assisted discovery of on chip debug interfaces joe grand
play

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) - PowerPoint PPT Presentation

Nov 28, 2023 •395 likes •766 views

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Introduction On-chip debug interfaces are a well-known attack vector - Used as a stepping stone to further an attack - Can provide chip-level control of a target

  1. Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand)

  2. Introduction • On-chip debug interfaces are a well-known attack vector - Used as a stepping stone to further an attack - Can provide chip-level control of a target device - Extract program code or data - Modify memory contents - A fg ect device operation on-the-fly • Inconvenient for vendor to remove functionality - Would prevent capability for legitimate personnel - Obfuscated or password protected instead

  3. Introduction 2 • Identifying OCD interfaces can sometimes be difficult and/or time consuming ← http://spritesmods.com/?art=hddhack

  4. Goals • Create an easy-to-use tool to simplify the process • Attract non-HW folks to HW hacking

  5. Identifying Interfaces: External • Accessible to the outside world - Intended for engineers or manufacturers - Device programming or final system test • Usually hidden or protected - Underneath batteries - Behind stickers/covers • May be a proprietary/non-standard connector

  6. Identifying Interfaces: Internal • Test points or unpopulated pads • Silkscreen markings or notation • Easy-to-access locations

  7. Identifying Interfaces: Internal 2 • Familiar target or based on common pinout - Often single- or double-row footprint - JTAG: www.jtagtest.com/pinouts/ ← www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack → www.nostarch.com/xboxfree

  8. Identifying Interfaces: Internal 3 • Can use PCB/design heuristics - Traces of similar function are grouped together (bus) - Array of pull-up/pull-down resistors (to set static state of pins) - Test points usually placed on important/interesting signals ← http://elinux.org/images/d/d6/Jtag.pdf

  9. Identifying Interfaces: Internal 4 • Might be covered by soldermask ← Linksys WRT54G2 v1.3 → http://elinux.org/File:Peekjtag3.png

  10. PCB Input protection Status Level translation Target I/F (24 channels) Propeller USB *** 2x5 headers compatible w/ Bus Pirate probes, Op-Amp/DAC http://dangerousprototypes.com/docs/Bus_Pirate

  11. Propeller/Core • Completely custom, ground up, open source • 8 parallel 32-bit processors (cogs) • Code in Spin, ASM, or C *** INFORMATION: www.parallax.com/propeller/ *** DISCUSSION FORUMS: http://forums.parallax.com *** OBJECT EXCHANGE: http://obex.parallax.com

  12. Propeller/Core 2 • Clock: DC to 128MHz (80MHz recommended) • Global (hub) memory: 32KB RAM, 32KB ROM • Cog memory: 2KB RAM each • GPIO: 32 @ 40mA sink/source per pin • Program code loaded from external EEPROM on power-up

  13. Propeller/Core 3 • Standard development using Propeller Tool & Parallax Serial Terminal (Windows) • Programmable via serial interface (usually in conjunction w/ USB-to-serial IC)

  14. USB Interface • Allows for Propeller programming & UI • Powers JTAGulator from bus (5V) • FT232RL USB-to-Serial UART - Entire USB protocol handled on-chip - Host will recognize as a virtual serial port (Windows, OS X, Linux) • MIC2025 Power Distribution Switch - Internal current limiting, thermal shutdown - Let the FT232 enumerate first (@ < 100mA), then enable system load

  15. Adjustable Target Voltage (VADJ) • PWM from Propeller - Duty cycle corresponds to output voltage - Look-up table in 0.1V increments (1.2V-3.3V) • AD8655 Low Noise, Precision CMOS Amplifier - Single supply, rail-to-rail - Voltage follower configuration - ~150mA output current @ Vo = 1.2V-3.3V

  16. Level Translation • Allows 3.3V signals from Propeller to be converted to VADJ • Prevents potential damage due to over-voltage on target device's unknown connections • TXS0108E Bidirectional Voltage-Level Translator - Designed for both open drain and push-pull interfaces - Internal pull-up resistors (40k Ω when driving low, 4k Ω when high) - Automatic signal direction detection - High-Z outputs when OE low -> will not interfere with target when not in use

  17. Input Protection • Prevent high voltages/spikes on unknown pins from damaging JTAGulator • Diode limiter clamps input if needed • Vf must be < 0.5V to protect TXS0108Es

  18. On-Chip Debug Interfaces • JTAG • UART

  19. JTAG • Industry-standard interface (IEEE 1149.1) - Created for chip- and system-level testing - Defines low-level functionality of finite state machine/ Test Access Port (TAP) - http://en.wikipedia.org/wiki/Joint_Test_Action_Group • Provides a direct interface to hardware - Can "hijack" all pins on the device (Boundary scan/ test) - Can access other devices connected to target chip - Programming/debug interface (access to Flash, RAM) - Vendor-defined functions/test modes might be available

  20. JTAG: Architecture • Synchronous serial interface → TDI = Data In (to target device) ← TDO = Data Out (from target device) → TMS = Test Mode Select → TCK = Test Clock → /TRST = Test Reset (optional for async reset) • Test Access Port (TAP) w/ Shift Registers - Instruction (>= 2 bit wide) - Data - Bypass (1 bit) - Boundary Scan (variable) - Device ID (32 bit) (optional)

  21. JTAG: TAP Controller *** State transitions occur on rising edge of TCK based on current state and value of TMS *** TAP provides 4 major operations: Reset, Run-Test, Scan DR, Scan IR *** Can move to Reset state from any other state w/ TMS high for 5x TCK *** 3 primary steps in Scan: Capture, Shift, Update *** Data held in "shadow" latch until Update state

  22. JTAG: Protection • Implementation specific • Security fuse physically blown prior to release - Could be repaired w/ silicon die attack • Password required to enable functionality - Ex.: Flash erased after n attempts (so perform n-1), then reset and continue • May allow BYPASS, but prevent higher level functionality - Ex.: TI MSP430

  23. JTAG: HW Tools • RIFF Box - www.jtagbox.com • H-JTAG - www.hjtag.com/en/ • SEGGER J-Link - www.segger.com/debug-probes.html • Bus Blaster (open source) - http://dangerousprototypes.com/docs/Bus_Blaster • Wiggler or compatible (parallel port) - ftp://www.keith-koep.com/pub/arm-tools/jtag/ jtag05_sch.pdf

  24. JTAG: SW Tools • OpenOCD (Open On-Chip Debugger) - http://openocd.sourceforge.net • UrJTAG (Universal JTAG Library) - www.urjtag.org

  25. IDCODE Scan • 32-bit Device ID (if available) is in the DR on TAP reset or IC power-up - Otherwise, TAP will reset to BYPASS (LSB = 0) - Can simply enter Shift-DR state and clock out on TDO - TDI not required/used during IDCODE acquisition LSB

  26. BYPASS Scan • In BYPASS, data shifted into TDI is received on TDO delayed by one clock cycle

  27. BYPASS Scan 2 • Can determine how many devices (if any) are in the chain via "blind interrogation" - Force device(s) into BYPASS (IR of all 1s) - Send 1s to fill DRs - Send a 0 and count until it is output on TDO

  28. UART • Universal Asynchronous Receiver/Transmitter - No external clock needed - Data bits sent LSB first (D0) - NRZ (Non-Return-To-Zero) coding - Transfer speed (bits/second) = 1 / bit width - http://en.wikipedia.org/wiki/Asynchronous_serial_ communication *** Start bit + Data bits + Parity (optional) + Stop bit(s)

  29. UART 2 • Asynchronous serial interface → TXD = Transmit data (to target device) ← RXD = Receive data (from target device) ↔ DTR, DSR, RTS, CTS, RI, DCD = Control signals (uncommon for modern implementations) • Many embedded systems use UART as debug output/console/root shell

  30. UART Scan • 8 data bits, no parity, 1 stop bit (8N1) • Baud rates stored in look-up table - 75, 110, 150, 300, 900, 1200, 1800, 2400, 3600, 4800, 7200, 9600, 14400, 19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600, 230400, 250000, 307200

  31. UART Scan 3

  32. Possible Limitations • No OCD interface exists • OCD interface is physically disconnected - Cut traces, missing jumpers/0 ohm resistors • OCD interface isn't being properly enabled - System requires other pin settings - Non-standard configuration - Password protected • Strong pull resistors on target prevent JTAGulator from setting/receiving proper logic levels • Could cause target to behave abnormally due to "fuzzing" unknown pins *** Additional reverse engineering will be necessary

  33. Future Work • Support for other interfaces - TI Spy-Bi-Wire, ARM Serial Wire Debug, Microchip ICSP, Atmel AVR ISP, Freescale BDM, LPC Bus, Flash memory (SPI NOR/eMMC NAND) • Level-shifting module? - Target voltage > 5V for industrial/SCADA equipment • Logic analyzer? - Interface w/ sigrok

  34. Get It • www.jtagulator.com *** Schematics, source code, BOM, block diagram, Gerber plots, photos, videos, other documentation • www.parallax.com *** Assembled units, accessories • http://oshpark.com/profiles/joegrand *** Bare boards

  35. Demonstration

Recommend

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Agenda Introduction

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Agenda Introduction

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand) Agenda Introduction Inspiration / Other Art Traditional HW RE Techniques On-Chip Debug Interfaces Design Requirements Hardware Firmware

1.05k views • 79 slides
System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci &amp; Eng U of South Florida

System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci &amp; Eng U of South Florida

System-on-Chip Design Microprocessor Interfaces Hao Zheng Comp Sci &amp; Eng U of South Florida 1 Basic Elements of HW/SW Interfaces 1. On-chip communica&gt;on fabrics, ex. buses 2 Memory Mapped Interfaces To resolve simultaneous writes

722 views • 25 slides
System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of

System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of

System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of South Florida 1 System Structural Model Mem CPU P1 P2 Arbiter Bridge P3 P5 P4 HW HW 2 Basic Elements of HW/SW Interfaces 1. On-chip

235 views • 22 slides
Cool Cisco IOS Commands: debug interface debug interface When you are performing debugs you have

Cool Cisco IOS Commands: debug interface debug interface When you are performing debugs you have

Cool Cisco IOS Commands: debug interface debug interface When you are performing debugs you have at least two concerns: 1) making sure the that debug does not clobber the CPU of your device, and 2) filtering the debug output to get to the

460 views • 9 slides
Laser accelerator on a chip in Lund ? Why particle accelerators matter Discovery Science

Laser accelerator on a chip in Lund ? Why particle accelerators matter Discovery Science

Laser accelerator on a chip in Lund ? Why particle accelerators matter Discovery Science Particle accelerators are essential tools of discovery for particle and nuclear physics and for sciences that use x-rays and neutrons. Medicine Tens of

448 views • 16 slides
Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki

Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki

Robot-Assisted Discovery of Evacuation Routes in Emergency Scenarios Ettore Ferranti Niki Trigoni Computing Laboratory, University of Oxford, UK Multi-Service Networks, 11th July 2008 Scenario A Group of mini robots (agents) is exploring

863 views • 34 slides
To use it, you must compile your code with the -g option CXXFLAGS += -g g++ -g debug.cpp -o

To use it, you must compile your code with the -g option CXXFLAGS += -g g++ -g debug.cpp -o

To use it, you must compile your code with the -g option CXXFLAGS += -g g++ -g debug.cpp -o debug To run, type in gdb ./debug After typing in gdb ./debug you will enter the debugger Type run and it will run

502 views • 6 slides
Free Energy Calculation (John Chodera) and AI Assisted Committor Discovery (Gerhard Hummer) Siqin

Free Energy Calculation (John Chodera) and AI Assisted Committor Discovery (Gerhard Hummer) Siqin

Selected talk at the Molecular Kinetics conference held in Berlin: Free Energy Calculation (John Chodera) and AI Assisted Committor Discovery (Gerhard Hummer) Siqin Cao Department of Chemistry The Hong Kong University of Science and Technology

310 views • 11 slides
Mark W. Miller The Pennsylvania State University Architectural Engineering Lighting/Electrical

Mark W. Miller The Pennsylvania State University Architectural Engineering Lighting/Electrical

SIBLEY MEMORIAL HOSPITAL GRAND OAKS ASSISTED LIVING FACILITY Mark W. Miller The Pennsylvania State University Architectural Engineering Lighting/Electrical Option Faculty Advisor: Dr. Mistrick Grand Oaks Assisted Living Facility Building Overview

413 views • 39 slides
CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When, Why, How? What: Code Structure used to express operations that multiple class have in common No method implementations No fields

611 views • 12 slides
Architecture Design Principles for the Integration of Synchronization Interfaces into

Architecture Design Principles for the Integration of Synchronization Interfaces into

Architecture Design Principles for the Integration of Synchronization Interfaces into Network-on-Chip Switches Daniele Ludovici Alessandro Strano Davide Bertozzi Computer Engineering lab TUDelft - NL MPSoC research group

1.48k views • 32 slides
T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces

T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces

T Topic 7 i 7 Interfaces and Abstract Interfaces and Abstract Classes Interfaces Interfaces I prefer Agassiz in the abstract, rather than in the concrete. CS 307 Fundamentals of CS 307 Fundamentals of 1 2 Computer Science

325 views • 10 slides
Who are the Chip Doctors ? Since 1991 The Chip Doctors, LLC have been providing assistance to the

Who are the Chip Doctors ? Since 1991 The Chip Doctors, LLC have been providing assistance to the

M easure, A nalyze , C orrective action, and S ustainability In Search of Chip Quality &amp; Financial Return for Biomass Products Confidential: Proprietary information that is Patented and Trade Marked by The Chip Doctors, LLC and Fiber-M, Inc.

1.2k views • 46 slides
Debug Info for Optimized Code LLVM BoF Session Adrian Prantl &amp; Vedant Kumar, Apple October

Debug Info for Optimized Code LLVM BoF Session Adrian Prantl &amp; Vedant Kumar, Apple October

Debug Info for Optimized Code LLVM BoF Session Adrian Prantl &amp; Vedant Kumar, Apple October 2018 Ten years of LLVM Debug Info Ten years of debug info in LLVM #commits to LLVM 12000 9000 6000 3000 0 2007 2008 2009 2010 2011

380 views • 8 slides
Assisted warmup with the Zing JVM Ivn Kr lov @JohnWings Assisted warmup with the Zing JVM

Assisted warmup with the Zing JVM Ivn Kr lov @JohnWings Assisted warmup with the Zing JVM

Assisted warmup with the Zing JVM Ivn Kr lov @JohnWings Assisted warmup with the Zing JVM Overview of 3 technologies Falcon compiler ReadyNow &amp; Compile Stashing Challenges (largely universal to all AOTs) Identification

887 views • 86 slides
Debug info in optimized code how far can we go? Improving LLVM debug info with function entry

Debug info in optimized code how far can we go? Improving LLVM debug info with function entry

Debug info in optimized code how far can we go? Improving LLVM debug info with function entry values RT-RK LLC Speakers: Djordje Todorovic djordje.todorovic@rt-rk.com Nikola Prica nikola.prica@rt-rk.com 1 CONFIDENTIAL Reproduction

543 views • 30 slides
Influencing and voluntary assisted dying Slide Voluntary assisted dying, euthanasia, dying with

Influencing and voluntary assisted dying Slide Voluntary assisted dying, euthanasia, dying with

Influencing and voluntary assisted dying Slide Voluntary assisted dying, euthanasia, dying with dignity, physician assisted suicide however it is labelled has been an issue confronting communities and governments for many years. It is one

109 views • 7 slides
efforts count: Best practices with the CDT Debugger Marc Khouzam ABOUT Me Working with CDT

efforts count: Best practices with the CDT Debugger Marc Khouzam ABOUT Me Working with CDT

Making your debugging efforts count: Best practices with the CDT Debugger Marc Khouzam ABOUT Me Working with CDT Debug since 2007 CDT project co-lead, lead for Debug component Things you don't like about CDT Debug are probably my

636 views • 50 slides
DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho

DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho

DeBIN: Predicting Debug Information in Stripped Binaries ht https://debin.ai Jingxuan Pesho Petar Veselin Martin He Ivanov Tsankov Raychev Vechev Binaries with debug symbols Descriptive names for functions and variables Assembly

304 views • 29 slides
Interfaces Interfaces interface : A list of methods that a class promises to implement.

Interfaces Interfaces interface : A list of methods that a class promises to implement.

Interfaces Interfaces interface : A list of methods that a class promises to implement. Interfaces give you an is-a relationship without code sharing. Only method stubs in the interface Allows object with no common ancestor to act

268 views • 13 slides
Programmable Logic Core Based Post-Silicon Debug for SoCs Bradley R. Quinton and Steven J.E.

Programmable Logic Core Based Post-Silicon Debug for SoCs Bradley R. Quinton and Steven J.E.

Programmable Logic Core Based Post-Silicon Debug for SoCs Bradley R. Quinton and Steven J.E. Wilton University of British Columbia Vancouver, B.C., Canada What this talk is about: Enhancing ASIC debug using embedded FPGA cores - Use the

334 views • 17 slides
M.A.T. Medically Assisted Therapy Jeanne Kapenga, M.D. Medically Assisted Therapy

M.A.T. Medically Assisted Therapy Jeanne Kapenga, M.D. Medically Assisted Therapy

M.A.T. Medically Assisted Therapy Jeanne Kapenga, M.D. Medically Assisted Therapy Recognized to aid in successful recovery programs along with counseling for 90% of patients Allows the natural neurochemistry to return to opioid/drug

470 views • 17 slides
Interfaces Interfaces n interface : A list of methods that a class promises to implement. q

Interfaces Interfaces n interface : A list of methods that a class promises to implement. q

10/21/12 Interfaces Interfaces n interface : A list of methods that a class promises to implement. q Interfaces give you an is-a relationship without code sharing. Only method stubs in the interface n Allows object with no common

421 views • 7 slides
Debug Info Tutorial Eric Christopher (echristo@gmail.com), David Blaikie (dblaikie@gmail.com)

Debug Info Tutorial Eric Christopher (echristo@gmail.com), David Blaikie (dblaikie@gmail.com)

Debug Info Tutorial Eric Christopher (echristo@gmail.com), David Blaikie (dblaikie@gmail.com) What is debug info? Mapping of source to binary Program structure, lines, columns, variables Debuggers, Profiling, Editors Kaleidoscope Background

653 views • 36 slides

More recommend