[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Hacking with Embedded Systems ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #63 | Release date : 2005-01-08 | Editor : Phrack Staff
IntroductionPhrack Staff
LoopbackPhrack Staff
LinenoisePhrack Staff
Phrack Prophile on TiagoPhrack Staff
OSX heap exploitation techniquesNemo
Hacking Windows CE (pocketpcs & others)San
Games with kernel Memory...FreeBSD Stylejkong
Raising The Bar For Windows Rootkit Detectionsherri sparks & jamie butler
Embedded ELF DebuggingELFsh crew
Hacking Grub for Fun & Profitcoolq
Advanced antiforensics : SELFripe & pluf
Process Dump and Binary Reconstructionilo
Next-Gen. Runtime Binary Encryptionzvrba
Shifting the Stack Pointerandrewg
NT Shellcode Prevention Demystifiedpiotr
PowerPC Cracking on OSX with GDBcurious
Hacking with Embedded Systemscawan
Process Hiding & The Linux Schedulerubra
Breaking Through a Firewallkotkrye
Phrack World NewsPhrack Staff
Title : Hacking with Embedded Systems
Author : cawan
                           ==Phrack Inc.==

                Volume 0x0b, Issue 0x3f, Phile #0x11 of 0x14

|=------------[ Security Review Of Embedded Systems And Its ]------------=|
|=------------[     Applications To Hacking Methodology     ]------------=|
|=-----------------------------------------------------------------------=|
|=----[ Cawan: <chuiyewleong[at]hotmail.com> or <cawan[at]ieee.org> ]----=|


--=[ Contents

    1. - Introduction

    2. - Architectures Classification

    3. - Hacking with Embedded System

    4. - Hacking with Embedded Linux

    5. - "Hacking Machine" Implementation In FPGA

    6. - What The Advantages Of Using FPGA In Hacking ?

    7. - What Else Of Magic That Embedded Linux Can Do ?

    8. - Conclusion


--[ 1. - Introduction

    Embedded systems have been penetrated the daily human life. In 
residential home, the deployment of "smart" systems have brought out the 
term of "smart-home". It is dealing with the home security, electronic 
appliances control and monitoring, audio/video based entertainment, home 
networking, and etc. In building automation, embedded system provides the 
ability of network enabled (Lonwork, Bacnet or X10) for extra convenient 
control and monitoring purposes. For intra-building communication, the 
physical network media including power-line, RS485, optical fiber, RJ45, 
IrDA, RF, and etc. In this case, media gateway is playing the roll to 
provide inter-media interfacing for the system. For personal handheld 
systems, mobile devices such as handphone/smartphone and PDA/XDA are going 
to be the necessity in human life. However, the growing of 3G is not as 
good as what is planning initially. The slow adoption in 3G is because it 
is lacking of direct compatibility to TCP/IP. As a result, 4G with Wimax 
technology is more likely to look forward by communication industry 
regarding to its wireless broadband with OFDM. 

    Obviously, the development trend of embedded systems application is 
going to be convergence - by applying TCP/IP as "protocol glue" for 
inter-media interfacing purpose. Since the deployment of IPv6 will cause 
an unreasonable overshooting cost, so the widespread of IPv6 products 
still needs some extra times to be negotiated. 
As a result, IPv4 will continue to dominate the world of networking, 
especially in embedded applications. As what we know, the brand-old 
IPv4 is being challenged by its native security problems in terms of 
confidentiality, integrity, and authentication.
Extra value added modules such as SSL and SSH would be the best solution 
to protect most of the attacks such as Denial of Service, hijacking, 
spooling, sniffing, and etc. However, the implementation of such value 
added module in embedded system is optional because it is lacking of 
available hardware resources. For example, it is not reasonable to 
implement SSL in SitePlayer[1] for a complicated web-based control and 
monitoring system by considering the available flash and memory that 
can be utilized. 

    By the time of IPv4 is going to conquer the embedded system's world, 
the native characteristic of IPv4 and the reduced structure of embedded 
system would be problems in security consideration. 
These would probably a hidden timer-bomb that is waiting to be exploited. 
As an example, by simply performing port scan with pattern recognition to 
a range of IP address, any of the running SC12 IPC@CHIP[2] can be 
identified and exposed. Once the IP address of a running SC12 is confirmed, 
by applying a sequence of five ping packet with the length of 65500 is 
sufficient to crash it until reset. 


--[ 2. - Architectures Classification

    With the advent of commodity electronics in the 1980s, digital utility
began to proliferate beyond the world of technology and industry. By its 
nature digital signal can be represented exactly and easily, which gives 
it much more utility. In term of digital system design, programmable 
logic has a primary advantage over custom gate arrays and standard cells 
by enabling faster time-to-complete and shorter design cycles. By using 
software, digital design can be programmed directly into programmable 
logic and allowing making revisions to the design relatively quickly.
The two major types of programmable logic devices are Field Programmable 
Logic Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). 
FPGAs offer the highest amount of logic density, the most features, 
and the highest performance. These advanced devices also offer features 
such as built-in hardwired processors (such as the IBM Power PC), 
substantial amounts of memory, clock management systems, and support 
for many of the latest very fast device-to-device signaling technologies.
FPGAs are used in a wide variety of applications ranging from data 
processing and storage, instrumentation, telecommunications, and digital 
signal processing. Instead, CPLDs offer much smaller amounts of logic
(approximately 10,000 gates). But CPLDs offer very predictable timing 
characteristics and are therefore ideal for critical control applications.
Besides, CPLDs also require extremely low amounts of power and are very 
inexpensive. 

    Well, it is the time to discuss about Hardware Description Language 
(HDL). HDL is a software programming language used to model the intended 
operation of a piece of hardware. There are two aspects to the description 
of hardware that an HDL facilitates: true abstract behavior modeling and 
hardware structure modeling. The behavior of hardware may be modeled and 
represented at various levels of abstraction during the design process. 
Higher level models describe the operation of hardware abstractly, while 
lower level models include more detail, such as inferred hardware 
structure. There are two types of HDL: VHDL and Verilog-HDL. The history 
of VHDL started from 1980 when the USA Department of Defence (DoD) wanted 
to make circuit design self documenting, follow a common design methodology 
and be reusable with new technologies. It became clear there was a need for 
a standard programming language for describing the function and structure 
of digital circuits for the design of integrated circuits (ICs). The DoD 
funded a project under the Very High Speed Integrated Circuit (VHSIC) 
program to create a standard hardware description language. 
The result was the creation of the VHSIC hardware description language or 
VHDL as it is now commonly known. The history of Verilog-HDL started from 
1981, when a CAE software company called Gateway Design Automation that was 
founded by Prabhu Goel. One of the Gateway's first employees was Phil 
Moorby, who was an original author of GenRad's Hardware Description 
Language (GHDL) and HILO simulator. On 1983, Gateway released the Verilog 
Hardware Description Language known as Verilog-HDL or simply Verilog
together with a Verilog simulator. Both VHDL and Verilog-HDL are reviewed 
and adopted by IEEE as IEEE standard 1076 and 1364, respectively.
                 
    Modern hardware implementation of embedded systems can be classified 
into two categories: hardcore processing and softcore processing. Hardcore
processing is a method of applying hard processor(s) such as ARM, MIPS,
x86, and etc as processing unit with integrated protocol stack. 
For example, SC12 with x86, IP2022 with Scenix RISC, eZ80, SitePlayer 
and Rabbit are dropped in the category of hardcore processing.Instead,
softcore processing is applying a synthesizable core that can be targeted
into different semiconductor fabrics. The semiconductor fabrics should be
programmable as what FPGA and CPLD do. Altera[3] and Xilinx[4] are the
only FPGA/CPLD manufacturers in the market that supporting softcore 
processor. Altera provides NIOS processor that can be implemented in SOPC 
Builder that is targeted to its Cyclone and Stratix FPGAs. Xilinx provides 
two types of softcore: Picoblaze, that is targeted to its CoolRunner-2 
CPLD; and Microblaze, that is targeted to its Spartan and Virtex FPGAs.  
For the case of FPGAs with embedded hardcore, for example ARM-core in 
Stratix, and MIPS-core in Virtex are classified as embedded hardcore 
processing. On the other hand, FPGAs with embedded softcore such as 
NIOS-core in Cyclone or Stratix, and Microblaze-core in Spartan or Virtex 
are classified as softcore processing. Besides, the embedded softcore can 
be associated with others synthesizable peripherals such as DMA controller 
for advanced processing purpose. 

    In general, the classical point of view regarding to the hardcore 
processing might assuming it is always running faster than softcore 
processing. However, it is not the fact. Processor performance is often 
limited by how fast the instruction and data can be pipelined from external
memory into execution unit. As a result, hardcore processing is more 
suitable for general application purpose but softcore processing is more 
liable to be used in customized application purpose with parallel 
processing and DSP. It is targeted to flexible implementation in adaptive 
platform.


--[ 3. - Hacking with Embedded System

    When the advantages of softcore processing are applied in hacking, it 
brings out more creative methods of attack, the only limitation is the 
imagination. Richard Clayton had shown the method of extracting a 3DES key 
from an IBM 4758 that is running Common Cryptographic Architecture 
(CCA)[5]. The IBM 4758 with its CCA software is widely used in the banking 
industry to hold encryption keys securely. The device is extremely 
tamper-resistant and no physical attack is known that will allow keys to be 
accessed. According to Richard, about 20 minutes of uninterrupted access to 
the IBM 4758 with Combine_Key_Parts permission is sufficient to export the 
DES and 3DES keys. For convenience purpose, it is more likely to implement 
an embedded system with customized application to get the keys within the 
20 minutes of accessing to the device. An evaluation board from Altera was 
selected by Richard Clayton for the purpose of keys exporting and 
additional two days of offline key cracking.

    In practice, by using multiple NIOS-core with customized peripherals 
would provide better performance in offline key cracking. In fact, 
customized parallel processing is very suitable to exploit both symmetrical 
and asymmetrical encrypted keys.   
      

--[ 4. - Hacking with Embedded Linux

    For application based hacking, such as buffer overflow and SQL 
injection, it is more preferred to have RTOS installed in the embedded 
system. For code reusability purpose, embedded linux would be the best 
choice of embedded hacking platform. The following examples have clearly 
shown the possible attacks under an embedded platform. The condition of 
the embedded platform is come with a Nios-core in Stratix and  uClinux 
being installed. By recompiling the source code of netcat and make it run 
in uClinux, a swiss army knife is created and ready to perform penetration 
as listed below: -

    a) Port Scan With Pattern Recognition 
 
        A list of subnet can be defined initially in the embedded system 
    and bring it into a commercial building. Plug the embedded system 
    into any RJ45 socket in the building, press a button to perform port 
    scan with pattern recognition and identify any vulnerable network 
    embedded system in the building. Press another button to launch attack 
    (Denial of Service) to the target network embedded system(s). This 
    is a serious problem when the target network embedded system(s) is/are 
    related to the building evacuation system, surveillance system or 
    security system.
    
     b) Automatic Brute-Force Attack
    
        Defines server(s) address, dictionary, and brute-force pattern 
    in the embedded system. Again, plug the embedded system into any RJ45
    socket in the building, press a button to start the password guessing 
    process. While this small box of embedded system is located in a hidden
    corner of any RJ45 socket, it can perform the task of cracking over 
    days, powered by battery.
    
    c) LAN Hacking
 
        By pre-identify the server(s) address, version of patch, type 
    of service(s), a structured attack can be launched within the area 
    of the building. For example, by defining:
    
        http://192.168.1.1/show.php?id=1%20and%201=2%20union%20select%20
        8,7,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),5,4,
        3,2,1
   
        **char(47,101,116,99,47,112,97,115,115,119,100) = /etc/passwd
    
    in the embedded system initially. Again, plug the embedded system into
    any RJ45 socket in the building (within the LAN), press a button to
    start SQL injection attack to grab the password file of the Unix
    machine (in the LAN). The password file is then store in the flash 
    memory and ready to be loaded out for offline cracking. Instead of 
    performing SQL injection, exploits can be used for the same 
    purpose.
    
    d) Virus/Worm Spreading
 
        The virus/worm can be pre-loaded in the embedded system. Again, 
    plug the embedded system into any RJ45 socket in the building, press a 
    button to run an exploit to any vulnerable target machine, and load the
    virus/worm into the LAN.
    
    e) Embedded Sniffer
 
        Switch the network interface from normal mode into promiscuous mode 
    and define the sniffing conditions. Again, plug the embedded system 
    into any RJ45 socket in the building, press a button to start the 
    sniffer. To make sure the sniffing process can be proceed in switch 
    LAN, ARP sniffer is recommended for this purpose. 
    

--[ 5. - "Hacking Machine" Implementation In FPGA

    The implementation of embedded "hacking machine" will be demonstrated 
in Altera's NIOS development board with Stratix EP1S10 FPGA. The board 
provides a 10/100-base-T ethernet and a compact-flash connector. Two
RS-232 ports are also provided for serial interfacing and system 
configuration purposes, respectively. Besides, the onboard 1MB of SRAM, 
16MB of SDRAM, and 8MB of flash memory are ready for embedded linux 
installation[6]. The version of embedded linux that is going to be applied 
is uClinux from microtronix[7]. 

    Ok, that is the specification of the board. Now, we start our journey 
of "hacking machine" design. We use three tools provided by Altera to 
implement our "hardware" design. In this case, the term of "hardware" means
it is synthesizable and to be designed in Verilog-HDL. The three tools 
being used are: QuartusII ( as synthesis tool), SOPC Builder (as 
Nios-core design tool), and C compiler. Others synthesis tools such as 
leonardo-spectrum from mentor graphic, and synplify from synplicity are 
optional to be used for special purpose. In this case, the synthesized 
design in edif format is defined as external module. It is needed to import
the module from QuartusII to perform place-and-route (PAR). The outcome of 
PAR is defined as hardware-core. For advanced user, Modelsim from mentor 
graphic is highly recommended to perform behavioral simulation and Post-PAR
simulation. Behavioral simulation is a type of functional verification to 
the digital hardware design. Timing issues are not put into the 
consideration in this state. Instead, Post-PAR simulation is a type of 
real-case verification. In this state, all the real-case factors such as 
power-consumption and timing conditions (in sdf format) are put into the 
consideration. [8,9,10,11,12]

    A reference design is provided by microtronix and it is highly 
recommended to be the design framework for any others custom design with
appropriate modifications [13]. Well, for our "hacking machine" design
purpose, the only modification that we need to do is to assign the 
interrupts of four onboard push-buttons [14]. So, once the design 
framework is loaded into QuartusII, SOPC Builder is ready to start 
the design of Nios-core, Boot-ROM, SRAM and SDRAM inteface, Ethernet 
interface, compact-flash interface and so on. Before starting to generate 
synthesizable codes from the design, it is crucial to ensure the check-box 
of "Microtronix uClinux" under Software Components is selected (it is in 
the "More CPU Settings" tab of the main configuration windows in SOPC 
Builder). By selecting this option, it is enabling to build a uClinux 
kernel, uClibc library, and some uClinux's general purpose applications by 
the time of generating synthesizable codes. Once ready, generate the design 
as synthesizable codes in SOPC Builder following by performing PAR in 
QuartusII to get a hardware core. In general, there are two formats of 
hardware core:- 

    a) .sof core:  To be downloaded into the EP1S10 directly by JTAG and 
                   will require a re-load if the board is power cycled
                   **(Think as volatile)
             
    b) .pof core:  To be downloaded into EPC16 (enhanced configuration
                   device) and will automatically be loaded into the 
                   FPGA every time the board is power cycled
                   **(Think as non-volatile)
                 
    The raw format of .sof and .pof hardware core is .hexout. As hacker, 
we would prefer to work in command line, so we use the hexout2flash tool 
to convert the hardware core from .hexout into .flash and relocate the 
base address of the core to 0x600000 in flash. The 0x600000 is the startup 
core loading address of EP1S10. So, once the .flash file is created, we 
use nios-run or nr command to download the hardware core into flash memory 
as following:

    [Linux Developer] ...uClinux/: nios-run hackcore.hexout.flash

    After nios-run indicates that the download has completed successfully, 
restart the board. The downloaded core will now start as the default core 
whenever the board is restarted.

    Fine, the "hardware" part is completed. Now, we look into the 
"software" implementation. We start from uClinux. As what is stated, the 
SOPC Builder had generated a framework of uClinux kernel, uClibc library, 
and some uClinux general purpose applications such as cat, mv, rm, and etc.

We start to reconfigure the kernel by using "make xconfig". 

    [Linux Developer] ...uClinux/: cd linux
    [Linux Developer] ...uClinux/: make xconfig

In xconfig, perform appropriate tuning to the kernel, then use 
"make clean" to clean the source tree of any object files.

    [Linux Developer] ...linux/: make clean 

To start building a new kernel use "make dep" following by "make". 

    [Linux Developer] ...linux/: make dep
    [Linux Developer] ...linux/: make

To build the linux.flash file for uploading, use "make linux.flash". 

    [Linux Developer] ...uClinux/: make linux.flash

The linux.flash file is defined as the operating system image. 
As what we know, an operating system must run with a file system.
So, we need to create a file system image too. First, edit the config
file in userland/.config to select which application packages get 
built. For example:

    #TITLE agetty
    CONFIG_AGETTY=y

If an application package's corresponding variable is set to 'n' 
(for example, CONFIG_AGETTY=n), then it will not be built and copied
over to the target/ directory. Then, build all application packages 
specified in the userland/.config as following:

    [Linux Developer] ...userland/: make

Now, we copy the pre-compiled netcat into target/ directory. 
After that, use "make romfs" to start generating the file system or 
romdisk image. 

    [Linux Developer] ...uClinux/: make romfs

Once completed, the resulting romdisk.flash file is ready to be 
downloaded
to the target board. First, download the file system image following by
the operating system image into the flash memory.  

    [Linux Developer] ...uClinux/: nios-run -x romdisk.flash
    [Linux Developer] ...uClinux/: nios-run linux.flash

Well, our FPGA-based "hacking machine" is ready now. 
 
    Lets try to make use of it to a linux machine with /etc/passwd 
enabled. We assume the ip of the target linux machine is 192.168.1.1 
as web server in the LAN that utilize MySQL database. Besides, we know 
that its show.php is vulnerable to be SQL injected. We also assume it has 
some security protections to filter out some dangerous symbols, so we 
decided to use char() method of injection. We assume the total columns in 
the table that access by show.php is 8.

Now, we define:

    char getpass[]="http://192.168.1.1/show.php?id=1%20and%201=2%20union
      %20select%208,7,load_file(char(47,101,116,99,47,112,97,115,115,119,
      100)),5,4,3,2,1";    

as attacking string, and we store the respond data (content of 
/etc/passwd) in a file name of password.dat. By creating a pipe to the 
netcat, and at the same time to make sure the attacking string is always 
triggered by the push-button, well, our "hacking machine" is ready.

    Plug the "hacking machine" into any of the RJ45 socket in the LAN, 
following by pressing a button to trigger the attacking string against 
192.168.1.1. After that, unplug the "hacking machine" and connect to a 
pc, download the password.dat from the "hacking machine", and start the 
cracking process. By utilizing the advantages of FPGA architecture,
a hardware cracker can be appended for embedded based cracking process.
Any optional module can be designed in Verilog-HDL and attach to the 
FPGA for all-in-one hacking purpose. The advantages of FPGA implementation
over the conventional hardcore processors will be deepened in the 
following section, with a lot of case-studies, comparisons and 
wonderful examples.

Tips:
   
**FTP server is recommended to be installed in "hacking machine" 
because of two reasons:

  1) Any new or value-added updates (trojans, exploits, worms,...) to 
     the "hacking machine" can be done through FTP (online update).
     
  2) The grabbed information (password files, configuration files,...) 
     can be retrieved easily.
     
Notes:

**Installation of FTP server in uClinux is done by editing 
  userland/.config file to enable the ftpd service.     

**This is just a demostration, it is nearly impossible to get a 
  unix/linux machine that do not utilize file-permission and shadow 
  to protect the password file. This article is purposely to show 
  the migration of hacking methodology from PC-based into embedded 
  system based.
  

--[ 6. - What The Advantages Of Using FPGA In Hacking ?

    Well, this is a good question while someone will ask by using a $50 
Rabbit module, a 9V battery and 20 lines of Dynamic C, a simple "hacking 
machine" can be implemented, instead of using a $300 FPGA development 
board and a proprietary embedded processor with another $495. The answer 
is, FPGA provides a very unique feature based on its architecture that is 
able to be hardware re-programmable. 

    As what we know, FPGA is a well known platform for algorithm 
verification in hardware implementation, especially in DSP applications. 
The demand for higher bit rates by the wired and wireless communications 
industry has led to the development of higher bit rate and low cost serial 
link interface chips. Based on such considerations, some demands of 
programmable channel and band scanning are needed to be digitized and 
re-programmable. A new term has been created for this type of framework 
as "software defined radio" or SDR. However, the slow adoption of SDR is 
due to the limitation in Analog-to-Digital Converter(ADC) to digitize 
the analog demodulation unit in transceiver module. 
Although the sampling rate of the most advanced ADC is not yet to meet 
the specification of SDR, but it will come true soon. In this case, the 
application of conventional DSP chips such as TMS320C6200 (for 
fixed-point processing) and TMS320C6700 (for floating-point processing) 
are a little bit harder to handle such extremely high bit rates. Of 
course, someone may claim its parallel processing technique could solve 
the problem by using the following symbols in linear assembly language[15].

    	Inst1
    ||	Inst2
    ||	Inst3
    ||	Inst4    
    ||	Inst5
    ||	Inst6
	    Inst7	

    The double-pipe symbols (||) indicate instructions that are in parallel
with a previous instruction. Inst2 to Inst6, these five instructions run 
in parallel with the first instruction, Inst1. In TMS320, up to eight 
instructions can be running in parallel. However, this is not a true 
parallel method, but perform pipelining in different time-slot within a 
single clock cycle.
Instead, the true parallel processing can only be implemented with 
different sets of hardware module. So, FPGA should be the only solution to 
implement a true parallel processing architecture. For the case of SDR that 
is mentioned, it is just a an example to show the limitation of data 
processing in the structure of resource sharing. Meanwhile, when we 
consider to implement an encryption module, it is the same case as what 
data processing do. The method of parallel processing is extremely worth to 
enhance the time of key cracking process. Besides, it is significant to 
know that the implementation of encryption module in FPGA is 
hardware-driven. It is totally free from the limitation of any hardcore 
processor structure that is using a single instruction pointer (or program 
counter) to performing push and pop operations interactively over the stack 
memory. So, both of the mentioned advantages: true-parallel processing, and 
hardware-driven, are nicely clarified the uniqueness of FPGA's architecture 
for advanced applications. 

    While we go further with the uniqueness of FPGA's architecture, 
more and more interesting issues can come into the discussion. 
For hacking purpose, we focus and stick to the discussion of utilizing 
the ability of hardware re-programmable in a FPGA-based "hacking machine". 
We ignore the ability of "software re-programmable" here because it can be 
done by any of the hardcore processor in the lowest cost. By applying the 
characterictic of hardware re-programmable, a segment of space in flash 
memory is reserved for hardware image. In Nios, it is started from 
0x600000. This segment is available to be updated from remote through the 
network interface. In advanced mobile communication, this type of feature 
is started to be used for hardware bug-fix as well as module update [16] 
purpose. It is usually known as Over-The-Air (OTA) technology. For hacking 
purpose, the characteristic of hardware re-programmable had made our 
"hacking machine" to be general purpose. It can come with a hardware-driven 
DES cracker, and easily be changed to MD5 cracker or any other types of 
hardware-driven module. Besides, it can also be changed from an online 
cracker to be a proxy, in a second of time. 

    In this state, the uniqueness of FPGA's architecture is clear now. 
So, it is the time to start the discussion of black magic with the 
characteristic of hardware re-programmable in further detail. By using 
Nios-core, we explore from two points: custom instruction and user 
peripheral. A custom instruction is hardware-driven and implemented by 
custom logic as shown below:

       |---->|------------|
       |     |Custom Logic|-|
       | |-->|------------| |
       | |                  | 
       | | |----------------||
    A ---->|               |-|
       |   |  Nios-ALU     | |----> OUT
    B ---->|               |-|
           |-----------------|           
        
By defining a custom logic that is parallel connected with Nios-ALU inputs, 
a new custom instruction is successfully created. With SOPC Builder, custom 
logic can be easily add-on and take-out from Nios-ALU, and so is the case 
of custom instruction. Now, we create a new custom instruction, let say 
nm_fpmult(). We apply the following codes:

    float a, b, result_slow, result_fast;

    result_slow = a * b;            //Takes 2874 clock cycles
    result_fast = nm_fpmult(a, b);  //Takes 19 clock cycles

From the running result, the operation of hardware-based multiplication 
as custom instruction is so fast that is even faster than a DSP chip. 
For cracking purpose, custom instructions set can be build up in respective 
to the frequency of operations being used. The instructions set is easily 
to be plugged and unplugged for different types of encryption being 
adopted. 

    The user peripheral is the second black magic of hardware 
re-programmable. As we know Nios-core is a soft processor, so a bus 
specification is needed for the communication of soft processor with other 
peripherals, such as RAM, ROM, UART, and timer. Nios-core is using a 
proprietary bus specification, known as Avalon-bus for 
peripheral-to-peripheral and Nios-core-to-peripheral communication purpose.
So, user peripherals such as IDE and USB modules are usually be designed to 
expand the usability of embedded system. For hacking purpose, we ignore the 
IDE and USB peripherals because we are more interested to design user 
peripheral for custom communication channel synchronization. When we 
consider to hack a customize system such as building automation, public 
addressing, evacuation, security, and so on, the main obstacle is its 
proprietary communication protocol [17, 18, 19, 20, 21, 22]. 

    In such case, a typical network interface is almost impossible to 
synchronize into the communication channel of a customize system. 
For example, a system that is running at 50Mbps, neither a 10Based-T
nor 100Based-T network interface card can communicate with any module
within the system. However, by knowing the technical specification of such 
system, a custom communication peripheral can be created in FPGA. So, it is 
able to synchronize our "hacking machine" into the communication channel of 
the customize system. By going through the Avalon-bus, Nios-core is 
available to manipulate the data-flow of the customize system. So, the 
custom communication peripheral is going to be the customize media gateway 
of our "hacking machine". The theoretical basis of custom communication 
peripheral is come from the mechanism of clock data recovery (CDR). CDR is 
a method to ensure the data regeneration is done with a decision circuit 
that samples the data signal at the optimal instant indicated by a clock. 
The clock must be synchronized as exactly the same frequency as the data 
rate, and be aligned in phase with respect to the data. The production of 
such a clock at the receiver is the goal of CDR. In general, the task of 
CDR is divided into two: frequency acquisition and timing alignment. 
    Frequency acquisition is the process that locks the receiver clock 
frequency to the transmitted data frequency. Timing alignment is the phase 
alignment of the clock so the decision circuit samples the data at the 
optimal instant. Sometime, it is also named as bit synchronization or phase 
locking. Most timing alignment circuits can perform a limited degree of 
frequency acquisition, but additional acquisition aids may be needed. Data 
oversampling method is being used to create the CDR for our "hacking 
machine". By using the method of data oversampling, frequency acquisition 
is no longer be put into the design consideration. By ensuring the sampling 
frequency is always N times over than data rate, the CDR is able to work as 
normal. To synchronize multiple of customize systems, a frequency synthesis 
unit such as PLL is recommended to be used to make sure the sampling 
frequency is always N times over than data rate. A framework of CDR 
based-on the data oversampling method with N=4 is shown as following in 
Verilog-HDL.

**The sampling frequency is 48MHz (mclk), which is 4 times of 
  data rate (12MHz).

    //define input and output 
    
    input data_in;
    input mclk;
    input rst;
    
    output data_buf;
    
    //asynchronous edge detector

    wire reset = (rst & ~(data_in ^ capture_buf));

    //data oversampling module

    reg capture_buf;

    always @ (posedge mclk or negedge rst)
      if (rst == 0) 
        capture_buf <= 0;
      else 
        capture_buf <= data_in;
    
    //edge detection module

    reg [1:0] mclk_divd;

    always @ (posedge mclk or negedge reset or posedge reset)
      if (reset == 0) 
        mclk_divd <= 2'b00;	
      else 
        mclk_divd <= mclk_divd + 1;

    //capture at data eye and put into a 16-bit buffer

    reg [15:0] data_buf;
    
    always @ (posedge mclk_divd[1] or negedge rst)
      if (rst == 0) 
        data_buf <= 0;
      else
        data_buf <= {data_buf[14:0],capture_buf};

    Once the channel is synchronized, the data can be transferred to 
Nios-core through the Avalon-Bus for further processing and interaction. 
The framework of CDR is plenty worth for channel synchronization in various 
types of custom communication channels. Jean P. Nicolle had shown another 
type of CDR for 10Base-T bit synchronization [23]. As someone might query 
for the most common approach of performing CDR channel synchronization in 
Phase-Locked Loop (PLL). Yes, this is a type of well known analog approach, 
by we are more interested to the digital approach, with the reason of 
hardware re-programmable - our black magic of FPGA. For those who 
interested to know more advantages of digital CDR approach over the analog 
CDR approach can refer to [24]. Anyway, the analog CDR approach is the only 
option for a hardcore-based (Scenix, Rabbit, SC12 ,...) "hacking machine" 
design, and it is sufferred to: 

1. Longer design time for different data rate of the communication link.
   The PLL lock-time to preamble length, charge-pump circuit design, 
   Voltage Controlled Oscillator (VCO), are very critical points.
   
2. Fixed-structure design. Any changes of "hacking application" need
   to re-design the circuit itself, and it is quite cumbersome.
          
    As a result, by getting a detail technical specification of a 
customized system, the possibility to hack into the system has always 
existed, especially to launch the Denial of Service attack. By disabling 
an evacuation system, or a fire alarm system at emergency, it is a very 
serious problem than ever. Try to imagine, when different types of CDRs 
are implemented in a single FPGA, and it is able to perform automatic 
switching to select a right CDR for channel synchronization. On the other 
hand, any custom defined module is able to plug into the system itself 
and freely communicate through Avalon-bus. Besides, the generated hardware 
image is able to be downloaded into flash memory through tftp. By following 
with a soft-reset to re-configure the FPGA, the "hacking machine" is 
successfully updated. So, it is ready to hack multiple of custom systems at 
the same time.   

case study:

**The development of OPC technology is slowly become popular.
  According to The OPC Foundation, OPC technology can eliminate
  expensive custom interfaces and drivers tranditionally required
  for moving information easily around the enterprise. It promotes 
  interoperability, including amongst different computing solutions
  and platforms both horizontally and vertically in the emterprise [25].

--[ 7. - What Else Of Magic That Embedded Linux Can Do ?

    So, we know the weakness of embedded system now, and we also know 
how to utilize the advantages of embedded system for hacking purpose. 
Then, what else of magic that we can do with embedded system? This is a 
good question.

    By referring to the development of network applications, ubiquitous 
and pervasive computing would be the latest issues. Embedded system would
probably to be the future framework as embedded firewall, ubiquitous 
gateway/router, embedded IDS, mobile device security server, and so on.
While existing systems are looking for network-enabled, embedded system
had established its unique position for such purpose. A good example is
migrating MySQL into embedded linux to provide online database-on-chip
service (in FPGA) for a building access system with RFID tags. Again, 
the usage and development of embedded system has no limitation, the only 
limitation is the imagination.

Tips:

**If an embedded system works as a server (http, ftp, ...), it is going
  to provide services such as web control, web monitoring,...
**If an embedded system works as a client (http, ftp, telnet, ..), then
  it is more likely to be a programmable "hacking machine"    


--[ 8. - Conclusion

    Embedded system is an extremely useful technology, because we can't
expect every processing unit in the world as a personal computer. While
we are begining to exploit the usefullness of embedded system, we need
to consider all the cases properly, where we should use it and where we
shouldn't use it. Embedded security might be too new to discuss seriously
now but it always exist, and sometime naive. Besides, the abuse of embedded
system would cause more mysterious cases in the hacking world.


--=[ References

[1] http://www.siteplayer.com/ 

[2] http://www.beck-ipc.com/

[3] http://www.altera.com/

[4] http://www.xilinx.com/

[5] http://www.cl.cam.ac.uk/users/rnc1/descrack/index.html

[6] Nios Development Kit, Stratix Edition: Getting Started User Guide
    (Version 1.2) - July 2003
    http://www.altera.com/literature/ug/ug_nios_gsg_stratix_1s10.pdf

[7] http://www.microtronix.com/

[8] Nios Hardware Development Tutorial (Version 1.1) - 
    July 2003
    http://www.altera.com/literature/tt/tt_nios2_hardware_tutorial.pdf

[9] Nios Software Development Tutorial (Version 1.3) -
    July 2003
    http://www.altera.com/literature/tt/tt_nios_sw.pdf

[10] Designing With The Nios (Part 1) -
     Second-Order, Closed-Loop Servo Control
     Circuit Cellar, #167, June 2004
     
[11] Designing With The Nios (Part 2) -
     System Enhancement
     Circuit Cellar, #168, July 2004
     
[12] Nios Tutorial (Version 1.1)
     February 2004
     http://www.altera.com/literature/tt/tt_nios_hw_apex_20k200e.pdf
     
[13] Microtronix Embedded Linux Development - 
     Getting Started Guide: Document Revision 1.2
     http://www.pldworld.com/_altera/html/_excalibur/niosldk/httpd/
     getting_started_guide.pdf
     
[14] Stratix EP1S10 Device: Pin Information
     February 2004
     http://www.fulcrum.ru/Read/CDROMs/Altera/literature/lit-stx.html

[15] TMS320C6000 Assembly Language Tools User's Guide
     http://www.tij.co.jp/jsc/docs/dsps/support/download/tools/
     toolspdf6000/spru186i.pdf

[16] Dynamic Spectrum Allocation In Composite Reconfigurable Wireless
     Networks
     IEEE Communications Magazine, May 2004.
     
http://ieeexplore.ieee.org/iel5/35/28868/01299346.pdf?tp=&arnumber=
     1299346&isnumber=28868
    
[17] TOA - VX-2000 (Digital Matrix System)
     
http://www.toa-corp.co.uk/asp/catalogue/products.asp?prodcode=VX-2000
     
[18] Klotz Digital - Vadis (Audio Matrix), VariZone (Complex Digital 
     PA System For Emergency Evacuation Applications)
     http://www.klotz-digital.de/products/pa.htm
     
[19] Peavey - MediaMatrix System
     http://mediamatrix.peavey.com/home.cfm
     
[20] Optimus - Optimus (Audio & Communication), Improve 
     (Distributed Audio)
     http://www.optimus.es/eng/english.html
     
[21] Simplex - TrueAlarm (Fire Alarm Systems)
     http://www.simplexgrinnell.com/
     
[22] Tyco - Fire Detection and Alarm, Integrated Security Systems,
     Health Care Communication Systems
     http://www.tycosafetyproducts-us.com
     
[23] 10Base-T FPGA Interface - Ethernet Packets: Sending and Receiving
     http://www.fpga4fun.com/10BASE-T.html
     
[24] Ethernet Receiver
     http://www.holmea.demon.co.uk/Ethernet/EthernetRx.htm

[25] The OPC Foundation
     http://www.opcfoundation.org/

[26] www.ubicom.com (IP2022)

[27] http://www.zilog.com/products/family.asp?fam=218 (eZ80)

[29] http://www.fpga4fun.com/

[29] http://www.elektroda.pl/eboard


|=[ EOF ]=---------------------------------------------------------------=|
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.