Hacker Info Net: Introduction to Hardware Security (Part 2)

Author: ch123456

The next board we'll dump is a Belkin N300 router. Belkin is currently one of the most popular consumer router brands, which means that, unlike the CTF badge earlier, this target is a far more realistic scenario: a vulnerability found in this device could affect homes around the world.

The first step is, once again, to locate the flash chip. This time it is an MX25L1606E (Figure 11); its parameters can be found in the datasheet.

  

Figure 11 MX25L1606E chip

We'll use the Attify Badge (Figure 12) to dump the firmware this time, because the Bus Pirate has "gone on strike".


  

Figure 12 Attify Badge

The pinout is as follows:

  

Figure 13 MX25L1606E pinout diagram

MX25L1606E pin    Attify Badge pin
--------------    ----------------
CS                CS
SO                MISO
GND               GND
VCC               3.3V
SCLK              SCK
SI                MOSI

SO is the chip's serial output and goes to the programmer's input (MISO); SI is the chip's serial input and goes to MOSI. Crossing or doubling up these two lines is the most common wiring mistake, and it produces a read that fails or returns junk. The chip's two remaining pins, WP# and HOLD#, are active-low; if the chip identifies but reads fail, tie them to 3.3V as well.

Once wired up, it should look like this:

  

Figure 14 MX25L1606E (connected to the Attify Badge)

Because there is a metal shield around the flash chip, there is little room on this board for a SOIC clip, so this time we used alligator clips (test hooks) on the individual pins instead.

Now that the preparation is done, we can proceed to dump the firmware. This time, however, we'll use the flashrom utility instead of avrdude, because we are dealing with an SPI flash chip rather than an Atmel microcontroller.

First, check whether flashrom can talk to the chip at all: "flashrom -p ft2232_spi:type=232H".

This command tries to identify the chip automatically. If you are using a Bus Pirate, replace the argument to -p accordingly: "flashrom -p buspirate_spi:dev=/dev/ttyUSB0".

Here /dev/ttyUSB0 is the serial port the Bus Pirate shows up on; adjust it as needed (on Linux you will typically need root, or a udev rule, to open the USB device). Running the command returned the following:

flashrom v0.9.9-r1954 on Linux 4.15.0-88-generic (x86_64)
flashrom is free software, get the source code at
Calibrating delay loop... delay loop is unreliable, trying to continue OK.
Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) on ft2232_spi.

If chip identification fails, don't panic: use "flashrom -L" to find your chip in the supported-chip list by hand, then name it explicitly and see whether the chip can still be read: "flashrom -p ft2232_spi:type=232H -c MX25L1605A/MX25L1606E/MX25L1608E -r dump.bin".

Here -p selects the ft2232 programmer (substitute the Bus Pirate -p argument above if that is what you are using), -c names the flash chip we are dumping (the MX25L1606E in this case), and -r dump.bin tells flashrom to read the contents into the file dump.bin. If all goes well we get a valid firmware image; if not, flashrom reports an error or produces a file full of null bytes. Because a marginal clip contact can also corrupt a read silently, a good habit is to read the chip twice and compare the two files, or read once and then run the same command with "-v dump.bin" in place of "-r dump.bin", which re-reads the chip and verifies it against the file.

The process can take a while, especially for larger chips. The size can be read from the datasheet: the MX25L1606E's address space ends at 0x1FFFFF, so it holds 0x200000 = 2,097,152 bytes, i.e. 2 MB (Figure 15), which matches the "2048 kB" flashrom reported.

  

Figure 15 MX25L1606E memory organization


This 2 MB chip took about two minutes to dump completely. In the end we got lucky: the firmware dumped successfully on the first attempt.

iot@attifyos ~> flashrom -p ft2232_spi:type=232H -c MX25L1605A/MX25L1606E/MX25L1608E -r dump.bin
flashrom v0.9.9-r1954 on Linux 4.15.0-88-generic (x86_64)
flashrom is free software, get the source code at
Calibrating delay loop... delay loop is unreliable, trying to continue OK.
Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) on ft2232_spi.
Reading flash... done.
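Before handing a dump to binwalk it is worth checking it for the failure modes described above: the file must be exactly the size the datasheet implies, a failed read tends to be a file of null bytes, and a flaky clip contact shows up as two reads that disagree. The following Python is an added example, not code from the original article or from flashrom; the sample reads it checks are constructed inside the script, and the file names in its usage line are hypothetical.

```python
"""Sanity checks for a raw SPI flash dump, run before spending time on binwalk.

Added example (not from the original article, not part of flashrom). It checks
the three things the text warns about: the file must be exactly the size the
datasheet implies (MX25L1606E: last address 0x1FFFFF, so 0x200000 bytes), a
failed read tends to be a file full of 0x00 (or 0xFF) bytes, and an unstable
clip contact shows up as two consecutive reads that disagree. The sample
reads at the bottom are constructed, not real router firmware.
"""
import sys
from typing import List, Optional

MX25L1606E_LAST_ADDRESS = 0x1FFFFF
MX25L1606E_SIZE = MX25L1606E_LAST_ADDRESS + 1   # 2,097,152 bytes = 2 MiB = flashrom's "2048 kB"


def blank_ratio(data: bytes, fill: int) -> float:
    """Fraction of bytes equal to `fill` (0x00 or 0xFF)."""
    if not data:
        return 1.0
    return data.count(fill) / len(data)


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte where two reads disagree; None if identical."""
    if a == b:
        return None
    n = min(len(a), len(b))
    chunk = 4096                      # compare in slices first, then narrow down
    for start in range(0, n, chunk):
        end = min(start + chunk, n)
        if a[start:end] != b[start:end]:
            for i in range(start, end):
                if a[i] != b[i]:
                    return i
    return n                          # common prefix identical, lengths differ


def check_dump(first: bytes, second: Optional[bytes] = None,
               expected_size: int = MX25L1606E_SIZE,
               blank_threshold: float = 0.98) -> List[str]:
    """Return the problems found; an empty list means the dump looks usable."""
    problems = []
    if len(first) != expected_size:
        problems.append(f"size {len(first):#x} != expected {expected_size:#x} "
                        "(wrong chip given to -c, or a truncated read)")
    for fill, meaning in ((0x00, "null bytes: chip not responding, check CS/SCK wiring and power"),
                          (0xFF, "0xFF bytes: erased chip, or MISO not connected")):
        ratio = blank_ratio(first, fill)
        if ratio >= blank_threshold:
            problems.append(f"{ratio:.0%} of the dump is {fill:#04x} ({meaning})")
    if second is not None:
        off = first_difference(first, second)
        if off is not None:
            problems.append(f"two reads differ at offset {off:#x}: unstable connection "
                            "(clip contact, cable length, or the board powering up)")
    return problems


# Constructed sample data (not real firmware): a patterned 2 MiB "good" read,
# the same read with one corrupted byte, and the all-zero file a failed read gives.
GOOD_READ = bytes(range(256)) * (MX25L1606E_SIZE // 256)
_flipped = bytearray(GOOD_READ)
_flipped[0x1234] ^= 0xFF
SECOND_READ_BAD = bytes(_flipped)
NULL_READ = b"\x00" * MX25L1606E_SIZE


def main(argv: List[str]) -> int:
    """usage: check_dump.py first.bin [second.bin]   (file names are hypothetical)"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    with open(argv[1], "rb") as f:
        first = f.read()
    second = None
    if len(argv) > 2:
        with open(argv[2], "rb") as f:
            second = f.read()
    problems = check_dump(first, second)
    for p in problems:
        print("problem:", p)
    print("dump looks usable" if not problems else f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Read the chip twice with "-r dump.bin" and "-r dump2.bin" and run the script on both files; a mismatch at any offset means the wiring, not the firmware, is what needs attention next.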

Now it's binwalk's turn:

iot@attifyos ~> binwalk dump.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
5440 0x1540 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 85344 bytes
28570 0x6F9A Sercomm firmware signature, version control: 256, download control: 0, hardware ID: "AAZ", hardware version: 0x3200, firmware version: 0x6, starting code segment: 0x0, code size: 0x7310
142352 0x22C10 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2764800 bytes
881324 0xD72AC LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3450 bytes
882534 0xD7766 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 10162 bytes
884943 0xD80CF LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 118270 bytes
917640 0xE0088 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11937 bytes
920834 0xE0D02 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2992 bytes
921709 0xE106D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 177 bytes
921863 0xE1107 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 116 bytes
921999 0xE118F LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 491 bytes
922337 0xE12E1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 718 bytes
922610 0xE13F2 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 20267 bytes
926110 0xE219E LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1196 bytes
926568 0xE2368 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 140 bytes
926729 0xE2409 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 708 bytes
927159 0xE25B7 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 17248 bytes
930471 0xE32A7 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 141 bytes
930632 0xE3348 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 543 bytes
930971 0xE349B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4166 bytes
932391 0xE3A27 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5883 bytes
933996 0xE406C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3257 bytes
935281 0xE4571 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 49 bytes
935337 0xE45A9 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7205 bytes
936048 0xE4870 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4716 bytes
937318 0xE4D66 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2506 bytes
937984 0xE5000 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7376 bytes
938892 0xE538C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2951 bytes
939613 0xE565D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7369 bytes
940273 0xE58F1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11312 bytes
942619 0xE621B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7671 bytes
944755 0xE6A73 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 300 bytes
945073 0xE6BB1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 99243 bytes
974918 0xEE046 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 89932 bytes
1006871 0xF5D17 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 55 bytes
1006939 0xF5D5B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1484 bytes
1007670 0xF6036 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11316 bytes
1008768 0xF6480 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6962 bytes
1010654 0xF6BDE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2723 bytes
1011701 0xF6FF5 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 9151 bytes
1013994 0xF78EA LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 13151 bytes
1016828 0xF83FC LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3592 bytes
1018079 0xF88DF LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 27452 bytes
1024437 0xFA1B5 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 711 bytes
1024870 0xFA366 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 71 bytes
1024953 0xFA3B9 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3861 bytes
1026104 0xFA838 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4303 bytes
1026844 0xFAB1C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11222 bytes
1029155 0xFB423 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2189 bytes
1030156 0xFB80C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 15453 bytes
1031493 0xFBD45 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11326 bytes
1032515 0xFC143 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4244 bytes
1036593 0xFD131 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 15755 bytes
1040878 0xFE1EE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2695 bytes
1042083 0xFE6A3 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1956 bytes
1043986 0xFEE12 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6532 bytes
1045769 0xFF509 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 868 bytes
1046218 0xFF6CA LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2208 bytes
1047043 0xFFA03 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1010 bytes
1047474 0xFFBB2 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2793 bytes
1048685 0x10006D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1599 bytes
1049943 0x100557 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 49437 bytes
1055931 0x101CBB LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2276 bytes
1056907 0x10208B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 9850 bytes
1059309 0x1029ED LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 14359 bytes
1062254 0x10356E LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 115629 bytes
1096126 0x10B9BE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 142 bytes
1096289 0x10BA61 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2379 bytes
1097270 0x10BE36 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 9662 bytes
1099324 0x10C63C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8110 bytes
1100452 0x10CAA4 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 16599 bytes
1104501 0x10DA75 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 113073 bytes
1139633 0x1163B1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1164 bytes
1140114 0x116592 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2749 bytes
1141269 0x116A15 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 992 bytes
1141593 0x116B59 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2386 bytes
1142645 0x116F75 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3389 bytes
1143726 0x1173AE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2593 bytes
1144845 0x11780D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 112854 bytes
1178716 0x11FC5C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 23875 bytes
1182332 0x120A7C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 19256 bytes
1186345 0x121A29 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 22772 bytes
1189511 0x122687 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 19897 bytes
1193861 0x123785 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5708 bytes
1195343 0x123D4F LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 118097 bytes
1230423 0x12C657 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2468 bytes
1231379 0x12CA13 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 122825 bytes
1264272 0x134A90 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 36 bytes
1264320 0x134AC0 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3331 bytes
1265332 0x134EB4 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 114489 bytes
1299549 0x13D45D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6837 bytes
1301387 0x13DB8B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 13110 bytes
1303991 0x13E5B7 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 119 bytes
1304130 0x13E642 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3482 bytes
1305418 0x13EB4A LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2803 bytes
1306588 0x13EFDC LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 88006 bytes
1337278 0x1467BE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6572 bytes
1339658 0x14710A LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2384 bytes
1342047 0x147A5F LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 141 bytes
1342210 0x147B02 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 73 bytes
1342295 0x147B57 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 856 bytes
1343170 0x147EC2 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 625 bytes
1343809 0x148141 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 183 bytes
1343969 0x1481E1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2619 bytes
1345099 0x14864B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3389 bytes
1346055 0x148A07 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 12586 bytes
1347838 0x1490FE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 118 bytes
1347975 0x149187 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 650 bytes
1348652 0x14942C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2791 bytes
1349331 0x1496D3 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 615 bytes
1349749 0x149875 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 13284 bytes
1352395 0x14A2CB LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4897 bytes
1353804 0x14A84C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 34279 bytes
1358905 0x14BC39 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 113 bytes
1359036 0x14BCBC LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 37989 bytes
1365372 0x14D57C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2509 bytes
1366497 0x14D9E1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2175 bytes
1367477 0x14DDB5 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7597 bytes
1369498 0x14E59A LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5214 bytes
1371175 0x14EC27 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 43 bytes
1371229 0x14EC5D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 114 bytes
1371363 0x14ECE3 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 290 bytes
1371584 0x14EDC0 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 929 bytes

The "Sercomm firmware signature" line shows a hardware ID of "AAZ", which exactly matches the hardware ID printed on the board (Figure 16), so we can be confident this is the device's real firmware. From here we can go on to analyze the firmware for vulnerabilities ("binwalk -e dump.bin" extracts the components it recognized). Keep in mind that if we can dump the firmware, we can also write custom firmware, backdoor included, back to the flash chip; nothing in this process asked the device for any credentials.

  

Figure 16 Hardware ID
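The binwalk listing above is a signature scan: each "LZMA compressed data" line is just the stream's 13-byte header decoded, and a stray byte sequence can produce the same line. The following Python is an added example, not code from the original article or from binwalk; it decodes those headers the same way and then tries to actually decompress each candidate, which is the check to do before trusting an offset. Its sample image is constructed in the script (one real LZMA stream plus two decoys), and the names it introduces, such as find_lzma_streams and the file name in the usage comment, are this example's own.

```python
"""Find and verify LZMA-alone headers in a raw flash image.

Added example; not part of the original article and not binwalk's code.
A binwalk line "LZMA compressed data, properties: 0x5D, dictionary size: N bytes,
uncompressed size: M bytes" is decoded from the 13-byte header every LZMA-alone
stream starts with: one properties byte ((pb*5 + lp)*9 + lc), a 4-byte
little-endian dictionary size and an 8-byte little-endian uncompressed size
(all 0xFF = unknown; the stream then ends with an end marker). A signature match
is only a candidate, so each hit is also decompressed. The sample image at the
bottom is constructed, not the Belkin dump.
"""
import lzma
import struct
from typing import List, Optional

LZMA_HEADER_LEN = 13
LZMA_SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF
# Assumption: nothing inside a 2 MiB image expands beyond 256 MiB; a header
# claiming more is treated as a false positive.
MAX_UNCOMPRESSED = 256 * 1024 * 1024


def plausible_dict_size(n: int) -> bool:
    """LZMA encoders write 2^k or 2^k + 2^(k-1); accept 4 KiB .. 64 MiB."""
    return any(n == (1 << k) or n == (1 << k) + (1 << (k - 1)) for k in range(12, 27))


def parse_lzma_header(blob: bytes, off: int) -> Optional[dict]:
    """Decode the header at `off`; None if it cannot be an LZMA-alone header."""
    if off + LZMA_HEADER_LEN > len(blob):
        return None
    props, dict_size, usize = struct.unpack_from("<BIQ", blob, off)
    if props >= 9 * 5 * 5:            # lc < 9, lp < 5, pb < 5
        return None
    if not plausible_dict_size(dict_size):
        return None
    if usize != LZMA_SIZE_UNKNOWN and not 0 < usize <= MAX_UNCOMPRESSED:
        return None
    return {
        "offset": off,
        "properties": props,
        "lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45,
        "dict_size": dict_size,
        "uncompressed_size": None if usize == LZMA_SIZE_UNKNOWN else usize,
    }


def try_decompress(blob: bytes, off: int) -> Optional[bytes]:
    """Decompress the stream at `off`; None unless it ends cleanly."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = dec.decompress(blob[off:])
    except lzma.LZMAError:
        return None
    return out if dec.eof else None   # bytes after the stream end up in dec.unused_data


def find_lzma_streams(blob: bytes, verify: bool = True) -> List[dict]:
    """Try every offset (a 2 MiB dump takes a few seconds) and return the hits."""
    hits = []
    for off in range(len(blob) - LZMA_HEADER_LEN + 1):
        hdr = parse_lzma_header(blob, off)
        if hdr is None:
            continue
        data = try_decompress(blob, off) if verify else None
        hdr["verified"] = data is not None
        hdr["decompressed_len"] = len(data) if data is not None else 0
        hits.append(hdr)
    return hits


def describe(hit: dict) -> str:
    """One line per hit, in the spirit of binwalk's listing plus a verdict."""
    size = hit["uncompressed_size"]
    size_text = "unknown (end marker)" if size is None else f"{size} bytes"
    verdict = f"verified, {hit['decompressed_len']} bytes out" if hit["verified"] else "NOT verified"
    return (f"{hit['offset']:<10d} {hit['offset']:#010x} properties: 0x{hit['properties']:02X} "
            f"(lc={hit['lc']} lp={hit['lp']} pb={hit['pb']}), dictionary size: {hit['dict_size']} "
            f"bytes, uncompressed size: {size_text}, {verdict}")


# Constructed sample image (not real firmware), padded with 0xFF like erased flash:
#  - offset 0x00: a stray 0x5D byte with an impossible dictionary size (rejected)
#  - offset 0x40: a genuine LZMA-alone stream from lzma.compress(), size field unknown
#  - end of image: the header from the binwalk line at 0xD72AC above (0x5D, 64 KiB
#    dictionary, 3450 bytes) followed by three junk bytes: parses, does not verify
SAMPLE_TEXT = b"Belkin N300 demo payload: " + b"<html>index.html</html>\n" * 40
REAL_STREAM = lzma.compress(SAMPLE_TEXT, format=lzma.FORMAT_ALONE)
FAKE_HEADER = struct.pack("<BIQ", 0x5D, 65536, 3450) + b"\x12\x34\x56"
REAL_OFFSET = 0x40
FAKE_OFFSET = REAL_OFFSET + len(REAL_STREAM) + 16
SAMPLE_BLOB = (b"\x5d\x00\x00\x00\x00" + b"\xff" * (REAL_OFFSET - 5)
               + REAL_STREAM + b"\xff" * 16 + FAKE_HEADER)


if __name__ == "__main__":
    import sys
    # usage: lzma_scan.py [dump.bin]   (file name hypothetical; no argument scans the sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for hit in find_lzma_streams(image):
        print(describe(hit))
```

Run it against the real dump as "python3 lzma_scan.py dump.bin". A hit that parses but does not verify is either a false positive or a stream written with a convention the decoder rejects; either way it deserves a manual look before you carve at that offset.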

If something goes wrong, the two most likely causes are that the pins are not connected correctly, or (if they are) that the 3.3V you are supplying to the flash chip is also powering up the rest of the board, whose processor then drives the SPI bus itself and prevents a clean dump. The second case is quite common; the best fix is usually to desolder the chip with a hot air gun and dump it on its own. As mentioned earlier, also check the cable length to make sure the failure is not simply the cables being too long.

Although dumping these devices can take a fair amount of time, it deepens our understanding of how they work. For example, with the Belkin firmware dumped we can analyze the web interface's source files directly, which makes it much easier to identify and exploit remote vulnerabilities in the device.

By exploiting vulnerabilities in devices like this, an attacker can plant a backdoor in the victim's router and reroute all network traffic, stealing credentials for banking, e-commerce and other accounts. Knowing where these vulnerabilities are gives us the chance to fix them before they cause serious damage.

In the next part of this series we'll look at JTAG and UART serial interfaces: how to access them and what we can get out of them.

Tools that help dump this kind of firmware successfully:

SOIC clip:

A device for dumping firmware (Bus Pirate):

Cables and clips:

Additional useful wires:

The Bus Pirate speaks the SPI serial protocol and dumps the firmware for us. Viable alternatives include the Shikra and the Attify Badge; each tool has its pros and cons. The Bus Pirate is widely used and well documented and, in my opinion, the easiest to use. The Shikra is considered more stable and faster than the Bus Pirate, but has less support behind it. The Attify Badge, by comparison, is easier to set up but likewise has limited support. The Bus Pirate also provides a convenient serial console, so if you prefer you can easily talk to a device by hand. Choose according to your preference and circumstances.

Also, since cables and clips are cheap and easy to obtain, I particularly recommend these: they have given me everything I have needed so far and grip the pins well.

Unless otherwise stated, copyright for this article belongs to 奥商分享网; please credit the source when reposting.



Article URL: http://xaasjf.com/benzhou/1162.html
