tag:blogger.com,1999:blog-5362250429212141599.post5139155335597033092..comments2024-01-31T09:56:55.642+00:00Comments on One Week Wonder: BootJacker: The Amazing AVR Bootloader Hack!Snialhttp://www.blogger.com/profile/18339375292327879363noreply@blogger.comBlogger15125tag:blogger.com,1999:blog-5362250429212141599.post-67552556236401059532015-06-25T16:37:54.912+01:002015-06-25T16:37:54.912+01:00Hi WestfW,
If the firmware programmer protects th...Hi WestfW,<br /><br />If the firmware programmer protects the flash using the Boot Lock bits, then I think yes, I think it would mean that the technique wouldn't work. However, the problem I faced when upgrading FIGnition to the 1.0 firmware on an AtMega168 was that even if the Boot Lock bits hadn't been programmed, it wasn't possible to program the bootloader from the application section. Using this technique, it was possible to upgrade the FIGnition bootloader from the application as described.<br /><br />I hope this helps, cheers from JulzSnialhttps://www.blogger.com/profile/18339375292327879363noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-61037408987060893322015-05-30T07:04:55.779+01:002015-05-30T07:04:55.779+01:00Does this end up working? It sounded great, but t...Does this end up working? It sounded great, but then I noticed that most of the Boot Lock bit protections have this clause "If Interrupt Vectors are placed in the Application section, interrupts are disabled while executing from the Boot Loader section."<br />WestfWhttps://www.blogger.com/profile/15544747646127871059noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-39828632152149125592014-12-20T03:28:09.071+00:002014-12-20T03:28:09.071+00:00This comment has been removed by the author.Anonymoushttps://www.blogger.com/profile/01678587400949822325noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-31369390534740067802014-10-30T19:45:51.201+00:002014-10-30T19:45:51.201+00:00Hi Julz,
Thanks for the info. Also my current und...Hi Julz,<br /><br />Thanks for the info. Also my current undertanding of the various components is still a bit blur. So I am coming back with more question...<br /><br />I am starting a project to build my own mechanical keyboard. I am at the moment aiming for the Atmel ATMEGA32U4 which has enough pins to drive my keyboard matrix.<br /><br />I think that by reading your last paragraph, you are eluding that with this chip, using your technique to zap the bootloader and replace it by mine (which would not allow firmware update), I should be pretty safe. Correct?<br /><br />Second point, could I still update my AVR via JTAG for example (I need the requirement to have physical attacks only, no logical possibility). Ideally having a PCB design which require a DIP switch to allow JTAG.<br /><br />FYI, I am using QubesOS as my OS and feel pretty safe to protect my dev environment with it.Alex Duboishttps://www.blogger.com/profile/15941182811119064218noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-46792140609365445342014-10-29T22:29:35.690+00:002014-10-29T22:29:35.690+00:00Hi Alex,
Thanks for the affirmation!
If you'...Hi Alex,<br /><br />Thanks for the affirmation!<br /><br />If you're using an AVR device and you can download application firmware updates via USB and the AVR chip has sufficient application flash and your hackers know what device they're trying to hack, then I'm afraid the technique in bootjacker will be able to jack your device.<br /><br />Maybe I should head off to a Black hat conference or something ;-) But yes, it's a major failing because the major technique Atmel use to prevent inadvertent writes to Flash mean that it's easy to identify SPM sequences in flash - there are very few combinations and even code a little bit more complex than mine could identify them all.<br /><br />The vulnerabilities recently identified in USB devices I think all depend on being able to program the internal firmware on the USB device via a device driver that runs on the host (or via, perhaps a device driver that's uploaded to the host, though I'm not aware of any USB device that does that). So, for example, the original EZ-USB devices by Cypress Semiconductor were exactly like that - they just have RAM for the firmware and can boot up in DFU (Device Firmware Upload?) mode which means they identify as one device on power-on whose only purpose is to upload new firmware. The TI TUSB3410 devices are similar (and both based on 8051 architectures).<br /><br />I have an EZ-USB board of that kind and it's fantastic as a super-flexible arduino-type device.<br /><br />USB devices that can't upload firmware, that just communicate via USB will be pretty resilient if implemented on an AVR. That's mostly because of the harvard architecture, you can't inject code by overflowing a buffer, because you can't execute from RAM on an AVR. To hi-jack it using buffer overflows you'd have to do something like sticking enough data in the buffer that it overwrites the stack with a return address to somewhere in your code that could directly or indirectly execute SPM instructions in a controlled manner. It's unlikely that any code sequences in your Flash can be exploited in this manner, even more unlikely if the hackers don't even know what's in the flash.<br /><br />In that sense the AVR is pretty secure.<br /><br />Hope this helps!<br /><br />-cheers from JulzSnialhttps://www.blogger.com/profile/18339375292327879363noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-90005979371441524852014-10-28T23:18:48.560+00:002014-10-28T23:18:48.560+00:00Hi Julz,
Great post.
I am trying to do the oppos...Hi Julz,<br /><br />Great post.<br /><br />I am trying to do the opposite and be sure that my code cannot be modified via USB (which is my only interface for my keyboard).<br /><br />Is this feasible with an AVR?<br /><br />Do I have to make sure my code is free of any buffer overflow or other security related software bugs?<br /><br />AlexAlex Duboishttps://www.blogger.com/profile/15941182811119064218noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-73899310459603906332014-07-15T10:43:06.771+01:002014-07-15T10:43:06.771+01:00Cool! Nicely thought outside the box :-)Cool! Nicely thought outside the box :-)Matthijs Kooijmanhttps://www.blogger.com/profile/15325800216934541176noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-77839376205174720252014-07-07T15:14:40.418+01:002014-07-07T15:14:40.418+01:00really cool, I was looking at fuse settings with t...really cool, I was looking at fuse settings with the AVRdragon to make a self erasing application on AVR including the bootloader.. but this trick allows me to overwrite pretty much everything on the chip... Thanx<br />its a REALLY neat hack...<br /> <br /> hzlwitnessdigitalhttps://www.blogger.com/profile/01484835022519770464noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-20280385559345258602014-07-07T15:12:24.244+01:002014-07-07T15:12:24.244+01:00Hi Ralf,
Yes, that's called an ICSP (or just ...Hi Ralf,<br /><br />Yes, that's called an ICSP (or just ISP), an in-circuit serial programmer. I use a home-brew ICSP to program AVRs from scratch, but when I sell FIGnition computers, I can't expect them to have an ICSP so instead I provide a bootloader on the AVR so that users can upgrade their FIGnition firmware just using a FIGnition and no other hardware. This is the way arduinos are normally programmed, and if you mess up the bootloader there, you will brick your arduino!<br /><br />Up until now I've used the excellent V-USB software USB bootloader from Objective Development. To provide complete flexibility without incurring USB licensing fees I've switched to audio data transfer and an audio bootloader. This means I really do need to supply a migration program which can update customer's bootloaders.<br /><br />-cheers from JulzSnialhttps://www.blogger.com/profile/18339375292327879363noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-61827189754250821162014-07-07T13:04:04.877+01:002014-07-07T13:04:04.877+01:00You didn't need to do any of this to solve you...You didn't need to do any of this to solve your original problem though!<br /><br />There's a very straightforward serial programming interface (hold RESET low and program with pins PB1,PB2 and PB3. It's even documented in the manual! You can do a full chip erase and from there program any bootloader / application code you like.Ralfhttps://www.blogger.com/profile/10844724134361778460noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-74993778717851014962014-07-07T07:34:52.568+01:002014-07-07T07:34:52.568+01:00Hi guys,
Thanks for the comments! @Snowcamo - goo...Hi guys,<br /><br />Thanks for the comments! @Snowcamo - good one!<br /><br />@Bubz, @quibelez, @ptdecker! Thanks for the encouragements and your takes on how insight comes about, it all comes into play! I wasn't trying to offer much in the way of theology, it's just the blogging equivalent of e.g. Daniel Sturridge giving thanks for his equaliser when playing against Italy :-)<br /><br />Have a great week all of you: may your talents, moods and algorithmic precision bring you success!<br /><br />-cheers from JulzSnialhttps://www.blogger.com/profile/18339375292327879363noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-89496978441525812472014-07-07T06:48:29.779+01:002014-07-07T06:48:29.779+01:00Nice hack!Nice hack!ptdeckerhttps://www.blogger.com/profile/14086611976717903266noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-5382195117784336792014-07-07T00:32:24.895+01:002014-07-07T00:32:24.895+01:00reaction = current_mood ? yeah_sure : no_brainer;reaction = current_mood ? yeah_sure : no_brainer;Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-1095427647858460112014-07-06T15:04:03.368+01:002014-07-06T15:04:03.368+01:00As an atheist, I must admit I don't believe pr...As an atheist, I must admit I don't believe prayer is what what made this awsome hack reality, but rather the unique skillset of a very talented hacker. I don't want to start any religious thing going, I just wanted to acknowledge how awesome this trick is. <br />I have had times when I needed to use a modified optiboot, as the braindead reset trickery to get to bootloader uses rts/dtr to do a hw reset, and optiboot makes this worse by ignoring soft reset. But by modifying the bootloader, you eliminate most casual Arduino users, as they would never get into that.<br />This is a very sweet trick, big ups!!!Bubzhttps://www.blogger.com/profile/13408976607877254533noreply@blogger.comtag:blogger.com,1999:blog-5362250429212141599.post-11156493176124925732014-07-06T08:53:30.631+01:002014-07-06T08:53:30.631+01:00[1] As a Christian, I also have to fess' up th...<i>[1] As a Christian, I also have to fess' up that I prayed about it too. Not some kind of desperation thing, but some pretty calm prayer, trusting it'll get sorted out :-)</i><br /><br />This never fails, and has a habit of transforming impossible things into possible (Luke 1:37).<br /><br />My most memorable case was a time critical piece of assembler 20 years ago, where I had to multiply a variable with a constant and there really was neither time nor fast multiply available. The constant was from a complex formula and when I finally got it calculated, it turned out to be 256.000xxxxxx. The precision was plenty enough.Snowcamohttps://www.blogger.com/profile/09220466383874024695noreply@blogger.com