Software Exploitation Via Hardware Exploitation
This class debuted as a sold-out class at Black Hat 2014 and has sold out at every public offering since.
Where This Training Has Been Taught (Publicly & Privately):
Overview:
"Software EXploitation Via Hardware EXploitation" or "SExViaHEx" (as we jokingly refer to it) teaches how to reverse engineer and exploit software on embedded systems via hardware. It teaches all this against real-world Commercial Off The Shelf (COTS) products such as routers, game systems, and other appliances. This course has an intense focus on results-oriented vulnerability discovery (not just hardware hacking and tinkering for fun).
Concepts taught (hands-on) in the course include:
- Bus spying, tampering, spoofing, injection on simple serial interfaces like UART, SPI, I2C and others
- Finding, identifying, analyzing, and interfacing with JTAG, Serial, and other interfaces
- Configuring, Interfacing, Using, Misusing, and Abusing JTAG for reverse engineering, manipulation, and exploitation
- Non-destructively extracting firmware via software, JTAG and serial interfaces
- Invasively extracting firmware by directly accessing or physically removing flash storage
- Parsing, extracting, and analyzing firmware images
- Manipulating firmware images to embed backdoors or other functionality
- Binary analysis of executables on firmware to enable software exploitation
Students will get hands on experience with tools like:
- The Shikra
- USB serial cables
- Bus Pirate
- JTAG Adapters
- Logic Analyzers
- Multimeters
- JTAGULATOR
- OpenOCD
- UrJtag
- GDB
- IDA
Details:
Length: 4 days
Format: Lecture and Lab
Dates & Location:
Contact us for a private on-site version of this course. (10 students or more)
Who Should Attend:
"Makers", tinkerers, developers, IT professionals, mobile developers, hackers, penetration testers, forensic investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jailbreakers, and anyone interested.
What To Bring:
Laptop with:
- Wireless and wired connectivity
- 4+ GB of RAM
- 3+ USB ports or a reliable USB hub
- VMware Player, Workstation or Fusion (freeware is sufficient)
What Will Be Provided:
Students will be provided with a lab manual and a USB drive with the virtual machine and all software installed. Each student will be provided a lab kit for the duration of the class containing target embedded systems including wireless routers, NAS devices, Android tablets, and embedded development boards, as well as tools for identifying and interfacing with test, debug, and peripheral interfaces including serial cables, Bus Pirates, logic analyzers, multimeters, JTAG adapters, etc.
Participant Skillset:
- No prior experience with hardware-based exploitation necessary.
- Novice or intermediate software exploitation experience recommended (ARM, x86, etc.).
- Familiarity with IDA or other disassemblers recommended.
- Understanding of software development, executable file formats, and debuggers recommended.
- Familiarity with assembly (ARM, x86, etc.) recommended.
- Novice to intermediate knowledge of a powerful scripting language required (Ruby, Python, Java, etc.).
- Familiarity with C and C++ recommended.
Class Syllabus:
Unit 1: Basic UART
Introduce UARTs, their common uses, and tools to interface with them. In lab, participants will acquire a root console on an embedded device via serial cable.
Unit 2: Exploit via UART
Discuss the attack surface exposed via UART. In lab, participants will embed a remotely accessible backdoor via hardware access with a serial cable.
Unit 3: Finding Pinouts Manually
Show various methods of locating and identifying debug headers on a board. In lab, participants will experimentally determine the pinout of an unknown debug port.
Unit 4: Basic JTAG
Introduce JTAG, its history and uses, and tools for interfacing. In lab, participants will configure and connect JTAG hardware and software for run control of an embedded CPU.
Unit 5: Finding Pinouts Automatically
Discuss algorithms and methods for automatically identifying debug ports. In lab, participants will use tools to automatically find and identify a JTAG interface.
Unit 6: JTAG Exploration
Discuss the potential for undocumented and obscured features hidden in JTAG. In lab, participants will identify and probe several features of an undocumented JTAG controller.
Unit 7: JTAG Enabling
Present several ways that manufacturers could disable or disconnect JTAG, and how to reverse them. In lab, participants will re-enable JTAG access on an unmodified Android tablet.
Unit 8: JTAG Exploitation
Present multiple methods of escalating software privilege via JTAG. In lab, participants will manipulate memory via JTAG to modify kernel operations and privileges.
Firmware:
Unit 1: Basic Firmware Dumping
Introduce the basics of flash storage and common partitioning. In lab, participants will identify and examine the raw flash contents via root console.
Unit 2: Intermediate Firmware Dumping
Present multiple methods of accessing firmware via JTAG for times when root privileges are not yet available. In lab, participants will dump firmware off a target via JTAG.
Unit 3: Advanced Firmware Dumping
Present non-invasive methods of directly accessing various flash storage chips. In lab, participants will quickly dump the full firmware by directly interfacing with flash chips.
Unit 4: Invasive Firmware Dumping
Discuss destructive methods of firmware extraction and the reasons why they might be necessary. Instructors will demonstrate removing and dumping a chip with a dedicated programmer.
Unit 5: Basic Firmware Analysis
Introduce multiple procedures for firmware analysis, helpful tools, and easy exploits. In lab, participants will analyze and make minor modifications to exploit a firmware image, and flash it back to the target device.
Unit 6: Intermediate Firmware Analysis
Discuss further methods for extracting, modifying, and repackaging filesystem images. In lab, participants will manipulate the filesystem to add a backdoor to be accessed remotely.
Unit 7: Advanced Firmware Analysis
Introduce tools for binary reverse engineering of executables found in firmware. In lab, participants will reverse engineer the firmware for a small game console and extract key elements.
Exploitation:
Unit 1: Embedded Exploitation
Introduce common issues with embedded code on ARM. In lab, participants will identify and exploit vulnerabilities in code found on an embedded ARM device.
Unit 2: Exotic Interfaces and Attack Vectors
Briefly cover other exotic communication interfaces such as RF communication protocols and automotive interfaces such as CAN, SWCAN, LSFT CAN, DW CAN, OBD, ISO 14239, and ISO 14229.