It's assembler, Jim, but not as we know it!

Video thumbnail (Frame 0) Video thumbnail (Frame 827) Video thumbnail (Frame 3707) Video thumbnail (Frame 5361) Video thumbnail (Frame 7338) Video thumbnail (Frame 8079) Video thumbnail (Frame 8791) Video thumbnail (Frame 10020) Video thumbnail (Frame 11849) Video thumbnail (Frame 13336) Video thumbnail (Frame 14794) Video thumbnail (Frame 16263) Video thumbnail (Frame 17787) Video thumbnail (Frame 20660) Video thumbnail (Frame 21464) Video thumbnail (Frame 24212) Video thumbnail (Frame 25192) Video thumbnail (Frame 25917) Video thumbnail (Frame 26622) Video thumbnail (Frame 27481) Video thumbnail (Frame 28350) Video thumbnail (Frame 29364) Video thumbnail (Frame 30254) Video thumbnail (Frame 31088) Video thumbnail (Frame 31798) Video thumbnail (Frame 33752) Video thumbnail (Frame 35066) Video thumbnail (Frame 36582) Video thumbnail (Frame 37671) Video thumbnail (Frame 39707) Video thumbnail (Frame 40523) Video thumbnail (Frame 41196) Video thumbnail (Frame 41870) Video thumbnail (Frame 43087) Video thumbnail (Frame 45163) Video thumbnail (Frame 47147) Video thumbnail (Frame 48186) Video thumbnail (Frame 50157) Video thumbnail (Frame 51010)
Video in TIB AV-Portal: It's assembler, Jim, but not as we know it!

Formal Metadata

Title
It's assembler, Jim, but not as we know it!
Alternative Title
(Ab)using Binaries from Embedded Devices for Fun and Profit
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
With the proliferation of Linux-based SoCs -- you've likely got one or two in your house, on your person or in your pocket -- it is often useful to look "under the hood" at what is running; Additionally, in-situ debugging may be unavailable due to read-only filesystems, memory is often limited, and other factors keep us from attacking a live device. This talk looks at attacking binaries outside their native environment using QEMU, the Quick Emulator, as well as techniques for extracting relevant content from devices and exploring them.
Arm Assembly language Bit Quicksort Student's t-test Systems engineering
Point (geometry) Laptop Complex (psychology) Game controller Service (economics) Multiplication sign Virtual machine Student's t-test Mereology Arm Theory Field (computer science) Revision control Estimator System on a chip Router (computing) Firmware Computing platform Physical system Multiplication Arm Surface Independence (probability theory) Bit Reduced instruction set computing Universe (mathematics) MiniDisc Whiteboard Quicksort Figurate number Freeware Window Reverse engineering
Game controller Water vapor Mereology Power (physics) Pi Peripheral Envelope (mathematics) Befehlsprozessor Bus (computing) Electronic visual display Data storage device System on a chip Communications protocol Booting Standard deviation Link (knot theory) Arm Content (media) Plastikkarte Line (geometry) Befehlsprozessor Block diagram Data storage device Physics Quicksort Multi-core processor Diagram
Laptop Arm Trail Flash memory 1 (number) Plastikkarte Semiconductor memory Plastikkarte Partition (number theory) Ring (mathematics) Data storage device Different (Kate Ryan album) System on a chip Bus (computing) Multimedia Right angle Multimedia Data storage device System on a chip Booting
Asynchronous Transfer Mode Flash memory Flash memory Android (robot) Plastikkarte Bit Plastikkarte Semiconductor memory SCSI Partition (number theory) Data model Population density Different (Kate Ryan album) Band matrix Multimedia Data storage device Bounded variation Booting Bounded variation Linear map Booting
Game controller Presentation of a group Flash memory Plastikkarte Mereology Power (physics) Revision control Data management Graphical user interface Peripheral Case modding Different (Kate Ryan album) Computer hardware Data storage device Wireless LAN Modem Personal identification number Decision tree learning PCI Express Plastikkarte Sound card Connected space Word Data management Integrated development environment Chain output Peripheral Quicksort Wireless LAN Bounded variation
Rule of inference Serial port Game controller Greatest element Serial port Flash memory Bit Complete metric space Power (physics) Formal language Formal language Tablet computer Kernel (computing) Computer configuration Semiconductor memory Telnet Finite-state machine Game theory Quicksort Booting Modem Booting
Android (robot) Game controller Inheritance (object-oriented programming) Code Multiplication sign Computer-generated imagery File system Video game Set (mathematics) RAID Disk read-and-write head Revision control Medical imaging Bootstrap aggregating Fluid Root Kernel (computing) File system Router (computing) Booting Computing platform Surjective function Physical system Multiplication Arm Data recovery Structural load Surface Binary code Content (media) Code Maxima and minima Basis <Mathematik> Electronic signature Shooting method Root Kernel (computing) Software Factory (trading post) Order (biology) Video game Physical system Library (computing) Booting
User interface Multiplication sign Set (mathematics) Disk read-and-write head Likelihood function Blog Computer configuration Different (Kate Ryan album) Damping Endliche Modelltheorie Information security Physical system Arm Binary code Moment (mathematics) Electronic mailing list Bit Internetworking Computer configuration Right angle Quicksort Information security Task (computing) Physical system Firmware Backup Beat (acoustics) Service (economics) Family of sets Similarity (geometry) Black box Generic programming Peripheral Term (mathematics) Internetworking Software Computer hardware Gastropod shell Booting Firmware Task (computing) Sine Consistency Debugger Stack (abstract data type) Compiler Kernel (computing) Software Blog Revision control Gastropod shell
Computer configuration Computer configuration Binary code Reverse engineering
Point (geometry) Asynchronous Transfer Mode Implementation Scripting language Local area network Multiplication sign Execution unit Spyware Revision control Broadcasting (networking) Root Internetworking File system Gastropod shell Fuzzy logic Implementation Computer-assisted translation Router (computing) Address space Injektivität Arm Spyware Interface (computing) Computer file Binary code Debugger Group action Emulator System programming Interface (computing) Fuzzy logic MiniDisc
Point (geometry) Direct numerical simulation Crash (computing) Information Root Semiconductor memory Interface (computing) System administrator Gastropod shell Planning Router (computing) Resource allocation
Server (computing) File system Configuration space Musical ensemble Information security
Graphics tablet Information Block (periodic table) Multiplication sign Flash memory Real-time operating system Spherical cap Semiconductor memory POKE File system Source code Damping Musical ensemble Routing Writing Reading (process)
Asynchronous Transfer Mode Information Interface (computing) Flash memory Plastikkarte Medical imaging Direct numerical simulation Root Semiconductor memory Touch typing File system Directed set Musical ensemble
Asynchronous Transfer Mode Greatest element Standard deviation Randomization Table (information) Information Line (geometry) Computer-generated imagery Virtual machine Plastikkarte Density of states Plastikkarte Partition (number theory) Medical imaging Hacker (term) File system Cuboid MiniDisc Directed set Multimedia Information Information security Bounded variation Spacetime
Asynchronous Transfer Mode Blog Adaptive behavior Plastikkarte Directed set Bit Software protection dongle
Point (geometry) Standard deviation Asynchronous Transfer Mode Table (information) Computer-generated imagery Density of states Surface of revolution Tracing (software) Partition (number theory) Fermat's Last Theorem Case modding Data storage device Computer hardware Computer hardware Directed set Information Data storage device MiniDisc Curvature Physical system
Axiom of choice Interface (computing) File system Binary code Plastikkarte Device driver Bit Bit rate Binary file Partition (number theory) Sign (mathematics) Logic Computer hardware Static random-access memory Logic Bus (computing) File system Right angle Information Table (information) Communications protocol Partition (number theory) Reverse engineering Row (database)
Mainframe computer Emulator Internetworking Semiconductor memory Multiplication sign Linear programming Open set Booting Coprocessor Alpha (investment)
Emulator Game controller Digital electronics Process (computing) Kernel (computing) Integrated development environment Computer hardware Energy level Parallel port Coprocessor Booting Window
Laptop Installation art Mainframe computer Tape drive Core dump Computer hardware Virtual machine Density of states Parallel port Physical system Power (physics)
Personal identification number File format Binary code Virtual machine Numbering scheme Database Density of states Binary file Revision control Inclusion map Emulator Fluid statics Fluid statics Root Synchronization File system Integrated development environment Booting Local ring Physical system Library (computing) Spacetime
Uniformer Raum Software Demo (music) Demo (music) Source code Menu (computing) Peg solitaire Physical system
Arm User interface Principal ideal domain Befehlsprozessor Demo (music) Virtual machine Source code Cuboid Bit Mereology Statistics Physical system
Bit Musical ensemble
Inclusion map Message passing Integrated development environment Demo (music) Keyboard shortcut Binary code Computer hardware Virtual machine Source code Software testing
Mainframe computer Arm Multiplication sign File system Binary code Grand Unified Theory Bit rate Mereology Rule of inference Emulation Sign (mathematics) Process (computing) Software Computer hardware Entropie <Informationstheorie> Computer hardware Router (computing) Physical system Booting
Asynchronous Transfer Mode Game controller User interface Code Computer-generated imagery PCI Express Planning Stack (abstract data type) Frame problem Entire function Revision control Blog Telecommunication Revision control Directed set Gastropod shell Buffer overflow Physical system Form (programming)
Multiplication sign Video game Plastikkarte Data management Mechanism design Bootstrap aggregating Telnet File system Encryption Bus (computing) Computer engineering Router (computing) Booting Surjective function Graphics tablet Serial port Arm Key (cryptography) Data recovery PCI Express Code Formal language Tablet computer Voting Computer configuration Password Configuration space Normal (geometry) Peripheral Musical ensemble Quicksort Probability density function Booting
Asynchronous Transfer Mode Computer file Partition (number theory) Sign (mathematics) Root Computer configuration Integrated development environment Peripheral Telnet Directed set Software framework Information Musical ensemble System on a chip Speicheradresse Booting
Arm Copyright infringement Device driver Emulator Emulator Peripheral Bridging (networking) Internetworking Computer hardware Computer hardware Bus (computing) Right angle Musical ensemble Reverse engineering Physical system Reverse engineering
hi my name is working gamer I'm a student but first you've made it to talk about arm and all sorts of fun stuff so first a little bit of a dedication of my father my father's in Tibetan systems engineer which we're seeing right here is he has one arm he taught me to build my own tools keep building your own tools you will learn so much just by exploring your world and he taught me that and I want you to come out of this at least with explore your world know how it works thanks dad
[Applause] so I'm the happiest food that ever did across the universe I know exactly where my towel is it's a little Puck I bought it from REI been fiddling with Linux stuff for a good 10 years now I got an old embedded arm board from my father at one point I've done arm services for last awhile I've I even build my own version of cyanogen just to try and get it to build on a machine I'm actually a student by day I try to not talk about it as much because it's in a completely unrelated field I'm here because it's fun so this talk is a fair amount of kind of theory there's a lot of complex and like ooh look at this you know sweet trick that you can pull this is because this sort of work the reverse engineering is one part science one part estimation - of bitter feelings about everything in the world and a little bit of hint of what the was that EEE thinking when they built this a lot of things come from experience I can point the way but I cannot see the future you will have to learn many little tools and techniques on your own there are a lot of seemingly random parts in this talk they'll all come together so first let's talk about arm the bbc2 your face arm originally stood for eric rowan RISC machine if you think you are away from an arm machine you are sorely wrong arm originally built the arm one ship for the BBC micro for a lightweight risk system acorn changed handing hands a couple of times they've never cut silicon but fun fact Intel has cut silicon not until platform multiple times especially after they have bought deck the is a actually hasn't changed about 20-30 years you can still read arm one assembly from the 80s kind of figure it out and then run it on a brand new ARM chip today there are armed devices all
around you including in routers cell phones Nass devices QNAP actually has a version of their Nass that runs on a cortex arm system Synology is another company that produces hundreds of devices that run on ARM chips and even new laptops with Qualcomm Snapdragon chips are coming out today that are running Windows Linux everything in the non SOC world arm takes up everything from smartwatches to home lighting to even in your laptop today in the surface alone there are four or five ARM chips just for things like firmware control disk access even the touchpad has two independent ARM chips the steam controller is built around a cortex I'm zero and I Kias trod free lighting system is built around and embedded ZigBee and cortex arm zero base station sony has been building arm into their cameras for a good long while and your camera today probably runs arm so let's
talk about embedded Linux kind of high-level an embedded Linux device looks like three parts storage SOC and RAM everything else is a bonus you're gonna see physical devices on iqc or USB or SDI oh there's standards for how cameras and displays work a lot of this has been hashed out pretty straightforward it looks a lot like a standard PC today and the lines are getting really blurry so let's ask it the question of what is the system on chip it's a just add water sort of easy design peripheral what you're seeing here is an orange pie with an all winner chip that is a quad-core arm device that you can get for 10 this is this is really amazing actually because now we stuff in today's world where you can put this envelope breakout board at power boot Linux for mice an SD card and actually build a device this is methods a lot of devices that are using really cheap SOC s including our phones everything looks about the same especially when you look at the block diagram everything sits on an internal bus there's a peripheral controller for external content there's a storage controller for content a GPU at CPU some external peripherals once you've seen
one you've seen them all
including ones from Intel you don't actually always see arm stuff on an SOC this is from Bay Trail SOC that goes into a laptop as you can see down there is even a old sm bus and what looks to be like boot ROM and legacy stuff to hold all of the old x86 stuff that has been sitting there with a ring away in a corner because nobody runs 32-bit x86 anymore right
storage comes to a couple different flavors MTD which is basically a cheap way to say oh this is flash emmc which are called embedded multimedia cards SD
cards and if you ever see an SD card on a device you have just won the jackpot then there's u FS u FS is a new standard that's come along in recent years for the purposes of cell phones for higher speed higher density stuff if you have a newer cell phone you are probably using this there's a lot of different
variations for this some devices have a little too onboard flash on the chip so that they can load the first-stage bootloader this is common on phones stuff like fastboot boots from this every vendor has their own way of shoving bits onto a device they all suck
Ram you're gonna see a whole lot of different variations of this vendors were notoriously tight asked especially after the terrific price fixing that SK Hynix was found of doing but consider that there's a lot of devices that have eight megabytes of RAM including the word 54 G and later they did an another revision that four Meg's of RAM but modern phones are hanging to get on the realm of a gig to four to six gigs in a pure flash environment you might actually be losing RAM because flash can sometimes be slow and faster shell things to RAM when it comes
to peripherals you've got SBI I squared C I squared sound you know these are common stuff but then I'm gonna see really crazy in there STI Oh Wireless carts are not uncommon turns out secured you know SD cards were also built for general purpose i/o devices and so they actually talked a slightly different variation of SPI you're gonna see sound cards over I squared sound GSM modems most of them are just pretending to be Hayes 80 modems power management is all the rage you'll see LEDs on your GPIO pins go look around in signage and mod will see all sort of and examples of this Linux doesn't care if they're on die this is an example from a Snapdragon 820 a PCIe a UART a PCM chain are all used just for the wireless LAN and Bluetooth this is so that they can turn Bluetooth audio into just another channel on the audio to stack and completely abstract away the actual hardware the PCIe is typically for wireless LAN connectivity and the UART is actually going to be probably for part of a baseband controller for the Bluetooth again Linux doesn't care if these are on die you could have these emulated somewhere you could have them completely non present
another good example of this is this is the next bit robin the flash on the camera is done through GPIO it's a bicolor LED but all of the LEDs in the back including the bottom notification LED are actually run off of a small TI light LED controller that has its own is a and is actually its own complete state machine when it comes to boot loaders
there's one predominant game in the market dossie you boot it has a very simple simple scripting language talks over a serial port it can pull over TFTP HTTP all sorts of stuff you can shove X modem kernels at this thing it doesn't care all you have to tell it is I'm going to put this thing in memory at this place and then jump to this place and execute some devices don't use you boot though fast boot is a very common thing to see on phones some Linux tablets are also built around you boot but more often commercial devices you might be seeing Samsung has her own stage two bootloader and such it's all something interesting
so stuck with the life and death of an SOC based device first stuff it does IDF you check to see if there's anything to load fresh code onto it then loads its intellectual initial program loader this is from the vendor typically it does any signature checking from the initial image this is typically burned straight on to die at factory then it pulls in the bootloader for early you our network wake up especially if it's a network device then you get you boot loading kernel and RAM for some other fun stuff its kicks the kernel and then you're in userspace fun shoot is in the DFU because that's the first chance you have to actually attack the device if you can get life at DFU then you can run whatever you want on it you have full control over everything that's happening if you can interrupt you boot or any other bootloader then you can run your own kernel now you can start attacking other pieces if you're gonna get an attacking user land that's still fun you can go and attack the actual surface that most people be hitting in order to start a
Linux system you need root filesystem it contains the bare minimum to boot Linux any shared object libraries binaries at the content on a fluid content actual get star balled up in a lot of routers you'll see this on consistent basis this means that like temp FS is gonna look really huge and if you try to extract content from it it's gonna look weird sometimes there's actually multiple root file systems newer Android phones are running off of a more consistent a B platform which means that you have one version of one of Android that is known good to boot and you have an unknown version that has just been applied you might find yourself scratching your head at times especially if you've gotten a dump off of a live system as to why you're not booting that that might be why so devices might actually try NFS there's a whole set of devices that internally they have a bunch of arm SSE is running DSPs and they're gonna like boot off of NFS because that's the easiest thing to do attacking these
devices comes down to scoping out your device get to know what makes your device actually run it notes what in terms of Linux what a software stack is etc if gonna start attacking cortex arm zero devices and friends then what you're gonna start doing is looking at what SOC it has what sort of JTAG ports it has what kind of backup stuff does it have or is there a known way to dump the code off of your chip arm executables are really generic arm really doesn't care as long as you can wake up the peripherals in the right way under Linux this means that you don't have to compile for a particular chip Debian has an arm HF and that's for any arm that has hard float if you have our Marg 64 binaries they'll run on any arm our 64 device as long as they can load up their loader and they're necessary shared binaries hardware vendors are also dumb and lazy you will see a lot of vices that are variations on current existing devices don't reinvent the
wheel as well and vegetative devices like this are gonna be really common really popular and they're going to be consistent centurylink for example sends out really consistently similar devices Kobo puts out devices that the only difference is what kernels are running internally everything else gets loaded at running time a wasp has a whole set of set of tasks devoted to looking at embedded IOT devices they're a little tool set can actually become really helpful for devices which talk over the Internet or what you're trying to figure out what's going on - looks like firm Walker and such they are built for you know turnkey push this at your device and see what happens they are intended to start looking and interrogating devices and services and especially running binaries just see what's going on if you are curious about this there's a fantastic model called the firmware security blog they have a whole list of tools so one option especially if it's a Linux system is say it's a UNIX system you know I know this if you're gonna shell beat against the shell you have only what's on the target only what's available at that moment this is a bit like going into the wild with a bowie knife and a sharp hiss I mean it's got work you're gonna beat your head against a brick wall for a while but you'll eventually find something but you have no debugger you have no compiler you know fuzzer you have none of the tools that most people like to play with the second option is to black box it entirely don't even try and pull apart the system just attack with externally visible things are I'm not a lawyer if you think you might be touching something that's gonna violate some NDA's get a lawyer but you have a less likelihood of running into some secret you are only out externally attacking this as though or just a black box but unfortunately you've lost the Jarvis and all you have is the bowie knife both of
these options suck so you go okay well
let's reverse it playa divert Daraa any of your you know standard reversing tools grab a beer learn you and is a and off you go this is a great way to start with stuff like embedded IOT devices like those lightbulbs from Philips IKEA etc your SmartWatch etc the problem is the do you get the binaries forget to that
you know but I'm a lazy asshole I'm with fuzz this thing I don't learn Ida well then you emulate it you have
every tool at your disposal if you're emulating debugger fuzzer cool but you still have that problem of how the hell do you get your actual you know binary of interest you get the root filesystem
especially if it is a Linux device if it's an arm such as none a standard embedded device a lot of these tools are gonna apply as well easy modus update packages these are probably the fastest way to get a root filesystem if you have a complete OTA or a lot of routers just ship an entire complete version of the filesystem they open up the disk they say cool here's my update and they just plow right over whatever is there already sometimes they are actual executables the downside is sometimes are encrypted sometimes they're really obfuscated they're sometimes they're actually intended to keep you from doing this the second trick is interview execution you're going to Eva's shell hijack some administrative in for interfaces go back to stop zero and start looking at you know what can you do is there an own attack against you know command injection can use and cat can you explore what's on the file system through some blind in command injection you I need some kind of Packer there's a lot of stuff built into most busybox implementations you're gonna have to find a way to get it to somewhere that cat is a good example curl can do some amount of push you might actually have an HD PD to follow on on the device if you can set a symlink into whatever it's using you might need some creativity I've actually done this at one point I just simply had the device send its entire disk straight over the internet over the local network to a broadcast address and use Wireshark to capture all the unit all the traffic and then pieced it back together so let's take a look at what that looks like so this is me the first time I
looked at the Technicolor C 100 t this is a DSL router sent by CenturyLink I've turned on the admin interface here and I'm just poking around what the I've been interface gives me gives you information about the memory of allocation there's some DNS redirecting that you can do this is really cool it's been running for a couple minutes I can actually muck with the way in interface here let's see if we have a shell oh look we have a root shell the world is our oyster at this point so let's go peek around they put plane crash
text credentials all over PS but what I'm starting to see is like gdb server I'm starting to see config stuff tftpd I'm certain to actually find some really cool stuff especially if you look very carefully there you can actually flash from W get straight to the device [Music] yeah this this is definitely the is security the the this is available to
CenturyLink over their backdoor so I start figuring out you know can I not
cap this thing off and then I go and I
plug a flash drive into the back because
this is meant for like shoving printers on to for printer sharing so I'm gonna copy over the MTD flash blocks just directly and there's a handful of them I don't care how many it thinks it has I'm gonna copy them all over just because I think I can some time passes this takes about ten minutes in real time and let's
go poke around some more turns out we have like scratch pad stuff there's actually some arbitrary memory read and write that I end up finding here this is some interesting useful information about how MTD is laid out looks like there's a route FS android FS update which do not appear to be intentionally overlapping but they are overlapping entirely I know what kind of file systems it has access to and you know just come playing around [Music]
so what are we get out of that we got a whole bunch of information we know that this thing has read and write commands that can touch arbitrary chunks of memory and that it can do things like DNS redirection and that this is available to CenturyLink through their administrative interface but more importantly we got the full root filesystem these are ext2 file system blobs just hanging out on a flash drive now [Music] other methods surprise is a directed extraction a lot of these devices have an SD card so pull it out and image it and you're telling me okay asshole tell
me something I can't already figure out my own damn self SD cards were hiding in
plain sight these are like Kickstarter's for devices that are literally just a Raspberry Pi a like there's a anti-villain box which is intended for like tourist security over on the bottom left there is the first-generation Amazon Kindle device it just had a standard off-the-shelf 2gig SD card that you could just pull you need more space we'll put a 16 gig card in there it doesn't care Kobo is the same way that's an SD card just SanDisk SD card you can pull out you could image it expand the file systems off you go
EMM see is just a variation on SD they're actually both simply multimedia cards it can be done you're gonna have to pull some stuff you're gonna understand how the disk is laid out in the end having some interview information is really helpful doing some reconnaissance shelling into your device playing around like a like a traditional unix hacker would give it an any random machine something to look harder by the
fact that emmc is also now pwned into e MC P which is LPD are and emmc combined however all this is made simple by China
because they need to work on iPhones and iPhones use emmc devices so these are SD card adapters that you slot your MMC device into and they turn it into a USB or SD card or you can make your own it's
just an SD card it talks for a bit it's a little bit slow but it works and these
things are everywhere these are Raspberry Pi based devices the mod berry and revolution Pi are both did mountable these are going in industrial control systems all it fails solder the rescue
you might need D solder some storage especially if you're on MMC you might need to drag out some traces you're gonna look it for JTAG if you're interested this weekend go check out the hardware hacking village and start looking at what you can do at this point
you might be looking for a logic analyzers SLA makes a really good one that's cheap runs over USB does a lot of the decoding for you there's also hardware interfaces to talk
to a lot of this stuff on the left is the bus pirate it is an open-source SRAM backed protocol analyzer it has a lot of stuff baked in on the right is the SPI driver is a little USB device that lets you make up a an SPI interface but you can run it at any speed you can see and visualize what's going on and then you why're so now that we have that you know what the hell do we do you try extracting it you mount it you take a look at what you've just pulled MMC's regularly and sometimes do have the partition tables SD cards more than likely because somebody's actually on a PC had it touched this thing go back to the reconnaissance go back to step zero and see what you found but then let automation do your work look at bin walk in walk has a fantastic tool for anybody who is getting into reverse engineering especially tools like photorec might actually be useful you might be have to get a little bit more creative ello setup and friends can do a lot of stuff like finding partition tables they can find certain records that mark that this is a file system if you're only looking for stuff for like Ida and Road alright once you have your binary of choice automation might be the easy way to get it this is kind of where you're gonna stop however if you're looking to
actually like attack this thing live you want something like um you because the problem is these devices are slow the device that sits and does my internet at home is an 18 megahertz device it has all for Ram I don't want to sit and try and figure out how to cross compile my fuzzer and something and run it on there and try to beat it against it and it takes 5 minutes to boot every time I touch up that chunk of memory it reboots and I'm down for another 5 minutes and now I'm back to where I started so if you don't be able to do some stuff it's a simple fast processor emulator for also stuff like mainframes arm mips open risk you can pretend you're an stm32f4 or you can pretend that you are a dec alpha you can run OS X on Amiga you can
even run a high Q on BOS there's two
ways to run Q mu as a full fat VM or as translating loader with the full fat VM you have full control over everything you are the hardware this is an in circuit emulator for everything you've got gdb a kernel level because you could step through the entire processor requires zero trust or whatever binary you're working with especially if you've got something that you might think as mo you probably want a special kernel if you're working with this however there's a lot of ways to make um you do what you need to do any tools that you need are you gonna have you're gonna have to push it under the target environment and I hit cross compose so that's why I definitely use the translating loader you have access to whatever you're doing downside translating loaders is that it's kind of like wine except I can't run Windows executables it's intended to run Linux executables directly you can run at a container so now you can completely automate a process you can run this in parallel you don't need a container so this is actually as a full
fat VM I have a friend that needed some
work done this is a nine crack tape drive from Overland data with a laptop running ms-dos six as a full fat VM over the parallel port interfacing with real hardware here I'm actually reading blocks out of an a OS install tape from a data general mainframe that we had picked up this is just pretend to to the system it's running on an old dos machine it's old it's slow I'm running on a Core 2 Duo this doesn't require a whole lot of power all things considered but what it does mean is that you don't have to worry about is the hardware
actually like there do I have to drag on a Doss machine no you just boot das out of a qemu as a loader you're relying on
pin format long ago Linux have the ability to just say hey I need to say that this is my executable for this type of executable I was originally for running jars so you can run jars for the command line turns out it's a great place to put emulators qmu has a static version which runs entirely in user space and it uses the magic number system that's baked into Ben format Debian puts it in there in front of this package and a couple others without a container it's dumb simple to set up you just call Ben qmu whatever static I call your binary it all goes you have to trust that your executable is not malicious you also have to have of your local libraries sync up to whatever libraries it had this works best for like big static monolithic executables like busybox however for a container you know you can bring that whole root filesystem along you can bring those weird versions of G lib see you have effectively a little jail you can run it in docker you can run in system DS machine containers it's great for when your binary is linked against some weird like oh we had this idea and let's go mangle G Lib C for
this next demo we're gonna look at a piece of software or that's running on what is more normally known as IBM z14 if anybody is familiar with s/390 X it's actually coming out with the system/360 so this is a quick user demo so here we
are we're starting an SP 90 X container from system D we have you know standard
thing here you can see that it's changed a little bit in a stop but to everything it's a standard s p90x system but for
fun we can also do this for arm again my machine just says yeah you're an arm system never them mind that this is actually internally just an x86 box it's
actually a VM running inside a vm q mu
in this way is really astonishingly powerful the big part is gonna run AFL
internally AFL is a fantastic fuzzer and AFL has support for qemu there's little bit of setup you have to bring a copy of QM you built for AFL for your target alongside I've done this in a VM it's really slow and it works so
[Music]
so here we are we're gonna run our sweet 9tx and we're gonna bind a couple of things over from the Debian machine that I'm running on the song I've compiled a FL for x86 already here's our target executable it's a 64-bit IBM s/390 executable we're gonna tell AFL hey here's your AFL pass and if I'll starts up it's got a couple of small simple tests environments and this is actually really slow but here we can see AFL is attacking an s3 90 X binary I don't have s/390 X hardware I have a cheap laptop with a VM so what we learned is that
hardware vendors are lazy as we saw that you know a lot of these devices are gonna be very similar to each other there is a lot of duplication in so many things attacking hardware means getting really creative you're gonna see a lot of stuff that whole process of pulling off a Century Link routers firmware that was the first time I had seen it and that took me just over an hour to get you know taken peek around you spend a lot of time doing reconnaissance you start looking at what is my device doing QA mio is pretty neato it is fundamentally a way to make a device pretend a piece of software depend pretend that it is on the actual piece of hardware that it believes it is QM you can actually be used for way more there is again a stm32 port you can run it on embedded arm you can run qmu on arm to pretend that it's armed if you have the wrong kind of arm for a little while I was doing this that I could use arm 64 binaries on arm 32 systems it works its slow but it works a FL also runs really slow when you're emulating x86 stuff on SPX the other way around and remember rule 0 ok this is
the the big part here that little rule 0
a lot of reconnaissance a little bit of
planning can spend you and save you hours and hours of a headache sometimes just simply noticing that there's an emmc device means olt solder it pop it into a reader I'm done I don't have to worry about how am I gonna extract this then you find out that it's encrypted well alright then you go back you start looking you start sniffing the wires a lot of creativity comes with things like when failed overflow did their attack on the PlayStation 4 they found it was just an accident so what they did is they intercepted a lot of the create the communications between two sides by running PCIe over a UART at 9600 baud so they can watch each frame visually as it went through their entire system and people are lazy remember that the Xbox one ps4 and probably upcoming versions are just x86 systems they're just playing newer and more creative forms of control on how code gets loaded attack early and find interesting ways you will
pour over documents in broken Chinese you will pour over documents in broken English I have spent many hours sitting in front of data sheets that were I copied and pasted this out of a PDF and Google Translate and then had to be translated because the company that makes it only makes it in Chinese because all the engineers are Chinese [Music] you'll see stuff you know don't be afraid to look for TFTP your device actually might pop open TFTP early Meraki devices for a long time did this and it was a really interesting yes the
comment was that a lot of consumer routers will boot from TFTP if they can't vote from their normal file system and yeah that happens if you can induce that failure it might be as simple as a paperclip okay this is you know a paperclip is how you defeat on a lot of our think pads the lockout mechanism so you cause the thing to boot miss read the boot configuration and then out comes an empty slate you go back into the boot configuration the BIOS and it goes I don't have a password all the encryption keys been wiped so I just have to reboot and you've no encryption keys this sort of stuff is pretty common again if you're interested go look at Harbor hacking village explore what hardware engineers have to build because you will wonder what the hell was that ee drinking on that day because people put PCIe devices on arm there's even there's a GPS receiver there as well and that's going over its own custom proprietary bus [Music] there are many different ways to attack
these a FL is an amazing tool if you get
it working great so any questions yes
[Music]
so for SOC from the question was how do I emulate peripherals in qmu I've worked predominantly in environments where I don't have to worry about peripherals I know that there is a framework for saying when you write this memory address really write to this device [Music]
check the qmu documentation they have a lot of how to emulate external peripherals something like the SPI
driver or bus pirate can be used as a bridge to the real hardware as well you would have to check the documentation [Music]
any questions remember I can't see all the way back fantastic thank you so much there's more resources available on the Internet definitely check out if you are more interested in US recon 2010 there was a fantastic talk by Igor Scotch insky on reverse engineering for BZ reversers as well as the fantastic JTAG explained article go look at a Linux and Linux MIPS there are many targets just you can attack there are armed devices and embedded Linux places all around you like right here this is a hundred megahertz ARM chip there are armed devices on your body there are possibly armed devices in your body there are embedded systems everywhere keep on hacking [Music] [Applause] [Music]
Feedback