Topic: Hacking protected MCU firmware (Read 893 times)
digidream
« on: September 16, 2016, 11:36:46 »

Hello!

I don't know where to post this, so sorry if it is the wrong place.
I have a board in front of me with an ATXMEGA MCU and lock fuses enabled, so it is impossible to read the firmware.
But this board is delivered with a Windows app and a firmware update feature.
When installing this software, I found in a hidden directory a firmware corresponding to the MCU on the board, but it is a .bin file and not a .hex one.
I tried to convert the .bin to .hex but it doesn't work. The file seems not to be in the right format.
Maybe the bin file is encrypted.

Do you think it is possible to listen on the USB port during the transfer and copy the firmware, or do other bad things?

Thank you for your help :)


pablo2048
« Reply #1 on: September 16, 2016, 12:15:06 »

IMHO even this USB transfer is encrypted. IAP decrypts the file on the fly...
fpgaguy
« Reply #2 on: September 16, 2016, 19:54:11 »

I'd suggest getting the spec for that particular part, to get a better understanding of what you are up against.

I have an ARM that I use that has an e-fuse register on the part which can be set to an AES key, and when it's strapped to secure mode it will then use this AES key on the data contained in the secondary (external) boot SPI; in this mode JTAG is disabled also.
The boot method for this part is then:

internal ROM -> loads header from SPI -> loads bin_hdr for DDR training/SerDes -> loads u-boot -> loads Linux kernel/filesystem -> done booting

However, _all_ those user pieces can be encrypted with the random 128-bit AES key you make.

I suppose if you know the format of the boot code and can identify that the unencrypted code would have a certain pattern at a precise location somewhere in the code (perhaps the reset vector, or something), and if you know the encryption method, you could build some guessing tool with rainbow tables, but... it may be quicker to just redesign.

I've seen (s/w) USB sniffers, so that would be worth eliminating as a possibility.

I see ATXMEGA is AES also... so:
there's quite a bit of discussion on the net about AES-128 cracking, but generally the consensus is that it's not possible using a brute-force attack.
You will need to find a side channel, and there are some vague successes reported on SIM cards (search Black Hat 2015, Yu Yu).
CocaCola
« Reply #3 on: September 16, 2016, 20:47:57 »

> it may be quicker to just redesign

It's certainly more ethical to redesign... With that said, unless you have the tools and experience, chances are you won't be cracking it in any realistic time frame, or even ever... I highly doubt logging or listening to the USB is going to get you anywhere, as the 'decryption' is almost certainly fully contained in the chip; the only likely info being sent over the USB is the file you already found...

On the other hand, if you dig around there are some Asian electronics firms that specialize in dumping chips, and if you contact them with the chip number they generally will give you a yes/no and cost right away... It's not cheap, and you generally have to send them 2-3 pcs of the chip for them to work with, just in case they destroy one by physically taking it apart to access the guts directly... Going back about 7 years now, I had a quote for $1000 USD to dump a locked chip they claimed to be able to do, but since security measures have obviously improved over the years it might be even more costly now...
hate
« Reply #4 on: September 18, 2016, 05:52:03 »

Many years ago, I converted a .bin file to a .hex file to program into an AVR. I don't remember what I used to convert it at the time, but a quick search suggests this:
Code:
avr-objcopy -I binary file.bin -O ihex file.hex
'avr-objcopy' comes with the Atmel AVR Tools.

There is also the 'srec_cat' way detailed here (I may have used this one):
Code:
srec_cat file.bin -binary -o file.hex -intel --line-length=44
'srec_cat' comes with WinAVR, if not with Atmel AVR Tools.

But still, the format of your .bin file may be different from the standard.

Regards...
pickit2
« Reply #5 on: September 18, 2016, 15:26:10 »

Also many years ago (I can't remember the programmer), there were about 6 options to save a hex file in a bit of kit we used; we needed to save as option 4, but the number of times the wrong one was chosen... the techies said it was a bad chip.

This is a page I found while trying to find the programmer we used.
http://www.keil.com/support/docs/1584/
sadman
« Reply #6 on: September 18, 2016, 18:38:34 »

Hi,

What I think is that you have the right firmware file in the format of .bin; normally we require an INHX8M-compatible hex file. You can find more detail about hex files and their format at the link given.

https://en.wikipedia.org/wiki/Intel_HEX

Further, if you find an old 8051 compiler, it comes with two utils, "bin2hex" and "hex2bin". I have these two utilities on my old hard drive; I will find them and share them here. Both utils are from Intel and they work like a charm. You can search on Google for "bin2hex".

So I found it on my hard drive.

sadman
« Last Edit: September 18, 2016, 18:48:45 by sadman »
nPn
« Reply #7 on: September 18, 2016, 22:19:54 »

Strictly converting into HEX might be a bit of a red herring, because HEX is just a different (ASCII) representation of the data in the bin. There's nothing in a bin -> HEX conversion process that verifies if the data is valid AVR firmware or decrypts the bytes. Are you doing any additional steps that might fail? Please post your command line.
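Worked example for the bin-to-hex point made in hate's, sadman's and nPn's replies above. This is added here and is not code from any poster in the thread, nor anything to do with the board in question: a small Python script that does the same lossless wrapping as `avr-objcopy -I binary -O ihex` (and the `hex2bin` direction back), then runs the two cheap checks nPn's point implies before you bother converting at all: does the start of the file decode as an AVR interrupt-vector table, and is the byte entropy near 8 bits/byte (the signature of an encrypted or compressed blob)? All inputs are constructed: the "plaintext" image is a synthetic XMEGA-style vector table jumping to a made-up handler at word address 0x0080, and the "ciphertext" is a SHA-256 counter stream standing in for an encrypted update file. The JMP/RJMP opcode masks are from the AVR instruction set; the 7.5 bits/byte entropy threshold and 16-slot vector check are this example's own heuristics, not anything the thread states.

```python
"""Added example (not from any poster in this thread): Intel HEX <-> raw
binary, plus two cheap checks that say whether a .bin is worth converting.
All sample data below is constructed; no real firmware is involved."""
import hashlib
import math
from collections import Counter


def _record(rectype: int, addr: int, payload: bytes) -> str:
    """One Intel HEX record: ':' + hex(len, addr_hi, addr_lo, type, data, cksum)."""
    body = bytes([len(payload), (addr >> 8) & 0xFF, addr & 0xFF, rectype]) + payload
    checksum = (-sum(body)) & 0xFF            # two's complement of the byte sum
    return ":" + (body + bytes([checksum])).hex().upper()


def bin_to_ihex(data: bytes, base: int = 0, reclen: int = 16) -> str:
    """Same job as `avr-objcopy -I binary -O ihex`: wrap raw bytes in data
    records starting at flash address `base`. Emits an extended-linear-address
    (type 04) record whenever the upper 16 bits change and never lets a data
    record straddle a 64 KiB boundary, so images past 64 KiB are handled."""
    lines, upper, off = [], 0, 0
    while off < len(data):
        addr = base + off
        if (addr >> 16) != upper:
            upper = addr >> 16
            lines.append(_record(0x04, 0, bytes([(upper >> 8) & 0xFF, upper & 0xFF])))
        n = min(reclen, len(data) - off, 0x10000 - (addr & 0xFFFF))
        lines.append(_record(0x00, addr & 0xFFFF, data[off:off + n]))
        off += n
    lines.append(_record(0x01, 0, b""))       # EOF record, always ":00000001FF"
    return "\n".join(lines) + "\n"


def ihex_to_bin(text: str, fill: int = 0xFF) -> bytes:
    """Inverse of bin_to_ihex (the `hex2bin` direction). Verifies every record
    checksum and fills address gaps with `fill`, the way erased flash reads."""
    image, base = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue                           # tolerate blank/comment lines
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:                    # all bytes incl. checksum sum to 0 mod 256
            raise ValueError("bad checksum: " + line)
        count, addr, rectype, payload = raw[0], (raw[1] << 8) | raw[2], raw[3], raw[4:-1]
        if count != len(payload):
            raise ValueError("length mismatch: " + line)
        if rectype == 0x00:                    # data
            for i, b in enumerate(payload):
                image[base + addr + i] = b
        elif rectype == 0x01:                  # EOF
            break
        elif rectype == 0x02:                  # extended segment address (x16)
            base = ((payload[0] << 8) | payload[1]) << 4
        elif rectype == 0x04:                  # extended linear address (x65536)
            base = ((payload[0] << 8) | payload[1]) << 16
        else:
            raise ValueError("unsupported record type %02X" % rectype)
    if not image:
        return b""
    lo, hi = min(image), max(image)
    return bytes(image.get(a, fill) for a in range(lo, hi + 1))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Ciphertext and compressed data sit near 8.0; real AVR
    code is noticeably lower (skewed opcode bytes, 0xFF erased-flash padding)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def avr_vector_score(data: bytes) -> float:
    """Fraction of the first 16 interrupt-vector slots that decode to JMP
    (parts with >8 KiB flash, XMEGA included: 4-byte vectors) or to RJMP
    (small parts: 2-byte vectors); returns the better of the two guesses.
    Masks from the AVR ISA: JMP = 1001 010k kkkk 110k, RJMP = 1100 kkkk kkkk
    kkkk, both stored as little-endian 16-bit words in flash."""
    def fraction(stride, mask, value):
        hits = 0
        for slot in range(16):
            off = slot * stride
            if off + 2 > len(data):
                break
            word = data[off] | (data[off + 1] << 8)
            hits += (word & mask) == value
        return hits / 16
    return max(fraction(4, 0xFE0E, 0x940C), fraction(2, 0xF000, 0xC000))


def classify(data: bytes) -> str:
    """Cheap triage of an unknown update blob: plaintext AVR images are
    recognisable from the vector table alone; an encrypted one is not, and
    no bin->hex conversion changes that (thresholds are this example's own)."""
    if avr_vector_score(data) >= 0.75:
        return "plaintext AVR image (vector table decodes)"
    if shannon_entropy(data) > 7.5:
        return "high entropy: encrypted or compressed, converting won't help"
    return "unknown format"


def build_sample_plaintext() -> bytes:
    """Constructed stand-in for an unencrypted XMEGA image: 16 JMP vectors to a
    made-up handler at word address 0x0080, a few NOP/RET words, 0xFF padding."""
    jmp_0x80 = bytes([0x0C, 0x94, 0x80, 0x00])       # JMP 0x0080 (little-endian words)
    nop_ret = bytes([0x00, 0x00, 0x08, 0x95])        # NOP ; RET
    return jmp_0x80 * 16 + nop_ret * 8 + b"\xFF" * 64


def build_sample_ciphertext(n: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for an AES-encrypted
    update file (constructed: a SHA-256 counter stream, not real ciphertext)."""
    out = bytearray()
    for i in range(0, n, 32):
        out += hashlib.sha256(b"constructed-" + i.to_bytes(4, "little")).digest()
    return bytes(out[:n])


if __name__ == "__main__":
    plain, blob = build_sample_plaintext(), build_sample_ciphertext()
    assert ihex_to_bin(bin_to_ihex(plain)) == plain  # the conversion is lossless either way
    for name, d in (("plaintext", plain), ("ciphertext", blob)):
        print(f"{name}: entropy={shannon_entropy(d):.2f} "
              f"vectors={avr_vector_score(d):.2f} -> {classify(d)}")
```

The round trip shows what nPn means: a bin-to-hex converter only re-encodes the bytes and checksums them, so if the .bin is encrypted the .hex you get is the same ciphertext with colons in front. Running `classify()` on the real file before converting tells you which case you are in; a result of "unknown format" usually means a vendor container (header, multiple sections, or a non-zero load base) rather than raw flash contents.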
CocaCola
« Reply #8 on: September 19, 2016, 05:57:46 »

Just because the file extension is .bin does not mean it complies with any known format, or is even a binary file at all...

IMO if the developers implemented even the most basic security and encryption, trying to convert BIN to HEX isn't going to get you anywhere... Sure, if you knew the BIN file's format and knew for sure it wasn't encrypted, you could convert to HEX, but I doubt this is the case in today's protection world...
Gallymimu
« Reply #9 on: September 22, 2016, 18:21:17 »

> Just because the file extension is .bin does not mean it complies with any known format or is even a binary file at all...
>
> IMO if the developers implemented even the most basic security and encryption trying to convert BIN to HEX isn't going to get you anywhere... Sure if you knew the BIN files format and knew for sure it wasn't encrypted you could convert to HEX but I doubt this is the case in today's protection world...

I think you can pretty much guarantee if it's not ASCII it's BINARY :)
CocaCola
« Reply #10 on: September 22, 2016, 20:14:28 »

> I think you can pretty much guarantee if it's not ASCII it's BINARY :)

Not sure where you are going with that, as there are other recognized and even proprietary character encoding schemes beyond ASCII, so your statement is essentially false, beyond the point that in the end all files are binary at the foundation...
« Last Edit: September 22, 2016, 20:23:01 by CocaCola »
Gallymimu
« Reply #11 on: September 23, 2016, 01:52:18 »

> Not sure where you are going with that as there are other recognized and even proprietary character encoding schemes beyond ASCII, so your statement is essentially false, beyond the point that in the end all files are binary at the foundation...

Please elaborate with some examples so I can learn. I simply didn't think the comment "... or is even a binary file at all" seemed nonsensical to me. I simply didn't consider, at least at a high level, anything besides ASCII or BINARY encoding of data, irrespective of some goofy character format where you might be using a bunch of other ASCII symbols in the format.

BUT, I'm still interested if you have some particular examples in mind that don't really fall into the general category of ASCII encoding or binary encoding. (No, I'm not trying to nitpick and say everything is ones and zeroes at the end of the day.)

So I'm probably not FALSE and you probably don't actually sound silly. We just need a meeting of the minds and then we can hug it out!

I'm here to learn, not to be right... though... I'm pretty much always right... :)