HydraBus An Open Source Platform HydraBus/HydraFW GitHub Hardware - PowerPoint PPT Presentation


  1. HydraBus An Open Source Platform

  2. HydraBus/HydraFW GitHub
  ● Hardware / Schematics on GitHub (format Eagle 6.x/7.x)
    – https://github.com/hydrabus/hydrabus
    – License CC-BY-NC
  ● Firmware HydraFW Wiki on GitHub
    – https://github.com/hydrabus/hydrafw/wiki
    – Apache License (external libraries use their own license)

  3. HydraFW
  ● HydraFW is the embedded software/firmware (FW = FirmWare) for the HydraBus hardware; it also supports hardware extensions such as HydraNFC/HydraFlash...
  ● It is compatible with Bus Pirate commands: http://dangerousprototypes.com/docs/Bus_Pirate_menu_options_guide#Bus_interaction_commands

  4. HydraBus & The IoT

  5. Communication with external world / IoT
  ● Serial Port (USART/UART)
  ● I2C Bus: slow bus, sensors, memories...
  ● CAN/LIN Bus: slow bus, sensors (mainly automotive)
  ● SPI Bus: fast bus, Wifi / BlueTooth / NFC...
  ● SD/SDIO (microSD, SDIO Bluetooth/Wifi...)
  ● USB Bus
  ● ADC & DAC (Analog <=> Digital)
  ● GPIO (Input/Output)
  ● Parallel Bus (Nand Flash)

  6. What to do with a HydraBus ?
  ● The HydraBus is 40x faster than a BusPirate or an Arduino Uno, which is very convenient to communicate with fast signals (Serial/Parallel...)
  ● MCU HydraBus: STM32F415 @ 168MHz, Cortex-M4F 32 bits, 44 I/O (84MHz max), 1MB flash, 192KB SRAM, power consumption < 100mA (less than 2mA in low power mode)
  ● Use cases
    – "Speak" with an electronic device/chipset: sensors, Wifi module (ESP32), NFC, Nand Flash, EEPROM..., Arduino (SPI, UART...)
    – "Spy" (MITM) on an electronic device (SPI/UART/CAN bus...): car (CAN), IoT gadgets...
    – "Analyze" signals (analog or digital) with the help of the SUMP protocol and open source software like sigrok / PulseView
    – "Reverse engineer" an electronic device (IoT...): router (WRT54G JTAG, UART), car, RFID (NFC...), smart lighting...

  7. HydraFW main console commands
  ● OS commands (ChibiOS): show system/memory/threads
  ● sdcard commands (sd): mount/umount, erase, cd <dir>, pwd, ls [opt dir], test_perf, cat <filename>, hd <filename>, rm <filename>, mkdir <filename>, script <filename>
  ● Commands: ADC/DAC, PWM, GPIO
  ● Bus modes: SPI, I2C, UART, JTAG, 1-wire/2-wire/3-wire, CAN (HydraCAN), Flash (HydraFlash), NFC (HydraNFC)

  8. HydraFW Bus Mode protocol
  Protocol interaction (the same commands work in every supported bus mode):
  ● [    Start (for SPI, I2C: enable Chip Select)
  ● ]    Stop (for SPI, I2C: disable Chip Select)
  ● :    Repeat count (e.g. r:10)
  ● &    Delay in us (supports an optional repeat :)
  ● %    Delay in ms (supports an optional repeat :)
  ● 123 0x12 0b110 "hello"    Write 8-bit value(s) / string (supports an optional repeat :)
  ● r    Read (one byte per repeat), or hd HexDump (both support an optional repeat :)
  ● During a blocking read or write that waits for data (for example in Slave mode), you can abort the wait by pressing the HydraBus UBTN; otherwise the wait times out after about 10s.
  Example: HexDump of an SPI EEPROM: [ 0b11 0 hd:32 ]
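As an added illustration (not part of the original slides and not HydraFW code), the following Python parses a console line written in the syntax above into bus operations and then folds it into what actually happens on the SPI wires between `[` and `]`: the bytes clocked out on MOSI and the number of bytes clocked in while chip select is asserted. The operation names, the rule that tokens are separated by whitespace or brackets, and the requirement that reads and writes sit inside a chip-select window are this example's own modelling choices.

```python
import re
from typing import List, Tuple

# Tokens of the HydraFW bus-mode syntax listed above. Tokens must be followed by
# whitespace, a bracket or end of line; value tokens carry an optional ":N" repeat count.
TOKEN_RE = re.compile(
    r'\[|\]|(?:'
    r'"([^"]*)"'                                   # "string": written byte by byte
    r'|(hd|r|&|%)(?::(\d+))?'                      # hexdump / read / delay us / delay ms
    r'|(0x[0-9a-fA-F]+|0b[01]+|\d+)(?::(\d+))?'    # 8-bit value in hex, binary or decimal
    r')(?=[\s\[\]]|$)'
)

# ("cs_enable",) | ("cs_disable",) | ("write", bytes) | ("read", n) | ("hexdump", n)
# | ("delay_us", n) | ("delay_ms", n)
Op = Tuple


def parse_bus_command(line: str) -> List[Op]:
    """Turn one console line such as '[ 0x03 0x00:3 hd:16 ]' into a list of bus operations."""
    ops: List[Op] = []
    pos = 0
    for m in TOKEN_RE.finditer(line):
        if line[pos:m.start()].strip():
            raise ValueError("unexpected text %r" % line[pos:m.start()])
        pos = m.end()
        tok = m.group(0)
        if tok == "[":
            ops.append(("cs_enable",))
        elif tok == "]":
            ops.append(("cs_disable",))
        elif m.group(1) is not None:
            ops.append(("write", m.group(1).encode("ascii")))
        elif m.group(2):
            names = {"hd": "hexdump", "r": "read", "&": "delay_us", "%": "delay_ms"}
            ops.append((names[m.group(2)], int(m.group(3) or 1)))
        else:
            text = m.group(4)
            value = int(text, 0) if text[:2] in ("0x", "0b") else int(text, 10)
            if value > 0xFF:
                raise ValueError("%s does not fit in 8 bits" % text)
            ops.append(("write", bytes([value]) * int(m.group(5) or 1)))
    if line[pos:].strip():
        raise ValueError("unexpected text %r" % line[pos:])
    return ops


def wire_transactions(ops: List[Op]) -> List[Tuple[bytes, int]]:
    """Fold the ops into one (bytes clocked out, bytes clocked in) pair per chip-select
    window. Delays are ignored; reads and writes outside a window are rejected."""
    result: List[Tuple[bytes, int]] = []
    current = None
    for op in ops:
        kind = op[0]
        if kind == "cs_enable":
            if current is not None:
                raise ValueError("nested '['")
            current = [bytearray(), 0]
        elif kind == "cs_disable":
            if current is None:
                raise ValueError("']' without '['")
            result.append((bytes(current[0]), current[1]))
            current = None
        elif kind in ("write", "read", "hexdump"):
            if current is None:
                raise ValueError("%s outside a chip-select window" % kind)
            if kind == "write":
                current[0] += op[1]
            else:
                current[1] += op[1]
    if current is not None:
        raise ValueError("missing ']'")
    return result


if __name__ == "__main__":
    for cmd in ("[ 0b11 0 hd:32 ]", "[ 0x03 0x00:3 hd:16 ]"):
        print(cmd, "->", wire_transactions(parse_bus_command(cmd)))
```

The second command is the one used against the router's flash later in the deck: it comes out as four bytes on MOSI (0x03 and a three-byte address) followed by sixteen bytes read, which is exactly what the console reports as WRITE and hex dump.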

  9. Use cases

  10. What is IoT ?
  ● A device somehow connected to a smartphone or to the Internet
  ● Which can be an embedded GNU/Linux system or a proprietary firmware
  ● Which is a SoC or a microcontroller with peripherals or sensors
  ● ...
  ● Which basically is a bunch of chips communicating with each other

  11. Bug hunting IoT
  ● Primary target: the device firmware
    – Main source of vulnerabilities found there
  ● Not always accessible from the vendor website
    – Firmware updates can be encrypted
  ● Hidden interfaces can be available
    – Serial console or debugging interfaces

  12. Case 1
  ● Home router
  ● Crack open the case
  ● Undoubtedly the trickiest part in the process

  13. Components
  ● List the main components
    – Read their part number (the marking printed on the package) and search for the datasheets

  14. $CHIP1
  ● Part number: RT63365e
  ● Search for the part number online
    – « ADSL2+ processor for residential gateways »
    – MIPS architecture
    – No flash memory: the firmware must be stored elsewhere
  ● Let's skip this for the moment

  15. $CHIP2
  ● Part number: 25q16bvsig
  ● Search for the part number online
    – SPI EEPROM (Electrically-Erasable Programmable Read Only Memory); strictly speaking the Winbond W25Q16BV is a 16 Mbit serial NOR flash, but it is read with the same 0x03 READ opcode as 25-series SPI EEPROMs, with a 3-byte address
    – Memory array
    – Data is kept even when the chip is not powered
    – Used to store data
  ● Probable firmware location!

  16. SPI
  ● Serial Peripheral Interface
  ● Bus topology
  ● Four wires
    – SCLK (Clock)
    – MISO (Master In / Slave Out)
    – MOSI (Master Out / Slave In)
    – SS (Slave Select, also called Chip Select / CS)

  17. Connect EEPROM to Hydrabus
  ● From the datasheet, get the chip pinout
  ● From the Hydrabus CLI, get the SPI pins: show pins
  ● Wire everything together: either wires, hooks or a clip
  http://www.datasheetlib.com/datasheet/374450/25q16bvsig_winbond-electronic.html

  18. Send EEPROM commands
  ● Read the datasheet and send the correct read command: 0x03 (READ) followed by a 24-bit address, then clock out the data
  ● Display a hex dump of the content

      > spi
      Device: SPI1
      GPIO resistor: floating
      Mode: master
      Frequency: 320khz (650khz, 1.31mhz, 2.62mhz, 5.25mhz, 10.50mhz, 21mhz, 42mhz)
      Polarity: 0
      Phase: 0
      Bit order: MSB first
      spi1> [ 0x03 0x00:3 hd:16 ]
      /CS ENABLED
      WRITE: 0x03 0x00 0x00 0x00
      00 00 08 25 00 00 10 25 00 00 18 25 00 00 20 25 | ...%...%...%...%
      /CS DISABLED
      spi1>

  0x00:3 repeats the address byte three times (address 0x000000) and hd:16 reads 16 bytes while /CS is still asserted.
  http://www.datasheetlib.com/datasheet/374450/25q16bvsig_winbond-electronic.html

  19. Dump the whole image
  ● Reading a few bytes is fine to prove that everything is working
  ● Now, create a script that dumps the whole EEPROM to a file

      # Python 2 + pyserial, talking to HydraFW's binary (BBIO) mode
      import serial
      import struct
      import time

      # number of 4 KiB chunks to read: W25Q16 = 16 Mbit = 2 MiB = 512 x 4096 bytes
      size = 512

      ser = serial.Serial('/dev/hydrabus', 115200)

      # 20 NUL bytes switch HydraFW from its console to binary (BBIO) mode
      for i in xrange(20):
          ser.write("\x00")
      if "BBIO1" not in ser.read(5):
          print "Could not get into bbIO mode"
          quit()

      # 0x01 selects the SPI binary mode
      ser.write('\x01')
      if "SPI1" not in ser.read(4):
          print "Cannot set SPI mode"
          quit()

      addr = 0
      buff = ''
      print "Reading data"
      start = time.time()
      while (addr < 4096 * size):
          # BBIO "write then read": 0x04, 2-byte write count (4), 2-byte read count (4096)
          ser.write('\x04\x00\x04\x10\x00')
          # READ opcode 0x03 followed by the 24-bit address (drop the top byte of the 32-bit pack)
          ser.write('\x03')
          ser.write(struct.pack('>L', addr)[1:])
          # 1 status byte (0x01 = OK), then the 4096 data bytes
          if ser.read(1) != '\x01':
              print "Read failed at address 0x%06x" % addr
              quit()
          buff += ser.read(4096)
          addr += 4096
      print ""
      end = time.time()
      print "Read %d bytes in %.1f s" % (len(buff), end - start)
      out = open('/tmp/image.bin', 'wb')
      out.write(buff)
      out.close()
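Added example, neither the slides' script nor HydraBus project code: a Python 3 version of the same BBIO exchange with both sides spelled out. FakeHydraBus is a constructed stand-in for the serial port that answers the way the slide shows the board answering (20 NULs give "BBIO1", 0x01 gives "SPI1", a 0x04 write-then-read gives a status byte followed by the data); the 4096-byte transaction limit, the 0x00 failure status and the 0xFF reply to an unknown flash opcode are assumptions of this model, not documented HydraFW behaviour. The dump routine reads the array twice and compares the passes, a cheap check against a flaky clip or an SPI clock the wiring cannot sustain, which otherwise produce a silently corrupt image rather than an error.

```python
import struct

BBIO_ENTER = b"\x00" * 20     # 20 NUL bytes take the HydraFW console into binary (BBIO) mode
BBIO_SPI = b"\x01"            # select the SPI1 binary mode, answered with "SPI1"
BBIO_WRITE_READ = 0x04        # write-then-read: 0x04, 2-byte write count, 2-byte read count (big-endian)
FLASH_READ = 0x03             # 25-series READ: opcode, 24-bit address, then data is clocked out
MAX_XFER = 4096               # assumed per-transaction limit of write-then-read


class FakeHydraBus:
    """Constructed stand-in for a pyserial port with a HydraBus and a W25Q16-style
    flash on SPI1. READ wraps at the end of the array like the real part."""

    def __init__(self, image: bytes):
        self.image = image
        self.inbuf = bytearray()    # host -> HydraBus, not yet consumed
        self.outbuf = bytearray()   # HydraBus -> host, not yet read
        self.commands = []          # every byte string clocked out on MOSI, for inspection
        self.binary = self.spi = False

    def write(self, data: bytes) -> int:
        self.inbuf += data
        self._process()
        return len(data)

    def read(self, n: int) -> bytes:
        out, self.outbuf = bytes(self.outbuf[:n]), self.outbuf[n:]
        return out

    def _process(self) -> None:
        while self.inbuf:
            if not self.binary:                      # console mode: wait for 20 NULs
                if len(self.inbuf) < 20:
                    return
                if self.inbuf[:20] == BBIO_ENTER:
                    self.binary = True
                    self.outbuf += b"BBIO1"
                    del self.inbuf[:20]
                else:
                    del self.inbuf[:1]               # console input, ignored here
                continue
            cmd = self.inbuf[0]
            if not self.spi:                         # BBIO main mode: only 0x01 is modelled
                del self.inbuf[:1]
                self.spi = cmd == 0x01
                self.outbuf += b"SPI1" if self.spi else b"\x00"
                continue
            if cmd != BBIO_WRITE_READ:               # other SPI-mode commands are not modelled
                del self.inbuf[:1]
                self.outbuf += b"\x00"
                continue
            if len(self.inbuf) < 5:
                return                               # header not complete yet
            wcount, rcount = struct.unpack(">HH", self.inbuf[1:5])
            if len(self.inbuf) < 5 + wcount:
                return                               # payload not complete yet
            tx = bytes(self.inbuf[5:5 + wcount])
            del self.inbuf[:5 + wcount]
            if wcount > MAX_XFER or rcount > MAX_XFER:
                self.outbuf += b"\x00"               # assumed failure status
                continue
            self.commands.append(tx)
            if len(tx) == 4 and tx[0] == FLASH_READ:
                addr = int.from_bytes(tx[1:], "big")
                data = bytes(self.image[(addr + i) % len(self.image)] for i in range(rcount))
            else:
                data = b"\xff" * rcount              # unknown opcode: MISO idles high
            self.outbuf += b"\x01" + data            # success status, then the bytes read


def bbio_enter_spi(ser) -> None:
    """Handshake from the console into BBIO, then into SPI mode."""
    ser.write(BBIO_ENTER)
    if ser.read(5) != b"BBIO1":
        raise RuntimeError("could not enter BBIO mode")
    ser.write(BBIO_SPI)
    if ser.read(4) != b"SPI1":
        raise RuntimeError("cannot set SPI mode")


def read_flash(ser, size: int, chunk: int = MAX_XFER) -> bytes:
    """Read `size` bytes from address 0 with READ (0x03) in write-then-read chunks."""
    if not 1 <= chunk <= MAX_XFER:
        raise ValueError("chunk must be 1..%d" % MAX_XFER)
    image = bytearray()
    for addr in range(0, size, chunk):
        n = min(chunk, size - addr)
        cmd = bytes([FLASH_READ]) + addr.to_bytes(3, "big")        # 24-bit address, 16 MiB max
        ser.write(struct.pack(">BHH", BBIO_WRITE_READ, len(cmd), n) + cmd)
        if ser.read(1) != b"\x01":
            raise RuntimeError("write-then-read failed at 0x%06x" % addr)
        data = ser.read(n)
        if len(data) != n:
            raise RuntimeError("short read at 0x%06x" % addr)
        image += data
    return bytes(image)


def dump_spi_flash(ser, size: int, chunk: int = MAX_XFER) -> bytes:
    """Dump the array twice and insist both passes agree before trusting the image."""
    bbio_enter_spi(ser)
    first, second = read_flash(ser, size, chunk), read_flash(ser, size, chunk)
    if first != second:
        raise RuntimeError("dumps differ: check wiring or lower the SPI frequency")
    return first


if __name__ == "__main__":
    sample_image = bytes(range(256)) * 256      # constructed 64 KiB "flash" content
    port = FakeHydraBus(sample_image)           # real hardware: serial.Serial("/dev/hydrabus", 115200)
    dumped = dump_spi_flash(port, len(sample_image))
    print("dumped %d bytes, first READ on MOSI: %s" % (len(dumped), port.commands[0].hex()))
```

On real hardware the port object is a pyserial Serial opened on the HydraBus CDC device, and size is the full array (2 MiB for a W25Q16); the first two MOSI frames the fake records, 03 00 00 00 and 03 00 10 00, are the same bytes the console printed as WRITE in the previous slide.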

  20. Result

      $ strings image.bin
      [...]
      ATHE        print help
      ATBAx       change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
      ATENx,(y)   set BootExtension Debug Flag (y=password)
      ATSE        show the seed of password generator
      ATTI(h,m,s) change system time to hour:min:sec or show current time
      ATDA(y,m,d) change system date to year/month/day or show current date
      ATDS        dump RAS stack
      ATDT        dump Boot Module Common Area
      ATDUx,y     dump memory contents from address x for length y
      [...]

  The strings are the help text of an AT-style bootloader debug monitor, including a raw memory dump command (ATDUx,y) and a password-protected debug flag (ATENx,(y)).

  21. Signal analysis
  ● Some unused headers are visible, but we don't know what they are used for
    – Labelled RX1 / TX1
  ● Use the logic analyzer function

  22. Logic analyzer
  ● Analyses digital signals
    – Only logic states (high/low), no analog levels
  ● Usually coupled with PC software
    – Decodes logic signals into values
  ● Captures n samples
    – The capture start can be triggered

  23. Signal analysis
  ● Connect those headers to the Hydrabus
  ● Open PulseView and set up the capture
  ● Search through the available decoders to find a match
    – Requires experience / tests to recognize the protocols

  24. UART Bridge
  ● Hydrabus can act as a USB / UART bridge
    – In UART mode, use the bridge command
  ● The serial console of the router is now available

  25. Result

  26. RHME2 Challenge

  27. RHME2 - Whac The Mole
  ● Whac The Mole Challenge
    – https://github.com/hydrabus/rhme-2016/blob/master/Other/WhackTheMole.md

  28. RHME2 - Whac The Mole ● Whac The Mole Challenge with Logic Analyzer
