Analysis of a door locking system Introduction Signals Hardware - - PowerPoint PPT Presentation

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Analysis of a door locking system

Rémi Audebert Pierre Surply 2014-07-17

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 1 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Introduction

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 2 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

The situation

The door lock is broken: fix-it! Power is working, the door is always locked Control is not working

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 3 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

This talk is about. . .

Part 1: Electrical reverse engineering

Power, signals, 9N1, . . .

Part 2: Hardware reverse engineering

Microcontrollers, converters, PHY, . . .

Part 3: Software reverse engineering

PIC16F87, architecture, banking, . . .

Part 4: A practical use of this knowledge

The big picture, controlling a door ourself

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 4 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Signals

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 5 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Probing

Figure 1: Probe points

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 6 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Probing

Our goal: identify signals Possible signals:

Power Ground(s) Clock Data Differential data Pull up

Tools Multimeters Digital Oscilloscope (ATTEN ADS1102CAL 100MHz) Logic analyser (Saleae Logic)

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 7 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Probing

Figure 2: Probe points

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 8 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Pinout

5V Ground ? ? ? ?

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 9 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Frame analysis

Figure 3: Frame

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 10 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Frame analysis

Figure 4: Frame

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 11 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Standard data signals

UART TTL I2C RS232 SPI . . .

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 12 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

SPI

Figure 5: Frame

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 13 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Chip Select

Figure 6: Frame

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 14 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

MOSI

Figure 7: Frame

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 15 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Pinout (SPI)

5V Ground MOSI MISO SS SCK

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 16 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

MISO

Figure 8: Frame

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 17 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Probing

Figure 9: Probe points

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 18 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

The hanging connector

Figure 10: Ceiling cable

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 19 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Probing

Our goal: identify signals Possible signals:

Power: 12V Ground: Yes Clock Data Differential data: On two wires

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 20 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Standard data signals

UART TTL SPI I2C RS232 Ethernet PHY CAN RS485

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 21 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Standard data signals

UART TTL SPI I2C RS232 Ethernet PHY CAN RS485 RS485 in short Two wires: A and B Differential signal:

A - B <-200mV is 1 A - B >+200mV is 0

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 21 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Multidrop RS485

Same bus One master, many slaves Bidirectional communication:

Master polls slaves periodically Slave answer when talked to

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 22 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Frame

No clock!

Figure 11: A word in this protocol

Principles of 9bit data mode 9th bit is used to signal an address The slave only listen when the address matches it’s own

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 23 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Messages

Figure 12: Message structure

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 24 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Modbus

Modbus RTU Another serial communication protocol Similarities Same CRC polynom Message format Differences with modbus RTU Not the same function Use an address bit Broadcast address is FF

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 25 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Probing: done!

Figure 13: Probe points

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 26 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Hardware

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 27 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

We have boards

Identify the parts Dump what you can

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 28 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Recognizing the parts

“Passive” components:

Resistors Capacitors Inductors

“Active” components:

Microcontrollers PHY, signal converters

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 29 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Components

Screen Board UART to RS232 PIC16F877 Secu Board UART to RS485 Relay PIC18F6720 Unknown Board UART to RS485 Ethernet PHY PIC18F2480

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 30 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

The board we worked on

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 31 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Software

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 32 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Microcontroller: PIC16F877

A very common 8bit µC. RISC: 35 instructions 8K Flash program memory 368 bytes of RAM 256 bytes of EEPROM Program instruction bus: 14bits Program counter: 13bits Data bus: 8bits Dumping the flash Code protection: No!

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 33 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Harvard computer architecture

Code and data are stored in different memories

Program memory Data memory Control Unit Harvard

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 34 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

PIC16F87: reverse engineering hints

Software sleeps Banking systems Indirect read/writes PIC’s version of progmem/progspace

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 35 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

PIC16F87: Sleeping

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 36 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

PIC16F87: Memory Banks

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 37 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

PIC16F87: Memory Banking

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 38 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

PIC16F87: Indirect read/write macros

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 39 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

PIC16F87: Storing data in program space

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 40 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

PIC16F87: Storing data in program space

Figure 14: PIC paging

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 41 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

In situ

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 42 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

The situation

The door lock is broken: fix-it! Power is working, the door is always locked Control is not working

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 43 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Topology

Figure 15: Topology

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 44 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Hook

Figure 16: Our wire

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 45 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Topology

Figure 17: Topology

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 46 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Conclusion

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 47 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Our analysis

This system is too rigid: custom hardware, half-duplex Not resilient too power failure: every thing is online, multiple SPOF No security: clear text communication

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 48 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Going further

• Misc. good reads

http://www.bunniestudios.com http://www.spritesmods.com http://www.devttys0.com Hardware hacking exercices http://blog.scrt.ch/2013/03/26/insomnihack-2013-life-is- hardware/ http://www.balda.ch/posts/2014/Apr/01/ins14-life-is- even-harder/ https://microcorruption.com

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 49 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Thanks

Pierre Bourdon Théo Christian Dujardin Evolutek<< Prologin

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 50 / 51

Analysis of a door locking system Rémi Audebert, Pierre Surply Introduction Signals Hardware Software In situ Conclusion

Conclusion

Contact Rémi ‘halfr’ Audebert

IRC: halfr@irc.rezosup.org Mail: halfr@lse.epita.fr Twitter: @halfr

Pierre ‘Ptishell’ Surply

IRC: Ptishell@irc.rezosup.org Mail: surply@lse.epita.fr Twitter: @Ptishell

Rémi Audebert, Pierre Surply Analysis of a door locking system 2014-07-17 51 / 51