Depthcharge: A Framework for U-Boot Hacking

Short Abstract:
In modern embedded systems that implement a “secure boot” flow, the boot loader plays a critical role in establishing the integrity and authenticity of software and data required to boot an operating system. Given the role and vantage point of boot loaders, they are a particularly interesting target for hardware hackers seeking to root a device and instrument it for further vulnerability hunting and reverse engineering. Although the vast majority of devices leveraging the ubiquitous and open source U-Boot boot loader leave it unprotected and trivially exploited, more product vendors are finally implementing secure boot and (attempting to) lock down their U-Boot builds. These less common specimen offer exciting opportunities to pursue creative bypasses and explore underappreciated U-Boot functionality.

The Depthcharge framework was developed to help hardware hackers methodically (ab)use some of that underappreciated U-Boot functionality in novel ways to circumvent boot-time protections, as well as expedite the identification and exploitation of “the usual suspects” within exposed U-Boot device consoles. The project includes a Python 3 library for interfacing with devices, reading and writing memory via available primitives, deploying executable payloads, and analyzing various data structures. A collection of scripts built atop of library make this functionality readily available via the command line, and “Depthcharge Companion” firmware allows the tooling to extend its vantage point by presenting itself as a peripheral device connected to the target. This Demo Lab will introduce the basics of Depthcharge and explore how attendees can leverage and expand upon it when seeking to circumvent boot-time protections or just to further explore a system from within the U-Boot environment. For those wishing to protect their (employer’s) products from fellow DEF CON attendees, we’ll also cover the configuration checker functionality that can be used to avoid common U-Boot pitfalls.

Developer Bio:
Jon Szymaniak is Principle Security Consultant in NCC Group’s Hardware & Embedded Systems Services team and a former embedded systems engineer. His areas of interest include U-Boot, Linux, Yocto, and firmware reverse engineering. Through both his day job and hobby hacking adventures, he’s enjoyed exploring and exploiting boot ROMs, automotive ECUs, Android-based platforms, and a myriad of Internet-connected things that shouldn't be.

URLs:
GitHub: https://github.com/nccgroup/depthcharge
Documentation: https://depthcharge.readthedocs.io

Blog Posts and Prior Presentations:Detailed Explanation:
Additional detail can be found here in the project documentation:
https://depthcharge.readthedocs.io/e...is-depthcharge

The Depthcharge project aims to allow hackers, security practitioners, and engineering teams a way to “work smarter” when attempting to root a device or evaluate its security posture. This not only includes gaining control of a target’s U-Boot execution, but also leveraging the bootloader as a vantage point to further explore the target system.

The Python 3 Depthcharge API can be leveraged to enumerate functionality exposed by a U-Boot console and identify memory read/write primitives. Memory access abstractions built atop of these primitives seek to make dumping device firmware quicker and more robust, and custom payload deployment easier. With its colorized serial monitor, Depthcharge provides a more pleasant environment for hacking around and scripting while within a device’s U-Boot console. The “Companion” firmware extends Depthcharge reach into a target platform, allowing it to act as a “malicious” peripheral device (e.g. on an I2C bus). While much of the project focuses on console exposure, it also include some data structure identification (e.g. stored environments) functionality aimed at situations where such functionality is not available. For engineers and those on the “blue team” — build configuration checker functionality can help raise red flags and detect U-Boot pitfalls much earlier in the product development lifecycle.

Target Audience:
Hardware / Embedded Systems - Both “offense” and “defense” within this audience

I believe the Depthcharge Demo Lab can show that there’s more interesting hackery to be had within the U-Boot boot loader, and that we can work much smarter when we encounter it. Given that I tend to see discussions of U-Boot limited to unprotected IoT junkware, I’ve always been bummed that folks don’t seem to get to appreciate the joy of circumventing secure boot mechanisms, or otherwise leveraging their U-Boot environment to start exploring a hardware platform and its SoC from a lower level vantage point.

Whether it be folks enjoying the abuse of a CRC32 feature as an arbitrary memory primitive, or just gaining an appreciation for how U-Boot exports functionality for use by “stand alone applications” — I hope to share some new tricks and get people excited about hacking deeper on their devices. Demos will be based upon my earlier work bypassing a (now patched) 2019 Sonos vulnerability, as well as some “previously seen on client work” vulnerabilities modeled on development kits to protect the (not so?) innocent.

Warranty voiding and custom firmware development shall be strongly encouraged.