44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
2 likes1,141 views
Josh Thomas, a partner at Atredis Partners, presented a talk at 44con 2014 about robots and hardware, focusing on hardware design, iteration, and security mechanisms in devices like the Amazon Kindle Fire and Qualcomm Snapdragon SoC. The talk covered the evolution of hardware systems, the importance of security features like bootloaders and trust chains, and specific observations about various hardware devices and manufacturers. It underscored why hardware analysis is essential for understanding device security and the challenges involved in exploiting hardware vulnerabilities.
![story arc
✤ preface[0] = “Tongue Tied by many nights of NDA curiosity”!
✤ preface[1] = “What is the point / Where is the squishy?”!
✤ history lesson [0] = “The story of Wang and the Bed”!
✤ story[0] = “Hardware Design”!
✤ story[1] = “Iteration”!
✤ story [2] = “SoC, Bootloaders and trust chains”](https://image.slidesharecdn.com/44con-igaveatalkaboutrobotsandhardware-140915050637-phpapp01/85/44CON-2014-I-gave-a-talk-about-robots-and-hardware-Josh-Thomas-4-320.jpg)
![history lesson [0]: could be true?
The story of Wang and the Bed
…had a kid, scada-curious, , talked about StuxNet, met at the pub…
proof that I am not a EE and that some people are just damn cool](https://image.slidesharecdn.com/44con-igaveatalkaboutrobotsandhardware-140915050637-phpapp01/85/44CON-2014-I-gave-a-talk-about-robots-and-hardware-Josh-Thomas-9-320.jpg)
![story[0]
All hardware has a story to tell
stick with me here… I promise the following
has a point and is more that “vacation pics”](https://image.slidesharecdn.com/44con-igaveatalkaboutrobotsandhardware-140915050637-phpapp01/85/44CON-2014-I-gave-a-talk-about-robots-and-hardware-Josh-Thomas-12-320.jpg)
![story[1]
Background Complete:
Exploring Iterative Design with Amazon Prime](https://image.slidesharecdn.com/44con-igaveatalkaboutrobotsandhardware-140915050637-phpapp01/85/44CON-2014-I-gave-a-talk-about-robots-and-hardware-Josh-Thomas-76-320.jpg)
![story[2]:
SoC, Bootloaders and trust chains](https://image.slidesharecdn.com/44con-igaveatalkaboutrobotsandhardware-140915050637-phpapp01/85/44CON-2014-I-gave-a-talk-about-robots-and-hardware-Josh-Thomas-89-320.jpg)
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
- 1. I gave a talk about robots and hardware! A story of Research by: ! Josh “m0nk” Thomas / @m0nk_dot! 44CON 2014
- 2. this hour, your talking head is… ✤ Josh “m0nk” Thomas! ✤ @m0nk_dot ! ✤ Partner and Chief Breaking Officer @ Atredis Partners! ✤ Recovering software developer (AI / Crypto / Mobile “stuff”)! ✤ Atredis Partners! ✤ Focused and targeted security firm! ✤ Specializing in advanced hardware and software assessments! ✤ Mobile and embedded systems! ✤ Societal infrastructure! ✤ Black boxes! ✤ Advanced malware and rootkit analysis! ✤ Handcrafted artisanal and deep bespoke research
- 3. @m0nk_dot likes to put trite commentary in front of pretty pictures
- 4. story arc ✤ preface[0] = “Tongue Tied by many nights of NDA curiosity”! ✤ preface[1] = “What is the point / Where is the squishy?”! ✤ history lesson [0] = “The story of Wang and the Bed”! ✤ story[0] = “Hardware Design”! ✤ story[1] = “Iteration”! ✤ story [2] = “SoC, Bootloaders and trust chains”
- 5. I haz NDA? ✤ I hate this, but it is sadly worth mentioning! ✤ … and you thought open source licenses were annoying! ✤ Words I can say:! ✤ Sony! ✤ HTC! ✤ LG! ✤ I can sometimes say the words:! ✤ Nokia! ✤ Qualcomm! ✤ BlackBerry! ✤ Words I cannot say:
- 6. Why to care?
- 7. Why Hit Hardware? ✤ Hard to get Code Exec / Control! ✤ Forensic OS Dumps! ✤ Crypto Keys & Boot Settings What to look for? ✤ JTAG & Debug Access! ✤ Direct NAND Access! ✤ Bootloader Access & Manipulation
- 8. Functionality aside, why is hardware interesting ✤ Pretty! ✤ It is just as raw as source code, ASM or IDA! ✤ A concrete example of how much a company cares / what level of effort should be expected to break it! ✤ Not normally “patchable” / LOOOOOOOONG shelf life
- 9. history lesson [0]: could be true? The story of Wang and the Bed …had a kid, scada-curious, , talked about StuxNet, met at the pub… proof that I am not a EE and that some people are just damn cool
- 12. story[0] All hardware has a story to tell stick with me here… I promise the following has a point and is more that “vacation pics”
- 13. What Simple Looks Like: MasterLock dialSpeed
- 15. What Complex Looks Like: Microsoft Xbox 360
- 17. Traces I Love: Samsung ChromeBook (Daisy)
- 19. Ol’ Grand Dad: Qualcomm Dragon Board
- 21. The Godfather Phone: Qualcomm Snapdragon 8974 Dev Platform
- 27. One Sided Conversation / Traces I Hate: Motorola Moto X
- 30. Grumble Grumble RF Shields: BlackBerry Z30
- 34. Hidden for a Reason: HTC One
- 37. Advanced Game: Apple iPhone 5S
- 43. XXX: Nokia Lumia 635
- 49. Speaking of… Microsoft Surface RT (V1)
- 53. Squares and NAND: Sony Arc S
- 56. Squares and Burner: Sony Xperia Z
- 59. XXX: LG Nexus 5
- 65. Old School: LG Nexus 4
- 68. Not a Monster: Samsung Galaxy Note 3
- 72. Oddly Normal: Samsung Galaxy 4
- 75. Lessons Learned ✤ Motorola tends to make one sided boards that are very simple and masked! ✤ Samsung likes uber dense complexity and non-euclidean shapes! ✤ Sony is just kinda boring and square! ✤ BlackBerry and Nokia internals look oddly identical! ✤ No one is a dense as Apple! ✤ Microsoft should QA a bit more! ✤ The new style is to hide Qualcomm below the NAND
- 76. story[1] Background Complete: Exploring Iterative Design with Amazon Prime
- 77. Catching Fire - An Evolution ✤ Amazon has released 7 iterations of the Kindle Fire platform since late 2011:! ✤ Kindle Fire (1st Generation - 11/15/2011)! ✤ Kindle Fire (2nd Generation - 09/14/2012)! ✤ Kindle Fire HD 7" (1st Generation - 09/14/2012)! ✤ Kindle Fire HD 8.9" (1st Generation - 11/20/2012) (also has a cellular variant)! ✤ Kindle Fire HD 7" (2nd Generation - 10/02/2013)! ✤ Kindle Fire HDX 7" (3rd Generation - 10/18/2013) (also has a cellular variant)! ✤ Kindle Fire HDX 8.9" (3rd Generation - 11/07/2013) (also has a cellular variant)! ✤ Fire Phone (released 07/25/2014).
- 81. Amazon Fire V1
- 82. Amazon Fire V2
- 83. Amazon Fire V1
- 84. Amazon Fire V2
- 85. Amazon Fire HD V1
- 86. Amazon Fire HD V2
- 87. Amazon Fire HDX V1
- 88. Amazon Fire HDX V1
- 89. story[2]: SoC, Bootloaders and trust chains
- 91. TEE on the MSM8960 SoC ✤ Hosts a collection of Trusted Execution Environments! ✤ Krait Core 0 (Trust Zone)! ✤ The ARM7 based RPM (Resource and Power Management System)! ✤ The Modem System (assume this is the Hexagon Baseband platform)! ✤ The SPS (Smart Peripheral System)
- 92. Hardware of Note ✤ eFuses / QFPROM hold a lot of data (covered later)! ✤ The SoC reuses the ARM7 and ARM9 cores for different functions depending on the current processing needs! ✤ Hardware hosts 2 discrete “Crypto Engine” processors in hardware! ✤ CE1 is hardware latched to fuses for the the Primary Hardware Key ! ✤ CE2 is hardware latched to fuses for the User Hardware Key! ✤ Assumed to be the ARM9 cores
- 93. A Glance at the Boot Chain before the “Bootloader”
- 95. The Secure Boot 3.0 Process Interesting tidbits ✤ RPM PBL starts executing at physical address 0x00! ✤ Multitude of Bootloader options here specifying where to look for more code to execute! ✤ All Authentication pre TZ load uses the Crypto Engine 1 (CE1) & the Primary Hardware Key (PHK) from the eFuse block! ✤ (Supposedly) Debuggable via “proprietary” tools! ✤ Highly eFuse controlled! ✤ Supports an “Emergency Download Mode” upon crash
- 96. Things are getting fused
- 97. How Fuses Work ✤ Total of 16kb block of eFuses / QFPROM on MSM8960! ✤ 4kb mapped and easily accessible:! ✤ QFPROM BASE PHYSICAL: 0x00700000! ✤ QFPROM SHADOW BASE: 0x00706000! ✤ Can be read whenever / Written Once! ✤ To write, need to hold voltage for $TIME_PERIOD
- 99. Interesting QFPROM ✤ A 256-bit Primary Hardware Key (PHK used by CE1)! ✤ A 256-bit Secondary Hardware Key (SHK used by CE2)! ✤ A 128-bit OEM Customer key! ✤ A 2048-bit Customer private key! ✤ Fuses to disable debug / JTAG! ✤ Fuses to reenable debug / JTAG! ✤ Possible large swaths of unmapped free space
- 100. <insert POC||GTFO source here>
- 101. There is no conclusion, only Zuul thanks for letting me talk… any questions?