the application of reverse engineering techniques … · the application of reverse engineering...
TRANSCRIPT
![Page 1: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/1.jpg)
DIGITAL FORENSIC RESEARCH CONFERENCE
The Application Of Reverse Engineering Techniques Against The Arduino
Microcontroller To Acquire Uploaded Applications
By
Steve Watson
Presented At
The Digital Forensic Research Conference
DFRWS 2014 USA Denver, CO (Aug 3rd - 6th)
DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized
the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners
together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working
groups, annual conferences and challenges to help drive the direction of research and development.
http:/dfrws.org
![Page 2: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/2.jpg)
Disclaimer
The$opinions$expressed$and$materials$shared$in$this$presenta1on$are$my$own$and$may$not$reflect$the$opinions,$policies,$or$procedures$of$my$employer.$
Steve$Watson$ DFRWS$US$2014$2$
![Page 3: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/3.jpg)
What is Arduino?
● A$single$board$microcontroller$plaHorm.$
$● An$open$source$
electronics$plaHorm.$
Steve$Watson$ DFRWS$US$2014$3$
![Page 4: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/4.jpg)
Why are we talking about Arduino?
$● New,$ founda1onal$ technology$ appearing$ in$
many$different$form$factors.$$● No$clear$direc1on$on$forensic$acquisi1on$of$data$
on$this$evolving$plaHorm.$
Steve$Watson$ DFRWS$US$2014$4$
![Page 5: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/5.jpg)
Where is Arduino today?
Steve$Watson$ DFRWS$US$2014$5$
![Page 6: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/6.jpg)
Examples - MakerBot Thing-O-Matic
Introduced$September$2010$at$MakerFaire$NYC$
“By$2018,$3D$prin0ng$will$result$in$the$loss$of$at$least$$100$billion$per$year$in$intellectual$property$globally.”$
Steve$Watson$ DFRWS$US$2014$6$
![Page 7: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/7.jpg)
Example - Arduino Phone
hTp://www.instructables.com/id/ArduinoPhone/$
hTp://blog.arduino.cc/2013/08/12/diyYcellphone/$
Steve$Watson$ DFRWS$US$2014$7$
![Page 8: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/8.jpg)
Examples - ArduSat
Steve$Watson$ DFRWS$US$2014$
![Page 9: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/9.jpg)
Arduino Basics
microcontroller CPU, RAM and
ROM on a single chip.
shield daughter card that sits on top of the
Arduino
sketch
the code or application written in
C++ that is uploaded to the
Arduino
Steve$Watson$ DFRWS$US$2014$9$
![Page 10: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/10.jpg)
Is there data to recover?
![Page 11: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/11.jpg)
Where is the data?
Microcontroller$ Development$Systems$ Remote$Endpoints$
Steve$Watson$ DFRWS$US$2014$11$
![Page 12: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/12.jpg)
What is the data?
Microcontroller$ Development$Systems$ Remote$Endpoints$
running$applica1ons$(flash)$
.ino$(Arduino$sketch)$
cloud$compu1ng$updates$(TwiTer,$Facebook,$IoT$pages)$
NVM,$persistent$(eeprom)$
.elf$(intermediate$step$between$c++$and$assembly)$
control$messages$(c&c$of$other$microcontroller$devices)$
.csv,$.txt$(asci$or$hex$on$SDCARD)$
.hex$(assembly)$
.txt,$.csv$
Fuses$(single$byte$hex$values)$
.json$(JSON$calls$to$other$applica1ons)$
Steve$Watson$ DFRWS$US$2014$12$
![Page 13: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/13.jpg)
How I approach new devices
1. What$is$the$opera1ng$system?$2. What$is$the$storage?$3. What$is$the$connec1vity?$4. How$is$the$system$updated,$installed,$accessed?$5. What$are$the$parallels$with$other$systems$and$
devices?$6. What$exis1ng$documenta1on$and$informa1on$
exists?$
Steve$Watson$ DFRWS$US$2014$13$
![Page 14: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/14.jpg)
Focus on the Arduino
![Page 15: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/15.jpg)
Connection to the target
1. Chip$removal$(chipYoff$equivalent)$$2. Tethered$to$another$Arduino$(computer$to$
computer$equivalent)$$3. Connect$to$a$programming$port$on$the$board$
(JTAG$equivalent)$$
Steve$Watson$ DFRWS$US$2014$15$
![Page 16: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/16.jpg)
Connection: Chip-off
Example:$ZIF$Socket$28YPin,$hTps://www.sparkfun.com/products/9175$
Steve$Watson$ DFRWS$US$2014$16$
![Page 17: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/17.jpg)
Connection: Tethered Arduino
$
$
$
$
$
Arduino$Tutorial:$Using$an$Arduino$as$an$AVR$ISP$(InYSystem$Programmer)$hTp://arduino.cc/en/Tutorial/ArduinoISP$
$
Steve$Watson$ DFRWS$US$2014$17$
![Page 18: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/18.jpg)
Connection: JTAG Equivalent
$$$$$$$$Olimex$STK500v2$connected$via$ICSP$to$an$Arduino$UNO$
Steve$Watson$ DFRWS$US$2014$18$
![Page 19: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/19.jpg)
Connection: ICSP
ICSP$Y$InYCircuit$Serial$Programming$$
Steve$Watson$ DFRWS$US$2014$19$
![Page 20: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/20.jpg)
Software used to acquire
1. AVRDUDE$Y$AVR$Downloader/UploaDEr$
a. opensource$
b. hTp://www.nongnu.org/avrdude/$
c. Included$in$the$Arduino$IDE$install$under$install$directory$../Arduino/hardware/tools/avr/bin/avrdude.exe$
2. Atmel$AVR$Studio$a. Free$development$environment$for$Atmel$AVR$8Y$and$32Y
bit$MCUs.$$
Steve$Watson$ DFRWS$US$2014$20$
![Page 21: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/21.jpg)
Data to acquire
Flash$(32KB)$$EEPROM$(1KB)$● NVM$reserved$for$persistence$across$uploads$$Fuses$(1B$x$3$reserved)$● lfuse,$hfuse,$efuse$● single$byte$hex$configura1ons$related$to$clock,$bootloader$
and$voltage$(see$reference$slide$for$more$detail)$
Steve$Watson$ DFRWS$US$2014$21$
![Page 22: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/22.jpg)
Software: AVRDUDE
Example:$Read$flash$memory$and$dump$hex$to$specific$file.$
$
avrdude$Yp$m328p$Yc$stk500v2$YP$com4$YU$flash:r:"[path/to/file/filename.hex]":r$
$Yp$[part$number]$Yc$[programmer]$YP$[com$port]$YU$[memory$opera1on]$
● Note$the$:r:$and$:r$to$define$READ$● change$‘flash’$to$eeprom,$lfuse,$hfuse$and/or$efuse$to$acquire$reserved$
por1ons.$$
Steve$Watson$ DFRWS$US$2014$22$
![Page 23: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/23.jpg)
Software: AVRDUDE C:\apps\avrdude,-p,m328p,-c,stk500v2,-P,com4,-U,flash:r:"c:/temp/arduino_uno.hex":r,
,
avrdude:,AVR,device,initialized,and,ready,to,accept,instructions,
Reading,|,##################################################,|,100%,0.03s,
avrdude:,Device,signature,=,0x1e950f,
avrdude:,reading,flash,memory:,
Reading,|,##################################################,|,100%,94.89s,
avrdude:,writing,output,file,"c:/temp/arduino_uno.hex",
avrdude:,safemode:,Fuses,OK,(E:05,,H:D6,,L:FF),
avrdude,done.,,Thank,you.,
$
Steve$Watson$ DFRWS$US$2014$23$
![Page 24: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/24.jpg)
Software: Atmel Studio
Steve$Watson$ DFRWS$US$2014$24$
$$
Full$walkthrough$(screenshots)$of$an$MCU$acquisi1on$in$the$backup$slides.$
![Page 25: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/25.jpg)
Investigations where data may be needed
1. Supply$chain$inves1ga1ons$2. Malware$analysis$3. Improvised$devices$4. Automa1on$and$control$systems$5. Medical,$fitness$6. Security,$access$control$7. Drones$8. Cloud$
Steve$Watson$ DFRWS$US$2014$25$
![Page 26: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/26.jpg)
Why does this matter?
$1. Inves1ga1ons$and$li1ga1on$are$coming$to$this$
new$technology$area.$$2. The$principles$applied$here$can$be$expanded$to$
other$embedded$technologies.$$
Steve$Watson$ DFRWS$US$2014$26$
![Page 28: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/28.jpg)
Backup Material
![Page 29: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/29.jpg)
![Page 30: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/30.jpg)
Credits 1tle$slide$Y$Arduino$schema1c,$hTp://arduino.cc/en/uploads/Main/arduinoYunoYschema1c.pdf$slide$3$Y$Arduino$UNO$photo,$hTp://arduino.cc/en/uploads/Main/ArduinoUno_R3_Front.jpg$slide$5$Y$Icons$made$by$www.fla1con.com$slide$6$Y$Image$hTp://upload.wikimedia.org/wikipedia/commons/8/87/Makerbot_ThingYOYMa1c_Assembled_Prin1ng_Blue_Rabbit.jpg$hTp://www.gartner.com/newsroom/id/2603215$slide$7$Y$http://blog.arduino.cc/2013/08/12/diy-cellphone/,$http://farm6.staticflickr.com/5475/9474701418_798e142291.jpg,$http://www.instructables.com/id/ArduinoPhone/ slide 8 - Screenshots and images in order of animation: https://www.kickstarter.com/projects/575960623/ardusat-your-arduino-experiment-in-space,$http://www.blogcdn.com/www.engadget.com/media/2012/06/ardustat8388676666666.jpg slide$11$$Y$Icons$made$by$www.fla1con.com$slide$16$Y$Example:$ZIF$Socket$28YPin,$hTps://www.sparkfun.com/products/9175$slide$17$Y$image$created$with$Fritzing$slide$19$Y$monochrome$images http://allaboutee.com/2011/05/11/how-to-program-an-avr-microcontroller/ $$$$$
![Page 31: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/31.jpg)
Reference - Fuses
http://www.engbedded.com/fusecalc/
lfuse $ $$$$$$$$$hfuse $ $ $ $$ $ $efuse$
![Page 32: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/32.jpg)
AVR Acquisition with Atmel Studio Begin&
![Page 33: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/33.jpg)
Software: Atmel Studio
![Page 34: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/34.jpg)
![Page 35: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/35.jpg)
$$$$$$$1. From$Atmel$Studio$
main$screen,$choose$‘Debug’$then$‘Device$Programming’.$
2. Iden1fy$the$‘Tool’,$‘Device’,$and$‘Interface’$then$click$‘Apply’.$
![Page 36: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/36.jpg)
![Page 37: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/37.jpg)
![Page 38: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/38.jpg)
![Page 39: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/39.jpg)
![Page 40: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/40.jpg)
![Page 41: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/41.jpg)
![Page 42: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/42.jpg)
![Page 43: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/43.jpg)
![Page 44: The Application Of Reverse Engineering Techniques … · The Application Of Reverse Engineering Techniques Against The Arduino Microcontroller To Acquire Uploaded Applications By](https://reader031.vdocuments.us/reader031/viewer/2022022014/5b49c20c7f8b9a691e8b9ed8/html5/thumbnails/44.jpg)
AVR Acquisition with Atmel Studio End&