Jeep firmware reversing research

ICIT Brief: Who’s Behind the Wheel? Exposing the Vulnerabilities and Risks of High Tech Vehicles

The July 2015 remote hack of a Jeep Cherokee by security researchers from IOActive served as a catalyst which made vehicle cybersecurity a top priority for the automotive industry, consumers and lawmakers. Since then, Chrysler has recalled 1.4 million Jeeps to patch vulnerabilities and lawmakers have proposed various pieces of legislation to address cybersecurity in vehicles, including the Security and Privacy in Your Car (SPY Car) Act from Senators Markey (MA) and Blumenthal (CT). In response to the need for legislative and agency education on the issue of vehicle cybersecurity, ICIT has partnered with its Fellow IOActive on a brief entitled “Who’s Behind the Wheel? Exposing the Vulnerabilities and Risks of High Tech Vehicles”. The brief provides a detailed breakdown of the July 2015 Jeep Cherokee hacking demonstration and an analysis of how hackers would behave during a ‘real-world’ attack. […]

http://icitech.org/icit-brief-whos-behind-the-wheel-exposing-the-vulnerabilities-and-risks-of-high-tech-vehicles/

Remaining CCC talks online

I wish all conferences had AV teams as good as CCC!

https://media.ccc.de/b/conferences/camp2015

There are about a dozen hardware-related talks, and many of the other talks look useful. Especially this one:

Making it easier to avoid low-level compromise, and why you’ll still lose
Matthew Garrett

CCC day1 videos online

CCC’s media team is great! Their videos are already online, for day 1. Lots of interesting videos to watch, if you’re not in Germany, including Joanna on the stateless laptop and Trammell on Thunderstrike!

https://media.ccc.de/c/32c3

Towards (reasonably) trustworthy x86 laptops
Joanna Rutkowska
https://media.ccc.de/v/32c3-7352-towards_reasonably_trustworthy_x86_laptops#video

Thunderstrike 2
Trammell Hudson
https://media.ccc.de/v/32c3-7236-thunderstrike_2#video

BinWalk 2.1.1 released

https://github.com/devttys0/binwalk/releases/tag/v2.1.1
http://binwalk.org/
https://github.com/devttys0/binwalk/wiki

New to 2.1.1:
    Many bug fixes
    New/improved file signatures
    Disassembly scans (using the Capstone Engine)
    Improved raw Deflate compression detection and extraction
    Raw LZMA compression detection and extraction
    Improved false positive detection for common compressions (Zlib, LZMA)
    An IDA plugin for running binwalk inside of IDA
    Integration of better extraction utilities (e.g., sasquatch for SquashFS, jefferson for JFFS2)
    Removal of all C library dependencies, including libmagic – pure Python!
    Native Windows support!
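To make the “improved false positive detection” bullet concrete, here is an added illustration (my own code, not binwalk’s) of how a raw-compression scanner separates real zlib and LZMA streams from bytes that merely look like a header: cheap header checks nominate candidates, and each candidate is confirmed by actually running the decompressor. The sample “firmware” blob, the decoy header and the names are constructed here for the demo.

```python
"""Locate embedded zlib and raw LZMA ("lzma_alone") streams inside a blob.

Header checks nominate candidates; each is then confirmed by running the real
decompressor, which is what weeds out bytes that merely look like a header.
All sample data at the bottom is constructed in this file.
"""
import lzma
import struct
import zlib
from collections import namedtuple

Hit = namedtuple("Hit", "kind offset compressed_len decompressed_len complete")

MIN_OUTPUT = 32  # bytes that must decode cleanly before a truncated stream is reported


def _validate(kind, off, blob, decomp, error, min_output):
    """Run a decompressor at blob[off:]; return a Hit or None."""
    try:
        out = decomp.decompress(blob[off:])
    except error:
        return None  # header looked plausible but the body does not decode
    if decomp.eof:
        # unused_data is everything after the stream's own end marker, so the
        # exact compressed length falls out of it.
        clen = len(blob) - off - len(decomp.unused_data)
        return Hit(kind, off, clen, len(out), True)
    if len(out) >= min_output:
        return Hit(kind, off, None, len(out), False)  # stream runs off the end
    return None


def find_zlib_streams(blob, min_output=MIN_OUTPUT):
    """RFC 1950 header: CM == 8 (deflate), CINFO <= 7, CMF*256+FLG divisible by 31."""
    hits, off = [], 0
    while off < len(blob) - 1:
        cmf, flg = blob[off], blob[off + 1]
        if (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0:
            hit = _validate("zlib", off, blob, zlib.decompressobj(), zlib.error, min_output)
            if hit:
                hits.append(hit)
                if hit.complete:
                    off += hit.compressed_len  # don't re-scan the stream's interior
                    continue
        off += 1
    return hits


def find_lzma_alone_streams(blob, min_output=MIN_OUTPUT):
    """13-byte .lzma header: props < 225, power-of-two dictionary >= 4 KiB, size or all-0xFF."""
    hits, off = [], 0
    while off < len(blob) - 13:
        props = blob[off]
        dict_size, usize = struct.unpack_from("<IQ", blob, off + 1)
        plausible = (
            props < 9 * 5 * 5                      # (pb * 5 + lp) * 9 + lc
            and dict_size & (dict_size - 1) == 0   # encoders emit 2^n dictionaries
            and 1 << 12 <= dict_size <= 1 << 27
            and (usize == 0xFFFFFFFFFFFFFFFF or usize < 1 << 32)
        )
        if plausible:
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
            hit = _validate("lzma", off, blob, dec, lzma.LZMAError, min_output)
            if hit:
                hits.append(hit)
                if hit.complete:
                    off += hit.compressed_len
                    continue
        off += 1
    return hits


def scan(blob):
    """All confirmed streams, in file order."""
    return sorted(find_zlib_streams(blob) + find_lzma_alone_streams(blob),
                  key=lambda h: h.offset)


# Constructed sample "firmware": padding, a zlib stream, a decoy whose two-byte
# header passes the zlib check but whose body is junk, then an .lzma stream.
PAYLOAD = b"console=ttyS0,115200 root=/dev/mtdblock3 rootfstype=squashfs\n" * 8
ZLIB_BLOB = zlib.compress(PAYLOAD)
LZMA_BLOB = lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE)
DECOY = b"\x78\x9c" + b"\xff" * 14
PAD = b"\x00" * 32
SAMPLE = PAD + ZLIB_BLOB + PAD + DECOY + PAD + LZMA_BLOB + PAD
ZLIB_OFF = len(PAD)
DECOY_OFF = ZLIB_OFF + len(ZLIB_BLOB) + len(PAD)
LZMA_OFF = DECOY_OFF + len(DECOY) + len(PAD)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#08x} {h.kind:4s} complete={h.complete} "
              f"compressed={h.compressed_len} decompressed={h.decompressed_len}")
```

Running it reports the zlib stream at the first padded offset and the .lzma stream after the decoy; the decoy itself never appears, because inflate rejects its first block. That trial-decompression step is the whole trick: a signature alone fires on roughly one random byte pair in five hundred, which is why pure signature scans of large firmware images drown in false positives.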

CompuTrace on non-enterprise devices

Sure, CompuTrace and similar technologies have their place, on some devices owned by some high-security enterprises. I really dislike that OEMs appear to put CompuTrace in ALL (AFAICT) new devices. This is somewhat like how Microsoft has used Secure Boot as an excuse to lock down Windows PCs from loading non-Windows OSes. NIST advice for this doesn’t prevent a local user from selecting the OS they want, however. OEMs should be providing two levels of security: tamper-proof devices, for high-security enterprises, and owner-configurable devices, which let the owner configure the silicon/firmware security/privacy features and install the OS they prefer.

Strange, I thought only companies and governments are allowed to access your device’s CompuTrace phone-home chips and firmware. But it appears that there are multiple companies selling support for this to end-users, see the advertisements here:

https://twitter.com/search?q=computrace&src=typd

Companies: decide carefully if you want to use tracking software on your employees. Or at least do it politely:

OEMs: please make CompuTrace-free model(s) of at least one of your (server, laptop, tablet, and smartphone) product lines. Privacy-minded consumers will probably even pay a premium for it.

By now, I would have presumed some privacy-minded activist group like the FSF would have a campaign against this, perhaps as part of their Free Hardware campaign…

https://twitter.com/delroth_/status/679972181061820416

Lenovo: fix your CompuTrace QA, see above.

Modders: If you have disabled the CompuTrace module in firmware, perhaps using UEFITool or another tool, please write a quick HOWTO for others to benefit from, such as the Lenovo user above. Thanks in advance!


the Open Processor Foundation

“The Open Processor Foundation (OPF) is a nonprofit organization dedicated to provide universal access to create, distribute, and modify microprocessor designs as well as associated software to expedite time to market at far lower costs. It is the intention for this forum to provide a core processor as well as associated logic, compilers, debuggers, and various operating systems. The entire solution will be available license free, and meant to be embedded in your innovative products.”

Open source cross tools × Renesas IP cores


Sad, I hadn’t heard of the Open Processor Foundation (OPF) until I read about it in the links in Joanna’s Stateless Laptop paper the other day… 😦

EFI app port added to U-Boot!

On December 22nd, Alexander Graf of SUSE posted a patch to the U-Boot list, adding EFI payload/application support to U-Boot!


This is my Christmas present for my openSUSE friends :).

U-Boot is a great project for embedded devices. However, convincing everyone involved that only for “a few oddball ARM devices” we need to support different configuration formats from grub2 when all other platforms (PPC, System Z, x86) are standardized on a single format is a nightmare.

So we started to explore alternatives. At first, people tried to get grub2 running using the u-boot api interface. However, FWIW that one doesn’t support relocations, so you need to know where to link grub2 to at compile time. It also seems to be broken more often than not. And on top of it all, it’s a one-off interface, so yet another thing to maintain.

That led to a nifty idea. What if we can just implement the EFI application protocol on top of U-Boot? Then we could compile a single grub2 binary for uEFI based systems and U-Boot based systems and as soon as that one’s loaded, everything looks and feels (almost) the same.

This patch set is the result of pursuing this endeavor.

  – I am successfully able to run grub2 and Linux EFI binaries with this code.
  – When enabled, the resulting U-Boot binary only grows by ~10kb, so it’s very light weight.
  – It works on 32bit ARM and AArch64.
  – All storage devices are directly accessible
  – No runtime services (all calls return unimplemented)
  – No EFI variables

Of course, there are still a few things one could do on top:

  – Implement removable media booting (search for /efi/boot/boota{a64,rm}.efi)
  – Improve disk media detection (don’t scan, use what information we have)
  – Add EFI variable support using NVRAM
  – Add GFX support
  – Make EFI Shell work 😉

But so far, I’m very happy with the state of the patches. They completely eliminate potential arguments against U-Boot internally and give users the chance to run with the same level of comfort on all firmware types.

  disk/part.c: Expose a list of available block drivers
  include/efi_api.h: Add more detailed API definitions
  efi_loader: Add PE image loader
  efi_loader: Add boot time services
  efi_loader: Add console interface
  efi_loader: Add runtime services
  efi_loader: Add disk interfaces
  efi_loader: Add “bootefi” command
  efi_loader: hook up in build environment

More information:
http://lists.denx.de/pipermail/u-boot/2015-December/239054.html

Licensing will be interesting. Tianocore demands BSD, U-Boot prefers GPL.

The first person who gets CHIPSEC to work under this patch, please speak up!
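The first thing an EFI loader like the “efi_loader: Add PE image loader” patch has to do, before any boot service exists, is parse a PE/COFF file and lay its sections out in memory so it can jump to the entry point. Here is an added illustration of that step, my own code and not U-Boot’s: it walks DOS → PE → COFF → optional header, checks the machine and the EFI-application subsystem, and maps the sections. Base relocations (.reloc) are deliberately not applied, so the entry address is only right when the load address equals ImageBase (0 in the sample); the tiny AArch64 image it parses is constructed in the file, not a real grub.efi.

```python
"""Parse and map a PE/COFF image the way an EFI loader must before jumping to
its entry point. Relocations are not applied here (see the lead-in).
The sample image is constructed below; it is not a real grub.efi."""
import struct
from collections import namedtuple

MACHINES = {0x14C: "i386", 0x8664: "x86_64", 0x1C0: "arm", 0xAA64: "aarch64"}
SUBSYSTEM_EFI_APPLICATION = 10
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

Section = namedtuple("Section", "name rva vsize raw_off raw_size")
LoadedImage = namedtuple("LoadedImage", "machine subsystem image_base entry image sections")


def load_pe(data, load_base):
    """Validate the headers and return the mapped image plus the absolute entry point."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    if machine not in MACHINES:
        raise ValueError(f"unsupported machine {machine:#x}")
    opt = pe + 24                                         # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:                           # AArch64, x86_64
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == PE32_MAGIC:                             # 32-bit ARM, i386
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # These fields sit at the same offsets in PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    if subsystem != SUBSYSTEM_EFI_APPLICATION:
        raise ValueError(f"not an EFI application (subsystem {subsystem})")

    sections = []
    for i in range(nsect):
        name, vsize, rva, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), rva, vsize, raw_off, raw_size))

    # Map headers, then each section at its RVA; bytes past the raw data
    # (e.g. .bss) stay zero-filled. Bounds are checked before copying.
    image = bytearray(size_of_image)
    image[:size_of_headers] = data[:size_of_headers]
    for s in sections:
        if s.raw_off + s.raw_size > len(data) or s.rva + s.vsize > size_of_image:
            raise ValueError(f"section {s.name} lies outside the file or image")
        n = min(s.raw_size, s.vsize) if s.vsize else s.raw_size
        image[s.rva:s.rva + n] = data[s.raw_off:s.raw_off + n]
    return LoadedImage(MACHINES[machine], subsystem, image_base,
                       load_base + entry_rva, bytes(image), sections)


STUB = b"\x1f\x20\x03\xd5" * 3 + b"\xc0\x03\x5f\xd6"  # AArch64 nop;nop;nop;ret (constructed)


def build_sample_efi_image(machine=0xAA64, subsystem=SUBSYSTEM_EFI_APPLICATION):
    """Constructed minimal PE32+ EFI application with one .text section holding STUB."""
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x200
    text_raw = STUB.ljust(file_align, b"\0")
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        PE32PLUS_MAGIC, 0, 0, len(text_raw), 0, 0,
        0x1000, 0x1000, 0,                     # entry RVA, BaseOfCode, ImageBase
        sect_align, file_align, 0, 0, 0, 0, 0, 0, 0,
        0x2000, hdr_size, 0,                   # SizeOfImage, SizeOfHeaders, CheckSum
        subsystem, 0, 0, 0, 0, 0, 0, 0)        # subsystem, DllChars, stack/heap, flags, 0 dirs
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0022)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(STUB), 0x1000,
                       len(text_raw), hdr_size, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(hdr_size, b"\0")
    return headers + text_raw


if __name__ == "__main__":
    img = load_pe(build_sample_efi_image(), load_base=0x40000000)
    print(img.machine, "entry", hex(img.entry), [s.name for s in img.sections])
```

The subsystem check matters for a `bootefi`-style command: a PE that is a boot-service or runtime driver (subsystems 11 and 12) expects a different hand-off than an application, and a plain Windows executable should be refused outright rather than jumped into.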

JEFF-Tools

Igor Skochinsky has created JEFF-Tools, tools for working with the JEFF files used by Intel Management Engine (ME) DAL applets. JEFF-Tools currently contains 2 tools:

dump_jeff.py

This script allows you to dump the JEFF files used by Intel ME’s DAL (Dynamic Application Loader). It supports the following input formats:

    raw JEFF file (‘JEFF signature’)
    JEFF packaged as an ME applet with signed manifest header ($MN2 magic) (currently ME 8-9.5 only)
    any binary containing an uncompressed JEFF file inside (e.g. JOM_mod.bin produced by unpacking an ME firmware)

unp_dalp.py

This script unpacks DAL applets from a .dalp file (such files are used by Intel to package several ME applets into one XML).

https://github.com/skochinsky/jeff-tools

See-Also some Intel ME tools and presentations here:

https://github.com/skochinsky/me-tools

https://github.com/skochinsky/papers

Intel 01.org mailing lists

It is sometimes funny to watch a company do open source. Intel’s 01.org, for Open Source projects, has a mailing list server with multiple lists:
https://lists.01.org/

There are lists for LUV and CHIPSEC. These work fine!
https://lists.01.org/mailman/listinfo/chipsec
https://lists.01.org/mailman/listinfo/luv

There is a list for Thunderbolt Software. …but it is a closed list, with no public archives. 😦
https://lists.01.org/mailman/listinfo/thunderbolt-software

The text that says it is a closed list:
“This is a hidden list, which means that the list of members is available only to the list administrator.”

There’s a list for Intel Kernel Guard Technology (KGT). It also is a closed list, with the same text as the Thunderbolt list. BUT, their archives are publicly-available.
https://lists.01.org/mailman/listinfo/intel-kgt
https://lists.01.org/pipermail/intel-kgt/

There’s a list for BIOS Implementation Test Suite (BITS)!
But there are no archives, perhaps a closed list, or just broken archives?
https://lists.01.org/mailman/listinfo/bits

I rather wish Intel used intel.com or 01.com for closed lists, and kept the Open Source-centric 01.org’s lists all public, with working archives. 😦

TPM 2.0 is an ISO standard

https://www.trustedcomputinggroup.org/community/2015/12/tcg_tpm_20_library_specification_now_available_from_iso_and_the_iec
http://www.trustedcomputinggroup.org/resources/tpm_library_specification
http://www.trustedcomputinggroup.org/resources/errata_for_tpm_library_specification_20

The TPM 2.0 Library specification is now an ISO/IEC standard (ISO/IEC 11889:2015).
Hurray, now I get to pay to access them from ISO. 🙂
TCG’s current specs are for members-only, not the public.
I hope TCG keeps the public specs on their site freely-available.

VirtualBox hardened loader

https://twitter.com/hFireF0X/status/679926803364982789
http://www.kernelmode.info/forum/viewtopic.php?f=11&p=27460#p27460
https://github.com/hfiref0x/VBoxHardenedLoader
http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3478

“VirtualBox Hardened VM detection mitigation loader: VBoxAntiVMDetectHardened is a complex of methods implemented to reduce VM detection possibilities of the common malware.”

Interesting, there are UEFI patches for this, as well!

GRUB and TPM

For GRUB 0.x, there is the Trusted GRUB, from TrouSerS and the GRUB Legacy project:

New UEFI-patched GRUB Legacy

http://trousers.sourceforge.net/grub.html

I may have missed it, but I don’t think the recent GRUB Legacy project has Trusted GRUB’s TPM support. I hope they pick it up, it would be nice to have a single GRUB Legacy with the latest UEFI and TPM support. I wonder what other forks of GRUB 0.x are worth watching?

For GRUB2, I missed this activity from Matthew back in September, but it appears that he’s added TPM support to GRUB2:

http://mjg59.dreamwidth.org/37656.html
https://github.com/mjg59/grub

The above blog post mentions Sirrix AG’s TrustedGRUB, that it was based on.

I just noticed that the TrustedGRUB2 project from Sirrix AG has also been recently updated:

https://github.com/Sirrix-AG/TrustedGRUB2
https://github.com/Sirrix-AG/TrustedGRUB2/commits/master

Hmm, there’s some UEFI 2.5-centric checks in the Sirrix tree, too:
https://github.com/Sirrix-AG/TrustedGRUB2/commit/c79c59f1295df8ea660f8a858f9532d76a5f67b7

https://www.gnu.org/software/grub/

So it appears that both Matthew’s GRUB2 and Sirrix’s current TrustedGRUB2 are of interest, and probably others (how many others??). Why doesn’t upstream GRUB2 take all these patches, anyway? Is it an FSF issue with TPM/UEFI-centric code? I wish the UEFI Forum was a bit more proactive with GRUB[2], two of the most influential UEFI ‘pre-OS’ applications in use.


Evil Abigail: Evil Maid for Linux LUKS

Introducing EvilAbigail

Tis the season to be jolly… or so they say; but it is also the season to be wary and vigilant. At GDS we were recently discussing cold boot attacks against full disk encryption on Linux systems – it didn’t take us long to agree it was feasible, but just how hard would it be and how practical is it to execute an attack? After a little searching we didn’t come across any pre-existing tools so there was only one way forward… Evil maid attacks can be used to target any operating system. For this research we focused our attention on Linux with LUKS full disk encryption. […]

https://github.com/GDSSecurity/EvilAbigail

http://blog.gdssecurity.com/labs/2015/12/23/introducing-evilabigail.html
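The two posts above are two halves of the same story: EvilAbigail swaps the unencrypted initrd that sits in front of LUKS, and the TPM-aware GRUBs exist so that exactly that swap shows up in a PCR. Here is an added illustration of the measurement side, my own code rather than anything from TrustedGRUB2, mjg59’s tree or EvilAbigail: each boot component is hashed, the digest is extended into a simulated SHA-256 PCR, an event log records what was measured, and a verifier replays the log. The “boot files” are constructed stand-ins, and the unseal policy is a plain comparison standing in for what a TPM enforces internally.

```python
"""Measured boot as a TPM-aware bootloader does it: hash each component, extend
the digest into a PCR, log the event so a verifier can replay the chain.
Component contents are constructed stand-ins, not real boot files."""
import hashlib
import hmac

ZERO_PCR = bytes(32)  # a SHA-256 PCR bank reads all zeros after reset


def extend(pcr, digest):
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). Order-dependent and one-way."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot_chain(components, pcr=ZERO_PCR):
    """Measure (name, data) pairs in boot order; return the final PCR and the event log."""
    log = []
    for name, data in components:
        digest = hashlib.sha256(data).digest()
        log.append((name, digest))   # what a TCG event log entry carries
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log, pcr=ZERO_PCR):
    """Recompute the PCR from the event log alone, as a remote verifier would."""
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def policy_allows_unseal(sealed_to, current):
    """A secret sealed to a PCR value is released only when the PCR matches exactly."""
    return hmac.compare_digest(sealed_to, current)


def with_component(chain, name, data):
    """Return a copy of the chain with one component's contents replaced."""
    return [(n, data if n == name else d) for n, d in chain]


# Constructed stand-ins for what a measured GRUB would hash before handing off.
BOOT_CHAIN = [
    ("grub core image", b"core.img bytes (constructed)"),
    ("grub.cfg", b"set default=0\nlinux /vmlinuz root=/dev/mapper/root\ninitrd /initrd.img\n"),
    ("vmlinuz", b"kernel image bytes (constructed)"),
    ("initrd.img", b"initramfs bytes (constructed)"),
]

if __name__ == "__main__":
    good_pcr, log = measure_boot_chain(BOOT_CHAIN)
    for name, digest in log:
        print(f"{digest.hex()[:16]}...  {name}")
    print("PCR:", good_pcr.hex())
    evil = with_component(BOOT_CHAIN, "initrd.img",
                          b"initramfs patched to capture the LUKS passphrase (constructed)")
    evil_pcr, _ = measure_boot_chain(evil)
    print("unseal after initrd swap:", policy_allows_unseal(good_pcr, evil_pcr))
```

The point the demo makes is that measurement does not stop the evil maid from booting the modified initrd; it only guarantees that a key sealed to the good PCR value will not be released to it, and that a log claiming otherwise will not replay to the same PCR. Whether that helps depends on the LUKS passphrase (or the key that unwraps it) actually being sealed to those PCRs, which is a policy decision the bootloader patches alone do not make for you.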

New UEFI Stall and Reset System tools

theChiChen has created a new GitHub project with some hello-world-level UEFI applications. Besides a few Hello Worlds, there are Stall and ResetSystem applications (in UEFI, Stall() is a Boot Service and ResetSystem() a Runtime Service). These are built with EDK-II/Tianocore, not the GNU-EFI toolchain.

https://github.com/theChiChen/UEFI_SHELL_Utilities
https://github.com/theChiChen/UEFI_SHELL_Utilities/blob/master/ChiChenPkg/Application/Stall/Stall.c
https://github.com/theChiChen/UEFI_SHELL_Utilities/blob/master/ChiChenPkg/Application/ResetSystem/ResetSystem.c

One of these days, I need to create a list of all these hello-world apps for UEFI and other firmware targets. There used to be only a handful, now there’s a few dozen..

Microsoft getting tough on Superfish OEMs

Since the days of MS-DOS, OEMs have bundled lots of crap along with their Microsoft OS, and users would always blame Microsoft, not the OEM, IHV or ISV, for the resulting user experience. Since NT was created, there have been tests for OEMs/IHVs, initially to get listed on the Hardware Compatibility List, these days to get certifications and more. Now that modern versions of Windows will run OEM-supplied binaries that the firmware exposes through an ACPI table (the Windows Platform Binary Table), a mechanism attackers can misuse if OEMs don’t lock down their systems properly (Lenovo, Dell, etc.), Microsoft is increasing its testing of OEM bloatware.

Microsoft to Remove Superfish-Like Programs Starting in March


https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/

I’ve heard one interesting potential feature of the new Microsoft laptop is that it might be the one Windows box that doesn’t have OEM bloatware on it. Granted, it’ll have other Microsoft bloatware on it…

ITL’s Stateless Laptop proposal

Joanna Rutkowska of Invisible Things Lab (ITL) has proposed the Stateless Laptop, and will be presenting at CCC in a few days (2015/12/27) on the topic.

http://blog.invisiblethings.org/2015/12/23/state_harmful.html
https://events.ccc.de/congress/2015/Fahrplan/events/7352.html

https://github.com/rootkovska/state_harmful/blob/master/state_harmful.md

I can’t begin to create a list of tags this article covers… This article is all about firmware security (and hardware security) for x86 systems, a MUST READ!!

Purism must consider this a holiday gift from ITL: the spec for their next Librem box. Looking forward to this box, built with fully Open Source Hardware designs/parts, hopefully from multiple OEMs next year! 🙂

Bunnie on Gongkai and elsewhere

Bunnie has a new blog post on IP and open source culture gap between some cultures:

About a year and a half ago, I wrote about a $12 “Gongkai” cell phone (pictured above) that I stumbled across in the markets of Shenzhen, China. My most striking impression was that Chinese entrepreneurs had relatively unfettered access to cutting-edge technology, enabling start-ups to innovate while bootstrapping. Meanwhile, Western entrepreneurs often find themselves trapped in a spiderweb of IP frameworks, spending more money on lawyers than on tooling. Further investigation taught me that the Chinese have a parallel system of traditions and ethics around sharing IP, which led me to coin the term “gongkai”. This is deliberately not the Chinese word for “Open Source”, because that word (kaiyuan) refers to openness in a Western-style IP framework, which this is not. Gongkai is more a reference to the fact that copyrighted documents, sometimes labeled “confidential” and “proprietary”, are made known to the public and shared overtly, but not necessarily according to the letter of the law. However, this copying isn’t a one-way flow of value, as it would be in the case of copied movies or music. Rather, these documents are the knowledge base needed to build a phone using the copyright owner’s chips, and as such, this sharing of documents helps to promote the sales of their chips. There is ultimately, if you will, a quid-pro-quo between the copyright holders and the copiers. This fuzzy, gray relationship between companies and entrepreneurs is just one manifestation of a much broader cultural gap between the East and the West. […]

Full article:

http://www.bunniestudios.com/blog/?p=4297

Bunnie has also had a brief media presence, on radio and video:

http://www.npr.org/sections/money/2015/11/27/457404184/episode-666-the-hoverboard-life