Practical Reverse Engineering Part 4: Dumping the Flash
To follow up on my last post about SWD and hardware debugging, I wanted to do a deep dive into JTAG from a reverse-engineering perspective. The previous post received a lot of great feedback and it seems that people are interested in this topic, so I wanted to continue the series and expand upon another hardware debugging mechanism. For those who are unfamiliar, JTAG is a hardware-level debugging mechanism that many embedded CPUs utilize. With this post I hope to explain how to approach JTAG from a reverse engineer's perspective and provide some practical examples along the way.
This was quite a long post; realistically it probably should have been broken up into 2-3 parts. With this post, we learned how JTAG functions at a low level, as well as how to approach JTAG as a reverse engineer. We were also able to get JTAG access to an undocumented target, extract memory, and single-step through the running firmware. There are lots of things left to do here, like determining whether the flash chips themselves can be dumped via JTAG, and reverse engineering the firmware to look for interesting ways to recover data from the drive (I recently discovered that lots of cool work has been done here already!). As always, if you have any questions or comments, please feel free to reach out on Twitter.
The software-based approach for dumping the SPI flash is quite complex and revolves around manipulating these registers in well-defined ways. Essentially, 3 registers play a major role in the process:
After some quick Googling, we determine that the chip labeled with part number MX25L12835F is the flash chip containing the firmware for the device. The documentation also indicates that this is an SPI (Serial Peripheral Interface) chip. SPI is nothing more than a protocol for communications in an embedded system. SPI allows for fast, synchronous, serial communications between different components on a board, and each pin serves a different purpose for SPI communications. You can learn a lot about SPI and how it works here.
For the sake of being as hardware-oriented as possible, I went with the method of dumping the SPI flash memory via the Bus Pirate without desoldering the chip. I wanted to take a non-invasive approach such that my analysis might not be discovered (no physical modifications) by the naked eye. For this method, I purchased a Bus Pirate from Dangerous Prototypes and an SOIC8/SOP8 test clip (these stand for different types of chip packages, meaning small outline integrated circuit and small outline package). This particular flash chip fit perfectly with my 8-pin test clip, which was used to make a connection without removing the chip from the board. I then correctly wired the chip with respect to the Bus Pirate ports, following the datasheet and pinout of the chip, as seen in Figure 5.
The problem with this is that, at times, voltage injection may occur and wake up other chips on the board. This means that other chips will communicate with our flash chip, interrupting our flash dumping process. This is why it is generally recommended to desolder the chip with a rework station and read the contents of the chip with a programmer. Thankfully, we were lucky and this was not the case. To dump the entire 16777232 bytes (exactly 16MB) worth of content from the flash chip, I utilized a tool called flashrom, which works well with the Bus Pirate device to extract the flash memory in full, as seen in Figure 8.
Within this directory, we can now take off our hardware reverse engineering hat and put on our software reverse engineering hat and begin looking for interesting items such as encryption keys used to sign WeMo device firmware, hashed root passwords, interesting services that may start on boot, etc.
A second action is to protect the bootloader by storing it in protected storage or a SoC, or to require the SoC to communicate with an authentication chip during the boot process. The problem with implementing the bootloader on an unprotected flash chip is that it can be manipulated by disabling the CRC checks in place when decompressing the firmware image on boot and overwriting the image with a malicious one. If the bootloader must be stored on the flash chip, it could be included in OTP (One-Time Programmable) memory, disallowing this area to be written by a third party.
In the first installment of our three-part blog series here we learned how to root the Flashforge Finder 3D printer and acquire its firmware. In this post, we will delve into reverse engineering and patching the software using the new open source NSA tool Ghidra, which rivals its expensive competitors such as IDA Pro in value and ease of use.
Now that we know what protocol is used, I can write my own implementation in Python. This GitHub repository contains all the code used in this project in case you also have an ECU on your desk and want to play along at home. I implemented the TP 2.0 transport layer and some useful KWP2000 services. This will be used in further parts to do some more diagnostics and eventually reflash the ECU.
Reverse osmosis (RO) is a water purification process that uses a partially permeable membrane to separate ions, unwanted molecules and larger particles from drinking water. In reverse osmosis, an applied pressure is used to overcome osmotic pressure, a colligative property that is driven by chemical potential differences of the solvent, a thermodynamic parameter. Reverse osmosis can remove many types of dissolved and suspended chemical species as well as biological ones (principally bacteria) from water, and is used in both industrial processes and the production of potable water. The result is that the solute is retained on the pressurized side of the membrane and the pure solvent is allowed to pass to the other side. To be "selective", this membrane should not allow large molecules or ions through the pores (holes), but should allow smaller components of the solution (such as solvent molecules, e.g., water, H2O) to pass freely.[1]
A process of osmosis through semipermeable membranes was first observed in 1748 by Jean-Antoine Nollet. For the following 200 years, osmosis was only a phenomenon observed in the laboratory. In 1950, the University of California at Los Angeles first investigated desalination of seawater using semipermeable membranes. Researchers from both University of California at Los Angeles and the University of Florida successfully produced fresh water from seawater in the mid-1950s, but the flux was too low to be commercially viable[4] until the discovery at University of California at Los Angeles by Sidney Loeb and Srinivasa Sourirajan[5] at the National Research Council of Canada, Ottawa, of techniques for making asymmetric membranes characterized by an effectively thin "skin" layer supported atop a highly porous and much thicker substrate region of the membrane. John Cadotte, of Filmtec corporation, discovered that membranes with particularly high flux and low salt passage could be made by interfacial polymerization of m-phenylene diamine and trimesoyl chloride. Cadotte's patent on this process[6] was the subject of litigation and has since expired. Almost all commercial reverse-osmosis membrane is now made by this method. By 2019, there were approximately 16,000 desalination plants operating around the world, producing around 95 million cubic metres per day (25 billion US gallons per day) of desalinated water for human use. Around half of this capacity was in the Middle East and North Africa region.[7]
Membrane pore sizes can vary from 0.1 to 5,000 nm depending on filter type. Particle filtration removes particles of 1 µm or larger. Microfiltration removes particles of 50 nm or larger. Ultrafiltration removes particles of roughly 3 nm or larger. Nanofiltration removes particles of 1 nm or larger. Reverse osmosis is in the final category of membrane filtration, hyperfiltration, and removes particles larger than 0.1 nm.[12] For the purposes of household water filtration when there is no need to remove excessive dissolved minerals (soften water), the alternative to reverse osmosis filtration is an activated carbon filter with a microfiltration membrane.
Each branch of the United States armed forces has its own series of reverse osmosis water purification unit models, but they are all similar. The water is pumped from its raw source into the reverse osmosis water purification unit module, where it is treated with a polymer to initiate coagulation. Next, it is run through a multi-media filter where it undergoes primary treatment by removing turbidity. It is then pumped through a cartridge filter which is usually spiral-wound cotton. This process clarifies the water of any particles larger than 5 µm and eliminates almost all turbidity.
In 2002, Singapore announced that a process named NEWater would be a significant part of its future water plans. It involves using reverse osmosis to treat domestic wastewater before discharging the NEWater back into the reservoirs.
Sea-water reverse-osmosis (SWRO) desalination, a membrane process, has been commercially used since the early 1970s. Its first practical use was demonstrated by Sidney Loeb from University of California at Los Angeles in Coalinga, California, and Srinivasa Sourirajan of National Research Council, Canada. Because no heating or phase changes are needed, energy requirements are low, around 3 kWh/m3, in comparison to other processes of desalination, but are still much higher than those required for other forms of water supply, including reverse osmosis treatment of wastewater, at 0.1 to 1 kWh/m3. Up to 50% of the seawater input can be recovered as fresh water, though lower recoveries may reduce membrane fouling and energy consumption.
Household reverse-osmosis units use a lot of water because they have low back pressure. Earlier units recovered only 5 to 15% of the water entering the system. However, the latest RO water purifiers can recover 40 to 55% of the water. The remainder is discharged as wastewater. Because wastewater carries with it the rejected contaminants, methods to recover this water are not practical for household systems. Wastewater is typically connected to the house drains and will add to the load on the household septic system. A reverse-osmosis unit delivering 20 liters (5.3 U.S. gal) of treated water per day may discharge between 50 and 80 liters (13 and 21 U.S. gal) of wastewater daily. For this reason, the National Green Tribunal of India proposed to ban RO water purification systems in areas where the total dissolved solids (TDS) measure in water is less than 500 mg/liter.[29] This has a disastrous consequence for mega cities like Delhi, where large-scale use of household RO devices has increased the total water demand of the already water-parched National Capital Territory of India.[30]