You: (implements secure boot)
Me: (jams screwdriver into NAND pins, receives u-boot prompt)
I don't remember where I first read about shorting pins while u-boot is reading the kernel to force it to drop to a prompt, but I have hacked *so* many devices with that knowledge, so thank you whoever it was
@mjg59 Wait, which ones exactly do I short? Help me out here, I'm not good with computers.
@muvlon For SPI, easiest is usually just shorting clock to ground
@mjg59 @muvlon and for parallel D0 to ground
@mjg59 i suspect it gets "rediscovered" periodically, but more recently might've been @colinoflynn hacking on the Hue Bridge? http://colinoflynn.com/2016/07/getting-root-on-philips-hue-bridge-2-0/
@mjg59 you have just opened up an entire world of possibilities for me....
@mjg59 it’s a story as old as the hills; this trick was used back in the original Xbox days to force it to read the firmware from the LPC port instead of the NAND
@lilstevie @mjg59 and can be used with i.MX6 (and likely other NXP) devices to access Serial Download Protocol functionality in the boot ROM by simply preventing it from validating u-boot in the first place.
@RoganDawes @mjg59 SDP is theoretically still covered by secureboot though. CVE-2017-7932 and CVE-2017-7936 are fixed in imx6’s manufactured after a certain date in late 2017 (I don’t recall exact date, and I think the document that states it is under an NDA that I’m not willing to violate)
@lilstevie @mjg59 Yes, it is still subject to HAB. Fortunately for me, my current target is using chips from before the fixes you describe!
@lilstevie @mjg59 Still trying to figure out how to get a basic U-Boot to execute via SDP, but hopefully I'll get it right eventually! Ideally I want to get a version that will allow me to update environment variables and enable the console in the native U-Boot. Then I can add some mw commands to neuter the factory U-Boot's response to an HAB failure, and simply continue to boot an unsigned image.
@RoganDawes @lilstevie @mjg59 also, speaking from an inside developer's perspective, many products are not using HAB at all, sometimes probably also because of the GPLv3 tivoisation clause
@lilstevie @mjg59 My first memory of this is around 2001/2002 when hacking the #dbox2 set top box to free it from a bloated Java UI and give it Linux freedom. IIRC it was a proprietary boot loader back then, not u-boot, but I wasn't involved too deeply in the details
@mjg59 oh that's a handy trick to know, thanks for mentioning
@mjg59 I remember a talk I attended about hacking robot vacuum cleaners. They shoved a piece of aluminium foil under one side of the BGA packaged flash to get a bootloader prompt. The funny thing was I saw the picture and it was immediately clear to me what they were doing and how it worked. Because of course if you screw up the flash you get the prompt. Happened to me a lot. I just never considered that a desirable outcome before, so I never would have thought of it as an attack vector.
@mjg59 from a device maker’s perspective, is this attack possible to block?
@alwayscurious Yeah, have u-boot reset or hang on failure; don't drop to a prompt
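The fix @mjg59 describes, as an added example that is not part of this thread: a U-Boot environment fragment showing a `bootcmd` that falls through to the interactive prompt when the kernel read or verification fails, beside one that resets instead. The partition name `kernel` and the variables `${loadaddr}` and `${kernel_size}` are assumptions, not taken from any device in the thread; the Kconfig symbols are real U-Boot options.

```text
# --- weak: ";" runs each command regardless of the previous one's result ---
# A glitched NAND read (D0 or CLK shorted, foil under the BGA) makes
# "nand read" fail and "bootm" find no valid image; both return non-zero,
# the command list ends, and U-Boot drops to the CLI. That prompt is
# exactly what the thread is exploiting.
bootdelay=3
bootcmd=nand read ${loadaddr} kernel ${kernel_size}; bootm ${loadaddr}

# --- hardened: never return to the CLI on a failed boot ---
# bootdelay=-2 : autoboot with no delay and no abort check (no "Hit any key").
# &&           : bootm only runs if the read actually succeeded.
# reset        : bootm only returns on failure (bad image, FIT signature
#                check failed), so anything after it is the failure path;
#                restart instead of handing out a prompt.
bootdelay=-2
bootcmd=nand read ${loadaddr} kernel ${kernel_size} && bootm ${loadaddr}; reset

# Matching build-time settings (Kconfig), so the behaviour does not depend
# on an environment blob an attacker with flash access could rewrite:
CONFIG_BOOTDELAY=-2
CONFIG_ENV_IS_NOWHERE=y        # compiled-in environment only, no env partition
CONFIG_FIT_SIGNATURE=y         # bootm rejects unsigned or badly signed FIT images
CONFIG_PANIC_HANG=y            # hang rather than reset on a panic, if a dead
                               # device is preferable to a reboot loop
```

Two caveats a reviewer would raise. First, `bootdelay=-2` only removes the keypress abort; it does nothing about the failure path, which is why the `reset` at the end of `bootcmd` (or a deliberate hang) is the part that matters. Second, a trailing `reset` is pointless if the environment lives in writable flash, because the same physical access used to glitch the NAND can rewrite `bootcmd`; keep the environment compiled in (or otherwise integrity-protected) so the hardened command list cannot be swapped out. Resetting on every failure does turn a genuinely bad flash into a reboot loop, which is the reset-versus-hang trade-off @mjg59 mentions.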
@mjg59 did I get that right, causing NAND errors during boot fails open to a prompt? Is there anything specific that's needed to make that work?
@mjg59 Hah - I remember doing this years ago whilst trying to build my own u-boot for a router. I never finished, but I ended up using a similar trick to get into the vendor supplied one...
@mjg59 I think I first heard of it at a DEFCON back in 2015.
Needless to say I was just blown away.
@mjg59 I gotta say these clever/technical hands-on hacking posts are better than any algorithm in suggesting people for me to follow. They're just perfect in attracting replies from the right people for me to follow. Keep it up! 😇