Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Mobile Hacking using Linux Drivers

6,277 views

Published on

Published in: Technology
  • Be the first to comment

Mobile Hacking using Linux Drivers

  1. 1. Mobile Hacking through Linux Drivers© 2012 Anil Kumar Pugalia <email@sarika-pugs.com> All Rights Reserved.
  2. 2. What to Expect?Objective Usual Linux Kernel Hacking Techniques Tools to do Reverse-engineeringAssumptions Linux Kernel is already ported onto a Mobile Getting into the mobile has been figured out © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 2 All Rights Reserved.
  3. 3. The Hacking Architecture User Space (provides interface for hacking) Kernel Space (provides functionalities & facilities to hack) Hardware (is what needs Hacking) System Call I/F (the connector) © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 3 All Rights Reserved.
  4. 4. Kernel Space FunctionalityProcess ManagementMemory ManagementDevice ManagementStorage ManagementNetwork Management © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 4 All Rights Reserved.
  5. 5. Kernel Driver Ecosystembash gvim X Server ssh gcc firefox Process Memory Device File Systems NetworkingManagement Management ControlConcurrency Virtual Ttys & Files & Dirs: ConnectivityMultiTasking Memory Device Access The VFSArchitecture Character Filesystem Network MemoryDependent Drivers Layer Subsystem Manager Code & Block Layer Interface Friends & Drivers Drivers Hardware Protocol Layers like PCI, USB, I2C, RS232, ... Consoles, Disks & Network CPU Memory ` etc CDs Interfaces © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 5 All Rights Reserved.
  6. 6. Kernel Source Organization/usr/src/linux/ arch/<arch> mm drivers fs char mtd/ide net pci serial usb ... block net include linux asm-<arch> init kernel ipc lib scripts tools crypto firmware security sound ... © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 6 All Rights Reserved.
  7. 7. Show me the Source Code © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 7 All Rights Reserved.
  8. 8. Kernel Build SystemKey components Makefile KconfigConfiguring the Makefile Setting up the kernel version (specially for the Desktops) For Cross Compilation, need to setup ARCH CROSS_COMPILE Or, invoke make with these options © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 8 All Rights Reserved.
  9. 9. Kernel Configurationmake configmake menuconfigmake xconfigOthers make defconfig make oldconfig make <specific>config © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 9 All Rights Reserved.
  10. 10. Kernel CompilationAfter configuring the kernel, we are all set to build itBuild Methods make vmlinux – To build everything configured for a kernel image make modules – To build only configured modules make – To build everything configured (kernel image & modules) make modules_prepare – To only prepare for building modulesCleaning Methods make clean – Simple clean make mrproper – Complete sweep clean, incl. Configs © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 10 All Rights Reserved.
  11. 11. Linux Kernel ImagesKernel Image should be understood by Stage 2 BootloaderDefault kernel compilation builds vmlinuxvmlinux is understood only by the desktop bootloadersSo, for embedded systems, we would typically have to do thefollowing Creating linux.bin using <cross>-objcopy Example: arm-linux-objcopy -O binary vmlinux linux.bin And then, convert it into the bootloader specific image using some bootloader utility. For u-boot, it is done using mkimage Example: mkimage -A arm -O linux -T kernel -C none -a 20008000 -e 20008000 -n “Custom” -d linux.bin uImage.arm © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 11 All Rights Reserved.
  12. 12. Powerful Kernel Argumentsconsole – Boot up & access interfaceroot – Base file system contentsmem – Limit the RAM usagenfsroot – Base file system over nfsip – IP address on boot... © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 12 All Rights Reserved.
  13. 13. Do we really need to build the kernel? Not really. Alternative: Use Modules instead. © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 13 All Rights Reserved.
  14. 14. Ws of a Module?Hot plug-n-play DriverDynamically Loadable & UnloadableLinux – the first OS to have such a featureLater many followed suitEnables fast hacking cycleFile: <module>.ko (Kernel Object) <module>.o wrapped with kernel signature © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 14 All Rights Reserved.
  15. 15. Module Commandslsmod – List modulesinsmod <mod_file> – Load modulermmod <module> – Unload modulemodprobe <module> – Auto load module © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 15 All Rights Reserved.
  16. 16. The Module Constructorstatic int __init mfd_init(void){ ... return 0;}module_init(mfd_init); © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 16 All Rights Reserved.
  17. 17. The Module Destructorstatic void __exit mfd_exit(void){ ...}module_exit(mfd_exit); © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 17 All Rights Reserved.
  18. 18. Typical Makefileifeq (${KERNELRELEASE},) KERNEL_SOURCE := <kernel source directory path> PWD := $(shell pwd)default: $(MAKE) -C ${KERNEL_SOURCE} SUBDIRS=$(PWD) modulesclean: $(MAKE) -C ${KERNEL_SOURCE} SUBDIRS=$(PWD) cleanelse obj-m += <module>.oendif © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 18 All Rights Reserved.
  19. 19. How to Hack?© 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 19 All Rights Reserved.
  20. 20. printk & syslogdHeader: <linux/kernel.h>Arguments: Same as printfFormat Specifiers: All as in printf, except float & double relatedAdditionally, a initial 3 character sequence for Log Level KERN_EMERG "<0>" /* system is unusable */ KERN_ALERT "<1>" /* action must be taken immediately */ KERN_CRIT "<2>" /* critical conditions */ KERN_ERR "<3>" /* error conditions */ KERN_WARNING "<4>" /* warning conditions */ KERN_NOTICE "<5>" /* normal but significant condition */ KERN_INFO "<6>" /* informational */ KERN_DEBUG "<7>" /* debug-level messages */ © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 20 All Rights Reserved.
  21. 21. Logs & Kernel WindowsLog View Commands dmesg | tail tail /var/log/messagesKernel Windows /proc /sysPeeping Commands cat <window_file> Utilities: sysfsutils, sysdiag © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 21 All Rights Reserved.
  22. 22. Cool Kernel WindowsTrivial ones /proc/cpuinfo /proc/meminfo /proc/devices /proc/filesystems /proc/partitions /proc/interrupts /proc/softirqsHacking Experts /proc/kallsyms /proc/kcore /proc/iomem /proc/ioports /proc/bus/*/devices /sys/class © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 22 All Rights Reserved.
  23. 23. Kernel Probeskprobes → CONFIG_KPROBESjprobes → Specialized Kprobes For probing function entry pointskretprobes → Return Kprobes For probing function exit points © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 23 All Rights Reserved.
  24. 24. Kernel Hacking Related OptionsCONFIG_PRINTK_TIMECONFIG_DEBUG_SLAB CONFIG_DEBUG_HIMEM, CONFIG_DEBUG_PAGE_ALLOCCONFIG_DEBUG_SPINLOCKCONFIG_MAGIC_SYSRQ (kdump related)CONFIG_DETECT_SOFTLOCKUPCONFIG_DEBUG_STACKOVERFLOWCONFIG_DEBUG_STACK_USAGECONFIG_BUG CONFIG_DEBUG_BUGVERBOSECONFIG_KALLSYMS (for debugging oops using gdb) Under “General setup” → “Configure Std Kernel ... (for small systems)” © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 24 All Rights Reserved.
  25. 25. Memory & Device Access RAM Memory Controller 32 32Data Bus CPU Address Bus 32 Bus Controller Device uController Address Space 32 © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 25 All Rights Reserved.
  26. 26. Kernel Space Memory AccessVirtual Address on Physical Address Header: <linux/gfp.h> unsigned long __get_free_pages(flags, order); etc void free_pages(addr, order); etc Header: <linux/slab.h> void *kmalloc(size_t size, gfp_t flags); GFP_USER, GFP_KERNEL, GFP_DMA void kfree(void *obj); Header: <linux/vmalloc.h> void *vmalloc(unsigned long size); void vfree(void *addr); © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 26 All Rights Reserved.
  27. 27. Kernel Space Device AccessVirtual Address for Bus/IO Address Header: <asm/io.h> void *ioremap(phys_addr_t bus_addr, unsigned long size); void iounmap(void *addr);I/O Memory Access Header: <asm/io.h> u[8|16|32] ioread[8|16|32](void *addr); void iowrite[8|16|32](u[8|16|32] value, void *addr);Kernel Window: /proc/iomem © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 27 All Rights Reserved.
  28. 28. x86 Hardware Architecture RAM North 32 Bridge 32 32 x86 Address Bus Data Bus CPU 32I/O Ports / I/O Line Address South Space 16 Bridge (PCI) Device 32 Address Space © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 28 All Rights Reserved.
  29. 29. I/O Access (x86* specific)I/O Port Access u8 inb(unsigned long port); u16 inw(unsigned long port); u32 inl(unsigned long port); void outb(u8 value, unsigned long port); void outw(u16 value, unsigned long port); void outl(u32 value, unsigned long port);Header: <asm/io.h>Kernel Window: /proc/ioports © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 29 All Rights Reserved.
  30. 30. Hacking from User SpaceDecoding Code objdump -d <object_file> – Disassemble nm <object_file> – List symbolsTracing: strace [options] <command>Decoding Bus Devices PCI – lspci [-v[v]] USB – lsusb [-v] © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 30 All Rights Reserved.
  31. 31. What all have we learnt talked? Linux Hacking Architecture Configuring & Compiling the Linux Kernel Boot Control using Kernel Boot Args Hacking Flexibility w/ Linux Modules Ready-made Hacking Tools & Techniques © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 31 All Rights Reserved.
  32. 32. Any Queries?© 2012 Anil Kumar Pugalia <email@sarika-pugs.com> 32 All Rights Reserved.
  33. 33. Contact MeMailing List computerclubin@googlegroups.comWebsite http://www.sysplay.inEmail email@sarika-pugs.comTwitter anil_pugalia © 2012 Anil Kumar Pugalia <email@sarika-pugs.com> All Rights Reserved.

×