Making BadUSB Work For You Adam Caudill (@adamcaudill) Brandon Wilson (@brandonlwilson)
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Making BadUSB Work For You
Adam Caudill (@adamcaudill)Brandon Wilson (@brandonlwilson)
What is BadUSB?● NOT a technical flaw● NOT a vulnerability
Patriot 8GB Supersonic Xpress
Phison 2251-03
Reverse Engineering
A word of warning...
● Always starts at boot ROM● Attempts to read firmware from NAND● If successful, first 32KB loaded to XDATA● If not, waits to receive code to RAM and
executes it
Boot Process
Pin Shorting
Paging
...
Page 0 Page 1 Page 2 Page A
Base section
0x0000
0x5000
0xEFFF
Firmware Update Process
Boot ROM Burner Executable Firmware
Pain Points● Patching existing firmware
o Very touchyo Limited RAM available
● Writing from-scratch firmwareo NAND suckso Non-standard command setso Bad block managemento Global wear leveling
● Lots...and lots...of pin shorting
Quick Reset Cable
New Tools● Desktop Flasher● Firmware Patcher● HID payload injector
What We've Done● Custom HID firmware● Hidden partition patch● Password protection bypass patch
Custom HID Firmware
Hidden Partition Patch
Read Request(Get LBA
0x00000073)
Patch (Use hidden
area?)
Section 1(Public)
Section 2(Hidden)
Password Protection Bypass
Defense & Detection● Composite devices● Modified firmware
?
Source Code & ToolsDrive: bit.ly/badusb4youCode: github.com/adamcaudill/PsychsonBurner & Stock Firmware: usbdev.ru/files/phison/
Special ThanksSecurity Research Labs● Karsten Nohl● Sascha Krißler● Jakob Lell
Special ThanksRichard Harman (@xabean) ShmooCon 2014 Controlling USB Flash Drive Controllers
bit.ly/1xaNkbP
Thanksgithub.com/adamcaudill/Psychson
Adam Caudill (@adamcaudill)Brandon Wilson (@brandonlwilson)
Related Documents
