Hello!

Now you should have a nice working cable. Today we are going to get the message.

Dumping the flash

We can look into the chip memory using avrdude's interactive terminal mode (the -t switch):

$ sudo avrdude -c usbasp -p attiny2313 -t

avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e910a
avrdude> dump flash 0 512
>>> dump flash 0 512 
0000  12 c0 22 c0 21 c0 20 c0  1f c0 1e c0 1d c0 1c c0  |..".!. .........|
0010  1b c0 1a c0 19 c0 18 c0  17 c0 16 c0 15 c0 14 c0  |................|
0020  13 c0 12 c0 11 c0 11 24  1f be cf ed cd bf 10 e0  |.......$........|
0030  a0 e6 b0 e0 e8 e4 f1 e0  02 c0 05 90 0d 92 ac 38  |............ ..8|
0040  b1 07 d9 f7 3c d0 7e c0  db cf 18 ba 12 ba 98 b3  |....<.~.........|
0050  3a e2 38 27 43 2f 50 e0  30 fd 02 c0 80 e0 01 c0  |:.8'C/P.0.......|
0060  82 e0 89 2b 88 bb 28 b3  ca 01 96 95 87 95 81 70  |...+..(........p|
0070  82 2b 88 bb 92 b3 42 fd  02 c0 80 e0 01 c0 80 e4  |.+....B.........|
0080  89 2b 82 bb 92 b3 43 fd  02 c0 80 e0 01 c0 80 e2  |.+....C.........|
0090  89 2b 82 bb 82 b3 30 71  38 2b 32 bb 92 b3 45 fd  |.+....0q8+2...E.|
00a0  02 c0 80 e0 01 c0 88 e0  89 2b 82 bb 92 b3 46 fd  |.........+....F.|
00b0  02 c0 80 e0 01 c0 84 e0  89 2b 82 bb 08 95 cf 92  |.........+......|
00c0  df 92 ef 92 ff 92 1f 93  df 93 cf 93 cd b7 de b7  |................|
00d0  ab 97 0f b6 f8 94 de bf  0f be cd bf de 01 11 96  |................|
00e0  e0 e6 f0 e0 84 e1 01 90  0d 92 81 50 e1 f7 9b 81  |........ ..P....|
00f0  de 01 55 96 e4 e7 f0 e0  87 e1 01 90 0d 92 81 50  |..U......... ..P|
0100  e1 f7 8f ef 81 bb 87 bb  98 bb 90 e0 75 e1 c7 2e  |............u...|
0110  d1 2c cc 0e dd 1e 68 ec  e6 2e f1 2c 0a c0 95 df  |.,....h...., ...|
0120  80 e9 91 e0 f7 01 31 97  f1 f7 01 97 d9 f7 91 2f  |......1......../|
0130  9f 5f f6 01 e9 0f f1 1d  80 81 19 2f 90 e0 88 23  |._........./...#|
0140  c1 f3 ed cf f8 94 ff cf  4e 6f 74 68 69 6e 67 20  |........Nothing |
0150  74 68 65 72 65 20 4e 30  30 62 21 00 62 4f 46 46  |there N00b!.bOFF|
0160  45 0a 7d 45 58 46 4e 0a  4c 45 58 0a 64 6e 62 18  |E }EXFN LEX dnb.|
0170  61 1b 1b 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |a...............|
0180  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0190  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01b0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01c0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01d0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01e0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
01f0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|

avrdude>

We don't see any interesting string in the clear, so the message is probably obfuscated.

We are going to dump the flash to a file for backup purposes (the :i suffix asks avrdude for Intel HEX format):

$ sudo avrdude -c usbasp -p attiny2313 -n -U flash:r:dump.hex:i -v

avrdude: Version 5.10, compiled on Jun 29 2010 at 21:09:48
         Copyright (c) 2000-2005 Brian Dean, http://www.bdmicro.com/
         Copyright (c) 2007-2009 Joerg Wunsch

         System wide configuration file is "/etc/avrdude.conf"
         User configuration file is "/home/m_101/.avrduderc"
         User configuration file does not exist or is not a regular file, skipping

         Using Port                    : /dev/parport0
         Using Programmer              : usbasp
         AVR Part                      : ATtiny2313
         Chip Erase delay              : 9000 us
         PAGEL                         : PD4
         BS2                           : PD6
         RESET disposition             : possible i/o
         RETRY pulse                   : SCK
         serial program mode           : yes
         parallel program mode         : yes
         Timeout                       : 200
         StabDelay                     : 100
         CmdexeDelay                   : 25
         SyncLoops                     : 32
         ByteDelay                     : 0
         PollIndex                     : 3
         PollValue                     : 0x53
         Memory Detail                 :

                                  Block Poll               Page                       Polled
           Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
           ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
           eeprom        65     6     4    0 no        128    4      0  4000  4500 0xff 0xff
           flash         65     6    32    0 yes      2048   32     64  4500  4500 0xff 0xff
           signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00
           lock           0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
           lfuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
           hfuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
           efuse          0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
           calibration    0     0     0    0 no          2    0      0     0     0 0x00 0x00

         Programmer Type : usbasp
         Description     : USBasp, http://www.fischl.de/usbasp/

avrdude: auto set sck period (because given equals null)
avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e910a
avrdude: safemode: lfuse reads as 64
avrdude: safemode: hfuse reads as DF
avrdude: safemode: efuse reads as FF
avrdude: reading flash memory:

Reading | ################################################## | 100% 1.10s



avrdude: writing output file "dump.hex"

avrdude: safemode: lfuse reads as 64
avrdude: safemode: hfuse reads as DF
avrdude: safemode: efuse reads as FF
avrdude: safemode: Fuses OK

avrdude done.  Thank you.

Now we have dumped the flash.
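Rather than eyeballing the terminal dump, here is an added example (my code, not the post's) that parses the Intel HEX file avrdude writes with the :i format, rebuilds the 2 KB flash image and lists printable runs the way `strings` does. The three records are constructed from the bytes at 0x0148..0x0167 of the dump above; the 2048-byte size comes from the avrdude memory table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
static int hexbyte(const char *p) {                 /* two hex digits -> 0..255, or -1 */
    if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) return -1;
    char buf[3] = { p[0], p[1], 0 };
    return (int)strtol(buf, NULL, 16);
}
/* Parse one ":LLAAAATT<data>CC" record into image[], verifying the checksum.
   Returns the record's data length, 0 for the EOF record, -1 if malformed. */
int ihex_record(const char *line, unsigned char *image, size_t image_len) {
    if (line[0] != ':' || strlen(line) < 11) return -1;  /* the EOF record is the shortest */
    int len = hexbyte(line + 1), hi = hexbyte(line + 3), lo = hexbyte(line + 5), type = hexbyte(line + 7);
    if (len < 0 || hi < 0 || lo < 0 || type < 0 || strlen(line) < (size_t)(11 + 2 * len)) return -1;
    unsigned addr = (unsigned)hi << 8 | (unsigned)lo, sum = len + hi + lo + type;
    for (int i = 0; i <= len; i++) {                /* data bytes, then the checksum byte */
        int b = hexbyte(line + 9 + 2 * i);
        if (b < 0) return -1;
        sum += b;
        if (type == 0 && i < len && addr + i < image_len) image[addr + i] = (unsigned char)b;
    }
    if (sum & 0xff) return -1;                      /* everything incl. checksum sums to 0 mod 256 */
    return type == 1 ? 0 : len;
}
/* Print runs of at least min_len printable bytes (what `strings` does); returns their count. */
int find_strings(const unsigned char *image, size_t n, int min_len) {
    int found = 0; size_t start = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && isprint(image[i])) continue;
        if (i - start >= (size_t)min_len) {
            printf("%04zx  %.*s\n", start, (int)(i - start), (const char *)image + start);
            found++;
        }
        start = i + 1;
    }
    return found;
}
/* Constructed input: bytes 0x0148..0x0167 of the dump above, re-encoded as Intel HEX records. */
static const char *DUMP_RECORDS[] = { ":100148004e6f7468696e67207468657265204e30fa",
                                      ":1001580030622100624f4646450a7d4558464e0aa0", ":00000001FF" };
int demo(void) {                                    /* ATtiny2313 flash is 2048 bytes; erased cells read 0xff */
    static unsigned char image[2048];
    memset(image, 0xff, sizeof image);
    for (size_t i = 0; i < sizeof DUMP_RECORDS / sizeof *DUMP_RECORDS; i++)
        if (ihex_record(DUMP_RECORDS[i], image, sizeof image) < 0) return -1;
    return find_strings(image, sizeof image, 4);   /* 3: "Nothing there N00b!", "bOFFE", "}EXFN" */
}
int main(void) { return demo() != 3; }
```

Feed it the lines of dump.hex instead of DUMP_RECORDS to scan the real image; a record whose checksum does not match is rejected rather than silently loaded.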

Getting the message

In the firmware dumped above we can see the following strings:

  • “Nothing there N00b!”
  • “bOFFE }EXFN LEX dnb\x18a\x1b\x1b”

I wrote a quick hack to check whether one of the "usual" obfuscation schemes, such as caesar or XOR, had been used:

// @author  : m_101
// @license : beerware
// @year    : 2011
// @program : "Bruteforce" caesar and XOR
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

// caesar: a plain byte shift, the rotating variant is left commented out
char *caesar (char *str, const int len, const unsigned int key) {
    int idxStr, c;
    char *cryptext;

    // allocate cryptext, one extra byte so the result is NUL-terminated for printf
    cryptext = calloc(len + 1, sizeof(*cryptext));
    if (!cryptext)
        return NULL;

    for (idxStr = 0; idxStr < len; idxStr++) {
        /*
        if (!isalpha(str[idxStr])) {
            free(cryptext);
            return NULL;
        }
        //*/
        c = toupper((unsigned char) str[idxStr]) + key;
        /*
        if (c > 'Z')
            c -= 26;
        else if (c < 'A')
            c += 26;
        //*/
        cryptext[idxStr] = c;
    }

    return cryptext;
}

#define BUFSIZE     1024

// try every shift from 1 to 255 and print each candidate
void bf_caesar (char *str, const int len) {
    int key;
    char *cryptext;
    //
    char filename[BUFSIZE];
    FILE *fp = NULL;

    if (!str || !len) {
        printf("Bad string\n");
        return;
    }

    if (strlen(str) != (size_t) len) {
        printf("Bad length\n");
        return;
    }

    for (key = 1; key <= 255; key++) {
        cryptext = caesar(str, len, key);
        if (cryptext) {
            // generate filename
            snprintf(filename, BUFSIZE, "%s-%02d", "caesar", key);
            // write to file
            /*
            fp = fopen(filename, "w");
            if (fp) {
                fwrite(cryptext, sizeof(*cryptext), len, fp);
                fclose(fp);
            }
            //*/

            // print to console
            printf("%02d : %s\n\n", key,  cryptext);
            free(cryptext);
        }
    }
}

// try every single-byte XOR key from 1 to 255 and print each candidate
void bf_xor (char *str, const int len) {
    int key;
    int c;
    int idxStr;
    //
    char filename[BUFSIZE];
    FILE *fp = NULL;

    if (!str || !len) {
        printf("Bad string\n");
        return;
    }

    if (strlen(str) != (size_t) len) {
        printf("Bad length\n");
        return;
    }

    for (key = 1; key <= 255; key++) {
        printf("%02d : ", key);
        // generate filename
        snprintf(filename, BUFSIZE, "%s-%02d", "xor", key);
        // fp = fopen(filename, "w");
        for (idxStr = 0; idxStr < len; idxStr++) {
            c = str[idxStr] ^ key;
            putchar(c);
            // write to file
            /*
            if (fp)
                fwrite(&c, sizeof(*str), 1, fp);
            //*/
        }
        putchar('\n');

        if (fp)
            fclose(fp);
    }
}

int main (int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s str\n", argv[0]);
        return 1;
    }

    printf("Bruteforce Caesar:\n");
    bf_caesar(argv[1], strlen(argv[1]));

    printf("\nBruteforce XOR:\n");
    bf_xor(argv[1], strlen(argv[1]));

    return 0;
}

As you can see, for caesar I did not bother with the usual rotating scheme but used a stupid and simple byte shift.

I managed to get 2 messages:

Hello\nWorld\nFor\nNDH
hELLO*wORLD*FOR*ndh

Done.
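An added example (my code, not the post's program) that runs the same 255-key XOR and shift brute force but ranks the candidates with a crude printable/English score instead of printing all of them for manual reading. It works on the raw flash bytes from 0x015c (with the 0x0a separators the ASCII column showed as spaces), so the XOR winner separates words with spaces where the post, which typed the spaces, got newlines; the score weights are my own heuristic.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* The 19 obfuscated bytes at 0x015c..0x016e of the dump above (constructed here from
   the hex column; the three 0x0a bytes are what the ASCII column rendered as spaces). */
static const unsigned char BLOB[] = { 0x62,0x4f,0x46,0x46,0x45,0x0a,0x7d,0x45,0x58,0x46,
                                      0x4e,0x0a,0x4c,0x45,0x58,0x0a,0x64,0x6e,0x62 };
static unsigned char PLAIN[sizeof BLOB + 1];        /* best candidate, NUL-terminated */

/* Crude English-likeness score: space and lowercase count 2, uppercase 1, other printable 0;
   a single non-printable byte disqualifies the candidate (-1). */
int score_text(const unsigned char *buf, size_t n) {
    int score = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isprint(buf[i])) return -1;
        if (buf[i] == ' ' || islower(buf[i])) score += 2;
        else if (isupper(buf[i])) score += 1;
    }
    return score;
}

/* mode 0: XOR every byte with key; mode 1: plain byte shift, the post's non-rotating caesar. */
void apply_key(const unsigned char *in, unsigned char *out, size_t n, int key, int mode) {
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(mode ? in[i] - key : in[i] ^ key);
}

/* Try all 255 single-byte keys, keep the best-scoring plaintext in out[] (NUL-terminated).
   Returns the winning key, or -1 when no key gives fully printable text. */
int best_key(const unsigned char *in, size_t n, int mode, unsigned char *out) {
    unsigned char buf[256];
    int best = -1, best_score = -1;
    if (n >= sizeof buf) return -1;
    for (int key = 1; key <= 255; key++) {
        apply_key(in, buf, n, key, mode);
        int s = score_text(buf, n);
        if (s > best_score) { best_score = s; best = key; memcpy(out, buf, n); }
    }
    out[best < 0 ? 0 : n] = 0;
    return best;
}
int solve(int mode) { return best_key(BLOB, sizeof BLOB, mode, PLAIN); }
int main(void) {
    int key = solve(0);                              /* expect key 0x2a, "Hello World for NDH" */
    printf("xor   : key 0x%02x -> \"%s\"\n", key, (char *)PLAIN);
    key = solve(1);                                  /* expect -1: no shift gives readable text */
    printf("shift : key %d -> \"%s\"\n", key, (char *)PLAIN);
    return 0;
}
```

The shift mode returns -1 because the 0x0a and 0x7d bytes can never both land in the printable range under one shift, which is the automated form of the post's finding that caesar gave nothing.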

There was another way to get the message: using a video camera to capture the LED sequence and decoding it manually or with image processing techniques. I did not want to do that, so I did not … have fun, courageous ones ;).

You could also use IDA Pro (or any compatible disassembler) to reverse the assembly code of the dumped firmware. I did not want to spend too much time on it, so I skipped it. If you want to do it, here is the documentation: AVR 8-bit Instruction Set.

Next I will show you an example of programming the chip.

Cheers,

m_101

Resources