Wednesday, July 6, 2011

[EN] NDH 2011 badge hacking part 2 : What is the message?

Hello!

Now you should have a nice working cable.
Today we are going to get the message.

Dumping the flash

We can look into the chip memory using avrdude terminal mode:
$ sudo avrdude -c usbasp -p attiny2313 -t

avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e910a
avrdude> dump flash 0 512
>>> dump flash 0 512 
0000  12 c0 22 c0 21 c0 20 c0  1f c0 1e c0 1d c0 1c c0  |..".!. .........|
0010  1b c0 1a c0 19 c0 18 c0  17 c0 16 c0 15 c0 14 c0  |................|
0020  13 c0 12 c0 11 c0 11 24  1f be cf ed cd bf 10 e0  |.......$........|
0030  a0 e6 b0 e0 e8 e4 f1 e0  02 c0 05 90 0d 92 ac 38  |............ ..8|
0040  b1 07 d9 f7 3c d0 7e c0  db cf 18 ba 12 ba 98 b3  |....<.~.........|
0050  3a e2 38 27 43 2f 50 e0  30 fd 02 c0 80 e0 01 c0  |:.8'C/P.0.......|
0060  82 e0 89 2b 88 bb 28 b3  ca 01 96 95 87 95 81 70  |...+..(........p|
0070  82 2b 88 bb 92 b3 42 fd  02 c0 80 e0 01 c0 80 e4  |.+....B.........|
0080  89 2b 82 bb 92 b3 43 fd  02 c0 80 e0 01 c0 80 e2  |.+....C.........|
0090  89 2b 82 bb 82 b3 30 71  38 2b 32 bb 92 b3 45 fd  |.+....0q8+2...E.|
00a0  02 c0 80 e0 01 c0 88 e0  89 2b 82 bb 92 b3 46 fd  |.........+....F.|
00b0  02 c0 80 e0 01 c0 84 e0  89 2b 82 bb 08 95 cf 92  |.........+......|
00c0  df 92 ef 92 ff 92 1f 93  df 93 cf 93 cd b7 de b7  |................|
00d0  ab 97 0f b6 f8 94 de bf  0f be cd bf de 01 11 96  |................|
00e0  e0 e6 f0 e0 84 e1 01 90  0d 92 81 50 e1 f7 9b 81  |........ ..P....|
00f0  de 01 55 96 e4 e7 f0 e0  87 e1 01 90 0d 92 81 50  |..U......... ..P|
0100  e1 f7 8f ef 81 bb 87 bb  98 bb 90 e0 75 e1 c7 2e  |............u...|
0110  d1 2c cc 0e dd 1e 68 ec  e6 2e f1 2c 0a c0 95 df  |.,....h...., ...|
0120  80 e9 91 e0 f7 01 31 97  f1 f7 01 97 d9 f7 91 2f  |......1......../|
0130  9f 5f f6 01 e9 0f f1 1d  80 81 19 2f 90 e0 88 23  |._........./...#|
0140  c1 f3 ed cf f8 94 ff cf  4e 6f 74 68 69 6e 67 20  |........Nothing |
0150  74 68 65 72 65 20 4e 30  30 62 21 00 62 4f 46 46  |there N00b!.bOFF|
0160  45 0a 7d 45 58 46 4e 0a  4c 45 58 0a 64 6e 62 18  |E }EXFN LEX dnb.|
0170  61 1b 1b 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |a...............|
0180  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0190  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01b0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01c0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01d0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01e0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01f0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|

avrdude>

The only clear-text string is "Nothing there N00b!", which is obviously a decoy. The bytes right after it (0x15c-0x172) look like text but do not read as anything, so the real message is probably obfuscated.

Let's dump the whole flash to a file, both as a backup and so we can work on it offline:

$ sudo avrdude -c usbasp -p attiny2313 -n -U flash:r:dump.hex:i -v

avrdude: Version 5.10, compiled on Jun 29 2010 at 21:09:48
         Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
         Copyright (c) 2007-2009 Joerg Wunsch

         System wide configuration file is "/etc/avrdude.conf"
         User configuration file is "/home/m_101/.avrduderc"
         User configuration file does not exist or is not a regular file, skipping

         Using Port                    : /dev/parport0
         Using Programmer              : usbasp
         AVR Part                      : ATtiny2313
         Chip Erase delay              : 9000 us
         PAGEL                         : PD4
         BS2                           : PD6
         RESET disposition             : possible i/o
         RETRY pulse                   : SCK
         serial program mode           : yes
         parallel program mode         : yes
         Timeout                       : 200
         StabDelay                     : 100
         CmdexeDelay                   : 25
         SyncLoops                     : 32
         ByteDelay                     : 0
         PollIndex                     : 3
         PollValue                     : 0x53
         Memory Detail                 :

                                  Block Poll               Page                       Polled
           Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
           ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
           eeprom        65     6     4    0 no        128    4      0  4000  4500 0xff 0xff
           flash         65     6    32    0 yes      2048   32     64  4500  4500 0xff 0xff
           signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00
           lock           0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
           lfuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
           hfuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
           efuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
           calibration    0     0     0    0 no          2    0      0     0     0 0x00 0x00

         Programmer Type : usbasp
         Description     : USBasp, http://www.fischl.de/usbasp/

avrdude: auto set sck period (because given equals null)
avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e910a
avrdude: safemode: lfuse reads as 64
avrdude: safemode: hfuse reads as DF
avrdude: safemode: efuse reads as FF
avrdude: reading flash memory:

Reading | ################################################## | 100% 1.10s



avrdude: writing output file "dump.hex"

avrdude: safemode: lfuse reads as 64
avrdude: safemode: hfuse reads as DF
avrdude: safemode: efuse reads as FF
avrdude: safemode: Fuses OK

avrdude done.  Thank you.

The flash is now in dump.hex, in Intel HEX format because of the :i suffix in -U flash:r:dump.hex:i. The -n flag tells avrdude not to write anything to the device, which is the safe way to run it while poking around. Note that this read-out only works because the badge ships with its lock bits unprogrammed; a locked part would not give back its real flash contents over ISP.

Getting the message

In the dump above we can see the following strings:
- "Nothing there N00b!" at 0x148
- "bOFFE\n}EXFN\nLEX\ndnb\x18a\x1b\x1b" at 0x15c (the blanks in avrdude's ASCII column are 0x0a bytes and the 0x18 / 0x1b bytes show up as dots, so read the hex columns, not the ASCII one)
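Rather than reading the strings off the terminal dump by eye, it is worth pulling them out of dump.hex programmatically. The following C program is an added example (my code, not m_101's): it parses the Intel HEX that avrdude writes, verifies every record's checksum, rebuilds the 2 KiB flash image and runs a strings(1)-style scan that also reports the offset of each hit. SAMPLE_IHEX is constructed here from the four dump rows 0x0140-0x017f shown above; feed ihex_load() the contents of the real dump.hex to scan the whole part. The function names and the minimum run length of 4 are my choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FLASH_SIZE 2048   /* ATtiny2313 flash, as in the avrdude memory table */

/* Constructed sample: dump rows 0x0140..0x017f re-encoded as Intel HEX data
 * records (type 00) plus the EOF record (type 01). dump.hex has the same shape. */
static const char SAMPLE_IHEX[] =
    ":10014000C1F3EDCFF894FFCF4E6F7468696E6720EE\n"
    ":100150007468657265204E3030622100624F4646F9\n"
    ":10016000450A7D4558464E0A4C45580A646E621849\n"
    ":10017000611B1B00FFFFFFFFFFFFFFFFFFFFFFFFF4\n"
    ":00000001FF\n";

static int hexbyte(const char *p)   /* two hex digits -> 0..255, else -1 */
{
    if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) return -1;
    char buf[3] = { p[0], p[1], '\0' };
    return (int)strtol(buf, NULL, 16);
}

/* Parse Intel HEX text into img (pre-filled with 0xFF like erased flash).
 * Returns the number of data bytes placed, or -1 on a malformed record or a
 * checksum mismatch, which is how a bad cable or a flaky programmer shows up. */
int ihex_load(const char *text, uint8_t *img, size_t img_len)
{
    int loaded = 0;
    memset(img, 0xff, img_len);
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        if (n && line[n - 1] == '\r') n--;                        /* tolerate CRLF */
        if (n < 11 || line[0] != ':') return -1;

        int len = hexbyte(line + 1), ahi = hexbyte(line + 3);
        int alo = hexbyte(line + 5), type = hexbyte(line + 7);
        if (len < 0 || ahi < 0 || alo < 0 || type < 0) return -1;
        if (n != (size_t)(11 + 2 * len)) return -1;

        unsigned sum = len + ahi + alo + type, addr = (ahi << 8) | alo;
        for (int i = 0; i < len; i++) {
            int b = hexbyte(line + 9 + 2 * i);
            if (b < 0) return -1;
            sum += b;
            if (type == 0 && addr + i >= img_len) return -1;      /* past end of flash */
            if (type == 0) img[addr + i] = (uint8_t)b;
        }
        int cks = hexbyte(line + 9 + 2 * len);
        if (cks < 0 || ((sum + cks) & 0xff) != 0) return -1;      /* two's-complement check */
        if (type == 1) return loaded;                             /* EOF record */
        if (type == 0) loaded += len;   /* extended-address records (02/04) never occur on a 2 KiB part */
        line = nl ? nl + 1 : line + strlen(line);
    }
    return loaded;
}

typedef struct { size_t off; char text[64]; } found_str;   /* offset + NUL-terminated run */

static int textbyte(uint8_t c)   /* what avrdude's ASCII column shows as a char or a blank */
{
    return (c >= 0x20 && c <= 0x7e) || c == '\n' || c == '\r' || c == '\t';
}

/* strings(1)-style scan: every run of >= minlen text bytes, with its offset.
 * Returns the number of runs stored (capped at maxout). */
size_t find_strings(const uint8_t *img, size_t len, size_t minlen, found_str *out, size_t maxout)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && textbyte(img[i])) continue;               /* still inside a run */
        size_t runlen = i - start, copy = runlen < 63 ? runlen : 63;
        if (runlen >= minlen && count < maxout) {
            out[count].off = start;
            memcpy(out[count].text, img + start, copy);
            out[count].text[copy] = '\0';
            count++;
        }
        start = i + 1;
    }
    return count;
}

/* The whole pipeline on the sample, in statics so main() and tests share it. */
static uint8_t g_img[FLASH_SIZE];
static found_str g_hits[16];
static size_t g_nhits;
int demo_load(void) { return ihex_load(SAMPLE_IHEX, g_img, sizeof g_img); }
size_t demo_scan(void) { return g_nhits = find_strings(g_img, sizeof g_img, 4, g_hits, 16); }
const found_str *demo_hit(size_t i) { return i < g_nhits ? &g_hits[i] : NULL; }
int demo_byte(size_t off) { return off < sizeof g_img ? g_img[off] : -1; }

int main(void)
{
    if (demo_load() < 0) { fprintf(stderr, "bad Intel HEX\n"); return 1; }
    for (size_t i = 0, k = demo_scan(); i < k; i++) {
        printf("0x%04zx: ", g_hits[i].off);
        for (const char *p = g_hits[i].text; *p; p++)
            putchar((*p >= 0x20 && *p <= 0x7e) ? *p : '.');      /* mask control bytes */
        putchar('\n');
    }
    return 0;
}
```

On the sample it reports exactly the two strings listed above, the second one with its embedded 0x0a bytes intact; the 0x18 and 0x1b bytes that follow it are left out because they are not printable, which is the reminder that the hex columns, not the ASCII column, are what should go into any brute-forcer. A corrupted record (wrong checksum, odd length, missing ':') makes ihex_load() return -1 instead of silently producing a plausible-looking image.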

I wrote a quick hack to check whether a "usual" obfuscation scheme such as Caesar or XOR had been used:
// @author  : m_101
// @license : beerware
// @year    : 2011
// @program : "Bruteforce" caesar and XOR
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

// caesar: not a real rotation, just an 8-bit shift of each (upper-cased) byte
char *caesar (const char *str, const int len, const unsigned int key) {
    int idxStr, c;
    char *cryptext;

    // allocate cryptext (+1 so the result is NUL terminated for printf("%s"))
    cryptext = calloc(len + 1, sizeof(*cryptext));
    if (!cryptext)
        return NULL;

    for (idxStr = 0; idxStr < len; idxStr++) {
        c = toupper((unsigned char) str[idxStr]) + key;
        cryptext[idxStr] = (char) (c & 0xff);   // plain shift, no wrap-around into A-Z
    }

    return cryptext;
}

void bf_caesar (const char *str, const int len) {
    int key;
    char *cryptext;

    if (!str || !len) {
        printf("Bad string\n");
        return;
    }

    // every shift that makes sense for a byte
    for (key = 1; key <= 255; key++) {
        cryptext = caesar(str, len, key);
        if (cryptext) {
            printf("%02d : %s\n\n", key, cryptext);
            free(cryptext);
        }
    }
}

void bf_xor (const char *str, const int len) {
    int key;
    int idxStr;

    if (!str || !len) {
        printf("Bad string\n");
        return;
    }

    // single-byte XOR with every key; bytes are printed raw, control bytes included
    for (key = 1; key <= 255; key++) {
        printf("%02d : ", key);
        for (idxStr = 0; idxStr < len; idxStr++)
            putchar(((unsigned char) str[idxStr]) ^ key);
        putchar('\n');
    }
}

int main (int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s str\n", argv[0]);
        return 1;
    }

    printf("Bruteforce Caesar:\n");
    bf_caesar(argv[1], strlen(argv[1]));

    printf("\nBruteforce XOR:\n");
    bf_xor(argv[1], strlen(argv[1]));

    return 0;
}

As you can see, for Caesar I did not bother with the usual wrap-around (rotation); it is a plain byte shift. One practical detail: the second string contains the control bytes 0x18 and 0x1b, which you cannot type as-is. With bash you can pass them through ANSI-C quoting, e.g. ./bf $'bOFFE\n}EXFN\nLEX\ndnb\x18a\x1b\x1b'; otherwise the tool only ever sees the part of the string that avrdude's ASCII column displayed.

I got two readable candidates, both from the XOR pass (the string was typed with spaces where the ASCII column showed blanks, which XOR 42 turns into newlines):
key 42 (0x2a): Hello\nWorld\nfor\nNDH
key 10 (0x0a): hELLO*wORLD*FOR*ndh
Key 10 is just key 42 with the ASCII case bit (0x20) flipped, hence the same words in inverted case; 42 is the real key. Applied to the bytes actually stored in flash (0x0a, not spaces, between the words, plus the four trailing bytes 0x18 0x61 0x1b 0x1b that the ASCII column hid), XOR 0x2a gives the complete message: Hello World for NDH2K11.
Done.
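m_101's hack takes the string from the command line, so it only sees the bytes avrdude's ASCII column showed, and it leaves the human to read 510 candidates. The version below is an added example (my code, not from the original post or the badge firmware): it works on the raw bytes copied from the dump, tries every key for both schemes (XOR and the plain byte shift), and ranks the candidates with a simple printability score so the answer falls out without eyeballing. BLOB is the 23 bytes at 0x15c-0x172 from the dump above; the scoring weights, score_text() and crack() are my choices.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <limits.h>

/* Constructed input: the 23 bytes at flash offsets 0x15c..0x172 in the dump above,
 * copied from the hex columns (the ASCII column hides 0x0a, 0x18 and 0x1b). */
static const uint8_t BLOB[] = {
    0x62, 0x4f, 0x46, 0x46, 0x45, 0x0a, 0x7d, 0x45, 0x58, 0x46, 0x4e, 0x0a,
    0x4c, 0x45, 0x58, 0x0a, 0x64, 0x6e, 0x62, 0x18, 0x61, 0x1b, 0x1b
};

enum { MODE_XOR = 0, MODE_ADD = 1 };   /* the two candidate schemes from the post */

typedef struct {
    int mode, key, score;
    char text[64];
} guess_t;

/* Crude "does this look like an English message" score: letters and spaces are
 * good, digits are fine, other printable ASCII is neutral, control or non-ASCII
 * bytes are heavily penalised. Good enough to rank 512 candidates. */
int score_text(const uint8_t *buf, size_t n)
{
    int score = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = buf[i];
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || c == ' ')
            score += 2;
        else if (c >= '0' && c <= '9')
            score += 1;
        else if (c < 0x20 || c > 0x7e)
            score -= 10;
    }
    return score;
}

static uint8_t undo(int mode, int key, uint8_t c)
{
    return mode == MODE_XOR ? (uint8_t)(c ^ key) : (uint8_t)(c + key);
}

/* Try all 256 keys for XOR and for the byte shift (adding every key also covers
 * every subtraction mod 256); keep the best-scoring candidate. Ties keep the
 * earlier one (XOR first, then the smaller key). */
guess_t crack(const uint8_t *blob, size_t n)
{
    guess_t best = { .mode = MODE_XOR, .key = 0, .score = INT_MIN, .text = "" };
    uint8_t tmp[sizeof best.text];

    if (n >= sizeof tmp) n = sizeof tmp - 1;
    for (int mode = MODE_XOR; mode <= MODE_ADD; mode++) {
        for (int key = 0; key < 256; key++) {
            for (size_t i = 0; i < n; i++) tmp[i] = undo(mode, key, blob[i]);
            int s = score_text(tmp, n);
            if (s > best.score) {
                best.mode = mode; best.key = key; best.score = s;
                memcpy(best.text, tmp, n);
                best.text[n] = '\0';
            }
        }
    }
    return best;
}

int main(void)
{
    guess_t g = crack(BLOB, sizeof BLOB);
    printf("best: %s key 0x%02x (score %d): %s\n",
           g.mode == MODE_XOR ? "xor" : "add", g.key, g.score, g.text);
    return 0;
}
```

Run as-is it reports XOR key 0x2a (42) and the text "Hello World for NDH2K11": the 0x0a bytes are the spaces and the four trailing bytes the ASCII column hid are the "2K11". The shift mode can never win on this input: any shift that keeps the 0x0a bytes printable (0x16 or more) pushes 0x7d ('}') past 0x7e, so every shifted candidate carries at least one penalty.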

Another way to get the message would be to film the LED sequence with a video camera and decode it by hand or with image processing techniques.
I did not want to do that, so I did not do it ... have fun, courageous ones ;).

You could also load the dumped firmware into IDA Pro (or any disassembler with an AVR module) and reverse the code. A hint if you do: the first 19 words of the dump (0x0000-0x0025) are all rjmp instructions (0xC0xx), i.e. the interrupt vector table, and the reset vector lands at 0x0026 on the standard avr-gcc start-up (clr r1, out SREG,r1, ldi r28,0xDF, out SPL,r28), whose .data copy loop right after it moves the 44 bytes at 0x0148-0x0173 (both strings) into SRAM, which confirms those are the bytes the program works on. I did not want to spend too much time on it, so I skipped it. If you want to do it, here is the documentation: AVR 8-bit Instruction Set

Next I will show you an example of programming the chip.

Cheers,

m_101

Resources:
- [NDH2K11] Badges hackable!
- NDH2K11's Badge: Spec. & hackz
- NDH2K11's Badge: PROGRAMMATIONNNNNN!!!!
- Manual of avrdude
- AVR 8-bit Instruction Set
