Pwning With Sewing Needles

August 8, 2016 by Brian Benchoff 23 Comments

If you don’t have root, you don’t own a device, despite what hundreds of Internet of Things manufacturers would tell you. Being able to access and write to that embedded Linux system in your new flashy gadget is what you need to truly own a device, and unfortunately this is a relatively uncommon feature. At this year’s DEF CON, [Brad Dixon] unveiled a technique that pwns a device using only a sewing needle, multimeter probe, or a paperclip. No, it won’t work on every device, and the devices this technique will work with are poorly designed. That doesn’t mean it doesn’t work, and that doesn’t mean the Pin2Pwn technique isn’t useful, though.

The attack relies on how an embedded Linux device boots. All the software needed to load Linux and the rest of the peripheral magic is usually stored on a bit of Flash somewhere on the board. By using a pin, probe, or paperclip to short two data pins, or two of the latch pins on this memory chip, the bootloader will fail, and when that happens, it may fall back to a uboot prompt. This pwns the device.

There are a few qualifications for this Pwn using a pin. If the device has JTAG, it doesn’t matter – you can already own the device. If, however, a device has a locked-down JTAG, unresponsive serial ports, or even their own secure boot solution, this technique might work.

Two data pins on a TSSOP Flash shorted by a multimeter probe

This exploit works on the property of the bootloader. This bit of code first looks at a piece of Flash or other memory separate from the CPU and loads whatever is there. [Brad] found a few devices (mostly LTE routers) that would try to load Linux from the Flash, fail, try to load Linux again, fail, and finally drop to a uboot prompt.

As with any successful exploit, an equally effective mitigation strategy must be devised. There are two ways to go about this, and in this case, the software side is much better at getting rid of this attack than the hardware side.

Since this attack relies on the software falling back to uboot after an unsuccessful attempt at whatever it should be booting, the simplest and most effective mitigation technique is simply rebooting the device if the proper firmware can’t be found. Having a silent serial console is great, but if the attack relies on falling back to uboot, simply not doing that will effectively prevent this attack.

The hardware side is a little simpler than writing good firmware. Instead of using TSSOP and SOIC packages for storing the device firmware, use BGAs. Hide the pins and traces on an inner layer of the board. While this isn’t a foolproof way of preventing the attack – there will always be someone with a hot air gun, magnet wire, and a steadier hand than you – it’s hard to glitch a data line with a sewing needle if you can’t see the data line.

Hackaday Prize Entry: An Interface For The Headless Linux System

May 28, 2016 by Moritz Walter 17 Comments

Connecting a headless Raspberry Pi to a wireless network can be quite a paradoxical situation. To connect it to the network, you need to open an SSH connection to configure the wireless port. But to do so, you need a network connection in the first place. Of course, you can still get command-line access using a USB-to-UART adapter or the Pi’s ethernet port – if present – but [Arsenijs] worked out a much more convenient solution for his Hackaday Prize entry: The pyLCI Linux Control Interface.

His solution is a software framework written in Python that uses a character display and buttons to make a simple hardware interface. This allows you to configure all important aspects of a Raspberry Pi – or any other Linux SBC – from a tidily organized click-and-scroll menu. [Arsenijs] implemented a whole bunch of useful tools: There’s a network tool to scan and connect to WiFi networks. A systemctl tool that lets you manage the services running on the system, which is especially helpful when you need to restart a stuck service. A partition tool helps with viewing and unmounting mass storage devices. He’s even planning to add a filesystem browser.

With his Open Source project, [Arsenjs] aims to shorten the development time for embedded projects by taking out the efforts of implementing the basic interface functions from scratch. Indeed, there are countless scenarios, where a basic display interface can be of great value. Given the great project documentation and the fact that this can work with virtually any Arduino or Raspberry Pi LCD-pushbutton-hat or shield, we’re sure this is going to be used a lot. Enjoy the video!

Continue reading “Hackaday Prize Entry: An Interface For The Headless Linux System” →

Arietta G25 Has Us Wondering Where ARM Boards Are Going

November 1, 2014 by Mike Szczys 40 Comments

This tidy little ARM board is the Arietta G25. It’s based around an AT91SAM9G25 which is an ARM9 chip running at 400MHz. Paired with the DDR2 RAM (in 128 or 256 meg options) to the left, the board runs Linux and runs it well. After the break you can see the obligatory running of Doom. But in this case it doesn’t just run a demo, but is playable from momentary push buttons on a breadboard (props to the Arietta team for using wire wrap for that setup).

See the vertical row of pads between the processor and the SD card slot? That’s a breakout header designed to accept a WiFi module. In at €20-30 based on your RAM choice and just €7 for the WiFi module this board is certainly a contender for any embedded Linux projects. But it does have us wondering, should be thinking of these as ARM boards, or forget the low-level development and just think of them as a Linux machines with plenty of GPIO available?

The 20×2 pin header breaks out a lot of the SAM9’s features. We really like the interactive pinout posted for this device. For instance, there are three sets of USB host lines available. But you’ll want to click on each to see that one set is in use for the SD card, and another is used by the WiFi module. The documentation that has been posted for the Arietta G25 is one of its strongest point. Nice work there!

Continue reading “Arietta G25 Has Us Wondering Where ARM Boards Are Going” →

Embedded Linux Meets Arduino With The Rascal Micro

June 14, 2012 by Mike Szczys 20 Comments

Behold the Rascal Micro. It’s running embedded Linux and has a dual-row of pin headers which probably seem pretty familiar. The idea here is to bring Arduino hardware (ie: shields) to a party with a powerful web server.

The image above is the beta version of the hardware. What’s being shown off in a recent Engadget demo is a version that slides two USB ports in between the barrel jack and the NIC. This makes it easy to jump over to wireless with the use of a USB dongle, or you can figure out what other peripherals you want to include in your project.

The novelty here is that the web server included a built-in editor. So not only can it serve you a webpage to control hardware or display sensor status, but it will let you edit the interface without needing to reflash anything.

The price rings in somewhere around $100-150, and like the popular Raspberry Pi board, you can’t get your hands on it right now.

Twiddling An LED Using The BeagleBone’s Embedded Linux

March 15, 2012 by Mike Szczys 18 Comments

If you comfortable working with 8-bit microcontrollers, the thought of moving to a hardware platform running embedded Linux may be a bit daunting. After all, there’s a lot going on between you and the chips on a board like the BeagleBone seen above. But [Matt Richardson] shows how easy it can be to get at the pins on this device. He put together a primer on hardware control from the embedded shell.

You will remember that the BeagleBone is the newest generation of the BeagleBoard. The ARM processor and other goodies make it a powerful tool, and those already familiar with Linux will be able to get up and running in no time. Just connect the board to your network and SSH into it to get started. [Matt] outlines this setup process in the clip after the break. He then hits the reference manual to find the pinout of the female headers on either side of the board. Each available I/O pin is mapped to the /sys directory and can easily be controlled by echoing your commands to the appropriate files. But [Matt] went a step further than that, writing his own Python library that implements Arduino-style syntax like the digitalWrite() function.

This example should give you enough of a shove to start porting your own libraries over for use with the device. Don’t forget to document your projects and tip us off about them. Continue reading “Twiddling An LED Using The BeagleBone’s Embedded Linux” →

Leapfrog Didj: Handheld Linux On The Cheap

February 1, 2010 by James Munns 64 Comments

Today our good friends over at Woot! are selling the Leapfrog Didj, a low cost educational toy aimed at little kids. Lucky for hackers out there, the Didj is actually a linux device, and gaining serial console access is as easy as soldering two wires. The documentation out there is a little outdated, with a number of broken links and stale wikis, but $25 for a portable linux device is a hard deal to beat. A list of sites which might be helpful are listed after the break, as well as the hardware specs of the Didj.

Let us know if you have played around with hacking the Didj before, and if you have any tips for other readers. Don’t forget to tell us what you do with the Didj as well!

Thanks to [Mark] for the tips and the hardware details.

Continue reading “Leapfrog Didj: Handheld Linux On The Cheap” →