I'm just here to destroy, so it's definitely a learning curve for me, where I'm just used to breaking the thing down just to break it down, versus breaking it down to actually get some value out of it and turn it into something cool. So yeah, I really appreciate all the support and all the help so far; it's been a great journey.

Outstanding, outstanding. So we're getting close to the start point, just a minute or two out. Again, for those joining in the actual Zoom webinar, there is a button down there where you can post questions. I encourage you to please do so. The goal is we will try to answer any questions that come up if we have the answer. U-Boot is kind of an amazing topic, and none of us claim to know possibly everything out there, but we'll do our best to give you some good feedback on your questions. Also, after this is all over I'll be jumping over to Discord; I think Garrett will be there also, in the IoT Village Discord in the speaker area. So if you have any follow-up questions after that, please reach out to Garrett and/or me or Jonathan and we'd be more than glad to help you out. So we're at the go point, so I'm going to turn this all over to Garrett to go ahead and get started. It's all yours, Garrett.

All right, right on. We appreciate everyone taking some time out on Saturday. I know that normally we're in Vegas right now, so it would be no harm, no foul to be taking time out on a Saturday, but appreciate y'all taking some time and tuning in today. So without further ado, let's get this party started. You should be able to see my screen; we're looking at the U-Boot DEF CON 28 IoT Village talk, which is what we're going to be going over today. We've got a couple agenda items to go over real quick. What is U-Boot? First off, we're going to get that out of the way, and then we're going to go into pin glitching a Philips Hue device and then potentially getting root on that machine, and then we're going to switch gears
a little bit and go over some common problems with Daryl Hyland, and that's common problems related to U-Boot and how U-Boot can solve them. Then we're going to be rooting a Luma Wi-Fi access point, it's like a mesh Wi-Fi device, utilizing TFTP, and then following that we're getting faded. So that's the agenda for the day, and without further ado let's get this party rolling.

So what is U-Boot? U-Boot is basically a universal bootloader. It's loaded by the system's ROM, or read-only memory, or BIOS, and from many of these supported devices, like SD cards or flash using SPI or NAND flash. Basically it runs a command line interface over a serial port, and people like us can load and boot a kernel, possibly changing any of the parameters in there from the default to make it do what we want to do, kind of take over and give it our own instructions versus something that comes from the manufacturer. You're also able to read device information, read and write flash memory, download files; there's a lot of different things that you can do with this. Basically you can choose the memory locations of the kernel and other boot information and explicitly tell it, hey, I want to look at this destination and I'm going to copy this information. So it's really good at extracting data and pulling that out for further analysis outside of that U-Boot connection. So it's loaded from flash memory, it's often accessible over a serial connection, and that's what we've used today: we're using a Shikra, utilizing UART to connect to these devices. It also comes with a limited set of commands, so there are several commands that we're going to be going over that come with U-Boot.

So moving on: pin glitch on the Philips Hue, that's what we're going to be doing first. I'm going to get out of these slides; it's boring, right? Let's get out of here. So we're going to go up to my other screen over here, and just to show you some of the
devices we're working with, we've got the, I'm looking all around me, it's right in front of me, the Philips Hue. It's basically been stripped down; I can see the underlying form factor here, but this thing is to connect the lights in your house. So if you wanted to have a bunch of different colored lights and then control them from your phone, you buy one of these devices. You can imagine a lot of people have these in their houses; I think you can connect up to like 50 light bulbs with this thing. Then we have the Luma, which looks like a little Wi-Fi access point or something like that, and that's exactly what it is: it's a mesh Wi-Fi access point. It's got Ethernet on board, it's got a USB, it's got a bunch of other stuff in there you can't really see because the camera's not very clear, but that's what we're going to be breaking down today.

So let me get my other situation going on here. First off I'm going to set this up, so bear with me, and if you already have questions, don't hesitate, throw them out there while I get this thing set up. Okay, that's in there, perfect. Just get some wires out of the way; I should remember that choice from last time. All good. So just to break down what is on this now: we have the UART connection over here to my Shikra, using ground (ground over here), receive and transmit over here, so we're connected to some headers that are on this motherboard. Then we have another set of headers over here that's set up for my ground-out wire, so I have a wire that has a little paper clip shoved in the end of it that we may be using to glitch this thing out. So that's a little bit about what's on this thing. You also have the two flash chips that we're going to be looking at, this one down here and this other rectangular guy right here. Those are the two chips that are communicating that we're going to be disrupting. On the left-hand side I have a terminal, software called CoolTerm, and
it's free, you can download it. It's pretty versatile on Mac from the few times that I've been using it here, and so far so good. You can actually see when it's transmitting and receiving, you can see when it's connected, a lot of good detail here. So I'm going to disconnect and clear the data, and I'm also going to look at these options. There have been some things that we did prior to this call to set this up for success: I did change the port to my USB serial because we are using a Shikra, I did change the baud rate to 115200, and I also changed some of the terminal settings so that we can actually interact with this terminal and not pull our hair out, because you can't backspace, you can't delete, and things start getting crazy. If I can't go backwards, then how can we go forwards? So those are a few of the options I just wanted to highlight.

Now that that's all said and done, let's get some power to this thing. You can't see it, but I have a power strip controlled by my foot over here, so let me just get power to this real quick. Okay, so we got power there. Gotta take my shoe off because I can't do it with my shoe; I totally forgot I have to use my toe. All good. We're going to connect to this thing once we get some power on it, and we're in. So this is just the normal boot-up of this device, we're just looking at it from a terminal perspective, and with this we can already get some good information, good value, because we all know when things boot up there's a lot of information that's kind of sprayed out there. Sometimes it's machine communication, sometimes it's detailed information that we can actually use and take back and learn more about this system. So as it boots up, I think it takes about 32 seconds, so we're almost there. This is a seconds timer on the left-hand side, if that wasn't clear. Once we get to the login, I think it's... haha, so we're here. So here's the login prompt. I don't know the password; I tried to look it up, then
I didn't find it. Let's see, root, admin, just try one. All right, so it's not working. Okay, so we cannot log in at this stage, so let's take it to the motherboard, right? I'm going to clear this out, okay, so we're going to start fresh. I'm going to turn the power on this guy, my trusty index toe, there it is. I'm going to clear it and get my wire ready, hopefully get this on the first shot here. Clear the data, we're connected, power is on, and that's the pin. Oh, I'm shaking. Oh, there it is, perfect. So we got the command line. If you didn't see it, it was pretty quick, but there is a pin that I just lightly touched and pressed against with this little paperclip thing right in there, so if I can keep my hand steady, it's right around there. That is what got us to this point.

And what can we do here? A few things. We can just ask for help: I mean, where are we? help. So we get a lot of different commands. There's boot commands, there's echo commands (we can echo arguments to the console), we can loop (infinite loop on an address range), we can ping, I think there's a ping option in here, you have ping, so we can even try to connect to other network assets that may be able to communicate with this device if we want to. We can print the environment variables, we can set the environment variables, save the environment variables, so we have a lot of options here. We can even boot, tftpboot if we wanted to. So a lot of different things we can see at this point.

So we're just going to print the environment variables and see what else is in here. These environment variables are somewhat of the command and control area of this device, so what we change in here does affect the entire system and the device. We can see the baud right there is set to 115200, which is how we're able to communicate. We see some more flash boot-up details with the kernel. We also see, what else is in here, we got version information, production information, oh, we got an IP address, so
we got some IP information, we got a server IP, a lot of information in here. Boot delay, oh, that looks good. Some security thing with a hash, that's probably something. Let's see. So, just so we don't have to do that pin glitch again, I'm just going to set the boot delay right now, because I don't know about you, but I might have got shaky hands and I don't want to have to do that every single time I reboot this thing. So we're going to set the environment variable for boot delay to five seconds. Just to make sure that that held, we're going to check it again, and it's there, so we got five seconds on that boot delay. We have to save it, otherwise it just goes away, so we're going to save this, and that's all the jibber-jabber of saving that environment. Let's just print it one more time for safekeeping, and boot delay is five, so we are there. So I'm just going to reset, let this thing boot up again, except this time we should see a boot delay. Ah, there it is. So I am going to interrupt. Root, right?

So now that we're back in, what else can we do with this thing? Let's take a look around, back in those environment variables. The one that kind of jumped out to me was the security and this weird hash following it, 1984. Maybe there's some type of underlying message in here, but the security is something we can mess with. So let's just set the environment of security to nothing, and nothing can be just two single ticks, okay. So if I save that, or set that, let's check it, ah, security equals nothing, perfect. So we do need to make sure we save this, save environment. No matter what, you always have to save, so make sure that's nailed down, and we'll just try resetting, see if that did anything for us. Essentially what the manufacturer did with this is they hard-coded the password into the device. Not a good idea in my opinion, but that's what they did, and that's why we're able to mess with it right now. So we did let it go past the boot delay because we want to see
what happens when it actually boots up now, because before we got hit with a login prompt and I didn't have the password, so we couldn't get anywhere with that. As this thing boots up, same kind of song and dance with the boot-up information: it's writing, it's opening, it's loading, it's doing all these things, and any of those environment variables that we've changed may affect this time right now. So if we just wait a few more seconds, the magic of television, and we are root. So just by eliminating that environment variable security, it actually cleared out the password, and that was actually the password in a hash. So we're moving; it gave us root access. Right on, high fives, air fives, because of the timing, but air fives all around, we got this thing.

So what can we do now? Well, lots of things. We can start looking at the mounted drives, we can dig into the root file system, we can look at the kernel, on a bunch of different root drives in here, the root file system, data drive, maybe there's some good detail in there. We're clearly at the helm here, we clearly have the reins of this device now. We can look at other information on this thing and see if there's more details that we can pull out of it, more user details, maybe some hashes, who knows, but we are in like Flynn here. So any questions on that so far?

Hey Garrett, yeah, looks like we have a couple questions here cropping up. Strikeout looks like he's trying to do possibly some U-Boot bypass through glitching on a Wyze Cam Outdoor, and this individual is asking where did you actually put the paperclip on the chip, a data line?

Yes, so that is a great question. It is a data line, and it's in between these two flash chips. I don't know if I can get a better view of this thing, but that's looking terrible. I don't have a micro, I don't have a magnifier to get you a better view of this, but basically there is a pin in between the two
chips that is sending data. It's basically this pin right here, it's a little silver flat pin there, and if you look close on the motherboard you can see the tracks going between those chips. You can kind of see it, but now it's all blurry, of course, come on.

Yeah, to kind of add to that, this is Daryl real quick. Often one of the best things to do, once you've identified the flash chips that you're going to attempt this on, is to track down the datasheets on those, and from the datasheets, in this particular case, I traced out the data zero line between those two chips. This particular glitch is a little easier timing-wise, because the smaller chip that's toward the bottom actually has U-Boot on it and the other chip has the kernel on it. So the goal is to find the data line for the chip containing the kernel and interrupt that by taking it to ground, and the attempt there is, as U-Boot is loaded and before it has a chance to actually load the kernel or call the kernel, you literally take one of those data lines to ground, causing it to fail to read it, as Garrett was talking about and as he showed there.

Awesome. One other question here, Garrett, that is cropping up. An individual asks what type of device are you using to interact with the device here via UART, are you using something like a Shikra?

Yeah, let me show you, I can show you what that is here. We got one right here to show you, so let me kill out this thing real quick. We're going to disconnect, pull this thing right out of my laptop for you, a little power. All right, so to give you a better idea of what this thing is: it's basically just a little USB with a chip attached to it, with several different header connections on it. It comes with a datasheet that kind of breaks down what these connectors are, but that's literally all it is. It has three cables, I don't know where my camera is, it's got three cables, one for ground, one for receive, and transmit. So that's how I'm connected
directly to this device. Hopefully that helps, but you can pick these things up off the internet; I think they're 30 or 40 bucks, I can't remember how much they cost, but they're doable. There's some other devices out there like Pirate, there's one called, I think, UART Pirate or something like that, or Pirate Bay, I can't remember what the name of it is, but there's several tools out there that do essentially the same thing. This is just the one that we used today.

Cool, that's, I think, the last of the queued questions we have here. And Bus Pirate I think was the word you were looking for.

That's what it was, Bus Pirate. Oh man, yep, I knew it was something to do with the pirates. Pretty good too, though, I like the ring of that. Right on, cool. Well, that's all the questions, let me just get back to the slides here and move on. So now we're going to switch gears a little bit. We're going to be going over some common problems with embedded devices and then using U-Boot to solve them. So I'm going to switch gears and pass it over to my colleague Daryl Hyland and take it away from there. Let me just stop my share.

Thanks, Garrett. Let me go ahead and share my screen. Hopefully everyone can see my screen. So, kind of getting back to the actual Hue, I went and configured this Hue to kind of exhibit a common problem that you will often encounter, and I know I've hit it two or three times working on IoT gear in the last year or so, and I know Jonathan has also encountered it. Again, this here is just a standard Hue, and then this here happens to be a quad UART device. I kind of like this one; it's a little different than the Shikra. This one actually takes four different UARTs, and you can switch between three and a half and four volts, and it's all USB based, so it's kind of sweet. I like using that if I need multiple UARTs at the same time. But let's go ahead and plug this device in, make sure
everything's going to come up here. So again, often when you're encountering devices, they'll come up, and if you notice, it had the boot delay; I put the boot delay on here just to avoid having to glitch again, but the pin glitch to force into a U-Boot console is literally a very common method. But as you see, we hit a point here where it's literally disabled: we no longer have a console. This is not uncommon. You'll have a device where you're actually able to establish a UART connection on the device and start seeing it boot up, but then inevitably when it's booted up there's literally no console whatsoever on that device. I've had it go up to this point, you'll see "console disabled"; I've seen it come up and not tell me console disabled, just say loading kernel, and then you see nothing after that. So whether you need to use a pin glitch, or they've enabled the boot delay, or some method you can gain access to it, we're going to go ahead and go through that, and often the fix for this is typically very simple. Let's see if I can catch this here. Okay, actually, which is funny, that did not work for me, so we'll see. This is going to be funny if this doesn't work; it wouldn't surprise me if Zoom caused the problem. Okay, we're able to get into it.

So back to those common commands that Garrett had mentioned, like print environment. We're going to come over here and print environment, and again there's literally tons of environment variables. A lot of these environment variables are part of the boot process; like Garrett said, some of these actually pass commands to the kernel so the kernel knows what to do as it's loaded up, and often where you see alterations that need to be made, the most common one is bootargs. You'll see bootargs showing the configurations, but when we come over here we see bootargs console is actually set normal, so maybe it's somewhere else. But here we found out they have another environment variable called standard bootargs, so apparently this is what's being
called at some point, thus we see the null taking place in here. Sometimes this will involve being very experimental. The first time, when I was setting this up to identify it, that's when I found out that this bootargs segment doesn't work and then you need to do it some other way, and it turns out it was the standard bootargs. So to go ahead and do this, again like you did, you set the environment, which was standard, std_bootargs. Something always to remember also: in this case I'm going to rewrite the entire one, and we're going to set the console here, and look at our standard bootargs, make sure there's not another one. You would be surprised how many times I've misspelled something, and it's easy to do, and what you end up doing is just creating another argument that isn't read by the system or used. So then you boot the system and it goes, well, it didn't fix anything, what went wrong? Often it's just a typo. You've seen where people have made typos; up here there's an example, security, security, that's kind of weird, so again that's probably a typo that took place there. So at this point we'll go ahead and save environment variables, write the environment variables back out, and then the reset command will cause the CPU to reset on the device from the U-Boot console. So let's see if this will actually work, and it's kind of amazing, out of the number of times I've done this, more than three quarters of the time when the device did boot up... oh, that's interesting, we seem to have a crash on the system. We had a kernel panic. That's interesting. So demos do go bad, so we will see what we have here. If this doesn't come up we're probably just going to move on. Typically you make these changes on the system... yep, we got another kernel panic. I'm going to take one more check and see what corrupted, so we're not going to waste much time on this and we're just going to move on. Typically there may be something in here; sometimes these things go bad, but normally just by fixing the console setting... for some reason my
kernel's messed up. I'm not sure how that happened; maybe from constantly rebooting this thing over and over and over, it finally said, hey, I'm not going to play anymore, and corrupted something. But typically when you go into the U-Boot console and you've broken into it, and you have a device that will not give you a console after boot-up, a lot of times you can go in here and alter either bootargs or some other reference that's used for the boot arguments that tell the kernel what console, what baud rate, all those typical things, and set that, and it'll come up. Usually three quarters of the time when I've encountered this on commercial gear, where they've actually turned the console off trying to hide access, when I do allow it to boot up, it's giving me root access from the very get-go, versus giving me a password prompt; it's giving me root access. So again, the best way to do this is check the console settings, make sure they're correct, make sure they haven't turned initialization and it off. I've seen this messed with, which would cause weird things, killing consoles and stuff like that, but typically nine times out of ten it's literally going to be the console setting. If it's not set, often when you identify the processor that may be used, in this case you can do a little Google reference and identify the most common tty setting for that. A lot of times it's in the datasheet and stuff like that, to identify how it is naming its primary console tty. So often datasheets, a little Google on the device or the processor, in this case, to be able to identify that, and that helps you to literally set the console where it actually needs to be. So unfortunately that demo failed, even though it's worked 40 times up till today. I will stop sharing and turn this over to Garrett so he can attempt his next demo. Are there any questions related to this particular failure?

Let's see, it looks like there's a couple folks that are helping troubleshoot, and I saw one of the issues too. I think, I guess, it looks
like bootargs was double set; also the board= appeared to be missing from the bootargs. I think for sure that might have been one of them; the board= might take a little troubleshooting, but that's a couple questions, I guess, that came up.

Oh yeah, got it, right there, I see it. Yep, good catch, guys. Often when you're cutting and pasting it's very difficult to do that; since I didn't define the board, that obviously caused it. So good catch out there.

Yeah, props to folks on Twitch as well as here in the panel that caught that. But there are a couple questions that did crop up. One individual asks, how often do you find that IoT devices are actually using U-Boot, like would you say about 75 percent, 50 percent?

I'd have to say it's still probably a little higher than 50 percent that I engage devices that U-Boot is used on. Now, if they're running the latest version of U-Boot, this typical pin glitch will not work. What happens is the newer version of U-Boot that is out there, if anyone is actually using it, when it can't load the kernel, it will actually restart the U-Boot process, so it'll just go into an infinite loop until it can load the kernel. And that's how they've kind of started to fix this problem. I assure you there's probably attack methods in that case to get around it, but the best fix, what we always recommend to most vendors on how do you solve the problem with U-Boot being an issue, is start using secure boot.

That actually answers the last question that I had here, which was what's the best way of overcoming some of these issues, and it sounds like secure boot's the best method for that.

Yeah, I would say secure boot is the best solution to these issues that we're running through today.

And I think we had another question just pop up here that we can kind of squeeze in before we move on, because there's one more demo, is that correct, Garrett?

Yeah, yeah, we still got one more, but yeah, more
questions, the more the merrier.

Okay, yeah, so Asher asks, do you know why sometimes the environment variables cannot be modified, even with root access to the U-Boot console? This apparently has happened for this individual.

The only thing I can think of off the top of my head is that the manufacturer hard set some of those environment variables to not allow change even at a root level, or there's just some underlying permissions that, even though we may feel we're root, there may be some hard-coded permission set there that we just can't get into. I don't know, maybe someone else has more to speak on that, but that's just my initial gut feeling.

I'd have to agree with that. I actually had a device I was playing with the other day and there were probably a half dozen arguments in the environment variables that, when I changed them and saved them, they never saved, nothing. So U-Boot's a funny beast. Everybody compiles it differently, so the amount of features, functions, capabilities, and how it works is very configurable, and every vendor will compile it and use it differently. Also I've seen where bootargs and all of those settings are not even used by the kernel; that stuff is actually hard-coded into some kernel configurations, so alterations with bootargs don't actually work, which can be problematic too when you're trying to carry out some level of attacks based on that. I think what Garrett's going to demo here just shortly will actually open up some other possible opportunities if you're able to break into the U-Boot console; some of the stuff he's going to show may be very helpful in gaining a level of access into the system.

Awesome. Any other questions out there, John?

I think we're caught up on the queue, I think we're good to go.

All right, right on, moving on. So next we're going to be going over the Luma. The Luma is that mesh device that we're looking at. It's got a little bit more to it on the motherboard itself;
there's just a lot more going on. It has onboard Ethernet, it's got a USB port, it's got several different places to connect wires, or some headers, a lot of stuff going on. I think it's got like a built-in Wi-Fi chip on it, possibly, I'm not sure, but a lot of stuff going on there. So we're going to boot to root here real quick. Out of these slides, back into the live action, here we go.

So now I've got my Luma set up here, broken down, ripped it apart. I've got my UART connection over here with my ground, my receive, and my transmit, we're all good. I have my Ethernet actually plugged in because I'm just going direct line to this thing, and then I also have a ground wire that you can't really see, but there is a ground wire soldered onto the board over here. The way that I did get into this thing initially was a pin glitch, and I'm not going to show that today, but if it's something you want to see I can demo it later if we have time. Basically this particular chip right here is the chip that we are compromising to break into this thing, and it's actually this pin right here, this data pin right over here, the second one up, I don't know if you can even see that, but there's eight pins around that square chip and we're going to short the data line, or the data pin, on that thing. So that's how we would have got into this thing, but since we already did that, the magic of television, we're just going to plug some power into this thing. Okay, we got power now, and a little bit more slack in that line, the trusty toe, come on toe, there it is, and we're connected, and there it goes. What's funny about CoolTerm is you have these receive and transmit lights going on in the bottom, so we know that we're getting data in some way, somehow. And again, with the boot-up process, a lot of information here, and obviously we can all read extremely fast, that's how we're able to read everything that's going down the screen. No, probably not. There's ways to extract this if you wanted to, kind of
if you recorded this and just played it back slow, and you could be taking like screenshots as it goes through; there's plenty of ways to extract everything that's going on here. This one actually takes a little bit longer to boot up than the Hue, I think just because it has more functionality to it. It's not just going to turn your lights blue or green or red or whatever the ambiance for the evening happens to be this time; it's actually going to provide internet connection. So when people come over, or you have parties (not so much anymore, but when we did), you want to have everyone be able to have internet. We've got to be staying up to date on our socials, we've got to be staying up to date on everything, so internet is good. So we may not wait for this whole thing to boot up; I think it takes about a couple minutes and my patience is weak. As this thing rounds the bend here, looks like it's doing stuff with Wi-Fi, looks like some connections are going on, some different channels. Let's just see what happens. Oh, okay, so we got a login prompt. We can try to log in, I don't know the password though, let's give it a shot anyway. Login incorrect. So no luck again; we're oh for two there on trying to just log into these things. So what can we do? We're just going to power cycle this thing. All right, so clear, clear, all right, pinky toe in action. So like I said before, you know how the cooking shows do it: they don't cook that whole turkey right in front of you, that'd be crazy, but they have one already in the oven. That's kind of what happened here: I pin glitched this thing prior to this call so that I could set this boot delay, so that I could break out of it and get in there and actually show you some stuff. So, similar to before, print environment variables. We could just ask for help, though, just to see what's different about the Luma versus the Hue. So some slight differences: this one's not as long as far as the list of
items that we can do. Just kind of piggybacking on that final question before, U-Boot is configured differently on every device, or essentially it can be. I was even reading up on this company called EMAC, I think they do like SCADA devices, and the way that they configure U-Boot was completely different than another person who configured U-Boot, because when I was looking things up on this stuff I would find several different explanations, like, well wait a minute, is this even the same thing? Like, yeah, it is, it just can be completely configured in several different ways, or compiled, I guess, is the right word to use. So if we look at some of these things, what jumps out to me is the boot arguments, the bootipq (boot from a flash device), boot from memory, boot from a network connection using TFTP, spoiler alert maybe. We got ping, so we can actually test ping connections; print environment, like we already know; save environment; set environment, that's all there; print the memory flash information; there's a tftpboot command right there; and, oh, a USB boot, so a lot of stuff. This thing has a USB on board, so there's more opportunities here. So today let's get back into the print environment. Let's take a look back at this. Today we already have set the boot delay, so that's already done, boot delay is set. This boot command, though, is set to that bootipq, and if you don't remember we can just quickly look back at that bootipq, what the heck is that? So here it is, bootipq, and it's to boot from flash device. So that's what it's set to out of the box from the manufacturer there. So if we get back into those environment variables, what else can we mess with? Let's see, so IP address, ah, IP address is important, and we also have server IP. So what can we do with those? Basically this IP address... this Luma device does not have networking configured out of the box, so when it turns on it just has a random IP in
there, and I just set it to an available IP on the network that isn't already being used by the Xbox or the PlayStation or the ten Raspberry Pis or the N64, you know what I'm saying, all these devices out here. So I just chose a random IP; it doesn't really matter. What does matter is the server IP. The server IP is going to be the TFTP server, so we're going to be using TFTP to boot this thing, or to boot from TFTP, and that's where this extra server comes into play.

So I got my Ubuntu 16.04, just a fresh ISO I pulled down the other day, and just found a couple of articles online on how to set up a TFTP server. It's really straightforward; if I can do it, I'm sure anybody on the call can do it, because it's just creating a file, setting the right parameters in that file, and then making sure the service is up and running. I can't tell you how much pain I was having literally yesterday trying to get this thing to work, and I didn't really change much and it just started working again. So we're going to see how well today goes. But anyway, it looks like it's up and running; we can just see if this is still good to go. All the passwords are super secret. All right, so we're still running as of 15:29, so right on schedule there. Cool. And if we look at the IP of this device, that might help, right? ifconfig. Let's see, so this is 192.168.1.18, so that's where that IP comes into play.

All right, cool. So jumping back to this now, this boot command is set to this. We can actually override this particular boot command here and these boot arguments. Sorry, there might be a neighbor calling for their cat. So I've actually already gone ahead and written out this command, just for the sake of not typoing this thing a million times; I'm just going to copy it over. And if you notice, I didn't show it actually, but if I go back to my VM, I have a kernel image over here that has been compiled using OpenWrt. So this is the package, or
the image, that we're going to be calling from my TFTP server. So I just dropped it on the desktop here; I have it in several locations just because I was testing. I think it just needs to be on the root drive, just accessible. So, good stuff there.

And now that we're back here, I'm just going to paste this command. Cool, just like that. So I'm using tftpboot, which is one of those help arguments; if you remember, there was a tftpboot argument that we could use. Then I'm telling it which piece of memory I want to boot from, and I want to boot this particular image, and then boot at this particular address in memory. So that's what this command is meant to do. So without further ado, let's see how it goes. Let's just hit the big red button, and right away you can see that it's using an Ethernet device, eth0, so it is connected. It's from the server, my TFTP server at .1.18, and then from our address, which is .25. So it looks like we might be in good shape here on the first go-around; how about that. Looks like it's uncompressing the kernel image, it's booting it up, you can see the OpenWrt right here if you catch it, and then it's off to the races.

So as this thing kind of boots up, we'll see if we got any further than that login prompt that we had before. And if you're not familiar with OpenWrt, it is open source, and those can also be compiled a little bit differently depending on what you want to do with it. By the way, if you wanted to buy these devices, you can pick them up very cheap on eBay; just search eBay. But this OpenWrt is basically just an open source project that you can compile different things into and connect to different devices; it's just fully customizable. So that's a little bit about what's going on there. Let's see, so as this thing boots up, see if we just hit one of these random buttons over here. Boom, so that did it. We are in a built-in shell on the Luma device. So this
technically is not the Luma OS, so I want to be clear on that: we didn't just root the whole Luma device. What we did is we created kind of a landing place, kind of like, before the OS hits the ground we created our own OS and said, hey, we want to boot to our OS before you even get to yours. Okay, so that's what this is. And so it's not the direct file system on the Luma, but we can still do things similar to the Hue, where we can dig into the root file system, we can look at the kernel, the firmware; there's a lot of things that we can potentially get into. There's several different techniques to do that. One of them would be mounting these drives. So assuming that we had full permission, then we would just mount these drives and start extracting data from there. If we don't, in a situation where we don't have access, say, like right now, we have all zeros here, so it's possible that we don't have access to this right now. What we could do is use something like dd to extract the data that way; it's a command-line tool. Or something like TFTP, and just siphon the data to another medium and then perform additional analysis there. But as far as from where we are right here, there are some things that we can do, but it is kind of in this OpenWrt console now where we have to get a little bit creative and use our noggins and find another path to the Luma OS. But it's possible. So that's a little bit about what we got going on on this thing. We wanted to show booting to an OS that we compiled on the device itself. So that's a little bit about what we got going on here. Any questions on how we got to this point?

Yep, a couple of questions here. One individual asks: I assume all of these attacks require physical access; there's no way of performing this attack remotely, is that correct?

Yes. So, unfortunately, if you did want to start doing some more driving or something, or mess with your family members, whatever (it's all ethical, right),
you would have to have physical access to these devices. I imagine you could get physical access one time and then set up some type of logic bomb or some type of hook into the device, so that if it were online it could call to us in some way or somehow, probably on some of the devices that have an internet connection more so than not. But I know that I have the light bulbs from Costco; I think they're called, oh man, now I'm drawing a blank on it, but it's basically the same thing as the Philips Hue, and it's the Costco version. I can't remember the name of it now; it's driving me nuts. But basically they were on the internet and they didn't have very much, if any, security, and I was just afraid to even mess with it at that point. I'm like, it's on the network, I'm just going to take it off. So, yeah, you do have to have physical access to this thing, but, you know, you never know. So, good question.

All right, I'll take a look at another question here. I think this was touched on a little bit earlier as well by Darryl, but: how do you know which pin to take to ground when glitching? I know earlier we were talking about data zero, data one, but as far as testing's concerned, how would you know which pin to take to ground whenever you're performing this type of glitching?

That's a good question. I do have the breakdown of that flash chip on another screen somewhere, somehow; bear with me. Can you still see my screen? Is it still showing questions? Yes. Okay, give me one second and I can get that readout for you. But basically it is a data line, and it is the one that we would want to break into. So when you look at the data sheets for these devices, you do want to look for the data lines; that's kind of the idea, and finding out where those actually exist. Let's see if I can't get a good shot of this. Give me one second. Okay, got that now. Let's just minimize some things. Okay, so see if I can't get a
better view of this device here. Okay, so if you can still see my screen, what I have on there now is basically the top-down view of that exact chip. So if I look back to the camera, this is the chip breakdown, this one right here; I don't know if you can see that, but the one with the little orange paint drop. So that's what we're breaking down in this diagram here. If I can get my pen out, there we go. So the line that we're shorting is this SO line, this SO line over here; that's the data line. I can't remember exactly what it stands for; maybe Darryl remembers. But that's essentially what we're shorting in this example.

Yeah, exactly. There's also an interesting question that came up: when glitching, wouldn't it be a little safer to use a resistor in lieu of a paper clip? There's a possibility you could short a 3.3 or 5 volt trace pin and burn a register.

Yeah, there's always a chance. That's why it's very important to... I'm not against using a resistor; I mean, there is some value to that. You'd have to experiment around, because obviously you want to interrupt the data significantly enough, and a resistor may or may not drop the voltage enough based on the resistor size. But in reference to doing that, again, like he's showing here, go ahead and get the data sheets, figure out what you're grounding out, so literally you don't just smoke something. To randomly go into a device here and go, oh, I think I'll just start grounding stuff out, it's almost a guarantee that you will brick the device permanently. Now, on these glitching attacks, anytime there's two chips used, where U-Boot is on one chip and the kernel and file systems are on another, I've had a hundred percent success every time actually doing that. I've only had a problem on one device, and it was using, I can't remember the chip it was using; it was very much more high speed, so getting it at the right time was difficult. We never
destroyed the chip, but during the attack, even though I was taking the data line down to ground, I ended up actually causing it to screw the U-Boot up. It actually damaged the U-Boot so that the chip would not boot up anymore; it would come up actually giving you an error in the U-Boot. Now, how it altered part of the data in the U-Boot during this process I have no clue; maybe it did fry a register in there or smoke something. But we were able to pull the chip and then successfully pull the entire operating system off and recover it all anyway, so problem solved.

Yeah, yeah. And just to speak on that note too, I've definitely broken enough devices just tinkering, just like that, and not really doing the right diligence of looking at the data sheet, looking at what am I actually messing with. It was more like, if it works in the movies, it works in real life, you know; I'm just going to touch a bunch of stuff and now I'm in. So I definitely have a bunch of devices that are just paperweights scattered around. But yeah, that's funny, dude. Good stuff.

So that is getting into the Luma and being able to boot up another operating system such as OpenWrt. So if those devices aren't readily available to you, like the Philips Hue and the Luma, things like this, or they're the ones that you use in your house and you're not trying to lose internet in your house, totally get that. But if you have a Pi laying around, you can do the same exercise with a Raspberry Pi. There's several articles over the internet that you can find on how to do this, how to set it up, what you can do with it, and it's pretty wide. So this is just an example of a Raspberry Pi that we had connected; one of my colleagues set it up for me for this demo. So then you have U-Boot going on on the right-hand side. It's doing the same kind of song and dance of getting into the flash memory, the kernel, and actually printing the
environment variables so that we can tweak them and adjust them and then tell it what we want it to do. So it's just another example of a Raspberry Pi. Cool.

So that is all, folks. I really appreciate everyone who was able to join this session on a Saturday when we're not in Vegas. I'm assuming we're not in Vegas, but normally I'm hungover at this time of the day and, you know, con funk is in full force; I don't know what time it is, I don't know where I am. That's normally the status of this day for me, so it's a little bit different doing this thing virtual. So I appreciate everyone who's able to join in, all the questions, and really happy to be here. So if you have any other questions, throw them out there, but that's the end of the show.

Yeah, there was one more question I saw come in in the chat, and it said: did you download someone else's build for the Luma or did you do it yourself?

In this particular case, this build, I actually built this a while back while I was doing some testing on the Luma. So I used OpenWrt's program; this is built off an IPQ40 series processor, which is what the processor is on that particular Luma, and it's one of the chipsets that's actually supported within OpenWrt. Now, in this particular case, the success of this wasn't 100%, as Garrett pointed out, in that the rootfs was showing nothing there, or zero location. And the reason why that is, is because, remember, this is a two-chip system, and when you're building an actual firmware package you have to build out a device tree. Now, most of the data available on OpenWrt was very well available dealing with one-chip environments, but the second device, or the device tree for the second chip, has not been built into this yet, which potentially made that an issue. But once you compile it, and compile it with the right, complete device tree, then, when he showed /proc/mtd, which is the
memory technology devices, kind of an abstraction layer between the physical flash hardware and the other part, you can literally from those potentially mount those file systems up, or you can also dd them off by actually calling them directly through /dev/mtd0 through 9 or 10, which is one of the methods. It's really easy once you get some kind of console, which would be the ultimate goal of bringing in a new kernel via TFTP, because you would come in, it would have the device tree, you would see the chips, and even though they're not mounted up, you can easily dd all of those images off: their file system, the root file system, and everything, from a separately booted kernel like this, giving you the ability to do some offline binwalk and extract the data, hopefully find the root. Or inevitably, even when you find the root, you could easily, in this particular case, dd it off, explode it out, and then alter it, rebuild it, repack it back in, and then dd it back over that partition area, and then reboot the device, and then that should actually change the root password. So this particular attack, as he addressed and talked about, will really open up a lot of new avenues to some hardened devices, but it all comes down to: can you get access to that U-Boot console?

And also the presentation, or the demo, I ran, and the person pointed out where I missed "board": that was correct. Since we jumped off and he moved on, I went ahead and fixed that typo, the failed copy, and rebooted, and it came up to the root prompt. So that worked out pretty good. So good shout-out to that person, who was able to visually, quickly capture the idea that I missed that little piece. So, totally cool.

Nice. Yeah, I just wanted to add on that sometimes on the devices, if you can still see my screen, the command prompt on the Luma is actually the name of the chip, the IPQ40. So sometimes you can get even more details from just the device
itself, just telling you, like, hey, this is what I am; hope this helps. But yeah, I just wanted to call that out. I didn't mention it earlier, but IPQ40, like, what the heck is that? It's the name, the type of chipset that's on this thing, the type of processor. So, cool. Well, really appreciate everyone. If that's all the questions, not sure if there's any more, but we're good to go, right on time.

Yeah. Jonathan, do you see anything else on the Twitch we might have missed?

Taking a look here. I do see that in Zoom someone asks, it looks like it identified the attached flash as well. So I guess from the U-Boot output there it identifies the flash. Pulling up Twitch, I think from Twitch we're also good to go. So the last question, I guess, was there on the NAND; the question was, it looks like it identified the type of flash, and that might be kind of equally a statement as it is a question. It did; it identified one of the flash chips. So could you actually, from that booted kernel, potentially get to those current chips?

Yeah, it's highly possible. You may have to do some manipulation; I haven't tried it yet. But typically the easiest way is to build it into the device tree for the kernel that you're building for that processor. That's the most effective way. Once that's built in there, it makes it ten times easier for gaining access and basically altering data or extracting that data off there, versus not necessarily having to figure out how do I access a chip when I don't have a device tree for it; it's going to be very difficult. So, yeah. Sorry, I had someone that was playing Linkin Park at the full capacity of the volume there as they drove by, so I apologize.

Okay, yeah. You have one person out there that says you need to put that cowboy hat on behind you so you look like Billy Ray Cyrus.

Oh, y'all are cracking me up. Oh man, I appreciate y'all. Yeah, we'll see what we got. Here we go, hat's on. We
have to take this off. So there we go, we're locked and loaded now. Pretty great. This is how you find the real vulns.

Nice. I mean, unless the presenters just need to leave, there's no rush to close out quite yet. There's 30 minutes before the next talk comes on, so we still have just a little bit of time; we could probably do another five minutes if the presenters are still available.

Hey, let me go ahead and boot my failure. So let's switch over to that. Let me go ahead and share my screen; let's get that going. Okay, hopefully everyone can see everything fine now. So let's go ahead and power this; watch this thing fail again. I should know when to walk away from a demo failure. So let's go ahead and stop here real quick. Let's go print environment so we can see what I altered. So I altered the standard boot. When I copied it over I missed this word right here, "board=", so it ended up specifying this board. And what's kind of strange is, often when you do boot args, and I've mistyped things before, I'd never had it cause a kernel panic like that before. So it's kind of interesting; I've had it just skip over that functionality or whatever. So that was kind of interesting. So the change I did: this originally said "null". With a little legwork, watching the system normally boot up and looking at some of that stuff, we were able to identify the type of tty and replace the console null out of there. So it's common to see these options also on devices, outside of the U-Boot, where it says press F key to enter into fail-safe mode. Sometimes these will put you into a single-user mode when the vendor's crazy enough to leave them available. Something to think about when you're watching a boot: it's not part of the U-Boot stuff, but it can be very helpful. It will put you in a very locked-down system; there won't be network, there won't be device drivers,
there won't be nothing on there. So, inherently, there you go; in the end you're able to get past that. Like I said, this is kind of a common issue that you can run into a number of times, where they've just basically said turn the console off before you boot the kernel, or turn the console off before the kernel runs, and because of that you don't get a console. If you can gain access to U-Boot, probably eight out of ten times you can change those settings to be able to gain access to a console. Now, whether you'll have full root access after boot is to be found or figured out. But believe it or not, I think over the last so many years I've encountered three or four devices that had it set up to halt the console so you didn't have it, and when I changed the argument so the console was enabled, at least half the time I had a full root console at that point. And these settings here that I mentioned, the press 1 or 2 to select a debug mode, I never had much luck with those; sometimes they do things, sometimes they don't. But the F key, if you ever see that, takes you to fail-safe mode. This will give you root-level access, but it's amazing how complicated it is with root-level access and no ability to move data on or off the device. It's doable, but it becomes very problematic, because often you actually have to build the device nodes, and if they've hardened the device and turned certain programs off and removed them, it becomes more difficult. From the Luma, just out of curiosity, the Luma had this, and I would work to try to get data off of it. The way I originally did it was go into the F mode and actually manually build, not totally manually but very close to manually, reconstruct the device nodes, name it and all the correct pieces and parts, to build a USB, and then from there I was able to move the data off to the USB. Just some stuff to think about.

A small question just came up. Darryl, I
know you had mentioned this yesterday during your building-the-IoT-lab talk: what is the FTDI device you're using for that one? Its name escapes me; someone was asking on Twitch.

Oh gosh, this one I have right here?

Yeah, it was that cool one that could do more than just... it supported SPI and others in addition to UART.

Yeah, that's the one. Let's power this off. Let's see if this has a name on it. I don't know if this even has a name; it's very generic and I do not even have the box for it anymore. I bought this off Amazon; all I did was search for "multi UART connector" or "multi-port UART connector," and this came up. If I remember, the price of this was like 27 dollars. But for the life of me I do not know the name of this generic build device coming out of China, and it works pretty good. So, cool. Sadly, I do not know what its name is or who makes it.

Gotcha. Another question cropped up: is there a URL or GitHub of some type where one could get ROMs to access a processor, or access to a processor, to play around with and do this type of stuff? I think what's being asked is, are there maybe a list of devices that could be purchased in order to do things such as U-Boot exploitation?

I would actually do literally exactly what Garrett said: go on to eBay and look at buying some of the devices on eBay. I think it would be right: you get the Lumas, you can go ahead and get the Hues out there; he actually had a screen where he was showing some that were available. They're not expensive. I'm not sure how this would work, but this is a product that I was playing around with just recently, and it's like 19 or 20 bucks, and basically it has OpenWrt running on it right now. It has zero connections; there's a flash chip, so you can practice pulling the chip off if you want, reading it, or
using SPI chip-reading techniques. You can probably trace out, via some of these headers or connectors, the actual JTAG on this for the chip. It has Ethernet, it has Wi-Fi, it has USB, and literally it's like 20 bucks. So this would be an easy, cheap device to possibly play with, and this one's a Vixby 300 wireless travel router. I would try playing around with that, but I have to admit this was kind of fussy when it came to the actual U-Boot arguments; I had a couple of arguments that didn't work and I couldn't alter, and stuff like that. Here's another device; I think it's the exact same product, they're just white-labeled differently: the GL.iNet Mini Smart Router. It also has all the same functions and features on it. I'm not sure if the Mango is still on the market; you may be able to buy one used. But a lot of these cheap devices are out there, and it gives you a chance to experiment with UART and JTAG and SPI chips and sometimes NAND chips and flash chips, and I mean the list goes on and on and on, and they're often cheap. Like I said, the Luma I like a lot because it has all of those same features, and you can get them for 20 or 30 bucks used. It has the USB, it has the Ethernet, it has UART connectivity, it has NAND flash chips on the device, it has SOIC-8 SPI flash memory chips on the device, so it's a perfect platform for hacking, attacking, experimenting. The pin glitch works on it also, as an example.

Awesome. You know, I was just catching up in the chat: it was a Feit, however you pronounce that, it was a Feit bulb that I had from Costco that I just decided to put and leave in the drawer, because I just didn't feel very secure about it. So