Tuesday, October 29, 2013


By Ruben Santamarta @reversemode
In Spain we have a saying "Hecha la ley, hecha la trampa" which basically means there will always be a way to circumvent a restriction. In fact, that is pretty much what hacking is all about.
It seems the idea of 'counterfeiting' appeared at the same time as legitimate money. The Wikipedia page for Counterfeit money  is a fascinating read that helps explain its effects.
Nowadays every physical currency implements security measures to prevent counterfeiting. Some counterfeits can be detected with a naked eye, while others need specific devices or procedures to be identified. In order to help employees, counterfeit money detectors can be found in places that accept cash, including shops, malls, postal offices, banks, and gas stations.
Recently I took a look at one of these devices, Secureuro. I chose this device because it is widely used in Spain, and its firmware is freely available to download. 
As usual, the first thing I did when approaching a static analysis of a device of this kind was to collect as much information as possible. We should look for anything that could help us to understand how the target works at all levels. 
In this case I used the following sources:
I found some videos where the vendor details how to use the device. This let me analyze the behavior of the device, such as when an LED turns on, when a sound plays, and what messages are displayed. This knowledge is very helpful for understanding the underlying logic when analyzing the assembler later on.

Vendor Material
Technical specs, manuals, software, firmware ... [1] [2] [3] See references.
The following document provides some insights into the device’s security http://www.secureuro.com/secureuro/ingles/MANUALINGLES2006.pdf 
Unfortunately, some of these claims are not completely true and others are simply false. It is possible to understand how Secureuro works; we can access the firmware and EEPROM without even needing hardware hacking. Also, there is no encryption system protecting the firmware.
Before we start discussing the technical details, I would like to clarify that we are not disclosing any trick that could help criminals to bypass the device 'as is'. My intention is not to forge a banknote that could pass as legitimate, that is a criminal offense. My sole purpose is to explain how I identified the code behind the validation in order to create 'trojanized' firmware that accepts even a simple piece of paper as a valid currency. We are not exploiting a vulnerability in the device, just a design feature.

Analyzing the Firmware
This is the software that downloads the firmware into the device. The firmware file I downloaded from the vendor's website contains 128K of data that will be flashed to the ATMEGA128 microcontroller. So I can directly load it into IDA, although I do not have access to the EEPROM yet.

Entry Points
A basic approach to dealing with this kind of firmware is to identify some elements or entry points that can leveraged to look for interesting pieces of code. 
A minimal set includes:

Interruption Vector 
  1. 1. RESET == Main Entry Point
  2. 2. TIMERs
  3. 3. UARTs
  4. 4. SPI
  1. 1. LPM (Load Program Memory)
  2. 2. SPM (Store Program Memory) 
  3. 3. IN
  4. 4. OUT

ADCL: The ADC Data Register Low
ADCH: The ADC Data Register High
ADCSRA: ADC Control and Status Register
ADMUX: ADC Multiplexer Selection Register 
ACSR: Analog Comparator Control and Status
UBRR0L: USART Baud Rate Register 
UCSR0B: USART Control and Status Register
UCSR0A: USART Control and Status Register
UDR0: USART I/O Data Register 
SPCR: SPI Control Register  
SPSR: SPI Status Register  
SPDR: SPI Data Register  
EECR: EEPROM Control Register  
EEDR: EEPROM Data Register  
EEARL: EEPROM Address Register Low 
EEARH: EEPROM Address Register High 
OCR2: Output Compare Register  
TCNT2: Timer/Counter Register   
TCCR2: Timer/Counter Control Register  
OCR1BL: Output Compare Register B Low
OCR1BH: Output Compare Register B High
OCR1AL: Output Compare Register A Low
OCR1AH: Output Compare Register A High
TCNT1L: Counter Register Low Byte 
TCNT1H: Counter Register High Byte 
TCCR1B: Timer/Counter1 Control Register B 
TCCR1A: Timer/Counter1 Control Register A 
OCR0: Timer/Counter0 Output Compare Register 
TCNT0: Timer/Counter0    
TCCR0: Timer/Counter Control Register  
TIFR: Timer/Counter Interrupt Flag Register 
TIMSK: Timer/Counter Interrupt Mask Register

No comments:

Post a Comment

Support : Relax Viet
Copyright © 2013. Security24h - All Rights Reserved
Design by Namkna
Best View Resolution 1024 x 768 pixel