Winning The Interface War: Extracting Information From Electronic Devices With The SEC Xtractor

research hardware vulnerability

We have just made the “SEC Xtractor” tool (SEC Consult’s hardware exploitation and firmware extraction tool) open-source!

Winning the Interface War SEC Xtractor version 1.31 main blog image - SEC Consult

It comes with an easy to use and configurable memory reading concept that supports multiple ways to read flash chips (e.g. NAND chips). As its firmware and hardware are completely open-source, it can be easily extended. Interface identification is another requirement that was fulfilled by integrating JTAG brute-forcing and UART scanning. It can also be used as an OpenOCD adapter and it provides two UART-to-USB bridges. Most devices require anything between 1.8 and 5.5 volts, which is supported by the SEC Xtractor.

Motivation

During the very first holistic penetration tests of embedded devices (hardware and firmware), the SEC Consult Hardware Lab used a bunch of different tools with all pros and cons. Most of them, like the Flyswatter 2 or the Shikra, had some kind of UART-to-USB bridge or were able to directly interface with SPI and I2C.

A large number of them were based on the same chip series, developed by Future Technology Devices International Ltd., mostly the FT2232 or FT232. As it was easy to buy a breakout board for the big FT2232HQ chip online, it didn’t take long for a prototype to be developed.

In the end, as no other tool could fulfill all the requirements (especially the ability to read NAND and NOR interfaces) the decision was taken to design a new fitting tool. This resulted in the development of the SEC Xtractor.

EARLY DAYS IN THE HARDWARE LAB OF SEC CONSULT

Nearly ten years ago, SEC Consult already performed some hardware security assessments in the field of smart metering, ATM security and some routers/gateway devices. Later, SEC Consult conducted a study on the security of smart home devices already with hardware security in mind. In 2015, SEC Consult took the first steps to create a dedicated Hardware Lab for security research and hardware security assessments for customers. The first setup work was done by former colleagues Stefan Riegler and Christian Kudera. End of 2015, Thomas Weber ordered some serious equipment to perform in-depth penetration tests in this field of IT security. Basic and high-end equipment was shipped from different shops and the first in-depth projects were finally undertaken in the last quarter of 2015.

The first issues with hardware security assessments came under many aspects:

  • How can we read this TSOP48 NAND flash memory?
  • Does anyone have this special screw driver in the office?
  • I killed the target device, do we have another one?

One of the biggest challenges was the varieties of embedded devices. They had different voltage levels, different flash memory types, different microcontrollers and so on. This led to the use of many different flash memory interfaces required to conduct a basic firmware audit.

SPI, NAND

SPI, NAND, NOR, I2C
Most Commonly Used Interfaces.

SPI

SPI, one of the most common interfaces, was not problematic as a lot of tools can handle its simple protocol. In addition, only a few additional wires are needed. Check out flashrom, a cool project using SPI and the FT2232 microcontrollers. In addition, it supports a lot of memory chips, making it one of the best open-source choices for extracting memory in this way.

I2C

I2C is another unproblematic interface because memory chips can be dumped with the FT2232 microcontroller by using the libmpsse library, available on GitHub.

NAND

It gets more complicated to find good solutions for reading NAND chips because of the bad block sections and the different command sequences for different memory sizes. Many projects are available on the Internet but only one was compatible with the FT2232, namely the NandTool.

NOR

The memory interface with the highest pin count was NOR. Depending on the memory size, it may use up to 32 address pins. In rare cases even more. The most open-source projects that were found for this kind of interface were solutions with a microcontroller or FPGA. Because these types of chips were not used in the first projects, the interface was skipped at that time.

Price vs. efficiency

Most projects concluded without any solution since the chips couldn’t be inserted without soldering. This can be frustrating for those who do not want to solder SMD. Only commercial tools (that are expensive) can read memory in that way. The problem remains that they cannot read every chip. This means that different tools for different flash chips are needed and that every new part must be implemented. The implementation itself is often a task that can only be done by the memory readers’ vendor, which ends up to be very expensive too.

I killed the target device, do we have another one?
Challenges In The SEC Consult Vulnerability Lab
Winning the Interface War Prototype #1 top image - SEC Consult
Prototype #1 was able to do simple memory chip operations on 5V and 3.3V.

To overcome all of these problems, we decided to create a tool that provides connections to be wired with simple connection wires and ZIF sockets. That way, people that are able to read a simple circuit, can dump out every kind of memory chip without soldering (it must be removed from the target though). The tool, which was later named “SEC Xtractor”, started as a simple memory extraction and UART interface project.

Choosing the FT2232HQ chip that comes with the FT2232 mini-module was thoroughly-considered and the most natural choice. The very first prototype for dumping memory chips was born!

Winning the Interface War Side-view to prototype #1 image - SEC Consult
Side-view to prototype #1.
Winning the Interface War Prototype #2 top image - SEC Consult
Prototype #2. Make JTAG, I2C, SPI and NAND usable with a simple breakout board.

A new era

During the development of the SEC Xtractor platform, countless hours were spent browsing and shopping online for fitting adapters and parts that could be used for the prototype. A PCB was routed after successfully reading the first binaries from unsoldered memory chips. It only contained the FT2232 mini-module, which was considered the most useful tool to support voltage switching between 3.3V and 5.5V out of the box. The parallel header rows were connected with jumper wires according to the memory chip alignment.

Winning the Interface War Prototype #3 top image - SEC Consult
Prototype #3. A simple microcontroller breakout board can be used for reading any NOR memory chip now

This simple PCB unleashed the power of the mini-module, which was handy for nearly every project that had to do with embedded device pentesting. One project that came in was testing a medical device that had a NOR flash memory chip that contained the whole firmware. We used an extension PCB with a microcontroller that was easy to program to read out the content via the UART interface. It was a minimalist solution.

Winning the Interface War NOR memory chip with manual wire connection image - SEC Consult
Reading a NOR memory chip can be a cumbersome task if all wires must be manually connected to perfection.

The biggest challenge that had to be mastered every time a hardware security assessment or research project was done, was to attach the wires. Not only did they look messy, but the connections were so unstable – that a simple touch during the reading would be fatal! Furthermore, a bit more expertise was necessary to perform this. The overall objective set by the SEC Xtractor solution was to have better flexibility for non-hardware experts that would just dump the firmware and keep on pentesting.

Winning the Interface War SEC Xtractor version 1.0 green image - SEC Consult
SEC Xtractor version 1.0 – parallel pin header rows were used for this design too with a ZIF socket instead of fixed connectors.

When all these PCBs were developed, another tool, called Hardsploit, came up.We soon uncovered it was a large breakout board with an FPGA. There was no doubt that a software engineer would have trouble modifying it easily because it looked to be too complex and not entirely open-source. The best choice would be something simple, a little more powerful than a small 8-bit microcontroller, programmable in C, but not too complex. In an ideal world, with ready to use adapters for different memory chips to overcome the need of wiring.

SEC Xtractor Version 1.0 – The First Generation

The extension board was equipped with an ATXmega128A1U controller an easy to program 8-bit microcontroller without a big framework of header files and a jungle of functions. It made sense to keep it and combine it with the FT2232 mini-module :) . To extend the range of target electronics, universal level shifters (TXS0108E-Q1) were added to all IOs. This includes the FT2232 and ATXmega128A1U pins.

To avoid the chaos of wires as seen in the picture above, we designed a pin header where NAND and NOR memory chips could be mounted. This pin header can be spotted on the picture in the left bottom corner. Because of the number of pins, adding a microcontroller sounded like a hacky solution at first, but after adding some functions from JTAGenum and other custom functions, the ATXmega became more and more useful for different purposes.

Winning the Interface War SEC Xtractor IO levels counter image - SEC Consult
Simple SEC Xtractor IO levels counter, measured on an oscilloscope.

Worst case scenario, a wrong voltage level can destroy the target device and delay or thwart the whole security assessment. Therefore, three seven-segment displays were added to ensure the right voltage was constantly used for the right IOs. This two-sided layout can easily be reproduced, even for DIY etching, and comes with through-hole resistors that can be changed when other values are needed (e.g. to change the voltage limits of the adjustable power supply). This deliberate fact enables makers and hackers to use the hardware of the SEC Xtractor for tailored applications.

The first real application, that was initially programmed for the simple ATXmega breakout board on the previous picture, was the shell. It can be reached with 4M Baud via the first serial to the USB interface of the FT2232 mini-module. This was the highest (official) available frequency in the datasheet of the ATXmega but overclocking, which results in faster memory dumps, could increase it.

One noticeable fact is that the level shifters were used out of spec since the first hardware version. They are designed to operate on their A port between 1.4V and 3.6V and on their B port between 1.65V and 5.5V. Furthermore, the power supply of the A port must be less or equal to the B port, otherwise the level shifter will not work. Because of the additional ESD input protection and the higher voltage range, port B was chosen as interface to the world and port A as interface to the microcontroller. This usually means that voltages below the internal microcontroller power supply could not be used. But after experimenting different options we discovered that levels could also be shifted from the A port (with 3.3V) to the B port (with 2.1V). Conclusion, we invalidated the rule in the datasheet.

All these edge-cases were conducted with a lot of equipment during the many years  it took to develop the SEC Xtractor hardware. Our best friend during that time was an oscilloscope and a counter implementation on the SEC Xtractor (see figure below).

Winning the Interface War Inside Siglent Technologies Digital Oscilloscope image - SEC Consult
Inside of the Siglent Technologies SDS 1202X-E Digital Oscilloscope.

Past Targets

The tool was tested at the end of 2016 for all kinds of projects and was first mentioned during a blogpost in 2017. JTAG brute-forcing was tested with the old and new hardware to verify its correct operation. With the help of the SEC Xtractor, we then created an advisory regarding an oscilloscope. The UART port (Tx Rx GND) of the following picture was used to connect to the device and dump running processes and the firmware.

Winning the Interface War SEC Xtractor version 1.31 black image - SEC Consult
SEC Xtractor version 1.31 with black soldermask.

We mainly used the SEC Xtractor during a longer hardware security research project, conducted in 2018 and first presented it during Black Hat Asia in 2019. The outcome was a reverse engineered JTAG interface, dumped NOR flash memory and the ability to reprogram an industrial PLC from Siemens. The (red) next version of SEC Xtractor, namely version 1.20, was used for this project. Its internal power supply was decreased to 2.7V so that the level shifters could reach the 1.8V limit needed for the low voltage memory chips and microprocessors.

SEC Xtractor Version 1.31 – Black Edition

Version 1.31 comes with improvements like a boot button and additional labels three years after the initial hardware version. An open-source bootloader was used to program the device via USB. No external programmer is needed to reflash the ATXmega microcontroller. The black color for the main PCB and the NAND/NOR adapters were chosen because the launch was made during Black Hat Europe 2019 Arsenal.

Winning the Interface War NOR adapter for the SEC Xtractor image - SEC Consult
NOR adapter for the SEC Xtractor.
Winning the Interface War Mounted NAND flash memory image - SEC Consult
Mounted NAND flash memory.

This project is now live and contributions are encouraged! New designs with other microcontrollers were discussed internally and can be implemented thanks to the separated hardware abstraction layer in the firmware. The refactoring and fine-tuning of the shell and the overall structure, which makes separation possible, was done by Wolfgang Ettlinger. The UART scanner, another important part, was re-implemented by Steffen Robertz. He also restructured and extended the NAND/NOR chip functions.

One textbook use-case is NAND flash reading. A photo shows the assembly of typical memory chips inside the adapters:

Winning the Interface War Pre-burned test memory chip image - SEC Consult
Example output of a pre-burned test memory chip.

The memory content is redirected directly to the console output. To dump the memory, this output must be logged to a file and then converted with the command “xxd -r” to a binary. The whole dumping process may take a while because of the relatively slow microcontroller (32MHz).

All the features of the SEC Xtractor were used for several research and customer projects and are under steady development by the team of SEC Consult.

Special thanks goes to Nathan Andrew Fain, and Anthony Andriano, because the JTAG brute forcing was based on the project JTAGenum and the Xmega Bootloader was used.

The hardware and the firmware are open-source now and can be found on the SEC Consult’s GitHub repository.

 

This hardware security research and SEC Xtractor platform development were conducted by Thomas Weber on behalf of SEC Consult Vulnerability Lab.