JOE GRAND: Hello, hello, hello! Hello! Wow! It works. Good. You guys ready to JTAGulate? We'll have a group JTAGulating system. Did you bring all the JTAGulating Kleenex and stuff? I did.

I'm Joe Grand. I'm an electrical engineer and a hardware hacker and...

AUDIENCE MEMBER: We saw you on TV.

JOE GRAND: Yes, I have been on TV.

AUDIENCE MEMBER: Rich and famous.

JOE GRAND: Not rich and famous.

AUDIENCE MEMBER: Just famous.

JOE GRAND: JTAGulator is something I put together that will let you hook up to 24 unknown test points on a circuit board and it will detect a JTAG interface, which is a debug interface, or a UART, and so I will go through sort of an introduction about the design, the process, JTAG, how UART works and then give you demos of all of this stuff.

So on-chip debug interfaces are basically the Achilles heel of embedded systems, and you have people hacking cars.
Those are traditionally software guys, and you have lots of other people looking at embedded systems in hardware that don't come from this place, and on-chip debugging is one of those ways that you can totally own systems. If you find the interface, you can win a lot of times. So it's a well known attack vector. The problem is being able to find the interfaces. The one thing that we can take advantage of is engineers need to use this to design their product and test their product, and during manufacturing they would do the final testing. Vendors know it is vulnerable but they usually don't do anything about it.

The goal for the project is just to create a tool that will get people interested in hacking devices, in hardware hacking, especially for non-hardware folks that don't have the equipment or the time to go through everything and remove chips and all of that crap. It's to get it done, and get it done right, and find the interface and then start hacking.

As with anything, you are sort of building on other work and this is no exception.
I first had seen some work about JTAG with Hunz's JTAG Finder, which was a proof of concept from 2006 that it was possible to brute force or enumerate through all the different test points of JTAG. That was pretty cool. He did it on an Atmel development board. That was as far as he went with that. I thought, okay, there's some work out there.

I saw JTAGenum and this was better than the original proof of concept. He was using an Arduino for the platform, which limited things to either 3.3 volts or 5 volts; the code left much to be desired. They didn't have input protection and just a bunch of stuff. I wanted to build a tool that I can recommend to people. If you don't have the protection, or certain things in there, you can fry your target board and that's not a good idea.

And then Cyber Fast Track, which is a really cool program. I did this research and I wrote this proposal for Cyber Fast Track. All of my friends are doing CFT and I want to get paid to do JTAGulator and it would be totally awesome. It didn't actually work out that way. (Laughter). They said, too much engineering. Sorry. Not enough research.
At that point I had already done all the work to get to that point, the proposal and the studying of JTAG, and I was like, forget it, I will do it anyway and get it out anyway and not get paid while I do it, and this is the result of that effort.

There's a bunch of other work: Travis Goodspeed, and some black box reverse engineering that Felix Domke did a few years ago, trying to brute force undocumented JTAG commands, where we are taking advantage of existing things and he's taking advantage of other things, and then the Forensic Institute, about this sort of JTAG discovery but in a different way.

So first we have to identify interfaces before we even try to hook up JTAGulator to it. External interfaces are things we don't even have to open up the product to look for. They are accessible to the outside world and usually they are intended for engineers and manufacturers and not for end users. So you see them hidden under batteries or stickers or covers or something on the back of the device or somewhere on the device. It's for final system test, maybe a proprietary connector. So if you look up there, we see a Garmin GPS.
I think that's a serial interface in this example, an RSA SecurID token with five pins. They once told me that's only for programming the device. I don't know if that's true or not. I guess it doesn't matter anymore, but it's a good picture. And then the other one is from the Jawbone, the wristband accelerometer. There's a button on the end that you can do something with, and then if you take the cap off, you see the buttons in the center and there's four posts on the final. So if you can discover the interface, then you have to figure out what to do with it. Those are external interfaces.

The internal interfaces. Sometimes you need physical access and sometimes you need to get to the circuit board; that's not a big deal. That's the excuse that vendors say, they have to have physical access. That's just a total fallacy. There's lots of ways to get physical access to things. So you look for things like test points, unpopulated component pads, silkscreen markings that might give you some information about, here's some interesting test points or here's the name of the interface.
Engineers like to put things on the circuit boards that make their job easier and make the assembly facility's job easier. The picture on the right is a very obvious interface. There's four gigantic holes there, four gigantic pads or test points. And it says VBAT, I2C clock and data. You know that's an I2C interface. We don't need a JTAGulator, we can hook up a bus. The engineer was nice and made it obvious for us.

The one on the right, that's one of the BlackBerry devices. In that case, there's kind of test points sprinkled all over the place, but there's a very obvious grouping of test points, and I would look at that and say that's some sort of interface; usually connections or signals that perform a similar function are all together. So a bus would all be there. It's a debug interface. It's JTAG.

Sometimes it gets even easier. So these examples, one is from the Xbox on the right and the one is from Barnaby Jack's talk a few years ago. You see nice silkscreen markings around the whole thing, and on the left, in the Barnaby Jack case, that was the ATM. He showed the JTAG using an industry standard interface; it said JTAG.
He just got his off the shelf tools, plugged it right in and started his pwnage. So no hardware or reverse engineering necessary at that point. So we can take advantage of that. JTAGtest.com has a number of pinouts. If you have that, you don't need a tool like JTAGulator; you just plug in.

It gets a little harder if there's no obvious markings. We could take advantage of grouping of traces, and so the picture on the left is six test points and you can see all the traces are going down together. That's probably some sort of interface. Right on the edge of the board and very easy to access, and that would be a target interface for us. You can take into account the location of resistor arrays or pull ups or pull downs on different bus lines, because those are normally used to set the static interface. So if we see a resistor array next to a connector, okay, that connector is probably a bus that needs pull ups and pull downs. That's a target. Let's take a look.

Things get a little bit harder when there are no obvious test points. So things like this, where we have just four unpopulated component pads in place of a connector or in place of test points.
So this is a Buffalo wireless access point. Trying to be sneaky. Right? So they have these unpopulated R24, R29, 315 and 316, and they are trying to obfuscate. As soon as you discover what that pinout is, then you win. It is not going to change device to device. Now you know. So security through obscurity doesn't work. We say it all the time and it's true.

Currently you have to manually determine pin function. Right, you look at a grouping like that grouping of BlackBerry pins, okay, grab, what will I try to do. You can use your oscilloscope and see what's going on. I like to see if I can trace the signal back to a microcontroller, to some sort of device. I will use a continuity test. If it's a BGA part, that's going to get a lot harder, right, because you can't access the balls underneath the part. So probing only gets you so far. You can use x-ray, if you have access to x-ray equipment. Which is becoming more common, but still, you know, you don't really have one at your house, I hope. Some people do. I won't ask for what.
And then look up the datasheet and find the pinouts and see if they trace out anywhere. That's sort of the standard manual process. It's fine for certain things. It's totally valid, but for other devices like highly integrated mobile phones, you can use your scope, logic analyzer and see how the state changes as you pull the pins high and low; it's a total pain in the ass. And I will show you why the JTAGulator is better. But not yet.

So I will go into some details of JTAG and of UART, of asynchronous communication and how all the technology works, and then it will make sense when we brute force the connections, you will understand. It makes total sense.

So JTAG is one of these interfaces; it's an industry standard interface and it's basically the IEEE 1149.1 standard. It has low level functionality and basically, the vendor might add extra functionality or abstract that low level stuff. We don't care what happens at a higher level. We want to communicate directly with the chip to figure out the pinout. That's the only goal. The beauty of JTAG, as opposed to the more vendor specific interfaces, is we can access every single individual pin on the device. So we can send it out.
We can read data in on every single pin. That's what allows it when you do Flash updates through JTAG on a device, because we control the main CPU and we are basically treating it as a puppet, and now we can communicate with everything that that thing is connected to. So we can program devices. We can do debug and essentially use standard development tools to now communicate with these parts. As opposed to some of the other interfaces as well, which is why JTAG is so popular.

You can chain connections and devices. You can have a single interface, but then you can have two or three parts on the board that you can communicate with through that single interface, or even multiple dies within the same part. So you might have a CPU, memory and like a crypto coprocessor, or a codec. JTAG has varying lengths once you figure that out, and I will talk about that. And the vendor, again, will abstract all of the low level stuff. Once we know the pinout, we can load legitimate tools that the vendor makes or some of the other open source stuff that's out there and then start our attack process.
JTAG is synchronous, which means it's a serial interface with input and output and we need a clock to align itself, to synchronize that data flow. So we have TDI, which is data in; we have data out; test mode select and clock. Mode select is what we use to change the state of the system, and I will show you a diagram on the next few slides. We change state to change function or to load an address or load an instruction. I think of JTAG as a tiny little CPU that you can send a finite number of commands to.

You have test reset, which is an optional pin. Sometimes you see it on boards, sometimes you don't. All it's used for is to reset the TAP, the test access point, asynchronously; you can do it by holding TMS high and clocking five cycles, which is what we do. You don't need the external test reset pin, so we don't look for it because we don't care about it.

We have the TAP and it has different shift registers that we can take advantage of. So the first one is the instruction register. This is where you would load in a low level JTAG instruction. It has to be greater than two bits wide. That's per the spec.
Usually it's like an 8 bit instruction or 16 bit instruction, and then for data registers, you have a bypass register that we will take advantage of. It's a one bit register where you shift information in and then you get data out. That's what you can use to bypass one chip and get to another chip in the chain.

Then you have boundary scan. That will be the definition of how you access every single pin. So you know the length of the register that it needs to be, and that will be defined by how many pins the part has, but so the boundary scan, you shift data into this gigantic register and then you can latch everything at once. And then the device ID, which we also take advantage of for a different type of scan; it's a 32 bit register, it's not required in the spec, but pretty much every device out there will have a device ID. I wanted to make another way to test in case it didn't have a device ID; we can do it with a bypass scan.

Here's a quick little view of the JTAG, the high level JTAG view. You have the core logic in the center of the chip and then the BSC cells attached to each I/O pin.
That will control inputs and outputs, which is totally crazy, to control a chip like that. It's really cool. And then you have your data register and instruction register, and depending what you shift in and depending what state you are in defines which register is going to be shifted out on the TDO line.

So here's the TAP controller. This is the state machine. It looks a little bit confusing, sort of like spaghetti, but it's very simple. You are either shifting in to work with the data register or you are shifting in to work with the instruction register. Then you can latch it and exit it and shift data out. So it's not as complicated as it seems, and I had read through all of the IEEE standards and they make this stuff so boring and so complicated, but it doesn't have to be. And I think that's just one of those things. It's like, why? I don't know if people just write this stuff to look smart. And then it's our job to like distill it and make it not smart. Right? So this stuff is not as complicated as it looks. And, again, we don't care about anything above this low level.
So these are the JTAG instructions that are available. I don't know how well you can see that slide. There's three required commands, and then a bunch of optional ones. Everything else, all the debug functionality that might be available on a part, anything else that's vendor specific, is at a higher level. At a lower level, it's shifting things in, calling commands and shifting stuff out of the data registers. Maybe they add data registers for other memory locations or debug stuff, or a command to read memory or write memory. The things we take advantage of are the bypass command and then the ID command.

If you do this enough, you will run into JTAG implementations that do have some sort of protection. But like anything else, most people don't use protection. Right? (Laughter). It's pretty safe to say. Especially at DEF CON. But you do run into it once in a while. Vendors are aware of what's going on. But making changes in silicon is really hard. Even if a vendor knows about JTAG and they try to do some password protection, they have to update everything else that uses JTAG.
You could see physical security fuses that are blown on the chip to prevent JTAG access from happening at all. Of course, once you do that, then the vendor can't use it as well. So it's a risky maneuver. Could you do silicon die attacks to physically repair that and then get to the device through JTAG? Some devices have some sort of password protection. So we can still use it to determine the interface. But then at that point we have to figure out how do we bypass that password protection? There is one case I heard of, maybe more, but here is one example of a device that had internal Flash memory that would erase after invalid attempts. It was in a volatile memory somewhere. Could you figure out what the upper limit is and then just do some number of password brute forcing, reset the device and do more?

Once you do find the JTAG interface, you can use a bunch of available hardware tools, H-JTAG, and RIFF Box. We only care about finding the interface, and then you use tools designed to use JTAG at a higher level. There's no point in recreating the wheel, and then you can use some of the open source software stuff as well. So that's JTAG.
UART is similar. We used some serial interface. So UART is an asynchronous serial communications method. So there's no external clock. All of the bits are sort of determined by time. So if we have that time right, then the data bits will line up. So you have like, start bit, data bit. JTAGulator is checking ports for UART. We would have to fiddle with the setting with the terminal. So it is asynchronous. We are looking at two lines. We are looking at TX and RX. So then we will send data to the device and then we will check for information on the other pins. The stuff for legacy type of equipment, modems and teletypes, we are not looking at those because we normally don't need those.

Here's a little screenshot of the UART, just showing data communications. I have digital data on my scope and I can see the data being transferred, and then to determine the baud rate. So say you do discover the interface but the baud rate is not lining up; you can measure the smallest bit time, the bit width, and do one over that and you have the baud rate. It's 8.7 microseconds and around 115.2 kilobits per second. All right.
So a little bit of hardware about JTAGulator. As with lots of stuff that I design, I want it to be open sourced and hackable and usable. I don't want it to be over complicated. I don't want to try to show off how smart I can be. Because I'm not that smart, but I want something that you guys can use. That's the whole point.

Everything is done through the USB port to a host, and I will give you a demo of that. It has proper input protection. You can hook up to a device. We don't know what we are looking at. We are just looking at a board. We don't know if we are connecting to proper voltage levels that will work with our part. We have input protection and adjustable target voltage, and we can match the target voltage of the device so we are not damaging that device. All components are off the shelf and you can get them from Digi-Key. You can solder them if you want. I did four and I said, I'm done. I will let Parallax.

We have a Parallax Propeller in the center, which is a great tool for hacking.
411 00:22:33,125 --> 00:22:37,417 We have a standard, USB to serial interface and that 412 00:22:37,417 --> 00:22:42,999 will provide power to the USB and provide our programming interface 413 00:22:42,999 --> 00:22:45,999 and our command interface. 414 00:22:46,167 --> 00:22:46,999 I'm using a D to A. 415 00:22:46,999 --> 00:22:52,250 I'm using an op amp to so 1.2 to 2.3 and I will go through details of each 416 00:22:52,250 --> 00:22:55,999 of these parts and then the voltage level translators 417 00:22:55,999 --> 00:23:00,250 to translate the voltage and some power stuff. 418 00:23:01,083 --> 00:23:02,709 Here's the board. 419 00:23:02,876 --> 00:23:08,292 I figured it had to be pink with a heavy metal JTAGulator logo. 420 00:23:08,292 --> 00:23:09,417 Someone is clapping. 421 00:23:09,417 --> 00:23:10,417 Someone likes pink. 422 00:23:10,417 --> 00:23:11,417 I like pink too. 423 00:23:16,999 --> 00:23:19,292 (Applause) Here's the basic setup. 424 00:23:19,626 --> 00:23:23,250 And so there's 24 channels either through screw terminals or the two 425 00:23:23,250 --> 00:23:27,999 by five headers which are compatible with the Buss probes and then you plug 426 00:23:27,999 --> 00:23:32,125 into the headers and you have mini clips you can use. 427 00:23:32,542 --> 00:23:35,626 Depending on what your interface is, you can use either one. 428 00:23:39,626 --> 00:23:42,083 So the Propeller is the core of the system. 429 00:23:42,083 --> 00:23:44,626 For those of you guys that aren't familiar, it's 430 00:23:44,626 --> 00:23:47,999 a it's a device completely built from the ground 431 00:23:47,999 --> 00:23:52,209 up by Parallax meant to be a device that's fun to work 432 00:23:52,209 --> 00:23:57,250 with and kind of fun to hack on and fun to develop with. 
433 00:23:57,250 --> 00:24:00,999 Chip Gracey grew up with 6502 and hacking ZAD and he's 434 00:24:00,999 --> 00:24:05,459 a hardware hacker to the core and he was just kind of tired 435 00:24:05,459 --> 00:24:08,792 of all the restrictions of different types 436 00:24:08,792 --> 00:24:12,125 of tools and NDAs and this crap. 437 00:24:12,125 --> 00:24:13,125 He built his own. 438 00:24:13,709 --> 00:24:19,375 It has eight independent cores called cogs and some time slicing of that. 439 00:24:19,375 --> 00:24:20,999 You can code it in Spin or assembly or C. 440 00:24:20,999 --> 00:24:23,999 There's a bunch of new tools that are being developed 441 00:24:23,999 --> 00:24:26,876 that are cross platform tools. 442 00:24:26,959 --> 00:24:30,709 For now you can do PC and Mac at least with Spin and 443 00:24:30,709 --> 00:24:35,501 the open source Spin tool should be coming out soon. 444 00:24:36,999 --> 00:24:40,459 If you were here last year, DEF CON 20, right, do you have DEF CON 445 00:24:40,459 --> 00:24:41,999 20 badges? 446 00:24:42,959 --> 00:24:45,501 Those are all Propeller processors. 447 00:24:45,626 --> 00:24:47,999 So in theory, you could load the JTAGulator code 448 00:24:47,999 --> 00:24:51,209 on to your badge and hook up to stuff but you don't have 449 00:24:51,209 --> 00:24:55,709 the target voltage settings but you could if you want to. 450 00:24:55,999 --> 00:24:58,292 The other cool thing about the Propeller, like some 451 00:24:58,292 --> 00:25:03,125 of the other hobbyist platforms, there's a huge amount of code sharing. 452 00:25:03,125 --> 00:25:04,125 So Parallax. 453 00:25:07,083 --> 00:25:09,334 , I want to do the debug interface through serial 454 00:25:09,334 --> 00:25:10,999 and grab that. 455 00:25:10,999 --> 00:25:12,626 You can put that stuff up there. 456 00:25:12,626 --> 00:25:14,876 It's a cool hacker developer community. 
457 00:25:14,876 --> 00:25:17,542 We're running at 80 megahertz which leaves lots 458 00:25:17,542 --> 00:25:20,918 of possibilities for detecting interfaces and generating 459 00:25:20,918 --> 00:25:24,083 all different sorts of things to go further with devices 460 00:25:24,083 --> 00:25:25,999 if you want to. 461 00:25:26,876 --> 00:25:29,999 The Prop has 32K of RAM and the boot loader 462 00:25:29,999 --> 00:25:35,083 is in ROM and each cog has 2K and, yeah, it's a good part. 463 00:25:37,999 --> 00:25:41,167 USB interface, the standard FTDI part, so it will work, it 464 00:25:41,167 --> 00:25:44,250 will just be recognized as a virtual serial port on any machine, 465 00:25:44,250 --> 00:25:47,083 any machine that recognizes this virtual COM port, 466 00:25:47,083 --> 00:25:50,083 you can communicate with JTAGulator. 467 00:25:54,375 --> 00:25:56,999 I have a MIC2025, you are not just supposed to plug 468 00:25:56,999 --> 00:26:01,083 in a device into USB and just let it go to full power right away. 469 00:26:01,417 --> 00:26:04,417 During enumeration, you are supposed to just record 470 00:26:04,417 --> 00:26:10,334 or you are only given 100 milliamps and you are supposed to enumerate. 471 00:26:11,667 --> 00:26:14,626 We are only enabling the FTDI part. 472 00:26:14,626 --> 00:26:16,999 And then once it says you are enumerated, you are ready to go 473 00:26:16,999 --> 00:26:19,459 to the rest of the system. 474 00:26:19,459 --> 00:26:21,083 That's the safe way to do it so we are not damaging any 475 00:26:21,083 --> 00:26:22,501 USB ports. 476 00:26:23,626 --> 00:26:25,334 Target voltage. 477 00:26:25,584 --> 00:26:29,083 From one of the pins on the Prop and the duty cycle 478 00:26:29,083 --> 00:26:33,083 will determine what the output voltage is. 
479 00:26:33,083 --> 00:26:37,918 I have a little RC filter and an op amp, very similar to a D 480 00:26:37,918 --> 00:26:42,125 to A and I have a lookup table that actually defines 481 00:26:42,125 --> 00:26:48,334 the duty cycles and we can be very fine in our output voltage. 482 00:26:48,584 --> 00:26:51,751 I picked the AD8600 because it has a high output. 483 00:26:54,999 --> 00:27:00,999 We can get 15 milliamps through that part for our voltage range. 484 00:27:01,083 --> 00:27:04,417 Maybe we need to use the adjustable target voltage. 485 00:27:04,459 --> 00:27:06,999 It's the VADJ line. 486 00:27:06,999 --> 00:27:08,792 If we want to use that to maybe power something 487 00:27:08,792 --> 00:27:12,709 on the target board or maybe do some extra circuitry with whatever we need 488 00:27:12,709 --> 00:27:16,125 to do, 150 milliamps is a pretty decent amount. 489 00:27:17,792 --> 00:27:25,792 Level translation, I'm using the TXS01, which will convert our 3.3 voltage 490 00:27:25,792 --> 00:27:31,999 to our VADJ level, our adjustable voltage level. 491 00:27:34,918 --> 00:27:37,292 And then it has this high impedance state if we disable 492 00:27:37,292 --> 00:27:39,334 the output enable line. 493 00:27:39,334 --> 00:27:41,918 So we can connect all of our test points up, while 494 00:27:41,918 --> 00:27:45,501 the thing is not driving the lines at all. 495 00:27:45,501 --> 00:27:47,584 So we don't cause something to happen when we are not ready 496 00:27:47,584 --> 00:27:49,626 to start our search. 497 00:27:51,083 --> 00:27:53,584 And then the input protection, which we need, that's 498 00:27:53,584 --> 00:27:56,918 because we don't know what we are connecting to. 499 00:27:56,918 --> 00:28:00,209 So we have diode limiter clamps that will clamp to some level 500 00:28:00,209 --> 00:28:05,083 of negative voltage and some level of high voltage and also we have 501 00:28:05,083 --> 00:28:08,834 a current limiting resistor in there. 
502 00:28:08,834 --> 00:28:10,584 For each channel we have this set up. 503 00:28:10,999 --> 00:28:14,999 So as long as our forward voltage for these diodes that we are using is 504 00:28:14,999 --> 00:28:18,999 less than half a volt, which it is, then we are going to limit ourselves 505 00:28:18,999 --> 00:28:23,999 to the adjustable voltage plus forward voltage and minus forward voltage. 506 00:28:24,083 --> 00:28:25,083 That's our limit. 507 00:28:25,083 --> 00:28:27,999 So we are not going to damage any other of our pins 508 00:28:27,999 --> 00:28:30,834 with unknown input voltages. 509 00:28:35,083 --> 00:28:36,999 Bill of materials. 510 00:28:36,999 --> 00:28:40,083 There's quite a few parts but none of them are that expensive. 511 00:28:41,459 --> 00:28:46,083 Everything is online, around $51 from Digi-Key in single quantity 512 00:28:46,083 --> 00:28:49,626 if you feel like building your own. 513 00:28:49,999 --> 00:28:52,125 So that's the hardware design. 514 00:28:52,125 --> 00:28:53,667 Pretty straightforward and the hardware is never really going 515 00:28:53,667 --> 00:28:55,250 to need to change. 516 00:28:55,250 --> 00:28:58,584 Maybe we want to develop some plug in module to do higher voltages 517 00:28:58,584 --> 00:29:03,999 for SCADA or industrial equipment, but the core hardware doesn't change. 518 00:29:03,999 --> 00:29:06,083 The firmware can change, as people start hacking on stuff, 519 00:29:06,083 --> 00:29:08,167 we can add things in. 520 00:29:09,459 --> 00:29:11,876 So here's the current source tree. 521 00:29:11,876 --> 00:29:13,167 I have the main object files. 522 00:29:13,167 --> 00:29:14,334 These Spin files are the individual modules 523 00:29:14,334 --> 00:29:16,501 to keep things modular. 524 00:29:16,626 --> 00:29:19,083 So if we do a microchip. 525 00:29:20,999 --> 00:29:29,999 We can link that in, sort of like C files or H header files, whatever, you get it. 
526 00:29:38,417 --> 00:29:42,292 So main file is JTAGulator and then the serial terminal, the Parallax 527 00:29:42,292 --> 00:29:44,999 and then the JDCogSerial is something grabbed 528 00:29:44,999 --> 00:29:48,999 from the object exchange, that's a UART interface and I can just pop that 529 00:29:48,999 --> 00:29:51,375 into whatever cog I want. 530 00:29:51,375 --> 00:29:53,999 That will be doing the UART detection. 531 00:29:55,292 --> 00:29:57,584 So for actual functionality, I will go through a few of the I 532 00:29:57,584 --> 00:29:58,999 will go through the ways we are scanning 533 00:29:58,999 --> 00:30:00,999 and then give you a demo. 534 00:30:01,417 --> 00:30:03,292 The IDCODE scan. 535 00:30:03,292 --> 00:30:05,999 This is the first thing we can do. 536 00:30:05,999 --> 00:30:08,959 This is assuming the device actually supports IDCODE, 537 00:30:08,959 --> 00:30:12,000 this 32 bit device ID. 538 00:30:12,000 --> 00:30:14,999 If it's available, it will be in the data register. 539 00:30:14,999 --> 00:30:18,083 So all we have to do is enter the shift data register state 540 00:30:18,083 --> 00:30:21,375 and just send a clock and if there is a device ID, 541 00:30:21,375 --> 00:30:21,542 542 00:30:21,542 --> 00:30:24,751 it will come out on the TDO line. 543 00:30:26,459 --> 00:30:29,999 We are looking for three pins versus four pins 544 00:30:29,999 --> 00:30:33,167 for our various permutations. 545 00:30:37,042 --> 00:30:41,999 If we do get a device ID, if we get a valid one or one that we think might 546 00:30:41,999 --> 00:30:46,584 be valid, we can validate that by checking data sheets or BSDL files, 547 00:30:46,584 --> 00:30:51,709 boundary scan description files, which will define the internal structure. 
548 00:30:51,709 --> 00:30:53,876 You can find that with legitimate development tools 549 00:30:53,876 --> 00:30:56,999 and open source will list some of this stuff and maybe look 550 00:30:56,999 --> 00:31:00,250 at reference code to make sure that the device code you want 551 00:31:00,250 --> 00:31:04,209 is the right one and if you do, you have the right one. 552 00:31:04,209 --> 00:31:07,292 You can verify the manufacturer ID which 553 00:31:07,292 --> 00:31:11,751 is a specific code, assigned by JEDEC. 554 00:31:11,999 --> 00:31:15,542 You can grab the document for free. 555 00:31:15,542 --> 00:31:18,584 And then when you get the device ID from the device, 556 00:31:18,584 --> 00:31:21,584 you can make sure it's an Analog Devices part 557 00:31:21,584 --> 00:31:26,459 or Qualcomm part to see if that data is actually correct. 558 00:31:27,250 --> 00:31:30,999 So the way the scan works, it will ask for the number of channels 559 00:31:30,999 --> 00:31:33,918 to use, and then for every possible pin permutation, 560 00:31:33,918 --> 00:31:37,209 it will go through, try to get the device ID. 561 00:31:37,209 --> 00:31:40,999 If it reads all ones or in the final if bit zero is not one then we 562 00:31:40,999 --> 00:31:43,083 will ignore it. 563 00:31:43,083 --> 00:31:47,417 If we get something with a bit zero of if we get if bit zero does not 564 00:31:47,417 --> 00:31:51,999 if bit zero does not equal one, we ignore it. 565 00:31:51,999 --> 00:31:54,999 If it equals one, it's potentially a good device ID. 566 00:31:55,375 --> 00:31:57,959 There's still human interaction. 567 00:31:58,999 --> 00:32:01,667 Hopefully you don't get a lot of false positives. 568 00:32:04,999 --> 00:32:07,125 So that's IDCODE scan. 569 00:32:07,125 --> 00:32:12,083 Bypass scan, we can get TDI as well. 570 00:32:12,083 --> 00:32:14,959 So we need to shift data coming out. 571 00:32:14,999 --> 00:32:18,083 The bypass scan takes data. 
572 00:32:18,083 --> 00:32:20,083 One clock cycle delayed as you can see. 573 00:32:24,501 --> 00:32:27,250 So by doing a bypass, we can figure out how many devices there are 574 00:32:27,250 --> 00:32:28,918 in the chain. 575 00:32:29,292 --> 00:32:31,709 Which is called blind interrogation. 576 00:32:31,709 --> 00:32:33,918 All we are doing is basically first we need to force 577 00:32:33,918 --> 00:32:36,999 all devices into bypass and on that instruction sheet, 578 00:32:36,999 --> 00:32:41,626 bypass mode you can enter in by sending a command of all ones. 579 00:32:41,918 --> 00:32:43,083 But we don't know the instruction register length, 580 00:32:43,083 --> 00:32:45,584 right because it's sort of a black box. 581 00:32:45,584 --> 00:32:49,999 So we send in a shit load of ones and flush the entire device. 582 00:32:49,999 --> 00:32:51,334 We do 1,021 ones. 583 00:32:53,542 --> 00:32:56,334 We send a ton of ones and then we assume we are 584 00:32:56,334 --> 00:32:59,292 in bypass mode and then we load in a bunch of ones 585 00:32:59,292 --> 00:33:03,999 to the data register and flush everything full of ones and then a single zero 586 00:33:03,999 --> 00:33:08,083 and cascade it through until we see it on the output. 587 00:33:08,292 --> 00:33:10,209 Once we do, then we know, oh, okay, great and we can figure 588 00:33:10,209 --> 00:33:12,709 out the number of devices as well. 589 00:33:15,083 --> 00:33:17,999 So bypass scan does exactly what I mentioned, just 590 00:33:17,999 --> 00:33:20,999 with every different pin permutation. 591 00:33:23,375 --> 00:33:25,542 So then UART scan, now we are looking 592 00:33:25,542 --> 00:33:27,876 at the UART interface. 593 00:33:27,999 --> 00:33:30,792 It's kind of cool, because normally you can so you can 594 00:33:30,792 --> 00:33:33,918 actually send any output string you want. 
595 00:33:33,918 --> 00:33:35,334 So normally, you know, if you connect up to an interface, 596 00:33:35,334 --> 00:33:38,417 you would hit carriage return to see if you get a response, if you want 597 00:33:38,417 --> 00:33:41,999 to hang up on a modem or whatever you do, plus, plus, plus. 598 00:33:42,250 --> 00:33:43,876 Maybe escape key. 599 00:33:43,876 --> 00:33:46,083 You can tell JTAGulator what user string you want to send out on 600 00:33:46,083 --> 00:33:49,334 what it thinks is the TX line and it will look on the RX line to see 601 00:33:49,334 --> 00:33:51,584 if it gets anything back. 602 00:33:51,999 --> 00:33:56,375 It will try all different baud rates and wait 20 milliseconds to see 603 00:33:56,375 --> 00:33:58,999 if it gets a byte back. 604 00:33:59,876 --> 00:34:02,751 20 milliseconds is pretty long in computer 605 00:34:02,751 --> 00:34:04,584 time, anyway. 606 00:34:04,999 --> 00:34:07,999 If there is a valid response, it will display 16 bytes 607 00:34:07,999 --> 00:34:10,459 of data so we can quickly go through and see 608 00:34:10,459 --> 00:34:14,083 if there's any human readable stuff or something that makes sense 609 00:34:14,083 --> 00:34:16,709 for what we are looking at. 610 00:34:16,918 --> 00:34:18,459 We are doing 8N1. 611 00:34:18,459 --> 00:34:20,375 These are the standard baud rates. 612 00:34:20,959 --> 00:34:24,999 Maybe you find out the pin out, but you are not seeing data that 613 00:34:24,999 --> 00:34:26,834 makes sense. 614 00:34:26,834 --> 00:34:28,542 Like I mentioned earlier, use your scope, and figure 615 00:34:28,542 --> 00:34:31,375 out the baud rate and load into a terminal program and see 616 00:34:31,375 --> 00:34:34,999 if that helps or not, if it's a non-standard baud rate. 617 00:34:35,125 --> 00:34:36,250 Here's some timing. 618 00:34:36,250 --> 00:34:37,792 This happens pretty fast. 619 00:34:37,959 --> 00:34:39,792 IDCODE scans. 
620 00:34:40,918 --> 00:34:45,083 It's three possible pins since we are ignoring TDI 621 00:34:45,083 --> 00:34:49,125 and it's 264 permutations a second. 622 00:34:49,334 --> 00:34:52,209 Bypass mode, we have the extra pin, the TDI pin and because we have 623 00:34:52,209 --> 00:34:56,626 to flush so many ones through there, it takes a little bit longer. 624 00:34:56,626 --> 00:35:01,459 So it just happens to be 13.37 permutations. 625 00:35:01,626 --> 00:35:03,083 Totally leet. 626 00:35:04,250 --> 00:35:08,459 And you can see, you know, most of the time, it's like 2 seconds, 627 00:35:08,459 --> 00:35:12,083 5 seconds, or 13 seconds for IDCODE scan. 628 00:35:12,083 --> 00:35:14,792 At the max, it's 46 seconds for all 24 channels. 629 00:35:14,792 --> 00:35:16,999 Once you know, that usually I will do an IDCODE scan first 630 00:35:16,999 --> 00:35:19,918 to make sure there's a JTAG interface there and then I go 631 00:35:19,918 --> 00:35:23,999 to the bypass mode, the bypass scan to get that extra pin. 632 00:35:23,999 --> 00:35:25,459 It takes a little bit longer. 633 00:35:25,459 --> 00:35:27,417 Maximum time, 24 hours. 634 00:35:27,542 --> 00:35:29,999 Big deal, and you take a really long lunch break 635 00:35:29,999 --> 00:35:33,250 and you come back and you are good. 636 00:35:33,792 --> 00:35:37,167 And then UART ends up being 24 baud rates per permutation. 637 00:35:37,167 --> 00:35:39,083 It's about one permutation a second. 638 00:35:39,918 --> 00:35:42,209 10 minutes for 24 channels. 639 00:35:45,918 --> 00:35:47,083 All right. 640 00:35:47,083 --> 00:35:48,334 Here's some demos. 641 00:35:48,501 --> 00:35:57,375 Let's see, let me bring up my CoolTerm, which is what I'm using on my Mac. 642 00:35:57,751 --> 00:36:00,501 How does that look up there? 643 00:36:00,501 --> 00:36:02,083 Is that nice and big? 644 00:36:02,459 --> 00:36:03,459 Good. 645 00:36:03,459 --> 00:36:04,459 Okay. 646 00:36:04,459 --> 00:36:08,834 So let's see, I'm already connected to. 
647 00:36:08,834 --> 00:36:10,999 I have my JTAGulator plugged in through the mini USB and I believe 648 00:36:10,999 --> 00:36:12,999 I'm already connected. 649 00:36:12,999 --> 00:36:16,125 If I hit enter, can you see that response? 650 00:36:16,125 --> 00:36:17,999 Question mark, invalid command. 651 00:36:17,999 --> 00:36:23,999 I get the colon sign and that tells me that I it tells me the command prompt. 652 00:36:23,999 --> 00:36:24,999 So here we go. 653 00:36:24,999 --> 00:36:26,999 Here's a list, here's a list of commands. 654 00:36:26,999 --> 00:36:29,542 We will do let's see what do I have hooked up first? 655 00:36:29,542 --> 00:36:33,250 I have UART, I wanted to get everything set up before the talk. 656 00:36:33,250 --> 00:36:38,959 I have a bunch of connections from the JTAGulator 657 00:36:38,959 --> 00:36:44,876 on to a Linksys that has DD-WRT on it. 658 00:36:45,292 --> 00:36:50,459 I have these little individual female to female leads connected 659 00:36:50,459 --> 00:36:53,999 up from the JTAGulator to that. 660 00:36:54,417 --> 00:36:57,918 So if we go ahead, first thing we need to do is set the target voltage. 661 00:36:57,918 --> 00:36:59,083 I think I already did this. 662 00:36:59,083 --> 00:37:01,083 Yes, so I will do it again just for fun. 663 00:37:01,083 --> 00:37:03,334 Set the target voltage, 3.3 volts and now target voltage 664 00:37:03,334 --> 00:37:07,918 is set and then let's go ahead and do identify UART pin out. 665 00:37:07,918 --> 00:37:09,918 We will do carriage return. 666 00:37:09,918 --> 00:37:11,083 That's just the standard. 667 00:37:11,083 --> 00:37:15,999 Number of channels, I have one, two, three, four channels. 668 00:37:15,999 --> 00:37:20,709 Four wires set up on to this port of the Linksys device. 669 00:37:21,834 --> 00:37:24,209 I just arbitrarily connected things. 670 00:37:24,209 --> 00:37:26,709 I know there's a UART there because I tested it. 671 00:37:26,709 --> 00:37:28,125 I don't know which pin is which. 
672 00:37:28,125 --> 00:37:30,999 Four channels, it will be 12 possible permutations. 673 00:37:30,999 --> 00:37:33,334 Reminder to use channels 0 through 3 and space bar 674 00:37:33,334 --> 00:37:37,876 to JTAGulate and hopefully something will come up. 675 00:37:38,876 --> 00:37:40,083 Okay. 676 00:37:41,083 --> 00:37:43,417 So a bunch of stuff came up. 677 00:37:43,417 --> 00:37:45,167 Let's see if there's anything else. 678 00:37:46,999 --> 00:37:47,999 Okay. 679 00:37:47,999 --> 00:37:48,999 UART scan complete. 680 00:37:49,292 --> 00:37:52,501 You can see the TX and the RX lines are all the same, 1 and 3, 681 00:37:52,501 --> 00:37:54,667 that's a good sign. 682 00:37:54,667 --> 00:37:55,999 That means something is there. 683 00:37:55,999 --> 00:37:57,417 That means when we send a carriage return on pin one, 684 00:37:57,417 --> 00:38:00,250 we are getting a response on channel 3. 685 00:38:00,626 --> 00:38:02,292 But the JTAGulator can't figure out what the data 686 00:38:02,292 --> 00:38:05,709 is because it doesn't know what the data should be. 687 00:38:05,999 --> 00:38:09,709 If we have some interface, maybe it is a some sort of debug interface, 688 00:38:09,709 --> 00:38:13,417 but maybe it's not ASCII, maybe it's some binary thing that we 689 00:38:13,417 --> 00:38:15,334 need to decode. 690 00:38:15,918 --> 00:38:22,250 We can go through manually and say, okay, tell me when you guys see 691 00:38:22,250 --> 00:38:27,999 something that might be like a useful character, let's see, 692 00:38:27,999 --> 00:38:30,501 keep going here. 693 00:38:30,501 --> 00:38:32,167 AUDIENCE MEMBER: (Inaudible). 694 00:38:32,167 --> 00:38:34,542 JOE GRAND: Yes, 57.6 has a 0D and then you have a carriage return 695 00:38:34,542 --> 00:38:36,709 and a line feed. 696 00:38:36,751 --> 00:38:40,083 We will test both of them and see what it is. 697 00:38:40,250 --> 00:38:44,959 To save time, I will do this one. 
698 00:38:44,959 --> 00:38:48,209 Remember, transmit is pin 1 and receive is pin 3. 699 00:38:50,083 --> 00:38:54,834 Now we can do a pass through mode where we can see TX 700 00:38:54,834 --> 00:39:00,542 is pin 1 and RX is pin 3 and baud rate 200, enter that. 701 00:39:00,542 --> 00:39:02,083 Now we are in UART pass through. 702 00:39:02,083 --> 00:39:04,792 So now we are using the JTAGulator as a pass through. 703 00:39:04,792 --> 00:39:06,876 So now we should be able to communicate directly 704 00:39:06,876 --> 00:39:09,250 with the with the DD-WRT. 705 00:39:15,209 --> 00:39:17,375 (Applause) Yeah, thanks. 706 00:39:17,375 --> 00:39:19,876 So here we are and we are in the shell and stuff. 707 00:39:20,083 --> 00:39:21,250 So that's cool because it saves you the trouble 708 00:39:21,250 --> 00:39:23,167 of disconnecting everything and putting in your own USB 709 00:39:23,167 --> 00:39:25,125 to serial adapter and stuff. 710 00:39:25,459 --> 00:39:29,999 So we can hit control X and now we are back on JTAGulator's side. 711 00:39:30,083 --> 00:39:34,292 So I will disconnect oh, you know what I will do first? 712 00:39:34,292 --> 00:39:35,999 Disconnect target voltage. 713 00:39:35,999 --> 00:39:36,959 Set it back to zero so I don't fry anything 714 00:39:36,959 --> 00:39:38,626 as I take this off. 715 00:39:38,626 --> 00:39:42,542 I take off these pins and now we do the JTAG detection. 716 00:39:42,918 --> 00:39:45,667 You remember the DEF CON 17 badge. 717 00:39:47,083 --> 00:39:48,999 That's great. 718 00:39:51,375 --> 00:39:53,083 Okay, three people. 719 00:39:53,501 --> 00:39:56,959 The DEF CON 17 badge had a Freescale MCF6, 720 00:39:56,959 --> 00:40:03,000 a digital signal controller that just happened to have JTAG on it. 
721 00:40:03,292 --> 00:40:05,876 I had broken out the different pins as test points 722 00:40:05,876 --> 00:40:08,999 on the board that we were using during the badge hacking device 723 00:40:08,999 --> 00:40:11,501 and you could they would constantly get bricked when 724 00:40:11,501 --> 00:40:14,042 people would write code for them. 725 00:40:14,834 --> 00:40:17,999 I took the test points and wired it up to a connector so I can connect it 726 00:40:17,999 --> 00:40:20,209 up to here and give the demo. 727 00:40:20,209 --> 00:40:21,125 In real life, you wouldn't have a connector there, 728 00:40:21,125 --> 00:40:23,876 right, you would solder connectors on, right? 729 00:40:23,876 --> 00:40:24,999 I will plug this in. 730 00:40:26,083 --> 00:40:28,417 So now it's plugged into the JTAGulator. 731 00:40:28,542 --> 00:40:30,959 I have to set my target voltage. 732 00:40:30,959 --> 00:40:33,000 If I don't, and I try to identify JTAG. 733 00:40:39,292 --> 00:40:42,709 And so now let's do the ID code scan first. 734 00:40:47,125 --> 00:40:49,709 We will JTAGulate. 735 00:40:49,999 --> 00:40:50,999 Oh, no. 736 00:40:51,667 --> 00:40:52,999 Failure. 737 00:40:52,999 --> 00:40:54,125 Good just what I like. 738 00:40:56,709 --> 00:40:58,999 Let's see what I screwed up. 739 00:41:02,167 --> 00:41:04,292 I don't know. 740 00:41:07,542 --> 00:41:10,501 Well, let's try bypass scan. 741 00:41:12,083 --> 00:41:13,584 Screw it. 742 00:41:13,584 --> 00:41:14,959 Bypass scan takes longer. 743 00:41:14,959 --> 00:41:17,876 Not long enough for me to actually try to debug this thing. 744 00:41:18,876 --> 00:41:20,626 How much time do we have? 745 00:41:20,999 --> 00:41:21,999 Good. 746 00:41:21,999 --> 00:41:24,334 Enough time to plug it in a different way. 747 00:41:24,626 --> 00:41:27,792 Oh, you know what, can my ground pin fall off? 748 00:41:27,999 --> 00:41:29,083 Oh. 749 00:41:29,209 --> 00:41:30,501 Too much demo. 
750 00:41:30,501 --> 00:41:32,292 Too much demo and not enough time. 751 00:41:32,292 --> 00:41:35,125 AUDIENCE MEMBER: You can have as much time as you want. 752 00:41:35,125 --> 00:41:36,999 JOE GRAND: As much time as I want. 753 00:41:39,417 --> 00:41:40,959 Nothing after me. 754 00:41:40,959 --> 00:41:41,959 Good. 755 00:41:41,959 --> 00:41:42,959 Okay. 756 00:41:42,959 --> 00:41:43,959 So we'll see. 757 00:41:47,459 --> 00:41:50,167 So ground goes to ground. 758 00:41:50,542 --> 00:41:53,167 So now I'm arbitrarily plugging this in. 759 00:41:53,667 --> 00:41:54,834 Ground goes to ground. 760 00:41:54,999 --> 00:41:56,999 And now I'm just plugging in. 761 00:41:56,999 --> 00:41:59,999 I don't care which pins they go to on here. 762 00:42:08,083 --> 00:42:10,375 So channel zero through 3. 763 00:42:42,584 --> 00:42:44,501 It will go to 3.0. 764 00:42:44,876 --> 00:42:46,751 That's the easy way to do it. 765 00:42:49,250 --> 00:42:54,375 A bug in the firmware when you go from UART to JTAG mode. 766 00:42:54,375 --> 00:42:56,083 Anyway, I will fix that. 767 00:42:56,375 --> 00:42:58,542 Now we have a response, right? 768 00:42:58,542 --> 00:42:59,959 We have TDI I don't know. 769 00:43:01,999 --> 00:43:06,334 So let's go ahead and try to find TDI. 770 00:43:06,459 --> 00:43:17,626 We will have four channels again and it takes slightly longer 771 00:43:17,626 --> 00:43:24,125 and there's our JTAG pin out. 772 00:43:24,125 --> 00:43:25,125 Enjoy. 773 00:43:25,125 --> 00:43:26,125 You can clap. 774 00:43:26,125 --> 00:43:27,125 Okay. 775 00:43:27,375 --> 00:43:32,083 (Applause) 0, 3, 2, 1, oh, I messed that up. 776 00:43:32,083 --> 00:43:33,083 Okay. 777 00:43:36,999 --> 00:43:40,751 So IDCODE, we only need the three, we need three, two, and one. 778 00:43:40,751 --> 00:43:45,375 3, 2, 1, one device on the chain and there's the IDCODE. 779 00:43:46,083 --> 00:43:49,999 It corresponds to the Freescale part. 780 00:43:49,999 --> 00:43:52,999 You can look it up. 
781 00:43:52,999 --> 00:43:55,667 And then let's do the final one which is testing bypass. 782 00:43:55,667 --> 00:43:57,709 And that's 0, 3, 2, 1. 783 00:43:58,250 --> 00:44:02,459 One device on the chain and the pattern in matches the pattern out. 784 00:44:03,834 --> 00:44:06,626 You can do it again and we get a different pattern. 785 00:44:09,334 --> 00:44:11,584 Now we can go and hack with it. 786 00:44:11,584 --> 00:44:14,083 So that's our demo. 787 00:44:17,876 --> 00:44:19,083 (Applause). 788 00:44:22,918 --> 00:44:24,083 Okay. 789 00:44:24,083 --> 00:44:27,999 So like everything, there are limits to the tool, like having to press reset. 790 00:44:30,167 --> 00:44:33,999 The first thing you could cause the target to do, as you are fuzzing 791 00:44:33,999 --> 00:44:37,083 all of these test points but that's somewhat of a limitation 792 00:44:37,083 --> 00:44:40,209 but also it could be useful if you are hacking a device 793 00:44:40,209 --> 00:44:42,250 and you don't know. 794 00:44:42,250 --> 00:44:44,167 If you cause it to do something unintended that might 795 00:44:44,167 --> 00:44:45,834 be useful. 796 00:44:45,999 --> 00:44:48,626 Maybe the OCD interface is not enabled, 797 00:44:48,626 --> 00:44:52,417 and maybe it's some sort of if it's password protection, 798 00:44:52,417 --> 00:44:55,834 we might not be able to detect it. 799 00:44:55,959 --> 00:44:58,959 The vendors try to go sneaky by cutting traces, leaving 800 00:44:58,959 --> 00:45:04,125 out jumpers on connections to try to prevent somebody from using it. 801 00:45:04,125 --> 00:45:05,083 So we have to do a little more reverse engineering 802 00:45:05,083 --> 00:45:06,918 to find that first. 803 00:45:06,918 --> 00:45:09,626 Maybe there's maybe no on chip debug interface. 
804 00:45:12,083 --> 00:45:16,751 Future work, we want to add all sorts of support for other stuff, 805 00:45:16,751 --> 00:45:21,999 which hopefully will happen, you know, as needed, as somebody says I need 806 00:45:21,999 --> 00:45:23,999 to discover ... 807 00:45:23,999 --> 00:45:25,292 Spy-Bi-Wire on TI and I will write a module or someone 808 00:45:25,292 --> 00:45:27,584 will write a module to do it. 809 00:45:27,584 --> 00:45:29,918 There's lots of possibilities for this tool. 810 00:45:29,999 --> 00:45:35,709 It's a general purpose Propeller with lots of IO that you can use for stuff. 811 00:45:37,375 --> 00:45:40,667 We have a few more available at the Hacker Warehouse 812 00:45:40,667 --> 00:45:43,250 at the DEF CON vendor area. 813 00:45:43,250 --> 00:45:46,375 All the stuff is available on JTAGulator.com, and Parallax 814 00:45:46,375 --> 00:45:50,083 is selling assembled units and bare boards and if they run 815 00:45:50,083 --> 00:45:53,167 out of stock, they will make it. 816 00:45:54,709 --> 00:45:57,918 I have been dying to read this poem. 817 00:45:57,999 --> 00:46:00,417 I went up to this guy that writes random 818 00:46:00,417 --> 00:46:04,334 poems and I said I developed a tool called the JTAGulator and 819 00:46:04,334 --> 00:46:06,667 he wrote this poem. 820 00:46:09,209 --> 00:46:11,667 Maybe you can make some sense of it. 821 00:46:11,667 --> 00:46:13,250 I will just read it. 822 00:46:13,250 --> 00:46:14,250 Okay. 823 00:46:14,250 --> 00:46:15,250 Let's see. 
824 00:46:15,250 --> 00:46:16,667 To take an object from made to modified, 825 00:46:16,667 --> 00:46:20,417 customized interfaces between past and few truths can 826 00:46:20,417 --> 00:46:24,667 maintain their veneer in the face of signal feedbacks, size 827 00:46:24,667 --> 00:46:29,375 of diamond screwdriver doesn't fit circuit, exit, enter the dragnet 828 00:46:29,375 --> 00:46:33,375 on all sides, caught with tools debugging as form of how 829 00:46:33,375 --> 00:46:38,167 to gain access to what you have but can't quite double blind verify, 830 00:46:38,167 --> 00:46:43,334 ascertain, make salient discoveries about electricity, keeps its secrets 831 00:46:43,334 --> 00:46:49,083 from anything that's not luckily everything electric is JTAGulator. 832 00:46:49,083 --> 00:46:53,292 Take apart a ball of and find particles that can't be 833 00:46:53,292 --> 00:46:55,375 broken into. 834 00:46:55,375 --> 00:46:56,792 (Applause) So there we go. 835 00:46:56,792 --> 00:46:57,792 The end. 836 00:46:57,792 --> 00:46:58,792 Thank you. 837 00:46:58,792 --> 00:46:59,792 (Applause). 838 00:46:59,792 --> 00:46:59,792 So I will leave this set up if you guys want 839 00:46:59,792 --> 00:47:02,792 to come and take a look at it until they kick me off the stage.