Introduction to Hardware Hacking: How you too can find a decade old bug in widely deployed devices
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Subtitle |
| |
| Title of Series | ||
| Number of Parts | 335 | |
| Author | ||
| License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/48413 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
DEF CON 2747 / 335
8
9
12
14
32
38
41
58
60
61
72
75
83
87
92
96
108
115
128
132
143
152
158
159
191
193
218
230
268
271
273
276
278
295
310
320
321
335
00:00
Software bugScheduling (computing)Hacker (term)Computer hardwareMultiplication signControl flowRoundness (object)Metropolitan area networkGoodness of fit
00:46
FingerprintInformation securitySoftwareTwitterVulnerability (computing)Computer hardwareServer (computing)HypermediaControl flowWeb 2.0Hacker (term)NP-hardGastropod shellPoint (geometry)Black boxOpen setComputer animationMeeting/Interview
01:57
SoftwareFirmwareDifferent (Kate Ryan album)Computer hardwareLatent heatGoogolRight angleSlide ruleInformationInternet service providerInternettelefonieEndliche ModelltheorieSoftwareVideo gameWeb page
02:42
Computer hardwareLink (knot theory)Hacker (term)Series (mathematics)Information securityRSA (algorithm)UsabilityBlogMultilaterationComputer hardwareInformationMultiplication signSoftwareSlide ruleInternetworkingLink (knot theory)Information securityHacker (term)
03:26
Dynamic Host Configuration ProtocolNumberHacker (term)Computer hardwareComputer iconHacker (term)Endliche ModelltheorieProcess (computing)SoftwareData conversionComputer hardwareInformation securityGodPatch (Unix)Selectivity (electronic)Open sourceCodeProjective planeFirmware
05:02
WebsiteSoftwareInformation securityComputer animation
05:41
Data modelSeries (mathematics)Endliche ModelltheorieRandomizationComputer hardwareRight angleFlash memoryFile systemPoint (geometry)NP-hard
06:26
WebsiteModule (mathematics)Service (economics)Serial portOpen setVideo game consoleSurfaceBenutzerhandbuchInstance (computer science)Connected spaceCuboidSerial portComputer hardwareComputer animation
07:03
WebsiteInternet forumSummierbarkeitFirmwareSystem identificationComponent-based software engineeringPoint (geometry)PasswordComputer hardwareSystem administratorDefault (computer science)Labour Party (Malta)Instance (computer science)FirmwareConnectivity (graph theory)Interface (computing)Internet forumComputer animation
07:45
EEPROMSummierbarkeitGraphics tabletInternetworkingInstance (computer science)Greatest elementExpert systemPersonal identification numberVideo game consoleTerm (mathematics)Serial portBefehlsprozessorSlide ruleEmailFlash memoryGraph coloring
08:44
Hash functionFile systemFlash memoryInstance (computer science)Process (computing)EmailWhiteboardPoint (geometry)Software testingConnected spaceMereologyResampling (statistics)Connectivity (graph theory)1 (number)Labour Party (Malta)Product (business)Personal identification numberSoftwareSymbol tableTable (information)Proper mapSerial port
10:16
TelecommunicationSerial portSoftware testingDisk read-and-write headPhysical systemBit rateVideo game consoleDifferent (Kate Ryan album)TransmitterPersonal identification numberVoltmeterComputer hardwareComputer animation
10:58
Computer hardwareRight angleSlide ruleComputer hardwareBefehlsprozessorGreatest elementPoint (geometry)WhiteboardPersonal identification numberLink (knot theory)Different (Kate Ryan album)Number
12:05
Machine visionInstance (computer science)WhiteboardLatent heatMultiplication signArmBefehlsprozessorModule (mathematics)
12:57
Set (mathematics)Computer hardwareHacker (term)Computer hardwareHacker (term)Right angleBlock (periodic table)1 (number)CASE <Informatik>Line (geometry)MIDIPersonal identification numberGreatest elementOnline helpSurfaceCapillary actionPoint (geometry)Connectivity (graph theory)Meeting/Interview
15:26
Hacker (term)Computer hardwareSet (mathematics)LogicData conversionDifferent (Kate Ryan album)MeasurementTelecommunicationAsynchronous Transfer ModeConnected spaceBefehlsprozessorLogikanalysatorComputer hardwareProcess (computing)Analytic continuationCommunications protocolStandard deviationSoftware
16:37
Serial portVideo game consoleCommunications protocolControl flowCAN busFlash memoryEEPROMComputer programCommunications protocolCopyright infringementVideo game consoleBus (computing)Serial portLaptopComputer programmingComputer hardwareLogikanalysatorMicrocontrollerReading (process)Different (Kate Ryan album)Programmer (hardware)LogicHacker (term)
17:30
Inheritance (object-oriented programming)WhiteboardNetwork socketDigital electronicsCASE <Informatik>Range (statistics)Right angleFile systemSoftware testingPoint (geometry)Flash memoryDebuggerComputer-assisted translationEntropie <Informationstheorie>Computer animation
19:02
NP-hardWechselseitige InformationVideo game consoleInjektivitätFirmwarePower (physics)2 (number)Flash memoryHeegaard splittingSide channel attackHacker (term)Proxy server
19:37
Hydraulic jumpBootingVirtual machineEEPROMVideo game consoleReading (process)Local ringPower (physics)Kernel (computing)Branch (computer science)Data modelInterface (computing)Device driverFlash memoryWeb pageVideo game consoleFirmwareBootingEscape characterSlide ruleWhiteboardTrailVector potentialFlash memoryGoodness of fitSpacetimeComputer hardwareUniqueness quantificationSource codeJSON
20:50
SoftwareCAN busFlash memoryHash functionData recoveryFirmwareBootingMultiplicationKey (cryptography)Point (geometry)SoftwareInternet der DingeRight angleComputer hardwareInstance (computer science)CASE <Informatik>Flash memoryComputer animation
21:47
CAN busDigital electronicsComputer programmingFlash memoryCore dumpDirected setNP-hardFluxTape driveComponent-based software engineeringBefehlsprozessorPower (physics)Read-only memoryMagneto-optical driveStructural loadTouchscreenTrigonometric functionsSineFile formatError messageComputer-generated imageryRootBootingDuality (mathematics)Kernel (computing)ThumbnailFlash memoryTouchscreenFluxBootingResampling (statistics)Kernel (computing)Scripting languageElectric power transmissionPoint (geometry)Gastropod shellDigital electronicsSemiconductor memorySpacetimeComputer programmingPersonal identification numberGreatest elementPhysical systemPower (physics)CASE <Informatik>BefehlsprozessorRight angleInternettelefonieRandomizationMultiplication signBlock (periodic table)Entropie <Informationstheorie>BendingInstance (computer science)Structural loadWhiteboardConnectivity (graph theory)
25:15
Flash memoryFirmwareDressing (medical)BefehlsprozessorSemiconductor memoryHidden Markov modelComputer hardwareSurfaceFirmwareComputer fileArithmetic meanFlash memoryLaptopCASE <Informatik>InternetworkingHacker (term)Multiplication signFile systemEmailCodeBoundary value problemBinary codeArmTablet computerBookmark (World Wide Web)BlogComputer animation
26:57
Asynchronous Transfer ModeIEC-BusIcosahedronRootFlagBlock (periodic table)Execution unitPublic key certificateEmailSequenceFile formatScripting languageAlgorithmSign (mathematics)Price indexRevision controlData compressionError messageSource codeString (computer science)BootingHash functionFile systemFirmwareData modelInheritance (object-oriented programming)BootingCASE <Informatik>File systemComputer fileFirmwareAsynchronous Transfer ModeWebsiteHeegaard splittingPosition operatorString (computer science)Medical imagingLatent heatDifferent (Kate Ryan album)Source code
27:53
Hill differential equationCAN busElectronic signatureMaxima and minimaFirmwareArmCache (computing)Chi-squared distributionThumbnailOptical disc driveAddress spaceSystem callFunction (mathematics)Structural loadAbsolute valueTouchscreenEmailVector graphicsSheaf (mathematics)TouchscreenWindows RegistryEmailSystem callInternettelefonieParameter (computer programming)Binary codeAddress spaceBinary fileString (computer science)Point (geometry)CASE <Informatik>ArmAbsolute valueBootingCovering spaceFunctional (mathematics)Key (cryptography)FirmwareComputer fileSpeicheradresseBlogVideo game consoleComputer hardwareCodeSquare numberPatch (Unix)Gastropod shellInterrupt <Informatik>Process (computing)Structural loadVector spaceLink (knot theory)Scripting languageFile systemFlash memoryStack (abstract data type)Public key certificateJSON
31:13
CodeInformation managementChi-squared distributionNewton's law of universal gravitationMultitier architectureLipschitz-StetigkeitString (computer science)Binary fileBootingCAN busVideo game consoleEEPROMLie groupCASE <Informatik>Hydraulic jumpBootingStructural loadRight angleString (computer science)Greatest elementLetterpress printingAddress spacePhysical systemProper mapFunctional (mathematics)EEPROMComputer animationSource code
31:53
EEPROMInterface (computing)Serial portPeripheralRead-only memoryData typeRaw image formatReading (process)Table (information)Web pageSystem identificationView (database)WritingVideo gameWhiteboardLogikanalysatorBefehlsprozessorCommunications protocolSemiconductor memoryEEPROMSlide ruleOpcodePersonal identification numberInstance (computer science)Object-oriented programmingWritingComputer animation
32:48
Reading (process)Video game consoleEEPROMDefault (computer science)Error messageSerial portLetterpress printingComputer configurationVideo game consoleString (computer science)1 (number)BootingAddress spaceGoodness of fitFunctional (mathematics)Computer animation
33:35
EEPROMHill differential equationPersonal identification numberNo free lunch in search and optimizationVariable (mathematics)EEPROMFunctional (mathematics)Address spaceMultiplication signBefehlsprozessorCASE <Informatik>Right angleSemiconductor memoryReading (process)Computer animation
34:48
Bus (computing)PlanningCopyright infringementPatch (Unix)Video game consoleReading (process)Flash memoryGroup actionWritingBus (computing)FluxCodeComputer animation
35:31
Uniform resource nameBranch (computer science)Virtual machineRevision controlCache (computing)Associative propertySet (mathematics)Line (geometry)PiSpecial unitary groupRead-only memoryData bufferBootingSession Initiation ProtocolMach's principleKernel (computing)Reading (process)Device driverPower (physics)Annulus (mathematics)Video game consolePersonal identification numberWhiteboardPoint (geometry)CodeBoilerplate (text)Bus (computing)Inheritance (object-oriented programming)Copyright infringementVideo game consoleMedical imagingoutputSpacetimeType theoryZoom lensRootWhiteboardComputer animationSource codeJSON
36:10
MIDIEstimationWhiteboardSoftware testingMultiplication signBEEPAnalytic continuationAsynchronous Transfer ModeGraphics tabletCase moddingRight angle
36:46
Programmable read-only memoryWhiteboardMagneto-optical drivePhase transitionPersonal identification numberCursor (computers)Curve fittingVideo game consoleCuboidVideo game consoleRight angleRootGastropod shellPersonal identification numberKey (cryptography)Multiplication sign
37:36
Gastropod shellEinheitswurzelSoftware bugProcess (computing)Physical systemPOKEBinary fileStructural loadDemonSingle sign-onSoftwareMessage passingError messageString (computer science)TouchscreenVideo game consoleGastropod shellRootCoefficient of determinationProcess (computing)Open setVulnerability (computing)SequelRandomizationMessage passingMereologyPoint (geometry)Client (computing)JSONComputer animationSource code
38:35
Source codeBuffer overflowExploit (computer security)Stack (abstract data type)Integrated development environmentSet (mathematics)HTTP cookieCodeAddress spaceOpticsClient (computing)SubsetComputer configurationClient (computing)Revision controlLatent heatAuditory maskingCodeComputer configurationOpen sourceSoftware bugSource codePatch (Unix)Stack (abstract data type)Computer animation
39:33
Universe (mathematics)RippingDuality (mathematics)Integrated development environmentCAN busPhysical systemArmEmulatorCuboidKernel (computing)Wide area networkComputer-generated imageryBuildingExpressionVulnerability (computing)Right angleMultiplication signEmulatorMatching (graph theory)Physical systemArmQuery languageComputer animationJSON
40:10
Kernel (computing)Serial portComputer networkProper mapExpressionPhysical systemMenu (computing)Scripting languageStack (abstract data type)InfinityNetwork socketBinary fileConfiguration spaceCrash (computing)Time domainSoftwareDynamic Host Configuration ProtocolNetwork socketMultiplication signInternettelefonieComputer configurationCartesian coordinate systemShared memoryClient (computing)JSONComputer animation
40:49
MaizeNetwork socketRing (mathematics)Interface (computing)Thread (computing)Point (geometry)Drum memoryConvex hullData bufferCAN busDynamic Host Configuration ProtocolScripting languageInterior (topology)Address spaceCompilerExploit (computer security)Different (Kate Ryan album)Cartesian coordinate systemScripting languageBinary imageNetwork socketConfiguration spaceClient (computing)Proof theorySoftwareLibrary (computing)Level (video gaming)Software bugVulnerability (computing)Exploit (computer security)Computer animationSource codeProgram flowchartJSON
41:41
Software bugComputer configurationDynamic Host Configuration ProtocolCAN busData typeLengthComputer wormClient (computing)Electronic mailing listIn-System-ProgrammierungHacker (term)StrutJava appletDynamic Host Configuration ProtocolVulnerability (computing)Software bugComputer configurationType theoryLengthScripting languageAuditory maskingCodeComputer wormSource code
42:21
Computer programOpticsControl flowDataflowPattern languageWaveAddress spaceComputer wormExploit (computer security)CAN busSimilarity (geometry)Computer-assisted translationLevel (video gaming)CodeGastropod shellRead-only memoryGame controllerCrash (computing)Computer programmingProgrammer (hardware)Gastropod shellCodeGoodness of fitSystem callBinary codeSource codeJSONComputer animation
42:56
Level (video gaming)Read-only memoryComputer wormPhysical systemControl flowComputer configurationTime domainCAN busDifferent (Kate Ryan album)Dynamic Host Configuration ProtocolString (computer science)Structural loadPhysical systemAddress spaceString (computer science)Semiconductor memoryAutomatic differentiationDynamic Host Configuration ProtocolClient (computing)Goodness of fitDomain nameComputer configurationServer (computing)Demo (music)Configuration spaceJSON
43:42
HypermediaJava appletTouchscreenBootingServer (computing)Web 2.0Client (computing)WindowBoss CorporationSpeech synthesisRandomizationFilter <Informatik>Computer-assisted translationExploit (computer security)Video gameLaptopComputer wormRadical (chemistry)Computer animation
44:39
Computer wormChi-squared distributionStructural loadComputer configurationCAN busDifferent (Kate Ryan album)Dynamic Host Configuration ProtocolRead-only memoryString (computer science)Patch (Unix)PlastikkarteTerm (mathematics)Software bugPatch (Unix)SoftwarePhysical systemGastropod shellDynamic Host Configuration ProtocolGoodness of fitTwitterBlack boxScripting languageInstance (computer science)Firewall (computing)Annihilator (ring theory)Source codeJSON
46:00
Source code
Transcript: English(auto-generated)
00:00
without further ado because we stay on schedule Felipe is here uh from uh from Portland uh by way of uh France from what I understand and he is going to talk to the talk to us about uh breaking into embedded devices including phones uh phones that you might have on your desk at work phones that might be I'm not even gonna get into that phones that might be
00:24
around let's learn about embedded device hacking let's give Felipe a big round of applause have a good time man thank you. Thank you everyone um sorry I'm really excited to be here it's like a big honor and um yeah so today we're going to talk about hardware hacking and um I'm going to share like this introduction to it and I hope um I can share
00:44
some love about um hardware hacking. So uh who am I? I'm Felipe Loewet um I'm a senior security researcher at McAfee um Advanced Light Research so I I do um software and hardware value research and you can find me on Twitter at phloel before joining McAfee I spent two years doing um embedded security and before that I was a C plus plus dev so I'm
01:04
more coming from um software background actually so you could wonder like why should you care about um hardware hacking in the first place right? Um I can see like two main reasons uh first is like it's actually really fun and empowering to be able to um you know break up break open like a device that you're like having in your home at work
01:22
whatever and instead of considering that it's a black box you can instead you know like start poking at it and understanding how it works and then in a more like pragmatic way um if if we consider like security in the past couple of years uh software is becoming much and much harder to like break like if you try to uh I know like point like uh whatever
01:41
like um an embedded device like a web server like finding a word in the web server by itself is kind of hard but if instead you can just like open the device so like a couple of wires and get like a shell from that that's much easier so uh hardware hacking is great because it's also like a lot of uh low hanging fruits basically. So uh today we're going to talk about Avaya funds um and especially like the the fund picture on the right side of
02:04
the slide is uh 9611G model uh so Avaya is like one of the biggest uh view IP um solution provider you can find them like all over the place uh covers like 90% of the 14100 company and I think that's specific model of funds starting in 2006 and is going to be end of life like at the end of the year or something and the funny um on the
02:23
bottom right of my slide there is this uh funny like um screenshot from like a firmware download page from like a really old software firmware for these funds where um actually like you can see that um you can only download that specific firmware if you're like a DOD customer so um basically you can see that these funds are like going to a lot of
02:41
different places. So uh we're getting prior art uh in hardware hacking there's like a lot of information nowadays on the internet like you can find a lot of blog posts, tutorials um there is like the hardware hacking village that you all go and check out uh CTF as well where you can like practice uh like kind of like the software side of stuff and
03:01
um on my slides I like a bunch of links at the end uh so you can like download the slides at later time and um also the slides uh I've like the one I've uploaded I have like more text on them so it's like a more like standalone so you can read more um and yeah uh Red Balloon Security uh found like 2 RCs in the same uh phone uh something like 5
03:21
years ago or something um and I'd like a talk at RSA called Stepping Pawns that I would also recommend to check out online. So uh for the next 40 minutes um so I'm going to talk about um hardware hacking and use that phone as a base to like support that conversation um and basically the idea of like the whole situation is um like couple of
03:42
like 12 years ago maybe uh via folks some open source code and um they never applied security patches to that and um it turns out that like me by poking at the device I found that and it was like women like unnoticed for like 10 years that they were like actually like a CV that got released like 10 years ago for Defcon. So I'm going to talk
04:01
about uh how I found that like that it was like some stupid like vulnerable code inside the firmware but more interesting I think is uh talking about the whole process you know like how I did it um and why I did what I did it when oh sorry why I did stuff I did when I did it um you know like basically like sharing um the process so that and
04:22
you know also like sharing uh you know what if the stuff I tried didn't work or also actually like stuff that didn't work because you know what what works for one device might not work for another and I think just like that mental model of what we can do and what you cannot uh helps you a lot approaching like any kind of device and that's I really think why I want people to take away from that talk is more like um
04:41
learning the process so that you can check out like whatever device you have and yeah I would want to like insist that um if I can do it I think everyone in this room can do it as well as I said I'm more from like software background and hardware hacking is still like you know like um a little scary a little foreign to me but it's in the end it's really not that hard if you have like a good process and you know work with
05:01
patience. So uh how did the whole project start? Um uh to be honest I didn't know working at work and there were like all these cubicles and on every desk I see this like phone like standing on the desk and like wait a minute these phones run Linux they have you know network access they have like mics and stuff it's like how how secure is that
05:21
you know like you know you you wonder like what's up with it did people consider the security of those? So um the first step before you know even like I start like stealing my co-workers phone and breaking it apart you can and that's general step is uh you can check out the FCC websites usually like any device that has Wi-Fi or Bluetooth has to be um on the FCC website for a compliance reason. So that's what I found um that's not my
05:44
phone that's like a other model of like same brand basically and like pretty close. So you see all these cool pictures but more interesting is the um the inside of the phone. Uh so we can enhance it and um on the left side in right in red um I've added like this like random debug connector I don't know what it is but that's interesting to see that's
06:02
there. And on the right side um there is like that like um in purple there is that flash memory so that's usually where the file system of the phone is going to be stored. And the whole point of that is just to get an idea of what to expect you know before even approaching a real target like buying hardware and stuff. So that um you you know like if
06:21
it's going to be a easy target or hard target uh you know if everything was covered in black epoxy that would be harder. So another important step is like faking um getting online material like um you know um marketing brochures so you have an idea of what the phone what are the phone capabilities and the ecosystem surrounding it. So that you have
06:41
an idea of um you know like the attack surface. And you can also find like user manuals and stuff and for instance I found that one that was pretty cool. It's like a user like uh advanced user manual that says oh if you want a serial connection to the phone you need that funky box and uh yeah which is interesting it teach it tell us that yeah you can find a serial connection and you may have some special hardware for that but
07:02
are we going to see that in a bit. And uh after that you also want to check like forums and um so that you can find like what poor user are doing like for instance I found like the default password for the phone uh debug interface because um and system admin so uh talk uh talking about that online. And uh if you're lucky you can
07:20
also download the firmware of an ID of uh WhatsApp there and I will cover that in a second. Um so we have an idea of like what it might look inside. This is a hardware hacking talk so we're going to avoid warranties and so the point is like you open the phone first. Um and the trick is like usually you always expect to find the same stuff inside and uh if you look at the labels of the components you will see uh you and you
07:43
Google that uh you will find out like what it is. So for instance that's my phone and uh you can see in the center the CPU above it like the RAM in like a lavender-ish color like some unpopulated like header that I marked with a question mark. This I think the same header as the one we were like seeing in the picture before and uh it might
08:01
be JTAG I did not have to use it so I don't know actually. Uh in purple we have like the EEPROM so that's uh with the whole like some settings and stuff. Uh in dark blue in the bottom of the um of the slide is like a keyed RG45 so I was kind of kind of confused when I was looking at that and I didn't know even the term for it. And the idea is just a regular RG45 uh like Ethernet plug but with a weird um connector so that you
08:22
cannot plug the wrong stuff into it. Um and uh more interesting in yellow uh the UART. So it's UART is kind of like the serial console and um we have like this exposed like uh pads and so usually like in manufacturing or something you would have like uh pogo pins that would like directly connect to the pads and that's uh that one is actually really interesting
08:41
because you would find like ser- you would expect to find a serial console on that. And on the back uh we can see the same name flash uh that we've seen in the previous picture. And um yeah from that is like where the file system would be like stored on on the device. So okay you have um we looked at the stuff inside and like other things that are
09:01
interesting to look at is like test points and debug headers. So and like basically all these kind of stuff that are not components. And you can ask why would you expect to find them inside? And a couple of reasons like one is like just usually like the dev board that the the guys are going to use is the same as the production board and maybe they're not just not going to solder the debug components. It's the same as if you are
09:21
like software and it was built with like debug symbols for instance. And um also like part of the manufacturing process um you this test points and stuff might be used for like flashing the device or making sure it's flashed properly. And sometimes you know like something died on um in in the in the real world and they want to like do a post-mortem to understand what happened and that's useful as well. So what kind of
09:42
stuff you want to look for in that situation? You want to look at UART that we like looking at before. JTAG that I'm going to uh cover in like in a minute. And then like you can also have like random test points that are chilling there like all over the all over the table uh all over the board. And there might be like long test points like like TP1, TP2, whatever. And sometimes that might be like not interesting to you but
10:02
sometimes you can find interesting stuff like um you might find that like oh if you shot like TP64 uh with ground it's going to reset the device which might be actually useful in some extent. So uh looking at UART uh so as I said it's for like serial connection. And it comes in like 3 or 4 pins. The 3 pins will be um ground uh
10:23
transmit and receive. And the 4th pin would be like VCC so 3 volt, 5 volt whatever. And usually you don't care about that one. You don't even want to plug it. You don't have to. And might uh yeah and um the the trick to know is um the serial console uh send data at different speed. And there are only like a couple of it's called like
10:41
baud rate. And there's only like a few uh common baud rate values. So if you try to plug you your system in on into the UART and you just see gibberish on screen, probably the reason is you just have the baud rate wrong and you could just like try to cycle through like all the posi- possible one and you would find something eventually I think. Um JTAG is another one that's um interesting. Um so that's for like hardware
11:04
debugging and with that you could like you know uh debug the CPU usually and execute like instruction by instruction and what not. And it's like coming many different uh shapes, number of pins and what not. So some example like on the bottom of the slide. Uh but actually only a couple of wires are interesting and uh at the end of the slides
11:23
I'll link to like a scenario article about like understanding JTAG better. But basically like if you look on the top right side uh of my slides there is like a dev board and there's like a nice uh JTAG connector like plugged there. And on the other hand like on the bottom right it's like some uh random device I was looking at which you
11:40
can see is there should be a JTAG but it's never been soldered on and so I had to solder directly onto that stuff. And the trick to remember here if you kind of like solder your own connector is uh you actually may have to add like extra resistors called like pull up and pull down resistors that connects like one pin to ground or one pin to like VCC. And the point of that is actually I don't know the point of that
12:01
but the the reason is like if you don't have them it might not work well or it's more like most of the time it's going to be glitchy. So um and if you follow the instruction from like for instance like a ARM specification for like what resistor you need so you might skip them but then you might waste time like understanding why it's uh weird weirdly like fucked up sometimes. So I would recommend like remember the pull up and
12:22
pull down resistors. So that's just a random board that my coworker was looking at just to show you that what I said is actually fairly generic. Uh on the left side we have like you want. On the right side is like some JTAC connectors. Uh up there is the um uprise there is like the main CPU whatever that's under like a shield. And usually you do that for um preventing um interferences so it's like a wifi module so that's why. And the
12:46
cool thing to know is usually the shield is grounded so like if you're looking for the ground on your thing like either the shield on that kind of stuff or like the casing around the ethernet port or whatever is also actually like fairly useful. So uh now that we learned how to uh look into stuff we need to know what hardware you need for um
13:04
interfacing with what's inside. So I'm going to present like a bunch of uh cool hacking tool set that's important. So the first one uh you may want this pin or like the stickers I don't know if you're familiar with that but um the actually like what's really important is like safety. Um so you know don't work with stuff that's plugged in the wall. Uh remember to unplug stuff. Work in like well ventilated room. It's
13:23
important. And uh yeah just don't be stupid when you're like uh messing with hard hardware. Uh but yeah. So next uh picture from the lab uh I'm holding um the soldering iron. You can usually switch tip for like if you're like large tip for like big soldering and tiny ones for small soldering. I have a microscope so that's really useful for doing
13:44
uh tiny soldering. And the trick is I I tend to drink a lot of coffee and I shake so I would I was thinking like I couldn't do that. But actually if you um if you're careful and the the trick is like really like try to um you know when you're soldering try to hold your arm like straight and well grounded. And under the microscope you can actually do a lot of stuff that's you just don't think you you wouldn't be able to use
14:02
you would think you shouldn't be able to do it but you actually actually can. Sorry. Um top right side um it's actually used for doing tiny soldering and um it's like top right is like flux. So it's kind of um magic glue magic uh gooey substance that you put on um pins to uh when you're soldering surface mount or pads so that it works
14:24
really well. So don't never forget flux. Uh bottom is um so like in the same uh size like uh copper wires like um enamel wire that you use usually for making cords you know for like radio or whatever. Um and the trick is like the the wire is actually um coated in
14:40
uh varnish so it doesn't uh short. And you can use that to do like really tiny point to point like soldering and that's actually really useful. And just next to it you have like some desoldering wick so like the idea is if you put too much solder and you fuck it up uh you can put the wick on top of the solder blob that you messed up with and you um put the soldering iron on top of that it's going to get really hard so you want to hold it through like the plastic casing and it's going to absorb
15:03
all the like extra solder and you can clean up your stuff. And then I put like a picture of like some random like um jumper wires that uh are usually always useful to have. And on the bottom right I have like that crazy uh heat gun uh which is like 60 bucks at Home Depot it's meant to like help paint dry or something I'm not sure but it's
15:21
actually really useful for if you're on the chip if you want to remove components by just like heating them and pulling them off. So um more cool hardware um that's a multimeter um if you're not familiar with that it's you use it for um finding voltage of chip you don't know like what's the actual voltage so the black goes to ground and with the red you uh with the red probably it's like poking around to uh
15:43
measure the voltage. And the other really cool stuff is you can set it in continuity mode and when you have like connection between the two probes it beeps. So if you do like crappy soldering job as I was describing just before you can make sure that you actually did proper job where like everything is connected the way you think by you know making sure that both like when you probe like both sides it actually beeps. And
16:02
that's actually fairly useful uh tool. The other one is this is a logic analyzer uh the name is like a Sally um that's a brand. And the idea is the same as in software you have like ways of communicating between process like in hardware you have like ways of communicating between chips or the CPU and the chip and it's uh it's like a lot of different standards different ways of doing stuff. But the logic analyzer like know a lot of
16:24
them and it's going to convert like a bunch of signals that's going on to wires into actual data. And it's actually really useful that would be your eyes like when you're doing uh debugging you know. And that's like a snapshot of like some spy communication uh which spy is just some random protocol. Uh that's like an FTDI cable also come in many uh or serial cable it comes in many different shapes and stuff. And
16:44
the idea is just like when you want to do like UART you you plug that into your laptop and you connect the the other side to like the UART port and you get like a console which shows up at the serial port. And uh as an example I have um on the bottom right um like a Raspberry Pi that's you can actually get a serial console and you don't
17:01
need like HDMI cable or anything to interface with that. Whew. Um the bus pirate uh other like cool device um it does um it it's kind of dependent of the hardware hacking uh sorry the um the Sally the logic analyzer. So instead of absorbing data it's like send data so it speaks a bunch of different protocol and you can use Python to program
17:23
it. So it's extremely useful if you want to like read flash, program um micro controllers and that kind of stuff. Uh more cool stuff like how about I was talking about JTAG that's the JTAG debuggers that you that's why you would plug actually like the JTAG port on. They come in many different like uh price range and
17:41
whatnot. So on the bottom right is a flyswatter it's like for like 30 bucks I think. And it works okay and above it's like a JLink which is more fancy. And the idea is like the more expensive the stuff is the more the probably the more reliable it is and it comes with like better software and whatnot. And on the bottom right the pink board is a JTAGulator that uh Joe Grant the same guy who made like those badges uh made. And
18:03
it's really awesome so if you have like that board you don't know what it is and there's like a bunch of test point and you're like I bet there is some JTAG somewhere in it but you don't know where. You can just wire like all the test points to the JTAGulator and it's going to brute force like and try to find everything. So it's really cool. Um another interesting important tool is uh flash readers. So um usually flash contain uh the
18:23
flash has the file system and stuff. And um so you want to like interface with that. And uh it comes in two flavor I guess. You can do like in circuit stuff so you have like either like a little like clamp that you put on the chip or like the little rectangular one um and you clip on. Um so like the Raspberry Pi is a good one for that and on the top
18:43
right is like a flashcat. Uh it's like useful for the rectangular one. Um but you can also like choose to like actually desolder the chip and in that case you would have like something like a socket adapter so you can clip the chip on and then you plug it into your flashcat or whatever and it's going to read it. And I will cover like why what's what's why it's important like both in a in a minute. And finally it's kind of
19:04
the um last uh hope. So let's say uh you know your flash is encrypted, there is no URs, there is no firmware. So you can try to do like the more crazy stuff like fault injection and side channel attack. So that's a chip whisperer so like more like a kind of hard more bad ass device. And the idea with that is um it it you can do stuff like um you you uh wire it
19:25
and to the CPU and you're going to drop the power on the CPU for like a split second and it's going to like mess up some instruction and you can bypass checks and stuff. That's what people use for like gaming console hacking and and um that kind of stuff. So uh what do we do now? Um that we have an idea of what's inside the phone and um you
19:44
know um the tools we can use. So it's like I think there's three post potential track. One is messing with the URs to the serial console. Another one is uh messing with the flash and trying to recover the firmware or something and then maybe we can just download the firmware online. And the three are like valid approach and sometimes it's
20:00
good to just go from one to another to another and you know whatever you find like some hurdle you can like go from one to another. Uh so I went for the UART first and that's what I'm greeted at by when I connect my FTDI cable to the UART port that uh I was doing before. So um we can see like on the left side the um the console thing it's like dot dot dot usually when you see that you can press space or escape and it's
20:21
going to interrupt the booting process of the phone. And in that situation uh but somehow here didn't work and uh I will cover that why in a minute. And on the top right side of the slide um we can see like it read something from the EEPROM and it decided to set the console to dev null. So you don't want console to be dev null because that goes nowhere but that's interesting to know that uh there is some potential there. And
20:43
finally it says like booting Linux so it con-confirm that it's a Linux board but then uh there is nothing more uh after that. So that's some good thing but things the problems are like nothing shows up after like the Linux is as booted. Probably because of the dev null situation. And when I press keys it's not working and uh I'm going to like
21:01
come up with like why that happened. So at that point I was like ok I cannot go anywhere so I'm going to try to recover the firmware to try to understand what's up with that. Uh multiple ways of recovering firmwares uh it's like an easy way like you can download it online and actually that worked um there is like some cool snapshot of that. Uh sometimes it's encrypted, on our case it wasn't. Um but yeah so you can also try to
21:25
sniff a firmware update uh that's really useful for IoT devices in general and you can use a network tab which is like the thing pictured on the top right of the slide. Um or you can mirror your port on your switch or whatever. Uh the problem with all of that is often times the firmware update is going to do over like HTTPS or it might be and in
21:42
case you're like stuck. And then you want to go for like a more like uh hardware hacking stuff or like you're going to dump a flash for instance. And the like even more advanced technique that I will briefly like uh talk about. So uh how do you dump a flash? There is two ways as I was mentioning just before. You can do in circuit programming and um out of circuit. So in circuit is cool because you don't have to you
22:02
know like remove stuff, break stuff. But there are a couple of issues with that. Um the main idea is to read the flash you need to power the flash and if you if it's like still plugging into the whole system uh it when you're like Raspberry Pi for instance going to try to read the flash. It's going to try to power like everything else that's connected to the same like in a bus line uh power line. And either you know your
22:21
Raspberry Pi is not strong enough to power like a VoIP phone which you would expect. And in that case uh but it's just not going to work. Or maybe your Raspberry Pi is really strong and it's going to do it. But then the problem is the CPU start booting and it's going to talk with the flash and that's going also to mess up your stuff. So in that situation you have like two choices usually. Either you can try to like lift up the
22:42
pin the power pin so that it doesn't happen. Or you can kind of go a little more like yellow approach where um you want to keep the CPU in reset. So I've been successful with that many times where I just like start like trying to ground like random test points of stuff on the board praying that it's not going to fry anything. And usually at some points like I'm going to notice that okay when I do that the phone like light up but
23:03
doesn't boot. That's good. And maybe better ways you can disorder the chip with like a big like heat gun and what not. You have to be careful though because if you like pull it too hard you might like bend pins and it's going to be like useless. Um but a good trick to know is like you can make a little like um tin foil hat or whatever like
23:20
around the chip. So that like when you're heating up the chip like the stuff around it doesn't like get too hot. Uh so you don't accidentally like knock off like some like tiny like components that would be like a pain in the butt to um put back. And uh bottom right is like I was I was I thought I would have to do that on the phone so I wanted to practice first and I just took like some random USB thumb drive and I tried. And actually that worked really nice but the trick is remember I also put some flux because it
23:43
helps. And uh yeah just don't be careful with when you pull it off. A few other tricks that actually didn't work on this one but are good to know. Uh U-boot is the most common boot loader uh not used here but it's you would find that on pretty much every other device. And the idea is you can also interrupt the boot process of that and ask
24:02
nicely you would hey can you load the flash in memory? And then uh U-boot is also able to dump in a hex like in the screen um the the memory so this way you can just like write little script to do that and recover everything on the flash which is really cool. But usually like dev don't like letting you do that so they set they lock that approach so
24:21
you cannot like press space to interrupt the boot process. But there is a trick that I also call like the YOLO approach where um instead when the idea is like U-boot is going to load from the flash like the Linux kernel or something but if while it's happening you start like poking with you know like a wire that's connecting to ground you start like poking the flash like some of the pins it's going to mess up like what's uh U-boot is
24:43
reading. And after a couple of tries U-boot is going to be like damn that kernel is fucked up I don't know what to do. And it's going to give you like a shell. So that's really cool. But yeah as I said that one wouldn't work on our phone unfortunately. But uh just some cool example that I found online where like some guy actually did that. And uh I underlined in uh in like purple on the bottom like the command
25:02
you need to use to like load the the the flash in memory. And on the right side this like little block of text is um sorry is how uh U-boot is panicking and be like eh I don't know how to do with your kernel and give you the the shell. So um so a few more like tricks for um dumping a flash. So you can use JTAG. So usually you have a
25:24
if JTAG works you're going to be able to um dump the RAM. So in this case it wouldn't be really like dumping the flash it would be more dumping the firmware. But in a lot of devices it's going to load the whole stuff in memory. So if you can dump the memory you are the same means you're pretty good there. And kind of the last hope but
25:40
this that's one of my favorite about the hardware hacking is you can do crazy uh stuff. Um and an example is uh ScanLime um that person on the internet who um she had um a Wacom tablet that she wanted to dump the um the firmware off and there was like no attack surface at all. But she realized that like when you it was like USB stuff so when you plug your USB um onto the laptop there was some USB exchange that I
26:02
don't know anything of. But it sounds like USB descriptor and if you if you glitch the CPU just at that time um it's going to like you know miss like a boundary check and it's going to send way more data. And with that uh she was able to recover like the full flash uh full memory or something. So it's really impressive but and that's kind of awesome about hardware hacking. Ok so uh we recovered the firmware uh in my case
26:24
just by downloading online but what do we do now? We want to analyze it. Um the best tool for that is called binwalk and it's just basically a magic dictionary that's going to like look at your binary blob of stuff and be like hmm halfway through it looks like there is a zip file I'm going to try to extract it. It tries. Maybe it works maybe it doesn't depending if it was actually a zip file or not. And it does that for
26:43
everything. And uh it might also find like compressed file system uh such as like squashfs, gffs2 etcetera. And sometimes like your um your firmware file might just start with like health headers or just like random like arm code that you could like look at. So I run binwalk on the so that's the firmware file I've downloaded from the website. And
27:02
once again it's easy mode it's just a dot file and they already like speed it up into boot one boot two and gffs2. So like binwalk has nothing to do here really and I can just extract the all file system. And that's cool because from there I can look at what's on the phone just like that. Uh but the more interesting use case for binwalk is I took like a different uh firmware file for like a another avaya phone. And this one is way
27:24
more interesting because binwalk find like a way more a lot of stuff. And uh I've highlighted like you find the file system and is able to extract it. And there's also that random like MySQL stuff which I think is a false positive. Then you need to be aware that there will be a lot of false positives so don't blindly trust what binwalk
27:40
says. And uh really really funny stuff that I was looking at uh if you run strings on that specific image um it will find like you boot strings. So that phone is using you boot and the cool stuff I was describing before would actually work on that one. Look. So now that you have extracted the firmware file what do you want to look for? One of the most uh interesting stuff is uh finding the update mechanism. So assuming you have uh
28:04
encrypted firmware like if you reverse engineer that you might find the keys and how to extract like subsequent uh firmware updates without having to do like any hardware stuff. And then you want to look for like secrets like uh passwords, certificates, and so and so forth. Uh originally my goal was to look at the main binaries so that's the thing that
28:21
deal with like the VoIP stack uh that would make sense to look at that. And um also you want to look at the bootloader because it may have a hidden commands, explain why our console is not working, that kind of stuff. So remember the point of all of that was I wanted to get a shell on the device and um what's the process to do that? So the one I
28:40
want to go for is I want to fix the serial console you know like the dev node was not cool. Um but also our approach would be like messing with your boot arguments um not working here obviously. Uh but you know you can specify the console you want and uh the init script can be marked as like oh I want bin bash as my init script and then you have a console. Uh and like kind of last resort stuff that I was considering as well is
29:01
you could patch the firmware uh in our case the firmware is signed so uh that won't work unless you try to glitch it which is really hard. But you can also try to patch the file system so the way binwag extracts the GFFS2 stuff you could modify it and then like repack it and flash it directly onto the flash. And that's usually like a foolproof method like that would work in most cases. So instead I'm going to uh reverse um the
29:26
bootloader and um for that um because I wanted to understand like what is the console was set to dev node and stuff. I'm going to cover ARM in much detail and I would recommend you to check out Azariah Labs tutorials that cover everything but just useful
29:41
here um there is this notion in ARM of literal pool which is um inside the code section you would find some little chunk of data and that's usually like used to like load in registries um absolute addresses, immediate values, magic offset, that kind of stuff. And FYI like in case of function calls um the arguments are going to R0 to R3 the return value is
30:04
R0 and when you like want to return from your call it's the return address is saved in like the LR register that stands for like link register. Um and the big trick, the big problem here is um we're like trying to load the bootloader so it's uh it's not real ELF so if you try to import it in IDA IDA doesn't know what to do with it and so you
30:23
need to find the loading address for that stuff so it match what's where the phone is loading it. Couple of tricks um sometimes you're lucky and it's going to be printed on screen that's our case, sweet. Um but otherwise you want to look at like header file uh headers in the in the bootloader file or maybe reset vectors so that stuff where like
30:40
specifically for ARM like the CPU needs to know uh specific addresses where like there like a recess or like an interrupt happening and it's like fairly like um square like the how it that's being set up so if you find that and you find like what looks like an interrupt vector handler or something you can find like oh that must be the address. And uh finally the little puller was mentioning uh really useful because it's
31:01
going to contain like absolute addresses or point to strings and stuff so uh if if like you have strings and they look like all fucked up you probably got the wrong address. And uh Quackslab wrote a blog post about it so I would recommend you checking it out. So as I said in our case it was easy um when it boots it prints uh the jump whatever and that's actually why you should load it and um on the bottom right side
31:23
it's like a bunch of uh strings um so it's a bunch of addresses that point to strings uh this is a snapshot from IDA and um we can see that um it's uh all the strings like prints well so that means that it's loaded properly it's not like all messed up. Okay so now that we have the bootloader and we can like work it with IDA uh we want
31:42
to search for strings uh we were looking at you know like that sentence like iprom read successful whatever so we can use like cross reference in IDA to find where the string is coming from and look at the function that handles that. And uh yeah just as a FYI about like iprom and spy so the iprom that's on the board is called a spy
32:00
iprom and spy is just one of those protocol I was mentioning before. Eprom is just like a small memory uh whatever and the spy uh protocol is just like four wires um and the ID the CPU sending command and the iprom like reply and uh that's a dump from like using the logic analyzer to have a look at what it would look like in real life. Uh that's a
32:21
data sheet of the iprom uh that you can find on online if you google the label on it. Um the cool thing is in the bottom left of the slide it tells you like the pin out so you know how to connect stuff to it and on the right side of the slide um it tells you which which opcodes are for like the co- spy com- spy command you would send. Like
32:41
for instance if you send uh three it's going to be a read, if you send two it's going to be a write. So that's that's something useful to know right? Oops sorry. Back to the um back to the IDA and the bootloader we can see uh the strings we were like looking for and something extremely promising is we can see the console set to dev null but above that is
33:00
like a b- two other option and it's actually saying like oh setting console to like yard zero or yard one. So we want these ones to be printed. Um that's a that's a function that actually does print that string and uh what it does is roughly uh clean up clear some bytes on the stack and then read from iprom from a magic address and it's going to
33:22
compare like bytes uh that has just been read. And if we have the good value it's going to actually print on the console setting the console for uh dev tty uh am zero. So we want that to happen. Uh and something you can ask me is like well how did you find that read iprom function you know? And there are like multiple ways of doing that. Uh the easy
33:42
way that I've highlighted in green in that screenshot is uh on the bottom right you can see some like logging that says oh iprom read fails. So I know that function is responsible for reading iprom. Uh but maybe maybe the firmware you're going to look at is not uh as uh verbose. In which case um as I said before like to read from an
34:01
iprom you know you have to send three over SPI. So if you find like the SPI function and you see like sending three you know what it is. And that's what I've highlighted in um yellow. Um but then like how do you find the SPI function? You know it's kind of a problem. Uh two ways for that um in my case once again it was logged so it was easy. But usually like the main trick is um you have this um
34:23
something called uh mapped uh IO. A memory mapped IO. It's this kind of like magic address values in the CPU that like if you write to them it's actually going to send data over like QRT or SPI or whatever. If you're lucky you're going to have a data sheet for the CPU and it specifies exactly what are those addresses. If you're unlucky um you have
34:42
to guess and that's really hard. And at that time maybe you should like look for something else or just you know you're going to spend a lot of time on that. So we want to uh patch the iprom now so we can enable the console. The plan of action is we know the read write commands uh we want to interface with the flash. So to do that um sorry the iprom. We we um we need like a SPI uh device and we've seen before the bus
35:04
pirate is a perfect candidate for that. And we need to connect to the chip. Uh unfortunately like it's a really tiny one and so like the clip I was showing are like too big for that. You can buy online some rigs that people make um it's like expensive and it's like 5 weeks to get them. So instead I went kind of crazy and I tried to solder like um little wires onto the thing and I was like honestly that's never
35:24
going to work. But it happened to actually work and I was like sweet. And uh it's all like look like cross because it's like all the flux that remains on that. Um and that's the code for the bus pirate. It's super like boiler plate uh thing. And when you just write um these magic values that uh sorry I was asked to like uh replace them with
35:42
like emojis. But uh the idea is like just after that you're greeted with console is set to uh like you are 0 and now we have a lot of more stuff uh printed on console which is great. But unfortunately I get like this hurdle like the input are still like not working. I was like trying to press space or type like it's like asking for oh you want to
36:02
look as root what's? I type nothing happens like ugh. What happened? It's like it just cuts the trace so you cannot send data. We have the boards we can look at it. Um so uh this just like like uh zoom up on the thing and at that time I was like you know looking at the UART pad and start like with my multimeter like trying to beep out like where it goes. You know it's following the continuity testing. And eventually it
36:24
reached some wires like on the right side and the wires are that little hole that connect one side of the board to the other. So the trick is the actual like trace that connects the UART to whatever uh goes to the other side of the board and goes all back and forth and it's like really like tedious. And eventually I kind of lost where it was going but it was kind of under that mode port uh that's like the keyed uh RG45. Um and
36:46
so um remember like the recon side uh recon part? Um we have that box and it's like oh damn. That's the thing. So I kind of went to like my YOLO approach again where um I was
37:00
holding like I had a plug like a jumper cable in my um the transmit of my FTDI cable. And uh so I had like this like wire that I could poke around. And on the other side I was like pressing keys on the console trying to see if something happened. And meanwhile I was poking like to the pins one by one and I think at the second one it actually worked. And I got greeted by uh like a wood shell on the device. So
37:21
that was cool. Um but the trick was um the on the right side like a proper set up where I plugged my ethernet cable into the plug. So at that time I didn't know where the keyed RG45 was so I just like sanded the plastic of the ethernet cable so I could like shove it in. And yeah it just works so that was nice. Uh now that we have a wood shell there's like uh a lot of debug strings printed on screen and that's annoying. So um the
37:44
trick I was like ah I want to kill the process it's like that's like floating my console. Uh there's a watch dog that's going to reboot the device if that happens. So I highlight in the corner like the magic commands that you can run to kill that. It's just like random Linux stuff. Uh so now we can finally do some run research. Um and really what you're doing to do is like look at process running, poke around, look at open
38:03
ports. Uh there's just a bunch of processes uh new SQL stuff but uh that's when it's all getting interesting. I think at some point I was tired of looking in IDA and I was like I'm going to poke more. And I looked at DH client and like huh. And the really funny part is like I run DH client and I see this like 2007 copyright. I was like whoa that's not a
38:22
good thing. And if you just run DH client by itself it's like false. I was like that's weird. And if you like run it the right way they print a debug message and say oh we modified it to work it better on our device. And I was like huh that's interesting. So if we look back uh and we look for the specific version it turns out that 10 years ago
38:41
actually for Defcon uh John Oberheide um really is like an exploit for that specific version of DH client. So I was like whoa that's that's easy. Um but we want to make sure it's actually v- still vulnerable. So the um the run was like a dumb like um stack overflow like while handling DHCP options. So we can compare the original source code
39:01
with the patch source code because DH client is open source. And just keep in mind there might be like mitigation like stack cookies, ASLR, what not. So if we look at the vulnerable code on the left side we can see a memcpy like highlighted in red that's using like data dot lane as a field. While on the patch version they replace that by 4. So the idea is like this bug is uh subnet, it's a bug in the subnet mask handling. And the
39:24
subnet mask should be like 4 bytes. But the way the HTTP option works is that it can send up to like 255 bytes I think. And it used to just dump it, trust whatever you were sending which is bad. And if we look in IDA at like the actual like function, uh we can see there is no stack canary. And the vulnerability the the on the left on the right
39:40
side it's it's not using that magic 4 so it's it's obviously like still vulnerable. So it's time to exploit stuff. Um working on the phone with tedious I was like I'm going to try to set up QEMU. Um if you're not familiar with QEMU you can do like emulation of ARM stuff or like many other system. And can do either like user land or uh full system. User land wouldn't work here because uh DHCP is uh we try to modify an IP and
40:02
stuff and that's not cool. Um but instead we can do do a full system emulation and uh those tutorials tell you how to like set up a cool image for that. And we just want to set up the network properly uh because we want to interfere with DHCP and naturally um the um QEMU stack would give you a DHCP for yourself so you have to be say like don't do
40:24
that. And yeah. So I run it in the in QEMU and after like all this effort and it still like huh. So it turns out that like I modified stuff that's actually causing the segfault. And um I'm not going to cover that too fast because I'm running like a little out of time. But uh basically it's creating that weird socket uh it's like a name
40:42
socket and uh so that's like the main application that the VoIP stack can talk with each client and share options. Um and uh the idea is like that's like the main application and you can see what it does. That's not super interesting. But basically on the left side it's like sending data to configure the each client at startup. And on the right side I re-implemented that in Python. And uh you can run that with like
41:03
socket um. So socket is just a kind of like netcat in um in more like uh more tools so you can create that name socket. And the idea you run the Python script on the host, you run socket on the um QEMU like binary image and that would just work. So now we can start debugging uh DH clients. Um you can run GDB, we can try to like actually run the
41:25
POC. Uh I couldn't compile the original proof of concept. It was like using really old tools and it's just after like a couple of hours like ah fuck that I'm tired. So instead uh I use a scapi based uh exploit scapi is a Python library that lets you like you know mess with uh network packets like at a fairly low level. And um so now we want to like
41:44
reach the um vulnerable code. So um I was explaining the bug is in the subnet mask option and how the way DHCP works is like a tag length value like type of stuff. So you say oh this option is a subnet mask. Here's the length, here's the value. And obviously it was
42:01
like it should be 4 but if you send more it's fine but for the DHCP specs. And so we can use scapi for doing that. So uh that's my like a chunk of my scapi script and just the payload in properly is interesting. Um basically just sending the subnet mask option with uh data that would be like AAA BBBB CCCC and so on and so forth. So that uh when it
42:23
crashes in GDB. Uh we can see like all the register we control and we know um exactly um you know if we want to affect which register which chunk of the shellcode we need to change. And we can see that we actually controlling uh PC so the program counter so that's good. We know that we have um we can exploit we have control control for
42:42
execution. And there are like a few more details that I'm going to skip over but um we need to start to craft a shellcode now. Uh unfortunately like it looks like the stack is uh you cannot execute the stack so we would have to warp it and that's tedious. But um cool stuff is like if you look for there is like a system call in that binary that I think also I added. And we do control L4. So if we put also if we can put a string
43:05
in memory in an address we know that could be a valid like system command. And put the the address in L4 we're good. Um so if you think about it DHCP clients, DH client sorry, receive configuration values from the server. So probably there is going to be stuff that are stored somewhere and um it turns out that the ASLR is disabled. Sorry I forgot to
43:24
mention that. Uh but then we the idea is like I just like sending like AAAs as like a bunch of uh options and look at memory to see if I could find that string somewhere. And so um now I can show you uh a cool demo that's what happens when you actually run the
43:42
whole stuff. So uh on the um on the left side we have the phone that's booting. Can I do it? The phone is booting and the window uh the terminal window is like on the left side is a rock DHCP client running our payload. And on the right side is um it's a web server that uh will provide like uh post exploitation kind of stuff. So we can see the
44:03
packet is running. To make sure it works I was uh counting uh dev random on the uh on the screen so that's why it looks like a noise. It's fetching data from the um web server and I don't know if you can see but it's loading like steve.data. Uh FYI like Steve is actually my uh boss. That's him. And uh just then I'm uh still like ex- I don't know
44:25
if that's sound but I'm exfiltrating audio from the main speaker and you can see it in VLC that when I'm speaking and clapping my hands it's actually like reading the audio on the attacker laptop. So that's pretty scary because you can turn your um phone into um you know listening device. Thank you. So um yeah and just FYI like all the tools I use are
44:51
like actually already on the phone like you have like netcat, you have like stuff to like dump the audio to like stdin so you it's just like writing some shell script like bash script whatever. So um as a conclusion uh for mitigation like you want to make
45:04
sure you monitor your network so that you don't have like punks like sending uh you know like weird DHCP packets and uh actually like McAfee uh firewall like can detect that uh FYI. You want to segregate your network um to make sure that for instance the coffee pot is not able to like send the weird DHCP packets to your phone. And make sure
45:22
IT actually patch your phone because you know it's the patch got released like Avaya released a patch like a month ago. So make sure it's actually patched. And uh if you want to think about why this kind of bug happened like technical debt is really hard to handle and you know probably ask someone like in good faith um okay um someone in good faith um fogged the stuff and they forget about it so um and just as a really quick um
45:45
embedded systems are not black boxes so I would just encourage everyone to um look at them and uh you can do it now as well. So if you have questions uh ask me on Twitter or whatever and thank you for your time guys.