Qhov no yog qhov thib ob thiab zaum kawg ntawm tsab xov xwm hais txog kev nyiag nkas sab nraud tus kheej-encrypting drives. Cia kuv ceeb toom rau koj tias ib tug npoj yaig tsis ntev los no coj kuv lub Patriot (Aigo) SK8671 hard drive, thiab kuv txiav txim siab thim rov qab, thiab tam sim no kuv tab tom qhia dab tsi tawm ntawm nws. Ua ntej nyeem ntxiv, nco ntsoov nyeem lus.
4. Peb pib muab pov tseg los ntawm lub sab hauv PSoC flash drive
Yog li, txhua yam qhia tau hais tias (raws li peb tau tsim nyob rau hauv [thawj ntu] ()) tias tus lej PIN tau khaws cia hauv qhov tob flash ntawm PSoC. Yog li ntawd, peb yuav tsum nyeem cov flash depths. Pem hauv ntej ntawm kev ua haujlwm tsim nyog:
- tswj "kev sib txuas lus" nrog lub microcontroller;
- nrhiav txoj hauv kev los xyuas seb qhov "kev sib txuas lus" no puas muaj kev tiv thaiv los ntawm kev nyeem ntawv los ntawm sab nraud;
- nrhiav txoj hauv kev los hla kev tiv thaiv.
Muaj ob qhov chaw uas nws ua rau kev nkag siab zoo rau nrhiav tus lej PIN siv tau:
- internal flash nco;
- SRAM, qhov twg tus pin code tuaj yeem khaws cia los sib piv nrog tus pin code nkag los ntawm tus neeg siv.
Saib ua ntej, kuv yuav nco ntsoov tias kuv tseem tau tswj hwm lub pob pov tseg ntawm sab hauv PSoC flash drive - hla nws txoj kev ruaj ntseg siv lub cuab yeej kho vajtse hu ua "txias khau raj tracing" - tom qab thim rov qab cov peev txheej tsis muaj ntaub ntawv ntawm ISSP raws tu qauv. Qhov no tso cai rau kuv ncaj qha mus pov tseg tus lej PIN tiag tiag.
$ ./psoc.py
syncing: KO OK
[...]
PIN: 1 2 3 4 5 6 7 8 9Qhov kawg program code:
- ;
- .
5. ISSP raws tu qauv
5.1. ISSP yog dab tsi
"Kev sib txuas lus" nrog lub microcontroller tuaj yeem txhais tau ntau yam: los ntawm "tus neeg muag khoom mus rau tus neeg muag khoom" mus rau kev sib cuam tshuam siv cov txheej txheem serial (piv txwv li, ICSP rau Microchip's PIC).
Cypress muaj nws tus kheej cov txheej txheem rau qhov no, hu ua ISSP (hauv-system serial programming raws tu qauv), uas yog ib feem piav qhia hauv . kuj muab ib co lus qhia. Kuj tseem muaj qhov sib npaug ntawm OpenSource hu ua HSSP (peb yuav siv nws me ntsis tom qab). ISSP ua haujlwm raws li hauv qab no:
- reboot PSoC;
- tso tawm tus lej khawv koob rau cov ntaub ntawv serial tus pin ntawm PSoC no; nkag mus rau sab nraud programming hom;
- xa cov lus txib, uas yog cov hlua me ntsis ntev hu ua "vectors".
Cov ntaub ntawv ISSP txhais cov vectors rau tsuas yog ib qho me me ntawm cov lus txib:
- Pib-1
- Pib-2
- Initialize-3 (3V thiab 5V xaiv)
- ID-SETUP
- NYEEM-ID-WORD
- SET-BLOCK-NUM: 10011111010ddddddddd111, qhov twg ddddddddd=block #
- BULK ERASE
- PROGRAM-BLOCK
- VERIFY-SETUP
- NYEEM-BYTE: 10110aaaaaaZDDDDDDDDDDZ1, qhov twg DDDDDDDD = cov ntaub ntawv tawm, aaaaaa = chaw nyob (6 ntsis)
- WRITE-BYTE: 10010aaaaaaadddddddd111, where ddddddddd = data in, aaaaaa = chaw nyob (6 ntsis)
- RAWS
- CHECKSUM-SETUP
- READ-CHECKSUM: 10111111001ZDDDDDDDDZ110111111000ZDDDDDDDDDDZ1, qhov twg DDDDDDDDDDDDDDDDDD = data out: ntaus ntawv checksum
- ERASE BLOCK
Piv txwv li, vector rau Initialize-2:
1101111011100000000111 1101111011000000000111
1001111100000111010111 1001111100100000011111
1101111010100000000111 1101111010000000011111
1001111101110000000111 1101111100100110000111
1101111101001000000111 1001111101000000001111
1101111000000000110111 1101111100000000000111
1101111111100010010111Tag nrho cov vectors muaj tib qhov ntev: 22 ntsis. Cov ntaub ntawv HSSP muaj qee cov ntaub ntawv ntxiv ntawm ISSP: "Ib qho ISSP vector tsis muaj dab tsi ntau tshaj li qhov me me uas sawv cev rau cov lus qhia."
5.2. Demystifying Vectors
Cia peb kawm seb yuav ua li cas rau ntawm no. Thaum xub thawj, kuv xav tias cov vectors tib yam no yog cov qauv ntawm M8C cov lus qhia, tab sis tom qab kuaj xyuas qhov kev xav no, kuv pom tias cov kev ua haujlwm tsis sib xws.
Tom qab ntawd kuv googled lub vector saum toj no thiab tuaj hla ib qho kev kawm uas tus kws sau ntawv, txawm hais tias nws tsis mus rau hauv cov ntsiab lus, muab qee cov lus qhia muaj txiaj ntsig: "Txhua qhov kev qhia pib nrog peb cov khoom sib txuas rau ib qho ntawm plaub mnemonics (nyeem los ntawm RAM, sau rau RAM, nyeem sau npe, sau npe). Tom qab ntawd muaj 8 qhov chaw nyob, ua raws li 8 cov ntaub ntawv (nyeem lossis sau) thiab thaum kawg peb nres. "
Tom qab ntawd kuv tuaj yeem khaws qee cov ntaub ntawv muaj txiaj ntsig zoo los ntawm ntu "Supervisory ROM (SROM)". . SROM yog ib qho nyuaj-coded ROM hauv PSoC uas muab cov khoom siv hluav taws xob (zoo ib yam li Syscall) rau cov txheej txheem kev ua haujlwm hauv cov neeg siv qhov chaw:
- 00h: SWBbootReset
- 01h: ReadBlock
- 02h :xav
- 03h: lwv
- 06h: lus
- 07h :qw
- 08h :ua 0
- 09h :ua 1
Los ntawm kev sib piv cov npe vector rau SROM kev ua haujlwm, peb tuaj yeem qhia txog ntau yam kev ua haujlwm txhawb nqa los ntawm cov txheej txheem no rau qhov xav tau SROM tsis. Ua tsaug rau qhov no, peb tuaj yeem txiav txim siab thawj peb ntu ntawm ISSP vectors:
- 100 => "nqe"
- 101 => "rwm"
- 110 => "txog"
- 111 => "rov"
Txawm li cas los xij, kev nkag siab tag nrho ntawm cov txheej txheem ntawm cov txheej txheem tuaj yeem tau txais los ntawm kev sib txuas lus ncaj qha nrog PSoC.
5.3. Kev sib txuas lus nrog PSoC
Txij li thaum Dirk Petrautsky twb muaj lawm Cypress's HSSP code ntawm Arduino, Kuv siv Arduino Uno los txuas rau ISSP connector ntawm cov keyboard board.
Thov nco ntsoov tias hauv chav kawm ntawm kuv qhov kev tshawb fawb, kuv hloov Dirk tus lej me ntsis. Koj tuaj yeem pom kuv qhov kev hloov kho ntawm GitHub: thiab cov ntawv Python sib raug rau kev sib txuas lus nrog Arduino, hauv kuv qhov chaw cia khoom .
Yog li, siv Arduino, kuv thawj zaug tsuas yog siv cov vectors "official" rau "kev sib txuas lus". Kuv sim nyeem cov ROM sab hauv siv VERIFY hais kom ua. Raws li kev cia siab, kuv ua tsis tau li no. Tej zaum vim qhov tseeb tias nyeem cov khoom tiv thaiv tau qhib rau hauv lub flash drive.
Tom qab ntawd kuv tsim ob peb yam ntawm kuv tus kheej cov vectors yooj yim rau kev sau ntawv thiab nyeem ntawv nco / sau npe. Thov nco ntsoov tias peb tuaj yeem nyeem tag nrho SROM txawm tias lub flash drive tiv thaiv!
5.4. Kev txheeb xyuas ntawm on-chip registers
Tom qab saib cov "disassembled" vectors, kuv pom tias cov cuab yeej siv cov ntawv sau npe tsis muaj ntaub ntawv (0xF8-0xFA) los qhia M8C opcodes, uas raug tua ncaj qha, hla kev tiv thaiv. Qhov no tso cai rau kuv khiav ntau yam opcodes xws li "ADD", "MOV A, X", "PUSH" lossis "JMP". Ua tsaug rau lawv (los ntawm saib cov kev mob tshwm sim uas lawv muaj nyob rau hauv kev sau npe) Kuv muaj peev xwm txiav txim siab seb qhov twg ntawm cov ntawv sau npe tsis muaj ntaub ntawv tau sau npe tsis tu ncua (A, X, SP thiab PC).
Raws li qhov tshwm sim, "disassembled" code tsim los ntawm HSSP_disas.rb cov cuab yeej zoo li qhov no (Kuv ntxiv cov lus qhia kom meej):
--== init2 ==--
[DE E0 1C] wrreg CPU_F (f7), 0x00 # ΡΠ±ΡΠΎΡ ΡΠ»Π°Π³ΠΎΠ²
[DE C0 1C] wrreg SP (f6), 0x00 # ΡΠ±ΡΠΎΡ SP
[9F 07 5C] wrmem KEY1, 0x3A # ΠΎΠ±ΡΠ·Π°ΡΠ΅Π»ΡΠ½ΡΠΉ Π°ΡΠ³ΡΠΌΠ΅Π½Ρ Π΄Π»Ρ SSC
[9F 20 7C] wrmem KEY2, 0x03 # Π°Π½Π°Π»ΠΎΠ³ΠΈΡΠ½ΠΎ
[DE A0 1C] wrreg PCh (f5), 0x00 # ΡΠ±ΡΠΎΡ PC (MSB) ...
[DE 80 7C] wrreg PCl (f4), 0x03 # (LSB) ... Π΄ΠΎ 3 ??
[9F 70 1C] wrmem POINTER, 0x80 # RAM-ΡΠΊΠ°Π·Π°ΡΠ΅Π»Ρ Π΄Π»Ρ Π²ΡΡ
ΠΎΠ΄Π½ΡΡ
Π΄Π°Π½Π½ΡΡ
[DF 26 1C] wrreg opc1 (f9), 0x30 # ΠΠΏΠΊΠΎΠ΄ 1 => "HALT"
[DF 48 1C] wrreg opc2 (fa), 0x40 # ΠΠΏΠΊΠΎΠ΄ 2 => "NOP"
[9F 40 3C] wrmem BLOCKID, 0x01 # BLOCK ID Π΄Π»Ρ Π²ΡΠ·ΠΎΠ²Π° SSC
[DE 00 DC] wrreg A (f0), 0x06 # Π½ΠΎΠΌΠ΅Ρ "Syscall" : TableRead
[DF 00 1C] wrreg opc0 (f8), 0x00 # ΠΠΏΠΊΠΎΠ΄ Π΄Π»Ρ SSC, "Supervisory SROM Call"
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12 # ΠΠ΅Π΄ΠΎΠΊΡΠΌΠΌΠ΅Π½ΡΠΈΡΠΎΠ²Π°Π½Π½Π°Ρ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΡ: Π²ΡΠΏΠΎΠ»Π½ΠΈΡΡ Π²Π½Π΅ΡΠ½ΠΈΠΉ ΠΎΠΏΠΊΠΎΠ΄
5.5. Cov khoom ruaj ntseg
Nyob rau theem no kuv tuaj yeem sib txuas lus nrog PSoC, tab sis kuv tseem tsis muaj cov ntaub ntawv txhim khu kev qha txog kev ruaj ntseg ntawm lub flash drive. Kuv xav tsis thoob los ntawm qhov tseeb tias Cypress tsis muab rau tus neeg siv ntawm lub cuab yeej nrog txhua txoj kev los xyuas seb qhov kev tiv thaiv puas tau qhib. Kuv khawb tob rau hauv Google thaum kawg nkag siab tias HSSP code muab los ntawm Cypress tau hloov kho tom qab Dirk tso nws qhov kev hloov kho. Thiab yog li ntawd! Qhov vector tshiab no tau tshwm sim:
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[9F A0 1C] wrmem 0xFD, 0x00 # Π½Π΅ΠΈΠ·Π²Π΅ΡΡΠ½ΡΠ΅ Π°ΡΠ³ΡΠΌΠ΅Π½ΡΡ
[9F E0 1C] wrmem 0xFF, 0x00 # Π°Π½Π°Π»ΠΎΠ³ΠΈΡΠ½ΠΎ
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 02 1C] wrreg A (f0), 0x10 # Π½Π΅Π΄ΠΎΠΊΡΠΌΠ΅Π½ΡΠΈΡΠΎΠ²Π°Π½Π½ΡΠΉ syscall !
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12Siv cov vector no (saib read_security_data hauv psoc.py), peb tau txais tag nrho cov khoom ruaj ntseg hauv SRAM ntawm 0x80, qhov twg muaj ob qhov kev tiv thaiv thaiv.
Qhov tshwm sim yog kev nyuaj siab: txhua yam muaj kev tiv thaiv nyob rau hauv "lov tes taw kev nyeem ntawv thiab sau ntawv" hom. Yog li ntawd, tsis tsuas yog peb tuaj yeem nyeem tsis tau dab tsi los ntawm flash drive, tab sis peb tsis tuaj yeem sau ib yam dab tsi (piv txwv li, txhawm rau nruab ROM dumper muaj). Thiab tib txoj hauv kev los lov tes taw kev tiv thaiv yog kom tshem tawm tag nrho cov nti. π
6. Thawj (ua tsis tiav) nres: ROMX
Txawm li cas los xij, peb tuaj yeem sim ua kom yuam kev hauv qab no: txij li thaum peb muaj peev xwm ua tiav qhov kev txiav txim siab tsis txaus ntseeg, vim li cas ho tsis ua ROMX, uas yog siv los nyeem flash nco? Txoj kev no muaj txoj hauv kev zoo rau kev vam meej. Vim tias ReadBlock muaj nuj nqi uas nyeem cov ntaub ntawv los ntawm SROM (uas yog siv los ntawm vectors) xyuas seb nws puas raug hu los ntawm ISSP. Txawm li cas los xij, ROMX opcode conceivably yuav tsis muaj xws li daim tshev. Yog li ntawm no yog Python code (tom qab ntxiv ob peb chav pabcuam rau Arduino code):
for i in range(0, 8192):
write_reg(0xF0, i>>8) # A = 0
write_reg(0xF3, i&0xFF) # X = 0
exec_opcodes("x28x30x40") # ROMX, HALT, NOP
byte = read_reg(0xF0) # ROMX reads ROM[A|X] into A
print "%02x" % ord(byte[0]) # print ROM byteHmoov tsis qhov no code tsis ua haujlwm. π Los yog nws ua haujlwm, tab sis ntawm cov zis peb tau txais peb tus kheej opcodes (0x28 0x30 0x40)! Kuv tsis xav tias qhov sib txuas ua haujlwm ntawm lub cuab yeej yog ib qho ntawm kev tiv thaiv kev nyeem ntawv. Qhov no zoo li kev ua kom yuam kev engineering: thaum ua cov opcodes sab nraud, ROM tsheb npav raug xa mus rau ib ntus tsis pub dhau.
7. Thib Ob Attack: Khaub thuas khau raj Tracing
Txij li thaum ROMX ua kom yuam kev tsis ua haujlwm, kuv pib xav txog lwm qhov kev hloov pauv ntawm qhov ua kom yuam kev no - piav qhia hauv kev tshaj tawm .
7.1. Kev nqis tes ua
Cov ntaub ntawv ISSP muab cov vector nram qab no rau CHECKSUM-SETUP:
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A
[9F 20 7C] wrmem KEY2, 0x03
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[9F 40 1C] wrmem BLOCKID, 0x00
[DE 00 FC] wrreg A (f0), 0x07
[DF 00 1C] wrreg opc0 (f8), 0x00
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12Qhov no tseem ceeb hu ua SROM muaj nuj nqi 0x07, raws li qhia hauv cov ntaub ntawv (italics kuv):
Qhov no muaj nuj nqi checksum pov thawj. Nws suav 16-ntsis checksum ntawm tus naj npawb ntawm cov neeg siv tshwj xeeb thaiv hauv ib lub txhab nyiaj flash, pib ntawm xoom. BLOCKID parameter yog siv los hla tus naj npawb ntawm cov blocks uas yuav raug siv thaum xam cov checksum. Tus nqi ntawm "1" tsuas yog suav cov checksum rau thaiv xoom; hos "0" yuav ua rau tag nrho cov checksum ntawm tag nrho 256 blocks ntawm lub txhab nyiaj flash yuav raug xam. 16-ntsis checksum raug xa rov qab los ntawm KEY1 thiab KEY2. KEY1 parameter khaws cov kev txiav txim qis 8 khoom ntawm cov tshev, thiab KEY2 parameter khaws cov kev txiav txim siab 8 khoom. Rau cov khoom siv nrog ob peb lub txhab nyiaj flash, lub checksum muaj nuj nqi raug hu rau txhua tus nyias. Tus lej nyiaj hauv tuam txhab uas nws yuav ua haujlwm tau teeb tsa los ntawm FLS_PR1 sau npe (los ntawm kev teeb tsa me ntsis hauv nws sib raug rau lub hom phiaj flash bank).
Nco ntsoov tias qhov no yog qhov yooj yim checksum: cov bytes tsuas yog ntxiv ib qho tom qab lwm qhov; tsis muaj qhov zoo nkauj CRC quirks. Tsis tas li ntawd, paub tias M8C core muaj ib qho me me ntawm cov ntawv sau npe, kuv xav tias thaum xam cov checksum, cov nqi nruab nrab yuav raug kaw rau hauv tib qhov sib txawv uas yuav kawg mus rau cov zis: KEY1 (0xF8) / KEY2 ( 0 xf9).
Yog li hauv txoj kev xav kuv qhov kev tawm tsam zoo li no:
- Peb txuas ntawm ISSP.
- Peb pib qhov kev xam cov checksum siv CHECKSUM-SETUP vector.
- Peb reboot lub processor tom qab lub sijhawm teev T.
- Peb nyeem RAM kom tau txais daim tshev tam sim no C.
- Rov ua cov kauj ruam 3 thiab 4, nce T me ntsis txhua zaus.
- Peb rov qab tau cov ntaub ntawv los ntawm flash drive los ntawm rho tawm cov checksum C dhau los ntawm qhov tam sim no.
Txawm li cas los xij, muaj teeb meem: Initialize-1 vector uas peb yuav tsum xa tom qab reboot overwrites KEY1 thiab KEY2:
1100101000000000000000 # ΠΠ°Π³ΠΈΡ, ΠΏΠ΅ΡΠ΅Π²ΠΎΠ΄ΡΡΠ°Ρ PSoC Π² ΡΠ΅ΠΆΠΈΠΌ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠΈΡΠΎΠ²Π°Π½ΠΈΡ
nop
nop
nop
nop
nop
[DE E0 1C] wrreg CPU_F (f7), 0x00
[DE C0 1C] wrreg SP (f6), 0x00
[9F 07 5C] wrmem KEY1, 0x3A # ΠΊΠΎΠ½ΡΡΠΎΠ»ΡΠ½Π°Ρ ΡΡΠΌΠΌΠ° ΠΏΠ΅ΡΠ΅Π·Π°ΠΏΠΈΡΡΠ²Π°Π΅ΡΡΡ Π·Π΄Π΅ΡΡ
[9F 20 7C] wrmem KEY2, 0x03 # ΠΈ Π·Π΄Π΅ΡΡ
[DE A0 1C] wrreg PCh (f5), 0x00
[DE 80 7C] wrreg PCl (f4), 0x03
[9F 70 1C] wrmem POINTER, 0x80
[DF 26 1C] wrreg opc1 (f9), 0x30
[DF 48 1C] wrreg opc2 (fa), 0x40
[DE 01 3C] wrreg A (f0), 0x09 # SROM-ΡΡΠ½ΠΊΡΠΈΡ 9
[DF 00 1C] wrreg opc0 (f8), 0x00 # SSC
[DF E2 5C] wrreg CPU_SCR0 (ff), 0x12Cov lej no sau peb cov ntawv txheeb xyuas muaj txiaj ntsig los ntawm kev hu rau Calibrate1 (SROM function 9)... Tej zaum peb tuaj yeem xa tus lej khawv koob (los ntawm qhov pib ntawm tus lej saum toj no) nkag mus rau hom programming, thiab tom qab ntawd nyeem SRAM? Thiab yog, nws ua haujlwm! Arduino code uas siv qhov kev tawm tsam no yooj yim heev:
case Cmnd_STK_START_CSUM:
checksum_delay = ((uint32_t)getch())<<24;
checksum_delay |= ((uint32_t)getch())<<16;
checksum_delay |= ((uint32_t)getch())<<8;
checksum_delay |= getch();
if(checksum_delay > 10000) {
ms_delay = checksum_delay/1000;
checksum_delay = checksum_delay%1000;
}
else {
ms_delay = 0;
}
send_checksum_v();
if(checksum_delay)
delayMicroseconds(checksum_delay);
delay(ms_delay);
start_pmode();- Nyeem checkum_delay.
- Khiav checksum xam (send_checksum_v).
- Tos rau lub sijhawm teev tseg; coj mus rau hauv tus account hauv qab no pitfalls:
- Kuv nkim sijhawm ntau mus txog thaum kuv pom tias nws hloov tawm li cas ua haujlwm kom raug tsuas yog ncua sijhawm tsis pub dhau 16383 ΞΌs;
- thiab tom qab ntawd rov tua tib lub sijhawm kom txog rau thaum kuv pom tias qhov ncua sijhawmMicrosconds, yog tias 0 dhau mus rau nws raws li kev tawm tswv yim, ua haujlwm tsis raug!
- Reboot lub PSoC rau hauv hom programming (peb tsuas yog xa tus lej khawv koob, tsis tas xa cov vectors pib).
Cov lej kawg hauv Python:
for delay in range(0, 150000): # Π·Π°Π΄Π΅ΡΠΆΠΊΠ° Π² ΠΌΠΈΠΊΡΠΎΡΠ΅ΠΊΡΠ½Π΄Π°Ρ
for i in range(0, 10): # ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ ΡΡΠΈΡΡΠ²Π°Π½ΠΈΡ Π΄Π»Ρ ΠΊΠ°ΠΆΠ΄ΠΎΠΉΠΈΠ· Π·Π°Π΄Π΅ΡΠΆΠ΅ΠΊ
try:
reset_psoc(quiet=True) # ΠΏΠ΅ΡΠ΅Π·Π°Π³ΡΡΠ·ΠΊΠ° ΠΈ Π²Ρ
ΠΎΠ΄ Π² ΡΠ΅ΠΆΠΈΠΌ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠΈΡΠΎΠ²Π°Π½ΠΈΡ
send_vectors() # ΠΎΡΠΏΡΠ°Π²ΠΊΠ° ΠΈΠ½ΠΈΡΠΈΠ°Π»ΠΈΠ·ΠΈΡΡΡΡΠΈΡ
Π²Π΅ΠΊΡΠΎΡΠΎΠ²
ser.write("x85"+struct.pack(">I", delay)) # Π²ΡΡΠΈΡΠ»ΠΈΡΡ ΠΊΠΎΠ½ΡΡΠΎΠ»ΡΠ½ΡΡ ΡΡΠΌΠΌΡ + ΠΏΠ΅ΡΠ΅Π·Π°Π³ΡΡΠ·ΠΈΡΡΡΡ ΠΏΠΎΡΠ»Π΅ Π·Π°Π΄Π΅ΡΠΆΠΊΠΈ
res = ser.read(1) # ΡΡΠΈΡΠ°ΡΡ arduino ACK
except Exception as e:
print e
ser.close()
os.system("timeout -s KILL 1s picocom -b 115200 /dev/ttyACM0 2>&1 > /dev/null")
ser = serial.Serial('/dev/ttyACM0', 115200, timeout=0.5) # ΠΎΡΠΊΡΡΡΡ ΠΏΠΎΡΠ»Π΅Π΄ΠΎΠ²Π°ΡΠ΅Π»ΡΠ½ΡΠΉ ΠΏΠΎΡΡ
continue
print "%05d %02X %02X %02X" % (delay, # ΡΡΠΈΡΠ°ΡΡ RAM-Π±Π°ΠΉΡΡ
read_regb(0xf1),
read_ramb(0xf8),
read_ramb(0xf9))Hauv kev txiav txim siab, qhov code no ua li cas:
- Reboots PSoC (thiab xa nws tus lej khawv koob).
- Xa tag nrho pib vectors.
- Hu rau Arduino muaj nuj nqi Cmnd_STK_START_CSUM (0x85), qhov twg qhov ncua sij hawm hauv microseconds dhau los ua qhov ntsuas.
- Nyeem cov checksum (0xF8 thiab 0xF9) thiab cov ntawv sau npe tsis muaj ntaub ntawv 0xF1.
Cov cai no raug tua 10 zaug hauv 1 microsecond. 0xF1 suav nrog ntawm no vim tias nws tsuas yog kev sau npe uas tau hloov pauv thaum xam cov checksum. Tej zaum nws yog qee yam kev hloov pauv ib ntus siv los ntawm chav ntsuas lej lej. Nco ntsoov tus dab phem hack Kuv siv los rov pib dua Arduino siv picocom thaum Arduino tsis pom cov cim ntawm lub neej (tsis muaj lub tswv yim yog vim li cas).
7.2. Nyeem qhov tshwm sim
Cov txiaj ntsig ntawm Python tsab ntawv zoo li qhov no (simplified rau kev nyeem tau):
DELAY F1 F8 F9 # F1 β Π²ΡΡΠ΅ΡΠΏΠΎΠΌΡΠ½ΡΡΡΠΉ Π½Π΅ΠΈΠ·Π²Π΅ΡΡΠ½ΡΠΉ ΡΠ΅Π³ΠΈΡΡΡ
# F8 ΠΌΠ»Π°Π΄ΡΠΈΠΉ Π±Π°ΠΉΡ ΠΊΠΎΠ½ΡΡΠΎΠ»ΡΠ½ΠΎΠΉ ΡΡΠΌΠΌΡ
# F9 ΡΡΠ°ΡΡΠΈΠΉ Π±Π°ΠΉΡ ΠΊΠΎΠ½ΡΡΠΎΠ»ΡΠ½ΠΎΠΉ ΡΡΠΌΠΌΡ
00000 03 E1 19
[...]
00016 F9 00 03
00016 F9 00 00
00016 F9 00 03
00016 F9 00 03
00016 F9 00 03
00016 F9 00 00 # ΠΊΠΎΠ½ΡΡΠΎΠ»ΡΠ½Π°Ρ ΡΡΠΌΠΌΠ° ΡΠ±ΡΠ°ΡΡΠ²Π°Π΅ΡΡΡ Π² 0
00017 FB 00 00
[...]
00023 F8 00 00
00024 80 80 00 # 1-ΠΉ Π±Π°ΠΉΡ: 0x0080-0x0000 = 0x80
00024 80 80 00
00024 80 80 00
[...]
00057 CC E7 00 # 2-ΠΉ Π±Π°ΠΉΡ: 0xE7-0x80: 0x67
00057 CC E7 00
00057 01 17 01 # ΠΏΠΎΠ½ΡΡΠΈΡ Π½Π΅ ΠΈΠΌΠ΅Ρ, ΡΡΠΎ Π·Π΄Π΅ΡΡ ΠΏΡΠΎΠΈΡΡ
ΠΎΠ΄ΠΈΡ
00057 01 17 01
00057 01 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 D0 17 01
00058 F8 E7 00 # Π‘Π½ΠΎΠ²Π° E7?
00058 D0 17 01
[...]
00059 E7 E7 00
00060 17 17 00 # Π₯ΠΌΠΌΠΌΠΌΠΌΠΌ
[...]
00062 00 17 00
00062 00 17 00
00063 01 17 01 # Π, Π΄ΠΎΡΠ»ΠΎ! ΠΠΎΡ ΠΎΠ½ ΠΆΠ΅ ΠΏΠ΅ΡΠ΅Π½ΠΎΡ Π² ΡΡΠ°ΡΡΠΈΠΉ Π±Π°ΠΉΡ
00063 01 17 01
[...]
00075 CC 17 01 # ΠΡΠ°ΠΊ, 0x117-0xE7: 0x30Uas tau hais tias, peb muaj ib qho teeb meem: txij li thaum peb tab tom ua haujlwm nrog qhov tseeb checksum, null byte tsis hloov tus nqi nyeem. Txawm li cas los xij, txij li tag nrho cov txheej txheem suav (8192 bytes) siv sijhawm 0,1478 vib nas this (nrog me ntsis kev hloov pauv txhua lub sijhawm nws khiav), uas sib npaug li ntawm 18,04 ΞΌs ib byte, peb tuaj yeem siv lub sijhawm no los kuaj xyuas tus nqi checksum ntawm lub sijhawm tsim nyog. Rau thawj khiav, txhua yam yog nyeem tau yooj yim heev, txij li lub sijhawm ntawm kev suav cov txheej txheem yog ib txwm yuav luag tib yam. Txawm li cas los xij, qhov kawg ntawm qhov pov tseg no tsis tshua muaj tseeb vim tias "me me lub sij hawm sib txawv" ntawm txhua qhov kev sib tw ntxiv los ua qhov tseem ceeb:
134023 D0 02 DD
134023 CC D2 DC
134023 CC D2 DC
134023 CC D2 DC
134023 FB D2 DC
134023 3F D2 DC
134023 CC D2 DC
134024 02 02 DC
134024 CC D2 DC
134024 F9 02 DC
134024 03 02 DD
134024 21 02 DD
134024 02 D2 DC
134024 02 02 DC
134024 02 02 DC
134024 F8 D2 DC
134024 F8 D2 DC
134025 CC D2 DC
134025 EF D2 DC
134025 21 02 DD
134025 F8 D2 DC
134025 21 02 DD
134025 CC D2 DC
134025 04 D2 DC
134025 FB D2 DC
134025 CC D2 DC
134025 FB 02 DD
134026 03 02 DD
134026 21 02 DDQhov ntawd yog 10 dumps rau txhua microsecond ncua. Lub sijhawm ua haujlwm tag nrho rau kev pov tseg tag nrho 8192 bytes ntawm lub flash drive yog li 48 teev.
7.3. Flash binary reconstruction
Kuv tseem tsis tau ua tiav kev sau cov lej uas yuav rov tsim kho qhov program code ntawm lub flash drive, suav nrog txhua lub sijhawm sib txawv. Txawm li cas los xij, kuv twb tau rov qab pib qhov chaws no lawm. Txhawm rau kom paub tseeb tias kuv tau ua nws raug, kuv disassembled nws siv m8cdis:
0000: 80 67 jmp 0068h ; Reset vector
[...]
0068: 71 10 or F,010h
006a: 62 e3 87 mov reg[VLT_CR],087h
006d: 70 ef and F,0efh
006f: 41 fe fb and reg[CPU_SCR1],0fbh
0072: 50 80 mov A,080h
0074: 4e swap A,SP
0075: 55 fa 01 mov [0fah],001h
0078: 4f mov X,SP
0079: 5b mov A,X
007a: 01 03 add A,003h
007c: 53 f9 mov [0f9h],A
007e: 55 f8 3a mov [0f8h],03ah
0081: 50 06 mov A,006h
0083: 00 ssc
[...]
0122: 18 pop A
0123: 71 10 or F,010h
0125: 43 e3 10 or reg[VLT_CR],010h
0128: 70 00 and F,000h ; Paging mode changed from 3 to 0
012a: ef 62 jacc 008dh
012c: e0 00 jacc 012dh
012e: 71 10 or F,010h
0130: 62 e0 02 mov reg[OSC_CR0],002h
0133: 70 ef and F,0efh
0135: 62 e2 00 mov reg[INT_VC],000h
0138: 7c 19 30 lcall 1930h
013b: 8f ff jmp 013bh
013d: 50 08 mov A,008h
013f: 7f retZoo heev plausible!
7.4 ib. Nrhiav tus PIN code cia chaw nyob
Tam sim no peb tuaj yeem nyeem cov checksum thaum lub sijhawm peb xav tau, peb tuaj yeem tshawb xyuas seb nws hloov pauv li cas thaum peb:
- sau tus lej PIN tsis raug;
- hloov tus pin code.
Ua ntej, txhawm rau nrhiav qhov kwv yees qhov chaw nyob, kuv tau muab cov khoom pov tseg hauv 10 ms increments tom qab reboot. Tom qab ntawd kuv nkag mus rau tus PIN tsis raug thiab ua tib yam.
Qhov tshwm sim tsis zoo siab heev, vim muaj ntau yam kev hloov pauv. Tab sis thaum kawg kuv muaj peev xwm txiav txim siab tias qhov checksum hloov qhov chaw ntawm 120000 Β΅s thiab 140000 Β΅s ntawm kev ncua. Tab sis cov "pincode" uas kuv tau tso tawm yog qhov tsis raug kiag li - vim yog cov khoom cuav ntawm cov txheej txheem qeebMicroseconds, uas ua txawv txawv thaum 0 dhau mus rau nws.
Tom qab ntawd, tom qab siv sij hawm yuav luag 3 teev, kuv nco qab tias SROM system hu rau CheckSum tau txais kev sib cav raws li cov tswv yim uas qhia txog cov blocks rau checksum! Qhov ntawd. peb tuaj yeem yooj yim txheeb xyuas qhov chaw nyob ntawm tus lej PIN thiab "kev sim tsis raug" txee, nrog qhov tseeb txog li 64-byte thaiv.
Kuv qhov kev khiav haujlwm pib ua rau cov txiaj ntsig hauv qab no:
Tom qab ntawd kuv hloov tus lej PIN ntawm "123456" rau "1234567" thiab tau txais:
Yog li, tus lej PIN thiab lub txee ntawm qhov kev sim tsis raug zoo li khaws cia rau hauv thaiv No. 126.
7.5. Noj ib lub pob zeb thaiv No. 126
Thaiv # 126 yuav tsum nyob ib puag ncig ntawm 125x64x18 = 144000ΞΌs, txij li pib ntawm kev suav suav suav, hauv kuv qhov pov tseg tag nrho, thiab nws zoo li plausible. Tom qab ntawd, tom qab manually sifting tawm ntau qhov chaw tsis raug cai (vim qhov sib txuam ntawm "me me sij hawm sib txawv"), kuv tau txais cov bytes no (ntawm latency ntawm 145527 ΞΌs):
Nws yog qhov pom tseeb heev tias tus lej PIN yog khaws cia rau hauv daim ntawv tsis muaj ntaub ntawv! Cov txiaj ntsig no, tau kawg, tsis tau sau rau hauv ASCII cov lej, tab sis raws li nws hloov tawm, lawv cuam tshuam cov kev nyeem los ntawm cov keyboard capacitive.
Thaum kawg, kuv tau khiav qee qhov kev sim ntxiv kom pom qhov twg qhov kev sim tsis zoo tau khaws cia. Nov yog qhov tshwm sim:
0xFF - txhais tau tias "15 sim" thiab nws txo qis nrog txhua qhov kev sim ua tsis tiav.
7.6. PIN code rov qab
Nov yog kuv tus lej tsis zoo uas tso cov lus saum toj no ua ke:
def dump_pin():
pin_map = {0x24: "0", 0x25: "1", 0x26: "2", 0x27:"3", 0x20: "4", 0x21: "5",
0x22: "6", 0x23: "7", 0x2c: "8", 0x2d: "9"}
last_csum = 0
pin_bytes = []
for delay in range(145495, 145719, 16):
csum = csum_at(delay, 1)
byte = (csum-last_csum)&0xFF
print "%05d %04x (%04x) => %02x" % (delay, csum, last_csum, byte)
pin_bytes.append(byte)
last_csum = csum
print "PIN: ",
for i in range(0, len(pin_bytes)):
if pin_bytes[i] in pin_map:
print pin_map[pin_bytes[i]],
printNov yog qhov tshwm sim ntawm nws qhov kev ua tiav:
$ ./psoc.py
syncing: KO OK
Resetting PSoC: KO Resetting PSoC: KO Resetting PSoC: OK
145495 53e2 (0000) => e2
145511 5407 (53e2) => 25
145527 542d (5407) => 26
145543 5454 (542d) => 27
145559 5474 (5454) => 20
145575 5495 (5474) => 21
145591 54b7 (5495) => 22
145607 54da (54b7) => 23
145623 5506 (54da) => 2c
145639 5506 (5506) => 00
145655 5533 (5506) => 2d
145671 554c (5533) => 19
145687 554e (554c) => 02
145703 554e (554e) => 00
PIN: 1 2 3 4 5 6 7 8 9Hooray! Ua haujlwm!
Thov nco ntsoov tias qhov latency qhov tseem ceeb uas kuv siv yuav cuam tshuam rau ib qho tshwj xeeb PSoC - qhov kuv siv.
8. Tom ntej no yog dab tsi?
Yog li, cia peb xaus rau ntawm PSoC sab, hauv cov ntsiab lus ntawm peb Aigo tsav:
- peb tuaj yeem nyeem SRAM txawm tias nws tau nyeem kev tiv thaiv;
- Peb tuaj yeem hla qhov kev tiv thaiv los so los ntawm kev siv lub khau txias khau raj thiab ncaj qha nyeem tus lej PIN.
Txawm li cas los xij, peb qhov kev tawm tsam muaj qee qhov tsis zoo vim muaj teeb meem synchronization. Nws tuaj yeem txhim kho raws li hauv qab no:
- sau cov khoom siv kom raug txiav txim siab cov ntaub ntawv tso tawm uas tau txais los ntawm qhov "txias khau raj kab" nres;
- siv FPGA gadget los tsim kom meej lub sij hawm ncua sij hawm (los yog siv Arduino hardware timers);
- sim lwm qhov kev tawm tsam: nkag mus rau tus lej PIN tsis raug, rov pib dua thiab pov tseg RAM, vam tias tus lej PIN raug yuav raug cawm hauv RAM rau kev sib piv. Txawm li cas los xij, qhov no tsis yooj yim ua rau Arduino, txij li Arduino teeb liab theem yog 5 volts, thaum lub rooj tsavxwm peb tab tom tshuaj xyuas ua haujlwm nrog 3,3 volt signals.
Ib qho nthuav uas tuaj yeem sim yog ua si nrog qib voltage kom hla kev nyeem ntawv tiv thaiv. Yog tias txoj hauv kev no ua haujlwm, peb yuav tuaj yeem tau txais cov ntaub ntawv raug tseeb los ntawm lub flash drive - tsis txhob cia siab rau kev nyeem cov ntawv txheeb xyuas nrog lub sijhawm tsis meej.
Txij li thaum SROM tej zaum nyeem cov khoom tiv thaiv ntawm ReadBlock system hu, peb tuaj yeem ua tib yam li ntawm Dmitry Nedospasov's blog - rov ua dua ntawm Chris Gerlinski qhov kev tawm tsam, tshaj tawm ntawm lub rooj sib tham .
Lwm qhov kev lom zem uas tuaj yeem ua tau yog zom cov ntaub ntawv los ntawm cov nti: coj SRAM pob tseg, txheeb xyuas qhov tsis muaj ntaub ntawv hu xov tooj thiab qhov tsis zoo.
9. Xaus
Yog li, kev tiv thaiv ntawm tus tsav no tawm ntau yam uas xav tau, vim tias nws siv lub microcontroller tsis tu ncua (tsis yog "hardened") microcontroller los khaws tus lej PIN ... Ntxiv rau, kuv tsis tau saib (tseem) ntawm cov khoom mus nrog cov ntaub ntawv li cas. encryption ntawm lub cuab yeej no!
Koj tuaj yeem pom dab tsi rau Aigo? Tom qab tshuaj xyuas ob peb tus qauv ntawm encrypted HDD drives, hauv 2015 kuv tau ua ntawm SyScan, uas nws tau tshuaj xyuas cov teeb meem kev nyab xeeb ntawm ob peb sab nraud HDD drives, thiab tau txais cov lus pom zoo txog qhov yuav txhim kho hauv lawv. π
Kuv siv ob lub lis piam thiab ob peb yav tsaus ntuj ua qhov kev tshawb fawb no. Tag nrho txog 40 teev. suav txij thaum pib (thaum kuv qhib lub disk) mus rau qhov kawg (PIN code dump). Tib 40 teev suav nrog lub sijhawm kuv siv sau cov lus no. Nws yog ib qho kev lom zem heev.
Tau qhov twg los: www.hab.com