
I Boot when U-Boot

BSides Amsterdam · 2017 · 31:46 · 143 views · Published 2017-09

Category: Technical
Team: Red
Style: Talk

About this talk
Personal computer systems are now considerably more secure than embedded devices. Trusted Platform Module (TPM) and secure boot are readily available and even default in a lot of new desktop computers and laptops. Numerous small office and consumer devices, including routers and smart televisions, however, are lacking even the most basic security features. In this talk we will demonstrate and describe the inner workings of a custom developed (Fully Weaponised IoT Cyber™) bootkit, which gains persistence on U-Boot based embedded devices, at a lower level than even the firmware. Firmware updates and factory resets usually do not interfere with the bootloader, as a small problem could render the device unusable for an end-user: the bootkit will therefore remain present. By including a properly functioning killswitch and a multi-boot like technique, it is possible to switch between a regular and a backdoored image to thwart detection. Enterprises and ISPs must take this additional attack surface into account, and put effort into detecting and responding to this threat. Well-known security researchers have long advocated for easier ways to verify and demonstrate the integrity of hardware, but this comes at a price that vendors are not willing to pay for security. Recently however, regulatory bodies have started to enforce vendors to lock down their wireless devices, in order to prevent them from operating outside of their certified frequencies. But these 'vendor lock-downs' are not sufficient to increase the device security; as we will demonstrate, it's just a minor inconvenience.

Bernardo Maia Rodrigues (Brazil): Bernardo works as an Ethical Hacker for KPNs (Royal Dutch Telecom) REDteam. He enjoys hacking (and bricking) embedded devices including routers, modems and TVs. He presented on security topics at the NullByte Conference, the null Amsterdam chapter and local venues. He frequently participates in CTFs with TheGoonies and is famous for not using buzzwords like IoT, APT and Cyber in his bio.

Vincent Ruijter (Netherlands): Pacifistic Internetveapon @ KPNs (Royal Dutch Telco) REDteam, who thinks he knows Linux. Moderator @ null Amsterdam chapter, with an endless curiosity for all things binary. Knows how to quit Vi ^[ESC!wqwq:wq!

Transcript [en]

Hello everyone. So Bernardo and I, we will be talking about hacking bootloaders and creating a bootkit, and our talk is called "I Boot when U-Boot". So yeah, yeah, you get the pun. So we first of all begin with the introduction: what we do, who we are. Then we're gonna talk about malware that already exists that runs on embedded devices, we're gonna see how an embedded device boots, then we're gonna have a look at gaining persistence on embedded devices, then we're going to talk about writing a bootkit, and then how you can detect the bootkit and the mitigations involved here. So my name is Vincent, I work at the KPN Red Team, I'm a

moderator for null Amsterdam, so you know, if you want to talk someday just let us know. I think beeping is around here as well, it's right there. You can, you know, ping us, send some slides, you can do a talk. I like Linux, I like low-level stuff, and since we're giving a talk about bootkits I might not go to the US anytime soon. And yeah, I live in Amsterdam. So my name is Bernardo, I'm Brazilian, I'm also working at the KPN Red Team. I play CTF with TheGoonies, it's a Brazilian CTF team, and I'm very good at breaking routers. So let's start. So, malware targeting embedded devices. Spoiler alert:

this is not something new. So there are like lots of malware already targeting embedded devices. So the CIA Cherry Blossom, on the leaked documents from WikiLeaks, they all describe how they are creating backdoored firmwares that we can like flash on home routers. But there's also known botnets like Mirai, so targeting embedded devices using weak passwords, but also, you know, Flasher.A, which was basically a DD-WRT modified firmware. So there are like lots of kinds of malware targeting embedded devices. Some of them don't care about persistence, for example Mirai: Mirai is just like infecting a device and just starts scanning the internet. And some, some like more like the CIA, they want

from CIA, is like the Flasher.A, they have like some kind of, but they don't care about the bootloader, they're just like flashing a new firmware. So yeah, the boot process on an embedded device is like slightly different than your everyday x86 device. So the NAND or the NOR, in this case NOR flash, it's hard-coded inside the CPU boot code, so the moment you turn on the CPU it boots to the flash, and on the flash it like goes through the bootloader. The bootloader initializes the hardware and then it like jumps to the firmware, that's gonna decompress the LZMA, because the kernel is usually compressed because it saves space. So it like un-LZMAs the kernel

into RAM and then it, you know, jumps to the first instruction of the kernel, and then from there on the kernel mounts a file system and then kicks off init, and there you go, your embedded device is booted. You can see the typical boot process over there: bootloader, firmware, un-LZMA into RAM, and then you're basically done. So persistence: why having persistence at a bootloader level, why is it interesting? It's because when you have like a firmware upgrade, you know, you go to the D-Link website, you download the firmware; when you flash your firmware it's not changing the bootloader partition, it's just changing like the

firmware and all the other partitions, but it doesn't care about bootloaders, because reflashing bootloaders is a sensitive operation: if you do something wrong you will brick your device and you need like to open and manually reflash the SPI chip. We had to do this a lot. Yes, even when we were preparing our demos, like yesterday I bricked the device. And it's also very interesting because you bypass lots of security features from the operating system, so all those UEFI bootkits on Windows and all those sort of thing, and it's very difficult for you to detect. But so, just like NSA, I'm also really good at like breaking routers. So there's this document from, on the

Snowden documents, so Snowden basically said that NSA tried to like reflash a firmware from like a Syrian router and it kind of broke the internet for the whole country for a couple of like hours. So it's a very sensitive operation, it's very easy for you to mess up, and it's not like, if you create like a bootkit for one device it doesn't mean it's gonna work for other devices, other similar devices. So it's very like particular to SoCs, it's very pretty it's quite something like that, you need to work a lot. And yeah, so yeah, persistence can be gained in like various ways. One of them is by

modifying the init or the initrd scripts. You can also make a loadable kernel module that loads like after the kernel loads the file system modules. You can modify UEFI or BIOS code, you can also modify the code in the MBR and the VBR. And also again, spoiler alert: bootkits, they are not new. So nowadays there are like ransomwares like targeting the MBR, so they're just putting like something, it's a message there, and they will only unlock after you pay stuff. But so, two interesting bootkits: here is like the Oldboot Android bootkit. So some people said that it was either like compromising devices physically or something like a firmware update, they

don't know exactly, but it's a bootkit targeting Android devices, so if you just like reflash your firmware it's also like not changing the bootloader partition, so it's something like very difficult for you to fix. And also the Hacking Team, they had like a commercial UEFI bootkit, but they're more like an implant. So some motherboards, like some notebooks, they wouldn't protect the UEFI area, so sometimes you could exploit that to rewrite that, but most of the time it's by opening the device physically and reflashing the SPI, the BIOS or the UEFI. So there's like no more and they just like infect your computer the normal way, just like

phishing, drive-by downloads, and they use a bootkit for maintaining persistence. So the bootkit we created, it's based on U-Boot, which is like a bootloader for embedded devices. It works for lots of ARM devices, also MIPS devices, it's open source, we will explain in a bit. But in order for us to change the device we don't need the physical access, we just need root access on the device, and we're going to explain how it works. So Linux devices, they treat the flash partition as a Memory Technology Device, MTD, and it's not exactly like char, blocks or, you know, block file systems that you're used to on Linux, they're just like a raw flash memory and

there's not like a partition, is not stored on the like, each partition, before starting each partition there is not like, nothing like a partition table. So the kernel, it's listed on the kernel where the partition begins and where the partition ends. So in this case you can see like the U-Boot partition, also like the actual firmware, like an ART partition. And the bad thing for us when we like started testing this, it's like the bootloader partition is always mounted as read-only, like not always but most of the time. So if we get a root shell on the device we need to dd our bootkit into the device, but that

partition is read-only, so how can we fix that? There's like this kernel module called mtd-rw, which is basically a Linux kernel module, so I can just install, load that Linux kernel module and that would change the partition flags from read-only to read and write. So this is good for us, because now from a root shell we can change that partition to something else. So this is like the code of the Linux kernel module, but it's just simply changing the flags, and this is really good because now we don't need a shell, we don't need physical access, we just need the shell and we can just like

dd. And one thing that's important to mention: like if I have two similar devices, the bootloader, the U-Boot partition is not going to be exactly the same, because there are like variable areas, like serial, like MAC address, they're kind of different. So what we can do is, we can just dd but like the offsets related to the U-Boot bootloader, and we can just ignore this zero like and just copy and that and just, you know, like skip it. So yeah, U-Boot is an open source bootloader, so you could just like download it from the internet. It's GPL source code, so GPL v2 license, which means that any vendor using U-Boot

has to provide you with the source code, so writing a bootkit like this becomes a lot easier than, you know, writing your custom bootkit. And we use in this case u-boot_mod, it's an open source project from pepe2k, which is an awesome program. So why U-Boot? There is this website called WikiDevi, it describes lots of information about routers and embedded devices, cameras and other stuff, so U-Boot is the most used bootloader on the website. So the second most used is CFE, which stands for Common Firmware Environment, it's proprietary, it's from Broadcom, so it's also like open source but it's not as easy to modify as

U-Boot and it's not used as much as U-Boot, so that's why we chose it. So because we were planning on breaking the device like a lot, we had to make some preparations. We have a great guy in our team, his name's Frank, and he can solder everything, like literally everything. So we desoldered the SPI flash where the firmware and the bootloader is on, and he connected like the small pins that are connected to the SPI, he hooked them up to some wires, and then we use our, yeah, the tool we use for flashing SPI chips, we just hooked it up directly. So when we wanted to boot the firmware we just put it in the thing, and the moment we bricked

it we just put that thing in our hardware flasher and restored it back to how it was. It saved us a lot of time. So U-Boot has some interesting functions. One is printenv, print environment variables. It has tftpboot, which allows you to boot images from TFTP. It has a stop string, which can be used to protect the bootloader menu from people who don't know the stop string. It's not a password, it's a stop string. And there's also a bootcmd, and bootcmd is the command the bootloader will execute once the device has booted. And ping is like ICMP ping, so you can see if hosts are alive and do some things when that works.

So you can also have scripts, and the scripts look a lot like the bash scripting language. Here's like doogal example: we will ping a hard-coded server IP which is in the environment variables, and then if it's alive we do a tftpboot to load address of a backdoor image, and yeah, once it's done we will, yeah, boot it, and otherwise we will boot a hard-coded address that is from the normal firmware. So the printenv function prints environment variables, and the environment variables are all stored in a null byte separated list, so it's like two loops going over the null byte and reading environment variables. And the function that prints the environment variables is inside, yeah, the env edit puts you command, and

we made some changes to it. We basically made two functions, like one function is called get match and the other one finds the variables. So we made a list, also of null separated environment variables that we want to backdoor, and the moment you want to print an environment variable it like iterates through our list and if it sees, like, yeah, I'm not gonna print bootcmd, it's gonna print our own custom bootargs or our own custom bootcmd. Another interesting function is the bootcmd function. Like, the first command executed by the bootloader is bootcmd, so once everything is initialized it will just execute bootcmd and boot a specific

memory address, and we overwrote that in source. As you can see here, it's usually an environment variable, but we decided to like, yeah, skip that part, it's hard-coded in the source, so it'll always use this as a bootcmd. Now we have a demo where we are booting

like my first, oh yeah. So now it's like not alive, because this is our TFTP server, it's not on yet, so you can't reach our hard-coded server IP, so the ping failed and it's now currently booting the normal program. It's interesting because this function we created, like, we ping our server; if our server is not alive we just boot the regular firmware, so it's like a kill switch. So if our server is alive we can do stuff. So this is like, he's checking the version of the kernel, which is like the regular one, and now enable the server. The moment we can ping the server it means that the bootloader can ping the server and it will start

downloading our customized kernel from our server. You can do this in theory over the Internet, we haven't tried that yet, but it should be possible. It's the G line it is a very small margin it's on his backpack so we can show you. Yeah, so now we boot our custom kernel and it's a newer version. We're currently building a custom kernel but it is a little bit more tricky, so we're actually downloading, we're using TFTP to get a modified kernel, but like the actual file system is the same, because we can just say like, yeah, the kernel is this one, a different one, but like you do everything else just

like you do like regularly. The custom kernel, and the custom kernel can make changes to the filesystem which is later mounted by the regular one. So yeah, we can put like Linux kernel modules, put a cpio and like you just like extract and load that before mounting everything. So yeah, it's a different kernel so we can do everything we want. Exactly, exactly. Yeah, by having control of the kernel we can load the existing file system and make changes to the normal file system, so we can be persistent, yeah, on a new next level. So yeah, U-Boot has a password protection. When you go Google a U-Boot password the first thing that will come

up is the stop string we're using here. It is not a password protection and it should not be used as a password protection, because you can just download the firmware, run strings on it and you'll see the password. So never use it as a password. Lots of vendors use it as a password, and you can also really easily bypass it by glitching, which we are going to show you right now, if I can get my mouse. Yeah, so what we do now, we're pressing R, we're gonna wipe the device first. So what we did is we created the stop string but we've made some changes to the code, that way if you

press an incorrect key or you try an incorrect password, it will wipe the device so you cannot use the device. So if you have like an incident response team that wants to take a look at our malware, yeah, we don't want that.

Now we're gonna wipe the device. So first we're booting it in a regular way and then we will reboot it and press an invalid key.

It's also important to mention that, like, you only see all this information if you're connected to a serial, if you're using like a serial connector, USB. So now we're rebooting, trying to press the key, and says now and so and we can just like dd, we can just like put zeros and we can do everything. So U-Boot has a native erase command we can use, but we can also write zeros, is like write memory to the actual partition, and we can even write to the variables that are, you know, the clock speed, so we could even overclock the device and fry the device so you can never use it. It's really great. So we hide

from strings, because I play some CTFs where I just run strings and you see the secret token. So we use a little trick, and the trick is to make a byte array and then we use string copy to copy the byte array into the string, and then when you run strings on it you won't see anything. And when you put it in ER, this is like an x86, is an example of what's going to happen: it's going to move the individual bytes into a string and then compares the string, so you need to look a bit harder into the source code. But you can easily bypass this, so we had some wires that are connected to the

data out pin, and so we load the bootloader into memory and then the moment you want to load the kernel you just short the data out pin and then it will fall back to the bootloader, so you have access to the bootloader. That's what we're gonna do right now. Thank, well, and there you go, bypass special protection, it's really easy.

So what can you as a defender do to like detect bootkits or to do stuff? So U-Boot has this thing called reproducible builds, which means that I can compile U-Boot and I can hard-code a timestamp, and if like I compile today and someone compiles tomorrow, or if someone compiles using a different system, it's all like the data partition, the code partition is always going to have the same hash. So there's like this SOURCE_DATE_EPOCH variable, so you can already do that. So for example Debian is using reproducible builds for the audio package there dpkg, so you can actually check if the source code and everything is actually the one you

download, so it's something really useful. So Debian was back good by the CIA ones and they were entirely compromised in this story too. So there is also this project from Intel, I think, called CHIPSEC, which is basically a framework which you can use to parse, read the content from like BIOS, UEFI. It's not very focused on like U-Boot and all that stuff, but yeah, we can always like write patches or, you know, submit pull requests and do stuff. And there's also this really interesting project called known UEFI executables, so it's also from Intel, which is just like a GitHub repository with known UEFI images with and

so you can just like, hashes from all different vendors, so it's just like a big repository, so you can just query and look up to make sure you're running an actual like valid or known firmware, or if someone tampered or modified it. And this is like the output from CHIPSEC, so you can for example run it on a MacBook and check if someone tampered with the BIOS or if someone like disabled the write, read/write flag, you know, so it's not read-only anymore. So you can do lots of stuff. So basically CHIPSEC, it strips away the variables that are custom to your device and just looks at the code that devices have in

common, so when you place a backdoor, one of the common code segments will be different and CHIPSEC could detect that. So there's this presentation from the Google security team. So very few companies nowadays, they're good enough to find, you know, hardware implants or modifications inside their firmware. So Google, I think it was during Ruxcon in Australia, so they explained how they're dealing with that, and like they have this tool called Google Rapid Response and they were explaining how they're integrating CHIPSEC to their like incident response and like the agents. And also like, why is it so difficult? So it's just like we explained

it on the U-Boot case: you have a code area and you have like a variable area. If I'm just comparing hashes it's not gonna match, so I need to be able to parse that, unpack, and like for every different vendor or things like that. So trusted computing is something like very important. So there's like this tweet, so, and you know, it's basically saying like, if UEFI Secure Boot suddenly started booting unsigned images, how many companies, how many people would just like, could find that? It's something very difficult. So inspectable systems, this is something like that we need nowadays. And this example here, so also leaked on the Snowden documents, showing that NSA

was basically intercepting packets, this is like a Cisco device, and reflashing the firmware with a backdoored firmware, and then, you know, as soon as it arrives on the guy on the other side they can collect data, they can like access that. So very few companies would know if the device that arrived there is the actual device that supported the vendor Center. So some companies are starting to use secure boot. So there's this company called Open Mesh, their devices are just like the device we showed here, they're quite similar, it's an AP, wireless repeaters and all those things. So they're using secure boot, so they're also using U-Boot and

they have signed images, so the bootloader is signed using an RSA key. So the problem here is that the RSA key is inside the same firmware flash, so the same blob. So you have like all your data and you have somewhere there where there's the signature, so if the signature doesn't match, if I'm trying to put a modified bootloader, it would just not boot. So what happens is, because U-Boot is GPLv2, some guys, they just asked for the source code, they code reviewed and they found out that if you erase, so this is just like a series of dd commands, so if you just erase the signature from the

flash it's not going to check and it's gonna bypass it. So yes, there's also a stack overflow on the U-Boot tftpboot. So in our case we use tftpboot to download an image from the internet, but there's also a stack overflow on that component, so you could just like download a really big image, like causing an overflow, and then you could just jump to the bootloader itself, then you could do whatever you want, which is really hard and you probably need a JTAG debugger, but it's, yeah, something really cool, and it's a feature, not a bug. Yeah, so bypassing secure boot: there's like some talks from the Riscure guys, it's really interesting, like using glitching

and all that stuff. So the way we did, like, the poor man's glitching, it's just like a simple way, but you can always use like specialized hardware or different things to bypass secure boot. There's also this Aleph Research, so it's really interesting, they have all kinds of bypasses, mostly for mobile bootloaders, like cell phones and all those things. And yes, the conclusion is that like secure boot is important, so we have to like start thinking about that also for embedded devices, for small routers and all those things, and we need to reduce firmware opacity, which means that transparency is important. So vendors nowadays, they worry

too much about tamper proofing, so there's all like smart cards and all that stuff, they don't want you to tamper with that, but they don't offer any good way for you to know if the hardware that you got there is the actual like legit hardware. So Intel ME, which if you guys like to look about it, they had like this backdoor and it's very difficult for the operating, the actual CPU to know what it's doing or what it's not doing, and ME can control parts of the CPU so you could do basically anything. So it's really important that we develop tools and get a hold of tools, create tools, and so we can have a look at our hardware and what

runs on the hardware, because if we don't know what's running on our hardware, how can we trust our software? Because the hardware eventually controls the system. And older people here, I'm not sure if you had like autos odd mod motherboards, and there was like this jumper that you had to actually use, because it's a physical impediment, so the BIOS is read-only; if you remove it then you can write it. So it's a simple thing, it's a physical impediment, so if you can have that it's more secure. Suppose you want to update your like home router, you can just switch it or just remove a jumper, so

it's simple things that people are not using anymore. So also we need better documentation, reverse engineering scripts, and you know, we need like better parsers for bootloaders. It's something that we need to understand so we can respond accordingly. And questions? Questions?

The real question, yeah. So I think it's interesting for us to show ways for you to attack devices so people would start like better protecting them. So I think for example there's no, like, no malware targeting bootkits nowadays, so I think why we found it's interesting for us to like give a talk about that, it's something like not that complex, but because it's so easy for you to hack in and buy the device, and like Mirai, Mirai doesn't care, so if it infects the device, if someone turns it off, in a couple of minutes, two minutes, four minutes, five minutes, it's gonna hack it again. So I

think people should like start like showing proof of concepts, you know, and trying to reach, okay, yeah, and yet basically, so I think we should like have PoCs, proof of concepts, you know, so like ways for you to attack a device, and so people can understand the threat, yeah.

So the device is well-documented, it's open-source, but for a lot of, the first phase of disassembling a device like this is like the reconnaissance phase, right, like right up in a kill chain. We're gonna have a look at the chips that are on it, we're gonna Google the chips, and the moment you find a datasheet it explains everything. So yeah, it's very easy for you: if you can just look at the device you can Google it and find the datasheet, and it explains like this is the DI, this is the data in, this is data out, this is the ground, so you just connect it accordingly. And there's like flashers, there's like hardware flashers, you can just plug and them, or

if you have for example a Raspberry Pi or a BeagleBone Black, for example, they have all those connections for interfacing with SPI, so you just need to connect the correct wires and you can just reflash it. So the way we did, I think you can show them the device, but what we did, we got the device, we desoldered the SPI flash and we connected those wires. Okay, so it's not here, yeah, we can show you. But yeah, so we desoldered it, and yeah, and then it's very easy for us to use a hardware or just like a Raspberry Pi or anything like that. And if the chip, you can't find anything on the chip, then you need to go

with a logic analyzer. No, no, but there's going to be a lot harder. So what happens is, most devices are going to use some kind of RSA signatures, so most of the time it's 2K, so 2048 bits, so it's good enough. So you can just like hard-code the public key, in our case we just erased the public key, and only the person who has the private key can sign a new bootloader, a new firmware, and can like update the firmware. But what we need nowadays, we need also hardware protections like TPM, like smart cards and all those, from module, yeah, Trusted Platform. So

just by using software based solutions, you can always bypass, it's good but not good enough, I think. So x86 devices are very mature right now, so like Microsoft is supporting the TPM thingy, Linux nowadays yet Canada secure boot, so every single part of the boot process is analyzed, hashed, and you can basically trust it. And there are devices, there's nothing yet, mostly because they're cheap and people don't spend money on that, a charger from China, it's

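Added example, not part of the talk or the speakers' code: the detection idea from the defender section (a reproducibly built reference bootloader, compared against a device dump with the per-device variable areas skipped so that only the common code is hashed). The partition size, region offsets and all names are assumptions for illustration, and the images are constructed sample data.

```python
import hashlib

# Assumed layout (hypothetical, differs per board): a 128 KiB bootloader
# partition whose only per-device bytes are a MAC address and a serial number.
PARTITION_SIZE = 0x20000
VARIABLE_REGIONS = [(0x1FC00, 6), (0x1FC10, 16)]  # (offset, length)
BLOCK = 0x1000  # granularity used when reporting where a dump differs


def mask(image, regions=VARIABLE_REGIONS):
    """Return a copy of the dump with the per-device regions zeroed."""
    buf = bytearray(image)
    for off, length in regions:
        if off < 0 or length <= 0 or off + length > len(buf):
            raise ValueError("region %#x+%d lies outside the dump" % (off, length))
        buf[off:off + length] = bytes(length)
    return bytes(buf)


def masked_digest(image, regions=VARIABLE_REGIONS):
    """SHA-256 over the code that all devices of this model share."""
    return hashlib.sha256(mask(image, regions)).hexdigest()


def check(dump, reference, regions=VARIABLE_REGIONS):
    """Compare a device dump with the reference build.

    Returns (verdict, offsets): verdict is "match", "modified" or
    "size-mismatch"; offsets lists the blocks that differ outside the
    masked regions, which is where an analyst should start looking.
    """
    if len(dump) != len(reference):
        return ("size-mismatch", [])
    a, b = mask(dump, regions), mask(reference, regions)
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return ("match", [])
    changed = [off for off in range(0, len(a), BLOCK)
               if a[off:off + BLOCK] != b[off:off + BLOCK]]
    return ("modified", changed)


def patch(image, off, data):
    """Helper for building the constructed samples below."""
    return image[:off] + data + image[off + len(data):]


# Constructed sample data: a fake reference image, a healthy unit that only
# differs in MAC and serial, and a unit whose shared code was altered.
REFERENCE = bytes((i * 31 + 7) % 256 for i in range(PARTITION_SIZE))
DEVICE_OK = patch(patch(REFERENCE, 0x1FC00, bytes.fromhex("020000aabbcc")),
                  0x1FC10, b"SN-CONSTRUCTED01")
TAMPERED = patch(DEVICE_OK, 0x4000, b"MODIFIED")

if __name__ == "__main__":
    print("reference digest:", masked_digest(REFERENCE))
    for name, dump in (("healthy unit", DEVICE_OK),
                       ("altered unit", TAMPERED),
                       ("short dump", REFERENCE[:-1])):
        verdict, offsets = check(dump, REFERENCE)
        print(name, "->", verdict, [hex(o) for o in offsets])
```

Keep the masked regions as small as the board's layout allows: anything inside them is not covered by the comparison.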