http://blog.ioactive.com
In Spain we have a saying "Hecha la ley, hecha la trampa" which
basically means there will always be a way to circumvent a restriction.
In fact, that is pretty much what hacking is all about.
It seems the idea of 'counterfeiting' appeared at the same time as
legitimate money. The Wikipedia page for Counterfeit money is a
fascinating read that helps explain its effects.
http://en.wikipedia.org/wiki/Counterfeit_money
Nowadays every physical currency implements security measures to prevent
counterfeiting. Some counterfeits can be detected with a naked eye,
while others need specific devices or procedures to be identified. In
order to help employees, counterfeit money detectors can be found in
places that accept cash, including shops, malls, postal offices, banks,
and gas stations.
Recently
I took a look at one of these devices, Secureuro. I chose this device
because it is widely used in Spain, and its firmware is freely available
to download.
http://www.securytec.es/Informacion/clientes-de-secureuro
As usual, the first thing I did when approaching a static analysis of a
device of this kind was to collect as much information as possible. We
should look for anything that could help us to understand how the target
works at all levels.
In this case I used the following sources:
Youtube
http://www.youtube.com/user/EuroSecurytec
I found some videos where the vendor details how to use the device. This
let me analyze the behavior of the device, such as when an LED turns
on, when a sound plays, and what messages are displayed. This knowledge
is very helpful for understanding the underlying logic when analyzing
the assembler later on.
Vendor Material
Technical specs, manuals, software, firmware ... [1] [2] [3] See references.
The following document provides some insights into the device’s security
http://www.secureuro.com/secureuro/ingles/MANUALINGLES2006.pdf
Unfortunately, some of these claims are not completely true and others
are simply false. It is possible to understand how Secureuro works; we
can access the firmware and EEPROM without even needing hardware
hacking. Also, there is no encryption system protecting the firmware.
Before we start discussing the technical details, I would like to
clarify that we are not disclosing any trick that could help criminals
to bypass the device 'as is'. My intention is not to forge a banknote
that could pass as legitimate, that is a criminal offense. My sole
purpose is to explain how I identified the code behind the validation in
order to create 'trojanized' firmware that accepts even a simple piece
of paper as a valid currency. We are not exploiting a vulnerability in
the device, just a design feature.
Analyzing the Firmware
This is the software that downloads the firmware into the device. The
firmware file I downloaded from the vendor's website contains 128K of
data that will be flashed to the ATMEGA128 microcontroller. So I can
directly load it into IDA, although I do not have access to the EEPROM
yet.
Entry Points
A basic approach to dealing with this kind of firmware is to identify
some elements or entry points that can leveraged to look for interesting
pieces of code.
A minimal set includes:
Interruption Vector
- 1. RESET == Main Entry Point
- 2. TIMERs
- 3. UARTs
- 4. SPI
Mnemonics
- 1. LPM (Load Program Memory)
- 2. SPM (Store Program Memory)
- 3. IN
- 4. OUT
Registers
ADCL: The ADC Data Register Low
ADCH: The ADC Data Register High
ADCSRA: ADC Control and Status Register
ADMUX: ADC Multiplexer Selection Register
ACSR: Analog Comparator Control and Status
UBRR0L: USART Baud Rate Register
UCSR0B: USART Control and Status Register
UCSR0A: USART Control and Status Register
UDR0: USART I/O Data Register
SPCR: SPI Control Register
SPSR: SPI Status Register
SPDR: SPI Data Register
EECR: EEPROM Control Register
EEDR: EEPROM Data Register
EEARL: EEPROM Address Register Low
EEARH: EEPROM Address Register High
OCR2: Output Compare Register
TCNT2: Timer/Counter Register
TCCR2: Timer/Counter Control Register
OCR1BL: Output Compare Register B Low
OCR1BH: Output Compare Register B High
OCR1AL: Output Compare Register A Low
OCR1AH: Output Compare Register A High
TCNT1L: Counter Register Low Byte
TCNT1H: Counter Register High Byte
TCCR1B: Timer/Counter1 Control Register B
TCCR1A: Timer/Counter1 Control Register A
OCR0: Timer/Counter0 Output Compare Register
TCNT0: Timer/Counter0
TCCR0: Timer/Counter Control Register
TIFR: Timer/Counter Interrupt Flag Register
TIMSK: Timer/Counter Interrupt Mask Register
==> Read More
No comments:
Post a Comment