Posts Tagged ‘hack’

Hacking ARM TrustZone / Secure Boot on Amlogic S905 SoC

October 6th, 2016 4 comments

The Amlogic S905 processor, used in many Android TV boxes and the ODROID-C2 development board, implements ARM TrustZone security extensions to run a Trusted Execution Environment (TEE) used for DRM & other security features.


He explains the steps they went through and how they managed to exploit a vulnerability to bypass secure boot in a detailed technical blog post.

They first started by looking for info in the Amlogic S905 datasheet, but most info about TrustZone had been removed from the public version. So not that much help here, except a potential address for the BootROM (ROMBOOT_START 0xD9040000). The next step was to connect the UART pins in order to access the serial console, but he could not read the BootROM from there, most probably because you can’t access secure code from a non-secure memory.

However, a closer look at the boot log led them to find that the bootloaders were based on the ARM Trusted Firmware (ATF) reference implementation, which includes BL1x (BootROM in SoC), BL2, and BL3x bootloaders as shown in the diagram below.


At this point everything becomes much more technical, as he explains various attempts using the U-Boot bootloader, the SMC (Secure Monitor Call) interface, and bypassing the Secure Boot chain. The first attempt was a non-starter, the second could have been exploitable but might have required some expert skills and time, but the third one was successful after an analysis of the mechanism used by BL2 to parse and authenticate the BL31 image, and finding out the cryptographic code came from the OSS PolarSSL/mbed TLS project.

Further reverse-engineering of the “authentication” header revealed that BL2 is only using a SHA-256 hash to verify the integrity of the firmware, and that there’s no actual authentication. To confirm their findings, they customized a BL31 firmware, updated the SHA-256 hash (using the aml-bootloader-tool script), and it would boot, and eventually they managed to dump the BootROM from the Amlogic S905 SoC.

That’s the conclusion:

The S905 SoC provides hardware features to support Secure Boot, however OEMs can still choose to enable it or not. But even when Secure Boot is enforced, a flaw in the current version of Amlogic’s BL2 allows to bypass it. So Trusted Execution Environment cannot be trusted. The good news is BL2 can be patched, unlike BootROM.
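The gap between the hash-only check described above and an authenticated one can be shown with a small verifier. This is an added example, not code from the original post or from Amlogic: the header layout, key and payloads are constructed, and HMAC stands in for the asymmetric signature check a real boot chain would perform against a key rooted in the SoC.

```python
import hashlib
import hmac
import struct

MAGIC = b"TOYB"                    # constructed toy header, not Amlogic's real layout
HEADER = struct.Struct("<4sI32s")  # magic, payload length, SHA-256 of payload

def pack_image(payload: bytes) -> bytes:
    # Anyone can build a valid image: the digest needs no secret.
    return HEADER.pack(MAGIC, len(payload), hashlib.sha256(payload).digest()) + payload

def verify_hash_only(image: bytes) -> bool:
    # Integrity check only: compare the embedded digest with a recomputed one.
    if len(image) < HEADER.size:
        return False
    magic, length, digest = HEADER.unpack_from(image)
    payload = image[HEADER.size:]
    if magic != MAGIC or length != len(payload):
        return False
    return hmac.compare_digest(digest, hashlib.sha256(payload).digest())

def sign_image(image: bytes, vendor_key: bytes) -> bytes:
    # Vendor-side tag over header and payload (HMAC as a stand-in for RSA/ECDSA).
    return hmac.new(vendor_key, image, hashlib.sha256).digest()

def verify_authenticated(image: bytes, tag: bytes, vendor_key: bytes) -> bool:
    # Accept only if the image is intact AND the tag was produced with the key.
    expected = hmac.new(vendor_key, image, hashlib.sha256).digest()
    return verify_hash_only(image) and hmac.compare_digest(tag, expected)

def demo() -> dict:
    vendor_key = b"constructed-vendor-key"           # sample value
    original = pack_image(b"vendor BL31 payload")    # constructed sample image
    tag = sign_image(original, vendor_key)
    # Modified payload repackaged with a freshly computed digest.
    repacked = pack_image(b"modified BL31 payload")
    # Accidental corruption (one flipped bit): the only case a bare hash catches.
    corrupted = original[:-1] + bytes([original[-1] ^ 1])
    return {
        "hash_original": verify_hash_only(original),
        "hash_repacked": verify_hash_only(repacked),
        "hash_corrupted": verify_hash_only(corrupted),
        "auth_original": verify_authenticated(original, tag, vendor_key),
        "auth_repacked": verify_authenticated(repacked, tag, vendor_key),
    }

if __name__ == "__main__":
    print(demo())
```

The hash-only verifier accepts the repackaged image because the digest travels with the data it protects; the keyed check rejects it because the tag cannot be regenerated without the vendor key.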

Routers, IP Cameras/Phones & IoT Devices can be Security Risks even with the Latest Firmware, and a Strong Admin Password

October 6th, 2016 43 comments

I’ve just read an interesting article entitled “who makes the IoT things under attack”, explaining that devices connected to the Internet such as routers, IP cameras, IP phones, etc. may be used by botnets to launch DDoS attacks, and they do so using the default username and password. So you may think that once you’ve updated the firmware when available, and changed the default admin/admin in the user interface, you’d be relatively safe. You’d be wrong, because the malware mentioned in the article, Mirai, uses Telnet or SSH, trying a bunch of default usernames and passwords.

That made me curious, so I scanned the ports on my TP-Link wireless router and ZTE ZXHN F600W fiber-to-the-home GPON modem pictured below, and installed by my Internet provider, the biggest in the country where I live, so there may be hundreds of thousands or millions of such modems in the country with the same default settings.

I’ve started by scanning the TP-Link router in the local network:

UPnP and the web interface ports are open, plus an extra port likely opened by UPnP, which looked fine.

Now I did the same on the ZTE modem in the local network first:

The telnet port is open, that’s not good… It would be much worse if it was also open on the public IP:

Oh boy…. That’s not good at all. Can I access it from the outside?

No, because I don’t know the password. That is until I do a quick web search and find this video telling me to use root and Zte521 to login to ZTE modem. Bingo!

That’s huge as it means millions of modem routers can be accessed (likely) around the world with minimal knowledge, I would not even consider this a hack…. Telnet is also kind enough to return the modem model number (F600W), so any script would be able to detect that and try the default username / password. This little trick should also work on other ZTE modems/routers, and since the HTTP server is also running by default, you don’t even need to check the model number as the server field indicates it’s a ZTE device…

I don’t know if the Internet provider uses telnet for any purpose, but it could be a good idea to at least change the password or completely disable the service. However the rootfs is in read-only mode:

Normally, this is no problem as you can remount the root partition in read/write mode:

But it’s not working in this case… I’m sure there must be a way to remount the system to change the password, or edit the configuration to disable telnet, but I have not found a solution yet. These are the commands at our disposal:

BusyBox v1.01 (2015.01.15-08:36+0000) multi-call binary

Currently defined functions:
[, ash, awk, brctl, busybox, cat, chmod, chrt, cmp, cp, cut, date,
df, diagput, echo, egrep, free, fuser, getty, grep, hexdump, hostname,
ifconfig, init, insmod, kill, killall, linuxrc, ln, login, ls,
lsmod, mkdir, mknod, mount, mv, passwd, ping, ping6, ps, pwd,
reboot, rm, rmdir, rmmod, sed, sh, sleep, sync, taskset, test,
tftp, top, traceroute, umount, wget

A temporary solution is to kill telnet:

But obviously telnet will run again at next boot time…

Anyway, it would be good if the service providers could make sure to change the default password before installing them on the customer premises, and hopefully, they’ll be able to change the password, or disable them remotely in due time…

ArduBoy Arduino Compatible Portable Game Console Sells for $39

September 9th, 2016 1 comment

Arduboy feels like the little brother of the PocketCHIP portable & hackable game console with its transparent case, but instead of running Linux on a 32-bit ARM processor, Arduboy is based on the same Atmel ATmega32u4 MCU used in Arduino Leonardo & Micro boards.

Arduboy specifications:

  • MCU – Atmel ATmega32u4 AVR MCU with 32KB flash, 2.5KB RAM, and 1KB EEPROM
  • Display – 128×64 1-bit OLED display
  • USB – 1x micro USB 2.0 port for power and programming
  • User Inputs – 6x momentary tactile buttons
  • Audio – 2 channel Piezo Speaker
  • Misc – 1x LED
  • Battery – 180 mAh Thin-Film Li-Po battery good for over 8 hours

Besides the Arduino IDE, the board can also be programmed with Codebender, GCC & AVRDude. There’s also a fairly long list of games to play with, and it can be hacked as a virtual business card, a USB mouse and keyboard, a synthesizer, and more.

The Arduino game console was first launched via Kickstarter last year, raised $433,038 from 7,221 backers, and was shipped to all backers in August. However, it’s now available for pre-order on the Arduboy website for $39, and SeeedStudio is organizing a crowdbuy where it can be had for $37.95. More details can be found on the Arduboy website, which features a community forum and a getting started guide.


USB Fun – Tiny USB WiFi and Hub Boards and micro USB Hub

September 1st, 2016 10 comments

I’ve come across a few interesting tiny USB boards and hubs in the last few days, so instead of writing a post for each, I’ve gathered all info into a single article.

Small ESP8285 USB Board

A couple of weeks ago, CNLohr released his first ESPUSB virtual USB implementation for ESP8266, allowing USB to be used without external hardware, barring a resistor, and with only two GPIOs. He has now made a tiny board based on ESP8285 with a USB interface leveraging ESPUSB.

Hardware files can be found on GitHub. So what can you do with it? CNLohr leveraged the work of the community in order to emulate a keyboard and mouse using a smartphone.

The only bit of bad news in the video is that finally USB full speed (12 Mbps) can’t be supported.

NanoUSB Hub Board

Mux wanted to add more USB devices to his tablets, but there was no free port, so he decided to create a USB hub board small enough to fit inside tablets. Called NanoUSB, it measures just 12x12x1.5mm, and provides two USB ports from one USB host port in the target hardware.

He could use it to add a Bluetooth USB dongle inside the Cube i7 Stylus tablet as shown in the video below.

You can find documentation on Muxtronics, and purchase the board on Tindie for $8.90 + shipping.

Micro USB hub

Smartphones usually only have one micro USB OTG port or USB-C port, but if, for example, you want to re-purpose your smartphone for other tasks, or want to use a USB device while charging your phone, you’d need a hub connected via a USB OTG adapter. Another solution is to directly use a micro USB hub with 3 USB ports and one micro USB port, which I found on DealExtreme for $4.71 including shipping.

It could also be useful for the Raspberry Pi Zero board, for example. If you have a more recent device with a USB-C connector you might consider a USB-C to USB hub instead. DX sells one for $5.12.


ESP8266 Gets USB Support Thanks to ESPUSB Software Stack

August 8th, 2016 5 comments

Neither ESP8266 nor ESP32 support USB, so what am I babbling about? No, ESP8266 did not suddenly grow a USB PHY, but cnlohr decided to implement virtual USB support using two GPIOs (12 & 13) for the D+/D- USB signals, meaning you can connect any ESP8266 module through USB, or even update the firmware through USB without external hardware, apart from a single extra resistor.

The source code is available in the espusb repo on GitHub. Please note that the code is currently a work in progress, and the USB implementation currently only works at 1.5 Mbit/s, with potential future support for 12 Mbit/s.

That’s the demo, and an explanation about the design process.


DIY Wireless Window/Glass Mounted Camera Based on Raspberry Pi Zero Board

June 22nd, 2016 2 comments

A few weeks ago, the Raspberry Pi foundation announced a new version of the Raspberry Pi Zero with a CSI camera connector. Since the solution is quite lightweight, Steven Cassidy had the idea to make a WiFi enabled window camera by soldering a USB WiFi module and fitting the hardware to a plastic part with two suction cups.

Once the assembly is done, you can stick the hardware to a window or glass of your choice in your home, car, aquarium, etc…

If you like the concept but would like to have something working out of the box instead of making your own, the Pi Hut has designed ZeroView on the same principle, which will sell for 7 GBP (~$10.3).

Pebble 2 & Time 2 Smartwatches, and Pebble Core for Runners and Hackers Launched on Kickstarter

May 25th, 2016 No comments

Pebble launched one of the first smartwatches in 2012, and is now one of the most famous names for wearables. The company has now launched another crowdfunding campaign for three wearables: Pebble 2 & Time 2 watches, and Pebble Core, which can either be used as a fitness tracker for runners, or by hardware hackers to play with IoT apps.

Pebble 2 and Time 2 can receive notifications from your Android or iOS smartphone, include a built-in HRM for activity tracking and a microphone for voice recording and SMS, and are waterproof up to 30 meters. To me the two key features of Pebble wearables are always-on displays and long battery life, and the two new watches have a black & white (Pebble 2) or color (Time 2) always-on display, and up to one week of battery life for Pebble 2, and 10 days for Time 2.

Pebble Core is a completely new device for the company and available in two versions: one for runners, one for hackers. Core is a lightweight 3G, Bluetooth, and WiFi connected clip that can replace your phone while running, or during other activities where you don’t really want to take your phone with you. It can stream music from Spotify or play music from the 4GB built-in storage, track your pace, distance and location with GPS, and even send an emergency SMS. A microphone will also allow you to take voice notes. The battery is good enough for 9 hours of GPS tracking or offline music playing, and Bluetooth connectivity makes it possible to pair it with your Pebble watch to control music playback and monitor activity tracking.

Core for Hackers has many of the same features with GPS, 3G, WiFi and Bluetooth, and is said to run Android 5.0. The device features two buttons that can be programmed to unlock your car, turn on/off your lights, record voice notes, etc. Voice recording would require a Bluetooth or wired headset. The Core is normally charged via USB cable, but it can be optionally charged with a $20 wireless pad.

Pebble Core goes for as low as $69, Pebble 2 for $99 and up, and Time 2 for $179 (All $169 early bird rewards are gone). Shipping is not included and adds $10 to $15, with delivery scheduled for September – October 2016 for the two smartwatches, and January 2017 for the Core.

AAduino Arduino Compatible Board Fits Neatly into an AA Battery Holder

April 19th, 2016 2 comments

Johan Kanflo has been using Arduino compatible boards based on Tiny328 MCU with an ISM radio module (wireless Arduino clone), but he found that finding a case was not easy, and was not quite ready to design his own and print it with a 3D printer. So instead he shrank the board to fit into an AA battery case bought on Ebay, with two AA batteries taking the remaining slots. That’s the result.

AAduino board specifications:

  • MCU – Atmel ATMega328p clocked at 8 MHz to save power
  • Radio – RFM69C ISM transceiver module
  • Sensors – Two DS18B20 temperature sensors
  • Misc – Indicator LED
  • Keystone battery terminals rotated 180° to act as positive and negative terminals.
  • Power – 2x AA batteries
Triple AA Battery Case Closed

The project is also open source hardware, with all hardware files released under the MIT license on Github, where you’ll also find a demo sketch for the board.

Via Free Electrons Tweet
