Evilsploit – A Universal Hardware Hacking Toolkit

Presented at Black Hat USA 2017, July 26, 2017, 4 p.m. (50 minutes)

Hardware hacking is about understanding the inner working mechanism of hardware. Most of the time, the hardware hacking process starts with reversing. From the hardware point of view, static reversing includes uncovering the schematic and disassembling the binary, while dynamic reversing includes finding a way to debug the hardware and to fuzz it accordingly. In practice, it is almost standard operating procedure to obtain the binary of the hardware and then reverse it. As a supplementary technique to static binary reversing, debugging allows the real hardware operation process to be demystified at run time. In fact, the binary itself can be obtained by applying debugging techniques when it is not available from the manufacturer. So it is crucial to figure out the provisioning ports of the hardware in order to start performing hardware hacking. The conventional approach to identifying provisioning ports is to use pin finder toolkits such as JTAGulator. However, this is impractical and inefficient: once a provisioning port has been found, another toolkit such as Shikra has to be used to manipulate it. This is not only prone to error but also not hacker-friendly. So it is important to find a way to fill the gap between the provisioning port identification and manipulation processes. This allows the hardware hacking process to be automated by making it scriptable at a high level. We will present a new method that allows provisioning port identification and manipulation using a connection matrix. With this, it is possible to construct arbitrary analog-like connections in array form to implement every pattern of interconnect between the bus interfacing chip and the target. Hence, once the appropriate provisioning port has been figured out, it is immediately ready to be used for debugging or firmware dumping purposes.
It is also an ideal assistive toolset for unknown signal analysis, side-channel analysis (SCA), and fault injection (FI).
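The abstract's central idea is that a connection matrix lets the channels of a bus-interfacing chip be routed onto arbitrary target pins in software, so the configuration found during port identification is the same one used afterwards for debugging. The model below is an added example, not Evilsploit's code or API: it represents the matrix as a boolean crossbar, refuses configurations that would tie two channels to one pin (or one channel to two pins), enumerates candidate routings for a set of channel roles, and leaves the first routing the probe accepts in place. The target pin positions, the channel role names and the probe function are constructed stand-ins; on real hardware the probe would perform a bus transaction such as reading an ID register.

```python
"""Hypothetical connection-matrix model for scripted provisioning-port search.

Rows of the crossbar are channels of the bus-interfacing chip, columns are
target pins.  A closed switch at (channel, pin) wires that channel to that pin.
"""
from itertools import permutations
from typing import Callable, Dict, Iterable, Optional


class ConnectionMatrix:
    """Boolean crossbar with a one-to-one guard: a pin may be driven by at most
    one channel and a channel routed to at most one pin, so two drivers are
    never shorted together by a careless script."""

    def __init__(self, channels: int, pins: int) -> None:
        self.channels = channels
        self.pins = pins
        self._switch = [[False] * pins for _ in range(channels)]

    def close(self, channel: int, pin: int) -> None:
        """Close one switch, rejecting out-of-range or conflicting routes."""
        if not (0 <= channel < self.channels and 0 <= pin < self.pins):
            raise IndexError("switch coordinates out of range")
        if any(self._switch[channel]):
            raise ValueError(f"channel {channel} is already routed")
        if any(row[pin] for row in self._switch):
            raise ValueError(f"pin {pin} is already driven")
        self._switch[channel][pin] = True

    def open_all(self) -> None:
        """Open every switch (all channels disconnected from the target)."""
        for row in self._switch:
            for i in range(self.pins):
                row[i] = False

    def routing(self) -> Dict[int, int]:
        """Return {channel: pin} for every closed switch."""
        return {c: row.index(True) for c, row in enumerate(self._switch) if True in row}

    def apply(self, mapping: Dict[int, int]) -> None:
        """Replace the current configuration with the given {channel: pin} map."""
        self.open_all()
        for channel, pin in mapping.items():
            self.close(channel, pin)


def candidate_mappings(channels: Iterable[int], pins: Iterable[int]):
    """Yield every one-to-one assignment of the channels onto the pins."""
    channel_list = list(channels)
    for chosen in permutations(list(pins), len(channel_list)):
        yield dict(zip(channel_list, chosen))


def find_port(matrix: ConnectionMatrix, channels: Iterable[int], pins: Iterable[int],
              probe: Callable[[ConnectionMatrix], bool]) -> Optional[Dict[int, int]]:
    """Configure the matrix for each candidate routing and ask the probe whether
    the target answered.  The accepted routing stays configured, which is the
    point of doing identification and manipulation through the same matrix."""
    for mapping in candidate_mappings(channels, pins):
        matrix.apply(mapping)
        if probe(matrix):
            return mapping
    matrix.open_all()
    return None


# Constructed stand-in for an unknown target: which header pin carries each signal.
SIMULATED_TARGET_PINS = {"TCK": 3, "TMS": 1, "TDI": 5, "TDO": 0}
# Constructed role assignment for four channels of the bus-interfacing chip.
CHANNEL_ROLES = {0: "TCK", 1: "TMS", 2: "TDI", 3: "TDO"}


def simulated_probe(matrix: ConnectionMatrix) -> bool:
    """Stand-in for a real bus transaction: succeeds only when every channel
    lands on the pin the simulated target expects for its role."""
    expected = {c: SIMULATED_TARGET_PINS[role] for c, role in CHANNEL_ROLES.items()}
    return matrix.routing() == expected


if __name__ == "__main__":
    m = ConnectionMatrix(channels=4, pins=6)
    found = find_port(m, CHANNEL_ROLES.keys(), range(6), simulated_probe)
    print("port found:", found)          # {0: 3, 1: 1, 2: 5, 3: 0}
    print("matrix still routed:", m.routing() == found)
```

The search is exhaustive over one-to-one routings (360 candidates for four channels over six pins), which is what makes it scriptable: the same loop works for a UART search with two channels or an SPI search with four, only the probe changes.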

Presenters:

  • Chui Yew Leong - Systems Architect, Guangzhou TYA Information Technology Co., Ltd.
    Chui Yew Leong is the systems architect of Guangzhou TYA Information Technology Co., Ltd., a company offering contemporary system design services for all kinds of digital-based solutions, ranging from an individual product to a fully integrated solution. He is also the systems architect of AEX System Pty., Ltd., a large-scale network-based public address system manufacturer. Embedded hardware and software design are his daily job scope.
  • Mingming Wan - Senior Hardware Engineer, Guangzhou TYA Information Technology Co., Ltd.
    Wan Mingming is the senior hardware engineer of Guangzhou TYA Information Technology Co., Ltd., a company offering contemporary system design services for all kinds of digital-based solutions, ranging from an individual product to a fully integrated solution. Embedded hardware and software design are his daily job scope.
