SlideShare una empresa de Scribd logo

Intro to embedded device hardware firmware hacking

A
Andrew Freeborn

This document provides an overview of a workshop on introductory hardware firmware hacking. It outlines the agenda which includes discussing embedded devices, security issues, and solutions. It then demonstrates analyzing the firmware of a DVRF device by exploring stack buffer overflows, disassembling MIPS binaries, and using static and dynamic analysis tools to investigate the device's functions and potential exploits.

Tecnología
1 de 22
Descargar para leer sin conexión
Intro to Hardware Firmware Hacking Andrew Freeborn 1
• The Wild West • What’s MIPS • Let’s break it • Pictures! Agenda 2
Embedded Devices 3
• Cheap and everywhere • Lots of options for home routers, modems, etc • New models every year with new features • No real regulation of the safety and strength of the security of the device (CyberUL to help?) • Krebs attack / Ukraine power grid Embedded Devices Are Awesome 4
We get it, they’re bad 5
TLC? 6
• Easy to get into surprisingly • Easier if you stick to the rivers and lakes.... Software • Like many problems, issues can be fixed when there is attention on them They’re not bad, they just need TLC 7
• All software updated • Kernel updates • Kernel hardening • Compiler protections • Make updating easy and secure with little effort • Scanned for vulnerabilities Embedded Device Solutions 8
• DVRF • MIPS CPU • MIPS assembly >> • ??? • Profit • MIPS binaries When do we get to see dat MIPS
• hello.c • MIPS diassembly What the MIPS? https://www.onlinedisassembler.com/odaweb/ GzjLonX7
•Anybody can do this search and find this information
 
 
 
 
 
 
 
 
 • Source: https://www.shodan.io/search?query=netgear What about security?
• Prologue
 • Middle- logue?
 • Epilogue Show me that MIPS again
•Why do we care?
 •Are there other buffer overflows? • Source: https://en.wikipedia.org/wiki/Call_stack What’s a stack buffer overflow? 13
• Why start here? • How many challenges are there? Stack buffer overflows in DVRF Intro •stack_bof_01 •heap_overflow_01 •uaf_01 ShellCode_Required •stack_bof_02 •socket_bof •socket_cmd 14
• Let’s run it! stack_bof_01 15
• Hulk smash! stack_bof_01
• Static analysis with floss (the new strings!) Smashed the stack, now what
• Lots of ways to do this • • IDA • Online Disassembler >> Graph me like one of your French binaries www.onlinedisassembler.com/ odaweb/OXabeNP7
• Functions • main • dat_shell • other things we don’t care about What’s on the menu?
• Debugger like GDB • Plain GDB is not pretty • pwndbg makes it nice >> • Use gdb-multiarch • This really is helpful >> Dynamic analysis
• You just need the right amount of “As” • Provide the memory address of dat_shell Python to the rescue 21
• vivirytech@gmail.com • https://vivirytech.blogspot.com • Twitter: @vivirytech Thanks! 22

Recomendados

Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101Tiago Henriques
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware HackingAndrew Brockhurst
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGSilvio Cesare
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino ForensicsSteve Watson
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Takeda Pharmaceuticals
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking PrimerYashin Mehaboobe
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkYashin Mehaboobe
 

Recomendados

Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101Tiago Henriques
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware HackingAndrew Brockhurst
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGSilvio Cesare
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino ForensicsSteve Watson
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Takeda Pharmaceuticals
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking PrimerYashin Mehaboobe
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkYashin Mehaboobe
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
Arduino1.0 RC
Arduino1.0 RCArduino1.0 RC
Arduino1.0 RC馬 萬圳
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabledpricemcdonald
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Arduino i rremote 1112
Arduino i rremote 1112Arduino i rremote 1112
Arduino i rremote 1112馬 萬圳
 
Audible Objects
Audible ObjectsAudible Objects
Audible ObjectsLeif Bloomquist
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Price McDonald
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
 
Stm32 f4 first touch
Stm32 f4 first touchStm32 f4 first touch
Stm32 f4 first touchBenux Wei
 
Internet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightInternet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightAndy Gelme
 
Netloab toolkit 1112
Netloab toolkit 1112Netloab toolkit 1112
Netloab toolkit 1112馬 萬圳
 
BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsPrice McDonald
 
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...codebits
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalHyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalPacSecJP
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Rdl esp32 development board trainer kit
Rdl esp32 development board trainer kitRdl esp32 development board trainer kit
Rdl esp32 development board trainer kitResearch Design Lab
 
side-channel-kevin2600
side-channel-kevin2600side-channel-kevin2600
side-channel-kevin2600Kevin2600
 
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapalibuildersreviews
 
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsHardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsAndres Lozano
 

Más contenido relacionado

La actualidad más candente

Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabledpricemcdonald
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Arduino i rremote 1112
Arduino i rremote 1112Arduino i rremote 1112
Arduino i rremote 1112馬 萬圳
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Price McDonald
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
 
Stm32 f4 first touch
Stm32 f4 first touchStm32 f4 first touch
Stm32 f4 first touchBenux Wei
 
Internet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightInternet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightAndy Gelme
 
Netloab toolkit 1112
Netloab toolkit 1112Netloab toolkit 1112
Netloab toolkit 1112馬 萬圳
 
BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsPrice McDonald
 
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...codebits
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsAleksandr Timorin
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalHyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalPacSecJP
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
 
Rdl esp32 development board trainer kit
Rdl esp32 development board trainer kitRdl esp32 development board trainer kit
Rdl esp32 development board trainer kitResearch Design Lab
 
side-channel-kevin2600
side-channel-kevin2600side-channel-kevin2600
side-channel-kevin2600Kevin2600
 

La actualidad más candente (20)

Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Arduino1.0 RC
Arduino1.0 RCArduino1.0 RC
Arduino1.0 RC
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabled
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
 
Arduino i rremote 1112
Arduino i rremote 1112Arduino i rremote 1112
Arduino i rremote 1112
 
Audible Objects
Audible ObjectsAudible Objects
Audible Objects
 
Bsides Puerto Rico-2017
Bsides Puerto Rico-2017Bsides Puerto Rico-2017
Bsides Puerto Rico-2017
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
 
Stm32 f4 first touch
Stm32 f4 first touchStm32 f4 first touch
Stm32 f4 first touch
 
Internet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightInternet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! night
 
Netloab toolkit 1112
Netloab toolkit 1112Netloab toolkit 1112
Netloab toolkit 1112
 
BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the Things
 
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
Hardware Hacking area: Make Cool Things with Microcontrollers (and learn to s...
 
SCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanismsSCADA deep inside: protocols and security mechanisms
SCADA deep inside: protocols and security mechanisms
 
Hyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-finalHyperchem Ma, badbarcode en_1109_nocomment-final
Hyperchem Ma, badbarcode en_1109_nocomment-final
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Rdl esp32 development board trainer kit
Rdl esp32 development board trainer kitRdl esp32 development board trainer kit
Rdl esp32 development board trainer kit
 
side-channel-kevin2600
side-channel-kevin2600side-channel-kevin2600
side-channel-kevin2600
 

Destacado

amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapalibuildersreviews
 
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsHardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsAndres Lozano
 
Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)Dan Bowen
 
Coders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOWCoders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOWMatt Biddulph
 
JTAG Interface (Intro)
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)Nitesh Bhatia
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblySam Bowne
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGDobrica Pavlinušić
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerDobrica Pavlinušić
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsDobrica Pavlinušić
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software peopleDobrica Pavlinušić
 
Let's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionLet's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionDobrica Pavlinušić
 
CNIT 126 5: IDA Pro
CNIT 126 5: IDA Pro CNIT 126 5: IDA Pro
CNIT 126 5: IDA Pro Sam Bowne
 
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Knowledge Group
 

Destacado (17)

amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdfamrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
 
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa SmartcardsHardware Hacking caso práctico Ingeniería Inversa Smartcards
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
 
Playful
PlayfulPlayful
Playful
 
Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)Hardware Hacking in schools (ACEC2014)
Hardware Hacking in schools (ACEC2014)
 
Hardware hacking
Hardware hackingHardware hacking
Hardware hacking
 
Breaking Bad EACS Implementations
Breaking Bad EACS ImplementationsBreaking Bad EACS Implementations
Breaking Bad EACS Implementations
 
Coders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOWCoders need to learn hardware hacking NOW
Coders need to learn hardware hacking NOW
 
Router forensics
Router forensicsRouter forensics
Router forensics
 
JTAG Interface (Intro)
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 Disassembly
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAG
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component tester
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needs
 
Hardware hacking for software people
Hardware hacking for software peopleHardware hacking for software people
Hardware hacking for software people
 
Let's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 editionLet's hack cheap hardware 2016 edition
Let's hack cheap hardware 2016 edition
 
CNIT 126 5: IDA Pro
CNIT 126 5: IDA Pro CNIT 126 5: IDA Pro
CNIT 126 5: IDA Pro
 
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
Joint Presentation - Part 1: The Future Evolution of E-Banking & Cyber Securi...
 

Similar a Intro to embedded device hardware firmware hacking

Opening last bits of the infrastructure
Opening last bits of the infrastructureOpening last bits of the infrastructure
Opening last bits of the infrastructureErwan Velu
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Implementing AI: Running AI at the Edge: ClickCV – Providing high-performance...
Implementing AI: Running AI at the Edge: ClickCV – Providing high-performance...Implementing AI: Running AI at the Edge: ClickCV – Providing high-performance...
Implementing AI: Running AI at the Edge: ClickCV – Providing high-performance...KTN
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Platform Clouds, Containers, Immutable Infrastructure Oh My!
Platform Clouds, Containers, Immutable Infrastructure Oh My!Platform Clouds, Containers, Immutable Infrastructure Oh My!
Platform Clouds, Containers, Immutable Infrastructure Oh My!Stuart Charlton
 
Allwinner Kernel Upstreaming Experiences
Allwinner Kernel Upstreaming ExperiencesAllwinner Kernel Upstreaming Experiences
Allwinner Kernel Upstreaming ExperiencesChen-Yu Tsai
 
The end of embedded Linux (as we know it)
The end of embedded Linux (as we know it)The end of embedded Linux (as we know it)
The end of embedded Linux (as we know it)Chris Simmonds
 
Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?Justin Black
 
The Truth About Viruses on IBM i
The Truth About Viruses on IBM iThe Truth About Viruses on IBM i
The Truth About Viruses on IBM iHelpSystems
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNitesh Malviya
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Cloudflare
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
20140228 fp and_performance
20140228 fp and_performance20140228 fp and_performance
20140228 fp and_performanceshinolajla
 
Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)
Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)
Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)Tibo Beijen
 
DEFCON 23 - Mickey Shkatov Jesse Michael - scared poopless lte vulnerabilities
DEFCON 23 - Mickey Shkatov Jesse Michael - scared poopless lte vulnerabilitiesDEFCON 23 - Mickey Shkatov Jesse Michael - scared poopless lte vulnerabilities
DEFCON 23 - Mickey Shkatov Jesse Michael - scared poopless lte vulnerabilitiesFelipe Prado
 
DESIGN West 2013 Presentation: Accelerating Android Development and Delivery
DESIGN West 2013 Presentation: Accelerating Android Development and DeliveryDESIGN West 2013 Presentation: Accelerating Android Development and Delivery
DESIGN West 2013 Presentation: Accelerating Android Development and DeliveryDavid Rosen
 

Similar a Intro to embedded device hardware firmware hacking (20)

Opening last bits of the infrastructure
Opening last bits of the infrastructureOpening last bits of the infrastructure
Opening last bits of the infrastructure
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
Implementing AI: Running AI at the Edge: ClickCV – Providing high-performance...
Implementing AI: Running AI at the Edge: ClickCV – Providing high-performance...Implementing AI: Running AI at the Edge: ClickCV – Providing high-performance...
Implementing AI: Running AI at the Edge: ClickCV – Providing high-performance...
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Reverse engineering
Reverse engineeringReverse engineering
Reverse engineering
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Platform Clouds, Containers, Immutable Infrastructure Oh My!
Platform Clouds, Containers, Immutable Infrastructure Oh My!Platform Clouds, Containers, Immutable Infrastructure Oh My!
Platform Clouds, Containers, Immutable Infrastructure Oh My!
 
Allwinner Kernel Upstreaming Experiences
Allwinner Kernel Upstreaming ExperiencesAllwinner Kernel Upstreaming Experiences
Allwinner Kernel Upstreaming Experiences
 
The end of embedded Linux (as we know it)
The end of embedded Linux (as we know it)The end of embedded Linux (as we know it)
The end of embedded Linux (as we know it)
 
Who needs iot security?
Who needs iot security?Who needs iot security?
Who needs iot security?
 
The Truth About Viruses on IBM i
The Truth About Viruses on IBM iThe Truth About Viruses on IBM i
The Truth About Viruses on IBM i
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmware
 
Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013Sullivan white boxcrypto-baythreat-2013
Sullivan white boxcrypto-baythreat-2013
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
20140228 fp and_performance
20140228 fp and_performance20140228 fp and_performance
20140228 fp and_performance
 
Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)
Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)
Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)
 
DEFCON 23 - Mickey Shkatov Jesse Michael - scared poopless lte vulnerabilities
DEFCON 23 - Mickey Shkatov Jesse Michael - scared poopless lte vulnerabilitiesDEFCON 23 - Mickey Shkatov Jesse Michael - scared poopless lte vulnerabilities
DEFCON 23 - Mickey Shkatov Jesse Michael - scared poopless lte vulnerabilities
 
DESIGN West 2013 Presentation: Accelerating Android Development and Delivery
DESIGN West 2013 Presentation: Accelerating Android Development and DeliveryDESIGN West 2013 Presentation: Accelerating Android Development and Delivery
DESIGN West 2013 Presentation: Accelerating Android Development and Delivery
 

Último

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

Último (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 

Intro to embedded device hardware firmware hacking

  • 1. Intro to Hardware Firmware Hacking Andrew Freeborn 1
  • 2. • The Wild West • What’s MIPS • Let’s break it • Pictures! Agenda 2
  • 4. • Cheap and everywhere • Lots of options for home routers, modems, etc • New models every year with new features • No real regulation of the safety and strength of the security of the device (CyberUL to help?) • Krebs attack / Ukraine power grid Embedded Devices Are Awesome 4
  • 5. We get it, they’re bad 5
  • 7. • Easy to get into surprisingly • Easier if you stick to the rivers and lakes.... Software • Like many problems, issues can be fixed when there is attention on them They’re not bad, they just need TLC 7
  • 8. • All software updated • Kernel updates • Kernel hardening • Compiler protections • Make updating easy and secure with little effort • Scanned for vulnerabilities Embedded Device Solutions 8
  • 9. • DVRF • MIPS CPU • MIPS assembly >> • ??? • Profit • MIPS binaries When do we get to see dat MIPS
  • 10. • hello.c • MIPS diassembly What the MIPS? https://www.onlinedisassembler.com/odaweb/ GzjLonX7
  • 11. •Anybody can do this search and find this information
 
 
 
 
 
 
 
 
 • Source: https://www.shodan.io/search?query=netgear What about security?
  • 12. • Prologue
 • Middle- logue?
 • Epilogue Show me that MIPS again
  • 13. •Why do we care?
 •Are there other buffer overflows? • Source: https://en.wikipedia.org/wiki/Call_stack What’s a stack buffer overflow? 13
  • 14. • Why start here? • How many challenges are there? Stack buffer overflows in DVRF Intro •stack_bof_01 •heap_overflow_01 •uaf_01 ShellCode_Required •stack_bof_02 •socket_bof •socket_cmd 14
  • 15. • Let’s run it! stack_bof_01 15
  • 17. • Static analysis with floss (the new strings!) Smashed the stack, now what
  • 18. • Lots of ways to do this • • IDA • Online Disassembler >> Graph me like one of your French binaries www.onlinedisassembler.com/ odaweb/OXabeNP7
  • 19. • Functions • main • dat_shell • other things we don’t care about What’s on the menu?
  • 20. • Debugger like GDB • Plain GDB is not pretty • pwndbg makes it nice >> • Use gdb-multiarch • This really is helpful >> Dynamic analysis
  • 21. • You just need the right amount of “As” • Provide the memory address of dat_shell Python to the rescue 21