For day two of DEF CON, I checked out tamper-evident devices, the contests area, and a few embedded talks. Read all about it after the break.
Even if he hadn’t done any firmware hacking on this hard drive, [Sprite_TM’s] digital exploration of the controller is fascinating. He gave a talk at this year’s Observe, Hack, Make (OHM2013), a non-commercial, community-run event in the Netherlands, and we can’t wait for the video. But all the information on how he hacked into the three-core controller chip is included in his write-up.
[Sprite_TM] mentions that you’re not going to find datasheets for the controllers on these drives. He got his foot in the door after finding a JTAG pinout mentioned in a forum post. The image above shows his JTAG hardware, which he’s controlling with OpenOCD. This led him to discover that there are three cores inside the controller, each used for a different purpose. The difference between [Sprite_TM’s] work and that of mere mortals is that he has a knack for drawing surprisingly accurate conclusions from meager clues. To see what we mean, check out the memory map for the second core, which he posted on page 3 of his article.
Using JTAG he was able to inject a jump into the code (along with a filler word to keep the checksum valid) and run his own code. To begin the firmware hacking portion of the project he pulled the flash ROM off of the board and installed it on that little board sticking out on the left. This made it easy for him to back up and reflash the chip. Eventually this let him pull off the same proof of concept as a firmware-only hack (no JTAG necessary). He goes on to detail how an attacker who has root access could flash hacked firmware which compromises data without any indication to the system admin or user. But we also like his suggestion that you should try this out on your broken hard drives to see if you can reuse the controllers for embedded projects. That idea is a ton of fun!
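The "filler word to keep the checksum valid" detail is worth dwelling on from the defender's side. The following is an added illustration, not code from [Sprite_TM]'s write-up, and it does not reproduce the drive controller's real integrity scheme: it assumes a hypothetical 32-bit additive checksum over little-endian words and a constructed eight-word sample image. It shows why such a checksum gives no tamper evidence at all (any changed word can be balanced by adjusting another), and why pinning a cryptographic digest of a known-good dump, or verifying a vendor signature, is what actually catches a modified image.

```python
import hashlib
import struct

# Assumption: the image is protected by a 32-bit additive checksum over
# little-endian words. This is a hypothetical scheme chosen for illustration,
# not the drive controller's actual one.
WORD = struct.Struct("<I")
MASK = 0xFFFFFFFF

# Constructed sample "firmware": the eight words 1..8 (not real controller code).
SAMPLE_IMAGE = b"".join(WORD.pack(w) for w in range(1, 9))


def additive_checksum(image: bytes) -> int:
    """Sum of all 32-bit words modulo 2**32."""
    if len(image) % WORD.size:
        raise ValueError("image length must be a multiple of 4 bytes")
    return sum(w for (w,) in WORD.iter_unpack(image)) & MASK


def patch_with_filler(image: bytes, offset: int, new_word: int, filler_offset: int) -> bytes:
    """Replace the word at `offset` and adjust the word at `filler_offset` so the
    additive checksum of the whole image is unchanged.

    This models the filler-word trick described above: an additive checksum only
    constrains the sum, so one change can always be cancelled by another."""
    old_word = WORD.unpack_from(image, offset)[0]
    old_filler = WORD.unpack_from(image, filler_offset)[0]
    delta = (old_word - new_word) & MASK
    out = bytearray(image)
    WORD.pack_into(out, offset, new_word)
    WORD.pack_into(out, filler_offset, (old_filler + delta) & MASK)
    return bytes(out)


def verify_image(image: bytes, expected_sum: int, expected_sha256: bytes) -> dict:
    """Run both integrity checks and report which ones pass.

    The defensive point: compare against a digest taken from a known-good dump
    (or a vendor signature), never against the in-image checksum alone."""
    return {
        "checksum": additive_checksum(image) == expected_sum,
        "sha256": hashlib.sha256(image).digest() == expected_sha256,
    }


def demo() -> dict:
    """Patch word 0 of the sample, balance it with word 7, then verify."""
    good_sum = additive_checksum(SAMPLE_IMAGE)
    good_hash = hashlib.sha256(SAMPLE_IMAGE).digest()
    tampered = patch_with_filler(SAMPLE_IMAGE, offset=0, new_word=0x1000, filler_offset=28)
    return verify_image(tampered, good_sum, good_hash)


if __name__ == "__main__":
    print(demo())  # {'checksum': True, 'sha256': False}
```

Running `demo()` shows the additive checksum still matching after the patch while the SHA-256 of the image no longer does; the same comparison against a stored known-good dump is the cheapest way to notice that a drive's flash contents have drifted from what the vendor shipped.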
When we were poking around the OHM2013 website (linked above) we noticed that the tickets are sold out; good for them! But if you were still able to buy them, they take Bitcoin as one payment option. Are there any other conferences that allow Bitcoin for registration?
Ever wanted to make the jump from microcontrollers to logic chips? Although not technically the same thing, we consider FPGA and CPLD devices to be in similar categories. Like FPGAs, Complex Programmable Logic Devices let you build hardware inside of a chip. And if you’ve got the knack for etching circuit boards, you can now build your own CPLD development module. Long-time Hackaday readers will remember our own offering in this area.
Our years of microcontroller experience have taught us a mantra: if it doesn’t work, it’s a hardware problem. We have a knack for wasting hours trying to figure out why our code doesn’t work. The majority of the time it’s a hardware issue. And this is why you might not want to design your own dev tools when just starting out. But one thing this guide has going for it is incremental testing. After etching and inspecting the board, it is populated in stages. There is test code available for each stage that will help verify that the hardware is working as expected.
The CPLD is programmed using that 10-pin header. If you don’t have a programmer you can build your own that uses a parallel port. Included on the board is an ATtiny2313 which is a nice touch as it can simulate all kinds of different hardware to test with your VHDL code. There is also a row of LEDs, a set of DIP switches, and a few breakout headers to boot.
This method requires only four signals (TDI, TMS, TCK and TDO) plus ground. But the problem is that an RS232 serial port operates with 12V logic levels, while the JTAG side of the programmer needs to operate at the logic levels native to the device you’re programming. Commercial programmers use a level-converter IC to take care of this for you, but that doesn’t mesh with the low-cost goal of this project. Instead, [Nicholas] uses Zener diodes and voltage dividers to make the conversion. There is also an LED for each data signal to give some feedback if you’re having trouble.
You can use this along with a programming application that [Nicholas] whipped up using Visual Studio. It works well via a native serial port, but he also tried programming with a USB-to-serial dongle. He found that this method slows the process down to an unbearable five minutes. Take a look; maybe you can help get that sloth-like programming up to a manageable speed.
[Bingo] did some work porting Versaloon for STM8 and STM32 discovery boards. Versaloon is a multiple-architecture programmer that we saw a few weeks back. At its center is an STM32 microprocessor, which greatly simplifies the work necessary to use the two discovery boards instead. Flashing the firmware to the boards will zap the ST-link firmware and [Bingo] doesn’t know of a way to restore that so be warned. This hack is still pretty fresh off the bench, but so far it looks like vsprog and OpenOCD both work just fine with the new hardware.
Versaloon is an open source, USB-connected project that centers around an STM32 processor and provides a standard JTAG pinout. Above you see the Nano version, which has a 10-pin JTAG connector, but there is also a 20-pin option on the Handy model. Great, another JTAG programmer. Well, this can do a bit more than that. With a bit of help from the software it has been turned into a programmer for ten different types of hardware. Obviously this should be able to program anything that works with the JTAG protocol, but the script adapts it to work as an In-System (or In-Circuit) Programmer too. So far the list of programming targets includes STM32, LPC1000, LPC900, STM8, AVR8, MSP430, and a few others.
We had some trouble finding an actual picture of this hardware. If you’ve got one, snap a picture and leave a link to it in the comments along with your thoughts on the device.
[Firestorm_v1] has done a fabulous write-up on not only resurrecting his dead DockStar with JTAG, but also including some handy techniques and useful information that could be used with other hardware and JTAG-equipped devices.
The tutorial itself goes into the details of finding the JTAG port, correctly identifying the pins, and making an adapter cable. It then covers wiring up a TIAO parallel JTAG kit and, finally, flashing and uploading firmware to the deceased DockStar to give it new life.
While the fun stops a little short, we’ll be sure to keep an eye out for [Firestorm_v1’s] future plans involving these surprisingly useful (read: hackable) storage devices. A “roving USB camera with WiFi”, we hear?