Flash Memory, NAND, ECC, Oh My! Practical Techniques for Acquiring and Processing Raw NAND Images

y'all I hope you're not getting too cold you're still surviving here so uh we have next uh Jake Valletta from mandian and he's gonna do some awesome interesting stuff about blush and land and Hardware stuff so take it away Jake awesome all right thank you so much and I'm gonna do my best I don't want to eat this mic but I gotta kill it really close here um so I'm not gonna say the whole names because it's quite long but as you just heard we're gonna be talking about some nand processing techniques and I'm gonna go through a couple different steps here for us so just real quick about who I am I work at mandian which was on FireEye

now it's Google but it's still Mandy in my heart I've been around for about 11 years so I joined back in 2011 and I did mostly incident response and forensics my early career and then later in life I do more and more embedded work actually more of like a manager so it's I don't put that on here but my kind of passion area is embedded security and uh you know vulnerability research so I'm based in San Francisco so the weather's a little bit different and this is definitely the best view I've had it at besides or any conference usually it's in some stuffy hotel room so this is quite nice okay so I'm gonna do some quick overview

talk about different types of chips I'm actually kind of happy that you guys have a badge because I can use as a prop here and then we're going to talk about PCB inspection some chip removal um talk about how to get data off chips then we're going to go and kind of the meat of it the parsing and mounting techniques and then the last piece the example next steps is kind of like uh you know what do you do from here we could have a whole conversation about that particular phase so we're not going to be you know Finding bugs or demoing exploits or something like that so the purpose of the presentation is to

kind of help enable this sort of mission statement we have here so let's just say you go on Amazon you want to find some iot device and your your goal is to find bugs in it obviously step one is to buy the device get it probably take it apart plug it in set it up there's a number of obstacles that you may encounter while you're doing this right so you know even before you buy something you can look up on like the FCC docs to see if there's any images out there you could look for prior research once you have a device you're going to want to do a couple things so one you're probably going to want to

entertain the firmware images so you could Google around go on some forums maybe you can find a firmware update page for the manufacturer's website it's going to be really helpful to have a firmware image I would say just in terms of methodology you want to kind of shift it from like a black box approach to gray or white so any kind of information you can find out about this device is really going to help you be successful in finding bugs but what if you can't find the firmware image right it's not the end of the world but it does make things a little more challenging if you don't have access to that let's say also let's just say it's a

camera or some sort of iot device for a home you plug it in you get it on the network you run nmap on it and there's no ports right so now you have limited attack surface on the network side you know not really much you can look at there or maybe there's a web server running and it's got credentials that you don't know so you can't log in and finally you know let's say maybe you take this thing apart and you know like just like this guy here you look at it it's pretty clear there might be some uart on there maybe your device doesn't have uart or doesn't have JTAG so if these kind of

scenarios all play out you don't really have a lot to go on right so the solution what we're going to talk about here is if your device is using external flash so like a storage medium can we get data off the flash and use that to Aid our research right so I just listed a couple examples there but there's a lot of use cases here right you could be again looking for passwords for that web server obviously the firmware image has binaries on it or maybe keys to SSH or something but we'll go through a bunch of examples when I get further just a couple things that we're not really going to talk about so this isn't going

to be about like reverse engineering I don't think I have any idea screenshots sorry we're not going to go too much into binary analysis a little bit kind of set the stage we're not going to talk about Ur or JTAG like how I've got a protocol level talk a little bit about SPI um and I'm not going to go into any sort of power analysis or that kind of stuff so we're going to keep it kind of high level and I'm going to try to keep everyone awake so if I see people nodding off I'll click through some of the more boring slides okay so first just a few slides of theory then I'll move on to the fun

stuff promise not available storage right so in an embedded device you're gonna have to store data somewhere this is contrasted to something like Ram so right Ram is going to be like your memory where things loaded and when you turn it off you lose all that data uh there's two main locations or kind of ways you're gonna see this on a device one is going to be included inside of a chip so for example the badge here this is a esp32 right so this has flash inside of it and from like a physical perspective to get access to that would probably mean taking off this heat shield maybe decapping whatever chip is in there it's gonna be kind of hard not

not really my first attack that I would do here and then the other area is going to be on like another chip Elsewhere on the board so I didn't see any on this guy so if it did have one that would have been really cool because then we could use that as an example but um those are kind of the two main areas you're going to focus on if it's included in the stock I wouldn't spend sorry stock system on chip if it is included in there I don't think I would start off with that I would definitely start with the external or maybe I need some of those other avenues that I mentioned like the network side we're

looking for Ur or JTAG just because it can be way more complicated to get stuff off of an SLC uh two kind of main access mediums here parallel versus cereal I'm going to talk more about that in a particular slides so I'm not going to go too much into that here and then kind of setting the stage in terms of types so almost anything you'll see now is Flash based I'm not an electrical engineer so I'm not going to talk about like what how that actually works at a like fundamental level but a lot of things are Flash and then kind of another category which some of these are actually considered flash now so like

ROM and eprom those are usually much smaller for things like boot loaders and more like low-level devices but we're going to focus on flash memory here uh and then when you divide flash down one level you end up with usually nand versus nor so just to contrast them a little bit nor flash is usually a little smaller chip these are usually a Serial bus so for example like these eight pin chips on here these would be like a Serial interface using SPI uh nor is a lot faster for reading and a lot slower for writing right so usually when you have an embedded device and there is like a bootloader sort of Chip or maybe some

really low level configuration data doesn't change that may be stored on a nor Flash and maybe they developed the people who built the device won't have a mechanism to update that it just kind of stays the way it is um there's also an assumption that the data is valid in the newer world so I'll talk about that a lot in a couple of slides later here but there's no bad blocks in the norworld now on the nand side these are generally much larger especially more recent devices you can have multiple gigs on flash memory now and this is going to be where you're going to find things like kernels file systems you'll also see boot loaders here so it's not impossible

it would be there user data of course configuration log and all that stuff that's going to be usually on a nand flash two kind of main mechanisms for Access here you'll see parallel so parallel just uses more pins I have some pictures you'll see or a Serial protocol um like for MMC or SPI the big piece here is the bad blocks can be found on the device from the factory right so if you buy a chip let's say you buy like a sheet of a bunch of nand flashes it's entirely possible there's actually bad blocks on there right from the factory and you have to you being either yourself or a chip company who uses this

has to kind of account for that and that'll be that'll play into how we actually gain access to this I just one last thing readings a little slower here but writing is much faster than normal and that's why you'll see this use for like you know file systems and firmware okay so two types of mans we're going to focus kind of just on Nan for the rest of this talk one is referred to as raw nand so this is going to be kind of the lowest cost per bit you can think of this kind of a as like a bucket right it's like it's like a bucket and there's there's bits inside of that and somebody

else and I'm just calling it external management here has to actually manage this flash for you in the form of some like a controller right so this picture here on the left has two chips it's just off Wikipedia so this is a parallel land right here and parallel see all these pins on each side this is actually a 48 pin flash uh that's just those bits that's the bucket and then over here on the right this guy that's going to be the nand controller right so the data is all here it's kind of unstructured in the sense that you know the whoever's reading this whether it's an operating system or a microcontroller it's kind of

interfacing through this kind of this whole controller guy here and it's pretty transparent to him where those bad blocks are or if the data's some blocks are older than others that's called wear leveling that that's all transparent to the operating system uh and we're gonna be talking about Ross that's gonna be like kind of my main focus for this presentation uh generally speaking it's going to be using the onfi layer which is just a protocol used to read and write from nand uh manage the end on the other hand is actually quite popular right so you'll see this a lot and the reason I'm not talking about it is because I think it's a lot easier to deal with there's not as

many gotchas or nuances here because you're basically using the controller that's inside the chip here right so this picture over here we have the external controller hanging out this one it's on the die right so this is a I forget how many pins one 58 pin maybe 58 pin BGA chip this is a flash right here and the controller is part of this and you can go on Amazon and buy one of these all sockets here oh sorry 153. this is an emmc chip so the controller is in there all you have to do get it off the board plug it into the right socket here you can't see it on the other side but there's an um

like an SD card uh configuration there and you just plug that into your laptop right it's going to mount that as an SD card and your data is going to be there and it's super easy if there's any like encryption going on you'll have to kind of solve that separately but the idea is if you have MMC your biggest challenge is going to be getting the data off and then reading it these emmc which is what this is is extremely popular in mobile devices and devices that use socs so I see it a lot on like children's toys definitely cell phones conference room phones that kind of stuff a lot of the newer devices so think like Flagship

Samsung's I think even Apple they now use this Universal flash storage it's just another managed nand really and it's the readers are starting to become available they're definitely more expensive than the emmc readers this one's probably like 100 on Amazon and it's most of them that I've dealt with are this 153 or one 169 format um oh yeah so it does all the management of the bad blocks of the wear level and that's all handled inside of the Chip and that's why it's easier for you because you have to deal with any of that it's not written down here but one last thing I wanted to mention uh data sheets right so if let's say you're let's say You're

Building something let's say You're Building this badge and you want to use a raw nand you're definitely going to need the data sheet right so those are all publicly available like you will need access to that to actually do what you need to do on the right over here it is written but you don't usually get the data sheet here all you're going to get is the pin out so what the pins actually do and that's kind of all you need right you don't really need a lot of details about this chip to do things but for run and you're gonna need to know like the um the device ID some different parameters which we're going to do in a few slides

but the data sheets can be critical okay no more Theory let's we can actually do some more fun stuff so now we know we're focusing on raw and end uh the next step is to identify the demand on your device and then get it off the device so what I always recommend doing is if you buy a device or you know have a badge or something right here you're going to want to start off by making an inventory of everything on the PCB right so you know I've checked in this morning and I was looking at this I noticed this eight pin chip over here that's the I think it's a ch330 that's the USB to

uart chip which is conveniently located right next to the USB and then the pins go to the uart so that was pretty easy to identify the IC as I mentioned the main controller was an esp32 right so that's going to be your main processor here microcontroller and again I didn't notice any flash hanging out on this guy but if you did have that I would notice I would find that and then pull down the relevant docs for these things so grab the data sheets for each of them any sort of pin outs you can find and try to understand the purpose of each of these chips you don't need to worry about like transistors or resistors diodes at least

not for your initial analysis just focus on like what these things are doing functionally and then go from there so obviously it's part of this you're going to find the Flash the common package types you'll see it's actually better that this device actually has the soic 8 on it this is a 16 format this is really popular for Flash See The Flash usually in the eight pin arrangement though the one on the right there the to SP t-sop as I call it is the 48 pin parallel flash this is also a very popular format that you'll see in a lot of iot devices you'll also see the the top two where it's listed here the ones I just

mentioned soic and tsop those are both with the pins exposed right so those are my preferred ones I find the bottom two BGA and flat no lead the pins are usually going to be really small on the sides or all on the bottom right and that's just going to really change how you get these chips off the device it's still possible for both of them but it's definitely a little bit more complicated so taking it off this can seem if you've never done this before it can seem a little scary it was definitely scary for me I was so terrified that I was going to actually cause damage and over time you realize that these these chips are

pretty resilient even though the data sheets say like oh don't get it too hot they can get pretty hot and things will still work for long-term use I'm not sure but at least for our purposes of taking it off doing a reading of it and then probably throwing in the trash uh this these methods should work so you really have three main ways you could do this now the first one is to use a soldering station that's going to be when you have these right so you can definitely take chips off with just solder you don't need to use hot air what you can do is it's kind of kind of intuitive but if you watch a

couple YouTube videos it'll make sense you can use this idea called braking so basically just put a big old blob of solder right here and then kind of like break it across the pins and if you put enough on there it becomes like this whole pool of solder and if you make that whole thing molten you can use tweezers and kind of lift the chip up a little bit and then let it solidify do the other side and then kind of just like slowly lift the chip off the board you got to be careful you don't bend anything but it can be done and I've done that for these ones here because it's just it's easy to just put a bunch

of solder on here and just kind of lift it up slowly you could also use hot air that's what this picture is on the left here so it's kind of three things going on in this picture got the soldering iron off to the left and the middle is a PCB heater with a PCB in it and then a kind of a hot air gun over the top of it this is obviously a stage photo you wouldn't want to be that far away but that's kind of your Arrangement there and on the right is just the hot air gun set to about 300C but the idea is this thing right here is warming up the board for you so you set

that to I think it's it's pretty low in this picture again stage photo but it's a 160c here so what you're doing is kind of pumping heat into the PCB so that you're warming the whole board consistently and the reason for this is some pcbs will have like a lot of copper on them or they're really big pcbs and the second you start putting heat onto a chip all that heat can start going to other parts of the board and then you'll end up just sitting there forever trying to warm it up while the heat dissipates so the idea is what if you warm everything up then it doesn't have to disperse as much and

then it's a lot easier for you to actually get the chip off um and basically you can just kind of sit there and warm up a specific spot and then the solder will become molten and you can kind of lift the chip off and let it cool down your mileage will vary depending on if it's leaded solder versus unleaded obviously it melts at a different temperature so you'll have to kind of factor that in if when you're actually trying to do this just uh this picture on the right here this kind of gross looking it's kind of hard to see but it's like gross yellow stuff this is just a high heat tape that I like to use

to cover up everything else that's not what I want to take off because I don't want little resistors to go flying or maybe just make things molt into nearby but you basically would just end up with this right you have this is where the chip was this is where it is now see the solder is kind of still hanging out on this this chip here you're gonna have to clean that off the last thing and you can have like a whole slide deck on just desoldering and how all this stuff works I just want to kind of show you at a high level how you can do this the last method which is actually pretty cool is anyone use

infrared to take off ships it's pretty cool you can you can find cheap ones on like eBay and AliExpress but essentially using IR to kind of focus it on the ship and it looks like just a light turning on and off and then all of a sudden the solder is molten and there's maybe some smoke it's pretty cool the cheap ones are probably not recommended because you know you're doing some you know high voltage I guess it's like dangerous things for the thing you bought on on eBay uh the more expensive ones are very very much more expensive more commercial uh but it does work and that I've used those and it's been pretty fun

uh once you get the chip off you can well one clean it and then focus on reading the data so cleaning is actually really important not the most exciting part but once you have it'll chip off right so this one here you can see you know some of these pins are already touching and there's a lot of solder on here you're gonna have to get rid of that so the solution usually is to just use flux that's what this picture is here this stuff's really good I think it's amtec I buy it on Amazon there it's really good I'd recommend that if you're gonna do any sort of either BGA or uh kind of just like flash removal stuff

here it's it's probably like 40 bucks for that tube but you need to get all the all the solder off the pins and the chip should sit like pretty much completely flat right so if you set it down and kind of like touch it it wobbles that means there's still going to be a little bit of solder on there you can use some solder Wick which is kind of like a copper wire that you can heat up with some flux on it and it'll pull the solder off the IC but it should sit completely flat and you should be able to visually inspect it and say yeah there's no more solder on this next you're going to want to remove all

the residue that you left on there has anyone ever has ever done this by the way like taking this off the next thing you're going to have to do is get all that flux off of there which is like really sticky and kind of like discolored um so you could use acetone or isopropyl alcohol to just kind of you know use a toothbrush so I'll just like set the chip down and kind of scrub it a little bit and then it removes all this uh really sticky uh stuff down here so it's like extremely sticky it definitely use gloves once it's clean uh you're going to want to read the data off of it so a couple a

few different options you can do here I'm really going to talk about this one this is probably the easiest one option one there are like kind of feature built chips that you can use to how to make your own breakout board this is going to be the one that gives you the most versatility and um I guess control over things I've never done this I do I have one of these but I've never actually set it up because it seemed like a kind of a weekend project but it's really just a chip that allows you to kind of write your own reader for parallel flash there's blogs on it if you look it up it's pretty not too complicated but it's

that's not the easiest option two which is definitely the easiest is go on eBay just look up one of these two products here and these things are about 100 bucks they they come with like every socket adapter you can imagine all sorts of peripherals and cables of course comes with some nice software that uh conveniently doesn't want to run in VMS and has lots of WeChat links but it does work and it will support a lot of different ships for you um so I would recommend these are the two that I use I use them both because I've had issues where maybe one device doesn't have support for a chip the other one does or they both claim they

have support but I read it with one of them and the results are crazy so kind of having that redundancy works really well like I said they're both about 100 or less and then the last one is Flash ROM personally I use this more for SPI chips so when they're the eight pin ones and it's kind of similar to the first option here but it is a way and it's also open source right so you can use that you can write your own profiles for chips again a little bit more leg work if you have to write your own profile we could have a whole slide deck on just doing that so just throwing that out there is enough

an option if you wanted to but for option two here look how easy this is uh you put your chip in there that's nice and clean and then you close it and then you load up that software I talked about and then what gets spit out is basically just a binary dump of The Flash right because these readers come from China I'd recommend creating by two or three of them and then md5ing them just make sure that you're seeing consistency in the data sometimes about a couple bits be wrong here and there and that'll like that'll like really make things more challenging down the road when you're trying to like decrypt files it's failing you're like I know this is right

I know it's the password why isn't it working it turns out one one bite earlier on was was corrupted so definitely take a couple flash dumps and then at this point you're kind of done in the hardware world right you don't really need any more soldering irons or hot air or sockets you can kind of push all that stuff away and shift your analysis to a software one little thing that's kind of fun is in this this if you're thinking about like how you can use this and how you can be successful in whatever project you're doing it is possible to put the chips back on right so imagine a scenario where um you know you you plug in a device

it's got you are you connect over you are and you are just a serial connection right you connect in and it you turn it on and it says Hey welcome to Linux enter the password and that's how you don't know the password well you could take the chip off and then find that password and Etsy password RSV Shadow wherever they put it and then change it re-solder it and then boot it up again and then you wouldn't know the password you could log in so you could make changes and get this thing to boot back up I will say there's a number of things you have to consider and I'm not going to talk about all of

them but it is something that can be done and I've done that in the past this is it's not a great photo but you can see that it's soldered back on there I'm pretty proud of that sadder job um it's much easier when you can see the pins of course right so if you are re-soldering something that is BGA but I'm probably not visible it's a lot more challenging you have to buy these crazy uh VGA stencils off of eBay and then use some solder paste and re-ball it and then hope it all works this right here is actually kind of a fun example this is a little USB device it's a I think BGA

like 176 layout but I did take this desolder it clean it use the stencil in the middle here re-balled it with this stuff here that I bought this is um mg chemical I think is the brand um this stuff's also great good on Amazon re-balled it here put it back on there and then it did work so I was very shocked actually that it did work but it is possible you can use hot air and just kind of line it up and it will kind of reseat as you solder it back on I wouldn't recommend this as like your first thing this is like you've tried a lot of other things and they're not working this is like your last line of

defense even this one I wouldn't recommend doing until you've really exhausted a lot of other options they're probably better mediums out there but just something to think about when you start kind of coming up with an attack plan here okay next we have the Reed now we're going to focus on actually understanding how this data is arranged and because we're dealing with raw nand we have to assume that there was some kind of controller level in the middle and we're going to basically have to unpack that to make sure that we're looking at the data correctly right so if you go online and type in embedded embedded research blog or something or hacking a router or something you're

going to get to some guy's blog and it's going to be very informative but they're always going to run bin walk and be like I ran bin walk all the data was there I found the password and that's awesome but it's not going to work every step of the way and this is how I usually get involved with projects where I work is somebody will say hey I'm trying to work on this embedded device I ran bin walk it didn't work and then they send me something like this and then we have to kind of talk through like some of these these Concepts that we're going to go over and why you're seeing this um so it's not always going to work in

this example here this is some work that we did that we published on the manding blog a couple years ago um if you run Ben walk on it there's some it's good data right you see that there's a u-boot header up here some compressed data which is probably the kernel or maybe it's part of the bootloader and then you see all these file systems here and that's unusual right you would never see that many file systems in a better device and your other kind of indicator that something's wrong here are these offsets right so these are kind of wild offsets and it'd be very very unlikely that a file system is going to be at a

random hexadecimal also that doesn't align to a block right we'll talk about blocks in a second here so anyway something's wrong here so when you're dealing with manned you have two like kind of units of measurement I guess or storage so a page is going to be the smallest thing that you can write and a block is the smallest thing that you erase so when you do a bulk erase of an end you do that in a block and you write things at like a driver level in the page and all this data is going to be in the data sheet right so it's going to say the page is 2048 bytes and the block is

64 pages right and those you'll need to know that data when you're dealing with this I want to kind of nuance here to deal with is this concept of main versus spare data right so we're going to talk about that in the next slide here but you have to remember there's two of those and I just mentioned this on the last slide but file systems partitions whatever are almost always going to be on the Block boundary right because if you are doing like a nand wipe you want to make sure you can actually wipe blocks so you're not going to have a kernel taking up a block and a half right it's going to be one block three blocks four

blocks whatever so the spare area is actually really important and this is oftentimes the first thing wrong when somebody runs binwalk is they didn't account for this so I mentioned earlier in the slides that there's this out of band data I'm sorry that there was a bad block data and that's usually what you find and what the purpose of this out-of-band area is this is where you're going to store other things about the page that are to make sure the data can be trusted right and I'm going to go over that in a second here but the arrangement is usually recommended by the chip company so this is I think a micron one I found

they recommend well they're going to tell you one you have 20 48 bytes of main data and 64 of spare okay they they're recommending having main main main main main and then the four spares here at the end that's not always the case right it's really gonna depend on whatever's controlling the stand how they store things so you may have you know main spare main spare main spare main spare and hopefully once you start looking at the binary you can tell the difference but you're going to have to make sure you understand that because Ben walk has no idea about any stuff it's just reading the data and you'll have to kind of look at the button and see what happens

uh and the main thing yeah mostly for us since we're just trying to read data we just want to get rid of this right we don't really want any out-of-band data a couple caveats here in a minute but most of the time we just want to get rid of it all right so the first use of the bad of a spare area is bad blocks right so it's going to depend on again the controller or the chip but usually there's this little marker two byte marker and the first page of a block that will indicate that it's good if you find a block that doesn't have that then that's probably considered a bad block and again you have to pull up the data

sheet for your chip to confirm uh ECC is a checksum that's pretty cool because because not only does it tell you if something's wrong but it has data within itself to self-correct things which is pretty cool so you'll be able to identify a problem and potentially correct up to n Bits of data which can help you if there was a read error but this is going to be usually per page or per sub page right so this is going to be basically a check sum of all the page data right so back to this slide right you have data data data data and then usually you'll have like check some checks some check some checksum and

whatever nand driver is reading this is going to basically check are these eccs correct yeah um what else this one's really important if you are making changes right this is probably the most important thing if you plan on doing what I described earlier taking chips off putting them back on you have to recalculate the ECC right because otherwise it's going to turn on start checking those eccs and they're going to be wrong and it's going to think it's all bad data and mark the whole board bad bad blocks uh calculating ACC depends entirely on which algorithm is being used if it's open source versus closed the Linux kernel has its own drivers that use bch

so if it is a Linux based system that is probably pretty easy I've looked at devices particularly with like broadcom chips they use a lot of closed Source software they have their own ECC algorithms so I don't know how to calculate those and then finally there are use cases where file systems excuse me at a higher level are storing data in the out-of-band area so the two main culprits here are gyps which talk about you know really for us we don't really care about this so it doesn't matter yafs which is an older file system but I just did an assessment Yep this has been last year where there was GIF or yaps which seemed odd I haven't seen this in

probably seven or eight years but there are structural data inside at a band which are important when you're actually trying to mount these file systems okay uh what I wanted to show on this slide is this is just some Sam this is a random chip I was looking at here and this is going to be why Ben walk is largely failing for you so let's say you they I think this is part of the bootloader right you're looking at the bootloader you see all these strings here you know it's obviously binary because there's you know zero zeros here but then all of a sudden you'll see this kind of section down here where all of a

sudden it's just F's right and then immediately after we see strings again this is probably your out-of-band data right and if you look I made sure that I aligned it nice so there should be 64 bytes here which is pretty common right this is the data that you got to get out of it right because when you try to bin walk this it's just gonna include this and if it's like a zip file or a binary or something that stuff's got to go a couple other techniques you can use here I like if there is a page that's all zeroed or all effed um and then all of a sudden you see really high entropy data and that that high

entropy data repeats itself that usually means that there's four ECC ashes back to back all hashing the same thing right so if you can find an all zeroed or all left Page then that can help you confirm that it is ECC because it'll be the same because it's a hash right it's going to always be the same it's not encryption and you'll look you'll notice these patterns as you play around with them uh We're not gonna go through every line here but just something if this is really easy to do uh basically read in your file set the out of band size and set your page size and then all I do is I just

read Main and then out of band to do two different files and I just do that for the whole chip right and then you end up with two files one called dot main one that out of band and so that file you can probably pass the binwalk and it's going to be okay and of course you'll have to tweak this this kind of right section here depending on how that layout looks right so that's kind of an exercise for whatever's using this to do but it's not challenging to just remove that out there foreign the last thing we have to do before we start mounting things is to determine the partitions and how the flash is

arranged and this is again you could spend a lot of time just talking about this I'm just going to give you guys two techniques that'll work pretty well here one if you're dealing with a device that's using the u-boot bootloader so guys maybe if anyone's seen that in your travels u-boot it's pretty common it's a pretty small easy to embed bootloader and one of the things that it does is it'll include the layout of The Flash as an invariabant variable our config variable I guess that gets passed to the kernel right because your kernel or your microprocessor or whatever has no idea what this man looks like right so it's just going to assume that there's some

data here and this needs to be told what that looks like the MD MDT Parts variable is really useful right you can kind of see it full skewed over here but basically it's going to be um the size of a partition and then the name of that right so this one here has got like FBI which is probably like first bootloader SBI which makes secondary boot loader and then you can see down here we'll have like configuration root file system right but you can use this along with your knowledge of how the at a Band-Aid is structured to basically split this firmware dump into a bunch of small partition dumps that you can actually play with individually you

don't have to do this right you could use bin walk and if that works great but I like to do this and have it all be divided out so that I can see exactly what each one of these files is yeah that's kind of the easy example sometimes you'll see this where you're scrolling through and all of a sudden you see this kind of just blob of binary data here it's the same thing right so it's the same data the name of the file the name of the partition with the size but this time it's just in a binary structure right so this will take a little bit of analysis to figure out like you know at byte one is that the

size or is it the end data but you could write a little parse here this is the that's really hard to see sorry this is um this is what the Solar City device that we looked at that we put on our blog it's just a binary format write a little python script I just kind of chews through it prints out the partition sizes but this will take you a little bit of time to understand what looks like maybe some ring of the bootloader okay and I just alluded to this right now we know both those two things you can actually try to mount these file systems and actually have some fun so let's talk about that

all right so I'm going to cover each of these so I'm in a little bit more detail because some are more popular and some are easier so these are the ones that I've experienced and that I see I would say if it's an SOC device it's probably going to be EXT or maybe maybe Ubi or Jeff's gifs yaps I haven't seen in a long time except that one device last year squash FS I've seen and I've seen this used when combined with like a secure boot or a disc encryption method that was the only one I listed on here is read only it's because squash FS is usually mounted read only and usually don't change that it's more like it's

basically like an archive like it's mounted as a file system and let's see before I go through each of these slides I just want to give you kind of how my brain works um whatever project I'm working on I'll use basically a make file with like a pretty defined directory structure and that helps me remember what I was doing so if I have a kind of a task in my head called you know Mount ubiffs I'll usually wrap it in a script and then I'll have that get called here and you can kind of chain these together so you say like you know mount just carve whatever and then put that like in a readme so you don't forget I

always forget this stuff and then I'm like digging through my bash history but I used I like to name things very detailed so I'll have you know Ubi FS underscore raw.bin dot main so it's clear to me that I'm working on just the main data versus out of band I'm not saying you guys have to do this but I do find it to be useful um starting with the easy ones right so these are bin walk we'll have no problem with these by the way these are super easy and even for you guys it's really easy to do just basically make a directory and then use Mount right so nothing crazy here Mount will handle all

the kind of behind the scenes stuff for you you can use file or bin walk to basically find these it'll say hey squash FS or EXT out of Band-Aid is obviously not important here so you don't need that in anything uh capacity but these are really easy right I would definitely recommend just mounting them things get a little more complicated when we deal with uh gifs and Ubi and you'll have to use has anyone ever used Nan Sim anyone ever gone through this kind of chaotic Journey here um so Nan Sim is a Linux driver that will simulate a raw nand in your device and that's really helpful because if we know the device that we're dealing with

we can tell Linux and have it simulate one for us and then all the sections will be the right size and then what we can do is essentially copy over the data we just dumped and then mount it that way I just described it in like two sentences it's probably a lot more complicated than when you guys start digging in here you'll probably have to read some uh some stuff from this guy's website he's got a very dry humor and has strong opinions about driver technology but you guys enjoy that um really what you'll need here is that four byte chip ID that you can get when you're actually reading the chip so when you're actually dumping it using one of

those Chinese readers they'll give you the four byte uh chip identifier and we'll use that in a couple slides coming up here uh I'm not gonna go through all these because I could probably talk about MBT drivers for a while and you guys don't want to hear about that but the main things are this this lower level MBT one is kind of they call it the flash trans translation layer or transition layer and that's going to be representing both the main and the spare right so it's going to have both the sections per how that ship thinks it should look on top of that it's kind of like a pseudo block driver where it's going to be just the main data right so

this is going to be at one higher level up that's usually where you'll hang out unless you have to manipulate the at a band or let's say you want to basically mount a UB ifs and then create a copy of that and then flash that to your chip that one's going to be where you'll use that one the actual uh MBT layer okay I'm gonna go quick so I have five minutes left here uh this is what the data sheet will look like you'll get that four byte identifier from it here and it's going to be all defined for you one f1001d you'll basically plug that into Nan Sim here right so the same bytes I added

here this is for gifs this one you can basically create a named simulation and then use DD to just copy it to the block driver right so the the higher level one and then you can mount it using uh Mount down here so that one's actually pretty straightforward uh ubifs in the interest of time I'm not going to bore you guys with how the kind of intermediary layers work but it's pretty similar this case you'll just use whatever the correct bytes are here and then you can if you want to you can basically zero it all out and you can use a combination of Ubi format and attach with all their crazy arguments to actually

attach and mount a Ubi file system so these slides will be available after the after the presentation so you guys can probably just copy this stuff out but the nitty-gritties aren't super important you'll have to kind of figure out what these offsets mean here because they'll be tied to your specific chip but again you're using your ultimately using Mount at the end of the day um yaps I would love to talk a lot of detail about because I really don't like yafs but there's basically like one person out there who knows how this works and he hasn't touched this project in 20 years so uh there's a project that's called yaf2 utils that's archived and Google code that you can use to try

to unpack things I've had a lot of mixed experience with it and if the out-of-band data is not exactly how that tool wants it to be then it just doesn't work so you have to like move the data back to where it should be but that means you have to know what the driver wants and what his tool wants and it's yeah it's not it's not not fun anyway you do the same thing here though these are the parameters here you have to kind of tweak and I think I've just set up leave you with the the now what right so we just spent 45 minutes talking about how to get access to a device and I'm

kind of leaving you with like now you have to draw the rest of the owl here because once you have access to it the next step is to kind of go back to that mission statement and find bugs and there's again a lot of things you could do here we've edited files and re-soldered we've removed different encryption things that we're complicating things we've pulled source code off and use that to find bugs there's a lot of different things you could do here but that's a totally different talk right like that's a just that's a bug hunting or a binary analysis presentation but now that you have the data you kind of can do whatever you want right so I'll leave

this here just for a second because there's a couple cool things you can do but then I'll roll in the conclusions okay so just to kind of summarize what I talked about and how I would approach this one identify external nand and by inspecting the PCB two remove the chips using solder hot air IR whatever three use a universal reader to get the data off the chip or identify the layout in the partitions by analyzing the binary five Mount the relevant file systems do what we didn't we just talked about find something cool make some change do something and then optionally put it back on right so that that process is going to be essentially repeated each time you do

this and each one of these will kind of pose its own unique challenges once you once you get into it um and with that I think I have like one or two minutes left here um this just some material here um I did just pick Mania Vlogs but there's plenty of blogs out there the reason I picked the menu ones because mostly they're mine and I can talk about them if you guys want to like learn more about the research there's plenty of research out there in the space I think people this isn't like new material right like it's just flash memory at the end of the day but I want to kind of get

it all in one place for people to chew through if you guys want to contact me um I don't use Twitter very often but I'm much more active on email both my work and personal emails are there my GitHub is there and my website so with that I don't know if I have any time for questions but you guys tell me minutes for questions so do you have any questions okay

[Music] yeah now I would say not through this mean but I've definitely done um and the definition of back door is always like is it a is it admin util is it a purpose-built back door I've definitely found some sketchy binaries running that you know expected specific Flags to then do things like run commands so is that a back door sure but is it also like maybe something that the developers left on there for use testing but I don't know it depends but yeah definitely there's some weird things that you'll find when you uh dive into this world

standardized everything's custom like the reading is different the mountains different patterns I mean it's there are like kind of a bunch of diverging paths right like if this type of thing do these four things uh there are things like bin walk though like the tool itself is quite good right this I don't hopefully no one leaves here is like Jake doesn't like Ben walk um it's a great tool it does a lot of this stuff for you but when it doesn't work you gotta take a step back and understand what kind of differences there are also commercial solutions that are that exist that you could buy that you know they they expect a firmware dump and then you get like a nessus

report essentially but that's for like if you're doing this professionally or kind of want to automate things so there are this this has been automated in some capacities but it will be a little bit different per chip and device thank you