Jump to content
Tuts 4 You

Hardware Reversing

Hacking and reverse engineering hardware...

5 files

  1. A Proposal For a Stateless Laptop

    By Teddy Rogers

    Modern Intel x86-based endpoint systems, such as laptops, are plagued by a number of security-related problems. Additionally, with the recent introduction of Intel Management Engine (ME) microcontroller into all new Intel processors, the trustworthiness of the Intel platform has been seriously questioned.

    In a recently published paper the author has presented an in-depth survey of these topics. In this paper the author proposes what she believes might be a reasonable, practical and relatively simple solution to most of the problems.

    The main principle introduced below is the requirement for the laptop hardware to be stateless, i.e. lacking any persistent storage. This includes it having no firmware-carrying flash memory chips. All the state is to be kept on an external, trusted device. This trusted device is envisioned to be of a small USB stick or SD card form factor.

    This clean separation of state-carrying vs. stateless silicon is, however, only one of the requirements, itself not enough to address many of the problems discussed in the article referenced above. There are a number of additional requirements: for the endpoint (laptop) hardware, for the trusted “stick”, and for the host OS. We discuss them in this paper.

    The author thinks the solution proposed here is not limited to solving the Intelspecific challenges and might be useful for other future platforms also.

    Those readers who can’t help but think that the (Intel) x86 is an already a lost battle, and that we should be moving to other architectures, are advised to have a look at the end of the paper where such alternatives are quickly discussed, and then. . . potentially jump back here to continue reading.

    114 downloads

    0 comments

    Submitted

  2. Hacking Blues

    By Teddy Rogers

    When each day brings a new collection of stories about the horrors of the cyberage, it's easy to forget why anyone would spend their professional lives in the security industry. Microsoft urged to sue exploit vendors! Huawei is coming -- hide your kids! The project I'm going to describe reminded me of the many tasks in this industry I enjoy. It also functioned as a soft target to run up the score a bit – after spending time fighting DEP, ASLR and process sandboxing, it is nice to pop a shell without the Rube Goldberg quality of a modern exploit every now and then (but that's fun too).

    97 downloads

    0 comments

    Submitted

  3. HDMI Hacking Displays Made Interesting

    By Teddy Rogers

    Picture this scene, which incidentally happens thousands of times every day all around the world: Someone walks into a meeting room, sees a video cable and plugs it into their laptop. The other end of the cable is out of sight – it just disappears through a hole in the table. What is it connected to? Presumably the video projector bolted to the ceiling, but can it be trusted to just display their PowerPoint presentation?

    In this paper I will explain the circumstances in which display devices send data to their connected host and show that this data could potentially contain threats (which could compromise a laptop for example). I will describe video protocol data-structures, data-sequences and practical challenges. I will also explain how to build a hardware-based fuzzer, provide some example firmware fuzzing code, and describe some interesting findings from the fuzzing which has been undertaken so far.

    This paper discusses the security of video drivers which interpret and process data supplied to them by external displays, projectors and KVM switches. It covers all the main video standards, including VGA, DVI, HDMI and DisplayPort.

    This is a relatively new area of research and there is more research that could be performed in this area, so by summarising and sharing these resources, it is hoped that this will enable others to more quickly discover and investigate potential threats.

    124 downloads

    0 comments

    Submitted

  4. Printed Circuit Board Deconstruction Techniques

    By Teddy Rogers

    The primary purpose of printed circuit board (PCB) reverse engineering is to determine electronic system or subsystem functionality by analyzing how components are interconnected. We performed a series of experiments using both inexpensive home-based solutions and state-of-the-art technologies with a goal of removing exterior coatings and accessing individual PCB layers. This paper presents our results from the most effective techniques.

    146 downloads

    0 comments

    Submitted

  5. The C64 PLA Dissected

    By Teddy Rogers

    The programmable logic array (PLA) in the Commodore 64 (C64) is used to create chip select signals from various other signals, e.g., from the current address. These signals control which chip is to be connected to the data bus. Therefore the PLA is responsible to implement the memory map of the C64.
    If the PLA is broken, the CPU and the VIC-II direct memory access (DMA) can not access the right memory and I/O devices anymore. In this case some chips can not be selected or more than one chip is active at the same time. A total or partial malfunction of the computer is the result. If a PLA is replaced with a part which does not meet certain timing or electrical constraints of the chips connected to it, the computer becomes unstable, possibly depending on temperature or hardware extensions used or may refuse to work at all.
    The logic implemented in the PLA defines the memory map. The logic equations are described in chapter 2, among a short overview of previous reverse engineering work related to it. Also the meaning of all signals connected to the PLA for the working of the C64 is explained there. Appendix A contains the actual memory maps in a readable form as a reference.
    A list of PLAs found in C64s and measurements on some of them are shown in chapter 3. This chapter also describes which parameters are important when a PLA is replaced with a different part. Most C64s shipped with a PLA made by Commodore Semiconductor Group (CSG), better known under their original name MOS Technology (MOS). A PLA of this type was opened, photographed through a microscope and completely reverse engineered for this article, down to the transistor level. Chapter 4 contains information about the inner workings of the PLA, a redrawn chip layout and schematics. That chapter also contains some background information by former Commodore/MOS engineers.
    An actual implementation of a PLA replacement called realPLA is introduced in chapter 5 which can be built with parts being in production at the time of writing. This implementation aims at highest compatibility possible while using low-cost parts only. The design files for the realPLA are available under a Creative Commons license. Finally, chapter 6 gives a conclusion about the findings in this document. It also evaluates the compatibility of different PLA replacements.

    98 downloads

    0 comments

    Submitted

×
×
  • Create New...