Professional Documents
Culture Documents
DEFCON 24 Brad Dixon Pin2Pwn How To Root An Embedded Linux Box With A Sewing Needle
DEFCON 24 Brad Dixon Pin2Pwn How To Root An Embedded Linux Box With A Sewing Needle
an Embedded Linux
Box with a Sewing
Needle
• Easy • Crude
• Dramatic
Demo
Prior Art
• Significant body of work around fault injection
and glitching at the IC level for secure
processors
JTAG Serial
Parallel or
SPI flash
Order of Attack
1. Serial
2. JTAG Memory CPU Flash
3. …
4. Flash to CPU
interface poke here
Ethernet Other I/O
Why does this work?
Boot loader Kernel load to RAM Scan / Mount ? Init / Start App
…or now
poke now…
1. No JTAG.
• FT232R
- IOH=2mA
- Imax=24mA
How To
Prepare Poke Pwn?
• Survey HW • Select pins to poke • Monitor for unusual
behavior
- Serial traffic
• Identify ports to • Get some timing - Fallback boot configurations
monitor boot help - Re-activated JTAG
- New network ports
• Datasheets • Poke!
• Sometimes you get
• Inspect failure • May take a few lucky!
modes, if possible attempts