Successfully reported this slideshow.

Mobile Hacking using Linux Drivers

11

Share

Upcoming SlideShare
Processes
Processes
Loading in …3
×
1 of 33
1 of 33

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Mobile Hacking using Linux Drivers

  1. 1. Mobile Hacking through Linux Drivers © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> All Rights Reserved.
  2. 2. What to Expect? Objective Usual Linux Kernel Hacking Techniques Tools to do Reverse-engineering Assumptions Linux Kernel is already ported onto a Mobile Getting into the mobile has been figured out © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 2 All Rights Reserved.
  3. 3. The Hacking Architecture User Space (provides interface for hacking) Kernel Space (provides functionalities & facilities to hack) Hardware (is what needs Hacking) System Call I/F (the connector) © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 3 All Rights Reserved.
  4. 4. Kernel Space Functionality Process Management Memory Management Device Management Storage Management Network Management © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 4 All Rights Reserved.
  5. 5. Kernel Driver Ecosystem bash gvim X Server ssh gcc firefox Process Memory Device File Systems Networking Management Management Control Concurrency Virtual Ttys & Files & Dirs: Connectivity MultiTasking Memory Device Access The VFS Architecture Character Filesystem Network Memory Dependent Drivers Layer Subsystem Manager Code & Block Layer Interface Friends & Drivers Drivers Hardware Protocol Layers like PCI, USB, I2C, RS232, ... Consoles, Disks & Network CPU Memory ` etc CDs Interfaces © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 5 All Rights Reserved.
  6. 6. Kernel Source Organization /usr/src/linux/ arch/<arch> mm drivers fs char mtd/ide net pci serial usb ... block net include linux asm-<arch> init kernel ipc lib scripts tools crypto firmware security sound ... © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 6 All Rights Reserved.
  7. 7. Show me the Source Code © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 7 All Rights Reserved.
  8. 8. Kernel Build System Key components Makefile Kconfig Configuring the Makefile Setting up the kernel version (specially for the Desktops) For Cross Compilation, need to setup ARCH CROSS_COMPILE Or, invoke make with these options © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 8 All Rights Reserved.
  9. 9. Kernel Configuration make config make menuconfig make xconfig Others make defconfig make oldconfig make <specific>config © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 9 All Rights Reserved.
  10. 10. Kernel Compilation After configuring the kernel, we are all set to build it Build Methods make vmlinux – To build everything configured for a kernel image make modules – To build only configured modules make – To build everything configured (kernel image & modules) make modules_prepare – To only prepare for building modules Cleaning Methods make clean – Simple clean make mrproper – Complete sweep clean, incl. Configs © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 10 All Rights Reserved.
  11. 11. Linux Kernel Images Kernel Image should be understood by Stage 2 Bootloader Default kernel compilation builds vmlinux vmlinux is understood only by the desktop bootloaders So, for embedded systems, we would typically have to do the following Creating linux.bin using <cross>-objcopy Example: arm-linux-objcopy -O binary vmlinux linux.bin And then, convert it into the bootloader specific image using some bootloader utility. For u-boot, it is done using mkimage Example: mkimage -A arm -O linux -T kernel -C none -a 20008000 -e 20008000 -n “Custom” -d linux.bin uImage.arm © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 11 All Rights Reserved.
  12. 12. Powerful Kernel Arguments console – Boot up & access interface root – Base file system contents mem – Limit the RAM usage nfsroot – Base file system over nfs ip – IP address on boot ... © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 12 All Rights Reserved.
  13. 13. Do we really need to build the kernel? Not really. Alternative: Use Modules instead. © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 13 All Rights Reserved.
  14. 14. W's of a Module? Hot plug-n-play Driver Dynamically Loadable & Unloadable Linux – the first OS to have such a feature Later many followed suit Enables fast hacking cycle File: <module>.ko (Kernel Object) <module>.o wrapped with kernel signature © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 14 All Rights Reserved.
  15. 15. Module Commands lsmod – List modules insmod <mod_file> – Load module rmmod <module> – Unload module modprobe <module> – Auto load module © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 15 All Rights Reserved.
  16. 16. The Module Constructor static int __init mfd_init(void) { ... return 0; } module_init(mfd_init); © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 16 All Rights Reserved.
  17. 17. The Module Destructor static void __exit mfd_exit(void) { ... } module_exit(mfd_exit); © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 17 All Rights Reserved.
  18. 18. Typical Makefile ifeq (${KERNELRELEASE},) KERNEL_SOURCE := <kernel source directory path> PWD := $(shell pwd) default: $(MAKE) -C ${KERNEL_SOURCE} SUBDIRS=$(PWD) modules clean: $(MAKE) -C ${KERNEL_SOURCE} SUBDIRS=$(PWD) clean else obj-m += <module>.o endif © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 18 All Rights Reserved.
  19. 19. How to Hack? © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 19 All Rights Reserved.
  20. 20. printk & syslogd Header: <linux/kernel.h> Arguments: Same as printf Format Specifiers: All as in printf, except float & double related Additionally, a initial 3 character sequence for Log Level KERN_EMERG "<0>" /* system is unusable */ KERN_ALERT "<1>" /* action must be taken immediately */ KERN_CRIT "<2>" /* critical conditions */ KERN_ERR "<3>" /* error conditions */ KERN_WARNING "<4>" /* warning conditions */ KERN_NOTICE "<5>" /* normal but significant condition */ KERN_INFO "<6>" /* informational */ KERN_DEBUG "<7>" /* debug-level messages */ © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 20 All Rights Reserved.
  21. 21. Logs & Kernel Windows Log View Commands dmesg | tail tail /var/log/messages Kernel Windows /proc /sys Peeping Commands cat <window_file> Utilities: sysfsutils, sysdiag © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 21 All Rights Reserved.
  22. 22. Cool Kernel Windows Trivial ones /proc/cpuinfo /proc/meminfo /proc/devices /proc/filesystems /proc/partitions /proc/interrupts /proc/softirqs Hacking Experts /proc/kallsyms /proc/kcore /proc/iomem /proc/ioports /proc/bus/*/devices /sys/class © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 22 All Rights Reserved.
  23. 23. Kernel Probes kprobes → CONFIG_KPROBES jprobes → Specialized Kprobes For probing function entry points kretprobes → Return Kprobes For probing function exit points © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 23 All Rights Reserved.
  24. 24. Kernel Hacking Related Options CONFIG_PRINTK_TIME CONFIG_DEBUG_SLAB CONFIG_DEBUG_HIMEM, CONFIG_DEBUG_PAGE_ALLOC CONFIG_DEBUG_SPINLOCK CONFIG_MAGIC_SYSRQ (kdump related) CONFIG_DETECT_SOFTLOCKUP CONFIG_DEBUG_STACKOVERFLOW CONFIG_DEBUG_STACK_USAGE CONFIG_BUG CONFIG_DEBUG_BUGVERBOSE CONFIG_KALLSYMS (for debugging oops using gdb) Under “General setup” → “Configure Std Kernel ... (for small systems)” © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 24 All Rights Reserved.
  25. 25. Memory & Device Access RAM Memory Controller 32 32 Data Bus CPU Address Bus 32 Bus Controller Device uController Address Space 32 © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 25 All Rights Reserved.
  26. 26. Kernel Space Memory Access Virtual Address on Physical Address Header: <linux/gfp.h> unsigned long __get_free_pages(flags, order); etc void free_pages(addr, order); etc Header: <linux/slab.h> void *kmalloc(size_t size, gfp_t flags); GFP_USER, GFP_KERNEL, GFP_DMA void kfree(void *obj); Header: <linux/vmalloc.h> void *vmalloc(unsigned long size); void vfree(void *addr); © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 26 All Rights Reserved.
  27. 27. Kernel Space Device Access Virtual Address for Bus/IO Address Header: <asm/io.h> void *ioremap(phys_addr_t bus_addr, unsigned long size); void iounmap(void *addr); I/O Memory Access Header: <asm/io.h> u[8|16|32] ioread[8|16|32](void *addr); void iowrite[8|16|32](u[8|16|32] value, void *addr); Kernel Window: /proc/iomem © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 27 All Rights Reserved.
  28. 28. x86 Hardware Architecture RAM North 32 Bridge 32 32 x86 Address Bus Data Bus CPU 32 I/O Ports / I/O Line Address South Space 16 Bridge (PCI) Device 32 Address Space © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 28 All Rights Reserved.
  29. 29. I/O Access (x86* specific) I/O Port Access u8 inb(unsigned long port); u16 inw(unsigned long port); u32 inl(unsigned long port); void outb(u8 value, unsigned long port); void outw(u16 value, unsigned long port); void outl(u32 value, unsigned long port); Header: <asm/io.h> Kernel Window: /proc/ioports © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 29 All Rights Reserved.
  30. 30. Hacking from User Space Decoding Code objdump -d <object_file> – Disassemble nm <object_file> – List symbols Tracing: strace [options] <command> Decoding Bus Devices PCI – lspci [-v[v]] USB – lsusb [-v] © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 30 All Rights Reserved.
  31. 31. What all have we learnt talked? Linux' Hacking Architecture Configuring & Compiling the Linux Kernel Boot Control using Kernel Boot Args Hacking Flexibility w/ Linux Modules Ready-made Hacking Tools & Techniques © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 31 All Rights Reserved.
  32. 32. Any Queries? © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 32 All Rights Reserved.
  33. 33. Contact Me Mailing List computerclubin@googlegroups.com Website http://www.sysplay.in Email email@sarika-pugs.com Twitter anil_pugalia © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> All Rights Reserved.

×