed storage, mass storage devices
  13. USB mass storage device class as an example
     [Figure: Flash - USB controller - Computer]
     You plug in a USB pen drive:
     • Enumeration happens on the control endpoint (EP0)
     • 2 endpoints (1 IN, 1 OUT) are set up for exchanging data
     • Data exchanges are wrapped in SCSI commands (read, write, disk size etc.)
     • In linux, the kernel loads the USB mass storage driver, which provides a block device interface like /dev/sdb
     • linux reads the partition table to detect any partitions; if present, /dev/sdb1, /dev/sdb2
     • The OS auto-mounter may mount detected partitions
     Android mass storage uses the usb gadgetfs driver in linux: it unmounts the microSD partition and makes it available to gadgetfs. Mp3 players and other devices do this. It is a means of firmware update in some devices.
  14. Block devices
     MBR - first sector, 512 bytes
     • valid boot sector signature
     • partition table: only 4 entries, hence 4 primary partitions
     • first byte of each entry is either 0x80 or 0x00, the bootable flag
     • used by IBM-compatible and other computers during boot
     Some tools for seeing binary data:
     • hd, hexdump
     • od - read as int, uint, chars etc.
     • strings - show printable characters in a file
     • xxd - hex dump to bin or reverse
     • file - try to identify the type of a file
     • dd - read parts of one file into another; everything is a file
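The MBR layout described on this slide is small enough to parse by hand, which is what a hex dump of `/dev/sdb` (or of a flash image) amounts to. The code below is an added example, not from the talk: it constructs a 512-byte MBR with two partition entries, then parses it the way a block-device layer would, refusing sectors without the 0x55AA signature, entries with an invalid bootable flag, and entries whose LBA range wraps past 32 bits. The partition types, sizes and offsets in the sample are constructed values, not taken from any device in the talk.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE          # four 16-byte entries end at 0x1FE
BOOT_SIGNATURE = 0xAA55            # stored little-endian: bytes 0x55, 0xAA at offset 510
# Entry layout: bootable flag, CHS start (3), type, CHS end (3), LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr() -> bytes:
    """Constructed MBR: one bootable FAT32 partition and one Linux partition.
    CHS fields are left zero; modern systems use the LBA fields."""
    mbr = bytearray(SECTOR)
    mbr[0], mbr[1] = 0xEB, 0x3C                     # stand-in for boot code (a short jump)
    entries = [
        (0x80, 0x0C, 2048, 204800),                 # bootable, FAT32 (LBA), 100 MiB
        (0x00, 0x83, 206848, 409600),               # not bootable, Linux, 200 MiB
    ]
    for i, (flag, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         flag, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    struct.pack_into("<H", mbr, 510, BOOT_SIGNATURE)
    return bytes(mbr)


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of an MBR, validating the fields first."""
    if len(sector) < SECTOR:
        raise ValueError("need a full %d-byte sector, got %d" % (SECTOR, len(sector)))
    (sig,) = struct.unpack_from("<H", sector, 510)
    if sig != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature (found 0x%04X)" % sig)
    parts = []
    for i in range(4):
        flag, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                                # unused entry
        if flag not in (0x80, 0x00):
            raise ValueError("entry %d: invalid bootable flag 0x%02X" % (i, flag))
        if lba == 0 or count == 0 or lba + count > 0x1_0000_0000:
            raise ValueError("entry %d: LBA range %d+%d is invalid" % (i, lba, count))
        parts.append({
            "index": i,
            "bootable": flag == 0x80,
            "type": ptype,
            "start_lba": lba,
            "sectors": count,
            "size_mib": count * SECTOR // (1024 * 1024),
        })
    return parts


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(p)
```

Run against a real first sector with `dd if=/dev/sdb bs=512 count=1 of=mbr.bin` and feed the file to `parse_mbr`; the same validation rejects a sector that the `file` tool would also fail to identify as a DOS/MBR boot sector.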
  15. STM32 USB pen drive
     [Figure: layers of host code - USB host; USB mass storage driver, bulk-only transfer, SCSI; FAT32 layer; SPI OLED display; USB device to PC]
     • Do not know, nor need to know, all layers in detail
     • Most of the USB stack and the mass storage driver is from STMicro
     • FAT32 layer is Chan's FatFs library
     • SPI OLED initialization sequence
     • data write sequence
     • character fonts
     • handling 'frame buffer'
     • Adafruit had released a similar OLED; used code from there
     USB device code
     • Modify code for USB CDC (or USB serial)
     • Bulk-only transfer, and maximum packet size (64 bytes, full speed)
     • Custom class/subclass (0xff)
     • Desktop application uses libusb to communicate
  16. Some examples
     Samsung smart TV:
     • ARM based, runs a busybox-based linux system
     • has software packages like widgets/games and firmware updates
     • updates installed via USB pen drive
     Implemented on a Gumstix board:
     • Linux USB file storage gadget
     • TV reads and checks files
     • on reading a second time, the filesystem is switched, copying own code onto the TV, which it runs as root
  17. Some more examples: CHDK, Canon Hack Development Kit
     • (2006) Programmer studies the disassembly of a firmware upgrade for his IXUS camera
     • Figures out a way to boot from SD card
     • Dumps the firmware of the camera by blinking the LED on the camera, and reading it with a light dependent resistor
     [Picture: CHDK running on a point and shoot]
     • Enhancement to camera firmware, doesn't void warranty, GPL
     • Features: RAW images, settings overrides (shutter speed, exposure, ISO), exposure/focus bracketing
     • motion detection, HDR, time lapse
     • User scripts in Lua, uBASIC
     • can make a really cheap trigger using a USB cable
     • On-screen displays, live histogram
  18. Some more examples
     OpenKinect
     • Microsoft was not willing to release open source (or otherwise) drivers for systems other than linux for the Kinect
     • Adafruit (which is a DIY/hobbyist electronics company) launched a bounty
     • they put up dumps of USB traffic from the Kinect on Windows
     • protocol reverse engineered, libfreenect
     PS3 jailbreak
     • Buffer overflow in the PS3 USB stack
     • if a device reports a smaller descriptor length than the actual one, the PS3 copies the data into a small allocated memory, causing an overflow
     • This allowed the jailbreak creators to run arbitrary code on the PS3 somehow
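Slide 10 showed the descriptors a device hands over during enumeration, and the PS3 bullet above shows what goes wrong when a host stack trusts the device's own length fields. The walker below is an added example (not code from the talk) that parses a configuration descriptor set the defensive way: every `bLength` is checked against the bytes remaining, and `wTotalLength` must match what was actually received, so a device that announces one size and delivers another is rejected rather than copied into a buffer sized for the smaller value. The sample bytes are constructed to match the joystick dump on slide 10 (one HID interface, two 8-byte interrupt endpoints 0x81 and 0x01, 500 mA); the `bmAttributes` and `bInterval` values are assumed, since the slide does not show them.

```python
import struct

DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 2, 4, 5
TRANSFER_TYPES = {0: "Control", 1: "Isochronous", 2: "Bulk", 3: "Interrupt"}


def build_joystick_config() -> bytes:
    """Constructed configuration descriptor set for the slide-10 joystick."""
    # Interface: bLength, type, number, alt setting, num endpoints, class 3 (HID), subclass, protocol, iInterface
    interface = struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, 0, 0, 2, 3, 0, 0, 0)
    # Endpoint: bLength, type, address, bmAttributes (3 = interrupt, assumed), wMaxPacketSize, bInterval (assumed)
    ep_in = struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81, 0x03, 8, 10)
    ep_out = struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x01, 0x03, 8, 10)
    body = interface + ep_in + ep_out
    # Config: bLength, type, wTotalLength, bNumInterfaces, bConfigurationValue, iConfiguration,
    # bmAttributes (bus powered), bMaxPower in 2 mA units (250 -> 500 mA as lsusb reports)
    config = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), 1, 1, 0, 0x80, 250)
    return config + body


def parse_config(buf: bytes) -> dict:
    """Walk a configuration descriptor set without trusting any length beyond the data received."""
    if len(buf) < 9 or buf[0] != 9 or buf[1] != DT_CONFIG:
        raise ValueError("no configuration descriptor header")
    (total,) = struct.unpack_from("<H", buf, 2)
    if total != len(buf):
        # The mismatch the PS3 stack did not check: claimed size != delivered size
        raise ValueError("wTotalLength %d disagrees with %d bytes received" % (total, len(buf)))
    cfg = {"num_interfaces": buf[4], "max_power_ma": buf[8] * 2, "interfaces": []}
    pos = 9
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("dangling byte at offset %d" % pos)
        blen, dtype = buf[pos], buf[pos + 1]
        if blen < 2 or pos + blen > len(buf):
            raise ValueError("descriptor at offset %d claims %d bytes, %d remain" % (pos, blen, len(buf) - pos))
        d = buf[pos:pos + blen]
        if dtype == DT_INTERFACE:
            if blen < 9:
                raise ValueError("short interface descriptor")
            cfg["interfaces"].append({"number": d[2], "num_endpoints": d[4],
                                      "class": d[5], "subclass": d[6], "endpoints": []})
        elif dtype == DT_ENDPOINT:
            if blen < 7 or not cfg["interfaces"]:
                raise ValueError("endpoint descriptor without interface, or too short")
            addr, attr, (mps,) = d[2], d[3], struct.unpack_from("<H", d, 4)
            cfg["interfaces"][-1]["endpoints"].append({
                "address": addr, "number": addr & 0x0F,
                "direction": "IN" if addr & 0x80 else "OUT",
                "transfer": TRANSFER_TYPES[attr & 0x03], "max_packet": mps})
        # Other types (e.g. class-specific HID descriptors) are skipped by bLength
        pos += blen
    for iface in cfg["interfaces"]:
        if len(iface["endpoints"]) != iface["num_endpoints"]:
            raise ValueError("interface %d announced %d endpoints, found %d"
                             % (iface["number"], iface["num_endpoints"], len(iface["endpoints"])))
    return cfg


if __name__ == "__main__":
    print(parse_config(build_joystick_config()))
```

A host stack that sizes its allocation from the first 9 bytes and then copies the full second response is exactly the pattern this parser refuses; the same check belongs in any firmware that enumerates untrusted devices (USB host ports on TVs, consoles, routers).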
  19. Router hacking
     Routers have always been closed source
     • In 2003 Linksys releases the WRT54G
     • turns out it runs linux
     • community pressure on Linksys to release source because of the linux GPL license
     • Many router firmware projects started after this
     Linksys later moved to VxWorks, but people got linux working on the new routers too.
     OpenWrt
     Most active router firmware project. Actually a linux distribution for very space-constrained systems, with router-specific additions
     • has a web interface, like in normal routers
     • generates images as squashfs/jffs2 filesystems
     • these are written on flash chips on routers
     • Based on buildroot/uClibc build system
  20. Inside a typical router
     [Photo: TP-Link WR841ND - SPI flash chip, Atheros AR9341 SoC, RAM, serial port]
     [Screenshot: OpenWrt buildroot menuconfig]
  21. OpenWrt flash layout
     [Figure: 4MB SPI flash layout]
     For just dumping flash contents, you can desolder the chip and read it (never have to).
     Some tools to analyse unknown flash contents:
     • Binwalk
     • Firmware mod kit - uses binwalk
  22. binwalk, firmware-mod-kit
     [Screenshot: Binwalk scan results]
     Firmware-mod-kit
     • it tries to detect different portions in the firmware dump
     • extracts them
     • you modify them if you want
     • repacks them, recreating CRCs or signatures again if need be
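The two steps the slide attributes to binwalk and firmware-mod-kit, finding the portions of a dump by their magic bytes and then recomputing the CRCs when repacking, are small enough to show in one place. The code below is an added example, not binwalk or firmware-mod-kit code: a signature scan with a handful of magics (uImage, SquashFS, gzip), plus a verifier for the header and data CRC32 of a legacy U-Boot uImage, which is the header most router images on a 4MB SPI flash start with. The "flash dump" is constructed inline (filler, a uImage wrapping a gzip payload, then a SquashFS magic), and its load address and image name are made-up values.

```python
import struct
import zlib

# A few magics a binwalk-style scan looks for. Short magics such as JFFS2's 2-byte
# 0x1985 are omitted here because they need node-header validation to avoid false hits.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header (U-Boot legacy image)",
    b"hsqs": "SquashFS filesystem, little endian",
    b"sqsh": "SquashFS filesystem, big endian",
    b"\x1f\x8b\x08": "gzip compressed data",
}

UIMAGE_MAGIC = 0x27051956
# 64-byte big-endian header: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
UIMAGE_FMT = ">IIIIIIIBBBB32s"
IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, IH_COMP_GZIP = 5, 5, 2, 1


def scan_for_signatures(blob: bytes) -> list:
    """Return (offset, description) for every signature occurrence, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := blob.find(magic, start)) >= 0:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def build_uimage(payload: bytes, name: bytes = b"constructed-kernel") -> bytes:
    """Wrap payload in a legacy U-Boot header with correct header and data CRCs.
    Load/entry address 0x80060000 is a constructed value."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    fields = [UIMAGE_MAGIC, 0, 0x5A5A5A5A, len(payload), 0x80060000, 0x80060000, dcrc,
              IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, IH_COMP_GZIP, name.ljust(32, b"\0")]
    header = struct.pack(UIMAGE_FMT, *fields)          # hcrc field still zero
    fields[1] = zlib.crc32(header) & 0xFFFFFFFF        # header CRC is computed with hcrc = 0
    return struct.pack(UIMAGE_FMT, *fields) + payload


def verify_uimage(blob: bytes, offset: int) -> dict:
    """Check the header CRC and data CRC of a uImage found at offset."""
    header = blob[offset:offset + 64]
    if len(header) < 64:
        raise ValueError("truncated uImage header")
    f = list(struct.unpack(UIMAGE_FMT, header))
    if f[0] != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08X" % f[0])
    claimed_hcrc, size, claimed_dcrc = f[1], f[3], f[6]
    f[1] = 0
    hcrc_ok = (zlib.crc32(struct.pack(UIMAGE_FMT, *f)) & 0xFFFFFFFF) == claimed_hcrc
    data = blob[offset + 64:offset + 64 + size]
    dcrc_ok = len(data) == size and (zlib.crc32(data) & 0xFFFFFFFF) == claimed_dcrc
    return {"name": f[11].rstrip(b"\0").decode(), "size": size,
            "header_crc_ok": hcrc_ok, "data_crc_ok": dcrc_ok}


def build_sample_dump() -> bytes:
    """Constructed flash dump: 256 bytes of erased-flash filler, a uImage whose payload
    starts with a gzip magic, 16 bytes of padding, then the start of a SquashFS image."""
    kernel = build_uimage(b"\x1f\x8b\x08" + b"K" * 200)
    return b"\xff" * 0x100 + kernel + b"\x00" * 16 + b"hsqs" + b"\x00" * 64


if __name__ == "__main__":
    dump = build_sample_dump()
    for off, desc in scan_for_signatures(dump):
        print("0x%06X  %s" % (off, desc))
    print(verify_uimage(dump, 0x100))
```

After modifying an extracted payload, the repack step is `build_uimage` run again over the new bytes: both CRCs are regenerated, which is what the slide means by "recreating CRCs". Note that a CRC is an integrity check, not a signature; a vendor image protected only by CRCs gives the device no way to tell a modified image from an original one.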
  23. More examples
     Kindle 4 (no touch): create an empty file 'ENABLE_DIAGS', restart from the menu
     • Apart from just breaking consumer stuff, this info is useful for making hardware
     • Many vendors are selling modules with router SoCs that you can use in your own projects. Ex. 8devices.com Carambola: has wifi, runs linux, easier to put in your own projects than these BGA chips
     • Arduino Yún has the same AR9331 chip (also has an ATmega32U4), runs OpenWrt
     • Fon Wireless Ltd. runs a paid wifi sharing network. Their own hardware runs an OpenWrt derivative
  24. A wireless audio receiver
     This is a small wifi audio receiver we made, based on a router SoC.
     • Carambola2 SoM, wifi, 16MB flash, 64MB RAM
     • Custom OpenWrt
     • each speaker is an AllJoyn audio sink
     • devices have master/slave modes; each mode has a config mode
     • in config mode you can connect to the device with a phone using the wifi AP
     • network configuration, DHCP, wifi access point, switching modes, starting/monitoring services etc. handled by custom scripts in Lua, since the OpenWrt code was suitable only for a router
     • Modifications to board-specific code for the kernel, for LEDs, buttons, etc.; hints taken from board-specific code for other routers
  25. Conclusion…
     • Devices use standard protocols to communicate
     • A logic analyzer is useful
     • You can make routers run your own code