Re-enabling JTAG and Debugging the WRT120N

After de-obfuscating the WRT120N’s firmware, I started taking a closer look at the code, which runs the now-defunct SuperTask! RTOS.

Thanks in no small part to copious debug strings littered throughout the code and some leaked Atheros datasheets, I made good progress in statically disassembling the code. The next step was to start debugging the system while exercising some of the router’s services.

The WRT120N does have a JTAG port (labeled J8), which appears to conform to the MIPS EJTAG standard header:

The WRT120N JTAG header

The WRT120N JTAG header

It didn’t work right out of the box though:

$ sudo openocd -f flyswatter2.cfg -f wrt120n.cfg 
Open On-Chip Debugger 0.7.0 (2014-01-05-12:41)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.sourceforge.net/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'jtag'
adapter speed: 6000 kHz
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain connect_deassert_srst
trst_and_srst separate srst_nogate trst_push_pull srst_open_drain connect_assert_srst
adapter_nsrst_delay: 100
jtag_ntrst_delay: 100
mips.cpu
Info : max TCK change to: 30000 kHz
Info : clock speed 6000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: mips.cpu: IR capture error; saw 0x1f not 0x01
Warn : Bypassing JTAG setup events due to errors
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff
Error: Error writing unexpected address 0xffffffff

It turns out that JTAG has been disabled in hardware and in software on the WRT120N. Luckily both were relatively easy to fix.

Continue reading

Reversing the WRT120N’s Firmware Obfuscation

It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look.

The latest firmware update for the WRT120N didn’t give me much to work with:

Binwalk firmware update analysis

Binwalk firmware update analysis

As you can see, there is a small LZMA compressed block of data; this turned out to just be the HTML files for the router’s web interface. The majority of the firmware image is unidentified and very random. With nothing else to go on, curiosity got the best of me and I ordered one (truly, Amazon Prime is not the best thing to ever happen to my bank account).

Continue reading

Reverse Engineering Serial Ports

Given the name of this blog and the number of requests that I’ve had, I think it’s high time we discussed serial ports; specifically, serial ports in embedded systems.

My goal here is to describe the techniques that I’ve found effective in identifying and reverse engineering embedded serial ports through the use of definitive testing and educated guesses, and without the need for expensive equipment.


Introduction

Serial ports are extremely useful to embedded developers, who commonly use them for:

  • Accessing the boot loader
  • Observing boot and debug messages
  • Interacting with the system via a shell

Needless to say, this functionality is also useful to hackers, so finding a serial port on an embedded device can be very advantageous. As a case study, we’ll be examining the PCB of a Westell 9100EM FiOS router for possible serial ports:

Westell 9100EM PCB

Continue reading

Hardware Hacking With Python

In preparation for our Embedded Device Exploitation classes, I’ve just released my latest project, the Gumbi board:

New Gumbi boards, fresh off the press

The Gumbi board provides a flexible USB interface to the real world in the form of 64 digital I/O pins – all controllable from the comfort of your Python shell, allowing you to rapidly prototype and create new tools for interfacing with external devices.

Take flashbin for example, an open source flash programmer I’ve written for working with external parallel flash chips.

Although popular for firmware storage, parallel NOR flash chips are particularly difficult for hobbyists/hackers to work with because their interface typically requires 30 to 40 I/O pins (or more!). This tends to result in error-prone wiring that has to be re-wired whenever you need to interface with a different chip:

Using the Gumbi board however, everything can be defined (and re-defined) in software. Just plug the chip in, create a flashbin config file that defines the pin configuration for your target chip, and you’re ready to go:

A 4MB NOR flash chip connected to the Gumbi board via a ZIF socket adapter

Dumping firmware from the 4MB flash chip with flashbin

Continue reading

Telegraph Relay Controller

A bit of old-school hacking today. 🙂

I picked up an old J.H. Bunnell telegraph relay, which from what I’ve been able to deduce is a mainline type 2-3 relay made sometime in the late 1800’s. It was missing a few parts, but a binding post from the junk box and a spring from an old floppy drive soon fixed that. I hooked it up to the power supply and hey, whaddya know, it still works!

J.H. Bunnell Relay

Manually turning the relay on and off is fun, but I figured I could do better. So, I programmed an AVR micro controller to tap out some morse code on the relay. The relay draws a little over half an amp at 12 volts, so there’s no way the AVR was going to drive it directly; instead the AVR controls a simple transistor switch that trips the relay. The result? Pure awesomeness:

Now to maybe find some practical use for it. I’m thinking some sort of early-warning system is in order.

Speaking SPI & I2C With The FT-2232

For a while now I’ve been looking for an easy way to interface with external SPI and I2C devices over USB in a manner that can be easily integrated into future projects as well as used in a simple stand-alone system.

Although there are many existing SPI/I2C interface solutions, most of them are microcontroller based and connect to the PC though a USB to serial converter. This works fine, but I wanted something with a bit more speed while also remaining simple, cheap, and readily available.

After some searching, the FTDI FT-2232 family of chips seemed to fit the bill nicely. Although they are more commonly used to interface with JTAG devices, the FT-2232’s Multi-Protocol Synchronous Serial Engine (MPSSE) also supports the SPI and I2C protocols, clock rates of up to 30MHz, and a full-speed USB interface. Development boards are also cheap – the UM232H is $20 from DigiKey or Mouser in single quantities.

I’ve written libmpsse, a Linux wrapper library around libftdi that provides an easy to use API for interfacing with SPI and I2C devices using C and Python.

So how does this relate to hacking embedded systems you ask? Let’s take a look…

Continue reading