27C3 - Version 1.6.3

27th Chaos Communication Congress
We come in peace

Speakers
Nathan Fain
Vadik
Schedule
Day Day 1 - 2010-12-27
Room Saal 3
Start time 14:00
Duration 01:00
Info
ID 4011
Event type Lecture
Track Hacking
Language used for presentation English

JTAG/Serial/FLASH/PCB Embedded Reverse Engineering Tools and Techniques

a dump of simple tools for embedded analysis at many layers

Bring your target. We will release a slew of simple tools that explore attack surfaces and explain how to use them: JTAG/serial scanners, a parallel flash dumper, and DePCB board routing analysis. So, cross over from software RE and start hacking/improving like it's 1996 again. (Full documentation and reference at: http://events.ccc.de/congress/2010/wiki/Embedded_Analysis)

"All non-trivial abstractions, to some degree, are leaky." -- Joel on Software

This applies just as well to hardware. In the soft center of embedded security are the human abstraction layers between embedded developers, PCB designers and ASIC designers, which expose attack surfaces that are often rudimentary and unmovable.

Using a theoretical embedded target, we walk through each surface, overcoming obfuscation to gain control. We will release a slew of embedded analysis tools, some lolarduino based, some not. These tools are built on frameworks designed to support industrial design students with electronics prototyping, meaning that you can adapt them to your needs with little technical background.

The audience is invited to bring their targets to the hack center, where contributors will be clustered and available to suggest means of protection or ways to apply these analysis techniques to your project.

Tools discussed

  • [Serial Scanner] Arduino based, will scan 30+ pins for a serial port at any baud rate. Includes stimulating lines with wakeup signals (\n, etc.).
  • [JTAGenum] Arduino based, will scan 30+ pins for a JTAG port. Once found, it can be used to scan for undocumented instructions and functionality.
  • [Parallel FLASH Dumper] Arduino based, dumps FLASH memory. Flash programmers can be expensive or distribution restricted. Includes discussion of how to dump FLASH where public documentation/footprint cannot be found.
  • [DePCB] (in progress) Given images of PCB layers, can be used to auto-route IC interconnects. Research is in progress. Based on DeGate, which does the same at the transistor level of ICs.

Topics covered

  • Overview of debug surfaces
  • Basic electrical analysis of pins to narrow target scans
  • Using Serial and JTAG scanners
  • Examining undocumented FLASH targets
  • Dumping FLASH
  • Discussion of clues that can be found in PCB design choices