I gave an informal talk for the IEEE student branch about breaking in to your own devices this evening. I did the low-postable-content notes with live examples and links thing, but at least one person wanted to watch the video links, so here are the notes. There is something delightful about giving talks that require legal disclaimers. I don’t think there is anything in here that will get me in trouble…
1. Breaking In to your Own Devices 2. Why? - Expanded capabilities - Privacy/Security - Curiosity - This is the best reason, ex: - Tomagochis, Natalie Silvanovich - 29C3: MANY TAMAGOTCHIS WERE HARMED IN THE MAKING OF THIS PRESENTATION https://events.ccc.de/congress/2012/Fahrplan/events/5088.en.html - 30C3: Even More Tamagotchis Were Harmed in the Making of this Presentation - Repair - Continued Support - Planned Obsolescence 3. The Law - DMCA - New Exemptions, Librarian of Congress - https://www.eff.org/deeplinks/2015/10/victory-users-librarian-congress-renews-and-expands-protections-fair-uses - DVD CCA DeCSS https://en.wikipedia.org/wiki/DeCSS - Jon Lech Johansen - As Art: Shirt or https://www.cs.cmu.edu/~dst/DeCSS/Gallery/ - AACS 128 bit number https://en.wikipedia.org/wiki/AACS_encryption_key_controversy - 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 - John Deere http://www.wired.com/2015/04/dmca-ownership-john-deere/ - [Totally not Burglary] Tools (At least in Kentucky) 4. The Basics - Our Friend the Lockpick - Diagrams: http://toool.us/deviant/ - Seriously, you should try this - MIT Guide " The MIT Guide To Lockpicking " - http://www.capricorn.org/~akira/home/lockpick/ 5. Locksport - People do this for funsies - At events like Defcon ( https://www.defcon.org/ ) and Blackhat (https://www.blackhat.com/) and CCC (https://www.ccc.de/en/) - Hilarious presentation on lockboxes : https://www.youtube.com/watch?v=5Yr6ATdaDQ8 6. Invasion or Replacement - Sometimes you just get extra access or install modules - Sometimes you wholesale replace ( OpenWRT - https://openwrt.org/ ) 7. Vendors - Sometimes Helpful: Palm WebOS had you literally type "upupdowndownleftrightleftrightbastart" (Konami Code) into the global search bar to turn on developer mode. (Sidebar: iOS was locked down to 3rd party dev initially. Steve Jobs was an asshole? Too janky to let 3rd parties see? We don't know.) - Sometimes try to prevent it - $1M bounty for iOS 9 Remote Jailbreak paid out Yesterday: - http://apple.slashdot.org/story/15/11/02/2122222/somebody-just-claimed-a-1-million-bounty-for-hacking-the-iphone - from some bloodsuckers who sell 0days to governmetns and other criminals. - Geohot Case(s) - Worked on early iOS Carrier Unlock and Bootstream Attacks - Worked on early PS3 revese engineering (& sued) - Best. Talk. Ever. : Fail0verflow 27C3 talk: https://www.youtube.com/watch?v=LP1t_pzxKyE - Worked on a variety of Android Roots 8. Rooting - Android - Varies from vendors, devices, etc. - The people in to this tend to hang out at http://www.xda-developers.com/ - Some vendors make you jump through a hoop - Things like https://towelroot.com/ that work on a wide variety of options. - Ex: My S5, AdAway - Samsung Root Exploit in Swiftkey - https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/ - Fix: If you're already rooted, just remove the bad keyboard! - If you aren't already rooted, stuck until your manufacturer and carrier get their shit . 9. Extra Features - Rigol Oscilloscopes and Access Codes (Keygen!: http://hackaday.com/2013/07/24/a-keygen-for-the-rigol-2000-series-scopes/ ) 10. Debug Ports - It's remarkable how often there is a serial port inside of things - Look for 5 pads - https://pappp.net/?p=1350 rescuing a bricked router. - If not, maybe another serial protocol - Universal Bus Trascievers to the rescue - Bus Pirate: https://pappp.net/?p=15 11. JTAG - Joint Test Action Group 5 pin standard programming header for many devices: TDI (Test Data In) TDO (Test Data Out) TCK (Test Clock) TMS (Test Mode Select) TRST (Test Reset) optional. 12. Dissection and Dumping - An example of a ROM Dump I did a while back: https://pappp.net/?p=11 - Usually encoding challenges - Likely have to bust out an interactive disassembler like IDA Pro or radare http://radare.org/r/ 13. - Command Injection - Everything is running a Commodity OS, because everyone is lazy - A network camera example: http://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and-found.html?m=1 - If it runs commands based on user input, it's likely 0wnable.