Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
hacking cell phone embedded systems

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The - PowerPoint PPT Presentation

Jul 26, 2023 •224 likes •686 views

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target brendangates The Target Meriac (2010), Churchill Legacy ICLASS Introduced in 2007 Broken in 2010 Master key on every reader Security

  1. Hacking Cell Phone Embedded Systems Keegan Ryan – RECON 2017

  2. The Target

  3. The Target brendangates

  4. The Target Meriac (2010), Churchill

  5. Legacy ICLASS • Introduced in 2007 • Broken in 2010 • Master key on every reader • Security of card reader broken • Protocol reverse engineered • New version of iCLASS released, but many still use Legacy iCLASS • Uses ISO15693 Meriac (2010), Inside Contactless (2004)

  6. Nexus S • Introduced in 2010 • One of earliest to support NFC, including ISO15693 • Android source code available • Cheap

  7. Nexus S • Try Android app first Android • Transceive raw bytes Application • CRC added automatically, but we don’t want a CRC • Not added by libraries libnfc Library • Not added by kernel • Must be added by NFC controller chip Kernel Driver NFC Controller

  8. PN544 • Separate from Nexus S CPU • Powered by host or external field • Supports ISO 15693, Mifare, FeliCa • Supports firmware upgrades • Uses 80C51MX Processor DATA CODE NXP (2010), Wharton (1980)

  9. Investigating the PN544

  10. Firmware Recovery • PHDNLD_CMD_READ • Pull from update file • Code signing • Protected with SHA1 and RSA-1024 • Introduced after first devices shipped • Need a device never updated past Gingerbread Libnfc-nxp

  11. PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  12. Reverse Engineering • There aren’t any. Look for strings. • They don’t exist. Look for CRC constants. • Look for usage of the XOR instruction. No help. • Just start reversing until we find something useful.

  13. PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  14. Reverse Engineering • Reverse commonly called functions • Find switch function • Find command switching • Trace known command IDs through code

  15. Reverse Engineering Libnfc-nxp

  16. Problem: PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  17. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE ??? PATCH_CODE

  18. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  19. Kernel Recovery • We understand and can modify FW_CODE • FW_CODE doesn’t have access to kernel • We can modify PATCH_CODE • Don’t know how to trigger PATCH_CODE • Want to maximize chances of executing our code

  20. Kernel Recovery PATCH_CODE

  21. Kernel Recovery PATCH_CODE

  22. Kernel Recovery

  23. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  24. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  25. Reverse Engineering Kernel Reverse Engineering • Still aren’t any. Look for strings. • Still don’t exist. Look for CRC constants. • Look for usage of the XOR instruction. No help. • CRC creation is done by hardware • Still not impossible, but we need a new approach

  26. Wireless Protocols

  27. SDR Setup Signal Source Antenna Radio Upconverter

  28. SDR Setup <s> 10 01 10 00 01 00 00 00…

  29. Transfer Speed • ISO15693 has two modes: • Slow (1.65 kbps) • Fast (26.48 kbps) • Nexus S uses slow mode • ICLASS only uses fast mode Inside Contactless (2004)

  30. Problem: Transfer Speed • Capability probably exists, but is unused. • Find transmission code • Loads settings from EEPROM/CFG • Only uses one set of values • Swap around values in EEPROM/CFG • Fast mode!

  31. Mifare Libnfc-nxp

  32. Problem: Checksum Generation Find differences here Android Apply difference here FW_CODE Command Handler MIFARE Setup MIFARE Setup ISO15693 Setup (CRC) (No CRC) (CRC) RF Transmit

  33. Patching the Kernel PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  34. Exploitation

  35. Patching Checksum Generation PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  37. Putting It All Together PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  38. Demo

  39. Demo

  40. Future Research What can be done with a hacked NFC controller? • Surreptitiously read a badge • Information storage • Information exfiltration

  41. Future Research • What other embedded systems do we carry everywhere? • Bluetooth • USB controller • Baseband radio • Camera • Fingerprint reader • What could you make these systems do?

  42. The End Keegan Ryan Keegan.Ryan@nccgroup.trust @inf_0_

  43. Bypassing Firmware Signing? if (*flag == 0xa55a) doInsecureDownload(); else doSecureDownload();

  44. Bibliography Brendangates . “Badge reader.” Licensed under a Creative Commons Attribution 2.0 Generic (CC BY-NC-ND 2.0). Accessed 11 June 2017. https://www.flickr.com/photos/brendangates/2384518688. Churchill, Sam. “ nfc.phone .” Licensed under a Creative Commons Attribution 2.0 Generic (CC BY 2.0). Accessed 11 June 2017. https://www.flickr.com/photos/samchurchill/5181496553 Inside Contactless. "Datasheet PicoPass 2KS." Rapport technique (2004). Libnfc-nxp Library. Accessed June 11, 2017. https://android.googlesource.com/platform/external/libnfc-nxp. Meriac, Milosch. "Heart of darkness-exploring the uncharted backwaters of hid iclass (TM) security." In 27th Chaos Communication Congress . 2010. NXP. “NXP NFC controller PN544 for mobile phones and portable equipment." On Line: http://www.nxp.com/documents/leaflet/75016890.pdf (2010). Wharton, John. "An Introduction to the Intel-MCS-51 Single-Chip Microcomputer Family." Intel Corporation (1980).

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.18k views • 10 slides
EMBEDDED EMBEDDED REAL TIME SYSTEMS REAL TIME SYSTEMS EMBEDDED EMBEDDED REAL TIME SYSTEMS

EMBEDDED EMBEDDED REAL TIME SYSTEMS REAL TIME SYSTEMS EMBEDDED EMBEDDED REAL TIME SYSTEMS

EMBEDDED EMBEDDED REAL TIME SYSTEMS REAL TIME SYSTEMS EMBEDDED EMBEDDED REAL TIME SYSTEMS REAL TIME SYSTEMS

1.37k views • 26 slides
Bacteria Without a Cell Wall L-forms Pros &amp; Cons of Cell Wall Cell membrane Cell wall DNA

Bacteria Without a Cell Wall L-forms Pros &amp; Cons of Cell Wall Cell membrane Cell wall DNA

A New Chassis for Synthetic Biology: Bacteria Without a Cell Wall L-forms Pros &amp; Cons of Cell Wall Cell membrane Cell wall DNA Cell membrane ribosomes RNA metabolites Bacterium with Bacterium cell wall without cell wall Previous

680 views • 35 slides
Cell Communication and Cell Signaling Why is cell signaling important? Why is cell signaling

Cell Communication and Cell Signaling Why is cell signaling important? Why is cell signaling

Cell Communication and Cell Signaling Why is cell signaling important? Why is cell signaling important? Allows cells to communicate and coordinate functions/activities of the organism Usually involves the cell membrane Cell

412 views • 36 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits &amp; Demos Q&amp;A Why? Wrights Law

500 views • 27 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation &amp; privilege escalation 4. Maintaining access &amp; covering tracks

961 views • 62 slides
Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS

Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS

Embedded PC The modular Industrial PC for mid-range control Embedded PC 1 Embedded OS Operating Systems Major differences Details XPE / CE Embedded PC 2 The Windows Embedded OS family The modular, real The modular, real- -time

616 views • 22 slides
Does God play dice with the cell? Does God play dice with the cell? Does God play dice with the

Does God play dice with the cell? Does God play dice with the cell? Does God play dice with the

Does God play dice with the cell? Does God play dice with the cell? Does God play dice with the cell? Does God play dice with the cell? Does God play dice with the cell? Does God play dice with the cell? Does God play dice with the cell? Does

353 views • 33 slides
Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged OS kernel Windows Embedded 8.1 Windows Embedded 8 Converged app model Windows 10 Windows Embedded 8.1 Windows Embedded 8 Handheld Handheld

794 views • 29 slides
HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems Design, F. Vahid and T. Givargis) Embedded computing systems definition: Computing systems embedded within electronic devices. Hard to define

403 views • 26 slides
Embedded Embedded Architecture Architecture Systems Systems Jakob Engblom, PhD Jakob

Embedded Embedded Architecture Architecture Systems Systems Jakob Engblom, PhD Jakob

Embedded Systems Systems Embedded Computer Computer Embedded Embedded Architecture Architecture Systems Systems Jakob Engblom, PhD Jakob Engblom, PhD Uppsala Unive University rsity &amp; Virtutech Inc. &amp; Virtutech Inc. Uppsala

601 views • 21 slides
Embedded PC The modular Industrial PC for mid-range control Stefan Hoppe 14.09.2007 1 Embedded

Embedded PC The modular Industrial PC for mid-range control Stefan Hoppe 14.09.2007 1 Embedded

Embedded PC The modular Industrial PC for mid-range control Stefan Hoppe 14.09.2007 1 Embedded Software - TwinCAT on embedded Systems - HMI solutions on embedded systems Software TwinCAT TwinCAT System TwinCAT in embedded Systemen

291 views • 26 slides
Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July, 2010 Sunday, July 25, 2010 Brief Introduction 8, 16-bit Embedded Systems No operating system, no symbol table, etc. Very different

905 views • 74 slides
Phone System Integration with Synergy Enterprise Phone Integration This Phone Integration

Phone System Integration with Synergy Enterprise Phone Integration This Phone Integration

Phone System Integration with Synergy Enterprise Phone Integration This Phone Integration allows a VOIP phone system to link with Synergy. The phone system may be either an on-premises or a hosted service. Incoming Calls pull up the

408 views • 28 slides
Ce ll Phone s in Sc hools Ce ll Phone s in Sc hools Ra nde e J. Wa ld ma n E mo ry L a w Sc

Ce ll Phone s in Sc hools Ce ll Phone s in Sc hools Ra nde e J. Wa ld ma n E mo ry L a w Sc

4/26/2019 Ce ll Phone s in Sc hools Ce ll Phone s in Sc hools Ra nde e J. Wa ld ma n E mo ry L a w Sc ho o l rwa ldm2@ e mo ry.e du April 2019 April 2019 CE CE L L L L PHONE PHONE S &amp; SMART S &amp; SMART PHONE PHONE S: S:

420 views • 18 slides
Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by

Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by

Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by a cell phone? 4. How are people exposed to the energy from cellular phone towers? 5. Do cellular phone towers cause cancer? 6. what CAN we do? 7.

575 views • 14 slides
17-11-14 Todays Goals/Invitations Collaboration - Explore/play with the

17-11-14 Todays Goals/Invitations Collaboration - Explore/play with the

17-11-14 Todays Goals/Invitations Collaboration - Explore/play with the kits in partners or in small groups! Hands-On Literacy Kits Idea Generation - Share an idea/kit you've seen from other sources (i.e.

441 views • 7 slides
AMERICAS ANDROID ALPHABET SOUP Darryn Campbell Senior Software Architect Developer Session

AMERICAS ANDROID ALPHABET SOUP Darryn Campbell Senior Software Architect Developer Session

AMERICAS ANDROID ALPHABET SOUP Darryn Campbell Senior Software Architect Developer Session Agenda Android Alphabet Soup How the enterprise got here Where were going Android Marshmallow &amp; demos Android Nougat

339 views • 29 slides
PromCon closing talk Sleep is optional and for the weak Richard Hartmann, RichiH@ {

PromCon closing talk Sleep is optional and for the weak Richard Hartmann, RichiH@ {

Intro Behind the scenes Thank you Goodbye PromCon closing talk Sleep is optional and for the weak Richard Hartmann, RichiH@ { freenode,OFTC,IRCnet } , richih@ { fosdem,debian,richih } .org, @TwitchiH 2018-08-10 Richard Hartmann, RichiH@ {

430 views • 16 slides
Introduc)on*to*Android* Mobile*and*Ubiquitous*Compu)ng* MEIC/MERC*2015/16* * Nuno*Santos*

Introduc)on*to*Android* Mobile*and*Ubiquitous*Compu)ng* MEIC/MERC*2015/16* * Nuno*Santos*

Introduc)on*to*Android* Mobile*and*Ubiquitous*Compu)ng* MEIC/MERC*2015/16* * Nuno*Santos* 1.#SOME#CONTEXT# Mobile*and*Ubiquitous*Compu)ng*2015/16* What*Is*Android?* Android*delivers*a*complete*set*of*soIware*for*

599 views • 24 slides
Imperfect competition and intra- industry trade Giovanni Marin Department of Economics, Society,

Imperfect competition and intra- industry trade Giovanni Marin Department of Economics, Society,

Imperfect competition and intra- industry trade Giovanni Marin Department of Economics, Society, Politics Universit degli Studi di Urbino Carlo Bo References for this lecture BBGV Chapter 4, paragraphs 4.1, 4.2, 4.3, 4.4, 4.5,

539 views • 52 slides
Lab 1 Introduction to Android &amp; Hello World Example KUAN-TING LAI 2018/9/10 Android

Lab 1 Introduction to Android &amp; Hello World Example KUAN-TING LAI 2018/9/10 Android

Lab 1 Introduction to Android &amp; Hello World Example KUAN-TING LAI 2018/9/10 Android History Code Version Linux kernel Initial release API version [1] name number date level (No codename) [2] 1.0 ? September 23, 2008 1 Petit

1.4k views • 40 slides
AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 Wednesday, August 28, 13 WISH TREES AVT 691 Erin

AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 Wednesday, August 28, 13 WISH TREES AVT 691 Erin

AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 Wednesday, August 28, 13 WISH TREES AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 Wednesday, August 28, 13 AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 IMAGINED PETS Wednesday, August 28, 13 AVT

274 views • 14 slides
im watch the first Android Smartwatch Nicola La Gloria, Ph.D. Field Application Engineer

im watch the first Android Smartwatch Nicola La Gloria, Ph.D. Field Application Engineer

Software &amp; Systems Design im watch the first Android Smartwatch Nicola La Gloria, Ph.D. Field Application Engineer Agenda Introduction Hardware Design OS firmware design Enterprise (quick introduction) Q&amp;A

465 views • 30 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.