PoC or GTFO, Volume 2, Page 37

by Manul Laphroaig


  Additionally, we need the 128kB of RAM at 0x20000000 and 64kB of TCRAM at 0x10000000 that the firmware expects on this platform. Since we’d like to have initialized variables, it’s usually better to go with dumps of live memory from a running system, but /dev/zero works for many functions if you’re in a rush.

  Symbol Imports

  Now that we’ve got the code loaded, calling it is as simple as calling any other function, except that our C program doesn’t yet know the symbol addresses. There are two ways around this.

  The quick but dirty solution is to simply cast a data or function pointer. For a concrete example, there is a null function at 0x08098e14 that simply returns without doing anything. Because it’s a Thumb function and not an ARM function, we’ll have to add one to that address before calling it at 0x08098e15.

  Similarly, you can access data that’s in Flash or RAM.

  Casting function pointers gets us part of the way, but it’s rather tedious and wastes a bit of memory. Instead, it’s more efficient to pass a textfile of symbols to the linker. Because this is just a textfile, you can easily export symbols by script from IDA Pro or Radare2.

  The symbol file is just a collection of assignments of names to addresses in roughly C syntax, except for the lack of types.

  You can include it in the executable by passing GCC parameters to the linker, or by calling ld directly.

  Now that we can load the firmware into process memory and call its functions, let’s take a step back and see a second way to do the linking, by rewriting the firmware dump into an ELF object and then linking it. After that, we’ll get along to decoding some audio.

  Static Firmware Linking

  While it’s nice and easy to load firmware with mmap(2) at runtime, it would be nice and correct to convert the firmware dump into an object file for static linking, so that our resulting executable has no external dependencies at all. This requires both a bit of objcopy wizardry and a custom script for ld.

  First, let’s convert our firmware image dump to an ELF that loads at the proper address.

  Sadly, ld will ignore our request to load this image at 0x0800C000, because load addresses in Unix are just polite suggestions, to be thrown away at the whim of the linker. We can fix this by passing flags to GCC at compile time, so ld knows to place the section at the right address.18

  Similarly, the SRAM core dump can be embedded at its own load address.

  Decoding the Audio

  To decode the audio, I decided to begin with the same .amb format that DSD uses. This way, I could work from their reference files and compare my decoding to theirs.

  The .amb format consists of a four byte header (2e 61 6d 62) followed by eight-byte frames. Each frame begins with a zero byte and is followed by 49 bits of data, stored most significant bit first with the final bit in the least significant bit of its own byte.

  To have as few surprises as possible, I take the eight packed bytes and extract them into an array of 49 shorts located at 0x20011c8e, because this is the address that the firmware uses to store its buffer. Shorts are used for convenience in addressing during computation, even if they are a bit more verbose than they would be in a convenient calling convention.
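The .amb frame layout just described, unpacked into the 49-entry array of shorts that the firmware works on, as an added C example; it is not code from the article or from md380tools. The firmware's buffer address 0x20011c8e is left out, since on a host the array lives wherever the caller puts it, and the sample bytes are constructed:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not code from the article or from md380tools.
 * Layout follows the text: a 4-byte ".amb" header, then 8-byte frames,
 * each a zero byte followed by 49 bits of AMBE data, MSB first, with the
 * 49th bit sitting alone in bit 0 of the frame's last byte. */

#define AMB_FRAME_BYTES 8
#define AMB_BITS        49

static const uint8_t AMB_MAGIC[4] = { 0x2e, 0x61, 0x6d, 0x62 }; /* ".amb" */

/* Unpack one 8-byte frame into 49 shorts holding 0 or 1 each, the buffer
 * layout the article says the firmware uses. Returns 0 on success, -1 if
 * the leading byte is not zero. */
int amb_unpack_frame(const uint8_t frame[AMB_FRAME_BYTES], uint16_t bits[AMB_BITS])
{
    if (frame[0] != 0x00)
        return -1;
    for (int i = 0; i < 48; i++)            /* bits 0..47 come from bytes 1..6 */
        bits[i] = (frame[1 + i / 8] >> (7 - i % 8)) & 1;
    bits[48] = frame[7] & 1;                /* the lone 49th bit */
    return 0;
}

/* Inverse of amb_unpack_frame, used here to check that the bit layout round-trips. */
void amb_pack_frame(const uint16_t bits[AMB_BITS], uint8_t frame[AMB_FRAME_BYTES])
{
    memset(frame, 0, AMB_FRAME_BYTES);
    for (int i = 0; i < 48; i++)
        frame[1 + i / 8] |= (uint8_t)((bits[i] & 1) << (7 - i % 8));
    frame[7] = bits[48] & 1;
}

/* Walk a whole .amb image, storing frame k at out[k*49 ..]. Returns the number
 * of frames, or -1 on a bad header, a frame whose first byte is not zero, or
 * an output array that is too small. A trailing partial frame is ignored. */
int amb_parse(const uint8_t *buf, size_t len, uint16_t *out, size_t out_max_frames)
{
    if (len < 4 || memcmp(buf, AMB_MAGIC, 4) != 0)
        return -1;
    size_t nframes = (len - 4) / AMB_FRAME_BYTES;
    if (nframes > out_max_frames)
        return -1;
    for (size_t k = 0; k < nframes; k++)
        if (amb_unpack_frame(buf + 4 + k * AMB_FRAME_BYTES, out + k * AMB_BITS) != 0)
            return -1;
    return (int)nframes;
}

/* Constructed sample: header plus two frames. Frame 0 sets bit 0 and bit 48,
 * frame 1 sets bits 0..7. */
static const uint8_t SAMPLE_AMB[4 + 2 * AMB_FRAME_BYTES] = {
    0x2e, 0x61, 0x6d, 0x62,
    0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Parses the sample; returns its frame count (2) and fills bits for both frames. */
int amb_demo(uint16_t bits[2 * AMB_BITS])
{
    return amb_parse(SAMPLE_AMB, sizeof SAMPLE_AMB, bits, 2);
}
```

The unpack function validates the leading zero byte rather than trusting it, so a truncated or misaligned capture fails loudly instead of feeding garbage to the decoder.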

  Additionally, I re-use the output buffers to store the resulting WAV audio. In the MD380, there are two buffers of audio produced from each frame of AMBE.

  The thread that does the decoding in firmware is tied into the MicroC/OS-II realtime operating system of the MD380. Since I don’t have the timers and interrupts to call that thread, nor the I/O ports to support it, I’ll instead just call the decoding routines that it calls.

  For any parameter that I don’t understand, I just copy the value that I’ve seen called through my hooks in the firmware running on real hardware. For example, 0x20011224 is some structure used by the AMBE code, but I can simply re-use it thanks to my handy RAM dump.

  Since everything is now in the right position, we can decode a frame of AMBE to two audio frames in quick succession.

  After dumping these to disk and converting to a .wav file with sox -r 8000 -e signed-integer -L -b 16 -c 1 out.raw out.wav, a proper audio file is produced that is easily played. We can now decode AMBE in Linux!

  Runtime Hooks

  So now we’re able to decode audio frames, but this is firmware, and damned near everything of value except the audio routines will eventually call a function that deals with I/O—a function we’d better replace if we don’t want to implement all of the STM32’s I/O devices.

  Luckily, hooking a function is nice and easy. We can simply scan through the entire image, replacing all BX (Branch and eXchange) instructions to the old functions with ones that direct to the new functions. False positives are a possibility, but we’ll ignore them for now, as the alternative would be to list every branch that must be hooked.

  The BL instruction in Thumb is actually two adjacent 16-bit instructions, which load a low and high half of the address difference into the link register, then BX against that register. (This clobbers the link register, but so does any BL, so the register use is effectively free.)

  Now that we can calculate function call instructions, a simple loop can patch all calls from one address into calls to a second address. You can use this to hook the I/O functions live, rather than trapping them.
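The call-rewriting loop described above, as an added C example that is not the article's or md380tools' own code. It assumes a little-endian Thumb-2 image (the MD380's Cortex-M4) held in host memory at a known base address; thumb_encode_bl, thumb_decode_bl and patch_bl_calls are this example's own names. It goes slightly beyond the text by handling the full 25-bit Thumb-2 BL offset, which for targets within 4 MB is bit-identical to the two-halfword form the paragraph describes:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Added example, not the article's or md380tools' own code. Assumes a
 * little-endian Thumb-2 image held in host memory at `base`. */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* A BL pair: first halfword 11110 S imm10, second halfword 11 J1 1 J2 imm11. */
bool thumb_is_bl(uint16_t h1, uint16_t h2)
{
    return (h1 & 0xF800) == 0xF000 && (h2 & 0xD000) == 0xD000;
}

/* Encode a BL located at `pc` that calls `target`. In Thumb the PC reads as
 * the instruction address plus 4. Returns false if the offset is odd or outside
 * the signed 25-bit range. */
bool thumb_encode_bl(uint32_t pc, uint32_t target, uint16_t *h1, uint16_t *h2)
{
    int32_t off = (int32_t)(target - (pc + 4));
    if ((off & 1) || off < -(1 << 24) || off >= (1 << 24))
        return false;
    uint32_t u = (uint32_t)off;
    uint32_t S = (u >> 24) & 1, I1 = (u >> 23) & 1, I2 = (u >> 22) & 1;
    uint32_t J1 = (~(I1 ^ S)) & 1, J2 = (~(I2 ^ S)) & 1;
    *h1 = (uint16_t)(0xF000 | (S << 10) | ((u >> 12) & 0x3FF));
    *h2 = (uint16_t)(0xD000 | (J1 << 13) | (J2 << 11) | ((u >> 1) & 0x7FF));
    return true;
}

/* Decode the call target of a BL pair located at `pc`. */
uint32_t thumb_decode_bl(uint32_t pc, uint16_t h1, uint16_t h2)
{
    uint32_t S = (h1 >> 10) & 1, imm10 = h1 & 0x3FF;
    uint32_t J1 = (h2 >> 13) & 1, J2 = (h2 >> 11) & 1, imm11 = h2 & 0x7FF;
    uint32_t I1 = (~(J1 ^ S)) & 1, I2 = (~(J2 ^ S)) & 1;
    uint32_t off = (S << 24) | (I1 << 23) | (I2 << 22) | (imm10 << 12) | (imm11 << 1);
    if (S)
        off |= 0xFE000000u;             /* sign-extend the 25-bit offset */
    return pc + 4 + off;
}

/* Scan `img` (loaded at `base`) for BL instructions that call `old_fn` and
 * retarget them to `new_fn`. Returns the number of calls rewritten. Like the
 * loop in the article it accepts false positives: data that happens to decode
 * as a BL to old_fn is rewritten too. The Thumb bit of both addresses is
 * cleared because BL offsets always address halfword-aligned code. */
int patch_bl_calls(uint8_t *img, size_t len, uint32_t base, uint32_t old_fn, uint32_t new_fn)
{
    int n = 0;
    for (size_t i = 0; i + 4 <= len; i += 2) {
        uint16_t h1 = rd16(img + i), h2 = rd16(img + i + 2);
        if (!thumb_is_bl(h1, h2))
            continue;
        uint32_t pc = base + (uint32_t)i;
        if (thumb_decode_bl(pc, h1, h2) != (old_fn & ~1u))
            continue;
        if (!thumb_encode_bl(pc, new_fn & ~1u, &h1, &h2))
            continue;                   /* new target out of BL range: leave it */
        wr16(img + i, h1);
        wr16(img + i + 2, h2);
        n++;
    }
    return n;
}
```

Because the scan steps by halfwords through the entire image rather than following control flow, it will also rewrite a BL that only lives in the middle of a 32-bit literal; if that matters for a given image, restrict the scan to the .text range you trust.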

  I/O Traps

  What about those I/O functions that we’ve forgotten to hook, or ones that have been inlined to a dozen places that we’d rather not hook? Wouldn’t it sometimes be easier to trap the access and fake the result, rather than hooking the same function?

  You’re in luck! Because this is Unix, we can simply create a handler for SIGSEGV, much as Jeffball did in PoC‖GTFO 8:8. Your segfault handler can then fake the action of the I/O device and return.
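A minimal SIGSEGV trap of the kind described, as an added Linux C example that is not from the article or from md380tools. The peripheral region is an anonymous page mapped PROT_NONE (0x40000000 is passed only as a hint; the code uses whatever address the kernel returns), and the handler fakes a single 32-bit status register with a constructed value. The function names and the register value are this example's own assumptions:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not from the article or md380tools. Assumes Linux. */

#define FAKE_STATUS 0x00000080u   /* constructed value, e.g. a "data ready" flag */

static uint8_t *io_base;           /* start of the trapped "I/O" page */
static size_t   io_len;
static volatile int trap_hits;

static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    uint8_t *addr = (uint8_t *)si->si_addr;
    if (addr < io_base || addr >= io_base + io_len ||
        mprotect(io_base, io_len, PROT_READ | PROT_WRITE) != 0) {
        /* Not our I/O page (or we cannot fix it up): a real crash.
         * Restore default handling and re-raise so it is not swallowed. */
        signal(sig, SIG_DFL);
        raise(sig);
        return;
    }
    /* Fake the device: plant the register value the firmware expects, then
     * return so the faulting load is re-executed and now succeeds. */
    uint32_t v = FAKE_STATUS;
    memcpy(io_base, &v, sizeof v);
    trap_hits++;
}

/* Map the fake I/O page and install the handler. Returns 0 on success. */
int io_trap_install(void)
{
    io_len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0x40000000, io_len, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    io_base = p;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Stand-in for a firmware I/O routine: reads the first "register" of the
 * peripheral block. The first read faults, the handler fakes the device, and
 * the re-executed load returns FAKE_STATUS. */
uint32_t read_status_register(void)
{
    return *(volatile uint32_t *)io_base;
}

int io_trap_hits(void) { return trap_hits; }
```

Once the handler has made the page readable, later reads of that page no longer fault, which is fine for a register that only needs to look "ready" once. For a device whose registers must change between reads, re-protect the page after each access, or fall back to the GDB approach below and simply see who touched the region.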

  Alternatively, you might not bother with a proper handler. Instead, you can use GDB to debug the process, printing a backtrace when the I/O region at 0x40000000 is accessed. While GDB in Qemu doesn’t support ptrace(2), it has no trouble trapping out the segmentation fault and letting you know which function attempted to perform I/O.

  Thank you kindly for reading my ramblings about ARM firmware. I hope that you will find them handy in your own work, whenever you need to work with firmware away from its own hardware.

  If you’d like to similarly instrument Linux applications, take a look at Jonathan Brossard’s Witchcraft Compiler Collection,19 an interactive ELF shell that makes it nice and easy to turn an executable into a linkable library.

  The emulator from this article has now been incorporated into my md380tools project, for use in Linux.20

  Cheers from Varaždin, Croatia,

  -Travis 6A/KK4VCZ

  13:6 Silliness in Three Acts; or, Weak Passwords of Spinlocks

  by Evan Sultanik

  Dramatis Personæ

  Disembodied Voice of Pastor Manul Laphroaig . . . . Bard
  Alice Feynman . . . . Disciple of the Church of Weird Machines
  Bob Schrute . . . . Assistant to the Facility Security Officer
  Havva al-Kindi . . . . Alice’s Old and Wise Officemate
  The Ghost of Paul Erdös . . . . Keeper of The Book

  Act I: Memorize, Don’t Compromise

  PASTOR: In the windowless bowels of a nondescript, Class A office building entrenched inside the Washington, D.C. beltway, we meet our heroine, Alice Feynman, lost on her way to a meeting with the Facility Security Officer.

  ALICE: Excuse me, which way is it to the security office?

  BOB: You must be the new hire. Bob Schrute, assistant FSO. I can take you there right after I finish with this...

  ALICE: Alice. Nice to meet you. What’re you doing?

  BOB: Kaba Mas X-09 high security spin-lock. It’s DSS-approved for use in our SCIFs. I’m resetting this one’s passcode.

  ALICE: [Blank Stare]

  BOB: U.S. Department of Defense (DoD) Defense Security Service (DSS). Sensitive Compartmented Information Facilities (SCIFs). The rooms where we are allowed to store and process classified information?

  ALICE: I see. I noticed those things all over this building.

  BOB: They’re ubiquitous. You’ll see them anywhere in the country there’s classified work going on. One on each door, and another on each safe. Super secure, too. Security in this office is no joke.

  ALICE: How do they work?

  BOB: [Throwing Alice the lock’s manual.] They run off of the electricity generated from spinning them, so you need to spin them a bit to get started. You see? The LCD on top shows you the current number. You enter three two-digit numbers. First one clockwise, second counter-clockwise, third clockwise, and then a final spin counter-clockwise to open. That’s the passcode.

  ALICE: [Flipping through the manual.] Does each lock get a different passcode?

  BOB: Yes. That’s why we have this [handing Alice a magnet stuck to the side of the door].

  ALICE: Ah I see. It’s a phone keypad. So you use a mnemonic to remember each passcode?

  BOB: Exactly. [Pointing to a poster on the wall with his own mugshot and memetic letters emblazoning “MEMORIZE, DON’T COMPROMISE,” he sternly repeats that slogan:] Memorize, don’t compromise.

  ALICE: [“Is this guy serious?” face.]

  BOB: You think you could crack it? FALSE. [Flamboyantly produces a pocket calculator that had been hidden somewhere on his person.] Three two-digit numbers. That’s 100 times 100 times 100, so ... there are a million possible codes. I’ve set this to have a timeout of four minutes after each failed attempt. So, trying all possible combinations would take ... [furiously punching at the calculator] ... almost eight years! We change each code once every couple months, so even if you could continuously try codes for eight hours a day, you’d have ... [more furious punching] ... about seven tenths of one percent chance of getting the code right.

  ALICE: [Handing the manual back.] I didn’t see anything in here about an automatic lockout after too many failed attempts.

  BOB: [Pointing to his minuscule biceps.] These provide the lockout.

  ALICE: Are you ready to take me to the security office now?

  BOB: Fine.

  Act II: Surely You’re Joking

  PASTOR: Two weeks later, Alice has settled into her office, which she shares with Havva al-Kindi. She hasn’t had a chance to play with those nifty locks at all yet; her clearance is still being processed. Most of her time is spent idling or doing busy-work while she waits to be approved to work on a real project.

  ALICE: [On her desk phone] Yes. Yes, no problem. By close of business today. No problem. Bye.

  PASTOR: As Alice hangs up the phone, she notices something odd about the keypad, and immediately remembers the magnet Bob had showed her.

  ALICE: [Gets up and starts drawing on her whiteboard.]

  HAVVA: What are you doing?

  ALICE: Did you ever notice that the numbers zero and one don’t have any letters on the phone?

  HAVVA: Sure! You’re probably too young to have ever used a rotary phone, right? Back when phone numbers were only seven digits long, the first two numbers represented the exchange, and a mnemonic was given to each exchange. [Singing and tapping on her desk] Bum-dah-bum bah-duh-bum bahhh dummm! PEnnsylvania Six Five Thousand! No? It was a big Glenn Miller hit! My parents used to play it all the time when I was a kid. That song is referring to the phone number for the Hotel Pennsylvania in New York, which to this day is still (212) PE6-5000.

  ALICE: Oh yeah! I went there once for HOPE.

  HAVVA: Hope? Anyhow, for various reasons, the numbers zero and one were never used in exchanges, which meant they never occurred at the beginning of phone numbers, which meant they couldn’t have letters associated with them.

  ALICE: Interesting! [Continuing on the whiteboard] 8^6 = ... [a pause to consult her computer] 262144. 1 – 262144 ÷ 1000000 = ... 0.738. Wow! So, if there are only eight buttons with letters, that reduces the number of possible phone numbers associated with six-letter mnemonics by 74% compared to if all the buttons had letters!

  HAVVA: I guess that’s true. There are also certain phone numbers you’ll never be able to have English mnemonics for, because the buttons for 5, 7, and 9 don’t have any vowels. So you can’t make a mnemonic for a phone number that only uses those three numbers.

  ALICE: Wow, yeah, that’s another 3^6 = . . . [quickly doing some math in her head this time] 729 codes that don’t have mnemonics.

  HAVVA: Codes?

  ALICE: Er, I mean “phone numbers.”

  HAVVA: I’ll bet there are certain “codes” that don’t have any English words associated with them. Plus, letters in English words don’t all occur at the same frequency: It’s much more likely that a word will have the letter “e” than it will have the letter “x.”

  ALICE: [Opens up a terminal on her computer.]

  $ grep -E '^.{6}$' /usr/share/dict/words | wc -l

  17706

  $ echo `!!` / 1000000 | bc -l

  .01770600000000000000

  PASTOR: And thus, Alice had discovered that fewer than 2% of the million possible codes actually map to English words.

  ALICE: [Once again at the whiteboard.]

  HA CK ER
  42 25 34

  [Back at the computer.]

  $ grep -iE '^.{4}er$' /usr/share/dict/words | wc -l

  1562

  About 10% of six-letter English words end with the letters “ER”!

  [Back at the board, with long pauses.]

  DO SA GE
  36 72 43

  EN RA GE
  36 72 43

  FO RA GE
  36 72 43

  FO RB ID
  36 72 43

  PASTOR: And many words share the same code. In fact, Alice quickly wrote a script to count the number of unique codes possible from six-letter English words.21

  ALICE: There are only 14684 possible codes to check! That would take ... only about 40 days to brute-force crack!
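Alice's counting script is only footnoted, so here is an added C example of the same computation; it is not the play's own code. It maps six-letter words onto the keypad (PQRS on 7, WXYZ on 9; 0 and 1 carry no letters), counts the distinct codes, and also works out how many attempts, trying the most-shared codes first, are needed to reach a given success probability under the uniform-choice assumption Paul states in Act III. The word list is constructed; a real run would read /usr/share/dict/words:

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added example, not Alice's script from the play or its footnote. */

#define CODE_LEN 6

/* Map a letter to its keypad digit, or 0 if it has none (0 and 1 carry no letters). */
static char keypad_digit(char c)
{
    static const char *keys[] = { "abc", "def", "ghi", "jkl", "mno", "pqrs", "tuv", "wxyz" };
    c = (char)tolower((unsigned char)c);
    for (int d = 0; d < 8; d++)
        if (strchr(keys[d], c))
            return (char)('2' + d);
    return 0;
}

/* Convert a six-letter word to its six-digit code. Returns 1 on success, 0 if
 * the word is not exactly six letters. */
int word_to_code(const char *word, char out[CODE_LEN + 1])
{
    if (strlen(word) != CODE_LEN)
        return 0;
    for (int i = 0; i < CODE_LEN; i++) {
        char d = keypad_digit(word[i]);
        if (!d)
            return 0;
        out[i] = d;
    }
    out[CODE_LEN] = '\0';
    return 1;
}

static int cmp_code(const void *a, const void *b) { return strcmp((const char *)a, (const char *)b); }
static int cmp_int_desc(const void *a, const void *b) { return *(const int *)b - *(const int *)a; }

/* Group sizes in descending order: sizes[k] is the number of words sharing the
 * k-th most common code. Returns the number of distinct codes; *total receives
 * the number of words that had a code at all. */
static int group_sizes(const char *const *words, int n, int *sizes, int *total)
{
    char (*codes)[CODE_LEN + 1] = calloc((size_t)n + 1, CODE_LEN + 1);
    int m = 0, g = 0;
    for (int i = 0; i < n; i++)
        if (word_to_code(words[i], codes[m]))
            m++;
    if (m > 1)
        qsort(codes, (size_t)m, CODE_LEN + 1, cmp_code);
    for (int i = 0; i < m; i++) {
        if (i == 0 || strcmp(codes[i], codes[i - 1]) != 0)
            sizes[g++] = 0;            /* a new code starts a new group */
        sizes[g - 1]++;
    }
    free(codes);
    if (g > 1)
        qsort(sizes, (size_t)g, sizeof *sizes, cmp_int_desc);
    *total = m;
    return g;
}

/* Number of distinct codes among the words: the size of the keyspace that
 * actually needs to be tried. */
int count_unique_codes(const char *const *words, int n)
{
    int *sizes = malloc(((size_t)n + 1) * sizeof *sizes), total;
    int g = group_sizes(words, n, sizes, &total);
    free(sizes);
    return g;
}

/* Attempts needed, trying the most-shared code first, to reach success
 * probability p when the codeword is drawn uniformly from the word list.
 * Returns -1 if p is unreachable (for example p > 1). */
int attempts_for_success(const char *const *words, int n, double p)
{
    int *sizes = malloc(((size_t)n + 1) * sizeof *sizes), total, hit = 0, k;
    int g = group_sizes(words, n, sizes, &total);
    for (k = 0; k < g; k++) {
        hit += sizes[k];
        if (hit >= p * total)
            break;
    }
    free(sizes);
    return k < g ? k + 1 : -1;
}

/* Constructed word list: the play's examples plus a few extras; "hack3r" has
 * no code and is skipped. */
static const char *const SAMPLE_WORDS[] = {
    "hacker", "dosage", "enrage", "forage", "forbid", "cheese", "banana", "hack3r", "hacked"
};
#define SAMPLE_WORDS_N 9
```

On the sample list four words share 367243, so that single code already covers half of the valid words; on a real dictionary the distribution is far flatter, which is why Paul's napkin estimate needs thousands of attempts rather than one.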

  Act III: The Book

  PASTOR: Later that day, Alice is at her favorite dive, decompressing with some of her side projects.

  PAUL: [Sits down next to Alice at the bar. Wheel of Fortune is playing on an ancient CRT.] Television is something the Russians invented to destroy American education.

  ALICE: [Tippling a brown liquor, neat, while working on her laptop. Paul’s comment draws her attention to the TV. Alice notices that some letters are given away “for free” and remembers what Havva had said about letter frequency. She quickly grabs her notebook and jots down the letters as a reminder.] R, S, T, L, N, E.

  PAUL: [Noticing Alice’s notebook.] Yes, these are very common letters in English. My native language does not use “r” as much. But what do I know about English? I learned it from my father, who taught it to himself by reading English novels in one of Joe’s Gulags. [Awkward pause while Alice struggles with how to respond.] Have you discovered anything beautiful? [Pointing into her notebook.]

  ALICE: Oh that? I’ve been thinking about mnemonics for passcodes.

  PAUL: [Pointing to the drink:] That poison will not help you. [Produces a small pill bottle out of his shirt pocket, raises it to eye level, drops it, and then catches it with the same hand before it hits the bar.]

  ALICE: Haven’t you heard? The Ballmer Peak is real! Or at least that’s what I read on Stack Exchange.

  PAUL: Pál Erdös. My brain is open.

  PASTOR: Alice introduces herself and proceeds to explain all of her findings to Paul.

  ALICE: . . .and I just finished sorting the 14684 distinct codes by the number of words associated with them. That way, if I try the codes in order of decreasing word associations, then it will maximize my chances of cracking the code sooner than later.

  PAUL: Yes, if codewords are chosen uniformly from all six-letter English words. Can I see the distribution of word frequency? [Grabbing a napkin, stealing Alice’s pen, and scribbling some notes.] Using your method, after fewer than 250 attempts, there is a 5% probability that you will have cracked the code. After about 5700 attempts, there will be a 50% probability of success.

  ALICE: [Typing on her computer.] That’s only about 16 days!

  PASTOR: An adversary with intermittent access to the lock—for example, after hours—could quite conceivably crack the code in less than a month.

  PAUL: If there exists a method that allows the code-breaker to detect whether each successive two-digit subcode is correct before entering the next two-digit subcode. . .

  PASTOR: . . .otherwise known as a “vulnerability”...

  PAUL: . . .[annoyed about having been interrupted, even if by the disembodied voice of a narrator] then the expected value for the length of time required to crack the code is on the order of minutes. [Mumbling toward the fourth wall:] That Pastor is more annoying than the SF.

  ALICE: What?

  PAUL: SF means “Supreme Fascist.” This would show that God is bad. I do not claim that this is correct, or that God exists. It is just a sort of half-joke. There is an anecdote I once heard. Suppose Israel Gelfand and his advisor, Andrei Kolmogorov, were to both arrive in a country with a lot of mountains. Kolmogorov would immediately try and climb the highest mountain. Gelfand would immediately start building roads. What would you do?

 
