Recently, I haven’t come up with any substantial findings, so I will share some small knowledge and tips learned during my research on smart hardware for beginners to study.
Hardware Debugging
UART: Commonly referred to as TTL level serial port, it is the most widely used debugging interface I encountered in smart hardware, usually for debugging communication with embedded systems. If the embedded system is Linux, the UART interface generally corresponds to a virtual console (tty device).
JTAG: The JTAG interface was initially designed just to verify PCB connections, but it has gradually evolved into a hardware-level debugging interface. Using JTAG to debug hardware and software can almost completely take over the CPU, allowing arbitrary interruption of CPU operation and setting breakpoints.
However, due to the differences in JTAG instructions among various architectures and CPUs (as far as I remember, the IEEE JTAG standard only specifies the binary codes for two instructions, BYPASS and EXTEST, and does not define the length of instruction binary codes; other instructions are vendor-specific, and most debugging instructions are vendor-extended, which means the JTAG standard does not specify that the JTAG interface can be used for debugging CPU cores), there is no universal JTAG debugger. Fortunately, for ARM series CPUs, JTAG instructions are relatively common and can be used with OpenOCD to debug embedded system firmware.
USB-OTG: I have encountered a Huawei 4G CPE device that exposes a USB interface, which can usually be plugged into a USB flash drive for storage. After specific operations, this USB interface can be directly connected to a PC with a USB A-to-A cable to act as a 4G modem and can also enable telnet.
Extracting Firmware
Disassembling Flash Method: The simplest and most brute-force method to extract firmware from embedded systems is to disassemble the Flash and use a programmer (common Flash types include SOP8, SOP16, and TSOP48 pins. Experienced individuals can identify which IC is the Flash just by looking at a PCB), but this method requires certain soldering skills and additional hardware to read the firmware, which is not ideal for individual players.
Reading mtd Devices: If the embedded operating system is Linux, the Flash storing the firmware is usually mounted to /dev/mtd* devices. You can check the purpose of each mtd block using the command cat /proc/mtd. Then, use the command cat /dev/mtd0 > /mnt/usb0_0/mtd0.bin to export the contents of mtd0, achieving the purpose of dumping the system firmware.
Firmware Analysis
binwalk: This tool is widely used by many experts to analyze binary firmware, but I haven’t used it, so I won’t elaborate further.
squashfs: In my experience with smart hardware, most system firmware is in squashfs format or packaged in that format. This format can be directly decompressed using 7Zip on Windows, but advanced unpacking and packing operations can only be performed under Linux. This format has a magic header: sqsh or hsqs, which can be searched in hex editing tools to locate the file system.
Software Debugging
Telnet: Most smart hardware will have telnet functionality, but it is generally not enabled by default. You need to run vendor-specific tools or perform specific operations to open the device’s Telnet port (for example, Huawei ONT’s enable tool or a tool called OpenTelnet from Xiongmai IPC). At this point, you gain shell access to the device’s system.
SSH: Devices that open this port are relatively rare, possibly because SSH consumes more resources than Telnet. The functionalities are similar, providing a remote terminal to run some commands.
The above content is based on my research experiences with smart hardware devices, and some may be inaccurate; please correct me if there are any mistakes.
This article is originally by bxc from the Kuanxue Forum.
Please indicate the source from the Kuanxue Community when reprinting.
For those interested in hardware security, here comes your benefit!
Kuanxue specially opened a Hardware Security Training Camp
“Smart Camera Vulnerability Discovery Practical Training”
Details are as follows:
Course Title:
“Smart Camera Vulnerability Discovery Practical Training”
Course Introduction:
With the development of the Internet of Things, the use of security devices has become increasingly common, especially the use of cameras, which has led to increasingly prominent security issues with cameras, and the current security situation is not optimistic.
While pursuing rapid development, quality and security issues have not been well guaranteed, and many cameras have various security problems.
This course mainly provides a comprehensive analysis of the security issues present in IoT cameras (testing 8 popular devices) from aspects such as firmware extraction, firmware unpacking, binary reverse engineering, system backdoors, system vulnerability discovery, conventional web vulnerability discovery, web source code auditing, web backdoors, and cloud security.
While explaining the methods and experiences, practical hands-on activities will be conducted for disassembling cameras, extracting and analyzing firmware, and discovering vulnerabilities, truly transitioning from theory to practice.
Course Directory:
1. Methods and Practices for Obtaining Firmware from Smart Devices
2. Common Methods and Techniques for Firmware Unpacking
3. Introduction to Common Tools and Methods for Firmware Reverse Analysis
4. Vulnerability Discovery Methods in Smart Device Hardware
5. Camera Identification Methods and Techniques
6. Sensitive Information Collection
7. System Vulnerability Discovery
8. Protocol-Related Vulnerability Discovery
9. Web Vulnerability Discovery
10. Cloud Business Vulnerability Discovery
11. Other Experiences and Techniques
Training Time:
July 20, 2018, 9:00 AM – 6:00 PM
Note:
1. Participants need to bring their own laptops;
2. The organizer will provide a free lunch for participants;
3. The necessary hardware equipment for the course will be provided by the organizer.
Basic Knowledge Preparation:
Participants should have a certain understanding of basic computer and network knowledge, preferably familiar with the principles of common web and system vulnerabilities, and most importantly, be interested in IoT security and vulnerability discovery.
Registration
By purchasing the Hardware Security Training Camp course, you can also participate in the Kuanxue 2018 Security Developer Summit for free!
Registration Methods:
1. Click “Read the original text to register” in the lower left corner, or scan the QR code below to purchase tickets
2. Go to the Kuanxue Security Developer Summit official website and click “Tickets”.
3. Choose the type of ticket you want, then click “I want to register”.
4. Registration successful!
Scan the QR code to follow us for more valuable content!
