Playwright Aristophanes wanted to show the world just how pretentious db whack he really was. What’s that? You want a how to and not just tips? Hmmm…OK, here is an excellent blog showing you the step by step details of reversing some code from a…product…. That is the true Holy Grail of hacking embedded systems, but we’ll cover that next blog. If you decode a OEM suppliers firmware you may have hit a real jackpot since most C code is modularized and reused in other devices, so this the gift that keeps on givin’!! At this point you can gather the data and test certain conditions you have mined OR you can move up to the graduate level of hacking and start looking at disassembly with IDA Pro and start installing rootkits in firmware. – Contact information, which is great for social engineeringĪnd of course some of the funniest comments you have seen. – Internal server ip addresses of the code house pem files that allowed me to do a super effective bogus SSL connection! – Mountable filesystems that actually allow me to mount the firmware and interact with it. Now you have some readable ASCII extracted from firmware. I just do a LS to see the results, then view those results in my hex editor and Kazam! it’s hammertime! I run it thru DeeZee, with the command:ĭeeZee will chew on it few a while then spit out the results into the same directory I run it at. If I run a file thru strings or view it in a hex editor and see nothing but unreadable crap, then I assume it must be ZLIB’ed or encrypted but that is very rare. Look at the best practices for a simple ACL. Human behavior is such that we write and comment stuff out all the time. DeeZee will search thru a binary file for ZLIB signatures then extract them and print out the results. It is older but works really well still for binary dissection. There is a great tool called DeeZee which is part of the Black Bag Tool Kit from Matasano. In outsourced code larger then 3Meg this is very common. Tip 00×03 Some firmware will be compressed in what is called ZLIB compressed chunks. The -t is an option I use to tell me the offsets just in case I need to…use them later on… Simple but powerful command with few options. The default character limit is 4 but you can change that. Strings is a command that will print out any ascii character sequences that is followed by a an unprintable character. The first thing I do is run firmware thru the *Nix command Strings. I am interested in about 1% of the file which contains ASCII text. Tip 00×02 Firmware files are in hex and have a ton of unreadable data in them. Tip 00×01 I normally like to look for bootcode if I have the choice. But before your go download firmware and opening it up in your favorite hex editor, here are a few pointers to get ya started: Remember Stuxnet? Oh Yeah… Most firmware out there today is unsigned and unencrypted which means I can read it in a simple hex editor. (I just found two days ago in a vendor device) Basically, low rent firmware hacking is really a piece of cake to understand.Plus it can really yield huge…benefits. These can be comments about debug interfaces, HARD CODED ACCOUNTS!!!! Private keys, hidden commands and yes even backdoor passwords. Now to keep this code straight from vendor to vendor many code houses place comments in their firmware. These code houses do not just buzz the code for one vendor but for 50 or more. They have a marketing plan, money, call centers, etc…but code jockeys are something that is normally outsourced. Many vendors out there today do not have firmware developers in house. The firmware can be like the wardroom door to Narina if you look deeply into it. I just use a 10 minute emailer like Mailinator or I give them Robb’s email and then I start downloading firmware. Many vendors out there today offer up firmware freely without authentication or with only a email address so they can gather marketing data. I just go for the low hangin’ fruit! Firmware! say with me…What do we want! Firmware!! f.i.r.m.w.a.r.e!! Firmware baby!!! Matter of fact, it is very rare for me to get actual gear. Now my wife is not a fan of guns but if I started purchasing all the stuff I hack around here weekly, my guess is that she would change her mind real quick… So I need another method…a more…low cost method of hacking a device without ever purchasing the device. When I see electronic firmware based stuff work I always wonder “How did they code that one up?” I am not trying to be a whank about it and post how to steal a case of Sundrop from a Dixie-Narco vending machine, I just want to know from an engineering stand point. It doesn’t matter really what it is, I just enjoy the challenge of figuring out how stuff works and how to bypass certain controls. I had a customer at Interop NYC yesterday ask me if I still hack stuff? Still?!?! Of course!! It’s something that’s just in your blood daddy-o! I just like to hack stuff.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |