Hardware Hacking Village. Welcome to Boston's hacking underground. Quite literally: we are in my basement. Socially distanced greetings from down here. Hopefully I managed to secure the location, as in there is not going to be any noise and we get a reasonable recording. That's it, let's get started.

We're going to take the mask off, since you're sufficiently far away. Well, I certainly wanted to wear a fork bomb on a mask for a long time. I cannot go for a full hour doing that, so we have 45-odd slides and the demo, so let's get going now.

As a way of introduction, I had the privilege of spending my entire career in free and open source software. I was... I am the product management director for Red Hat Ceph, I was previously Ubuntu Server PM at Canonical, and if you go back a decade I was the dreaded systems management tsar at SUSE. The talk has nothing to do with my job. Well, I guess it is storage after all. I'm a manager these days, so as a former embedded developer this is my definition of fun.

The obligatory disclaimer is that it will... that we will most likely break some hardware playing with this, and it will come out of your pocket. No liability if you follow our instructions and stub your toe or bring about the end of the world, or break your device, which is far more likely. So you have been warned. Let's get going. We have a lot of slides and the demo, we need to hustle a bit.

Here is the idea: a processor is found in an SD card. Hackaday featured somebody's blog, and it pretty much went viral in a word-of-web process, virally blooming once Linux was noticed on the device. Hackaday made it famous, lots of blogs. SD card sized, almost a Raspberry Pi. Can we repurpose the device?
The word-of-web process really got going once Linux was noticed on the device, and so I noticed all this was going on and I wanted the project for Christmas. That was five years and a bit more ago, so you could say that it has taken me for quite a ride.

Let me repeat that, as there is always someone who has no idea what I'm talking about. Here is the concept: a Wi-Fi enabled SD card that automatically downloads your pictures. Several models exist. We're after the embedded system in there, in the card, the CPU of the card itself. It's like the Intel Edison they originally promised us, but for real this time.

Copious amounts of Google Translate were used in the making of this talk. Really international effort: I saw blogs in French, Japanese, German, Korean, and of course English, some Russian too and I believe some Spanish. So copious use of Google Translate, and ensuing hilarity, of course. We explore the limits of machine translation, but it usually comes across clear enough to work with.

So we're looking at the Transcend Wi-Fi SD line here. It comes in sizes from 8 gigabytes to 32 gigabytes.
I prefer them as they are more open, even without hacking, as there are no attempts at platform strategies made by adding any middling cloud services that we do not want, by some clever MBA that had a platforms class. There is no stepping-stone service that may make things easier to set up, and doesn't, and adds yet another place your pictures are potentially in. The software on the Transcend card is simple and not perfect, but that is an asset for us, as we will see.

So where do we get these cards? You can go to Amazon, you could also try eBay, and they're going to be between $40 and $60 depending on capacity, about the price of a Raspberry Pi and up.

There are others like the PQI Air Card that are functionally the same. The PQI Air Card is interesting because it is actually an adapter card: you can put any storage you want in micro SD format in there, and the adapter actually has the embedded system. Toshiba makes another one, and there is also the FluCard. And you can carry binaries through them, as a matter of fact. When you log into the system you may notice that there is a command called buzz in there. But there is no piezoelectric transducer here, so what is that for?
But looking at another one of the card designs, that one has a piezo. So you can learn things on one card that apply to another. But we're getting a little bit sidetracked here, so let's go back to where we should be.

When the postman arrives, here is what you get inside the package. Let's unbox one here: a card, an adapter, the inevitable legal disclaimer (I don't think this conference has a legal track, otherwise I would blame the lawyers), and a microscopic bit of a manual, which is actually not bad.

The adapter is there because you can write to the SD card directly by mounting it on your Mac, for example, or over the radio, and when you have file systems mounted in two places and you are writing from two places, bad things happen. The adapter signals to the card to disable the radio and prevents simultaneous writes from the air and the local mount. Of course, that is exactly what we want to do, but we think before we do. We only want to use the radio, so we'll assemble it so it is actually not turned off.

So just what is in there? This is an SDHC class 10 card, 16 gigabytes in the case of the ones I used; half and double the size exist. This is a full-size SD card. Pictured is model TS16GWSDHC10. You will have the slides at the end, so if you want to search for the cards you have all the models; there is no need to take notes or any of that.

So, physically breaking the device voids the warranty. I bet you did not see that one coming. X-Acto knifing our way to success, we slice the card in two and find four large chips. Interesting. The parts on the left are the case, nothing strange there. It may help guide your dissection if you need to open one, but that's about it. Incidentally, do you see the yellow tab in the center? That is the write protect switch cards have. Interesting technical detail.
There is nothing on the device reading the state of that toggle. The reason for this is that SD cards work like floppy drives, and in floppy drives, if you still remember those devices, write protect is implemented by the drive. If the drive sends a write, the card will take it. The card doesn't know and doesn't have to; the drive will not send a write if the toggle is in the protect position.

So let's do a bit of an overview of the components. From the top left we have a trace antenna. Definitely not a 3 dB antenna and not 100 milliwatts of broadcasting power, as the whole card consumes less than that, so Wi-Fi range will not be as per the Wi-Fi spec's maximum, but that's okay because we're still beating the pants off Bluetooth. There is no antenna connector. You could try your hand at adding one if you're a master at soldering, but assuming you don't, you're not going to get the full Wi-Fi range, and I'm okay with that.

Then we have the Wi-Fi radio chip. The SoC with the ARM CPU we are after is underneath it. 16 gigs of flash in the big chip, and the flash controller is the last thing on the right. And up top we see the notch where the read-write tab rests that I was mentioning. There is no actual board sensing of any kind, as I said; the card is just making room for the tab to fit in that space.

Flip side: besides the standard SD leads, some of the smaller pads are TX and RX for a 3.3 volt, 38400 baud serial. Annoyingly, really annoyingly, they are not labeled. They labeled resistors.
We don't really give a hoot about those, instead, for who knows what reason. On the PQI Air Card the TX and RX serial pads are labeled, so bonus points to those guys for that. If you do wired serial you get access to a well-configured U-Boot console. U-Boot is the bootloader of choice for embedded Linux devices, for those of you coming from Windows; a very handy tool to have, better than the kernel that is in here, as it has been stripped to the bone.

Incidentally, I have been collecting all these details for a survey article. If you hack the card and blog the details, let me know, send me the link. And if you prefer going the lazy way, you will get a how-to from me soon, hopefully. I've been saying this for a while, but it's almost done.

What's in there are these four chips: CPU, Wi-Fi module, flash controller and storage. The SoC's 32 megabytes of RAM is the weakest spot of the board, but very suitable for embedded use. Fear not, those of you who are used to gigabytes of RAM; besides, you have lots of storage. You could expand this with swap, if the kernel was built with support for swap. In the SoC, 8 megabytes of NOR flash are used for the system, including a stripped-down kernel and a compressed initramfs. Interesting compromises were made there. And of course massive amounts of storage, so you could boot with a small system, loop mount a larger image and chroot into it, if you had loop mount in this kernel. I start seeing a pattern here. But not all is lost, we can add it. Dmitry Grinberg has documented how to rebuild the kernel, so we have the instructions and the steps on how to do this already worked out.

Let's look at the CPU. It's a 200 megahertz CPU. Some report 400 megahertz and they are wrong; they are confused by the 426 BogoMIPS.
It sports an ARM926EJ-S core, an ARM9 processor. This is not a Cortex-A9 but an older ARM9, a low-cost CPU, ARMv5TEJ architecture, with more than five billion, with a b, manufactured to date. Interesting extensions for Java, but the Jazelle runtime requires talking to ARM, as it was not shipped with the system, and anyway, who wants to do Java these days? So, interesting core.

The extensions: E stands for DSP, digital signal processing enhancements, because this processor used to be used for making feature phones. J for Java extensions, or the Jazelle JVM. Java extensions make bytecodes directly usable by the CPU, which is really cool. There is a CPU instruction, BXJ, branch to Java, which switches the silicon to Jazelle state. The JVM still handles errors, the OS handles the traps, but between 134 and 149 bytecodes of the 203 in the JVM spec are handled in silicon. I don't know why the variation there, why not a fixed number, but a large chunk of the bytecode is running in hardware.

Now the original Raspberry Pi is a Broadcom BCM2835 processor, an ARM1176JZF-S. This is an ARMv6K architecture. It's closer to this processor than it is to a Cortex ARM. So the idea is that instead of the chip in the Pi you would use the chip in the card, with different trade-offs: you get built-in radio, lose all the interfaces. The price stays just about the same.

The radio is a Fortune chip, the AFN 31 GL Wi-Fi controller. It comes with an Atheros AR6003 Wi-Fi core, which was marketed as the smallest Wi-Fi silicon design you could buy at the time. I don't know if they still have the record, but it was a pretty impressive claim five years ago. The bit we care about is that it does Wi-Fi b, g and n with really low power draw. Do not plan to saturate the Wi-Fi Ethernet link with this device.
You won't go much beyond one megabyte per second. Incidentally, if you feel like going turtles all the way down, there is a CPU to control the baseband radio, an Xtensa core backed by 256 kilobytes of RAM and 256 kilobytes of ROM. I didn't go in there; maybe it could be the next project for one of you. Also, this chip does not do Bluetooth, by the way. Not that we care.

Then we have 16 gigs of NAND flash. You will not be wanting for storage, that's for sure. That is definitely not the problem this system has.

The flash controller is a Silicon Motion 26... I can just read the slide: 2683EN. Thank you, picture. Nothing of interest here, except there was a bit of annoyance in the community at the lack of redistributed sources for some system components. Transcend resolved this, it's no longer an issue, but one of the modules is proprietary, the one that supports the flash controller. If you're familiar with IP restrictions for source code of video drivers, that is probably a similar reason there. There is some secret sauce that the vendors of flash want to keep to themselves and not share with one another. We don't know what it is, but it's not really a concern for us, unless you are an open source legal purist and you want everything in the open out of principle. The sources for some of the modules are available; the binaries for all three modules are available. So if we recompile the kernel, we can just drop the modules back in and go on from there.
It's not like we're going to modify our interface to the flash chip anyway. We're not interested in that now.

This card clocks between 0.9 and 1.1 watts while idle in my office. It peaks at 1.5 with wireless clients connected, and this is at a 110 volt power supply, of course, an Apple switched power supply, efficient, but still power conversion is a factor. Presumably higher if you push the CPU to 100% while writing to flash. You could also try to push consumption by simultaneously pegging the CPU and massively writing to flash. I got my numbers by exercising the radio only; I didn't do a full suite of benchmarks at different types of load. This is a relatively lightweight system, so I didn't see the need to push the envelope that far.

Interestingly, I checked to see if we would get better efficiency through eliminating the power conversion step, and we hardly see a difference: 220 milliamps is about 1.1 watts at five volts, same as we measured at 120 for idle. So it closely matches the other one. Apple really knows what they're doing; that iPhone switched power supply is really efficient. Good for them.

Let's start looking at the software side. I'm going to walk you through what we do to make it work first, and how we hack it second, so it's not hanging in the void and confusing as to how we got there.

How does this all work? First you set up the app on your phone. Then it gives you access to basic setup and core functionality: setting up network mode, names, password. Shoot and View here means putting the phone in a monitor mode of sorts, where any picture shot by the camera is automatically downloaded and presented on the screen with no intervention. This will be important later. It also offers to upgrade the firmware. Usually this is a concern, as that precious security hole used for rooting may disappear, but it's not so in this case.
It does not matter what version of the firmware you have, you're going to get around it, so do not worry about it. The latest version is as open as the first. It is both good and bad, I guess. I say it is good: it lets us hack the card. Security issues we bring about are not in the hacking of the binary support package, but we'll get to that later.

By default, the system wants to be its own access point. Great! Very convenient for development, but not so for photo download. Think of it: do you want to switch APs on your handheld device every time to sync pictures? The seamless internet AP client mode is a great strength of this card for ease of use, compared to others that make it needlessly more complex by putting their service in the middle. You just choose the mode you want and you get it.

So when it is up, it shows here from another machine in the same room. Your SD card has now become its own access point. Okay, what's next? Well, now we can connect to it, just like you would anywhere else, and now we can ping it, just like any other host.

Now let's look at how it works before we get into it. Think about it: the app needs to find where the heck the card is. It is out there on the AP, but at what IP address? The card broadcasts on UDP 55777: I'm here, I'm here, I'm here. Other cards are even more aggressive. They ARP the entire /24 subnet, find out where every node is, then send HTTP requests to everyone until it finds the card. Then maybe it stops. Most of the time it does, anyway. Don't worry, we can fix this.
It's just funny to me. The tools are only needed for initial AP discovery and password setup. If you do not want to use them, the card comes with a default user admin with a password of 12345678. But that's not the part that will make you laugh.

We port scan the card to see what's going on here. Here we see telnet, because I already cracked this one. The HTTP server: the pictures are published there, the app just HTTP GETs them. Services are offered as CGI scripts out of the web server; that's how the app commands the card to do things. The additional port 5566 broadcasts new entries in Shoot and View mode. If you're connected there you get a new URL message for every picture. That's how Shoot and View works: you get one line with the URL of new pictures when they're generated. Very simple architecture, not bad.

A few quirks. It downloads pictures twice. A bit suboptimal that way, but in this way it doesn't have to spend CPU power to generate thumbnails on board. It trades a little bit of bandwidth for not having to spend CPU and power. It also assumes that you are not downloading multiple pictures at once, which you are not. So simplicity prevails. I'm a fan of that type of design.

We can browse the card's HTTP server directly.
It's a Boa web server. It exposes directory listings. In theory it should show you only the directory listings of the data, and simple cgi-bin scripts to set configuration. These are in Perl. The app simply downloads the files via HTTP and calls CGI scripts to configure the system, and these scripts are the way in; that's how the card was broken into.

So this story starts with Pablo, who thinks there must be a CPU in these Wi-Fi enabled cards, and it turns out that he is right. Pablo went out and started poking at the software looking for security holes. Finds several the size of a small barn. Found ../../ backpaths, breaking out of the allowed inspection area. He extracts the source files for the cgi-bin, exploits a Perl script, and in he goes. And I went that way myself the first time.

But there is a better way: a file called autorun.sh. I think you know where this is going. Write a file to the SD card named autorun.sh. The system will read it and execute it with root privilege at boot. So all I have to do is just go "telnet, please", and telnet arrives. So much nicer. Now the security freaks among you will be horrified, but in terms of actually working with the card this is fabulous. It makes it so nice.

There is another aspect to this that is humorously named. I know what you're thinking, but that's not it. It stands for firmware update. It's a clever mechanism. You supply autorun.fush and three files: the initrd, the kernel, the program.bin. The system starts program.bin. Turns out this is a copy of the card's U-Boot with the default script payload. The script loads the new system onto the old and then reboots. It's a nice way to prevent breaking.
It also resets all configuration to the defaults, which may be handy if you screwed up. It is a really nice way to revert breaking and also gives you a way back to the defaults. But obviously you can only undo software breaking; you can still break the hardware.

So it's time to try and do this live. I usually unbox one of these, but in a virtual setting it doesn't really make it very useful, and you have seen the pictures, so you have seen most of what there is to see in an unboxing.

So let's set it up. I had to find an SD adapter that does not switch off the radio. So I went to my local computer megastore and bought every single adapter in existence, tested them all, returned nine out of ten, and now we have the right thing. This thing boots really fast, so much so that if I connected over the serial it would be up before I can connect to it. You would not see boot messages, it will just be there already.

So we got the advertisement, and we are connected. We got a connection now. I was connected to that card recently, so let's just do it this way and see. It got there way before me.

What are we going to see here? Let's start from version.txt. So the KeyASIC Wi-Fi SD is the ODM design that all these vendors purchase to make their own products, and you can see that it confirms the 802.11n Wi-Fi. The Linux kernel is 2.6.32.28, one of our most popular Linux kernels ever. This one was in RHEL 6, it was in SUSE Linux Enterprise 11 SP1, in a breaking of continuity from 11, a kernel rebase, and I believe it was in Ubuntu Server 10.04. I thought that one wasn't mine, so don't quote me on that, but I'm pretty sure. This is the kind of kernel that you would want to run when you have only 32 megs of RAM.
So it's a very, very good choice. It will not be expecting gigs of RAM, either in this form or in its userland.

What else? Well, let's see what's around here. We want to see something else, actually. This is the actual VFAT system of the SD card, and you can see that I plugged it into a Nikon digital camera that left its own fingerprint there, and a few files that I've been poking around with. BusyBox is notable here. We could run that BusyBox and have a much more feature-full shell environment, but I want to show you here how the card is, rather than how we are going to make it. The making part we can defer to the write-up. But yeah, very easy to replace the shell by just downloading a BusyBox and executing it. Incidentally, once you have a new BusyBox you can run the NTP module and not be in 2012 anymore, which is great, because then you can do proper secure connectivity, not plain-text telnet, and now that your certificates are not coming from the future, crypto will actually work.

What do we have on the storage side? So you see the JFFS2 file system. That is the 8 megabyte partition that the system boots from; that is the reason why things have been stripped down so much. It is tiny. Now I'm not an embedded developer anymore. In my time JFFS2 was the most popular file system for embedded Linux devices. This device is about seven years old in design, so I don't know if that has changed, but it's nice to see familiar things.

Let's see what's in mtd. Oh yeah, you can see the labels, so mtd0, the SPI NOR flash, that's the 8 megabytes. Okay, then we have Perl 5.14, not bad. Not an ancient single-digit version. So that makes this potentially a system that you can develop on out of the box.

Let's see what is running on it. We have the telnet that we started. We have two of the udpsvd processes.
These are the ones that do the broadcasting process that I described earlier. We have the Boa web server that's providing HTTP support, and we have a dynamic DNS advertisement. We have a DHCP server, because in access point mode we have to serve out the DHCP addresses to clients. The bodyguard process is the one that disables the radio when you plug the card into an SD card slot, so that there is no double write. And that's about it.

Let's see, what do we have here? Now we're ready to discuss the kernel version. We can see that it was compiled with Sourcery on an Ubuntu machine. It's funny what kind of details you leak out. What else, what else? We're going to skip the dmesg, it's too messy. So we discussed pretty much the CPU extensively already. You see that I got the CPU series right and, yeah, the 421 BogoMIPS there. It was mentioned before: not 400 megahertz, just the delay loop is 421.

We can also look in here. This is the one that makes me cry. So here we could really use some loop mount and some swap, but we can put them back in, so no crying.

One last thing: we can list the network interfaces of an SD card, just because it seems so wrong that we can't pass up the opportunity to do it, and we discover absolutely nothing, but it's kind of fun to say that you have done it. So why not.

Now, okay, back to the slides. Now be careful: the system mounts the flash partition under /mnt/sd, and accessing the file system from the card's own Linux while an external host is doing the same could easily corrupt the file system. Two live systems writing to the same host, no good. You can easily fix it by rebuilding the file system, but you need to be aware of the problem so that you don't do it in production. Development, it's just fun and games, but in production that's not the way to go.

So what software do we have to play with here?
In version 1.7 or later we have a kernel 2.6.32. The kernel modules are for the SoC, the Atheros 6003 radio, and yes, the HC interface, which as we discussed is proprietary. The services that you can have out of the box are basically a very stripped-down BusyBox that has telnet, FTP and dhcpd. That BusyBox is a little bit crippled, but once you replace it you can set up SSH, as soon as you can set up time properly, and this is very easy to do. It's just one execution away. So, easy fix.

On the kernel side, the kernel is extremely thin due to the need to fit in the eight megabyte NOR flash in the SoC, but we can load components from the larger storage once we have a system running. Ideally loop mount a file in FAT32 to avoid corruption, add swap to work around RAM, chroot to pivot into the loop mount. We need a new kernel to do this, and Robert figured out how to unpack the install files, then Dmitry rebuilt the kernel by looking at kallsyms, since the .config file is not exposed in /proc. Some people could think it's secrecy, but I think it's again saving space. So how this would work: we would create on the live partition, as a single file, a system image, would loop mount this and chroot into it.

Now somebody took this to the extreme. Why do people always do this? So they downloaded an Ubuntu 9.x image, the last version of Ubuntu compatible with the ARMv5 architecture, put the image in there on the SD card, loop mounted, chrooted, forwarded X, started Firefox, and then complained that it was slow. Okay. Well, it's not that interesting to run Ubuntu from 10 years ago, but it's pretty cool that one can take it that far. It's nice to see that the bits actually work and can be stretched. But we don't need to do things that crazy. Where there is Perl there is everything, I like to say. Maybe Perl is not your cup of tea, but it's better than not having it. This is ARM: you can cross compile, you can build on the system.
You can use ipkg, bring your own language, you can steal packages from another device of the same architecture, since there are 5 billion of them. I'm done with that. But if you want to be lazy, Perl is a perfectly viable option, and this is also a reasonably recent Perl. It's not Perl of the ancients like a Perl 5.6; it's 5.14.

The big question for embedded devices is how we find them. Where is my device? And we need to make it safe for the internets. You cannot use this device if you cannot tell what IP it's at. So there are three approaches that are common to work this problem.

One is a known configuration: always be at the same address. This is what I just did. When the card is in AP mode it is always at the same address, 11.254. I know where it is, I do not need to find it.

Then there is what the card does natively: broadcast. It advertises where it is. Besides the horror I described earlier, there are proper advertisement protocols like mDNS, multicast DNS, which is a perfectly fine way to discover things on the local network.

The third one is to announce, which is the device itself, once it has a valid network configuration, sending out an announcement. My favorite is to send out an XMPP announcement, meaning a Jabber protocol announcement, but you can use any protocol you want. And, you know, this is a unicast announcement, not a broadcast one like the horror I was describing earlier. It is going to a single endpoint and it's fair game, no messing up the network.

I'm not going to go through all of these. There is an article I wrote for Linux Journal in 2009, I believe. Search for my name and Linux Journal and there are scripts implementing all of these for this architecture. In fact, you can go and just grab the scripts.
They are in the article. You can also do this right, if you're a standards person like some people rightly are, and in this case doing it right means implementing DNS update as specified in RFC 2136, which I suffered through implementing a few years ago, actually. Contact me by a fixed DNS name; I will update that DNS record when I boot, so that it's always correct for my current device location. This is also implemented in my Linux Journal article. You can do it in 15 lines of Perl or less. So Perl may be hard to read sometimes, but it's very, very expressive, and it's very nice for this purpose because there are modules to do anything.

So let's go back to the security aspect. We were joking about the fact that it was easy to break in, but realistically we have physical access. We have the card and we can do things to it. We can also do it over Wi-Fi, and that is less kosher, but that hardly matters. What matters is that this brings the lost USB key attack to a new level. In a military base people are trained to shoot on sight when they see a lost USB key, but in an industrial setting people are more lax. So picture this, out of a Tom Clancy book.
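Back to the third discovery approach for a moment: the RFC 2136 dynamic update the speaker describes is a single DNS message with an opcode of 5, a zone section, and an update section that first deletes the old A RRset and then adds the current address. The following is an added example, written for this page in Python with only the standard library; it is not the speaker's Linux Journal Perl script and not the card's code. It builds the UPDATE on the wire and parses it back so the layout can be checked offline; the zone name, host name and address are constructed placeholders, and the update carries no TSIG signature (see the note after the code).

```python
import struct
import ipaddress

# DNS constants (RFC 1035 / RFC 2136)
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Dotted name -> DNS label wire format (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Inverse of encode_name; returns (name, offset after the name)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointers not expected in our own message")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_a_update(zone, host, ip, ttl, msg_id=0x2136):
    """RFC 2136 UPDATE that replaces host's A RRset with one address.

    Wire layout: header; zone section (1 entry: the zone's SOA name);
    no prerequisites; update section (2 RRs: delete the existing A RRset,
    then add the new A record); no additional section.
    """
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "Delete an RRset" (RFC 2136 section 2.5.2): CLASS=ANY, TTL=0, empty RDATA
    delete_rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = ipaddress.IPv4Address(ip).packed
    add_rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + delete_rr + add_rr


def parse_update(msg):
    """Walk our own UPDATE message back into a dict so it can be checked."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", msg[:12])
    if prcount or adcount or zocount != 1:
        raise ValueError("unexpected section counts")
    off = 12
    zone, off = decode_name(msg, off)
    ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    updates = []
    for _ in range(upcount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        updates.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl,
                        "rdata": str(ipaddress.IPv4Address(rdata)) if rdlen == 4 else rdata})
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zone, "ztype": ztype,
            "zclass": zclass, "updates": updates, "consumed": off}


if __name__ == "__main__":
    # Constructed values: zone, host name and address are placeholders for this example.
    msg = build_a_update("example.net.", "wifisd.example.net.", "192.0.2.54", 300)
    print(len(msg), "bytes;", parse_update(msg))
    # To send it for real: socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(msg, (server, 53)),
    # then read the reply header; RCODE 0 in the flags word means the zone accepted the update.
```

An unsigned UPDATE like this one is only accepted by a server that allows updates from the sender's address, which is rarely what you want for a device that roams. In practice the message is signed with a TSIG key (RFC 2845) and the server policy restricts that key to the one name it is allowed to change, so a lost or cloned device cannot rewrite other records in the zone.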
You need to break into somebody's network. You drop a USB key in their parking lot, and some Good Samaritan slash fool will take it inside the office and plug it into the wrong machine. I don't think I need to tell this audience this. So what's new here is the Wi-Fi aspect, of course. Also, there are a few devices that do this, like Hak5 has some devices that do exactly this, but in this case it's in SD card format with the radio in it, which is interesting.

Countermeasures are no different from the rogue access point ones: from radio jamming, or your network actively NAKing connection requests very cleverly for unknown access points in broadcast range, or, if you have a security policy against lost USB keys, by locking down or pouring glue into USB and other ports. You can pour glue into SD ports just fine and prevent people from sticking things into ports they are not supposed to use. Neither approach is new.

Sure, the card is not super secured, but remember your security posture needs to be commensurate to your threat assessment. You are not a nuclear reactor. If you were, you need to account for this. But if the question is the security of your Instagram pictures, do people want them that badly?
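The countermeasures the speaker lists are the rogue-access-point ones, and the card gives a defender two more things to look for that the talk mentions earlier: the card's own announcement on UDP 55777 and the ARP sweep of the whole /24 that some cards' apps perform. The following is an added example, not from the talk, showing those three checks as detection logic run over sample data. The wireless scan export and the log lines are constructed here in a format invented for the example; the known-BSSID list, the RSSI floor and the sweep threshold are placeholders a real deployment would tune. Only the port number comes from the talk.

```python
import re
from collections import defaultdict

# Constructed sample data for this example; the line formats below are ours,
# not from any real sensor or from the talk. Only UDP port 55777 is from the talk.
WIFI_SD_BEACON_PORT = 55777
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}   # the APs we operate (placeholder)

SCAN_EXPORT = """\
ssid=corp-wifi bssid=aa:bb:cc:00:00:01 chan=6 rssi=-48
ssid=corp-wifi bssid=aa:bb:cc:00:00:02 chan=11 rssi=-60
ssid=wifisd-demo bssid=de:ad:be:ef:00:01 chan=1 rssi=-35
ssid=neighbour-net bssid=00:11:22:33:44:55 chan=1 rssi=-88
"""

# Two beacon broadcasts from one workstation, one ordinary DNS query, and an
# ARP sweep of the whole /24 from another host (all constructed).
LOG_LINES = [
    "2020-08-08T10:01:02Z fw proto=udp src=10.0.5.23 dst=255.255.255.255 dport=55777",
    "2020-08-08T10:01:04Z fw proto=udp src=10.0.5.23 dst=255.255.255.255 dport=55777",
    "2020-08-08T10:02:00Z fw proto=udp src=10.0.5.9 dst=10.0.5.1 dport=53",
] + [f"2020-08-08T10:03:{i % 60:02d}Z arp who-has 10.0.5.{i} tell 10.0.5.40"
     for i in range(1, 255)]

SCAN_RE = re.compile(r"ssid=(\S+) bssid=([0-9a-f:]{17}) chan=(\d+) rssi=(-?\d+)")
UDP_RE = re.compile(r"proto=udp src=(\S+) dst=(\S+) dport=(\d+)")
ARP_RE = re.compile(r"arp who-has (\S+) tell (\S+)")


def unknown_access_points(scan_text, known_bssids, rssi_floor=-70):
    """APs in range that we do not operate. Weak signals (below rssi_floor)
    are dropped so the neighbours' networks do not page anyone; a strong
    unknown AP is the one that is probably inside the building."""
    hits = []
    for m in SCAN_RE.finditer(scan_text):
        ssid, bssid, chan, rssi = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        if bssid not in known_bssids and rssi >= rssi_floor:
            hits.append({"ssid": ssid, "bssid": bssid, "chan": chan, "rssi": rssi})
    return hits


def beacon_sources(log_lines, port=WIFI_SD_BEACON_PORT):
    """Hosts sending UDP to a broadcast address on the card's announce port:
    a card sitting in a workstation's SD slot would show up here."""
    srcs = set()
    for line in log_lines:
        m = UDP_RE.search(line)
        if m and int(m.group(3)) == port and m.group(2).endswith(".255"):
            srcs.add(m.group(1))
    return srcs


def arp_sweepers(log_lines, min_targets=32):
    """Hosts that ARP-probed many distinct addresses, the /24 sweep the
    talk describes. Returns {source: number of distinct targets}."""
    targets = defaultdict(set)
    for line in log_lines:
        m = ARP_RE.search(line)
        if m:
            targets[m.group(2)].add(m.group(1))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def run_detections():
    """All three checks over the constructed sample data."""
    return {
        "unknown_aps": unknown_access_points(SCAN_EXPORT, KNOWN_BSSIDS),
        "beacon_sources": beacon_sources(LOG_LINES),
        "arp_sweepers": arp_sweepers(LOG_LINES),
    }


if __name__ == "__main__":
    for rule, result in run_detections().items():
        print(rule, result)
```

The RSSI floor is what keeps the neighbours out of the alert queue; the beacon and sweep rules are cheap to run on existing firewall or ARP logs and do not need a wireless sensor at all, which matters in the industrial setting the speaker contrasts with the military base.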
So your mileage may vary. What is on the opportunity side is that this is a low power system with vast amounts of storage and wireless connectivity. And really low power, as in you could power it with a solar panel and put it up a tree, and this is the ideal PirateBox data exchange, a PirateBox being the term of art for anonymous data exchange, where people drop and retrieve files over Wi-Fi anonymously. I don't think it's as popular as it used to be once as a concept. This is in practice a spy's dead drop, if you want to use the intel community's comparison, if you want to continue that line of thought. Less ominously, you can make a solar powered geocache.

But seriously, you can now realistically put a server in your wallet, or even make a server throw-away, or a Beowulf cluster in a shoebox, although I would recommend you do not do that. You could put it in the SD slot of your car radio, if you have one of those old ones, and make it download music whenever you park at home.

There is one limitation: SD cards are supposed to have SPI interfaces, and that would be awesome, because SPI means Arduino. But sadly this is not viable with this card; that won't work. Somebody tried. The integrated system was bigger than the card itself. I mean, the support for SPI to access Arduino was bigger than the card itself. Not practical.

But this is nonetheless a very interesting platform to experiment with. Cross compiling is an option, but you can take the lazy way out and prototype with Perl. I solved the discovery problem for you, you have all the scripts. And this is very low cost, same cost as the original Raspberry Pi. So you have to decide if you want to trade RAM for very low power and small format, or the other way around. And it's a fair question. It's a very niche hacking platform. Transcend has been very nice to the community.
Sorry, it's a very nice hacking platform. Transcend has been very nice to the community. We broke this years ago and they haven't complained. They haven't sued anybody. They haven't shut us out or done anything untoward. We get hardware to play with, they sell more hardware. It's great for everyone. The mechanism we used is part of the SDK, but the SDK is not public, so we had to discover it the hard way.

We need a better distro image than the crap you have seen. I've worked on too many Linux distributions to stand for that. But that is relatively easy to do, and there are some tools out there that are workable already. I think we can do better, but it's adequate to at least experiment.

So if you come up with new ideas on how to use it, please send them to me. Here is my contact info. You can find me on Twitter or send me email, or you can find me in the Discord channel and ask me questions there. Remember that speakers are Pavlovian devices, so if you like the talk, please let us know. Rate the talk, send us comments, submit feedback, all of those things as you see fit. If you do something with it, let us know what you did so we can spread the news. Slides will be available and I'm available for questions if you have any. Thank you and stay safe. Happy hacking.