Dissecting the Teddy Ruxpin: Reverse Engineering the Smart ... (DEF CON 26)
TRANSCRIPT
Bio
• @Zenofex
– Security researcher at Cylance
– Founding member of Exploitee.rs
– Contributing member of Austin Hackers
http://Defcon26.Exploitee.rs/
Exploitee.rs
• We hack things
– Check out our network of websites for more embedded device research.
• https://Exploitee.rs
• And me!
Team: AgentHH, CJ_000, Cody, Gynophage, Maximus64, [mbm], Saurik, Tdweng, x00String
Disclaimer
All of the data within this presentation was reverse engineered by reviewing the hardware and software within the Teddy Ruxpin and a lot of trial and error.
The output of these attempts is the content of this presentation and may vary from the manufacturer's documentation.
The OG Illiop
– Released in 1985
– Original used cassette tapes and physical books
– Hardware consisted of
• Moving eyes
• Moving mouth
• Speaker
– Best selling toy of 1985, 1986
The New Illiop
– Animated eyes
– Moving mouth
– Speaker
– BLE
– USB mass storage
• Pivoted off an internal uSD card
– Companion mobile app
MYN822 BLE
nRF51822 based module
– 14 pads connected
• VDD
• 2x GND
• GPIO 0, 1, 2, 3, 5, 8, 10, 21, 22
• SWDIO
• SWDCLK
Dumping Firmware w/ SWD
Using the MYN822 BLE pin-out and SWD, the nRF51822 flash and RAM can be dumped with OpenOCD or another SWD-compatible utility.
BLE Info
• Commands
– AA0403000100F8 - NEXT STORY
– AA020600F8 - NEXT PAGE
– AA020500F9 - PAUSE
– AA020400FA - RESUME
– AA020100FD - List Books
– AA020C00F2 - ENTER IN-APP MODE
– AA020D00F1 - EXIT IN-APP MODE
– AA021200EC - RESET PURCHASES
• Jump to book commands
– AA03110001EB
– AA03110002EA
– AA03110003E9
– AA03110004E8
– AA03110005E7
– AA03110006E6
– AA03110007E5
– AA03110008E4
– AA03110009E3
– AA0311000AE2
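The slide only lists raw bytes. The following is an added example, not code from the talk or from Exploitee.rs: it builds and validates frames using a framing that is inferred from the listed commands (start byte AA, a length byte, the payload, and a checksum that makes the length, payload and checksum bytes sum to zero mod 256). That framing is an assumption, but every command on the slide satisfies it, and the script checks exactly that.

```python
"""Build and check Teddy Ruxpin BLE command frames.

Added example, not code from the talk. The framing below is inferred from
the slide's command bytes (assumption, verified against every listed one):

    AA | len | payload (len bytes) | cksum

with cksum chosen so that len + payload bytes + cksum == 0 (mod 256).
"""

START = 0xAA

# Commands exactly as listed on the slide (hex strings copied from it).
SLIDE_COMMANDS = {
    "NEXT STORY": "AA0403000100F8",
    "NEXT PAGE": "AA020600F8",
    "PAUSE": "AA020500F9",
    "RESUME": "AA020400FA",
    "LIST BOOKS": "AA020100FD",
    "ENTER IN-APP MODE": "AA020C00F2",
    "EXIT IN-APP MODE": "AA020D00F1",
    "RESET PURCHASES": "AA021200EC",
}


def checksum(body: bytes) -> int:
    """Two's-complement checksum over the len byte plus payload."""
    return (-sum(body)) & 0xFF


def build_frame(payload: bytes) -> bytes:
    """Wrap a payload in the AA / len / payload / cksum frame."""
    if not 0 < len(payload) < 0x100:
        raise ValueError("payload length must fit in one byte")
    body = bytes([len(payload)]) + payload
    return bytes([START]) + body + bytes([checksum(body)])


def parse_frame(frame: bytes) -> bytes:
    """Validate a frame and return its payload; raise ValueError if malformed."""
    if len(frame) < 4 or frame[0] != START:
        raise ValueError("missing AA start byte")
    length = frame[1]
    if len(frame) != length + 3:
        raise ValueError("length byte does not match frame size")
    if sum(frame[1:]) & 0xFF != 0:
        raise ValueError("bad checksum")
    return frame[2:-1]


def jump_to_book(book: int) -> bytes:
    """Jump-to-book frame; payload 11 00 <book> reproduces the slide's AA0311.. list."""
    if not 1 <= book <= 0xFF:
        raise ValueError("book number out of range")
    return build_frame(bytes([0x11, 0x00, book]))


def verify_slide_commands() -> dict:
    """Parse each slide command and rebuild it; True when the frame round-trips."""
    results = {}
    for name, hexstr in SLIDE_COMMANDS.items():
        frame = bytes.fromhex(hexstr)
        try:
            results[name] = build_frame(parse_frame(frame)) == frame
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in verify_slide_commands().items():
        print(f"{name:18s} {'ok' if ok else 'MISMATCH'}")
    for book in range(1, 11):
        print(f"jump to book {book:2d}: {jump_to_book(book).hex().upper()}")
```

Run it directly to print the round-trip result for each slide command and regenerate the ten jump-to-book frames; parse_frame is the piece to reuse when sniffing the BLE characteristic writes from the companion app.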
• UUIDs (table not reproduced)
Firmware
• Firmware dumped with SWD can be examined in IDA
– Flash size: 0x20000 (128 KB)
– RAM: 0x4000 (16 KB)
– Settings:
• Create RAM section
• RAM start: 0x20000000
• RAM size: 0x4000
• Load address: 0x1c000
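Before trusting a load address in IDA it is worth confirming it from the dump itself. The script below is an added example (not from the talk): it scans a raw flash image for Cortex-M vector tables, whose first word is the initial stack pointer (somewhere in RAM) and whose following words are odd Thumb handler addresses inside flash. Memory map values are the slide's (flash 0x20000 bytes from 0x0, RAM 0x4000 bytes at 0x20000000); the 1 KB scan step and the synthetic dump built at the bottom are assumptions of the example, not data from the bear.

```python
"""Find Cortex-M vector tables in a raw nRF51822 flash dump.

Added example, not from the talk. A vector table starts with the initial
stack pointer (a word in RAM) followed by Reset, NMI and HardFault handlers
(odd Thumb addresses in flash), so scanning for that shape lists every
image in the dump, e.g. a SoftDevice at 0x0 and the application at its
base. Memory map from the slide; the sample dump below is synthetic.
"""
import struct

FLASH_BASE = 0x00000000
FLASH_SIZE = 0x20000
RAM_BASE = 0x20000000
RAM_SIZE = 0x4000
PAGE = 0x400  # nRF51 flash page size; images assumed to start on a page boundary


def _thumb_in_flash(addr: int, lowest: int) -> bool:
    """Odd (Thumb) address whose code lies in flash at or above `lowest`."""
    return addr & 1 == 1 and lowest <= (addr & ~1) < FLASH_BASE + FLASH_SIZE


def is_vector_table(blob: bytes, off: int) -> bool:
    """True when blob[off:] looks like a Cortex-M vector table."""
    if off + 16 > len(blob):
        return False
    sp, reset, nmi, hardfault = struct.unpack_from("<4I", blob, off)
    if sp % 4 or not RAM_BASE < sp <= RAM_BASE + RAM_SIZE:
        return False
    base = FLASH_BASE + off
    # Reset, NMI and HardFault must all point at code in flash after the table.
    return all(_thumb_in_flash(h, base) for h in (reset, nmi, hardfault))


def find_vector_tables(blob: bytes, step: int = PAGE) -> list:
    """Flash offsets of every candidate vector table, scanning on page boundaries."""
    return [off for off in range(0, len(blob), step) if is_vector_table(blob, off)]


def make_sample_dump() -> bytes:
    """Synthetic 128 KB dump: one image at 0x0 and an application at 0x1c000."""
    dump = bytearray(b"\xff" * FLASH_SIZE)  # erased flash reads as 0xFF

    def table(base: int) -> bytes:
        sp = RAM_BASE + RAM_SIZE  # stack grows down from the top of RAM
        handlers = [base + 0x40 + 1, base + 0x50 + 1, base + 0x60 + 1]  # Thumb bit set
        return struct.pack("<4I", sp, *handlers)

    dump[0:16] = table(0x0)
    dump[0x1C000:0x1C000 + 16] = table(0x1C000)
    return bytes(dump)


if __name__ == "__main__":
    for off in find_vector_tables(make_sample_dump()):
        print(f"vector table at 0x{off:05x}")
```

On a real dump, replace make_sample_dump() with the bytes read from the OpenOCD output file; an application table at 0x1c000 is what the slide's load address setting expects.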
Teddy Ruxpin Books
• 12 files
– Intro.bin
– Idle.bin
– 10x Story##.bin files
• Files are a proprietary package called "SNXROM"
• Target exclusive edition contains 2 extra stories.
SNXROM
• Files consist of
– SNXROM wide-char magic string
– Header
• Record start
• Record end
• Table ends with 0xFFFF
– Record data
• Raw image data is stored first
• Audio starts with "AU"
Video Frames
• Video is 128x128 RGB565 frames
• Frame record count is then split between left and right eyes
• GIMP raw data import works great for finding images in blobs of data
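The GIMP raw import is the quick way to eyeball frames; once the pixel format is known a script does the same carving repeatably. This is an added example (not the talk's tooling): it decodes 128x128 RGB565 frames to RGB888, wraps them as PPM files that GIMP opens directly, and splits a run of frame records between the two eyes. Assumptions beyond the slide: 16-bit little-endian pixels, frames packed back to back, and the first half of the frames belonging to the left eye and the second half to the right. The blob it processes is constructed, not data from a story file.

```python
"""Carve 128x128 RGB565 frames out of an SNXROM record blob and emit PPM images.

Added example, not the talk's code. Assumptions: little-endian pixels,
back-to-back frames, first half of the frames = left eye, second = right.
"""
import struct

WIDTH = HEIGHT = 128
FRAME_BYTES = WIDTH * HEIGHT * 2


def rgb565_to_rgb888(pixel: int) -> tuple:
    """Expand a 5-6-5 packed pixel to 8-bit-per-channel RGB."""
    r = (pixel >> 11) & 0x1F
    g = (pixel >> 5) & 0x3F
    b = pixel & 0x1F
    return (r * 255 // 31, g * 255 // 63, b * 255 // 31)


def decode_frame(raw: bytes) -> bytes:
    """Convert one raw RGB565 frame to packed RGB888 bytes (WIDTH*HEIGHT*3)."""
    if len(raw) != FRAME_BYTES:
        raise ValueError(f"frame must be {FRAME_BYTES} bytes, got {len(raw)}")
    pixels = struct.unpack(f"<{WIDTH * HEIGHT}H", raw)
    out = bytearray()
    for p in pixels:
        out.extend(rgb565_to_rgb888(p))
    return bytes(out)


def to_ppm(rgb888: bytes) -> bytes:
    """Wrap RGB888 pixel data in a binary PPM (P6) header."""
    return f"P6\n{WIDTH} {HEIGHT}\n255\n".encode() + rgb888


def split_eyes(blob: bytes, frame_count: int) -> tuple:
    """Slice `frame_count` packed frames; first half left eye, second half right."""
    if len(blob) < frame_count * FRAME_BYTES:
        raise ValueError("blob too short for that many frames")
    frames = [blob[i * FRAME_BYTES:(i + 1) * FRAME_BYTES] for i in range(frame_count)]
    half = frame_count // 2
    return frames[:half], frames[half:]


def solid_frame(pixel: int) -> bytes:
    """Constructed test frame filled with one RGB565 value."""
    return struct.pack("<H", pixel) * (WIDTH * HEIGHT)


if __name__ == "__main__":
    # Constructed blob: two red frames (left eye) then two blue frames (right eye).
    blob = solid_frame(0xF800) * 2 + solid_frame(0x001F) * 2
    left, right = split_eyes(blob, 4)
    for eye, frames in (("left", left), ("right", right)):
        for i, frame in enumerate(frames):
            with open(f"{eye}_{i}.ppm", "wb") as fh:
                fh.write(to_ppm(decode_frame(frame)))
```

If the carved images come out with swapped red and blue, the pixel byte order assumption is wrong; change the "<" in the unpack format to ">" and re-run.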
Audio32
• Sonix proprietary file format used for audio data and mouth/eye synchronization on the Teddy Ruxpin
• Consists of:
– Mark table
– Silence table
– Audio data
– Single channel audio
AU32 Header Structure
• Header
– "AU" (2 bytes)
– Unknown constant value (2 bytes)
– Sample rate (2 bytes)
– Channels (always 1) (2 bytes)
– Unknown value (4 bytes)
– Unknown value (4 bytes)
– Enable mark table
– Enable silence table
– Unknown value (4 bytes)
– Mark table data
– Silence table data
– Audio data
Au32 Data Structure
• After the header
– Mark table
• Position (2-4 bytes) – If the first bytes are 0x8000 a second value is read and appended to the first bytes
• Value (2 bytes)
– Silence table
• 0x0 in all TR audio files
– Audio data
• 16-bit signed little endian
Mark Table
• The mark table is used to create synchronized mouth movements within the audio and video frames
• Different mark labels are used to signify how much TR's mouth should move or what image to display
– 0 – Closed
– 1 – Half open
– 2 – Full open
• Anything with a higher value is used to reference video frames
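Putting the Au32 data structure slide and the mark table slide together, here is an added example (not the talk's tool) that decodes a mark table into a timeline and re-encodes it. Layout follows the slides: a 2-byte position, or 4 bytes when the first two bytes are the escape 0x8000, then a 2-byte value where 0/1/2 drive the mouth and higher values reference a video frame. Everything else is an assumption of the example: little-endian words, an entry count taken from the header, the escape meaning "the real 16-bit position follows" (one reading of "appended to the first bytes"), and positions being sample indices at the 16 kHz rate given later. The table it decodes is constructed.

```python
"""Decode (and re-encode) an Au32 mark table into a mouth/frame timeline.

Added example, not from the talk. Entry: position (2 bytes, or 0x8000
escape + 2 more bytes) followed by a 2-byte value. Assumptions: little-
endian words, known entry count, escape = "16-bit position follows",
positions are sample indices at 16 kHz. Sample table below is constructed.
"""
import struct

ESCAPE = 0x8000
SAMPLE_RATE = 16000
MOUTH = {0: "mouth closed", 1: "mouth half open", 2: "mouth full open"}


def read_position(data: bytes, off: int) -> tuple:
    """Return (position, next_offset), handling the 0x8000 escape."""
    (first,) = struct.unpack_from("<H", data, off)
    if first != ESCAPE:
        return first, off + 2
    (second,) = struct.unpack_from("<H", data, off + 2)  # appended word
    return second, off + 4


def parse_mark_table(data: bytes, count: int, off: int = 0) -> tuple:
    """Parse `count` entries from `off`; returns ([(position, value), ...], end_offset)."""
    entries = []
    for _ in range(count):
        pos, off = read_position(data, off)
        (value,) = struct.unpack_from("<H", data, off)
        off += 2
        entries.append((pos, value))
    return entries, off


def encode_mark_table(entries) -> bytes:
    """Inverse of parse_mark_table under the same escape assumption."""
    out = bytearray()
    for pos, value in entries:
        if pos < ESCAPE:
            out += struct.pack("<H", pos)
        elif pos <= 0xFFFF:
            out += struct.pack("<HH", ESCAPE, pos)
        else:
            raise ValueError("position does not fit the 16-bit escape form")
        out += struct.pack("<H", value)
    return bytes(out)


def describe(entries) -> list:
    """Turn entries into (sample, seconds, action) rows for a human-readable timeline."""
    rows = []
    for pos, value in entries:
        action = MOUTH.get(value, f"show video frame ref {value}")
        rows.append((pos, round(pos / SAMPLE_RATE, 4), action))
    return rows


# Constructed table: three mouth marks, one escaped position, one frame reference.
SAMPLE_ENTRIES = [(0, 0), (1600, 1), (3200, 2), (0x9000, 0), (0xA000, 7)]
SAMPLE_TABLE = encode_mark_table(SAMPLE_ENTRIES)

if __name__ == "__main__":
    entries, end = parse_mark_table(SAMPLE_TABLE, len(SAMPLE_ENTRIES))
    for pos, secs, action in describe(entries):
        print(f"sample {pos:6d} ({secs:7.4f} s): {action}")
    print(f"table occupies {end} bytes")
```

When pointed at a real story file, feed parse_mark_table the bytes right after the header and check that the end offset lands where the silence table (all zero in the tested files) begins; if it does not, the escape reading or the word order above is the first thing to revisit.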
Silence Table
• The silence table is used to compress audio by removing empty sections, then referencing position and length in the table
• The silence table has been unused in all tested TR files
Audio Data
• Signed 16-bit LE data stored after the mark table and silence detection table
• Supported sample rate:
– 16 kHz
• Supported bitrates:
– 16 Kbps
– 20 Kbps
– 24 Kbps
– 28 Kbps
– 32 Kbps