Mobile Hacking using Linux Drivers


  1. Mobile Hacking through Linux Drivers
     © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> All Rights Reserved.
  2. What to Expect?
     Objective
     - Usual Linux Kernel Hacking Techniques
     - Tools to do Reverse-engineering
     Assumptions
     - Linux Kernel is already ported onto a Mobile
     - Getting into the mobile has been figured out
  3. The Hacking Architecture
     - User Space (provides interface for hacking)
     - System Call I/F (the connector)
     - Kernel Space (provides functionalities & facilities to hack)
     - Hardware (is what needs Hacking)
  4. Kernel Space Functionality
     - Process Management
     - Memory Management
     - Device Management
     - Storage Management
     - Network Management
  5. Kernel Driver Ecosystem (diagram)
     Applications: bash, gvim, X Server, ssh, gcc, firefox
     Kernel, by subsystem:
     - Process Management: Concurrency, MultiTasking; Architecture Dependent Code
     - Memory Management: Virtual Memory; Memory Manager
     - Device Control: Ttys & Device Access; Character Drivers
     - File Systems: Files & Dirs: The VFS; Filesystem Layer & Block Drivers
     - Networking: Connectivity; Network Subsystem, Interface Drivers
     Hardware Protocol Layers like PCI, USB, I2C, RS232, ...
     Hardware: CPU, Memory, Consoles etc, Disks & CDs, Network Interfaces
  6. Kernel Source Organization
     /usr/src/linux/
     - arch/<arch>
     - mm
     - drivers: char, mtd/ide, net, pci, serial, usb, ..., block
     - fs
     - net
     - include: linux, asm-<arch>
     - init, kernel, ipc, lib, scripts, tools
     - crypto, firmware, security, sound, ...
  7. Show me the Source Code
  8. Kernel Build System
     Key components
     - Makefile
     - Kconfig
     Configuring the Makefile
     - Setting up the kernel version (specially for the Desktops)
     - For Cross Compilation, need to set up ARCH and CROSS_COMPILE
     - Or, invoke make with these options
  9. Kernel Configuration
     - make config
     - make menuconfig
     - make xconfig
     Others
     - make defconfig
     - make oldconfig
     - make <specific>config
  10. Kernel Compilation
      After configuring the kernel, we are all set to build it
      Build Methods
      - make vmlinux – To build everything configured for a kernel image
      - make modules – To build only configured modules
      - make – To build everything configured (kernel image & modules)
      - make modules_prepare – To only prepare for building modules
      Cleaning Methods
      - make clean – Simple clean
      - make mrproper – Complete sweep clean, incl. Configs
  11. Linux Kernel Images
      Kernel Image should be understood by Stage 2 Bootloader
      Default kernel compilation builds vmlinux
      vmlinux is understood only by the desktop bootloaders
      So, for embedded systems, we would typically have to do the following
      - Creating linux.bin using <cross>-objcopy
        Example: arm-linux-objcopy -O binary vmlinux linux.bin
      - And then, convert it into the bootloader specific image using some bootloader utility. For u-boot, it is done using mkimage
        Example: mkimage -A arm -O linux -T kernel -C none -a 20008000 -e 20008000 -n "Custom" -d linux.bin uImage.arm
  12. Powerful Kernel Arguments
      - console – Boot up & access interface
      - root – Base file system contents
      - mem – Limit the RAM usage
      - nfsroot – Base file system over nfs
      - ip – IP address on boot
      - ...
  13. Do we really need to build the kernel?
      Not really. Alternative: Use Modules instead.
  14. W's of a Module?
      - Hot plug-n-play Driver
      - Dynamically Loadable & Unloadable
      - Linux – the first OS to have such a feature
      - Later many followed suit
      - Enables fast hacking cycle
      - File: <module>.ko (Kernel Object), i.e. <module>.o wrapped with kernel signature
  15. Module Commands
      - lsmod – List modules
      - insmod <mod_file> – Load module
      - rmmod <module> – Unload module
      - modprobe <module> – Auto load module
  16. The Module Constructor

          static int __init mfd_init(void)
          {
              ...
              return 0;
          }
          module_init(mfd_init);
  17. The Module Destructor

          static void __exit mfd_exit(void)
          {
              ...
          }
          module_exit(mfd_exit);
  18. Typical Makefile

          ifeq (${KERNELRELEASE},)
              KERNEL_SOURCE := <kernel source directory path>
              PWD := $(shell pwd)
          default:
          	$(MAKE) -C ${KERNEL_SOURCE} SUBDIRS=$(PWD) modules
          clean:
          	$(MAKE) -C ${KERNEL_SOURCE} SUBDIRS=$(PWD) clean
          else
              obj-m += <module>.o
          endif
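The constructor, destructor, Makefile and module commands of the last few slides fit together into one build-load-inspect-unload cycle. The script below is an added example, not code from the presentation: it scaffolds a complete `mfd` module (the name is borrowed from the slides' `mfd_init`/`mfd_exit`; the directory, the printk messages and the `KDIR` default of `/lib/modules/$(uname -r)/build` are assumptions), writes the two-phase Makefile, and only builds and loads when a kernel build tree and root privileges are actually present, so the scaffolding can be exercised on any host. `M=` is the current spelling of the `SUBDIRS=` variable shown on the slide.

```shell
#!/bin/sh
# Added example: scaffold, build, load and unload a minimal "mfd" module.
# Module name, directory, messages and KDIR default are assumptions made
# for illustration; this is not the presentation's own code.
set -e

KDIR="${KDIR:-/lib/modules/$(uname -r)/build}"   # assumed kernel build tree

# Write mfd.c: the constructor/destructor pair from the slides plus the
# printk calls and metadata a loadable module needs.
mfd_scaffold() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/mfd.c" <<'EOF'
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>

static int __init mfd_init(void)
{
	printk(KERN_INFO "mfd: loaded\n");   /* visible in dmesg at level 6 */
	return 0;                             /* non-zero here makes insmod fail */
}

static void __exit mfd_exit(void)
{
	printk(KERN_INFO "mfd: unloaded\n");
}

module_init(mfd_init);
module_exit(mfd_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Minimal hackable module (added example)");
EOF
    # Two-phase Makefile in the slide's style; recipe lines must start with a tab.
    printf 'ifeq ($(KERNELRELEASE),)\nKDIR ?= %s\nPWD := $(shell pwd)\n\ndefault:\n\t$(MAKE) -C $(KDIR) M=$(PWD) modules\n\nclean:\n\t$(MAKE) -C $(KDIR) M=$(PWD) clean\nelse\nobj-m += mfd.o\nendif\n' "$KDIR" > "$dir/Makefile"
}

# Build only when a kernel build tree and make are available; returns 0 when
# skipping so the script stays usable on hosts without headers.
mfd_build() {
    dir="$1"
    if [ ! -d "$KDIR" ] || ! command -v make >/dev/null 2>&1; then
        echo "skip build: no kernel build tree at $KDIR (or no make)" >&2
        return 0
    fi
    if ! make -C "$dir" KDIR="$KDIR" >/dev/null; then
        echo "build failed" >&2
        return 1
    fi
}

# Load, confirm via lsmod, show what the module logged, unload again.
# Needs root and a built mfd.ko; otherwise just prints the command sequence.
mfd_cycle() {
    dir="$1"
    if [ ! -f "$dir/mfd.ko" ] || [ "$(id -u)" -ne 0 ]; then
        echo "would run: insmod $dir/mfd.ko; lsmod | grep '^mfd'; dmesg | tail; rmmod mfd" >&2
        return 0
    fi
    insmod "$dir/mfd.ko"
    lsmod | grep '^mfd' || echo "mfd not listed by lsmod" >&2
    dmesg | tail -n 5
    rmmod mfd
}

# Sanity check usable anywhere: does the generated source define both hooks?
mfd_has_hooks() {
    grep -qF 'module_init(mfd_init);' "$1/mfd.c" && grep -qF 'module_exit(mfd_exit);' "$1/mfd.c"
}

# Usage: sh mfd-module.sh [workdir]
MFD_DIR="${1:-$(mktemp -d)}"
mfd_scaffold "$MFD_DIR"
mfd_build "$MFD_DIR"
mfd_cycle "$MFD_DIR"
```

On a target with matching headers, run it as root to see the `mfd: loaded` and `mfd: unloaded` lines appear in `dmesg`; elsewhere it leaves `mfd.c` and the Makefile in the work directory for cross-compiling with `ARCH` and `CROSS_COMPILE` set, as slide 8 describes.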
  19. How to Hack?
  20. printk & syslogd
      Header: <linux/kernel.h>
      Arguments: Same as printf
      Format Specifiers: All as in printf, except float & double related
      Additionally, an initial 3-character sequence for Log Level:
      - KERN_EMERG   "<0>" /* system is unusable */
      - KERN_ALERT   "<1>" /* action must be taken immediately */
      - KERN_CRIT    "<2>" /* critical conditions */
      - KERN_ERR     "<3>" /* error conditions */
      - KERN_WARNING "<4>" /* warning conditions */
      - KERN_NOTICE  "<5>" /* normal but significant condition */
      - KERN_INFO    "<6>" /* informational */
      - KERN_DEBUG   "<7>" /* debug-level messages */
  21. Logs & Kernel Windows
      Log View Commands
      - dmesg | tail
      - tail /var/log/messages
      Kernel Windows
      - /proc
      - /sys
      Peeping Commands
      - cat <window_file>
      - Utilities: sysfsutils, sysdiag
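The level prefix table on slide 20 is what a log reader has to decode when it pulls raw kernel messages (`dmesg -r` or `/proc/kmsg` keep the `<n>` prefixes; plain `dmesg` strips them). The script below is an added example, not from the presentation: it classifies constructed kernel log lines by level, defaults unprefixed lines to KERN_WARNING as printk itself does, and counts how many are at KERN_ERR or worse, which is the threshold a monitor on a freshly hacked module would typically alert on.

```shell
#!/bin/sh
# Added example: triage raw kernel log lines by printk level prefix.
# KLOG_SAMPLE is constructed for illustration, not captured from a real system.
set -e

KLOG_SAMPLE='<6>mfd: loaded
<4>mfd: register 0x10 read back 0xffff, expected 0x0001
<3>mfd: ioremap of 0x20000000 failed
<7>mfd: probe() called
<1>Oops: unable to handle kernel paging request'

# Map a numeric level to the KERN_* name from the slide table.
klog_level_name() {
    case "$1" in
        0) echo EMERG ;;   1) echo ALERT ;;   2) echo CRIT ;;  3) echo ERR ;;
        4) echo WARNING ;; 5) echo NOTICE ;;  6) echo INFO ;;  7) echo DEBUG ;;
        *) echo UNKNOWN ;;
    esac
}

# Read lines on stdin; print "LEVEL message" for every line whose level is
# numerically <= $1 (i.e. at least that severe). Lines with no "<n>" prefix
# are treated as KERN_WARNING, printk's default when a message carries none.
klog_filter() {
    max="$1"
    while IFS= read -r line; do
        case "$line" in
            \<[0-7]\>*) lvl=${line#<}; lvl=${lvl%%>*}; msg=${line#<?>} ;;
            *)          lvl=4; msg=$line ;;
        esac
        if [ "$lvl" -le "$max" ]; then
            printf '%s %s\n' "$(klog_level_name "$lvl")" "$msg"
        fi
    done
}

# Number of sample lines at KERN_ERR or worse: the ones worth paging someone for.
klog_error_count() {
    printf '%s\n' "$KLOG_SAMPLE" | klog_filter 3 | wc -l | tr -d ' '
}

# Usage: show everything at warning level or worse, then the error count.
printf '%s\n' "$KLOG_SAMPLE" | klog_filter 4
echo "lines at KERN_ERR or worse: $(klog_error_count)"
```

Replace the `printf '%s\n' "$KLOG_SAMPLE"` feed with `dmesg -r` to run it against a live box; the same filter works on `/var/log/messages` lines once the syslog timestamp and host prefix are stripped.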
  22. Cool Kernel Windows
      Trivial ones
      - /proc/cpuinfo
      - /proc/meminfo
      - /proc/devices
      - /proc/filesystems
      - /proc/partitions
      - /proc/interrupts
      - /proc/softirqs
      Hacking Experts
      - /proc/kallsyms
      - /proc/kcore
      - /proc/iomem
      - /proc/ioports
      - /proc/bus/*/devices
      - /sys/class
  23. Kernel Probes
      - kprobes → CONFIG_KPROBES
      - jprobes → Specialized Kprobes, for probing function entry points
      - kretprobes → Return Kprobes, for probing function exit points
  24. Kernel Hacking Related Options
      - CONFIG_PRINTK_TIME
      - CONFIG_DEBUG_SLAB
      - CONFIG_DEBUG_HIGHMEM, CONFIG_DEBUG_PAGE_ALLOC
      - CONFIG_DEBUG_SPINLOCK
      - CONFIG_MAGIC_SYSRQ (kdump related)
      - CONFIG_DETECT_SOFTLOCKUP
      - CONFIG_DEBUG_STACKOVERFLOW
      - CONFIG_DEBUG_STACK_USAGE
      - CONFIG_BUG, CONFIG_DEBUG_BUGVERBOSE
      - CONFIG_KALLSYMS (for debugging oops using gdb)
        Under "General setup" → "Configure Std Kernel ... (for small systems)"
  25. Memory & Device Access (diagram)
      CPU, 32-bit Address Bus and 32-bit Data Bus, Memory Controller, RAM
      The same buses also reach a Bus Controller, behind which sits a Device / uController with its own 32-bit Address Space
  26. Kernel Space Memory Access
      Virtual Address on Physical Address
      - Header: <linux/gfp.h>
        unsigned long __get_free_pages(flags, order); etc
        void free_pages(addr, order); etc
      - Header: <linux/slab.h>
        void *kmalloc(size_t size, gfp_t flags);  /* flags: GFP_USER, GFP_KERNEL, GFP_DMA */
        void kfree(void *obj);
      - Header: <linux/vmalloc.h>
        void *vmalloc(unsigned long size);
        void vfree(void *addr);
  27. Kernel Space Device Access
      Virtual Address for Bus/IO Address
      - Header: <asm/io.h>
        void *ioremap(phys_addr_t bus_addr, unsigned long size);
        void iounmap(void *addr);
      I/O Memory Access
      - Header: <asm/io.h>
        u[8|16|32] ioread[8|16|32](void *addr);
        void iowrite[8|16|32](u[8|16|32] value, void *addr);
      Kernel Window: /proc/iomem
  28. x86 Hardware Architecture (diagram)
      x86 CPU, 32-bit Address Bus and Data Bus, North Bridge, RAM
      South Bridge (PCI): I/O Ports / I/O Line Address Space (16-bit) and Device Address Space (32-bit)
  29. I/O Access (x86* specific)
      I/O Port Access
      - u8 inb(unsigned long port);
      - u16 inw(unsigned long port);
      - u32 inl(unsigned long port);
      - void outb(u8 value, unsigned long port);
      - void outw(u16 value, unsigned long port);
      - void outl(u32 value, unsigned long port);
      Header: <asm/io.h>
      Kernel Window: /proc/ioports
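Slides 26 to 29 pair each access API with its kernel window: before calling `ioremap(bus_addr, size)` you look the bus address up in `/proc/iomem` (or a port in `/proc/ioports`) to confirm which resource you are about to touch. The script below is an added example, not from the presentation: it resolves an address against a constructed `/proc/iomem`-style map (the device names and ranges are made up) to the innermost resource containing it, and bounds-checks an `ioremap`-sized request so that a mapping spilling from one device's registers into its neighbour's is caught before the kernel is asked for it.

```shell
#!/bin/sh
# Added example: resolve bus addresses against /proc/iomem-style text and
# bounds-check an ioremap(addr, size) request. IOMEM_SAMPLE is constructed
# for illustration; names and ranges are invented.
set -e

IOMEM_SAMPLE='20000000-2fffffff : System RAM
  20008000-204fffff : Kernel code
  20500000-2063ffff : Kernel data
40000000-40000fff : mfd-ctrl
40001000-40001fff : uart0
50000000-5fffffff : PCI Bus 0000:00'

# Print "start-end : name" for the innermost resource containing hex address $1.
# /proc/iomem lists children indented under their parent, so the deepest match
# is the last one printed and tail keeps it. Prints nothing if unmapped.
iomem_lookup() {
    addr=$(( $1 ))
    printf '%s\n' "$IOMEM_SAMPLE" | while IFS= read -r line; do
        range=${line%% :*}
        lead=${range%%[! ]*}            # leading indentation, if any
        range=${range#"$lead"}
        name=${line#* : }
        start=$(( 0x${range%-*} ))
        end=$(( 0x${range#*-} ))
        if [ "$addr" -ge "$start" ] && [ "$addr" -le "$end" ]; then
            printf '%s : %s\n' "$range" "$name"
        fi
    done | tail -n 1
}

# Return 0 if [addr, addr+size) lies entirely inside one resource, 1 otherwise.
# A request whose first and last byte resolve to different resources (or to
# nothing) is the classic recipe for a silently wrong mapping.
ioremap_ok() {
    first=$(iomem_lookup "$1")
    last=$(iomem_lookup "$(( $1 + $2 - 1 ))")
    [ -n "$first" ] && [ "$first" = "$last" ]
}

# Usage: check a few requests against the sample map.
for req in "0x40000000 0x1000" "0x40000800 0x1000" "0x60000000 0x10"; do
    set -- $req
    if ioremap_ok "$1" "$2"; then
        echo "ioremap($1, $2): ok, inside '$(iomem_lookup "$1")'"
    else
        echo "ioremap($1, $2): refused, crosses a resource boundary or is unmapped"
    fi
done
```

To run it against a real map, replace the `printf '%s\n' "$IOMEM_SAMPLE"` feed with `cat /proc/iomem`; note that current kernels zero the addresses in `/proc/iomem` for unprivileged readers, so do the lookup as root.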
  30. Hacking from User Space
      Decoding Code
      - objdump -d <object_file> – Disassemble
      - nm <object_file> – List symbols
      Tracing: strace [options] <command>
      Decoding Bus Devices
      - PCI – lspci [-v[v]]
      - USB – lsusb [-v]
  31. What all have we talked about?
      - Linux Hacking Architecture
      - Configuring & Compiling the Linux Kernel
      - Boot Control using Kernel Boot Args
      - Hacking Flexibility w/ Linux Modules
      - Ready-made Hacking Tools & Techniques
  32. Any Queries?
  33. Contact Me
      - Mailing List: computerclubin@googlegroups.com
      - Website: http://www.sysplay.in
      - Email: email@sarika-pugs.com
      - Twitter: anil_pugalia
