In the previous article we used a badge challenge to walk readers through dumping the firmware of an Atmel chip. In this article we continue by demonstrating how to dump a more complex board: the Belkin N300 router.
The next board we will dump is the Belkin N300 router. Belkin is currently one of the most popular consumer router brands, which means that, unlike the earlier CTF badge, this challenge offers a far more realistic scenario. Consequently, a vulnerability found in this device could affect households around the world.
The first thing to do is, once again, to locate a flash chip. This time we identified an MX25L1606E (Figure 11); its datasheet is at https://www.macronix.com/Lists/Datasheet/Attachments/7465/MX25L1606E,3V,16Mb,v1.9.pdf.
Figure 11: The MX25L1606E chip
Next, we will use the Attify Badge (Figure 12) to dump the firmware, because the Bus Pirate has stopped working.
Figure 12: Attify Badge
The pinout is as follows:
Figure 13: MX25L1606E pin diagram

MX25L1606E    Attify Badge
CS            CS
SO            MOSI
GND           GND
VCC           3.3V
SCLK          SCK
SI            MOSI
Once wired up, it should look like this:
Figure 14: MX25L1606E connected to the Attify Badge
Because a metal frame surrounds the flash chip, there is limited room on this board for a SOIC clip, so this time we used alligator clips instead.
Now that the preparation is done, let's go ahead and dump the firmware. This time, however, we will use the utility called flashrom rather than avrdude, because we are dealing with an SPI flash chip, not an Atmel chip.
First, we can check whether flashrom can dump our chip with the following command: “flashrom -p ft2232_spi:type=232H”.
This command tries to identify the chip automatically. If you are using a Bus Pirate, replace the argument passed to -p as follows: “flashrom -p buspirate_spi:dev=/dev/ttyUSB0”.
Here /dev/ttyUSB0 is the serial port the Bus Pirate is connected to; adjust it as needed. Running the command succeeded and returned the following:
flashrom v0.9.9-r1954 on Linux 4.15.0-88-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... delay loop is unreliable, trying to continue OK.
Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) on ft2232_spi.
Don't worry if chip detection fails: use “flashrom -L” to find your chip manually in the list, then run the following command to see whether the chip can still be read: “flashrom -p ft2232_spi:type=232H -c MX25L1605A/MX25L1606E/MX25L1608E -r dump.bin”.
The -p option says we want to use the ft2232 programmer (substitute the -p argument shown above if you are using a Bus Pirate), -c specifies which flash chip we are dumping (here the MX25L1606E), and -r dump.bin tells flashrom to read the contents into the file dump.bin. If all goes well, we should get a valid firmware file. If it fails, flashrom will either report an error or create a file full of null bytes.
This process can take a while, especially for larger chips; the chip size can be read from the datasheet. Since the MX25L1606E's address space ends at 1FFFFF, its length is 2097151 bytes, or 2 MB (Figure 15).
Figure 15: Memory organization of the MX25L1606E
This 2 MB chip took about two minutes to dump completely. In the end we were lucky and dumped the firmware successfully on the first try.
iot@attifyos ~> flashrom -p ft2232_spi:type=232H -c MX25L1605A/MX25L1606E/MX25L1608E -r dump.bin
flashrom v0.9.9-r1954 on Linux 4.15.0-88-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... delay loop is unreliable, trying to continue OK.
Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) on ft2232_spi.
Reading flash... done.
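Before handing a dump to binwalk it is worth confirming that the read actually succeeded. The following Python script is an added example, not code from the original article or from flashrom: it checks that dump.bin has the length implied by the datasheet (the last address 0x1FFFFF means 0x1FFFFF + 1 = 2097152 bytes, which is the 2048 kB flashrom reports), flags a file consisting entirely of 0x00 or 0xFF bytes (the null-byte failure described above, or erased NOR flash), and compares two successive reads so that a flaky clip connection shows up as differing offsets. The file names on the command line and the `compare_reads` check are assumptions made for the example.

```python
"""Sanity checks for a SPI flash dump (added example, not part of the article)."""
import sys

# Last byte address from the MX25L1606E datasheet memory map (0x1FFFFF, as in the text).
MX25L1606E_LAST_ADDRESS = 0x1FFFFF


def expected_size(last_address: int) -> int:
    """Addresses run from 0 to last_address inclusive, so the chip holds last_address + 1 bytes."""
    return last_address + 1


def check_dump(data: bytes, last_address: int) -> dict:
    """Describe whether `data` looks like a complete, non-blank chip image.

    A failed read usually yields a file of the wrong length, a file of 0x00 bytes
    (the failure mode the article mentions) or a file of 0xFF bytes (erased NOR flash).
    """
    want = expected_size(last_address)
    distinct = set(data)
    blank = len(data) == 0 or distinct <= {0x00} or distinct <= {0xFF}
    # Share of 0x00/0xFF bytes; a high value means the image is mostly empty regions.
    filler = (data.count(b"\x00") + data.count(b"\xff")) / max(len(data), 1)
    return {
        "expected_size": want,
        "actual_size": len(data),
        "size_ok": len(data) == want,
        "blank": blank,
        "filler_ratio": round(filler, 3),
        "looks_valid": len(data) == want and not blank,
    }


def compare_reads(first: bytes, second: bytes, limit: int = 8) -> dict:
    """Compare two reads of the same chip; differing offsets point at an unstable connection."""
    length = min(len(first), len(second))
    diffs = [i for i in range(length) if first[i] != second[i]]
    return {
        "same_length": len(first) == len(second),
        "differing_bytes": len(diffs),
        "first_differences": [hex(i) for i in diffs[:limit]],
        "identical": len(first) == len(second) and not diffs,
    }


if __name__ == "__main__":
    # Usage: python check_dump.py dump.bin [dump2.bin]   (file names are assumptions)
    image = open(sys.argv[1], "rb").read()
    print(check_dump(image, MX25L1606E_LAST_ADDRESS))
    if len(sys.argv) > 2:
        print(compare_reads(image, open(sys.argv[2], "rb").read()))
```

Reading the chip twice and comparing the results costs two more minutes but catches the intermittent clip contact that a single read silently turns into corrupted bytes.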
Now it is binwalk's turn:
iot@attifyos ~> binwalk dump.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
5440 0x1540 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 85344 bytes
28570 0x6F9A Sercomm firmware signature, version control: 256, download control: 0, hardware ID: "AAZ", hardware version: 0x3200, firmware version: 0x6, starting code segment: 0x0, code size: 0x7310
142352 0x22C10 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 2764800 bytes
881324 0xD72AC LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3450 bytes
882534 0xD7766 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 10162 bytes
884943 0xD80CF LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 118270 bytes
917640 0xE0088 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11937 bytes
920834 0xE0D02 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2992 bytes
921709 0xE106D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 177 bytes
921863 0xE1107 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 116 bytes
921999 0xE118F LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 491 bytes
922337 0xE12E1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 718 bytes
922610 0xE13F2 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 20267 bytes
926110 0xE219E LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1196 bytes
926568 0xE2368 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 140 bytes
926729 0xE2409 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 708 bytes
927159 0xE25B7 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 17248 bytes
930471 0xE32A7 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 141 bytes
930632 0xE3348 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 543 bytes
930971 0xE349B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4166 bytes
932391 0xE3A27 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5883 bytes
933996 0xE406C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3257 bytes
935281 0xE4571 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 49 bytes
935337 0xE45A9 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7205 bytes
936048 0xE4870 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4716 bytes
937318 0xE4D66 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2506 bytes
937984 0xE5000 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7376 bytes
938892 0xE538C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2951 bytes
939613 0xE565D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7369 bytes
940273 0xE58F1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11312 bytes
942619 0xE621B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7671 bytes
944755 0xE6A73 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 300 bytes
945073 0xE6BB1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 99243 bytes
974918 0xEE046 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 89932 bytes
1006871 0xF5D17 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 55 bytes
1006939 0xF5D5B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1484 bytes
1007670 0xF6036 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11316 bytes
1008768 0xF6480 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6962 bytes
1010654 0xF6BDE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2723 bytes
1011701 0xF6FF5 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 9151 bytes
1013994 0xF78EA LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 13151 bytes
1016828 0xF83FC LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3592 bytes
1018079 0xF88DF LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 27452 bytes
1024437 0xFA1B5 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 711 bytes
1024870 0xFA366 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 71 bytes
1024953 0xFA3B9 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3861 bytes
1026104 0xFA838 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4303 bytes
1026844 0xFAB1C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11222 bytes
1029155 0xFB423 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2189 bytes
1030156 0xFB80C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 15453 bytes
1031493 0xFBD45 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 11326 bytes
1032515 0xFC143 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4244 bytes
1036593 0xFD131 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 15755 bytes
1040878 0xFE1EE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2695 bytes
1042083 0xFE6A3 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1956 bytes
1043986 0xFEE12 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6532 bytes
1045769 0xFF509 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 868 bytes
1046218 0xFF6CA LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2208 bytes
1047043 0xFFA03 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1010 bytes
1047474 0xFFBB2 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2793 bytes
1048685 0x10006D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1599 bytes
1049943 0x100557 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 49437 bytes
1055931 0x101CBB LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2276 bytes
1056907 0x10208B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 9850 bytes
1059309 0x1029ED LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 14359 bytes
1062254 0x10356E LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 115629 bytes
1096126 0x10B9BE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 142 bytes
1096289 0x10BA61 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2379 bytes
1097270 0x10BE36 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 9662 bytes
1099324 0x10C63C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8110 bytes
1100452 0x10CAA4 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 16599 bytes
1104501 0x10DA75 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 113073 bytes
1139633 0x1163B1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 1164 bytes
1140114 0x116592 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2749 bytes
1141269 0x116A15 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 992 bytes
1141593 0x116B59 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2386 bytes
1142645 0x116F75 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3389 bytes
1143726 0x1173AE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2593 bytes
1144845 0x11780D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 112854 bytes
1178716 0x11FC5C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 23875 bytes
1182332 0x120A7C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 19256 bytes
1186345 0x121A29 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 22772 bytes
1189511 0x122687 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 19897 bytes
1193861 0x123785 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5708 bytes
1195343 0x123D4F LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 118097 bytes
1230423 0x12C657 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2468 bytes
1231379 0x12CA13 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 122825 bytes
1264272 0x134A90 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 36 bytes
1264320 0x134AC0 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3331 bytes
1265332 0x134EB4 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 114489 bytes
1299549 0x13D45D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6837 bytes
1301387 0x13DB8B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 13110 bytes
1303991 0x13E5B7 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 119 bytes
1304130 0x13E642 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3482 bytes
1305418 0x13EB4A LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2803 bytes
1306588 0x13EFDC LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 88006 bytes
1337278 0x1467BE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6572 bytes
1339658 0x14710A LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2384 bytes
1342047 0x147A5F LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 141 bytes
1342210 0x147B02 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 73 bytes
1342295 0x147B57 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 856 bytes
1343170 0x147EC2 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 625 bytes
1343809 0x148141 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 183 bytes
1343969 0x1481E1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2619 bytes
1345099 0x14864B LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3389 bytes
1346055 0x148A07 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 12586 bytes
1347838 0x1490FE LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 118 bytes
1347975 0x149187 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 650 bytes
1348652 0x14942C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2791 bytes
1349331 0x1496D3 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 615 bytes
1349749 0x149875 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 13284 bytes
1352395 0x14A2CB LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 4897 bytes
1353804 0x14A84C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 34279 bytes
1358905 0x14BC39 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 113 bytes
1359036 0x14BCBC LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 37989 bytes
1365372 0x14D57C LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2509 bytes
1366497 0x14D9E1 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 2175 bytes
1367477 0x14DDB5 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7597 bytes
1369498 0x14E59A LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5214 bytes
1371175 0x14EC27 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 43 bytes
1371229 0x14EC5D LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 114 bytes
1371363 0x14ECE3 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 290 bytes
1371584 0x14EDC0 LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 929 bytes
From the “Sercomm firmware signature” line we can see a hardware ID of “AAZ”, which exactly matches the hardware ID printed on the board (Figure 16). We can now go on to analyze this firmware for vulnerabilities. Remember: if we can dump the firmware, we can also write custom firmware, including backdoors, to the flash chip.
Figure 16: Hardware ID
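The many “LZMA compressed data” lines above come from binwalk matching the 13-byte header of the LZMA “alone” container (one properties byte, a 32-bit dictionary size and a 64-bit uncompressed size, all little-endian) at every offset of the image. The Python script below is an added example, not binwalk's code or anything from the article: it decodes that header the same way (properties 0x5D unpacks to lc=3, lp=0, pb=2, the LZMA default), scans an image for plausible headers, and then tries to actually inflate each candidate so that false positives, which a byte-pattern scan over 2 MB produces plenty of, can be told apart from real streams. The sample image, its payload and the bare header mimicking the binwalk line at 0x1540 are constructed for the example; the plausibility limits (4 KiB to 64 MiB) are heuristics chosen here, not binwalk's.

```python
"""Find and decode LZMA 'alone' headers in a firmware image (added example)."""
import lzma
import struct

HEADER_FMT = "<BIQ"                        # properties, dictionary size, uncompressed size (little-endian)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 13 bytes
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF          # "size not stored; the stream ends with an end marker"
MAX_PLAUSIBLE = 64 * 1024 * 1024           # heuristic upper bound for dictionary and payload sizes


def parse_lzma_header(data: bytes, off: int = 0):
    """Decode the header at `off`; return a dict, or None if the bytes are not plausible."""
    if off + HEADER_LEN > len(data):
        return None
    props, dict_size, usize = struct.unpack_from(HEADER_FMT, data, off)
    # properties = (pb * 5 + lp) * 9 + lc with lc <= 8, lp <= 4, pb <= 4, so at most 224.
    if props > 224:
        return None
    lc, lp, pb = props % 9, (props // 9) % 5, props // 45
    # Encoders round the dictionary to a power of two; reject sizes outside 4 KiB..64 MiB.
    if dict_size < 4096 or dict_size > MAX_PLAUSIBLE or dict_size & (dict_size - 1):
        return None
    if usize != UNKNOWN_SIZE and not 0 < usize <= MAX_PLAUSIBLE:
        return None
    return {"props": props, "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            "uncompressed_size": None if usize == UNKNOWN_SIZE else usize}


def scan_for_lzma(data: bytes):
    """Return [(offset, header)] for every offset whose bytes parse as a plausible header."""
    hits = []
    for off in range(len(data) - HEADER_LEN + 1):
        if data[off] > 224:            # cheap pre-filter before the full parse
            continue
        hdr = parse_lzma_header(data, off)
        if hdr is not None:
            hits.append((off, hdr))
    return hits


def try_decompress(data: bytes, off: int):
    """Inflate the stream starting at `off`; return the payload, or None if it is not a real stream.

    LZMADecompressor is used directly because lzma.decompress() rejects the unrelated
    bytes that follow a stream embedded in a firmware image.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = dec.decompress(data[off:])
    except lzma.LZMAError:
        return None
    return out if dec.eof else None    # eof is only set once a complete stream was consumed


def build_sample_image() -> dict:
    """Constructed sample image: zero padding, one real .lzma stream produced by liblzma,
    0xFF padding, then a bare header copying the binwalk line at 0x1540 (props 0x5D,
    8388608-byte dictionary, 85344-byte uncompressed size) with no stream behind it."""
    payload = b"Constructed firmware payload for the added example.\n" * 200
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE)   # preset 6: props 0x5D, 8 MiB dict
    bare_header = struct.pack(HEADER_FMT, 0x5D, 8388608, 85344)
    image = b"\x00" * 0x100 + stream + b"\xff" * 0x80 + bare_header + b"\x00" * 32
    return {"image": image, "payload": payload, "stream_offset": 0x100,
            "header_offset": 0x100 + len(stream) + 0x80}


if __name__ == "__main__":
    sample = build_sample_image()
    for off, hdr in scan_for_lzma(sample["image"]):
        inflated = try_decompress(sample["image"], off)
        size = "unknown" if hdr["uncompressed_size"] is None else hdr["uncompressed_size"]
        print(f"0x{off:X}: props 0x{hdr['props']:02X} (lc={hdr['lc']} lp={hdr['lp']} pb={hdr['pb']}), "
              f"dict {hdr['dict_size']}, uncompressed {size}, "
              f"{'inflates OK' if inflated is not None else 'does not inflate'}")
```

The bare header parses cleanly yet fails to inflate, which is exactly the distinction to make before trusting a binwalk line: a plausible header is only a hint. Note also that the uncompressed-size field is filled in by some encoders (as in the listing above) but left as 0xFFFFFFFFFFFFFFFF, with an end marker closing the stream instead, by others such as liblzma; a parser has to accept both.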
If something goes wrong along the way, the two most likely causes are that the pins are not connected correctly, or (if they are connected correctly) that they are powering the SPI chip in a way that prevents the dump. The second case is quite common, and generally the best fix is to desolder the chip with hot air and dump the firmware from the chip on its own. As mentioned before, it is also worth checking the cable length to make sure the failure is not caused by cables that are too long.
Although dumping these devices can take a fair amount of time, it deepens our understanding of how they work. For example, by dumping the Belkin device's firmware we can analyze the web source files directly, which makes it much easier to identify and exploit remote vulnerabilities within the device.
By exploiting vulnerabilities in these kinds of devices, an attacker could create a backdoor inside a victim's router, reroute all network traffic, and steal credentials for banking, e-commerce and other accounts. Knowing where these vulnerabilities exist gives us the chance to fix them before they cause any serious damage.
In the next part of this series we will discuss JTAG and UART serial interfaces, how to access them, and what we can get from them.
Some tools that helped us dump this firmware successfully include:
SOIC Clip:https://www.amazon.com/gp/product/B07R5LPTYM/ref=ppx_yo_dt_b_asin_title_o04_s00?ie=UTF8&psc=1
A device for dumping firmware (Bus Pirate): https://www.amazon.com/SparkFun-PID-12942-Bus-Pirate/dp/B01KKYN9LW
Cables and clips: https://www.amazon.com/gp/product/B07R5LPTYM/ref=ppx_yo_dt_b_asin_title_o04_s00?ie=UTF8&psc=1
Additional useful wires: https://www.amazon.com/gp/product/B07PTYBFDT/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
The Bus Pirate is used to talk the SPI serial protocol so that it can dump the firmware for us. Other viable alternatives include the Shikra (https://int3.cc/products/the-shikra) and the Attify Badge (https://www.attify-store.com/products/attify-badge-uart-jtag-spi-i2c-pre-soldered-headers). Each tool, of course, has its own strengths and weaknesses. The Bus Pirate is already widely used and well documented, and in my opinion it is the easiest to use. The Shikra is considered more stable and faster than the Bus Pirate, but has less support. The Attify Badge, by comparison, is easier to set up, but its support is likewise limited. The Bus Pirate also offers a nice serial interface that makes it easy to talk to a device manually if you wish. Readers can choose according to their own preferences and circumstances.
Also, since the cables and clips are quite cheap and easy to obtain, I particularly recommend them: they have provided everything I have needed so far and grip the pins well.
Author: mssp299
This article was published by a SecPulse column author; please credit the source when reposting: https://www.secpulse.com/archives/150635.html