Hands-On IoT Hacking: Rapid7 at DEF CON 30 IoT Village, Part 1

Rapid7 was back this year at DEF CON 30, participating in the IoT Village with another hands-on hardware hacking exercise aimed at teaching attendees various concepts and methods for IoT hacking. Over the years, these exercises have covered several embedded-device topics, including how to use a logic analyzer, how to extract firmware, and how to gain root access to an embedded IoT device.

Like last year, many IoT Village attendees asked for a copy of our exercise manual, so once again I have written an in-depth write-up of the exercise we ran, with added context to answer several questions and expand on the discussions we had with attendees at this year's DEF CON IoT Village.

This year's exercise focused on the following key areas:

- Interacting with eMMC flash in circuit
- Using the Linux dd command to make a binary copy of flash memory
- Using the unsquashfs and mksquashfs commands to unpack and repack read-only SquashFS file systems
- Altering startup files within the embedded Linux operating system to execute code during device startup
- Leveraging dropbear to enable SSH access

Summary of exercise

The goal of this year's hands-on hardware hacking exercise was to gain root access to an Arris SB6190 cable modem without installing any external code. To do this, the user interacted with the device in circuit via its PHISON PS8211-0 eMMC (embedded MultiMediaCard) controller to mount and gain access to the NAND flash memory storage. With access to the NAND flash, the user identified the partitions of interest and extracted them using the Linux dd command.
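Identifying "the partitions of interest" in a raw flash image is the step that usually trips people up when the eMMC shows up as a bare block device with no usable partition table. The script below is an added example (not the Rapid7 exercise code, and not specific to the SB6190): it scans a dump for the SquashFS v4 superblock magic "hsqs", validates the superblock fields so a stray "hsqs" string in the data is not mistaken for a file system, and prints the dd command that carves each SquashFS image out for unsquashfs. The sample dump is constructed inline; the device path /dev/sdb is a hypothetical placeholder.

```python
"""Locate SquashFS file systems in a raw eMMC/NAND dump and emit dd commands.

Added example, not Rapid7's exercise code. The superblock layout is the
documented SquashFS 4.x format (little-endian, 96 bytes). The dump scanned
here is constructed in build_sample_dump(); /dev/sdb is a placeholder.
"""
import struct

SQUASHFS_MAGIC = b"hsqs"            # 0x73717368 stored little-endian
SUPERBLOCK_FMT = "<5I6H2Q"          # first 48 bytes of the v4 superblock
SUPERBLOCK_LEN = 96
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SECTOR = 512


def parse_superblock(blob, offset):
    """Return a dict describing the superblock at `offset`, or None if the
    bytes there are not a plausible SquashFS 4.0 superblock."""
    if blob[offset:offset + 4] != SQUASHFS_MAGIC:
        return None
    if offset + SUPERBLOCK_LEN > len(blob):
        return None
    (_magic, inodes, _mtime, block_size, _frags,
     comp, block_log, _flags, _ids, vmaj, vmin,
     _root_inode, bytes_used) = struct.unpack_from(SUPERBLOCK_FMT, blob, offset)
    # Sanity checks: version 4.0, block size a power of two in 4 KiB..1 MiB,
    # block_log consistent with block_size, known compressor, size fits dump.
    if (vmaj, vmin) != (4, 0):
        return None
    if not (4096 <= block_size <= 1 << 20) or block_size & (block_size - 1):
        return None
    if (1 << block_log) != block_size or comp not in COMPRESSORS:
        return None
    if bytes_used < SUPERBLOCK_LEN or offset + bytes_used > len(blob):
        return None
    return {"offset": offset, "bytes_used": bytes_used,
            "block_size": block_size, "compression": COMPRESSORS[comp],
            "inodes": inodes}


def find_squashfs(blob):
    """Scan the whole dump; skip over each valid image so nested magic
    strings inside its payload are not reported again."""
    found = []
    pos = blob.find(SQUASHFS_MAGIC)
    while pos != -1:
        sb = parse_superblock(blob, pos)
        if sb:
            found.append(sb)
            pos = blob.find(SQUASHFS_MAGIC, pos + sb["bytes_used"])
        else:
            pos = blob.find(SQUASHFS_MAGIC, pos + 1)
    return found


def dd_command(dump_path, sb, out_path):
    """Build the dd invocation that carves one image out of the device/dump.
    Uses 512-byte sectors when the offset is sector aligned (far faster on a
    real eMMC than bs=1); the count is rounded up so the tail is not cut."""
    length = sb["bytes_used"]
    if sb["offset"] % SECTOR == 0:
        count = (length + SECTOR - 1) // SECTOR
        return (f"dd if={dump_path} of={out_path} bs={SECTOR} "
                f"skip={sb['offset'] // SECTOR} count={count}")
    return f"dd if={dump_path} of={out_path} bs=1 skip={sb['offset']} count={length}"


def make_superblock(block_size=131072, bytes_used=4096, comp=4):
    """Constructed SquashFS 4.0 superblock (xz, 128 KiB blocks) for the sample."""
    block_log = block_size.bit_length() - 1
    sb = struct.pack(SUPERBLOCK_FMT, 0x73717368, 42, 0, block_size, 0,
                     comp, block_log, 0, 1, 4, 0, 0, bytes_used)
    return sb + b"\0" * (SUPERBLOCK_LEN - len(sb))


def build_sample_dump():
    """Constructed dump: filler, a decoy 'hsqs' with garbage fields, then a
    real-looking superblock at 0x20000 followed by its payload."""
    filler = bytes(range(256)) * 64            # 16 KiB of non-zero filler
    decoy = b"hsqs" + b"\xff" * 92              # magic but nonsense fields
    dump = bytearray(filler + decoy)
    dump += b"\0" * (0x20000 - len(dump))       # erased flash up to the fs
    dump += make_superblock()
    dump += b"\xaa" * (4096 - SUPERBLOCK_LEN)   # payload up to bytes_used
    dump += b"\0" * 1024                        # erased padding after the fs
    return bytes(dump)


if __name__ == "__main__":
    dump = build_sample_dump()
    for sb in find_squashfs(dump):
        print(f"SquashFS at 0x{sb['offset']:x}: {sb['bytes_used']} bytes, "
              f"{sb['compression']}, block size {sb['block_size']}")
        print("  " + dd_command("/dev/sdb", sb, f"part_{sb['offset']:x}.sqsh"))
```

Run against a real dump by replacing build_sample_dump() with the file's bytes (or point dd_command at the block device itself and run the printed command). The carved file is what unsquashfs takes as input, and mksquashfs rebuilds it after the startup files have been edited. Two caveats: SquashFS 3.x images written on a big-endian system carry the magic as "sqsh" and are not matched here, and a dd count rounded up to whole sectors means the rebuilt image must be padded back to the original partition size before it is written to flash.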

Next, the user extracted the filesystem from the partition binary files and was then able ..
