Jay Lagorio - Tear Down this Zywall: Breaking Open Zyxel Encrypted Firmware



    Jay Lagorio, Independent Security Researcher

    Presentation Title: Tear Down this Zywall: Breaking Open Zyxel Encrypted Firmware
    Length of presentation: 45 minutes

    How do you go bug hunting in devices you own when the manufacturer has slapped some pesky encryption scheme on the firmware? Starting from an encrypted blob of bits and getting to executable code is hard, and it can be even more frustrating when you already know the bug is there and just want to see it! Join me on my expedition to access the contents of my Zyxel firewall's firmware using password and hash cracking, hardware and software reverse engineering, and duct-taping puzzle pieces together. We'll start with a device and a firmware blob, flail helplessly at the crypto, tear apart the hardware, reverse engineer the software and emulate the platform, and finally identify the decryption routine – ultimately breaking the protection used by the entire product line to decrypt whatever firmware version we want.
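The first decision in the expedition above is what kind of blob you are holding: flat noise with nothing carvable (encrypted), noise with a container header (compressed, so binwalk can carve it), or plaintext with code and strings. As an added example that is not code from the talk, from Zyxel or from binwalk, the Python script below does that triage the way binwalk's -E entropy scan and its signature scan do it: a windowed Shannon-entropy pass plus a check for a few well-known magics. The thresholds, the magic table and the sample image are my assumptions; the sample is constructed in memory and is not real firmware.

```python
import math
import random
from collections import Counter

# Added example: binwalk-style entropy and signature triage of a firmware blob.
# Not code from the talk or from Zyxel; the thresholds, magic table and sample
# image below are assumptions chosen for illustration only.

# A small subset of the container/executable magics binwalk would report (assumed).
SIGNATURES = {
    b"hsqs": "SquashFS (little-endian)",
    b"\x1f\x8b\x08": "gzip",
    b"\x27\x05\x19\x56": "uImage header",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP local file header",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for constant bytes, 8.0 for uniform."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes, window: int = 4096):
    """Yield (offset, entropy) for consecutive non-overlapping windows, like binwalk -E."""
    for off in range(0, len(data), window):
        yield off, shannon_entropy(data[off:off + window])


def classify(data: bytes, window: int = 4096, high: float = 7.8, low: float = 6.5):
    """Merge consecutive windows with the same label into (start, end, label) regions.
    Assumed rule of thumb: 'high' (>= `high` bits/byte) looks encrypted or compressed,
    'low' (<= `low`) looks like code, text or erased-flash padding, anything else 'mid'."""
    regions = []
    for off, h in scan(data, window):
        label = "high" if h >= high else ("low" if h <= low else "mid")
        end = min(off + window, len(data))
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((off, end, label))
    return regions


def find_signatures(data: bytes):
    """Return sorted (offset, name) hits for every magic in SIGNATURES."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos >= 0:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def looks_encrypted(data: bytes, window: int = 4096, high: float = 7.8, frac: float = 0.95) -> bool:
    """True when at least `frac` of the windows are high-entropy AND no known magic is
    present: a flat line near 8 bits/byte with nothing carvable is the 'encrypted blob'
    case. Compressed images are high-entropy too, but normally expose a container magic."""
    ents = [h for _, h in scan(data, window)]
    if not ents:
        return False
    mostly_high = sum(1 for h in ents if h >= high) / len(ents) >= frac
    return mostly_high and not find_signatures(data)


def build_sample_image() -> bytes:
    """Constructed 36 KiB test image (not real firmware): 16 KiB of seeded pseudo-random
    bytes standing in for an encrypted region, 8 KiB of erased-flash 0xFF padding,
    4 KiB of repeated ASCII, then a SquashFS magic followed by 8 KiB of pseudo-random
    bytes standing in for compressed filesystem data."""
    rng = random.Random(0x5A)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    encrypted_like = noise(16384)
    padding = b"\xff" * 8192
    text = (b"firmware-version: 0.0.0\n" * 200)[:4096]
    squashfs_like = b"hsqs" + noise(8188)
    return encrypted_like + padding + text + squashfs_like


if __name__ == "__main__":
    img = build_sample_image()
    for start, end, label in classify(img):
        print(f"0x{start:06x}-0x{end:06x} {label}")
    print("signatures:", find_signatures(img))
    print("whole image looks encrypted:", looks_encrypted(img))
    print("first 16 KiB looks encrypted:", looks_encrypted(img[:16384]))
```

Reading the result: a region near 8 bits/byte everywhere with no signature hits is the starting point the abstract describes, and the only ways forward are the key or the routine that applies it. High entropy next to a SquashFS or gzip magic is compression, which binwalk will carve. A ZIP local-file header whose members refuse to extract is the case the John the Ripper and bkcrack references address: legacy ZipCrypto leaves the local headers and filenames in the clear, so you get password cracking for free and a known-plaintext attack if you can guess about a dozen bytes of any member's contents.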

    SPEAKER BIO(S)

    Jay Lagorio, a software engineer and independent security researcher, has been building computers and networks and finding ways to break them for nearly his entire life. Being a nerd who likes to dig too far into things spilled over into the real world, and he accidentally became a licensed private investigator. Releaser of the occasional tool or writeup on GitHub, he wishes he had enough time to do all the hacker things and crush griefers in GTA Online every day. He received a B.S. in Computer Science from UMBC and an M.Eng. from the Naval Postgraduate School.


    Twitter: @jaylagorio
    GitHub: @jaylagorio
    Web: https://lagor.io/



    REFERENCES:

    - Undocumented user account in Zyxel products (CVE-2020-29583): https://eye.security/en/blog/undocum...cve-2020-29583

    - Conversation with Niels Teusink via Twitter DM to get vulnerable firmware, ask whether he'd mind if I turned my work into a talk (he said go for it, screenshots can be provided)

    - Cracking a Zip File Password with John the Ripper: https://www.golinuxcloud.com/john-th...ohn_The_Ripper

    - Crack legacy zip encryption with Biham and Kocher's known plaintext attack: https://github.com/kimci86/bkcrack

    - Datasheet for Samsung K9F1G08U0 NAND Flash: https://www.datasheetarchive.com/K9F...datasheet.html

    - Datasheet for Phison PS2251-50-F USB Flash Controller: https://www.kynix.com/Detail/246017/PS2251-50-F.html

    - Motherboard USB Pin-out diagram: https://frontx.com/cpx108_2.html

    - Win32DiskImager: https://sourceforge.net/projects/win32diskimager/

    - Binwalk: https://github.com/ReFirmLabs/binwalk

    - "USGs Firmware Thread" comment about zld_fsextract: https://www.dslreports.com/forum/remark,26961186

    - Ghidra: https://ghidra-sre.org/

    - QEMU Usermode Emulator: https://wiki.debian.org/QemuUserEmulation

    - EMBA Firmware Analyzer: https://github.com/e-m-b-a/emba
