AIS3-Firmware Security Analysis

Transcript

1. Firmware Security Analysis 李倫銓 Alan, NiNi

2. About Linkit7697 LinkIt7697 是一塊針對物聯網應用的開發版，基於 MT7697 系統單晶片， 具有含浮點運算的 ARM Cortex-M4 微控制器，

   並整合了 802.11b/g/n WiFi 無線網路與 Bluetooth 4.2 低功耗藍牙。

3. What is firmware ROM EPROM flash memory firmware firmware firmware

   Firmware is a piece of code stored in ROM, EPROM, flash memory. It may provide some functions to software to control hardware. Or, it may be the only program that will run on the embedded system.

4. Before starting…. 先把 firmware 燒上去

5. UART UART 1 UART 2 Tx Rx Tx Rx

6. UART UART 1 UART 2 Tx Rx 1 0 1

   1 1 0 1

7. PC RAM BIOS Hard Disk MBR boot loader Boot loader

8. PC RAM BIOS Hard Disk MBR boot loader Boot loader

   BIOS 抓

9. PC RAM BIOS Hard Disk boot loader MBR Boot loader

   MBR BIOS 抓完

10. Boot loader PC RAM Hard Disk boot loader MBR MBR

    MBR 抓

11. Boot loader PC RAM Hard Disk boot loader MBR MBR

    Boot MBR 抓沒完

12. Boot loader PC RAM Hard Disk boot loader MBR MBR

    Boot MBR 再抓

13. Boot loader PC RAM Hard Disk boot loader MBR MBR

    Boot loader Boot loader完成載入

14. Boot loader DEMO

15. ARM ARM 架構有需多版本， 從最早的 ARMv1 到現在的 ARMv8 每個版本都有引入一些新的特色。

16. ARM ARM不賣晶片，而是靠授權架構賺錢， 實作則是由購買的公司進行(一般不能改架構)， CPU 名字跟架構版本沒有關係， 如 ARM7EJ 對應 ARMv5，ARM11 對應

    ARMv6。

17. ARM 但 ARM11 之後改變了命名的方式，改為 Cortex-A Application profile Cortex-R Real-time profile

    Cortex-M Microcontroller profile

18. ARM ARM 有兩個模式 一個 ARM，一個 Thumb Thumb 是 ARM 的子集，

    ARM 一條指令需要 4Byte 的編碼 ， Thumb 則是 2 or 4 byte

19. ARM 00010400 <main>: 10400: b580 push {r7, lr} 10402: af00

    add r7, sp, #0 10404: 4b03 ldr r3, [pc, #12] ; (10414 <main+0x14>) 10406: 0018 movs r0, r3 10408: f7ff ff68 bl 102dc <puts@plt> 1040c: 2300 movs r3, #0 1040e: 0018 movs r0, r3 10410: 46bd mov sp, r7 10412: bd80 pop {r7, pc} 000103fc <main>: 103fc: e92d4800 push {fp, lr} 10400: e28db004 add fp, sp, #4 10404: e59f000c ldr r0, [pc, #12] ; 10418 <main+0x1c> 10408: ebffffb3 bl 102dc <puts@plt> 1040c: e3a03000 mov r3, #0 10410: e1a00003 mov r0, r3 10414: e8bd8800 pop {fp, pc}

20. ARM 後來則增強為 Thumb2 ，code density 與 Thumb 接近 但有類似 ARM

    的性能

21. ARM 快問快答

22. ARM http://infocenter.arm.com/help/topic/com.arm.doc.dui0553b/DUI0553.pdf http://infocenter.arm.com/help/topic/com.arm.doc.qrc0001m/QRC0001_UAL.pdf Cortex-M4 Manual ARM Thumb2 cheatsheet

23. ARM 暫存器 R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 2.1.3 Core registers

24. ARM 基本運算 opcode Rd, Rn opcode Rd, Rn, Op2

25. ARM MOV R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0x0000FA05 MOV R1, #0xFA05 3.5.6 MOV and MVN

26. ARM R0 R1 R2 R3 R4 R5 R6 R7 R8

    R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0x0000FA05 0x00000100 MOV R1, #0xFA05 MOV R5, #256 MOV 3.5.6 MOV and MVN

27. ARM R0 R1 R2 R3 R4 R5 R6 R7 R8

    R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0x0000FA05 0x0000BEEF 0x00000100 MOV R1, #0xFA05 MOV R5, #256 MOVW R3, #0xBEEF MOV 3.5.6 MOV and MVN

28. ARM R0 R1 R2 R3 R4 R5 R6 R7 R8

    R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0x0000FA05 0xDEADBEEF 0x00000100 MOV R1, #0xFA05 MOV R5, #256 MOVW R3, #0xBEEF MOVT R3, #0xDEAD MOV 3.5.6 MOV and MVN

29. ARM R0 R1 R2 R3 R4 R5 R6 R7 R8

    R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0x0000FA05 0xFFFFFFF0 0xDEADBEEF 0x00000100 MOV R1, #0xFA05 MOV R5, #256 MOVW R3, #0xBEEF MOVT R3, #0xDEAD MVN R2, #0xF MOV 3.5.6 MOV and MVN

30. ARM LDR/STR 只有 ldr 跟 str 可以存取記憶體 其他 opcode 的運算子都不能存取記憶體

    3.4 Memory access instructions

31. ARM LDR/STR R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0xFFFFFFF0 0xDEADBEEF 0x00000100 0x100 0x104 0xfaceb00c 0xdeadbeef LDR R1, [R5] 3.4 Memory access instructions

32. ARM LDR/STR R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0xfaceb00c 0xFFFFFFF0 0xDEADBEEF 0x00000100 LDR R1, [R5] 0x100 0x104 0xfaceb00c 0xdeadbeef 3.4 Memory access instructions

33. ARM LDR/STR R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0xfaceb00c 0xFFFFFFF0 0xDEADBEEF 0x00000100 LDR R1, [R5] STR R2, [R5,#4] 0x100 0x104 0xfaceb00c 0xdeadbeef 3.4 Memory access instructions

34. ARM LDR/STR R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0xfaceb00c 0xFFFFFFF0 0xDEADBEEF 0x00000100 0x100 0x104 0xfaceb00c 0xFFFFFFF0 LDR R1, [R5] STR R2, [R5,#4] 3.4 Memory access instructions

35. ARM LDR/STR R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0xfaceb00c 0xFFFFFFF0 0xDEADBEEF 0x00000100 0x100 0x104 0xfaceb00c 0xFFFFFFF0 LDR R1, [R5] STR R2, [R5,#4] LDR R2, [R5],#4 3.4 Memory access instructions

36. ARM LDR/STR R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0xfaceb00c 0xfaceb00c 0xDEADBEEF 0x00000104 0x100 0x104 0x108 0xfaceb00c 0xFFFFFFF0 LDR R1, [R5] STR R2, [R5,#4] LDR R2, [R5],#4 3.4 Memory access instructions

37. ARM LDR/STR R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0xfaceb00c 0xfaceb00c 0xDEADBEEF 0x00000104 0x100 0x104 0x108 0xfaceb00c 0xFFFFFFF0 LDR R1, [R5] STR R2, [R5,#4] LDR R2, [R5],#4 STR R2, [R5,#4]! 3.4 Memory access instructions

38. ARM LDR/STR R0 R1 R2 R3 R4 R5 R6 R7

    R8 R9 R10 R11 R12 SP(R13) LR(R14) PC(R15) 0xfaceb00c 0xfaceb00c 0xDEADBEEF 0x00000108 0x100 0x104 0x108 0xfaceb00c 0xFFFFFFF0 0xfaceb00c LDR R1, [R5] STR R2, [R5,#4] LDR R2, [R5],#4 STR R2, [R5,#4]! 3.4 Memory access instructions

39. ARM 單位 10101010 10101010 10101010 10101010 10101010 10101010 10101010 1

    BYTE 1 Half Word 1 Word LDR LDRH, LDRSH LDRB, LDRBH

40. ARM condition execution N -> negative Z -> zero C

    -> carry V -> overflow CMP R1, #3 LDREQ R1, [R5] 3.3.7 Condition execution

41. ARM condition execution N -> negative Z -> zero C

    -> carry V -> overflow if( r1 == 3 ) r1 = *r5 3.3.7 Condition execution

42. ARM condition execution CMP R1, #3 IT EQ LDREQ R1,

    [R5] N -> negative Z -> zero C -> carry V -> overflow 3.3.7 Condition execution

43. ARM condition execution N -> negative Z -> zero C

    -> carry V -> overflow if( r1 == 3 ) r1 = *r5 3.3.7 Condition execution

44. ARM condition execution CMP R1, #3 ITT EQ LDREQ R1,

    [R5] LDREQ R2, [R5] N -> negative Z -> zero C -> carry V -> overflow 3.3.7 Condition execution

45. ARM condition execution N -> negative Z -> zero C

    -> carry V -> overflow if( r1 == 3 ){ r1 = *r5 r2 = *r5 } 3.3.7 Condition execution

46. ARM condition execution CMP R1, #3 ITTE EQ LDREQ R1,

    [R5] LDREQ R2, [R5] ADDNE R1, #1 N -> negative Z -> zero C -> carry V -> overflow 3.3.7 Condition execution

47. ARM condition execution N -> negative Z -> zero C

    -> carry V -> overflow if( r1 == 3 ){ r1 = *r5 r2 = *r5 }else{ r1 += 1 } 3.3.7 Condition execution

48. ARM B{cond} lable 跳轉 BL{cond} lable 跳轉,把 return address 放進

    LR BX{cond} Rm 跳轉 BXL{cond} Rm 跳轉,把 return address 放進 LR 3.10 Branch and control instructions

49. Find the main Literal Pool

50. Find the main

51. BONUS TIME

52. Secure Boot

53. Secure Boot 所以在 Bootloader 執行時 我們要確保即將掛載的 firmware 不是修改過的

54. Secure Boot Reset ROM Bootloader Bootloader input Signed? yes no

    Bootloader firmware input Signed? yes no Stop
 or Recover

55. Secure Boot Bootloader hash ##### encrypt flash memory key

56. Secure Boot Bootloader hash ##### encrypt flash memory key burn

    eFuse

57. Secure Boot Firmware digital signature hash ##### private key (on

    your PC) signature algorithm

58. Secure Boot Firmware digital signature hash ##### public key (in

    bootloader) signature algorithm Same?

59. Secure Boot But this is not the end……

60. Secure Boot Tegra X1

61. Secure Boot Tegra X1 USB Recovery Mode https://http.download.nvidia.com/tegra-public-appnotes/tegra-boot-flow.html#_error_handling_and_recovery_mode

62. Secure Boot Fusée Gelée:https://github.com/Qyriad/fusee-launcher ShofEL2:https://fail0verflow.com/blog/2018/shofel2/