Exetools

Exetools (https://forum.exetools.com/index.php)
-   Electric Section (https://forum.exetools.com/forumdisplay.php?f=53)
-   -   Reversing embedded systems (https://forum.exetools.com/showthread.php?t=20739)

rcer 11-08-2023 02:45

Reversing embedded systems
 
Hi, this is a little bit off topic/forum, but I didn't know exactly where to post this.

Does anybody know any good reversing forums specialized in hacking/reverse engineering embedded systems?

Reason for asking is that I have a controller board, containing an ATmega1280 MCU, which is bricked. I would like to extract the firmware from the MCU flash, but the LB1 or LB2 lock-bits are set, which prevents programming/reading/verifying flash & EEPROM contents.
Apparently the only way to reset the lock-bits is to completely erase the chip, which of course is not a viable option for me. Would be interesting to see if somebody managed to reset the 2 bits without erasing the flash & EEPROM.

blue_devil 11-08-2023 14:52

I cannot help you on this specific situation; unfortunately!

What about the famous "chip-off" way? Is it possible for you?

rcer 11-08-2023 18:46

Quote:

Originally Posted by blue_devil (Post 129092)
I cannot help you on this specific situation; unfortunately!

What about the famous "chip-off" way? Is it possible for you?

Unfortunately that is not possible, because I don't own the million dollar equipment required to perform this type of operation.

blue_devil 11-08-2023 19:00

Quote:

Originally Posted by rcer (Post 129099)
Unfortunately that is not possible, because I don't own the million dollar equipment required to perform this type of operation.

I feel you bro :( Don't you have any debug or JTAG pins to move on?

rcer 11-08-2023 20:35

Yes, the board has a 6-pin SPI header & 10-pin JTAG header, and I can read the chip with SPI, but JTAG access, debugging, and verifying memory contents have been disabled, and the LB1 and LB2 lock-bits have been set, so it's not possible anymore to change any fuse settings, unless you completely erase the chip first. Reading the flash & EEPROM contents with the current settings returns garbage (i.e. FFFF FFFF) for the complete memory contents.
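Added example (my own code, not from anyone in this thread): a small helper that decodes the ATmega1280 lock byte into the lock-bit modes from the ATmega640/1280/2560 datasheet (a programmed bit reads as 0; mode 3 is the one that blocks verification/read-back), and an Intel HEX parser that checksums a dump such as avrdude writes and reports whether it is the all-0xFF read-back described above rather than real firmware. The two HEX dumps at the bottom are constructed for the demo; the reset-vector check (JMP or RJMP at address 0) is a plausibility heuristic, not proof that an image is intact.

```python
"""Decode an AVR lock byte and sanity-check an Intel HEX flash dump.
Lock-bit layout and modes follow the ATmega640/1280/2560 datasheet:
bit0 LB1, bit1 LB2, bit2 BLB01, bit3 BLB02, bit4 BLB11, bit5 BLB12,
bits 6-7 unused (read as 1). A programmed bit reads as 0."""

# (LB2, LB1) -> memory lock mode
LB_MODES = {
    (1, 1): "1: no memory lock features enabled",
    (1, 0): "2: further programming of Flash/EEPROM disabled (read/verify still allowed)",
    (0, 0): "3: programming and verification disabled; fuses and lock bits locked",
}


def decode_lock_byte(lock: int) -> dict:
    """Return the LB mode and boot-lock fields for a raw lock byte (0..255)."""
    lb1 = lock & 1
    lb2 = (lock >> 1) & 1
    mode = LB_MODES.get((lb2, lb1), "reserved combination (LB2=0, LB1=1)")
    return {
        "lock_byte": lock,
        "LB1": lb1,
        "LB2": lb2,
        "lb_mode": mode,
        # Only mode 3 (LB2 programmed) stops the programmer from reading back.
        "can_read_back": lb2 == 1,
        "BLB0": (lock >> 2) & 3,  # application-section boot lock bits
        "BLB1": (lock >> 4) & 3,  # boot-section boot lock bits
    }


def parse_ihex(text: str) -> bytearray:
    """Parse Intel HEX records (types 00/01/02/04) into a flat image.
    Each record checksum is verified; unwritten gaps are filled with 0xFF
    like blank flash. Raises ValueError on a corrupt record."""
    image = {}
    base = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError("bad record: %r" % line)
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF != 0:  # two's-complement checksum over all bytes
            raise ValueError("checksum mismatch: %r" % line)
        length, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + length]
        if len(data) != length:
            raise ValueError("length mismatch: %r" % line)
        if rtype == 0:
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 1:
            break
        elif rtype == 2:  # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 4:  # extended linear address
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError("unsupported record type %d" % rtype)
    if not image:
        return bytearray()
    out = bytearray(b"\xff" * (max(image) + 1))
    for a, b in image.items():
        out[a] = b
    return out


def assess_dump(image: bytes) -> dict:
    """Say whether a dump looks like AVR code or the 0xFF read-back of a locked part."""
    n = len(image)
    if n == 0:
        return {"size": 0, "ff_fraction": 1.0, "reset_vector_ok": False, "verdict": "empty dump"}
    ff_fraction = image.count(0xFF) / n
    word0 = int.from_bytes(image[0:2], "little")
    # Reset vector at 0x0000 is JMP (1001 010k kkkk 110k) on the 1280 or RJMP (1100 kkkk kkkk kkkk).
    reset_ok = (word0 & 0xFE0E) == 0x940C or (word0 & 0xF000) == 0xC000
    if ff_fraction == 1.0:
        verdict = "all 0xFF: blank device or read-back blocked by lock bits (LB mode 3)"
    elif reset_ok:
        verdict = "plausible AVR image"
    else:
        verdict = "data present but no AVR reset vector at 0x0000"
    return {"size": n, "ff_fraction": ff_fraction, "reset_vector_ok": reset_ok, "verdict": verdict}


# Constructed samples (not real dumps): a vector-table fragment and a locked read-back.
SAMPLE_FIRMWARE_HEX = ":100000000C9472000C949A000C949A000C949A0030\n:00000001FF\n"
SAMPLE_LOCKED_READBACK_HEX = ":10000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00\n:00000001FF\n"

if __name__ == "__main__":
    for lock in (0xFF, 0xFE, 0xFC):
        print(decode_lock_byte(lock))
    for name, hexdump in (("firmware", SAMPLE_FIRMWARE_HEX), ("locked", SAMPLE_LOCKED_READBACK_HEX)):
        print(name, assess_dump(parse_ihex(hexdump))["verdict"])
```

Run it against the `-U flash:r:dump.hex:i` output from avrdude (or read the lock byte with `-U lock:r:-:h`) to tell a genuinely locked part from a bad connection before concluding the firmware is unreachable; a checksum error from `parse_ihex` points at a transfer problem, an all-0xFF image with LB2 = 0 points at mode 3.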

Dr.FarFar 11-08-2023 22:51

Introduction to Embedded Systems Security and Reverse Engineering (Chinese)
Quote:

hxxps://zhuanlan.zhihu.com/p/49831082

rcer 11-08-2023 22:53

O.K. I will check this out

Trit0n 11-09-2023 04:26

This is generally a very, very interesting topic!
But the page hxxps://zhuanlan.zhihu.com/p/49831082 is a bit too "Chinese" for me (purely linguistically).
Can someone translate it into English?
(I have problems with the translation and probably not only me)
Would be worth a new entry in the "General" category of Exetools ?
Example: "Reversing embedded systems" (Little hint for the admins)
Would surely enrich the forum ?
(Maybe we could vote on it, if the topic would be desired)

rcer 11-09-2023 22:51

Quote:

Originally Posted by Trit0n (Post 129108)
This is generally a very, very interesting topic!
But the page hxxps://zhuanlan.zhihu.com/p/49831082 is a bit too "Chinese" for me (purely linguistically).
Can someone translate it into English?
(I have problems with the translation and probably not only me)
Would be worth a new entry in the "General" category of Exetools ?
Example: "Reversing embedded systems" (Little hint for the admins)
Would surely enrich the forum ?
(Maybe we could vote on it, if the topic would be desired)

I have the same problem with translation, also without registering it seems that you cannot query anything.

I know that exetools is the lead forum for software hacking/reversing, and in general not geared towards hardware hacking/reversing, but it would be nice if this could be added/implemented, because there are a lot of very knowledgeable members on this forum who could assist/help less skilled members.

ahmadmansoor 11-10-2023 19:02

Quote:

Originally Posted by Trit0n (Post 129108)
This is generally a very, very interesting topic!
But the page hxxps://zhuanlan.zhihu.com/p/49831082 is a bit too "Chinese" for me (purely linguistically).
Can someone translate it into English?
(I have problems with the translation and probably not only me)
Would be worth a new entry in the "General" category of Exetools ?
Example: "Reversing embedded systems" (Little hint for the admins)
Would surely enrich the forum ?
(Maybe we could vote on it, if the topic would be desired)

To be honest, I am thinking about this too, but we need to know how many people are interested in this topic so we can open it.

chants 11-10-2023 19:42

Interesting article on a real world example:

Quote:

https://www.wired.com/story/unciphered-ironkey-password-cracking-bitcoin/
Quote:

To fully reverse engineer the device, Unciphered scanned an IronKey with a CT scanner, then began the elaborate surgery necessary to deconstruct it. Using a precise laser cutting tool, they carved out the Atmel chip that serves as the USB stick's “secure enclave” holding its cryptographic secrets. They bathed that chip in nitric acid to “decap” it, removing the layers of epoxy designed to prevent tampering. They then began to polish down the chip, layer by layer, with an abrasive silica solution and a tiny spinning felt pad, removing a fraction of a micron of material from its surface at a time, taking photos of each layer with either optical microscopes or scanning electron microscopes, and repeating the process until they could build a full 3D model of the processor.

Because the chip's read-only memory, or ROM, is built into the layout of its physical wiring for better efficiency, Unciphered's visual model gave it a head start toward deciphering much of the logic of the IronKey's cryptographic algorithm. But the team went much further, attaching tenth-of-a-millimeter gauge wires to the secure element’s connections to “wiretap” the communications going into and out of it. They even tracked down engineers who had worked on the Atmel chip and another microcontroller in the IronKey that dated back to the 1990s to quiz them for details about the hardware. ...

That cracking process culminated in July, when Unciphered's team gathered at an Airbnb in San Francisco. They describe standing around a table covered with millions of dollars’ worth of lab equipment when a member of the team read out the contents of a decrypted IronKey for the first time.

dion 11-10-2023 20:21

I guess maybe the most recent tech I know is decap. There is also glitch-based exploitation, but that is very rare information.

tonyweb 11-11-2023 20:33

1 Attachment(s)
Quote:

Originally Posted by Trit0n (Post 129108)
But the page hxxps://zhuanlan.zhihu.com/p/49831082 is a bit too "Chinese" for me (purely linguistically).
Can someone translate it into English?

Attached you can find an english-translated version (google).
Hope this helps.

P.S. Apologies if you weren't meaning you need a translated page.

bolo2002 11-12-2023 00:38

1 Attachment(s)
Quote:

Originally Posted by tonyweb (Post 129169)
Attached you can find an english-translated version (google).
Hope this helps.

P.S. Apologies if you weren't meaning you need a translated page.

PDF converted, in case...

Antonio 11-12-2023 01:05

1 Attachment(s)
I do not have download permissions, so I cannot know what was already posted as the translated version. Maybe my version is worse than the posted one.
But this is my humble contribution of the PDF translated version to the forum.
Hope this helps someone.

Dr.FarFar 11-13-2023 05:32

Reversing Embedded Device BootLoader (IoT Hacking)
 
Reversing embedded device bootloader (U-Boot) (Part 1)
Quote:

hxxps://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.1/
Reversing embedded device bootloader (U-Boot) (Part 2)
Quote:

hxxps://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.2/
IoT Hacking (Qiling + Shielder)
Quote:

hxxps://www.youtube.com/watch?v=14NQJkvR_gU/

rcer 11-14-2023 00:13

Quote:

Originally Posted by chants (Post 129150)
Interesting article on a real world example:

That is a really interesting and amazing story.
Poor Thomas must have nightmares about his locked-away fortune.

binarylaw 11-14-2023 14:13

Quote:

Originally Posted by ahmadmansoor (Post 129149)
To be honest, I am thinking about this too, but we need to know how many people are interested in this topic so we can open it.

I would love this, as well.

Quote:

Originally Posted by rcer (Post 129219)
That is a really interesting and amazing story.
Poor Thomas must have nightmares about his locked-away fortune.

What's odd is how he ignores the very ones who have cracked it. I suspect the motivation may be financial: if they can do it, surely others out there can do it too ...and at a cheaper cost.

RAMPage 12-18-2023 22:10

Maybe this book can help:

IoT Penetration Testing Cookbook
By: Aaron Guzman, Aditya Gupta

Quote:

hxxps://subscription.packtpub.com/book/security/9781787280571/3/ch03lvl1sec30/emulating-firmware-for-dynamic-analysis
Quote:

hxxps://libgen.is/book/index.php?md5=96F8AB63EDF966F8979D84FF88E54BEF
