Interfaces:
Unit 1: Basic UART
Introduce UARTs, their Common uses, and Tools to interface them. In lab, participants will acquire a root console on an embedded device via serial cable.
Unit 2: Exploit via UART
Discuss attack surface exposed via UART. In lab, participants will embed a remotely accessible backdoor via hardware access with serial cable.
Unit 3: Finding Pinouts Manually
Show various methods of locating and identifying debug headers on a board. In lab, participants will experimentally determine pinouts of an unknown debug port.
Unit 4: Basic JTAG
Introduce JTAG, its history and uses, and tools for interfacing. In lab, participants will configure and connect JTAG hardware and software for run control of an embedded cpu.
Unit 5: Finding Pinouts Automatically
Discuss algorithms and methods for automatically identifying debug ports. In lab, participants will use tools to automatically find and identify a JTAG interface
Unit 6: JTAG Exploration
Discuss the potential for undocumented and obscured features hidden in JTAG. In lab, participants will identify and probe several features of an undocumented jtag controller.
Unit 7: JTAG Enabling
Present several ways that manufacturers could disable or disconnect JTAG, and how to reverse them. In lab, participants will re-enable jtag access on an unmodified android tablet
Unit 8: JTAG Exploitation
Present multiple methods of escalating software privilege via jtag. In lab, participants will manipulate memory via jtag to modify kernel operations and privileges
Firmware:
Unit 1: Basic Firmware Dumping
Introduce basics of flash storage and common partitioning. In lab, participants will identify and examine the raw flash contents via root console
Unit 2: Intermediate Firmware Dumping
Present multiple methods of accessing firmware via jtag for times when root privileges are not yet available. In lab, participants will dump firmware off a target via JTAG.
Unit 3: Advanced Firmware Dumping
Present non-invasive methods of directly accessing various flash storage chips. In lab, participants will quickly dump the full firmware by directly interfacing with flash chips.
Unit 4: Invasive Firmware Dumping
Discuss destructive methods of firmware extraction and reasons why it might be necessary. Instructors will demonstrate removing and dumping a chip with a dedicated programmer.
Unit 5: Basic Firmware Analysis
Introduce multiple procedures for firmware analysis, helpful tools, and easy exploits. In lab, participants will analyze and make minor modifications to exploit a firmware, and flash it back to the target device.
Unit 6: Intermediate Firmware Analysis
Discuss further methods for extracting, modifying, and repackaging filesystem images. In lab, participants will manipulate the filesystem to add a backdoor to be remotely accessed.
Unit 7: Advanced Firmware Analysis
Introduce tools for binary reverse engineering of executables found in firmware. In lab, participants will reverse engineer the firmware for a small game console and extract key elements.
Exploitation and Side Channels
Unit 1: Embedded Exploitation
Introduce common issues with embedded code on ARM. In lab, participants will identify and exploit vulnerabilities in code found on an embedded ARM device.
Unit 2: Timing Side Channels
Introduce the concept of side channel attacks and show examples of how timing can leak information. In lab, participants will perform simple timing analysis to crack a microcontroller-based pin entry system.
Unit 3: Power Side Channel
Introduce power side channels as well as methods to measure power consumption. In lab, participants will perform simple power analysis to crack the 'fixed' pin entry system.
Unit 4: Exotic Interfaces and Attack Vectors
Briefly cover other exotic communication interfaces such as RF communications protocols and Automotive interfaces such as CAN, SWCAN, LSFT CAN, DW CAN, OBD, ISO 14239, ISO 14229
Unit 1: Basic UART
Introduce UARTs, their Common uses, and Tools to interface them. In lab, participants will acquire a root console on an embedded device via serial cable.
Unit 2: Exploit via UART
Discuss attack surface exposed via UART. In lab, participants will embed a remotely accessible backdoor via hardware access with serial cable.
Unit 3: Finding Pinouts Manually
Show various methods of locating and identifying debug headers on a board. In lab, participants will experimentally determine pinouts of an unknown debug port.
Unit 4: Basic JTAG
Introduce JTAG, its history and uses, and tools for interfacing. In lab, participants will configure and connect JTAG hardware and software for run control of an embedded cpu.
Unit 5: Finding Pinouts Automatically
Discuss algorithms and methods for automatically identifying debug ports. In lab, participants will use tools to automatically find and identify a JTAG interface
Unit 6: JTAG Exploration
Discuss the potential for undocumented and obscured features hidden in JTAG. In lab, participants will identify and probe several features of an undocumented jtag controller.
Unit 7: JTAG Enabling
Present several ways that manufacturers could disable or disconnect JTAG, and how to reverse them. In lab, participants will re-enable jtag access on an unmodified android tablet
Unit 8: JTAG Exploitation
Present multiple methods of escalating software privilege via jtag. In lab, participants will manipulate memory via jtag to modify kernel operations and privileges
Firmware:
Unit 1: Basic Firmware Dumping
Introduce basics of flash storage and common partitioning. In lab, participants will identify and examine the raw flash contents via root console
Unit 2: Intermediate Firmware Dumping
Present multiple methods of accessing firmware via jtag for times when root privileges are not yet available. In lab, participants will dump firmware off a target via JTAG.
Unit 3: Advanced Firmware Dumping
Present non-invasive methods of directly accessing various flash storage chips. In lab, participants will quickly dump the full firmware by directly interfacing with flash chips.
Unit 4: Invasive Firmware Dumping
Discuss destructive methods of firmware extraction and reasons why it might be necessary. Instructors will demonstrate removing and dumping a chip with a dedicated programmer.
Unit 5: Basic Firmware Analysis
Introduce multiple procedures for firmware analysis, helpful tools, and easy exploits. In lab, participants will analyze and make minor modifications to exploit a firmware, and flash it back to the target device.
Unit 6: Intermediate Firmware Analysis
Discuss further methods for extracting, modifying, and repackaging filesystem images. In lab, participants will manipulate the filesystem to add a backdoor to be remotely accessed.
Unit 7: Advanced Firmware Analysis
Introduce tools for binary reverse engineering of executables found in firmware. In lab, participants will reverse engineer the firmware for a small game console and extract key elements.
Exploitation and Side Channels
Unit 1: Embedded Exploitation
Introduce common issues with embedded code on ARM. In lab, participants will identify and exploit vulnerabilities in code found on an embedded ARM device.
Unit 2: Timing Side Channels
Introduce the concept of side channel attacks and show examples of how timing can leak information. In lab, participants will perform simple timing analysis to crack a microcontroller-based pin entry system.
Unit 3: Power Side Channel
Introduce power side channels as well as methods to measure power consumption. In lab, participants will perform simple power analysis to crack the 'fixed' pin entry system.
Unit 4: Exotic Interfaces and Attack Vectors
Briefly cover other exotic communication interfaces such as RF communications protocols and Automotive interfaces such as CAN, SWCAN, LSFT CAN, DW CAN, OBD, ISO 14239, ISO 14229
