Software Exploitation via Hardware exploitation training (LITE)

COURSE SYLLABUS

Below is the syllabus for the 4-day course. The content is continuously evolving and may vary with each offering based on updates or available time.

Interfaces:

Unit 1: Basic UART
Introduce UARTs, their common uses, and tools for interfacing with them. In lab, participants will acquire a root console on an embedded device via a serial cable.

Unit 2: Exploit via UART
Discuss the attack surface exposed via UART. In lab, participants will embed a remotely accessible backdoor via hardware access with a serial cable.

Unit 3: Finding Pinouts Manually
Show various methods of locating and identifying debug headers on a board. In lab, participants will experimentally determine pinouts of an unknown debug port.

Unit 4: Basic JTAG
Introduce JTAG, its history and uses, and tools for interfacing with it. In lab, participants will configure and connect JTAG hardware and software for run control of an embedded CPU.

Unit 5: Finding Pinouts Automatically
Discuss algorithms and methods for automatically identifying debug ports. In lab, participants will use tools to automatically find and identify a JTAG interface.

Unit 6: JTAG Exploration
Discuss the potential for undocumented and obscured features hidden in JTAG. In lab, participants will identify and probe several features of an undocumented JTAG controller.

Unit 7: JTAG Enabling
Present several ways that manufacturers can disable or disconnect JTAG, and how to reverse them. In lab, participants will re-enable JTAG access on an unmodified Android tablet.

Unit 8: JTAG Exploitation
Present multiple methods of escalating software privilege via JTAG. In lab, participants will manipulate memory via JTAG to modify kernel operations and privileges.

Firmware:

Unit 1: Basic Firmware Dumping
Introduce basics of flash storage and common partitioning. In lab, participants will identify and examine the raw flash contents via root console.

Unit 2: Intermediate Firmware Dumping
Present multiple methods of accessing firmware via JTAG for cases where root privileges are not yet available. In lab, participants will dump firmware from a target via JTAG.

Unit 3: Advanced Firmware Dumping
Present non-invasive methods of directly accessing various flash storage chips. In lab, participants will quickly dump the full firmware by directly interfacing with flash chips.

Unit 4: Invasive Firmware Dumping
Discuss destructive methods of firmware extraction and reasons why it might be necessary. Instructors will demonstrate removing and dumping a chip with a dedicated programmer.

Unit 5: Basic Firmware Analysis
Introduce multiple procedures for firmware analysis, helpful tools, and easy exploits. In lab, participants will analyze a firmware image, make minor modifications to exploit it, and flash it back to the target device.

Unit 6: Intermediate Firmware Analysis
Discuss further methods for extracting, modifying, and repackaging filesystem images. In lab, participants will manipulate the filesystem to add a backdoor to be remotely accessed.

Unit 7: Advanced Firmware Analysis
Introduce tools for binary reverse engineering of executables found in firmware. In lab, participants will reverse engineer the firmware for a small game console and extract key elements.

Exploitation & Exotic Interfaces:

Unit 1: Embedded Exploitation
Introduce common issues with embedded code on ARM. In lab, participants will identify and exploit vulnerabilities in code found on an embedded ARM device.

Unit 2: Exotic Interfaces and Attack Vectors
Briefly cover other exotic communication interfaces such as RF communication protocols and automotive interfaces such as CAN, SWCAN, LSFT CAN, DW CAN, OBD, ISO 14239, and ISO 14229.

Senrio Inc 2018. All rights reserved.