PCB badges have exploded in popularity in recent years. Starting out as a fun token of entry to a conference, they’re now being developed by all manner of independent groups, with DEFCON serving as the heart of the #badgelife movement. After DEFCON 26, Kate Morris and associates decided to undertake the development of their own badge, to celebrate the 50th anniversary of the Apollo landing. Kate’s talk at the 2019 Hackaday Superconference serves to tell the tale of creating a retro game to run on a badge platform.
IoT devices rarely ever just do what they’re advertised. They’ll almost always take up more space than they need to – on top of that, their processor and memory alone should be enough to run a multitude of other tasks while not necessarily compromising the task they were built to do.
That’s partially the motivation for rooting any device, but for Xiaomi devices, it’s a bit more fun – that is to say, it’s a little bit harder when you’re reverse engineering its firmware from scratch.
Similar to his other DEF CON 26 talk on modifying ARM Cortex-M firmware, [Dennis Giese] returns with a walkthrough of how to reverse-engineer Xiaomi IoT devices. He starts off talking about the Xiaomi ecosystem and the drawbacks of reusing firmware across all the different devices connected to the same cloud network before jumping into the walkthrough for accessing the devices.
This hack was revealed a while ago at DEFCON26, but it’s still a fascinating look into vulnerabilities that affect some of the most widely used IoT devices.
[Dennis Giese] figured out a way to modify ARM Cortex-M based firmware for use in customizing the functionality of devices or removing access to the vendor. Obviously, there are more malicious activities that can be done with this type of hack, as with any exploits of firmware, but they are (also) obviously not condoned.
The talk goes into the structure of Xiaomi ecosystem and products before going into a step-by-step approach to binary patching the firmware. The first step was to acquire the firmware, either by dumping SPI flash memory (using JTAG, SWD, or desoldered Flash pins) or intercepting traffic during a firmware update and downloading the firmware. There’s also a possibility of downloading the firmware using a URL, although this can be more difficult to find.
The firmware can then be parsed, which first requires the format to be converted from a proprietary format to and ELF file. This conversion makes it easier to load into IDA pro, and gives information on the segments of the firmware and its entry point. Python tools luckily exist for converting binary files to ELF, which simplifies the task.
After loading the ELF file into the disassembler, you’ll want to find the key memory area, denoted by “TAG_MAC”, “TAG_DID”, and “TAG_KEY” in the example firmware (for storing the MAC address, device ID, and key). In order to prepare the firmware for Nexmon – a software that supported C-based firmware binary patching for ARM Cortex-A and ARM Cortex-M binaries – you’ll need to partition some space in the memory for patches and know the function names and signatures for the firmware.
The latter is done by doing a difference comparison in the disassembler between an unknown executable and the example executable.
With the necessary information gathered, you can now use Nexmon to make your modifications. The fact that this can be done for smart devices at home means that smart devices you acquire – especially those partitioned by others – may contain malicious code, so take care when handling used devices.
Security researchers have found a way to remotely execute code on a fax machine by sending a specially crafted document to it. So… who cares about fax? Well apparently a lot of persons are still using it in many institutions, governments and industries, including the healthcare industry, legal, banking and commercial. Bureaucracy and old procedures tend to die hard.
This is one of those exploits that deserve proper attention, for many reasons. It is well documented and is a great piece of proper old school hacking and reverse engineering. [Eyal Itkin], [Yannay Livneh] and [Yaniv Balmas] show us their process in a nicely done article that you can read here. If you are into security hacks, it’s really worth reading and also worth watching the DEFCON video. They focused their attention in a all-in-one printer/scanner/fax and the results were as good as it gets.
Our research set out to ask what would happen if an attacker, with merely a phone line at his disposal and equipped with nothing more than his target`s fax number, was able to attack an all-in-one printer by sending a malicious fax to it.
In fact, we found several critical vulnerabilities in all-in-one printers which allowed us to ‘faxploit’ the all-in-one printer and take complete control over it by sending a maliciously crafted fax.
As the researchers note, once an all-in-one printer has been compromised, it could be used to a wide array of malicious activity, from infiltrating the internal network, to stealing printed documents even to mining Bitcoin. In theory they could even produce a fax worm, replicating via the phone line.
The attack summary video is bellow, demonstrating an exploit that allows an attacker to pivot into an internal network and taking over a Windows machine using Eternal Blue NSA exploit.
It’s April, which means all the people responsible for doubling the number of badges at DEF CON are hard at work getting their prototypes ready and trying to fund the entire thing. The first one out of the gate is Da Bomb, by [netik] and his crew. This is the same team that brought you the Ides of DEF CON badge, a blinky wearable multiplayer game that’s SPQR AF. Da Bomb is now a Kickstarter campaign to get the funding for the run of 500, and you’re getting a wearable badge filled with puzzles, Easter eggs, and a radio-based sea battle game that obviously can’t be called Battleship, because the navy doesn’t have battleships anymore.
Speaking of badges and various badge paraphernalia, there’s a new standard for add-ons this year. The Shitty Add-On V.1.69bis standard adds two pins and a very secure shrouded connector that solves all the problems of last year’s standard. [AND!XOR] just released a Shitty Brooch that powers all Shitty Add-Ons with a CR2032 battery. All the files are up on the Gits, so have fun.
You can 3D print anything if you don’t mind dealing with supports. But how to remove supports? For that [CCecil] has a great tip: use Chap stick. This is a print that used supports and it’s perfectly clean, right off the bed. By inserting a suspend (M600) command at the z-height of the top of the interface layer, then adding Chap stick on the top layer, everything comes off clean. Neat.
Speaking of 3D printing, here’s a project for anyone with the patience to do some serious modeling. It’s a pocket Soviet record player, although I think it’s more properly called a gramophone. It’s crank powered, so there’s a spring in there somewhere, and it’s entirely acoustic with zero electronics. Yes, you’re going to need a needle, but I’d be very interested in seeing somebody remake this using modern tools and construction materials.
If you want to build hundreds of a thing (and let’s face it, you do) now is a magical time to do it. Scale manufacturing has never been more accessible to the hardware hacker, but that doesn’t mean it’s turn-key with no question marks along the way. The path is there, but it’s not well marked and is only now becoming well-traveled. The great news is that yes, you can get hundreds of a thing manufactured, and Kerry Scharfglass proves that it’s a viable process for the lone-wolf electronics designer. He’s shared tips and tricks of the manufacturing process in a prefect level of detail during his talk at the 2018 Hackaday Superconference.
Kerry is the person behind the Dragonfly badge that was sold at DEF CON over the last two years. Yes, this is #badgelife, but it’s also a mechanism for him to test the waters for launching his own medium-run electronics business. And let’s face it, badge making can be a business. Kerry treats it as such in his talk.
The AND!XOR team have somehow managed to outdo themselves once again this year. Their newest unofficial hardware badge for DEF CON 26 just arrived. It’s a delightful creation in hardware, software, and the interactive challenges built into both.
They call this the “Wild West of IoT”, a name that draws from the aesthetic as well as the badge-to-badge communications features. Built on the ESP32-WROVER module which brings both WiFi and Bluetooth to the party, the badges are designed to form a wireless botnet at the conference. Anyone with a badge can work to advance their level and take more and more control of the botnet as they do.
Check out the video overview and then join me below for a deeper dive into all this badge has to offer.