OPENING BLACK BOX SYSTEMS WITH GREATFET+FD · 2021. 8. 16.
OPENING BLACK BOX SYSTEMS WITH GREATFET+FD
TROOPERS18
KATE TEMKIN & DOMINIC SPILL
WHO WE ARE
Kate Temkin (@ktemkin):
• slayer of Tegras, destroyer of worlds
• glitch witch & tool-builder
• educational (reverse) engineer
Dominic Spill (@dominicgs):
• cannot stop being extraordinary, on penalty of deportation
• shark whisperer & demo dancer
MANY THANKS TO
• Travis Goodspeed (@travisgoodspeed)
• Sergey Bratus (@sergeybratus)
• Michael Ossmann (@michaelossmann)
PEOPLE WHO GIVE US MONEY
• Great Scott Gadgets (@gsglabs)
Why target USB?
USB is everywhere.
WHY USB?
The capability to monitor, MITM, & emulate USB devices enables:
● Understanding the behaviors of USB and driver stacks
● Building tools that work with existing hardware / software
● Building implants and tools for playing NSA.
● A way to get a foot in the door for understanding black box systems.
WHY PROXY?
All too often, as with black box systems, we don't control the host software stack:
● Game consoles [e.g. the Nintendo Switch]
● In-car entertainment [e.g. Tesla consoles]
● Point of sale
● Televisions
● … pretty much any embedded device that can act as a USB host!
USBPROXY NOUVEAU
USBProxy is a tool that allows us to proxy the connection between a USB host and device. While proxying a connection we can:
● Log USB packets (cheap protocol analysis)
● Modify data being sent to or received from a device
● Inject new packets into the connection, or absorb packets
● Capture side-channel information and precisely time glitching attacks
The original version was based on a BeagleBone Black in C++. We've rewritten it to take advantage of FaceDancer's more granular control.
[let’s monitor some USB]
https://github.com/ktemkin/Facedancer/blob/master/facedancer-usbproxy.py
USB CLASSES
In addition to specifying the standard protocol used for enumeration/configuration, the specs also specify protocols for standard device classes, allowing e.g. operating systems to provide standardized drivers.
● Human Interface Device (keyboards, mice, datagloves; the usual)
● Serial (e.g. CDC-ACM)
● Mass storage (UMS bulk only / UAS)
● Audio / Video
● MIDI
● Scanners
● Networking
● etc.
[let’s slack off]
https://github.com/ktemkin/Facedancer/blob/master/usbproxy-switch-invertx.py
EXPLORATORY RE
There are many USB hosts and devices for which firmware isn't easily available, but we don't always need firmware to do interesting things to a system.
● Can we discover behaviour?
● Find firmware functions?
● What about identifying hosts?
EXPLORING FUNCTIONALITY
By monitoring and modifying USB packets we can discover functionality of a host system
● Does it take firmware updates via USB?
  ○ What filename is it looking for?
  ○ Does it read that file multiple times?
● How does the host enumerate the device?
  ○ Order and length of requests
  ○ Timing
  ○ Windows Compatibility ID
  ○ umap2 already does this; let's port it to new FaceDancer
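The "order and length of requests" that a proxy or emulated device logs during enumeration is the raw material for identifying a host stack. The decoder below is an added example (not FaceDancer or umap2 code): it unpacks 8-byte SETUP packets and reduces a captured control-transfer sequence to a comparable fingerprint. The sample capture is constructed, not a trace of any real host.

```python
"""Decode USB SETUP packets and summarise a host's enumeration order/lengths.
Added example; the SAMPLE trace below is constructed for illustration."""
import struct

# Standard request codes and descriptor types from the USB 2.0 specification.
SET_ADDRESS, GET_DESCRIPTOR, SET_CONFIGURATION = 0x05, 0x06, 0x09
REQUEST_NAMES = {SET_ADDRESS: "SET_ADDRESS", GET_DESCRIPTOR: "GET_DESCRIPTOR",
                 SET_CONFIGURATION: "SET_CONFIGURATION"}
DESCRIPTOR_TYPES = {1: "DEVICE", 2: "CONFIGURATION", 3: "STRING",
                    6: "DEVICE_QUALIFIER", 15: "BOS"}

def parse_setup(pkt: bytes) -> dict:
    """Unpack the little-endian fields of one 8-byte SETUP packet."""
    if len(pkt) != 8:
        raise ValueError("SETUP packets are exactly 8 bytes")
    bm, breq, wvalue, windex, wlength = struct.unpack("<BBHHH", pkt)
    return {"direction_in": bool(bm & 0x80), "type": (bm >> 5) & 3,
            "recipient": bm & 0x1F, "request": breq,
            "value": wvalue, "index": windex, "length": wlength}

def describe(setup: dict) -> str:
    """Readable summary such as 'GET_DESCRIPTOR(DEVICE) len=18'."""
    name = REQUEST_NAMES.get(setup["request"], f"REQ_{setup['request']:#04x}")
    if setup["request"] == GET_DESCRIPTOR:
        # wValue high byte = descriptor type, low byte = descriptor index
        dtype = DESCRIPTOR_TYPES.get(setup["value"] >> 8, f"TYPE_{setup['value'] >> 8}")
        idx = setup["value"] & 0xFF
        name = f"{name}({dtype}" + (f"#{idx}" if idx else "") + ")"
    return f"{name} len={setup['length']}"

def enumeration_fingerprint(packets: list) -> tuple:
    """Order and requested length of each control request: the part of
    enumeration that differs between host stacks, in a hashable form."""
    return tuple(describe(parse_setup(p)) for p in packets)

# Constructed sample capture (not a real host's trace): a host that reads the
# first 8 bytes of the device descriptor, assigns address 7, re-reads the full
# descriptor, then fetches the configuration descriptor header and full body.
SAMPLE = [
    bytes.fromhex("8006000100000800"),
    bytes.fromhex("0005070000000000"),
    bytes.fromhex("8006000100001200"),
    bytes.fromhex("8006000200000900"),
    bytes.fromhex("8006000200002000"),
]
```

Storing the fingerprint of each known host lets a device-side script compare a new host against the set it has seen before.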
● What are the device's access patterns?
[let’s run a simulated firmware update]
UMS DOUBLE FETCH
Of course, nothing says our emulated devices have to behave nicely.
Example: most systems assume that disk contents don't change on their own
Reality: in practice, they totally can
Example firmware update sequence:
● USB host reads firmware off flash drive, computing a checksum as it does
● USB host verifies the checksum, which passes
● USB host rereads the firmware and flashes it to ROM
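The sequence above is a time-of-check/time-of-use bug: the bytes that were checksummed are not the bytes that get flashed. The model below is an added example (not the talk's FaceDancer script): an in-memory "drive" that serves a different image on its second read, the vulnerable verify-then-reread update logic, and the fix of reading once and flashing the same buffer that was verified. SHA-256 stands in for whatever checksum the host uses; that and the sample images are assumptions.

```python
"""Model of the UMS double fetch and its single-read fix. Added example;
the drive, images and checksum algorithm are constructed for illustration."""
import hashlib

class MutableDrive:
    """Emulated mass-storage device: serves `first` on the first read of the
    firmware file and `later` on every subsequent read."""
    def __init__(self, first: bytes, later: bytes):
        self._images = [first, later]
        self.reads = 0

    def read_file(self) -> bytes:
        img = self._images[min(self.reads, 1)]
        self.reads += 1
        return img

def checksum(data: bytes) -> str:
    # SHA-256 used as the checksum (assumption; the host's real one is unknown).
    return hashlib.sha256(data).hexdigest()

def update_double_fetch(drive: MutableDrive, expected: str):
    """Vulnerable sequence from the slide: read and hash, verify, then
    re-read the file to flash it. Returns the image that would be flashed,
    or None if verification rejected it."""
    if checksum(drive.read_file()) != expected:
        return None
    return drive.read_file()      # second fetch: not the data that was verified

def update_single_fetch(drive: MutableDrive, expected: str):
    """Hardened sequence: read once into RAM, verify that buffer, and flash
    that same buffer, so the device has no second read to tamper with."""
    image = drive.read_file()
    if checksum(image) != expected:
        return None
    return image

GENUINE = b"genuine-firmware-v1"      # constructed sample images
TAMPERED = b"tampered-firmware"
EXPECTED = checksum(GENUINE)

def demo() -> tuple:
    """Run both update routines against a drive that swaps images after the
    first read; returns (flashed by vulnerable path, flashed by fixed path)."""
    vuln = update_double_fetch(MutableDrive(GENUINE, TAMPERED), EXPECTED)
    safe = update_single_fetch(MutableDrive(GENUINE, TAMPERED), EXPECTED)
    return vuln, safe
```

Counting reads, as `MutableDrive.reads` does, is also how an emulated drive tells you whether a real host reads the update file more than once.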
[let’s fetch... twice]
https://github.com/ktemkin/Facedancer/blob/master/facedancer-ums-doublefetch.py
[let’s talk about firmware filenames]
[GlitchKit architecture diagram; recovered labels: Synchronization Features, Stimulus Generation, Triggering Features, GlitchKit, Event Routing, Clock Management, USB Host, eMMC Device (not yet complete), USB Device, Simple Event Triggers, UART Triggers, Trigger Output]
GLITCHKIT LIBRARY

```python
from greatfet import GreatFET  # import added; the slide shows only the calls
# VBUS_ENABLED, COUNT_REACHED, HOST_SETUP_TRANSFER_QUEUED, GET_DESCRIPTOR and
# GET_DEVICE_DESCRIPTOR are assumed to come from the GreatFET glitchkit module.

gf = GreatFET()
gf.switch_to_external_clock()
# Clock management: feed the target its clock once VBUS is present.
gf.glitchkit.provide_target_clock(VBUS_ENABLED)

# Simple event trigger: count one rising edge on pin J1_P7.
gf.glitchkit.simple.watch_for_event(1, [('EDGE_RISING', 'J1_P7')])

# Synchronization: line up with the target once the count is reached.
gf.glitchkit.use_events_for_synchronization(COUNT_REACHED)

# USB host stimulus: trigger when the SETUP transfer is queued, then issue
# a GET_DESCRIPTOR control-IN for the 18-byte device descriptor.
gf.glitchkit.trigger_on_events(HOST_SETUP_TRANSFER_QUEUED)
gf.glitchkit.usb.capture_control_in(request=GET_DESCRIPTOR,
                                    value=GET_DEVICE_DESCRIPTOR, length=18)
```
THANKS FOR LISTENING! QUESTIONS?
JOIN US:
https://github.com/greatscottgadgets/greatfet
https://github.com/ktemkin/Facedancer
https://github.com/glitchkit