network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data. (Wikipedia)
are serial. • UART, I2C, SPI, JTAG. • We are talking hardware but this isn’t engineering major, this stuff is simple. • Yes, we are talking about complete physical access but for vulnerability research
by far the most common interface for diagnostic and debug output from embedded devices. • Simple & inexpensive. • Available on almost every embedded devices. • Gets you a console or shell access to the device(sometimes root shell without authentication).
connect to the device from computer. • Use software like minicom to get to the console. • You’ll get debug information, access to boot loader, shell(maybe root access, filesystems).
you avoid frying your boards) 3.3v data 5v is power 0v is ground - Connect oscilloscope to find square wave(indicates digital signals) - Better, use logical analyzer for detecting digital signals. - Use things like JTAGulator - If you found your pins.. start memory analysis, dumping, reversing etc
the PCB components. • How about components talking to each other?? • I2C, SPI enables IC’s to talk to each other(like a LAN connection between components). • Extremely simple(Sometimes just one pin). • Possibility of spying.
embedded device. • HDMI, VGA etc. • SDcards use SPI for data transfer. • I2C is what laptops use to update the remaining battery status. • GeoHot’s first Apple jailbreak involved I2C spying. • Charlie Miller research on MACBook power management involved I2C spying(presented at BlackHat 2012)
from a separate computer. • UART relies on dedicated code execution on the device(a shell, an interactive boot loader etc) but JTAG helps to debug the device at any point. (You can even get a GDB server for debugging and can get full memory dumps). • Software debugging is just part of JTAG specification and is not strictly standardized so it depends on the vendor. • Single stepping, breakpoints, power resets, watch-points, register viewing, and boundary scanning are part of JTAG implementations.
communication. • The way communication happens over JTAG pins is vendor specific.(Which serial protocol to use etc) • Implementation differences between each device can take a lot of time and effort to figure out. • Identifying JTAG and it’s implementations in the wild is a lot of effort.
understand hundreds or thousands of JTAG implementations. • Segger J-Link is relatively inexpensive, supports long list of devices, USB powered, acts as GDB server.
of implementations but it has to be used along with some hardware like Bus Pirate that comes with no software. • Using OCD is heavy lifting, you need to be aware of pins, configurations and wiring etc.
happening on a pin. • If there is data being transmitted on a pin it shows you the square wave of that data and even attempts to decode it for you using a number of different filters.
time consuming and tedious. • It all depends on the manufacturer and if they try to hide JTAG adapters, it gets even worse. • Good news: We care about only 5 pins • TDO: Test Data Out • TDI: Test Data In • TMS: Test Mode Select • TCK: Test Clock • TRST: Test Reset (TRST is just for reset so we just need 4 pins)
a variety of protocols. • Similar to JTAGulator. Connect with USB and interact using Minicom or Putty. • Once connected bus pirate makes it easy to interact with device over serial protocols. • Extensive number of macros and scripts are available from the community. • You can do everything you do with bus pirate using a USB-TTL cable but Bus pirate makes things easier
Systems: Linux based OS, RTOS etc. • Embedded system are built on RISC architectures opposing to CISC like X86. • Exploitation principals are still the same, just a little different. • ROP attacks are convoluted but works. • Exploit mitigations(like NX) exist in ARM.
and more registers so attacks like ROP can get more convoluted and tedious. • Hovav Shacham in his paper on ROP explains that it’s possible to build turing complete machines using ROP gadgets. (Especially on X86 due to it’s dense instruction set)
- Try to understand ARM, the edge cases - Get comfortable with debugging, disassembly - Gera insecure programs, Exploit exercises - Get some real hardware - Raspberry - Beagle Board - ARMini - CuBox - Gumstix