SlideShare a Scribd company logo

Reverse engineering

Daniel Stenberg, profile picture
Daniel Stenberg

Daniel Stenberg recounts the story of how he and two friends reverse engineered the firmware of early 2000s MP3 players to create their own improved open source firmware called Rockbox. They grew bored with the poor quality firmware on early players like the Archos and were able to analyze, disassemble and modify the firmware through techniques like examining the hardware, analyzing differences between firmware versions, using debug tools, and eventually developing workarounds to load custom code. Their open source Rockbox firmware now runs on over 100 different MP3 player models and helped spur innovation in the portable music player market.

Technology
Related topics:
Reverse Engineering
1 of 36
Downloaded 51 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Яev3rse eng1neering Daniel Stenberg, May 21st 2014
Agenda A saga about a bunch of people who grew bored with a factory installed firmware in consumer electronics and wrote their own implementation
Daniel Stenberg Email: daniel@haxx.se Twitter: @bagder Web: daniel.haxx.se Blog: daniel.haxx.se/blog hacker at
Please ask! Feel free to interrupt and ask at any time!
Let me tell you a story... •this story begins in the early 2001 •3 men in their best years •embedded systems hackers •the dawn of the mp3 player revolution
Archos mp3 players •December 2000 •First mp3 player with a HDD •Probably the crappiest firmware in the world •Surely we could do better? How hard can it be?
What's inside? •Read the onboard circuits and search or ask •Used to be a good away •… barely gives away anything nowadays •Can it be hacked? •Almost universally: yes
Firmware upgrade option! •Look you can upgrade firmware... •What's the architecture again? •Collect several firmware files •Analyze differences •Throw everything and everyone at it •This can take a lot of time
Intermission: legality •Were we allowed to do this? •The world is full of jurisdictions •We are Swedish, what does EU laws say? •The 1991 EU Computer Programs Directive, article 6: •The 2009 EU Computer Program Directive: The authorization of the rightholder shall not be required where reproduction of the code and translation of its form ... are indispensable to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs performance of the acts of reproduction and translation by or on behalf of a person having a right to use a copy of the program is legitimate and compatible with fair practice and must therefore be deemed not to require the authorisation of the rightholder. An objective of this exception is to make it possible to connect all components of a computer system, including those of different manufacturers, so that they can work together
XORing a fixed string •By guessing parts of the decrypted file some “encryption” is easier than others •Early devices just scrambled firmwares like this
How do things work in there? •Figure out how your architecture works •Master things like the CPU instruction set and how a stack works •These days things are “always” ARM •The CPU core is not the problem, the peripherals, busses and associated HW are the challenges
Disassembly •Objdump is an excellent tool •Is not as hard as you might think •Look for register addresses / memory layout patterns •Error messages/strings/bitmaps or pointers to them
Disassembly even easier •IDApro is an advanced tool to automate the task even more • Detects lots of C/C++ magic by itself • Stack frames • Bitmaps • Structs • Strings • Memory layout
Scan the bare PCB and beep them BGA removed! Surprisingly many clues printed on the PCB
Hiding what's inside •Rub off all markings •Use chips without public documentation •Use chips unsupported by gcc
Hardware debuggers •Many devices leave debug points for BDM / JTAG or debug uarts •Like this:
Attaching stuff on their HW •Hm, what do we have here...
oh so useful
Stripped and attached
Anti-bricking measures •Have multiple devices •Primary boot-loader feature: run the original •If possible, load and run from RAM only until tested
Software decoding targets •Our first targets had mp3 decoding hardware •New architectures entered •More XOR and checksums •Detect code patterns and search online for data sheets. •Partial matches may give “similar chips” that have documentation
Early ipods •Used hidden hard-drive partitions •Used completely (publicly) undocumented chips •Took a long time to master
Later target examples •Boot-loader that loads and decrypts firmware •Magic constants in the boot-loader code revealed algorithm. •Boot-loader also upgradable (plain) gave away crypto keys •Known flags in digital signature algorithm (DSA) offered shortcut in code signing
So what about true cryptography?
Loading encrypted payloads •Target loads only encrypted files •User finds flaw in one firmware version that crashes the device •A buffer overflow in the HTML reader •Look, if we add crafted data in that HTML file we can execute code •When we used a loop to write in memory we managed to toggle the backlight
A backlight reading device
From backlight to restored key • dump memory using a videocamera and toggle backlight • 32MB contents took many hours • analyze what's in memory • code, data, clues • see, there's a pattern of USB registers • rewrite the memory dump program to send contents over USB, insert the whole thing into a HTML file, load it on target device • there seems to be code referencing an SRAM • dump SRAM too • Look, there's something that looks like a crypto key!
It takes time and people •Many volunteers •Skilled volunteers •Devoted volunteers •Lots of time •> 1 year from buffer overflow to running code
Getting it done faster? •What if there was (lots of) money to gain? •More clever people spending more of their time •More computers cracking crypto •More hardware analyzers •If you can upgrade the device, reverse engineering it will be possible
From tiny to Android 2001 2MB RAM 6GB HDD 12 MHz CPU 2010 64MB RAM 120GB HDD 500 MHz CPU Today: the dedicated mp3 player market is dead or dying and everyone is going Android Reverse engineering is still done mostly the same
Linux-based reverse engineering •More devices use full-fledged Linux •More flaws, more drivers, less ways to have “unique” solutions hard to figure out •Manufacturers stick to undocumented hardware •… and booting encrypted blobs •Once “hacked”, putting your own SW can be much easier: • familiar APIs (libc, u-boot, standard libs) • familar drivers (even if binary blobs will be there) • gcc!
Rockbox A complete and very portable open source mp3 player firmware replacement, including multi-tasking operating system and application suite... Started by me and my two friends Linus and Björn. Runs on almost 100 different mp3 players from brands such as Toshiba, Tatung, Sony, SanDisk, Samsung, Philips, Pandora, Onda, Olympus, MPIO, Creative, Apple, Archos, Cowon, HifiMan, Meizu, iRiver, Packard Bell, iAudio and more...
Tower of Rockbox
Thank you!
Learn more! •Rockbox http://www.rockbox.org/ •“Reverse Engineering for Beginners” http://yurichev.com/writings/RE_for_beginners-en.pdf
Doing good is part of our code

More Related Content

PDF
Bootkits: Past, Present & Future - Virus Bulletin
ESET
 
PDF
Unpack your troubles*: .NET packer tricks and countermeasures
ESET
 
PDF
Bare Metal from a Hardware Perspective: Embedded Frameworks & Build Systems
Omer Kilic
 
PPTX
Introduction to XMOS Software Defined Silicon Technology
Omer Kilic
 
PPTX
A Quick Introduction to Programmable Logic
Omer Kilic
 
PDF
Is Linux/Moose endangered or extinct?
ESET
 
PPTX
Fuzzing
Khalegh Salehi
 
PDF
高い並列性能と耐障害性を持つElixirとNervesでIoTの新しいカタチを切り拓く
Hideki Takase
 
Bootkits: Past, Present & Future - Virus Bulletin
ESET
 
Unpack your troubles*: .NET packer tricks and countermeasures
ESET
 
Bare Metal from a Hardware Perspective: Embedded Frameworks & Build Systems
Omer Kilic
 
Introduction to XMOS Software Defined Silicon Technology
Omer Kilic
 
A Quick Introduction to Programmable Logic
Omer Kilic
 
Is Linux/Moose endangered or extinct?
ESET
 
Fuzzing
Khalegh Salehi
 
高い並列性能と耐障害性を持つElixirとNervesでIoTの新しいカタチを切り拓く
Hideki Takase
 

What's hot (20)

PPTX
Nerves Project Intro to ErlangDC
Frank Hunleth
 
PDF
Is Rust Programming ready for embedded development?
Knoldus Inc.
 
PDF
LMG Lightning Talks - SFO17-205
Linaro
 
PPTX
Asus Tinker Board
Niyazi SARAL
 
PDF
Arm device tree and linux device drivers
Houcheng Lin
 
PDF
From Silicon to Software - IIT Madras
Aanjhan Ranganathan
 
PDF
Fuzzing underestimated method of finding hidden bugs
Pawel Rzepa
 
PPTX
Alessandro Abbruzzetti - Kernal64
Scala Italy
 
PDF
Kernel Recipes 2017 - What's inside the input stack? - Benjamain Tissoires
Anne Nicolas
 
PDF
Kernel Recipes 2017 - The Serial Device Bus - Johan Hovold
Anne Nicolas
 
PDF
[Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs
OWASP
 
PDF
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
Felipe Prado
 
PPTX
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
PDF
Bz backtrack.usage
djenoalbania
 
PDF
Jollen's Presentation: Introducing Android low-level
Jollen Chen
 
PPTX
Intel Edison: Beyond the Breadboard
yeokm1
 
PDF
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
PPTX
Code Injection in Windows
n|u - The Open Security Community
 
PDF
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Shinya Takamaeda-Y
 
PDF
Cloud, Distributed, Embedded: Erlang in the Heterogeneous Computing World
Omer Kilic
 
Nerves Project Intro to ErlangDC
Frank Hunleth
 
Is Rust Programming ready for embedded development?
Knoldus Inc.
 
LMG Lightning Talks - SFO17-205
Linaro
 
Asus Tinker Board
Niyazi SARAL
 
Arm device tree and linux device drivers
Houcheng Lin
 
From Silicon to Software - IIT Madras
Aanjhan Ranganathan
 
Fuzzing underestimated method of finding hidden bugs
Pawel Rzepa
 
Alessandro Abbruzzetti - Kernal64
Scala Italy
 
Kernel Recipes 2017 - What's inside the input stack? - Benjamain Tissoires
Anne Nicolas
 
Kernel Recipes 2017 - The Serial Device Bus - Johan Hovold
Anne Nicolas
 
[Wroclaw #4] Fuzzing - underestimated method of finding hidden bugs
OWASP
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
Felipe Prado
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
Bz backtrack.usage
djenoalbania
 
Jollen's Presentation: Introducing Android low-level
Jollen Chen
 
Intel Edison: Beyond the Breadboard
yeokm1
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
Code Injection in Windows
n|u - The Open Security Community
 
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Shinya Takamaeda-Y
 
Cloud, Distributed, Embedded: Erlang in the Heterogeneous Computing World
Omer Kilic
 
Ad

Viewers also liked (20)

PPT
reverse engineering
ayush_nitt
 
PPTX
intra and inter personal relations
Ganesh Sahu
 
PPT
Line balancing
Md. Mazadul Hasan Shishir
 
PPTX
Measurement System Analysis
Ronald Shewchuk
 
PPT
Reverse engineering
Saswat Padhi
 
PDF
Reverse Engineering of Software Architecture
Dharmalingam Ganesan
 
PPTX
Tools for capacity planning, measurement of capacity, capacity planning process
Rohan Monis
 
PPTX
Software reverse engineering
Parminder Singh
 
PPTX
Maintenance, Re-engineering &Reverse Engineering in Software Engineering
Manish Kumar
 
PPTX
Service Operation - Manajemen Layanan Teknologi Informasi
Muhammad Idil Haq Amir
 
PPTX
Measuring capacity lesson3
Lidia Marie
 
PPT
Unit 1 Service Operations Management
Gopinath Guru
 
PPT
Legacy Software Maintenance And Management
ValueCoders
 
PDF
Reverse Engineering
siddu019
 
PPT
Capacity 1
Marisa Bajada
 
PPTX
Reverse engineering
Hicube Infosec
 
PPTX
Capacity Planning with Free Tools
Adrian Cockcroft
 
PPT
Capacity Management
Antonio Gonzalez
 
PPT
Facility layout
Faiz Hamzah
 
PDF
Service Operation Processes
nuwulang
 
reverse engineering
ayush_nitt
 
intra and inter personal relations
Ganesh Sahu
 
Line balancing
Md. Mazadul Hasan Shishir
 
Measurement System Analysis
Ronald Shewchuk
 
Reverse engineering
Saswat Padhi
 
Reverse Engineering of Software Architecture
Dharmalingam Ganesan
 
Tools for capacity planning, measurement of capacity, capacity planning process
Rohan Monis
 
Software reverse engineering
Parminder Singh
 
Maintenance, Re-engineering &Reverse Engineering in Software Engineering
Manish Kumar
 
Service Operation - Manajemen Layanan Teknologi Informasi
Muhammad Idil Haq Amir
 
Measuring capacity lesson3
Lidia Marie
 
Unit 1 Service Operations Management
Gopinath Guru
 
Legacy Software Maintenance And Management
ValueCoders
 
Reverse Engineering
siddu019
 
Capacity 1
Marisa Bajada
 
Reverse engineering
Hicube Infosec
 
Capacity Planning with Free Tools
Adrian Cockcroft
 
Capacity Management
Antonio Gonzalez
 
Facility layout
Faiz Hamzah
 
Service Operation Processes
nuwulang
 
Ad

Similar to Reverse engineering (20)

PDF
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
Felipe Prado
 
PDF
Hardware Reverse Engineering: From Boot to Root
Yashin Mehaboobe
 
PPTX
Making and breaking security in embedded devices
Yashin Mehaboobe
 
PDF
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
RootedCON
 
PDF
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON
 
PDF
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
Priyanka Aash
 
PDF
Tower defense for hackers: Layered (in-)security for microcontrollers
Milosch Meriac
 
PPTX
Armadillos - or how to bypass code readout protection on microcontrollers
Andrew Tierney
 
PDF
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
Silvio Cesare
 
PDF
Reverse Engineering the TomTom Runner pt. 2
Luis Grangeia
 
PDF
Hardware hacking
Tavish Naruka
 
PDF
Cracking Hardware
Black Sea Summit — IT-conference in Odessa
 
PPT
Vectors
Yashin Mehaboobe
 
PPTX
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat Security Conference
 
PDF
Programming the Real World: Javascript for Makers
pchristensen
 
PPT
Embabded system security for feuture .ppt
gunjansingh2917683
 
PPTX
Pentesting embedded
antitree
 
PDF
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
Ron Munitz
 
PDF
Finding the needle in the hardware haystack - HRES (1)
Tim Wright
 
PDF
Demystifying Binary Reverse Engineering - Pixels Camp
André Baptista
 
DEF CON 27 - PHILIPPE LAULHERET - introduction to hardware hacking extended v...
Felipe Prado
 
Hardware Reverse Engineering: From Boot to Root
Yashin Mehaboobe
 
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Eloi Sanfélix y Javier Moreno - Hardware hacking on your couch [RootedCON 2012]
RootedCON
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON
 
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
Priyanka Aash
 
Tower defense for hackers: Layered (in-)security for microcontrollers
Milosch Meriac
 
Armadillos - or how to bypass code readout protection on microcontrollers
Andrew Tierney
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
Silvio Cesare
 
Reverse Engineering the TomTom Runner pt. 2
Luis Grangeia
 
Hardware hacking
Tavish Naruka
 
Cracking Hardware
Black Sea Summit — IT-conference in Odessa
 
Vectors
Yashin Mehaboobe
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat Security Conference
 
Programming the Real World: Javascript for Makers
pchristensen
 
Embabded system security for feuture .ppt
gunjansingh2917683
 
Pentesting embedded
antitree
 
BYOD Revisited: Build Your Own Device (Embedded Linux Conference 2014)
Ron Munitz
 
Finding the needle in the hardware haystack - HRES (1)
Tim Wright
 
Demystifying Binary Reverse Engineering - Pixels Camp
André Baptista
 

More from Daniel Stenberg (20)

PDF
What comes after world domination with Daniel Stenberg, April 2025
Daniel Stenberg
 
PDF
digital infrastruktur är open source-1.pdf
Daniel Stenberg
 
PDF
Tightening every bolt at FOSDEM 2025 by Daniel Stenberg
Daniel Stenberg
 
PDF
curl security by Daniel Stenberg from curl up 2024
Daniel Stenberg
 
PDF
rust in curl by Daniel Stenberg from- curl up 2024
Daniel Stenberg
 
PDF
trurl 2024 by Daniel Stenberg from curl up 2024
Daniel Stenberg
 
PDF
curl future 2024 by Daniel Stenberg from curl up 2024
Daniel Stenberg
 
PDF
The state of curl 2024 by Daniel Stenberg from curl up 2024
Daniel Stenberg
 
PDF
mastering libcurl part 2
Daniel Stenberg
 
PDF
mastering libcurl part 1
Daniel Stenberg
 
PDF
curl - openfourm europe.pdf
Daniel Stenberg
 
PDF
curl experiments - curl up 2022
Daniel Stenberg
 
PDF
curl security - curl up 2022
Daniel Stenberg
 
PDF
HTTP/3 in curl - curl up 2022
Daniel Stenberg
 
PDF
The state of curl 2022
Daniel Stenberg
 
PDF
Let me tell you about curl
Daniel Stenberg
 
PDF
Curl with rust
Daniel Stenberg
 
PDF
Getting started with libcurl
Daniel Stenberg
 
PDF
HTTP/3 is next generation HTTP
Daniel Stenberg
 
PDF
Landing code in curl
Daniel Stenberg
 
What comes after world domination with Daniel Stenberg, April 2025
Daniel Stenberg
 
digital infrastruktur är open source-1.pdf
Daniel Stenberg
 
Tightening every bolt at FOSDEM 2025 by Daniel Stenberg
Daniel Stenberg
 
curl security by Daniel Stenberg from curl up 2024
Daniel Stenberg
 
rust in curl by Daniel Stenberg from- curl up 2024
Daniel Stenberg
 
trurl 2024 by Daniel Stenberg from curl up 2024
Daniel Stenberg
 
curl future 2024 by Daniel Stenberg from curl up 2024
Daniel Stenberg
 
The state of curl 2024 by Daniel Stenberg from curl up 2024
Daniel Stenberg
 
mastering libcurl part 2
Daniel Stenberg
 
mastering libcurl part 1
Daniel Stenberg
 
curl - openfourm europe.pdf
Daniel Stenberg
 
curl experiments - curl up 2022
Daniel Stenberg
 
curl security - curl up 2022
Daniel Stenberg
 
HTTP/3 in curl - curl up 2022
Daniel Stenberg
 
The state of curl 2022
Daniel Stenberg
 
Let me tell you about curl
Daniel Stenberg
 
Curl with rust
Daniel Stenberg
 
Getting started with libcurl
Daniel Stenberg
 
HTTP/3 is next generation HTTP
Daniel Stenberg
 
Landing code in curl
Daniel Stenberg
 

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Cloud computing and distributed systems.
kkkkkhan
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 

Reverse engineering

  • 2. Agenda A saga about a bunch of people who grew bored with a factory installed firmware in consumer electronics and wrote their own implementation
  • 3. Daniel Stenberg Email: daniel@haxx.se Twitter: @bagder Web: daniel.haxx.se Blog: daniel.haxx.se/blog hacker at
  • 4. Please ask! Feel free to interrupt and ask at any time!
  • 5. Let me tell you a story... •this story begins in the early 2001 •3 men in their best years •embedded systems hackers •the dawn of the mp3 player revolution
  • 6. Archos mp3 players •December 2000 •First mp3 player with a HDD •Probably the crappiest firmware in the world •Surely we could do better? How hard can it be?
  • 7. What's inside? •Read the onboard circuits and search or ask •Used to be a good away •… barely gives away anything nowadays •Can it be hacked? •Almost universally: yes
  • 8. Firmware upgrade option! •Look you can upgrade firmware... •What's the architecture again? •Collect several firmware files •Analyze differences •Throw everything and everyone at it •This can take a lot of time
  • 9. Intermission: legality •Were we allowed to do this? •The world is full of jurisdictions •We are Swedish, what does EU laws say? •The 1991 EU Computer Programs Directive, article 6: •The 2009 EU Computer Program Directive: The authorization of the rightholder shall not be required where reproduction of the code and translation of its form ... are indispensable to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs performance of the acts of reproduction and translation by or on behalf of a person having a right to use a copy of the program is legitimate and compatible with fair practice and must therefore be deemed not to require the authorisation of the rightholder. An objective of this exception is to make it possible to connect all components of a computer system, including those of different manufacturers, so that they can work together
  • 10. XORing a fixed string •By guessing parts of the decrypted file some “encryption” is easier than others •Early devices just scrambled firmwares like this
  • 11. How do things work in there? •Figure out how your architecture works •Master things like the CPU instruction set and how a stack works •These days things are “always” ARM •The CPU core is not the problem, the peripherals, busses and associated HW are the challenges
  • 12. Disassembly •Objdump is an excellent tool •Is not as hard as you might think •Look for register addresses / memory layout patterns •Error messages/strings/bitmaps or pointers to them
  • 13. Disassembly even easier •IDApro is an advanced tool to automate the task even more • Detects lots of C/C++ magic by itself • Stack frames • Bitmaps • Structs • Strings • Memory layout
  • 14. Scan the bare PCB and beep them BGA removed! Surprisingly many clues printed on the PCB
  • 15. Hiding what's inside •Rub off all markings •Use chips without public documentation •Use chips unsupported by gcc
  • 16. Hardware debuggers •Many devices leave debug points for BDM / JTAG or debug uarts •Like this:
  • 17. Attaching stuff on their HW •Hm, what do we have here...
  • 20. Anti-bricking measures •Have multiple devices •Primary boot-loader feature: run the original •If possible, load and run from RAM only until tested
  • 21. Software decoding targets •Our first targets had mp3 decoding hardware •New architectures entered •More XOR and checksums •Detect code patterns and search online for data sheets. •Partial matches may give “similar chips” that have documentation
  • 22. Early ipods •Used hidden hard-drive partitions •Used completely (publicly) undocumented chips •Took a long time to master
  • 23. Later target examples •Boot-loader that loads and decrypts firmware •Magic constants in the boot-loader code revealed algorithm. •Boot-loader also upgradable (plain) gave away crypto keys •Known flags in digital signature algorithm (DSA) offered shortcut in code signing
  • 24. So what about true cryptography?
  • 25. Loading encrypted payloads •Target loads only encrypted files •User finds flaw in one firmware version that crashes the device •A buffer overflow in the HTML reader •Look, if we add crafted data in that HTML file we can execute code •When we used a loop to write in memory we managed to toggle the backlight
  • 27. From backlight to restored key • dump memory using a videocamera and toggle backlight • 32MB contents took many hours • analyze what's in memory • code, data, clues • see, there's a pattern of USB registers • rewrite the memory dump program to send contents over USB, insert the whole thing into a HTML file, load it on target device • there seems to be code referencing an SRAM • dump SRAM too • Look, there's something that looks like a crypto key!
  • 28. It takes time and people •Many volunteers •Skilled volunteers •Devoted volunteers •Lots of time •> 1 year from buffer overflow to running code
  • 29. Getting it done faster? •What if there was (lots of) money to gain? •More clever people spending more of their time •More computers cracking crypto •More hardware analyzers •If you can upgrade the device, reverse engineering it will be possible
  • 30. From tiny to Android 2001 2MB RAM 6GB HDD 12 MHz CPU 2010 64MB RAM 120GB HDD 500 MHz CPU Today: the dedicated mp3 player market is dead or dying and everyone is going Android Reverse engineering is still done mostly the same
  • 31. Linux-based reverse engineering •More devices use full-fledged Linux •More flaws, more drivers, less ways to have “unique” solutions hard to figure out •Manufacturers stick to undocumented hardware •… and booting encrypted blobs •Once “hacked”, putting your own SW can be much easier: • familiar APIs (libc, u-boot, standard libs) • familar drivers (even if binary blobs will be there) • gcc!
  • 32. Rockbox A complete and very portable open source mp3 player firmware replacement, including multi-tasking operating system and application suite... Started by me and my two friends Linus and Björn. Runs on almost 100 different mp3 players from brands such as Toshiba, Tatung, Sony, SanDisk, Samsung, Philips, Pandora, Onda, Olympus, MPIO, Creative, Apple, Archos, Cowon, HifiMan, Meizu, iRiver, Packard Bell, iAudio and more...
  • 35. Learn more! •Rockbox http://www.rockbox.org/ •“Reverse Engineering for Beginners” http://yurichev.com/writings/RE_for_beginners-en.pdf
  • 36. Doing good is part of our code