34C3: Hacking Into A CPU’s Microcode

December 28, 2017 by Elliot Williams 67 Comments

Inside every modern CPU since the Intel Pentium fdiv bug, assembly instructions aren’t a one-to-one mapping to what the CPU actually does. Inside the CPU, there is a decoder that turns assembly into even more primitive instructions that are fed into the CPU’s internal scheduler and pipeline. The code that drives the decoder is the CPU’s microcode, and it lives in ROM that’s normally inaccessible. But microcode patches have been deployed in the past to fix up CPU hardware bugs, so it’s certainly writeable. That’s practically an invitation, right? At least a group from the Ruhr University Bochum took it as such, and started hacking on the microcode in the AMD K8 and K10 processors.

The hurdles to playing around in the microcode are daunting. It turns assembly language into something, but the instruction set that the inner CPU, ALU, et al use was completely unknown. [Philip] walked us through their first line of attack, which was essentially guessing in the dark. First they mapped out where each x86 assembly codes went in microcode ROM. Using this information, and the ability to update the microcode, they could load and execute arbitrary microcode. They still didn’t know anything about the microcode, but they knew how to run it.

So they started uploading random microcode to see what it did. This random microcode crashed almost every time. The rest of the time, there was no difference between the input and output states. But then, after a week of running, a breakthrough: the microcode XOR’ed. From this, they found out the syntax of the command and began to discover more commands through trial and error. Quite late in the game, they went on to take the chip apart and read out the ROM contents with a microscope and OCR software, at least well enough to verify that some of the microcode operations were burned in ROM.

The result was 29 microcode operations including logic, arithmetic, load, and store commands — enough to start writing microcode code. The first microcode programs written helped with further discovery, naturally. But before long, they wrote microcode backdoors that triggered when a given calculation was performed, and stealthy trojans that exfiltrate data encrypted or “undetectably” through introducing faults programmatically into calculations. This means nearly undetectable malware that’s resident inside the CPU. (And you think the Intel Management Engine hacks made you paranoid!)

[Benjamin] then bravely stepped us through the browser-based attack live, first in a debugger where we could verify that their custom microcode was being triggered, and then outside of the debugger where suddenly xcalc popped up. What launched the program? Calculating a particular number on a website from inside an unmodified browser.

He also demonstrated the introduction of a simple mathematical error into the microcode that made an encryption routine fail when another particular multiplication was done. While this may not sound like much, if you paid attention in the talk on revealing keys based on a single infrequent bit error, you’d see that this is essentially a few million times more powerful because the error occurs every time.

The team isn’t done with their microcode explorations, and there’s still a lot more of the command set left to discover. So take this as a proof of concept that nearly completely undetectable trojans could exist in the microcode that runs between the compiled code and the CPU on your machine. But, more playfully, it’s also an invitation to start exploring yourself. It’s not every day that an entirely new frontier in computer hacking is bust open.

34C3: The First Day Is A Doozy

December 27, 2017 by Elliot Williams 8 Comments

It’s 5 pm, the sun is slowly setting on the Leipzig conference center, and although we’re only halfway through the first day, there’s a ton that you should see. We’ll report some more on the culture of the con later — for now here’s just the hacks. Continue reading “34C3: The First Day Is A Doozy” →

The Most Tasteful Of Christmas Sweaters Come With A Trainset

December 25, 2017 by Jenny List 3 Comments

Ah, Christmas, the time of festive good cheer, cherubic carol-singers standing in the crunchy snow, church bells ringing out across the frozen landscape, Santa Claus in his red suit flying down the chimney with a sack of presents, the scent of Christmas meals cooking heavy upon the air, and a Canadian guy wearing a trainset.

Wait a minute, we hear you say, a Canadian guy wearing a trainset? That’s right, not satisfied with the sheer awfulness of his ugly Christmas sweater on its own, [BD594] made it extra-special by incorporating a working Christmas tree trainset into the ensemble. As if the discovery that Christmas tree trainsets are a thing was not enough, we are treated to the spectacle of one on a plywood ring suspended from a particularly obnoxious Christmas-themed garment. Not all hacks are in good taste, and in fairness we have to note that this one is tagged as comedy rather than railroad engineering.

You can view the result in the video below the break. It’s short on technical detail, which is a slight shame as even though there are few mysteries in powering a small trainset it might be interesting to know how the method used to suspend the baseboard. We’d suspect a harness underneath that jumper, as Christmas garments are built for looks rather than strength.

Continue reading “The Most Tasteful Of Christmas Sweaters Come With A Trainset” →

Hackaday At 34C3

December 24, 2017 by Elliot Williams 19 Comments

It’s that time of year. While the rest of the Christmas-celebrating world sits around and plays with the toys that they got out from under the tree, German nerds head off to the biggest European hacker con: the 34th annual Chaos Communications Congress, running Dec. 27th through 30th.

The CCC is both a grandparent among hacker cons, and the most focused on using technology to improve the world and bringing folks together. (The “communications” in the name is a dead giveaway.) This year’s motto, “tuwat!” is slangy-dialecty for “do something!” and is call to get up off the couch and use your super-powers for good.

If you can’t get over to Leipzig to join us, you’ll be able to read our extensive coverage starting up shortly after the opening ceremonies, and probably stretching well into 2018. And since the CCC media folks manage to stream every talk, hackers all over the world can follow along live. Most talks are in English, so get together with folks in your hackspace and have a video night!

And if you are in Leipzig, be on the lookout for [Elliot] who will be wandering around, attending workshops, and writing down as much as possible. Show me something cool, rave about a particularly good talk, or just say “hi”.

Fairy Dust clipart courtesy [sonoftroll].

Edward Snowden Introduces Baby Monitor For Spies

December 24, 2017 by Tom Nardi 25 Comments

Famed whistleblower [Edward Snowden] has recently taken to YouTube to announce Haven: an Open Source application designed to allow security-conscious users turn old unused Android smartphones and tablets into high-tech monitoring devices for free. While arguably Haven doesn’t do anything that wasn’t already possible with software on the market, the fact that it’s Open Source and designed from the ground up for security does make it a bit more compelling than what’s been available thus far.

Developed by the Freedom of the Press Foundation, Haven is advertised as something of a role-reversal for the surveillance state. Instead of a smartphone’s microphone and camera spying on its owner, Haven allows the user to use those sensors to perform their own monitoring. It’s not limited to the camera and microphone either, Haven can also pull data from the smartphone’s ambient light sensor and accelerometer to help determine when somebody has moved the device or entered the room. There’s even support for monitoring the device’s power status: so if somebody tries to unplug the device or cut power to the room, the switch over to the battery will trigger the monitoring to go active.

Thanks to the Open Source nature of Haven, it’s hoped that continued development (community and otherwise) will see an expansion of the application’s capabilities. To give an example of a potential enhancement, [Snowden] mentions the possibility of using the smartphone’s barometer to detect the opening of doors and windows.

With most commercially available motion activated monitor systems, such as Nest Cam, the device requires a constant Internet connection and a subscription. Haven, on the other hand, is designed to do everything on the local device without the need for a connection to the Internet, so an intruder can’t just knock out your Wi-Fi to kill all of your monitoring. Once Haven sees or hears something it wants you to know about it can send an alert over standard SMS, or if you’re really security minded, the end-to-end encrypted Signal.

The number of people who need the type of security Haven is advertised as providing is probably pretty low; unless you’re a journalist working on a corruption case or a revolutionary plotting a coup d’etat, you’ll probably be fine with existing solutions. That being said, we’ve covered on our own pages many individuals who’ve spent considerable time and effort rolling their own remote monitoring solutions which seem to overlap the goals of Haven.

So even if your daily life is more John Doe than James Bond, you may want to check out the GitHub page for Haven or even install it on one of the incredibly cheap Android phones that are out there and take it for a spin.

Continue reading “Edward Snowden Introduces Baby Monitor For Spies” →

Rickroll The Masses With A Coin Cell Throwie

December 22, 2017 by Jenny List 17 Comments

If there is one educational institution that features on these pages more than any other, it may be Cornell University. Every year we receive a pile of tips showing us the engineering term projects from [Bruce Land]’s students, and among them are some amazing pieces of work. Outside the walls of those technical departments though, we suspect that cool hacks may have been thin on the ground. English Literature majors for example contain among their ranks some astoundingly clever people, but they are not known for their handiness with a soldering iron or a lathe.

We’re happy to note then that someone at Cornell who is handy with a soldering iron has been spreading the love. In the form of coin cell powered throwies that intermittently Rickroll the inhabitants of the institution’s halls of residence. We have few technical details, but they seem to be a simple affair of a small microcontroller dead-bug soldered to a coin cell and a piezoelectric speaker. If we were embarking on such a project we’d reach for an ATtiny of some description, but similar work could be done with a PIC or any number of other families.

The Cornell Daily Sun write-up is more a work of investigative journalism detailing the perplexed residents searching for the devices than it is one of technical reference. We’re pleased to note that the university authorities have a relaxed attitude to the prank, and that no action will be taken against the perpetrator should they be found.

Thus we’d like to take a moment to reach out to the Cornell prankster, and draw their attention to our Coin Cell Challenge competition. There is still time to enter, and a Rickrolling throwie would definitely qualify. This isn’t the first tiny Rickrolling prank we’ve shown you on these pages.

Thanks [Simon Yorkston] for the tip.

Magic Leap Finally Announced; Remains Mysterious

December 21, 2017 by Mike Szczys 74 Comments

Yesterday Magic Leap announced that it will ship developer edition hardware in 2018. The company is best known for raising a lot of money. That’s only partially a joke, since the teased hardware has remained very mysterious and never been revealed, yet they have managed to raise nearly $2 billion through four rounds of funding (three of them raising more than $500 million each).

The announcement launched Magic Leap One — subtitled the Creator Edition — with a mailing list sign up for “designers, developers and creatives”. The gist is that the first round of hardware will be offered for sale to people who will write applications and create uses for the Magic Leap One.

We’ve gathered some info about the hardware, but we’ll certainly begin the guessing game on the specifics below. The one mystery that has been solved is how this technology is delivered: as a pair of goggles attaching to a dedicated processing unit. How does it stack up to current offerings?

Continue reading “Magic Leap Finally Announced; Remains Mysterious” →