Now you should have a nice working cable.
Today we are going to get the message.
Dumping the flash
We can look into the chip memory using avrdude terminal mode:
$ sudo avrdude -c usbasp -p attiny2313 -t
avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: AVR device initialized and ready to accept instructions
Reading | ################################################## | 100% 0.01s
avrdude: Device signature = 0x1e910a
avrdude> dump flash 0 512
>>> dump flash 0 512
0000 12 c0 22 c0 21 c0 20 c0 1f c0 1e c0 1d c0 1c c0 |..".!. .........|
0010 1b c0 1a c0 19 c0 18 c0 17 c0 16 c0 15 c0 14 c0 |................|
0020 13 c0 12 c0 11 c0 11 24 1f be cf ed cd bf 10 e0 |.......$........|
0030 a0 e6 b0 e0 e8 e4 f1 e0 02 c0 05 90 0d 92 ac 38 |............ ..8|
0040 b1 07 d9 f7 3c d0 7e c0 db cf 18 ba 12 ba 98 b3 |....<.~.........|
0050 3a e2 38 27 43 2f 50 e0 30 fd 02 c0 80 e0 01 c0 |:.8'C/P.0.......|
0060 82 e0 89 2b 88 bb 28 b3 ca 01 96 95 87 95 81 70 |...+..(........p|
0070 82 2b 88 bb 92 b3 42 fd 02 c0 80 e0 01 c0 80 e4 |.+....B.........|
0080 89 2b 82 bb 92 b3 43 fd 02 c0 80 e0 01 c0 80 e2 |.+....C.........|
0090 89 2b 82 bb 82 b3 30 71 38 2b 32 bb 92 b3 45 fd |.+....0q8+2...E.|
00a0 02 c0 80 e0 01 c0 88 e0 89 2b 82 bb 92 b3 46 fd |.........+....F.|
00b0 02 c0 80 e0 01 c0 84 e0 89 2b 82 bb 08 95 cf 92 |.........+......|
00c0 df 92 ef 92 ff 92 1f 93 df 93 cf 93 cd b7 de b7 |................|
00d0 ab 97 0f b6 f8 94 de bf 0f be cd bf de 01 11 96 |................|
00e0 e0 e6 f0 e0 84 e1 01 90 0d 92 81 50 e1 f7 9b 81 |........ ..P....|
00f0 de 01 55 96 e4 e7 f0 e0 87 e1 01 90 0d 92 81 50 |..U......... ..P|
0100 e1 f7 8f ef 81 bb 87 bb 98 bb 90 e0 75 e1 c7 2e |............u...|
0110 d1 2c cc 0e dd 1e 68 ec e6 2e f1 2c 0a c0 95 df |.,....h...., ...|
0120 80 e9 91 e0 f7 01 31 97 f1 f7 01 97 d9 f7 91 2f |......1......../|
0130 9f 5f f6 01 e9 0f f1 1d 80 81 19 2f 90 e0 88 23 |._........./...#|
0140 c1 f3 ed cf f8 94 ff cf 4e 6f 74 68 69 6e 67 20 |........Nothing |
0150 74 68 65 72 65 20 4e 30 30 62 21 00 62 4f 46 46 |there N00b!.bOFF|
0160 45 0a 7d 45 58 46 4e 0a 4c 45 58 0a 64 6e 62 18 |E }EXFN LEX dnb.|
0170 61 1b 1b 00 ff ff ff ff ff ff ff ff ff ff ff ff |a...............|
0180 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
0190 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
01a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
01b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
01c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
01d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
01e0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
01f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
avrdude>
Apart from the taunt, we don't see any clear-text string that looks like the message we are after. Maybe it is obfuscated.
We are going to dump it to a file for backup purposes:
$ sudo avrdude -c usbasp -p attiny2313 -n -U flash:r:dump.hex:i -v
avrdude: Version 5.10, compiled on Jun 29 2010 at 21:09:48
Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
Copyright (c) 2007-2009 Joerg Wunsch
System wide configuration file is "/etc/avrdude.conf"
User configuration file is "/home/m_101/.avrduderc"
User configuration file does not exist or is not a regular file, skipping
Using Port : /dev/parport0
Using Programmer : usbasp
AVR Part : ATtiny2313
Chip Erase delay : 9000 us
PAGEL : PD4
BS2 : PD6
RESET disposition : possible i/o
RETRY pulse : SCK
serial program mode : yes
parallel program mode : yes
Timeout : 200
StabDelay : 100
CmdexeDelay : 25
SyncLoops : 32
ByteDelay : 0
PollIndex : 3
PollValue : 0x53
Memory Detail :

                         Block Poll               Page                       Polled
  Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
  ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
  eeprom        65     6     4    0 no        128    4      0  4000  4500 0xff 0xff
  flash         65     6    32    0 yes      2048   32     64  4500  4500 0xff 0xff
  signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00
  lock           0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  lfuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  hfuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  efuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  calibration    0     0     0    0 no          2    0      0     0     0 0x00 0x00
Programmer Type : usbasp
Description : USBasp, http://www.fischl.de/usbasp/
avrdude: auto set sck period (because given equals null)
avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: AVR device initialized and ready to accept instructions
Reading | ################################################## | 100% 0.01s
avrdude: Device signature = 0x1e910a
avrdude: safemode: lfuse reads as 64
avrdude: safemode: hfuse reads as DF
avrdude: safemode: efuse reads as FF
avrdude: reading flash memory:
Reading | ################################################## | 100% 1.10s
avrdude: writing output file "dump.hex"
avrdude: safemode: lfuse reads as 64
avrdude: safemode: hfuse reads as DF
avrdude: safemode: efuse reads as FF
avrdude: safemode: Fuses OK
avrdude done.  Thank you.

Now we have dumped the flash.
Getting the message
In the previous dumped firmware we could see the following strings:
- "Nothing there N00b!"
- "bOFFE }EXFN LEX dnb\x18a\x1b\x1b"
I wrote a quick hack to check whether any "usual" obfuscation scheme such as Caesar or XOR had been used:
// @author : m_101
// @license : beerware
// @year : 2011
// @program : "Bruteforce" caesar and XOR
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define BUFSIZE 1024

// caesar: plain byte shift by key (the alphabet wrap-around is disabled below)
char *caesar (char *str, const int len, const unsigned int key) {
    int idxStr, rkey, c;
    char *cryptext;

    // allocate cryptext (+1 so the result is NUL-terminated for printf)
    cryptext = calloc(len + 1, sizeof(*cryptext));
    if (!cryptext)
        return NULL;

    rkey = key % 26;    // only meaningful for the disabled wrap-around
    (void)rkey;
    for (idxStr = 0; idxStr < len; idxStr++) {
        /*
        if (!isalpha(str[idxStr])) {
            free(cryptext);
            return NULL;
        }
        //*/
        c = toupper(str[idxStr]) + key;
        /*
        if (c > 'Z')
            c -= 26;
        else if (c < 'A')
            c += 26;
        //*/
        cryptext[idxStr] = c;
    }

    return cryptext;
}

// try every shift 1..255 and print the result
void bf_caesar (char *str, const int len) {
    int key;
    char *cryptext;
    char filename[BUFSIZE];
    FILE *fp = NULL;

    if (!str || !len) {
        printf("Bad string\n");
        return;
    }
    if ((int) strlen(str) != len) {
        printf("Bad length\n");
        return;
    }

    for (key = 1; key <= 255; key++) {
        cryptext = caesar(str, len, key);
        if (cryptext) {
            // generate filename
            snprintf(filename, BUFSIZE, "%s-%02d", "caesar", key);
            // write to file
            /*
            fp = fopen(filename, "w");
            if (fp) {
                fwrite(cryptext, sizeof(*cryptext), len, fp);
                fclose(fp);
            }
            //*/
            // print to console
            printf("%02d : %s\n\n", key, cryptext);
            free(cryptext);
        }
    }
    (void)fp;
}

// try every single-byte XOR key 1..255 and print the result
void bf_xor (char *str, const int len) {
    int key;
    int c;
    int idxStr;
    char filename[BUFSIZE];
    FILE *fp = NULL;

    if (!str || !len) {
        printf("Bad string\n");
        return;
    }
    if ((int) strlen(str) != len) {
        printf("Bad length\n");
        return;
    }

    for (key = 1; key <= 255; key++) {
        printf("%02d : ", key);
        // generate filename
        snprintf(filename, BUFSIZE, "%s-%02d", "xor", key);
        // fp = fopen(filename, "w");
        for (idxStr = 0; idxStr < len; idxStr++) {
            c = str[idxStr] ^ key;
            putchar(c);
            // write to file
            /*
            if (fp)
                fwrite(&c, sizeof(*str), 1, fp);
            //*/
        }
        putchar('\n');
        if (fp)
            fclose(fp);
    }
}

int main (int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s str\n", argv[0]);
        return 1;
    }

    printf("Bruteforce Caesar:\n");
    bf_caesar(argv[1], strlen(argv[1]));

    printf("\nBruteforce XOR:\n");
    bf_xor(argv[1], strlen(argv[1]));

    return 0;
}

As you can see, for Caesar I did not bother to do the usual rotating scheme but a stupid and simple shift.
I managed to get 2 messages:
- Hello\nWorld\nFor\nNDH
- hELLO*wORLD*FOR*ndh
Done.
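Rather than reading through all 255 printouts by eye, the search can rank the candidates itself. This is an added example, not the post's code: it takes the obfuscated blob's bytes from the dump above, tries every single-byte XOR key and scores each result on how English-like it is; the scoring weights and the function names (xor_decode, text_score, best_xor_key) are my own.

```c
/* Added example, not code from the post: brute-force the single-byte XOR on the
 * second string from the dump, but rank the 255 candidates by how much they look
 * like English text instead of reading 255 printouts by eye. BLOB is copied from
 * bytes 0x015c..0x0172 of the flash dump above (NUL terminator dropped); the
 * scoring weights and the function names are my own. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

static const uint8_t BLOB[] = {        /* "bOFFE\n}EXFN\nLEX\ndnb\x18a\x1b\x1b" */
    0x62,0x4f,0x46,0x46,0x45,0x0a,0x7d,0x45,0x58,0x46,0x4e,0x0a,
    0x4c,0x45,0x58,0x0a,0x64,0x6e,0x62,0x18,0x61,0x1b,0x1b };
#define BLOB_LEN (sizeof BLOB)

/* XOR every byte with key into out; out must hold n + 1 bytes (NUL is added). */
void xor_decode(const uint8_t *in, size_t n, uint8_t key, char *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in[i] ^ key);
    out[n] = '\0';
}

/* Crude English score: spaces and the most frequent letters count 3, other
 * letters and digits 1, other printable bytes 0, non-printable bytes -10. */
int text_score(const char *s, size_t n) {
    int score = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == ' ' || (isalpha(c) && strchr("etaoinshrdlu", tolower(c)))) score += 3;
        else if (isalnum(c)) score += 1;
        else if (!isprint(c)) score -= 10;
    }
    return score;
}

/* Try keys 1..255 and return the best-scoring one (n must be < 256). */
int best_xor_key(const uint8_t *in, size_t n, int *best_score) {
    char buf[256];
    int best_key = 0, best = -1000000;
    for (int key = 1; key <= 255; key++) {
        xor_decode(in, n, (uint8_t)key, buf);
        int s = text_score(buf, n);
        if (s > best) { best = s; best_key = key; }
    }
    if (best_score) *best_score = best;
    return best_key;
}
```

Key 42 (0x2a) is the only key that turns the three 0x0a bytes into spaces, which is what separates it from the handful of other keys whose output is entirely printable; it also decodes the trailing \x18a\x1b\x1b bytes that the listed message stops before.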
There was another way to get the message: using a video camera to capture the LED sequence and then decoding it by hand or with image processing techniques.
I did not want to do that, so I did not do it... have fun, courageous ones ;).
You could also use IDA Pro (or any compatible disassembler) to reverse the ASM code from the dumped firmware. I did not want to spend too much time on it so I skipped it. If you want to do it, here is the documentation: AVR 8-bit Instruction Set
Next I will show you an example of programming the chip.
Cheers,
m_101
Resources:
- [NDH2K11] Badges hackable!
- NDH2K11's Badge: Spec. & hackz
- NDH2K11's Badge: PROGRAMMATIONNNNNN!!!!
- Manual of avrdude
- AVR 8-bit Instruction Set