34C3: Hacking Into A CPU’s Microcode

Inside every modern CPU since the Intel Pentium fdiv bug, assembly instructions aren’t a one-to-one mapping to what the CPU actually does. Inside the CPU, there is a decoder that turns assembly into even more primitive instructions that are fed into the CPU’s internal scheduler and pipeline. The code that drives the decoder is the CPU’s microcode, and it lives in ROM that’s normally inaccessible. But microcode patches have been deployed in the past to fix up CPU hardware bugs, so it’s certainly writeable. That’s practically an invitation, right? At least a group from the Ruhr University Bochum took it as such, and started hacking on the microcode in the AMD K8 and K10 processors.

The hurdles to playing around in the microcode are daunting. The microcode turns assembly language into something, but the instruction set that the inner CPU, ALU, et al. actually use was completely unknown. [Philip] walked us through their first line of attack, which was essentially guessing in the dark. First they mapped out where each x86 instruction went in the microcode ROM. Using this information, and the ability to update the microcode, they could load and execute arbitrary microcode. They still didn’t know anything about the microcode itself, but they knew how to run it.

So they started uploading random microcode to see what it did. This random microcode crashed almost every time. The rest of the time, there was no difference between the input and output states. But then, after a week of running, a breakthrough: the microcode XOR’ed. From this, they found out the syntax of the command and began to discover more commands through trial and error. Quite late in the game, they went on to take the chip apart and read out the ROM contents with a microscope and OCR software, at least well enough to verify that some of the microcode operations were burned in ROM.

The result was 29 microcode operations including logic, arithmetic, load, and store commands — enough to start writing microcode programs. The first microcode programs written helped with further discovery, naturally. But before long, they wrote microcode backdoors that triggered when a given calculation was performed, and stealthy trojans that exfiltrate data, either encrypted or “undetectably” by programmatically introducing faults into calculations. This means nearly undetectable malware that’s resident inside the CPU. (And you think the Intel Management Engine hacks made you paranoid!)

[Benjamin] then bravely stepped us through the browser-based attack live, first in a debugger where we could verify that their custom microcode was being triggered, and then outside of the debugger where suddenly xcalc popped up. What launched the program? Calculating a particular number on a website from inside an unmodified browser.

He also demonstrated the introduction of a simple mathematical error into the microcode that made an encryption routine fail when another particular multiplication was done. While this may not sound like much, if you paid attention in the talk on revealing keys based on a single infrequent bit error, you’d see that this is essentially a few million times more powerful because the error occurs every time.

The team isn’t done with their microcode explorations, and there’s still a lot more of the command set left to discover. So take this as a proof of concept that nearly completely undetectable trojans could exist in the microcode that runs between the compiled code and the CPU on your machine. But, more playfully, it’s also an invitation to start exploring yourself. It’s not every day that an entirely new frontier in computer hacking is bust open.

Ergonomic Keyboard Designed From The Ground Up

In 2011, [Fabio] had been working behind a keyboard for about a decade when he started noticing wrist pain. This is a common long-term injury for people at desk jobs, but rather than buy an ergonomic keyboard he decided that none of the commercial offerings had all of the features he needed. Instead, he set out on a five-year journey to build the perfect ergonomic keyboard.

Part of the problem with other solutions was that no keyboards could be left in Dvorak (a keyboard layout [Fabio] finds improves his typing speed) after rebooting the computer, and Arduino-based solutions would not make themselves available to the computer’s BIOS. Luckily he found the LUFA keyboard library, and then was able to salvage a PCB from another keyboard. From there, he programmed everything on a Teensy microcontroller, added an OLED screen, and soldered it all together (including a set of Cherry MX switches).

Of course, the build wasn’t truly complete until recently, when a custom two-part case was 3D printed. The build quality and attention to detail in this project is impressive, and if you want to roll out your own [Fabio] has made all of the CAD files and software available. Should you wish to incorporate some of his designs into other types of specialized keyboards, there are some ideas floating around that will surely improve your typing or workflow.

Sound Isolated Server Rack

Servers are most often found in climate controlled data centers. This means they aren’t exactly built for creature comforts like quiet operation. Quite the contrary — many server chassis include fans which absolutely scream when the machine is under load. [Whiskykilo] needed to set up a 12 U rack in his basement for working from home. He knew the sound would get on anyone’s nerves, but especially on those of his wife.

To solve this problem, he built a sound isolated rack. The build started with a standard 12 U metal rack frame. This is wrapped in 1/2″ MDF coated with automotive sound deadening material. An outer frame built of 1×4 lumber is clad with another layer of 1/2″ MDF. Isolating the inner and outer boxes made the biggest contribution to quieting down the noisy servers.

Computers need to breathe, so the front and back doors of the rack enclosure include banks of intake and exhaust fans to keep air flowing through the servers. Two AC Infinity controllers keep the fans operating and monitor temperature. These machines do generate some heat – so 64 °F (18 °C) intake and 81 °F (27 °C) exhaust is not unheard of. The servers don’t seem to mind running at these temperatures. A Raspberry Pi 3 keeps an eye on UPS operation and displays the data on a 7″ HDMI LCD.

Interested in running a server at home? You don’t have to go to the lumberyard – check out this server made with Ikea components, or this server built from 96 MacBook Pros.

Micro-ATX Arduino Is The Ultimate Breakout Board

If you’ve been hanging around microcontrollers and electronics for a while, you’re surely familiar with the concept of the breakout board. Instead of straining to connect wires and components to ever-shrinking ICs and MCUs, a breakout board makes it easier to interface with the device by essentially making it bigger. The Arduino itself, arguably, is a breakout board of sorts. It takes the ATmega chip, adds the hardware necessary to get it talking to a computer over USB, and brings all the GPIO pins out with easy to manage header pins.

But what if you wanted an even bigger breakout board for the ATmega? Something that really had some leg room. Well, say no more, as [Nick Poole] has you covered with his insane RedBoard Pro Micro-ATX. Combining an ATmega32u4 microcontroller with standard desktop PC hardware is just as ridiculous as you’d hope, but surprisingly does offer a couple tangible benefits.

RedBoard PCB layout

The RedBoard is a fully compliant micro-ATX board, and will fit in pretty much any PC case you may have lying around in the junk pile. Everything from the stand-off placement to the alignment of the expansion card slots has been designed so it can drop right into the case of your choice.

That’s right, expansion slots. It’s not using PCI, but it does have a variation of the standard Arduino “shield” concept using 28 pin edge connectors. There’s a rear I/O panel with a USB port and ISP header, and you can even add water cooling if you really want (the board supports standard LGA 1151 socket cooling accessories).

While blowing an Arduino up to ATX size isn’t exactly practical, the RedBoard is not without legitimate advantages. Specifically, the vast amount of free space on the PCB allowed [Nick] to add 2Mbits of storage. There was even some consideration to making removable banks of “RAM” with EEPROM chips, but you’ve got to draw the line somewhere. The RedBoard also supports standard ATX power supplies, which will give you plenty of juice for add-on hardware that may be populating the expansion slots.

With as cheap and plentiful as the miniITX and microATX cases are, it’s no surprise people seem intent on cramming hardware into them. We’ve covered a number of attempts to drag other pieces of hardware kicking and screaming into that ubiquitous beige-box form factor.

CNC’d MacBook Breathes Easy

Sick of his 2011 Macbook kicking its fans into overdrive every time the temperatures started to climb, [Arthur] decided to go with the nuclear option and cut some ventilation holes into the bottom of the machine’s aluminum case. But it just so happens that he had the patience and proper tools for the job, and the final result looks good enough that you might wonder why Apple didn’t do this to begin with.

After disassembling the machine, [Arthur] used double-sided tape and a block of scrap wood to secure the Macbook’s case to the CNC, and cut out some very slick looking vents over where the internal CPU cooler sits. With the addition of some fine mesh he found on McMaster-Carr, foreign objects (and fingers) are prevented from getting into the Mac and messing up all that Cupertino engineering.

[Arthur] tells us that the internal temperature of his Macbook would hit as high as 102 °C (~215 °F) under load before his modification, which certainly doesn’t sound like something we’d want sitting in our laps. With the addition of his vents however, he’s now seeing an idle temperature of 45 °C to 60 °C, and a max of 82 °C.

In the end, [Arthur] is happy with the results of his modification, but he’d change a few things if he were to do it again. He’s somewhat concerned about the fact that the mesh he used for the grille isn’t non-conductive (he’s using shims of card stock internally to make sure it doesn’t touch anything inside), and he’d prefer the peace of mind of having used epoxy to secure it all together rather than super-glue. That said, it works and hasn’t fallen apart yet; basically the hallmarks of a successful hack.

It’s worth noting that [Arthur] is not the first person to struggle with the Macbook’s propensity for cooking itself alive. A few years back we covered another user who added vents to their Macbook, but not before they were forced to reflow the whole board because some of the solder joints gave up in the heat.

What You Need To Know About The Intel Management Engine

Over the last decade, Intel has been including a tiny little microcontroller inside their CPUs. This microcontroller is connected to everything, and can shuttle data between your hard drive and your network adapter. It’s always on, even when the rest of your computer is off, and with the right software, you can wake it up over a network connection. Parts of this spy chip were included in the silicon at the behest of the NSA. In short, if you were designing a piece of hardware to spy on everyone using an Intel-branded computer, you would come up with something like the Intel Management Engine.

Last week, researchers [Mark Ermolov] and [Maxim Goryachy] presented an exploit at BlackHat Europe allowing for arbitrary code execution on the Intel ME platform. This is only a local attack, one that requires physical access to a machine. The cat is out of the bag, though, and this is the exploit we’ve all been expecting. This is the exploit that forces Intel and OEMs to consider the security implications of the Intel Management Engine. What does this actually mean?


Biometric Authentication With A Cheap USB Hub

It’s fair to say that fingerprints aren’t necessarily the best idea for device authentication, after all, they’re kind of everywhere. But in some cases, such as a device that never leaves your home, fingerprints are an appealing way to speed up repetitive logins. Unfortunately, fingerprint scanners aren’t exactly ubiquitous pieces of hardware yet. We wouldn’t hold out much hope for seeing a future Raspberry Pi with a fingerprint scanner sitting on top, for example.

Looking for a cheap way to add fingerprint scanning capabilities to his devices, [Nicholas] came up with a clever solution that is not only inexpensive, but multi-functional. By combining a cheap USB hub with a fingerprint scanner that was intended as a replacement part for a Thinkpad laptop, he was able to put together a biometric USB hub for around $5 USD.

After buying the Thinkpad fingerprint scanner, he wanted to make sure it would be detected by his computer as a standard USB device. The connector and pinout on the scanner aren’t standard, so he had to scrape off the plastic coating of the ribbon cable and do some probing with his multimeter to figure out what went where. Luckily, once he found the ground wire, the order of the rest of the connections was unchanged from normal USB.

When connected to his Ubuntu machine, the Thinkpad scanner came up as a “STMicroelectronics Fingerprint Reader”, and could be configured with libpam-fprintd.
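What the libpam-fprintd step looks like in PAM, as an added illustration rather than [Nicholas]’s own configuration: the two stanzas contrast a fingerprint that replaces the password with one that is stacked on top of it, which matters given the point above that fingerprints are a weak sole factor. The file path is the Debian/Ubuntu layout and is an assumption for other distributions; prints are enrolled beforehand with fprintd-enroll.

```conf
# /etc/pam.d/common-auth (assumed Debian/Ubuntu path; other distros differ)

# Variant A: a matched fingerprint is SUFFICIENT, so the password line below is
# skipped entirely. Anyone who can reproduce the print gets in with nothing else.
auth  sufficient  pam_fprintd.so timeout=10 max-tries=3
auth  required    pam_unix.so

# Variant B: the fingerprint is REQUIRED in addition to the password. Both modules
# must pass, so the print only adds friction for an attacker, never removes it.
# Keep exactly one variant active; the other lines are shown here for contrast.
# auth  required    pam_fprintd.so timeout=10 max-tries=3
# auth  required    pam_unix.so
```

On Ubuntu this file is managed by pam-auth-update, so hand edits can be overwritten on package upgrades; the same stanzas belong in a profile under /usr/share/pam-configs/ there.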

With the pinout and software configuration now known, all that was left was getting it integrated into the USB hub. One of the hub’s ports was removed and filled in with hot glue, and the fingerprint scanner connected in its place. A hole was then cut in the case of the hub for the scanner to peek out of. [Nicholas] mentions his Dremel is on loan to somebody else at the moment, and says he’ll probably try to clean the case and opening up a bit when he gets it back.

[Nicholas] was actually inspired to tackle this project based on a Hackaday post he read awhile back, so this one has truly come full circle. If you’d like to learn more about fingerprint scanning and the techniques being developed to improve it, we’ve got some excellent articles to get you started.