Hacking Hardware With A $10 SD Card Reader
Feb 27, 2020
Hi everyone, this is Hacking Hardware with a $10 SD Card Reader, an Exploitee.rs production.

OK, so a little bit about us. My name is Amir Etemadieh, I'm Zenofex on Twitter, I'm a senior research scientist at Silent, I am the founder of Exploitee.rs and also the founder of Payscript. We have CJ here; CJ, please stand up or say hello or make any audio. He goes by CJ_000, he is a security researcher at Draper and does hardware and software exploitation of things. And then we have Khoa Hoang, please stand up. He is maximus64_ and is a graduate of the University of Central Florida, and a master of the welder and heat gun. Just as a heads up, this presentation and these thoughts are ours and ours alone and have no relationship to our employers.

OK, there are about ten of us, but the next guy cries, so we only have three on stage. We have to shout out to the rest of the members. We have mbm, who is the co-founder of OpenWrt and goes by mbm. We have gynophage, who is the organizer of DEF CON CTF and goes by gyno_lbs. We have Hans Nielsen, who goes by non-stick and is a corporate tech guy. We have Jay Freeman, who is the creator of Cydia and goes by saurik. We have Tom Dwenger, who is the master software developer in our group. And then we have 0x00string, who is actually in the audience; stand up, Sam. He goes by 0x00string or nullstring, and he is the hacker and troublemaker extraordinaire; I would like to call him our wild card.

OK, so a little bit about Exploitee.rs. We are a research group that originally started hacking Google TV devices. After Google removed the Google TV brand we pivoted and started hacking everything, and have ever since. We were previously known as GTVHacker; when they removed the brand we had to change our name, and that's when we became Exploitee.rs.

Since then we have released root methods for multiple generations of Google TV devices and other embedded systems, and we have a blog, a forum and a wiki, all kinds of database of the vulnerabilities we found as well as vulnerabilities found by the community, so check out our wiki, and if you have anything to add please let us know.

What will you find today? You'll find out what eMMC flash is and how it differs from NAND, which many of you hardware folks are probably more familiar with, although you're probably familiar with eMMC as well. We're going to talk about how to recognize eMMC flash, how to identify an eMMC flash pinout and plug into an eMMC flash inside of a device, then selecting the correct USB SD card reader. That sounds simple, but there are a few tricks, and we will show you how to limit the pinout that is needed to read and write, which is important, and then finally how to interact with the eMMC flash.

OK, so previous work. Just as a note, there's probably a lot of previous work, but we're specifically talking about previous work that influenced us. Micah Elizabeth Scott, scanlime, she's the one who introduced us to the subject and got us thinking about it. She has a blog where she built a sniffer for the Nintendo DSi system and used it to create a database of CPU flash reads and writes. We reference a talk we did at DEF CON 21 where we had an eMMC root that we threw in, but we didn't really go into how to find your own eMMC pinouts and how to communicate with them, and since then we've developed an approach that is not only low cost but alleviates a lot of the problems we ran into along the way. As I said earlier, probably many of you looking at this presentation have had some experience with eMMC. Sorry if I didn't cite you; there was too much for the slide, so we specifically listed the stuff that influenced us and whatnot.
So, an intro to eMMC flash. You might think of it as an MMC version of an SD card for embedded devices. The abbreviation eMMC stands for embedded multimedia card. It's inside a ton of devices, from phones, set-top boxes, tablets, cars, you know, anything that needs an easy to use flash drive could use it. It was developed by JEDEC, the Joint Electron Device Engineering Council, and I think it's currently at revision 5.1 or thereabouts, so eMMC versions.

The big thing about eMMC is that it comes with a built-in flash controller. Normally when you have a NAND chip you have an external controller, and the lines we take out of the flash go to that controller in the CPU. It goes from 8 data lines and 5 control lines for NAND to an eMMC, where we can reduce the number of data lines needed to one, and then down to two control lines, which makes it much simpler for someone who works from a reverse engineering standpoint to find the pinout and then communicate, read, write, dump, whatever, with that particular eMMC. Driving the internal controller, we have wear leveling, bad block handling and error correcting code, as well as a few other things constantly being developed as each revision comes along. It also provides an easier design to incorporate, because it allows an engineer to have their design with the controller and the flash inside a single package, so it is gaining prevalence, and in fact possibly starting to be phased out by a different type of storage called UFS.

So this is kind of a boring slide: so prevalent, but an NXP presentation from 2014 estimated 4.375 billion 16 gigabyte eMMC chips in the world. The number sounds crazy, so we cited the source in our white paper, which feel free to check out if you feel like you want more information on this. Samsung Galaxy S2 through S5 mobile phones all use eMMC flash storage; Amazon Echo and Amazon Dot devices actually generally use eMMC flash, so it's in more devices than you would ever expect. Over 110 million devices sold for only one line of devices, which is the Samsung Galaxy S5. It's low cost, there are many storage sizes, a small single package size as I mentioned above, with an integrated controller.
So how do you identify eMMC flash? There are a number of things you can do, and this is kind of a generic list, because it's kind of case by case. When you're looking at a board and it has all these components, it's important to know where to look, and especially the bigger the board and the more components you have, the more likely it is that you want to use some characteristics to identify which components to look up in the datasheets. Types of identifying which is which: the location on the board relative to the SoC. So essentially when you have a flash or memory chip, you don't want to run data lines across the board and impact the data rates; you want to have it as close to the SoC as possible, so it could be on the other side of the board going across the different layers, or it could be directly next to the SoC. There is a standardized package type for eMMC; it's usually BGA. I'm sure someone could do some other version, but the standard is BGA, which stands for ball grid array. As I mentioned above, you can refer to the datasheet: the manufacturer name and the model number, which along the way will also include the size values. And then the silkscreen: in some cases you will be lucky and it will be labeled flash or eMMC flash, and all the pins labeled too. You can also look at PCB traces and resistors, and what we're talking about here is specifically if you have an eMMC flash chip, or a flash chip, and you have a number of resistors pulled to the side in a line, which we'll show you an example of later, you might be able to infer that those could be the data lines, or based on the number and location you will be able to put everything together that it is eMMC without having a datasheet or model ID available, or being able to 100% identify the chip based on the model number.

So, the location on the board. I talked about this briefly. Just to the left, most devices you'll see have some form of MCU or SoC, which is the main CPU plus the I/O interfaces and the memory controller, and then you have like a RAM chip, and then you have your flash memory. Many SoCs have a limited amount of storage space on them, so they have external storage where they store the code to run whatever device interfaces with the peripherals. Those memory types would be eMMC flash, NAND flash, NOR, SPI; there is a bunch of different kinds of memory, with eMMC being kind of a middle ground, SPI probably being the easiest to communicate with, and NAND or NOR pulling up the other end. So you're going to be looking for BGA packages near the SoC because, as I mentioned, the data lines probably don't want to run around the board too much. Common flash packages: on the left hand side you have the ball grid array, which is the BGA package and the standard for eMMC, and then on the right hand side you have the thin small outline package, aka TSOP, which is usually used for parallel NAND or NOR flash.

We didn't have the SPI flash here, but you'll usually see it with eight legs and sort of a small package, and it will typically have a lot less storage space than these counterparts.

So, ID'ing the eMMC chip on this particular one: you can see the manufacturer name is the big bold print at the top of the line, in this case it's Toshiba. You can look at the part number (transcribed as "H G BM v g6 a 2j Bai R"), and then with those two you can do an internet search to find the part number and the full datasheet, which will list things like logic level and pinout, things that would be nice to find. But in some cases, you know, you are reversing a console, reversing something that has proprietary hardware, and you may not find a datasheet. For eMMC generally, in some cases you can use the same pinout, but you'll want to double check and make sure they haven't changed anything, or at least know that you risk breaking your device if you guess the pinout incorrectly. Visual ID of the pins: here is, we'd like to think, the last thing you want to do, which is disconnect a BGA chip. My failure rate: I have a one in four success rate; Khoa is close to 100% when he removes, reballs and reattaches BGA, it's amazing; and CJ is probably a little better than me, maybe half as good as Khoa, but... When you identify them with some of the features, you'll see on the left side of the chip all the data pins, the blue pads which are the blue circles that were left over, and the number is the data pads; you'll probably find eight of them, and you'll notice that on the right side of the chip you will see the command and clock pads.

It's important to note that they're on opposite sides from each other, and that helps you identify: if you're looking at a BGA chip and see traces running to the left, so maybe a resistor bank, or even some way to the left toward the SoC, you might be able to guess that they're the data pins, and on the right hand side if you have two coming out and sort of routing around the chip, maybe around all the no-connects, you might be able to guess that they're the clock or the command, if they're not VCCQ or VCC, which are the power lines, the white pads on this particular... Oh, I'm going to move to the next one. Yeah, I went over your slide, sorry mate, I'll give it to you next. Kind of keep the BGA standard. Now CJ is going to take over.

Sorry. Fine, dude, don't worry about it. So this slide, Amir just talked about everything I was going to say, so it's good, it's fabulous. So what's super awesome when you pull out the datasheet itself is what you can act on.
All I'll do is take the datasheet, import it into a photo editor, say Photoshop, whatever you want; you could use Microsoft Paint, though I think Paint 3D came out so Paint is no longer there, question mark, which is a bit of a pain. But you can actually remove the background from the image and then overlay it over the previous image, expecting something like this, so you have a visual representation of where each pad is on the chip. So you see the blues on the left side, the blues on the right side, and more or less where they map onto the circuit board. So look at the ones on the left side, the data ones, which are a little hard to see, but you have the slides at the URL below; those are the data lines, which are the data pads, and it looks like there are traces on the circuit board from those pads going directly to a resistor bank on the side that is labeled R21 to R28. Please note this photo is slightly rotated; it's upside down for consistency, so you can read the part number. So moving forward from that, talking about the silkscreen: you see R21, which is near the bottom, it has R28, R21, R23, R22... oh, we'll get into that in more detail in a bit, but eMMC uses up to 8 data lines, data 0 1 2 3 4 5 6 7, and just as an assumption, if you only had one PCB and you were going to mark with silkscreen which resistor does what, when you start with the lowest value it's probably data 0. It's just a hunch, but we're assuming it is, and we know these lines need to be connected to the system on chip. So if we backtrack for a moment, we have just a little picture; I hate to say it's just one chip, but you see the resistor bank, everything goes that way, and I know I hate it when people do that, but it was very helpful: they traced that way, those are probably our data lines. We also need to find our command lines, which are normally on the right hand side of the chip; of course we can't really see what's on the right hand side of the chip, we see nothing coming out, we don't have an X-ray machine in our homes, that would be great if we did, so you could actually see what's under this chip, and we don't necessarily want to remove the chip yet. So we can make an educated guess: if you look at the top left corner of this image you see R8 and R9, and those are probably the command and clock lines, based on the fact that we can't see where they go, but they lead to the system on chip.

Now, if you're a little crazy and highly rated for your qualities, you'll just skip right to removing the flash chip. You know, it's a tricky thing; it's usually much easier to remove than to replace, but do it step by step. You can use a soldering rework station, or even a heat gun or a paint stripper gun you get from Home Depot or Lowe's, take it there, start prying up the flash, pull the chip. I've only had luck removing the chips, not putting them back in; Khoa has had luck doing both, he's awesome. You need tweezers too, a bit of solder flux, and patience, because you don't want to heat the board up too much: heat it up slowly, cool it down little by little, and you do it right. So, really quickly, I'm not going to go into terrible detail about this, but to pull the flash, heat the board gently, then apply, also gently, a tap to the flash chip; when it starts to move, then you can lift it up cleanly, and if you get it right you won't eat all the balls; as in this picture, they are still fully intact. From here you can now trace each pad on each pin to the resistor bank, or wherever it goes, if it disappears, whatever it is. You can also take advantage of that information from there. Getting the flash chip out, it's like, me, I can't solder it back, and I don't want to mail it to Khoa because it takes too long.
I can buy another. I could hook it up, as we'll talk about in a moment, pull off the file system, pull off the firmware, maybe get cryptographic keys, pull something off that enclosure to take advantage of it for an exploit, or exploit it over the network, something that we can then use without having to reconnect and get past that. So, guessing is a bit hard; it can cause damage if you get a bit of a short, apply the wrong voltage, or if, you know, you connect 3.3 volts to a 1.8 volt line. Khoa will talk about that a bit; no one has done that, we have a solution for that. You can test it with an oscilloscope: you connect an oscilloscope to what you think are your pins; you're looking specifically for the data zero, command and clock lines. As the bigger talk says, you really only need a handful of pins, which makes it much better than using NAND flash apart from the controller, so we'll give you some details on the overall cost.

The clock signal provides a constant repeating signal that usually looks like a sine wave, in the upper right, or could look like a square wave, just below it; thanks Wikipedia for the image. That clock signal is used to synchronize the data on the command lines: you want to make sure that when the command is sent, you know, to say "I want block X", and you retrieve block X, the timing is correct, so that it knows which command will send what data coming back and how they correlate. This is what a clock signal looks like on an oscilloscope; as mentioned, it's very periodic, very repetitive, it looks like a clock signal. So using this picture, if you're testing things and you find a signal that looks like this, it's probably a clock. The command signal below you can see represented in this image: the clock signal is very periodic, and the command has little bits; essentially the commands that are sent out have little bits of command going out, and they correlate to the data, not shown here, but more or less it'll send a command that says "hey, I want block 0", and it'll be "fine, here are the blocks", and the data shows up, and it rinses and repeats to read and write everything. It's worth mentioning that the command line is actually bidirectional, so if you send a command that says "hello, I want this", it'll reply "fine", and separately "here's data". And what it looks like on an oscilloscope, below the command line: it's usually easier to identify the data line, since there's only one; you can see the data line at the top, and there's a rough correlation between the data coming in via the command line and the data that shows up; as I said, the whole clock is requesting the data to be retrieved.

So now suppose we have potential pads identified via one of these means: either scoped, used visual ID, or the manufacturer was kind enough to label everything for me. A bit of test and reset, guess and check, between the scope or wiring, to confirm command, data zero and clock. Of course every device is different, and, you know, testing will definitely confirm the identity of which pin is which, and then if you have that for a device like the Amazon Fire TV, that works for one schematic; there will be millions of devices available and you are good. So it's just a little bit of startup work and you can get very good. It's a fun fact, as Amir was talking about before, the SD card protocol is actually a superset of the MMC protocol, so MMC was the first to come along; SD incorporated some of the features of MMC and added a bunch more. To bundle things, specifically MMC in our case: instead of using the four bit mode, you just use the one bit mode, we just need a data line, fewer cables, much easier to use. A normal SD card you have in your camera and everything uses four bit mode for the data lines; its performance is faster than one bit, and that's also the maximum for an SD card: data zero, one, two and three. 8 bit mode, and only eMMC chips have 8 bit mode, which is data 0 to 7 and has the fastest throughput. So again, it's reset, data, command, clock, and of course power and ground; we'll get into getting it all working.

So looking at an SD card for a minute, you also need an SD card reader that supports single bit mode. With single bit mode, the best way to test it is to just take a normal SD card, take tape or whatever covering of your choice and cover those data 1, data 2 and data 3 lines, top and bottom, connect it to an SD card reader, and if it works as an SD card, it has a one bit reader. We prefer the Transcend RDF5 USB 3.0 reader, and it actually costs less than ten dollars.
I think it was nine bucks and 51 cents on Amazon, don't quote me, but it was still less than $10, so a bit of a savings. To connect to eMMC flash you have a couple of options. You can do it in circuit, so you have a box, you open it up, you have your pins, but you need to apply power: you have a self-powered one, you have a power cord plugged in to do your thing; that has some challenges. You can power the flash externally, separately, so have a bench power supply or a USB connection and power it up. You can also do dead bug, shown in this picture, which Khoa did, because he's literally crazy but amazing with soldering; he flipped the BGA flash chip over to extract the data. Each method has its own problems: dead bug obviously can be challenging, not impossible but difficult, the wires are dangling, and it's very effective; it's the best way to get data, you will never fail with this method assuming the skill is kosher, so if you can do it, it won't fail, you will get data. But you're used to worst case; we like to use it as the worst case.

Khoa will reball it, because it's awesome to put it back together, as you're soldering the balls back on. You have to reball the chip; there are ways to do this, there are kits, there are things online, it's not totally impossible. Right now, for in circuit programming, I'm going to hand it over to Khoa.

So when you try to access the eMMC in circuit, the CPU may try to communicate with the eMMC chip; this will lead to data corruption and in some cases may even damage the chip. To prevent this, you need to keep the CPU in reset: find the reset pin and pull it low or high depending on the chip, or some devices have a reset button on the back, so you get a hole and press that button, or we can disconnect the CPU eMMC line, or you can disable the CPU oscillator. Logic level is also another problem when you try to access the eMMC: most embedded devices use 1.8 volt logic level for the eMMC, and the SD card reader, the USB SD card reader, only works with 3.3 volt logic, so you can't change the eMMC logic level to 3.3 volts in circuit, because it's actually physically connected to the VCCQ line of the device at 1.8 volts. So when you put 3.3 volts on a 1.8 volt line, another device on the same power rail may get an overvoltage and be damaged. To fix this problem we made an adapter for low voltage: we translate 1.8 volt logic into 3.3 volt logic. So some problems to consider, some important considerations for troubleshooting: a good ground connection is very important, and the length of the wire can affect the connection; the logic level must be known to communicate properly with the chip; make sure there is a good connection on all the connections and you have a clean power supply. So here is our low voltage eMMC adapter.

It is a converter from the eMMC's 1.8 volts to the 3.3 volts of a USB reader; it's on the website. Here is our breakout board that we make as well; you can use it with an SD card reader for 3.3 volt, or even 1.8 volt logic level for the eMMC. So this board is based on the last one; this one doesn't have the voltage translator, so you can just use it for 3.3 volts, or with a chip that doesn't need it; it's a passive board, yes. Another special thing about eMMC is the boot partitions. To access the boot partition, the host has to send a special command to enter this mode; with normal SD card readers you can't send those commands to enter the mode, so you need an SDIO controller with an MMC host driver. When you connect the eMMC, it auto-detects as mmcblk0, boot0 and boot1 in the Linux kernel. So some laptops have an SDIO interface for reading SD cards, and it supports the special command needed to interact with a boot partition. If the PC doesn't have this SDIO host controller, you can buy a PCI Express SDIO host bridge; the one we used was $150. Or you can use a BeagleBone Black; it has an SDIO interface and you can wire it to the eMMC that way, and it's only $50. So here in a picture, as you can see, I connected the SD card slot to a pin header so you can connect the cable to the eMMC, and the boot partitions just pop up in Linux as mmcblk0boot0 and boot1. And now the demo, I mean we'll show you. Thank you very much, Khoa. I don't know if this would work, but can we give him a little round of applause?
This is his first time speaking in public and he's doing it at Black Hat, so you know that's a big credit to Khoa. So yeah, let's do this demo real quick. So we'll do it at four times the speed, because this is an 11 minute video; it's going to look a little crazy because it's four times the speed. Actually, this isn't sped up at all, that's how fast Khoa runs. So the first part is kind of boring, it just shows the device booting up; essentially here in a second he's about to disassemble it, and this is the pinout for the Fire TV. It's quick, but you can see it on our wiki; essentially we have that pinout from the process that we talked about in this presentation. He's doing in circuit programming on this particular chip, but in that picture you could see that he had detached it and ended up having to put it back, so...

I hate the audio on this, because terribly we put some really bad techno on it, and last minute we decided to have no audio. So yeah, this process here is removing the clock resistor so it can have power in circuit to the chip, essentially preventing the CPU or SoC from communicating with the eMMC and allowing him to just connect data zero, clock and command, and ground. So I talk about five pins, but technically this method is four pins. And once it connects, what you are going to see is that it modifies the file system and adds SuperSU, since this is an Android based device, and then you turn it back on and it's rooted. The beautiful thing about communicating directly with eMMC is that no exploits are required; you're just using your hardware skills to directly communicate with and modify the chip, and then just boot it up and it's all great, as long as there are no signatures or some sort of secure boot on that particular partition or image. Then this is a great solution for projects, as long as you spend the time figuring out the pinout or pulling the chip off. So exploits aren't so important, but it just shows that it adds the necessary files to the file system; you can see that it recognized that it was connected to the SD card reader, everything is done, now he is just removing the cables and cleaning everything up so it doesn't create a short. And yeah, it would have been way more dull at 1x. So they'll put it back together and show you it's booted up and rooted. So that's a great thing to be able to know, and that's where we felt the value was in coming and bringing it to all of you at Black Hat, because a lot of people came on our IRC channel and told us how they couldn't figure out a pinout, or were having trouble connecting, and hopefully that clears it up. So now let's open it up to questions; keep in mind that we have some goodies to give away, so if you're already leaving, you know, so be it.
I have 2000 of these things, so if anyone has any questions, go ahead. Who does my hair? Bird's Barbershop in Austin, Texas, it's OK. So no doubt, it's easy, right? Oh, there is one. OK, what is your question? OK, so the question is... do you mind if I take this question? The question is why are there so many unconnected pads on eMMC BGA chips. You know, we are not the ones who built it, but I can tell you what we think is the correct answer, and that is that those pads keep that big package on the board; they are enforcing the BGA standard and the number of pads that would be used on any BGA format, so this isn't eMMC specific, it's more the standard, and it also has the benefit of holding it to the board. Next question, or did I answer that question? Are you OK? OK, next question. Anyone? Right, the guy in the back. Can you hear me? Yes, I can.

OK, you showed an implementation using a specific Toshiba chip and also a specific SPI, but I wonder if there were any other specific eMMC chips you've tried that couldn't, or were different, like 4-bit or 8-bit modes that were harder to test and hack?

So your question: we specifically mentioned the Toshiba chip, and I think another example, of how to find the pinout and be able to communicate with it; are there any that raise more issues? I destroyed one of my readers at one point. Um, you know, it's a component for a board that engineers have to rely on, a specific set of programming and standards; the biggest problem you'll have is maybe, if you're doing in circuit programming, you don't understand the full schematic or layout of the device and you have problems with other components on those power rails, or, you know, they are using that chip in some way or another. So, you know, best case is not best case; the best solution in that case would be to unplug, dead bug, the chip, because then you have a direct connection to the flash without any other interference. Do you have anything else, just to elaborate?

We've seen other types of flash chips: Kingston, SanDisk, this was Toshiba, and there are a few other manufacturers. We haven't had a problem yet; let's not say there isn't a random flash chip we haven't found that could be problematic with this method, but with the multitude of gadgets we buy, this hasn't been a problem. OK, does that answer the question? And what was the end of that, sorry? Honestly, I see it more and more... since the question was, yes: how often do you see a signature verification or secure boot implementation inside an SoC?

I'm not specifically on the software side, but with a staged bootloader it's becoming more and more prevalent, as SoCs have some kind of secure boot support, some kind of chain of trust. Generally at that point what we like to do is look at the issues with the way it's implemented instead of trying to figure out a way to crack the encryption. You know, I think at DEF CON 23, or maybe DEF CON 22, we had a problem where they were loading things or information from flash and we were able to set the memory address; it had a signature check on the first loaded image and then no signature check on the second, with an arbitrary memory location, so we were able to change that second memory location and override the first loaded image that was loaded in memory, and provide the second. So in those cases you're looking for a failure in secure boot, and, you know, it's one of those things: we're talking about directly interfacing with hardware, and it really depends on the software whether or not secure boot makes a problem. But it's worth mentioning that the device in question actually used eMMC flash, so we were able to do a proper dump, test, and repeat consistently, and, you know, some devices will try to boot multiple times and fail and then wipe the bootloader; this one actually did, it was ten tries on its output, and we were able to just write it back and keep going, trying. So with this method we were able to constantly test and repeat without needing to buy new hardware all the time, and eventually crack the signature, or at least bypass secure boot. OK, did I answer your question? File system, did you say? Requirement at the end of the story?

You know? Do you think of a USB storage device? Do you think about an SD card? We shipped these eMMC adapters and I personally test each of them before they go out, and I have this, I really have it with me: I took a Fire TV Stick and soldered it to a breakout board. You probably can't see it, but I use this to test each one of the eMMC boards we shipped, and when I plug it in it's going to auto mount the images and it just shows up beautifully, no extra work needed. So it's mounting multiple partitions, it's reading the partition table, and I think these in particular are ext3, ext4. Does that answer the question? OK, someone else? OK, yeah, I'm here. Perfect, OK, can you start with a mic?
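What the host does when the chip "just shows up" is read the partition table from the user area and probe each partition for a filesystem. The following is an added example, not code from the talk or from Exploitee.rs, that does the same inventory read-only over a raw dump, without mounting anything: it parses the MBR partition entries and classifies ext2/ext3/ext4 from superblock feature flags, the way a blkid-style probe does. Taking such an inventory, together with a hash of the dump, before any write-back is a cheap way to confirm that the wiring and the reader are giving a consistent view of the chip. The image is constructed in-script (one ext4 partition labelled "system" and one FAT32 entry); the superblock offsets and flag values are the standard ext ones.

```python
"""Inventory the partitions of an eMMC dump the way the SD reader's host would.

Added example, not code from the Exploitee.rs talk. Given a raw image of the
user area (what Linux exposes as mmcblk0 once the chip is wired to the reader),
it parses the MBR partition table and sniffs each partition's superblock area
for ext2/3/4, without mounting. The image used here is constructed in-script;
real dumps come from dd or similar.
"""
import struct
from typing import List, NamedTuple, Optional

SECTOR = 512
MBR_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xAA"
EXT_MAGIC = 0xEF53
EXT_SUPERBLOCK_OFFSET = 1024            # superblock lives 1 KiB into the partition
EXT_FEATURE_COMPAT_HAS_JOURNAL = 0x0004  # set on ext3 and ext4
EXT_FEATURE_INCOMPAT_EXTENTS = 0x0040    # ext4-only features
EXT_FEATURE_INCOMPAT_64BIT = 0x0080

PARTITION_TYPES = {0x83: "Linux", 0x0C: "FAT32 (LBA)", 0xEE: "GPT protective"}


class Partition(NamedTuple):
    number: int
    type_id: int
    lba_start: int
    sectors: int
    bootable: bool


def parse_mbr(image: bytes) -> List[Partition]:
    """Read the four primary entries; raise if sector 0 lacks the 0x55AA signature."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 carries no MBR signature (blank chip, bad dump, or GPT-only)")
    parts = []
    for n in range(4):
        entry = image[MBR_TABLE_OFFSET + 16 * n: MBR_TABLE_OFFSET + 16 * (n + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0 or sectors == 0:
            continue  # empty slot
        parts.append(Partition(n + 1, type_id, lba_start, sectors, status == 0x80))
    return parts


class ExtInfo(NamedTuple):
    flavour: str
    label: str


def identify_ext(image: bytes, part: Partition) -> Optional[ExtInfo]:
    """Classify an ext filesystem from its superblock, or return None if it is not ext."""
    sb = part.lba_start * SECTOR + EXT_SUPERBLOCK_OFFSET
    if sb + 0x88 > len(image):
        return None  # partition lies beyond the dump: truncated image
    magic = struct.unpack_from("<H", image, sb + 0x38)[0]
    if magic != EXT_MAGIC:
        return None
    compat = struct.unpack_from("<I", image, sb + 0x5C)[0]
    incompat = struct.unpack_from("<I", image, sb + 0x60)[0]
    label = image[sb + 0x78: sb + 0x88].split(b"\x00", 1)[0].decode("ascii", "replace")
    if incompat & (EXT_FEATURE_INCOMPAT_EXTENTS | EXT_FEATURE_INCOMPAT_64BIT):
        flavour = "ext4"
    elif compat & EXT_FEATURE_COMPAT_HAS_JOURNAL:
        flavour = "ext3"
    else:
        flavour = "ext2"
    return ExtInfo(flavour, label)


def inventory(image: bytes) -> List[str]:
    """One human-readable line per partition found in the dump."""
    lines = []
    for p in parse_mbr(image):
        ext = identify_ext(image, p)
        fs = f"{ext.flavour} label={ext.label!r}" if ext else "no ext superblock"
        kind = PARTITION_TYPES.get(p.type_id, f"type 0x{p.type_id:02X}")
        lines.append(f"p{p.number}: {kind} lba={p.lba_start} sectors={p.sectors} {fs}")
    return lines


def build_sample_image() -> bytes:
    """Constructed 96 KiB image: a bootable ext4 'system' partition and a FAT32 entry."""
    img = bytearray(192 * SECTOR)
    entries = [(0x80, 0x83, 64, 64), (0x00, 0x0C, 128, 64)]
    for n, (status, type_id, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", img, MBR_TABLE_OFFSET + 16 * n, status, type_id, lba, count)
    img[510:512] = MBR_SIGNATURE
    sb = 64 * SECTOR + EXT_SUPERBLOCK_OFFSET
    struct.pack_into("<H", img, sb + 0x38, EXT_MAGIC)
    struct.pack_into("<I", img, sb + 0x5C, EXT_FEATURE_COMPAT_HAS_JOURNAL)
    struct.pack_into("<I", img, sb + 0x60, EXT_FEATURE_INCOMPAT_EXTENTS)
    img[sb + 0x78: sb + 0x78 + 6] = b"system"
    return bytes(img)


if __name__ == "__main__":
    for line in inventory(build_sample_image()):
        print(line)
```

Devices that use GPT show up here as a single 0xEE protective entry, which is the cue to parse the GPT header at LBA 1 instead; the boot partitions mentioned earlier (mmcblk0boot0/boot1) are separate hardware partitions and are not in this table at all.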
How long before we get pinouts for UFS chips and a cheap card reader?

It's funny, we were actually talking about this before; we knew there was going to be a question about UFS. Personally, I haven't looked at UFS too much, so I can't speak directly to that question. Do any of you? Not that much. But based on the prevalence of millions, hundreds of millions of devices at the very least, and with, you know, a device being designed, still designed for two years in the future, we're going to see eMMC still for quite a while, and hopefully in that time period we'll come back with something for UFS and go from there. So yeah, maybe a future project; just keep an eye on our wiki and Twitter. We've definitely talked about that, but, you know, we haven't really done the research yet to be able to really answer that question. Did that answer the question? Is there someone, like, waving your hand if you have a... like a black spot.

Does the pinout change a lot between different chips that you've seen before? I'd probably expect the same for each one, and you just say one board on top, and you just play for each one, so it's all the same BGA?

So I've personally only seen one variant, but the process he's seen... oh, actually, I'll repeat that question: are there multiple variants we've seen in the eMMC BGA pinouts? Correct, yes. OK, then Khoa, he has seen two variants; oh, the new one, the SD card, yes, he said he had seen one with all three; yes, with a Fire TV, and it would be really dumb. OK, so we saw one, it was actually last week getting ready for this, that had a different pinout, but for the most part most eMMC chips we've seen had the pinout identical to that Toshiba's, and that's why I said you could guess: you could use an eMMC pinout and probably confirm some unconnected connections, or confirm some data lines, preferably with something like an oscilloscope so you can see the patterns and waveforms. But, you know, for the most part there is only one variant, or those two variants, with that one being the most frequent. Did that answer your question? Oh yes, thanks. Yes, no problem, thanks. Someone else? OK, it seems that, unless I missed somebody, it looks like we're done. Let's see, we want to thank Black Hat for