Rapid7 was back this year at DEF CON 30 participating at the IoT Village with another hands-on hardware hacking exercise, with the goal of teaching attendees various concepts and methods for IoT hacking. Over the years, these exercises have covered several different embedded device topics, including how to use a Logic Analyzer, extracting firmware, and gaining root access to an embedded IoT device.

Like last year, we had many IoT Village attendees request a copy of our exercise manual, so again I decided to create an in-depth write-up about the exercise we ran, with some expanded context to answer several questions and expand on the discussion we had with attendees at this year's DEF CON IoT Village.

This year's exercise focused on the following key areas:

- Using Linux dd command to make binary copy of flash memory.
- Use unsquashfs and mksquashfs commands to unpack and repack read only squash file systems.
- Alter startup files within the embedded Linux operating system to execute code during device startup.

The goal of this year's hands-on hardware hacking exercise was to gain root access to an Arris SB6190 Cable modem without needing to install any external code. To do this, the user interacted with the device via a PHISON PS8211-0 embedded multimedia controller (eMMC) to mount up and gain access to the NAND flash memory storage. With NAND flash memory access, the user was able to identify the partitions of interest and extract those partitions using the Linux dd command. Next, the user extracted the filesystem from the partition binary files and was then able to modify key elements to enable SSH access over the ethernet connection. After the modifications were completed, the filesystems were repacked and written back to the modem device. Finally, the attendee was able to power up the device and log in over ethernet using SSH with root access and the default device password.

Wiring up eMMC and SD card breakout board

In this first section of the exercise, we focused on understanding the process of gaining access to the NAND flash memory by interacting with a PHISON PS8211-0 embedded multimedia controller (eMMC).

To interact with typical eMMC devices, we typically need the following connections.

As shown in the above bullets, there are typically two different voltages required to interact with eMMC chips. However, in this case, we determined that the PHISON PS8211-0 eMMC chip did not have a different controller voltage for VCCq, meaning that the voltage used was only 3.3v for this example.

When connecting to and interacting with an eMMC device, we usually can utilize the internal power supply of the device. This often works well when different VCC and VCCq voltages are required, but in those cases, we also have to hold the microcontroller unit (MCU) at reset state to prevent the processor from causing interruption when trying to read memory. In this example, we found that the PHISON eMMC chip and NAND memory could be powered by supplying the voltage externally via the SD Card reader. When using an SD Card reader to supply voltage, we must also avoid hooking up the device's normal source of power. Hooking both sources – normal and SD Card – into the device will lead to permanent damage to the device.

When it comes to soldering the needed wiring for this exercise, we realized that allowing attendees to do the soldering connection would be much more complex than we could support. So, all the wiring was presoldered before the IoT Village event using 30-gauge color-coded wirewrap wire. This wiring was then attached to an SD Card breakout board as shown below in Figure 1:

Also, as you can see in the above images, the wires do not run parallel against each other, but have a reasonable gap between them and pass over each other perpendicularly when they cross over. This is because we found during testing that if we ran wires directly next to each other, it caused the partitions to fail to mount properly, most likely because noise was induced into the lines from the other lines, affecting the signal.

Note: If you are looking to do your own wiring, the 30-gauge wirewrap wire I used is a Polyvinylidene fluoride coated insulation wire under the brand name of Kynar.
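
The overview above describes copying flash with dd, picking out the partitions of interest, and unpacking them with unsquashfs. As an added example (not part of the original exercise manual, and not necessarily how partitions were identified in the exercise), the Python below scans a raw dump for SquashFS 4.0 superblocks and reports the dd `skip`/`count` values needed to carve each filesystem; the function names and the sample image are constructed for illustration.

```python
import struct

SQUASHFS_MAGIC = b"hsqs"  # on-disk magic of a little-endian SquashFS image
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# SquashFS 4.0 superblock: 96 bytes, little-endian, no padding.
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQQQQQQQ")


def find_squashfs(image: bytes, sector: int = 512):
    """Return one dict per plausible SquashFS superblock found in a raw dump."""
    hits = []
    pos = image.find(SQUASHFS_MAGIC)
    while pos != -1:
        if pos % sector == 0 and pos + SUPERBLOCK.size <= len(image):
            (_magic, inodes, _mtime, block_size, _frags, comp, block_log,
             _flags, _ids, major, minor, _root, bytes_used,
             *_tables) = SUPERBLOCK.unpack_from(image, pos)
            # Field checks reject stray "hsqs" byte runs inside other data
            # and filesystems that are truncated in this dump.
            if (major == 4 and minor == 0 and comp in COMPRESSORS
                    and 12 <= block_log <= 20 and block_size == 1 << block_log
                    and SUPERBLOCK.size <= bytes_used <= len(image) - pos):
                hits.append({
                    "offset": pos,
                    "bytes_used": bytes_used,
                    "compression": COMPRESSORS[comp],
                    "inodes": inodes,
                    # dd bs=<sector> skip=<dd_skip> count=<dd_count>
                    "dd_skip": pos // sector,
                    "dd_count": -(-bytes_used // sector),  # ceiling division
                })
        pos = image.find(SQUASHFS_MAGIC, pos + 1)
    return hits


def build_sample() -> bytes:
    """Constructed 32 KiB image: decoy magic at sector 1, valid fs at sector 16."""
    sb = SUPERBLOCK.pack(SQUASHFS_MAGIC, 3, 0, 131072, 0, 4, 17, 0, 1, 4, 0,
                         0, 1500, 0, 0, 0, 0, 0, 0)
    img = bytearray(64 * 512)
    img[512:516] = SQUASHFS_MAGIC              # decoy: magic with zeroed fields
    img[16 * 512:16 * 512 + len(sb)] = sb
    return bytes(img)


if __name__ == "__main__":
    for hit in find_squashfs(build_sample()):
        print(hit)
```

Hashing the carved file before and after any repack gives a simple record of exactly which bytes changed on the device.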