Extracting and Modifying Firmware with JTAG

Captions
Hey there, this is Matt Brown coming at you with another IoT hacking video. Today we are going to be dumping firmware using JTAG from a Raspberry Pi microcontroller that is on the DEF CON 30 badge. We will then modify that firmware and re-upload it to the device, and prove that we can successfully modify firmware as well using JTAG. I would like to thank everybody who has commented and subscribed to my previous videos; it's really encouraging. Please tell me in the comments what I can continue to improve on in these videos and what type of topics you'd like to see in the realm of IoT hacking. With that said, we are going to hop over to the desk and check out what we're going to be looking at today.

First I'm going to swing my microscope out of the way and just look at what we have on the desk. On the desk today I've got my DEF CON 30 badge. DEF CON was awesome this year, I had a great time, and it was an electronic badge that was based around the Raspberry Pi's new microcontroller. So we're going to go ahead and actually take a look at this and see what's going on on this board. I will hop over to my microscope camera here, let you see what I see, and get this focused.

Here on the board we see that we actually have two chips right next to each other. We first have the Raspberry Pi microcontroller right here, and then we have an external flash chip. This is going to be really important for us to understand as we continue into using JTAG to dump this firmware, because the important firmware that runs on this board is actually not on the microcontroller itself. I believe this microcontroller does support a limited amount of internal flash, but the code that's actually running the bulk of the programming on this board is housed on this flash chip, and so we are going to want to dump that off for our modification. With that, I'm going to flip this board over and we're going to take a look at a very useful port that we have located on the back of this board.

If you have done any type of JTAG work or microcontroller debugging or ARM debugging in the past, you will note that this is a very common 10-pin ARM debug connector. I also happen to have a corresponding pogo-pin connector that interfaces with it, and I'm going to show it under the microscope because it's a lot easier to see. The way this works is that you don't have to solder onto this connector: you can see these are just spring-loaded pins, and when this connector is put onto this part of the board and you apply some pressure, or you just get it into a position where it's not going to move, then you're going to have a solid connection to your debug interface, which is fully open and not protected on this board. So I'm going to switch back over to my desk cam, get my microscope out of the way, and I'll show how we're going to connect this to our JTAG port.

Some of you might be wondering what this is doing here. This is the JTAGulator. If you haven't heard about this tool, it's a really awesome tool that's useful for reverse engineering random pins on a board. If I didn't have this nicely labeled, well-known set of pins here for a debug connection, then I would need to use a tool like the JTAGulator to figure out which debug pins are which; or if I just had a bunch of pins on the board and I didn't know which one, if any of them, were JTAG, the JTAGulator could help me assess that situation on the board. But today we're going to set that aside because we have a very common 10-pin ARM debug slot here. I'm using a J-Link here as my debugger, and I'm simply going to put the connector in there, and then I'm actually going to flip it over so that some of the pressure of it sitting like that will keep all those pogo pins exactly where I want them. Then I'm going to power on the device, and when I do that you'll see (it's probably hard to see) that there's a menu that comes up and you can play it; it's a musical instrument, it's a pretty cool badge.

Now that I have my debugger connected, I'm going to flip over to my other screen here. We're going to look at a couple of datasheets. If you noticed when I had the microscope over those two chips on the board, I've got both of their datasheets, or just product pages, sitting up here in my web browser. Here we have the datasheet for our Raspberry Pi. We're going to need a key piece of information out of this datasheet, and it's going to be nicely labeled in this address map section. What I'm looking for here is this XIP value, which stands for execute in place. This is the address where that external flash chip is going to be mapped, so it can be directly addressed like any other memory address on the microcontroller. So this is something that I'm just going to copy, and then I've got a little text file over here, and I'm going to paste that and save that for later.

Then the other thing that we need to know: again, under the microscope we were able to obtain the information that was labeled on the chip, so this is our flash chip, and I don't even need to open the datasheet. All I need to do for this item is to go down and see the memory size of this device right here. We can see that the memory size is 16 megabits. Just so we're ready for the command that we're going to do in the J-Link, because the J-Link command is going to want to know the number of bytes, not bits, just some quick math in Python here: we can say 16 million... wait, did I do that right? 16 million bits divided by eight, that gives us the number of bytes, and then it's going to want that number to appear in hex, so we will just grab that hex value, and again I'm going to copy that into a text editor I have on another screen.

Oh yeah, one other link I just wanted to show you all: again, this is a J-Link product and a J-Link connector that I'm using here. This is the 10-pin adapter, and I believe they have a picture... yeah, so here's another picture, of what I kind of tried to show on the microscope, of what this connector looks like. Again, it's just a way to get that specific 10-pin pogo-pin setup to connect to the J-Link debugger.

So with that, I'm now going to run the JLink.exe command. This is the command-line interface; it's sometimes called J-Link Commander, and you'll see it referenced that way a lot online. I'm just going to run this. It's plugged in as a USB device, it recognizes it, and one useful tidbit here is that it's actually detecting the reference voltage of the board as being 3.3 volts. This is just a helpful dummy check that you can always do to see if the pogo pins are somewhat connected. If they're not connected, if you don't have a good connection with the board, you'll often see that this is zero volts, and then any of the commands you try to do after that are not going to really do anything for you and not going to work. But the board does detect a reference voltage of 3.3 volts, which I know to be correct on the board.

Now I'm going to type the connect command, and although I already have the Raspberry Pi microcontroller pre-selected, I'm going to show you what this dialog looks like when I send the question mark: I can search through this for all the different types of microcontrollers and other CPUs that the J-Link supports in debugging. For the Raspberry Pi one I can just search "Raspberry Pi", and it only supports this one from Raspberry Pi because, as far as I know, this is the only microcontroller they make. So I'm just going to select this first device model and say okay. The second choice here is going to tell me what type of target interface; again, since this is an ARM device, SWD is always a good option, but you could do JTAG also and it would probably work. I'm going to use the default speed that it wants to use. And it is giving me some kind of an error; that's interesting. So I'm going to try to reset the board and then see if I can halt the CPU. And I can halt the CPU, so this is a sign that my debug connection is operating correctly. Then I can also run a command like IsHalted, and it actually says the CPU is halted. I can show you that by jumping back over to my desk: it's kind of hard to see, but if I click this button it actually isn't doing anything; this debugger has completely halted the operation of code on this device.

We will jump back to my screen, and now what we want to do is dump the firmware off of this device. I'm going to do the question mark to bring up all these commands. The command we are going to use to dump the firmware is this savebin command. So we're going to just start typing out savebin. It wants a file name, so we're just going to call it firmware_dump.bin; call it whatever you want. Then for the address, that's where that 1 with all the following zeros comes from, that address where the XIP (execute in place) address is. And then the number of bytes, and that's where that value is that we calculated in Python; that's based on the size of the external flash chip, which is 16 megabits, converted to bytes and then converted to hexadecimal. With that we can hit enter and it will read that memory into a file, and then it says okay, it says it's done.

We are going to just exit out of that for a second, and here we have a firmware dump file that is the correct size that we expected it to be. We can even run a hex editor and look at some of the code and see what's going on here. It seems to have not read anything at all. Well, that's fascinating. You know what, I think it has to do with how I halted the CPU, so we're just going to try that again. I'm just going to savebin... all right, we're going to try that again. Actually, I'm going to turn it off and on again and run the command again. "Could not read memory." All right, connect... there we go, there we go. All right, third time's the charm. There we go. Okay, so now we have our firmware. We have now successfully dumped that firmware off the device, so we can go ahead and look at a hex dump of it. We can see lots of fun and interesting stuff.

For modification, we're going to go ahead and look at some of the strings on this device. Just as a proof of concept, this is not going to be an amazing, elite firmware dump, but there is a part of this device that just displays the credits of who made the badge and things like that. So I'm going to look for this string. We can see in here there are these strings intermixed in this binary with other data where it says "artwork", this person's name, "EE and code", and this other person's name. We are going to look back at our desk, and I'll show that right now. I'm going to turn it off and on again, because who knows what state that debugger put it in. I'm going to hit "credits", and you can see here it displays on this screen those strings that we're seeing from the firmware we dumped. What we're going to attempt to do is replace those strings with our own message in the modified binary. I'm just going to put this back into a good state for when we're ready to push.

So with that, I'm going to keep that original firmware, and then I'm going to call this other firmware mod.bin, and I'm actually going to open this up in Vim. This is a very crude method of firmware modification; obviously, if we were trying to modify code this would in no way work. Another thing I had to do when I was testing this before is that I had to add this line to my .vimrc so it wouldn't add a newline onto the end of the binary file. With that said, we're going to open this in Vim. We see a bunch of binary data, obviously, that we would not be able to modify in any useful way, but down here we can find where that artwork string is and those other strings. I'm just going to modify three of these, and you'll see how I'm going to do that. I'm going to be really careful when modifying this to leave the same number of bytes in each string, because we don't want to mess up any addressing of any subsequent strings in code. So I'm actually going to be counting out loud: one, two, three, four, five, six, seven, eight, okay, and then one, two, three, four, five, six, seven, eight; you get the idea. One, two, three, four, five, six, seven, eight, nine, ten; one, two, three, four, five, six, seven, eight, nine, ten. And for the last one: one, two, three, four, five, six, seven, eight; one, two, three, four, five, six, seven, eight. All right. If we do that, then as a quick check, if we ls both those files, they are the same size; it did not add the newline character to the end of this mod file.

Now we are going to go back into our debugger, connect, use the default device, speed is okay, and now we are going to run another command called loadfile. With loadfile you just give it a file name of the firmware file that you want to load, and then the address. We already know all those values, so we're going to go ahead and type loadfile, and then the file name is mod, and then the address is one, zero, zero, zero, and then four more zeros. If all works, it will tell me that it's pushing it to the device. Then we can go back over to our desk, and again I'm going to turn it off, get it disconnected from the debugger, and now I'm going to turn it on, and if we go down to our credits screen it will say "hacked by nmat".

So now we have demonstrated today that, using JTAG against a Raspberry Pi microcontroller, we are able to both dump firmware and then modify that firmware and push it back onto the device, all using the JTAG port that is available on this device. This is why, when I'm performing pen tests, JTAG is something that is always top of mind for me when I'm looking at different embedded devices and IoT devices. That's something that you want to disable if you're a developer of an IoT product. It's an incredibly useful debugging tool to you as a developer, and you do need that, but then you have to think about what an attacker can do with that same functionality. That's why it's really important to disable those types of features, or not allow firmware to be read out before it is wiped, and things like that. You have write protection and read protection that you can do on microcontrollers; those security features tend to be specific to the different manufacturers that are out there, so you really just need to check the datasheets of your specific device to figure out how to implement those security controls. So with that, please continue to like, comment and subscribe, let me know what other type of videos you would like me to do, and have an awesome day.
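The dump-and-patch procedure in the captions above, as an added Python example that is not the video's or the badge project's code. It computes the address and length arguments for J-Link Commander's savebin from the XIP base and the flash chip's Mbit rating (treating 1 Mbit as 2^20 bits, the convention flash datasheets use, so 16 Mbit comes out to 0x200000 bytes), checks for the blank all-0x00/0xFF read that the video runs into before trusting a dump, and performs the same-length string patch so that no later string's offset moves. The XIP_BASE constant, every function name and the sample firmware image are constructed here for illustration; savebin and loadfile are the real J-Link Commander command names.

```python
"""Added example (not code from the video or the badge project): helpers for the
dump-and-patch workflow the transcript walks through. All names here are mine;
the firmware image below is constructed for illustration, not a real dump."""
from __future__ import annotations

# RP2040 XIP window: the external flash chip is mapped here for savebin/loadfile.
XIP_BASE = 0x10000000


def flash_size_bytes(megabits: int) -> int:
    """Bytes in a flash chip rated in Mbit. Flash datasheets use 1 Mbit = 2**20 bits,
    so a 16 Mbit part is 2 MiB (0x200000)."""
    return megabits * (1 << 20) // 8


def savebin_args(megabits: int, xip_base: int = XIP_BASE) -> tuple[str, str]:
    """The (address, length) hex strings J-Link Commander's savebin expects."""
    return f"0x{xip_base:08X}", f"0x{flash_size_bytes(megabits):X}"


def looks_like_empty_dump(data: bytes) -> bool:
    """The failure seen in the video: a read that 'did not read anything at all'
    comes back as all 0x00 or all 0xFF. Check this before trusting a dump."""
    return len(data) == 0 or set(data) <= {0x00, 0xFF}


def find_strings(data: bytes, min_len: int = 6) -> list[bytes]:
    """Minimal `strings`: runs of printable ASCII of at least min_len bytes."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(bytes(run))
        run = bytearray()
    if len(run) >= min_len:
        found.append(bytes(run))
    return found


def patch_string(fw: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` without moving a single byte: `new` is NUL-padded
    to len(old) so every later string keeps its offset (the 'count the bytes'
    rule from the video), and a longer replacement is refused outright."""
    if len(new) > len(old):
        raise ValueError(f"{new!r} is longer than {old!r}; offsets would shift")
    hits = fw.count(old)
    if hits != 1:
        raise ValueError(f"{old!r} must appear exactly once, found {hits}")
    patched = fw.replace(old, new.ljust(len(old), b"\x00"))
    assert len(patched) == len(fw)  # same size: loadfile writes it back 1:1
    return patched


# Constructed stand-in for a dump: a Cortex-M-style vector table (initial SP,
# reset vector inside the XIP window), some erased flash, then credits strings.
SAMPLE_FW = (
    bytes.fromhex("00080420" "91010010")
    + b"\xff" * 16
    + b"Artwork by Alice Example\x00"
    + b"EE and code by Bob Example\x00"
    + b"\x00" * 8
)


def build_mod_image(fw: bytes = SAMPLE_FW) -> bytes:
    """Mirror the video's mod.bin: swap the credits, keep every offset intact."""
    if looks_like_empty_dump(fw):
        raise RuntimeError("dump is blank; reconnect and halt the core, then retry")
    fw = patch_string(fw, b"Alice Example", b"nmat was here")  # exact length
    fw = patch_string(fw, b"Bob Example", b"nmat")              # shorter, NUL-padded
    return fw


if __name__ == "__main__":
    addr, length = savebin_args(16)
    print(f"J-Link: savebin firmware_dump.bin {addr} {length}")
    mod = build_mod_image()
    print(f"J-Link: loadfile mod.bin {addr}")
    for s in find_strings(mod):
        print(s.decode())
```

Padding a shorter replacement with NUL bytes works because the credits screen reads C strings and stops at the first NUL; the bytes after it are never shown but still occupy their original positions, which is what keeps the addresses of the following strings valid. For a real dump, pass the contents of the savebin output file to build_mod_image instead of SAMPLE_FW and write the result to the file you hand to loadfile.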
Info
Channel: Matt Brown
Views: 21,154
Id: dlHJCF-SSKc
Length: 21min 3sec (1263 seconds)
Published: Wed Oct 26 2022