Title : Hacking with Embedded Systems
Author : cawan
==Phrack Inc.==
Volume 0x0b, Issue 0x3f, Phile #0x11 of 0x14
|=------------[ Security Review Of Embedded Systems And Its ]------------=|
|=------------[ Applications To Hacking Methodology ]------------=|
|=-----------------------------------------------------------------------=|
|=----[ Cawan: <chuiyewleong[at]hotmail.com> or <cawan[at]ieee.org> ]----=|
--=[ Contents
1. - Introduction
2. - Architectures Classification
3. - Hacking with Embedded System
4. - Hacking with Embedded Linux
5. - "Hacking Machine" Implementation In FPGA
6. - What The Advantages Of Using FPGA In Hacking ?
7. - What Else Of Magic That Embedded Linux Can Do ?
8. - Conclusion
--[ 1. - Introduction
Embedded systems have been penetrated the daily human life. In
residential home, the deployment of "smart" systems have brought out the
term of "smart-home". It is dealing with the home security, electronic
appliances control and monitoring, audio/video based entertainment, home
networking, and etc. In building automation, embedded system provides the
ability of network enabled (Lonwork, Bacnet or X10) for extra convenient
control and monitoring purposes. For intra-building communication, the
physical network media including power-line, RS485, optical fiber, RJ45,
IrDA, RF, and etc. In this case, media gateway is playing the roll to
provide inter-media interfacing for the system. For personal handheld
systems, mobile devices such as handphone/smartphone and PDA/XDA are going
to be the necessity in human life. However, the growing of 3G is not as
good as what is planning initially. The slow adoption in 3G is because it
is lacking of direct compatibility to TCP/IP. As a result, 4G with Wimax
technology is more likely to look forward by communication industry
regarding to its wireless broadband with OFDM.
Obviously, the development trend of embedded systems application is
going to be convergence - by applying TCP/IP as "protocol glue" for
inter-media interfacing purpose. Since the deployment of IPv6 will cause
an unreasonable overshooting cost, so the widespread of IPv6 products
still needs some extra times to be negotiated.
As a result, IPv4 will continue to dominate the world of networking,
especially in embedded applications. As what we know, the brand-old
IPv4 is being challenged by its native security problems in terms of
confidentiality, integrity, and authentication.
Extra value added modules such as SSL and SSH would be the best solution
to protect most of the attacks such as Denial of Service, hijacking,
spooling, sniffing, and etc. However, the implementation of such value
added module in embedded system is optional because it is lacking of
available hardware resources. For example, it is not reasonable to
implement SSL in SitePlayer[1] for a complicated web-based control and
monitoring system by considering the available flash and memory that
can be utilized.
By the time of IPv4 is going to conquer the embedded system's world,
the native characteristic of IPv4 and the reduced structure of embedded
system would be problems in security consideration.
These would probably a hidden timer-bomb that is waiting to be exploited.
As an example, by simply performing port scan with pattern recognition to
a range of IP address, any of the running SC12 IPC@CHIP[2] can be
identified and exposed. Once the IP address of a running SC12 is confirmed,
by applying a sequence of five ping packet with the length of 65500 is
sufficient to crash it until reset.
--[ 2. - Architectures Classification
With the advent of commodity electronics in the 1980s, digital utility
began to proliferate beyond the world of technology and industry. By its
nature digital signal can be represented exactly and easily, which gives
it much more utility. In term of digital system design, programmable
logic has a primary advantage over custom gate arrays and standard cells
by enabling faster time-to-complete and shorter design cycles. By using
software, digital design can be programmed directly into programmable
logic and allowing making revisions to the design relatively quickly.
The two major types of programmable logic devices are Field Programmable
Logic Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs).
FPGAs offer the highest amount of logic density, the most features,
and the highest performance. These advanced devices also offer features
such as built-in hardwired processors (such as the IBM Power PC),
substantial amounts of memory, clock management systems, and support
for many of the latest very fast device-to-device signaling technologies.
FPGAs are used in a wide variety of applications ranging from data
processing and storage, instrumentation, telecommunications, and digital
signal processing. Instead, CPLDs offer much smaller amounts of logic
(approximately 10,000 gates). But CPLDs offer very predictable timing
characteristics and are therefore ideal for critical control applications.
Besides, CPLDs also require extremely low amounts of power and are very
inexpensive.
Well, it is the time to discuss about Hardware Description Language
(HDL). HDL is a software programming language used to model the intended
operation of a piece of hardware. There are two aspects to the description
of hardware that an HDL facilitates: true abstract behavior modeling and
hardware structure modeling. The behavior of hardware may be modeled and
represented at various levels of abstraction during the design process.
Higher level models describe the operation of hardware abstractly, while
lower level models include more detail, such as inferred hardware
structure. There are two types of HDL: VHDL and Verilog-HDL. The history
of VHDL started from 1980 when the USA Department of Defence (DoD) wanted
to make circuit design self documenting, follow a common design methodology
and be reusable with new technologies. It became clear there was a need for
a standard programming language for describing the function and structure
of digital circuits for the design of integrated circuits (ICs). The DoD
funded a project under the Very High Speed Integrated Circuit (VHSIC)
program to create a standard hardware description language.
The result was the creation of the VHSIC hardware description language or
VHDL as it is now commonly known. The history of Verilog-HDL started from
1981, when a CAE software company called Gateway Design Automation that was
founded by Prabhu Goel. One of the Gateway's first employees was Phil
Moorby, who was an original author of GenRad's Hardware Description
Language (GHDL) and HILO simulator. On 1983, Gateway released the Verilog
Hardware Description Language known as Verilog-HDL or simply Verilog
together with a Verilog simulator. Both VHDL and Verilog-HDL are reviewed
and adopted by IEEE as IEEE standard 1076 and 1364, respectively.
Modern hardware implementation of embedded systems can be classified
into two categories: hardcore processing and softcore processing. Hardcore
processing is a method of applying hard processor(s) such as ARM, MIPS,
x86, and etc as processing unit with integrated protocol stack.
For example, SC12 with x86, IP2022 with Scenix RISC, eZ80, SitePlayer
and Rabbit are dropped in the category of hardcore processing.Instead,
softcore processing is applying a synthesizable core that can be targeted
into different semiconductor fabrics. The semiconductor fabrics should be
programmable as what FPGA and CPLD do. Altera[3] and Xilinx[4] are the
only FPGA/CPLD manufacturers in the market that supporting softcore
processor. Altera provides NIOS processor that can be implemented in SOPC
Builder that is targeted to its Cyclone and Stratix FPGAs. Xilinx provides
two types of softcore: Picoblaze, that is targeted to its CoolRunner-2
CPLD; and Microblaze, that is targeted to its Spartan and Virtex FPGAs.
For the case of FPGAs with embedded hardcore, for example ARM-core in
Stratix, and MIPS-core in Virtex are classified as embedded hardcore
processing. On the other hand, FPGAs with embedded softcore such as
NIOS-core in Cyclone or Stratix, and Microblaze-core in Spartan or Virtex
are classified as softcore processing. Besides, the embedded softcore can
be associated with others synthesizable peripherals such as DMA controller
for advanced processing purpose.
In general, the classical point of view regarding to the hardcore
processing might assuming it is always running faster than softcore
processing. However, it is not the fact. Processor performance is often
limited by how fast the instruction and data can be pipelined from external
memory into execution unit. As a result, hardcore processing is more
suitable for general application purpose but softcore processing is more
liable to be used in customized application purpose with parallel
processing and DSP. It is targeted to flexible implementation in adaptive
platform.
--[ 3. - Hacking with Embedded System
When the advantages of softcore processing are applied in hacking, it
brings out more creative methods of attack, the only limitation is the
imagination. Richard Clayton had shown the method of extracting a 3DES key
from an IBM 4758 that is running Common Cryptographic Architecture
(CCA)[5]. The IBM 4758 with its CCA software is widely used in the banking
industry to hold encryption keys securely. The device is extremely
tamper-resistant and no physical attack is known that will allow keys to be
accessed. According to Richard, about 20 minutes of uninterrupted access to
the IBM 4758 with Combine_Key_Parts permission is sufficient to export the
DES and 3DES keys. For convenience purpose, it is more likely to implement
an embedded system with customized application to get the keys within the
20 minutes of accessing to the device. An evaluation board from Altera was
selected by Richard Clayton for the purpose of keys exporting and
additional two days of offline key cracking.
In practice, by using multiple NIOS-core with customized peripherals
would provide better performance in offline key cracking. In fact,
customized parallel processing is very suitable to exploit both symmetrical
and asymmetrical encrypted keys.
--[ 4. - Hacking with Embedded Linux
For application based hacking, such as buffer overflow and SQL
injection, it is more preferred to have RTOS installed in the embedded
system. For code reusability purpose, embedded linux would be the best
choice of embedded hacking platform. The following examples have clearly
shown the possible attacks under an embedded platform. The condition of
the embedded platform is come with a Nios-core in Stratix and uClinux
being installed. By recompiling the source code of netcat and make it run
in uClinux, a swiss army knife is created and ready to perform penetration
as listed below: -
a) Port Scan With Pattern Recognition
A list of subnet can be defined initially in the embedded system
and bring it into a commercial building. Plug the embedded system
into any RJ45 socket in the building, press a button to perform port
scan with pattern recognition and identify any vulnerable network
embedded system in the building. Press another button to launch attack
(Denial of Service) to the target network embedded system(s). This
is a serious problem when the target network embedded system(s) is/are
related to the building evacuation system, surveillance system or
security system.
b) Automatic Brute-Force Attack
Defines server(s) address, dictionary, and brute-force pattern
in the embedded system. Again, plug the embedded system into any RJ45
socket in the building, press a button to start the password guessing
process. While this small box of embedded system is located in a hidden
corner of any RJ45 socket, it can perform the task of cracking over
days, powered by battery.
c) LAN Hacking
By pre-identify the server(s) address, version of patch, type
of service(s), a structured attack can be launched within the area
of the building. For example, by defining:
http://192.168.1.1/show.php?id=1%20and%201=2%20union%20select%20
8,7,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),5,4,
3,2,1
**char(47,101,116,99,47,112,97,115,115,119,100) = /etc/passwd
in the embedded system initially. Again, plug the embedded system into
any RJ45 socket in the building (within the LAN), press a button to
start SQL injection attack to grab the password file of the Unix
machine (in the LAN). The password file is then store in the flash
memory and ready to be loaded out for offline cracking. Instead of
performing SQL injection, exploits can be used for the same
purpose.
d) Virus/Worm Spreading
The virus/worm can be pre-loaded in the embedded system. Again,
plug the embedded system into any RJ45 socket in the building, press a
button to run an exploit to any vulnerable target machine, and load the
virus/worm into the LAN.
e) Embedded Sniffer
Switch the network interface from normal mode into promiscuous mode
and define the sniffing conditions. Again, plug the embedded system
into any RJ45 socket in the building, press a button to start the
sniffer. To make sure the sniffing process can be proceed in switch
LAN, ARP sniffer is recommended for this purpose.
--[ 5. - "Hacking Machine" Implementation In FPGA
The implementation of embedded "hacking machine" will be demonstrated
in Altera's NIOS development board with Stratix EP1S10 FPGA. The board
provides a 10/100-base-T ethernet and a compact-flash connector. Two
RS-232 ports are also provided for serial interfacing and system
configuration purposes, respectively. Besides, the onboard 1MB of SRAM,
16MB of SDRAM, and 8MB of flash memory are ready for embedded linux
installation[6]. The version of embedded linux that is going to be applied
is uClinux from microtronix[7].
Ok, that is the specification of the board. Now, we start our journey
of "hacking machine" design. We use three tools provided by Altera to
implement our "hardware" design. In this case, the term of "hardware" means
it is synthesizable and to be designed in Verilog-HDL. The three tools
being used are: QuartusII ( as synthesis tool), SOPC Builder (as
Nios-core design tool), and C compiler. Others synthesis tools such as
leonardo-spectrum from mentor graphic, and synplify from synplicity are
optional to be used for special purpose. In this case, the synthesized
design in edif format is defined as external module. It is needed to import
the module from QuartusII to perform place-and-route (PAR). The outcome of
PAR is defined as hardware-core. For advanced user, Modelsim from mentor
graphic is highly recommended to perform behavioral simulation and Post-PAR
simulation. Behavioral simulation is a type of functional verification to
the digital hardware design. Timing issues are not put into the
consideration in this state. Instead, Post-PAR simulation is a type of
real-case verification. In this state, all the real-case factors such as
power-consumption and timing conditions (in sdf format) are put into the
consideration. [8,9,10,11,12]
A reference design is provided by microtronix and it is highly
recommended to be the design framework for any others custom design with
appropriate modifications [13]. Well, for our "hacking machine" design
purpose, the only modification that we need to do is to assign the
interrupts of four onboard push-buttons [14]. So, once the design
framework is loaded into QuartusII, SOPC Builder is ready to start
the design of Nios-core, Boot-ROM, SRAM and SDRAM inteface, Ethernet
interface, compact-flash interface and so on. Before starting to generate
synthesizable codes from the design, it is crucial to ensure the check-box
of "Microtronix uClinux" under Software Components is selected (it is in
the "More CPU Settings" tab of the main configuration windows in SOPC
Builder). By selecting this option, it is enabling to build a uClinux
kernel, uClibc library, and some uClinux's general purpose applications by
the time of generating synthesizable codes. Once ready, generate the design
as synthesizable codes in SOPC Builder following by performing PAR in
QuartusII to get a hardware core. In general, there are two formats of
hardware core:-
a) .sof core: To be downloaded into the EP1S10 directly by JTAG and
will require a re-load if the board is power cycled
**(Think as volatile)
b) .pof core: To be downloaded into EPC16 (enhanced configuration
device) and will automatically be loaded into the
FPGA every time the board is power cycled
**(Think as non-volatile)
The raw format of .sof and .pof hardware core is .hexout. As hacker,
we would prefer to work in command line, so we use the hexout2flash tool
to convert the hardware core from .hexout into .flash and relocate the
base address of the core to 0x600000 in flash. The 0x600000 is the startup
core loading address of EP1S10. So, once the .flash file is created, we
use nios-run or nr command to download the hardware core into flash memory
as following:
[Linux Developer] ...uClinux/: nios-run hackcore.hexout.flash
After nios-run indicates that the download has completed successfully,
restart the board. The downloaded core will now start as the default core
whenever the board is restarted.
Fine, the "hardware" part is completed. Now, we look into the
"software" implementation. We start from uClinux. As what is stated, the
SOPC Builder had generated a framework of uClinux kernel, uClibc library,
and some uClinux general purpose applications such as cat, mv, rm, and etc.
We start to reconfigure the kernel by using "make xconfig".
[Linux Developer] ...uClinux/: cd linux
[Linux Developer] ...uClinux/: make xconfig
In xconfig, perform appropriate tuning to the kernel, then use
"make clean" to clean the source tree of any object files.
[Linux Developer] ...linux/: make clean
To start building a new kernel use "make dep" following by "make".
[Linux Developer] ...linux/: make dep
[Linux Developer] ...linux/: make
To build the linux.flash file for uploading, use "make linux.flash".
[Linux Developer] ...uClinux/: make linux.flash
The linux.flash file is defined as the operating system image.
As what we know, an operating system must run with a file system.
So, we need to create a file system image too. First, edit the config
file in userland/.config to select which application packages get
built. For example:
#TITLE agetty
CONFIG_AGETTY=y
If an application package's corresponding variable is set to 'n'
(for example, CONFIG_AGETTY=n), then it will not be built and copied
over to the target/ directory. Then, build all application packages
specified in the userland/.config as following:
[Linux Developer] ...userland/: make
Now, we copy the pre-compiled netcat into target/ directory.
After that, use "make romfs" to start generating the file system or
romdisk image.
[Linux Developer] ...uClinux/: make romfs
Once completed, the resulting romdisk.flash file is ready to be
downloaded
to the target board. First, download the file system image following by
the operating system image into the flash memory.
[Linux Developer] ...uClinux/: nios-run -x romdisk.flash
[Linux Developer] ...uClinux/: nios-run linux.flash
Well, our FPGA-based "hacking machine" is ready now.
Lets try to make use of it to a linux machine with /etc/passwd
enabled. We assume the ip of the target linux machine is 192.168.1.1
as web server in the LAN that utilize MySQL database. Besides, we know
that its show.php is vulnerable to be SQL injected. We also assume it has
some security protections to filter out some dangerous symbols, so we
decided to use char() method of injection. We assume the total columns in
the table that access by show.php is 8.
Now, we define:
char getpass[]="http://192.168.1.1/show.php?id=1%20and%201=2%20union
%20select%208,7,load_file(char(47,101,116,99,47,112,97,115,115,119,
100)),5,4,3,2,1";
as attacking string, and we store the respond data (content of
/etc/passwd) in a file name of password.dat. By creating a pipe to the
netcat, and at the same time to make sure the attacking string is always
triggered by the push-button, well, our "hacking machine" is ready.
Plug the "hacking machine" into any of the RJ45 socket in the LAN,
following by pressing a button to trigger the attacking string against
192.168.1.1. After that, unplug the "hacking machine" and connect to a
pc, download the password.dat from the "hacking machine", and start the
cracking process. By utilizing the advantages of FPGA architecture,
a hardware cracker can be appended for embedded based cracking process.
Any optional module can be designed in Verilog-HDL and attach to the
FPGA for all-in-one hacking purpose. The advantages of FPGA implementation
over the conventional hardcore processors will be deepened in the
following section, with a lot of case-studies, comparisons and
wonderful examples.
Tips:
**FTP server is recommended to be installed in "hacking machine"
because of two reasons:
1) Any new or value-added updates (trojans, exploits, worms,...) to
the "hacking machine" can be done through FTP (online update).
2) The grabbed information (password files, configuration files,...)
can be retrieved easily.
Notes:
**Installation of FTP server in uClinux is done by editing
userland/.config file to enable the ftpd service.
**This is just a demostration, it is nearly impossible to get a
unix/linux machine that do not utilize file-permission and shadow
to protect the password file. This article is purposely to show
the migration of hacking methodology from PC-based into embedded
system based.
--[ 6. - What The Advantages Of Using FPGA In Hacking ?
Well, this is a good question while someone will ask by using a $50
Rabbit module, a 9V battery and 20 lines of Dynamic C, a simple "hacking
machine" can be implemented, instead of using a $300 FPGA development
board and a proprietary embedded processor with another $495. The answer
is, FPGA provides a very unique feature based on its architecture that is
able to be hardware re-programmable.
As what we know, FPGA is a well known platform for algorithm
verification in hardware implementation, especially in DSP applications.
The demand for higher bit rates by the wired and wireless communications
industry has led to the development of higher bit rate and low cost serial
link interface chips. Based on such considerations, some demands of
programmable channel and band scanning are needed to be digitized and
re-programmable. A new term has been created for this type of framework
as "software defined radio" or SDR. However, the slow adoption of SDR is
due to the limitation in Analog-to-Digital Converter(ADC) to digitize
the analog demodulation unit in transceiver module.
Although the sampling rate of the most advanced ADC is not yet to meet
the specification of SDR, but it will come true soon. In this case, the
application of conventional DSP chips such as TMS320C6200 (for
fixed-point processing) and TMS320C6700 (for floating-point processing)
are a little bit harder to handle such extremely high bit rates. Of
course, someone may claim its parallel processing technique could solve
the problem by using the following symbols in linear assembly language[15].
Inst1
|| Inst2
|| Inst3
|| Inst4
|| Inst5
|| Inst6
Inst7
The double-pipe symbols (||) indicate instructions that are in parallel
with a previous instruction. Inst2 to Inst6, these five instructions run
in parallel with the first instruction, Inst1. In TMS320, up to eight
instructions can be running in parallel. However, this is not a true
parallel method, but perform pipelining in different time-slot within a
single clock cycle.
Instead, the true parallel processing can only be implemented with
different sets of hardware module. So, FPGA should be the only solution to
implement a true parallel processing architecture. For the case of SDR that
is mentioned, it is just a an example to show the limitation of data
processing in the structure of resource sharing. Meanwhile, when we
consider to implement an encryption module, it is the same case as what
data processing do. The method of parallel processing is extremely worth to
enhance the time of key cracking process. Besides, it is significant to
know that the implementation of encryption module in FPGA is
hardware-driven. It is totally free from the limitation of any hardcore
processor structure that is using a single instruction pointer (or program
counter) to performing push and pop operations interactively over the stack
memory. So, both of the mentioned advantages: true-parallel processing, and
hardware-driven, are nicely clarified the uniqueness of FPGA's architecture
for advanced applications.
While we go further with the uniqueness of FPGA's architecture,
more and more interesting issues can come into the discussion.
For hacking purpose, we focus and stick to the discussion of utilizing
the ability of hardware re-programmable in a FPGA-based "hacking machine".
We ignore the ability of "software re-programmable" here because it can be
done by any of the hardcore processor in the lowest cost. By applying the
characterictic of hardware re-programmable, a segment of space in flash
memory is reserved for hardware image. In Nios, it is started from
0x600000. This segment is available to be updated from remote through the
network interface. In advanced mobile communication, this type of feature
is started to be used for hardware bug-fix as well as module update [16]
purpose. It is usually known as Over-The-Air (OTA) technology. For hacking
purpose, the characteristic of hardware re-programmable had made our
"hacking machine" to be general purpose. It can come with a hardware-driven
DES cracker, and easily be changed to MD5 cracker or any other types of
hardware-driven module. Besides, it can also be changed from an online
cracker to be a proxy, in a second of time.
In this state, the uniqueness of FPGA's architecture is clear now.
So, it is the time to start the discussion of black magic with the
characteristic of hardware re-programmable in further detail. By using
Nios-core, we explore from two points: custom instruction and user
peripheral. A custom instruction is hardware-driven and implemented by
custom logic as shown below:
|---->|------------|
| |Custom Logic|-|
| |-->|------------| |
| | |
| | |----------------||
A ---->| |-|
| | Nios-ALU | |----> OUT
B ---->| |-|
|-----------------|
By defining a custom logic that is parallel connected with Nios-ALU inputs,
a new custom instruction is successfully created. With SOPC Builder, custom
logic can be easily add-on and take-out from Nios-ALU, and so is the case
of custom instruction. Now, we create a new custom instruction, let say
nm_fpmult(). We apply the following codes:
float a, b, result_slow, result_fast;
result_slow = a * b; //Takes 2874 clock cycles
result_fast = nm_fpmult(a, b); //Takes 19 clock cycles
From the running result, the operation of hardware-based multiplication
as custom instruction is so fast that is even faster than a DSP chip.
For cracking purpose, custom instructions set can be build up in respective
to the frequency of operations being used. The instructions set is easily
to be plugged and unplugged for different types of encryption being
adopted.
The user peripheral is the second black magic of hardware
re-programmable. As we know Nios-core is a soft processor, so a bus
specification is needed for the communication of soft processor with other
peripherals, such as RAM, ROM, UART, and timer. Nios-core is using a
proprietary bus specification, known as Avalon-bus for
peripheral-to-peripheral and Nios-core-to-peripheral communication purpose.
So, user peripherals such as IDE and USB modules are usually be designed to
expand the usability of embedded system. For hacking purpose, we ignore the
IDE and USB peripherals because we are more interested to design user
peripheral for custom communication channel synchronization. When we
consider to hack a customize system such as building automation, public
addressing, evacuation, security, and so on, the main obstacle is its
proprietary communication protocol [17, 18, 19, 20, 21, 22].
In such case, a typical network interface is almost impossible to
synchronize into the communication channel of a customize system.
For example, a system that is running at 50Mbps, neither a 10Based-T
nor 100Based-T network interface card can communicate with any module
within the system. However, by knowing the technical specification of such
system, a custom communication peripheral can be created in FPGA. So, it is
able to synchronize our "hacking machine" into the communication channel of
the customize system. By going through the Avalon-bus, Nios-core is
available to manipulate the data-flow of the customize system. So, the
custom communication peripheral is going to be the customize media gateway
of our "hacking machine". The theoretical basis of custom communication
peripheral is come from the mechanism of clock data recovery (CDR). CDR is
a method to ensure the data regeneration is done with a decision circuit
that samples the data signal at the optimal instant indicated by a clock.
The clock must be synchronized as exactly the same frequency as the data
rate, and be aligned in phase with respect to the data. The production of
such a clock at the receiver is the goal of CDR. In general, the task of
CDR is divided into two: frequency acquisition and timing alignment.
Frequency acquisition is the process that locks the receiver clock
frequency to the transmitted data frequency. Timing alignment is the phase
alignment of the clock so the decision circuit samples the data at the
optimal instant. Sometime, it is also named as bit synchronization or phase
locking. Most timing alignment circuits can perform a limited degree of
frequency acquisition, but additional acquisition aids may be needed. Data
oversampling method is being used to create the CDR for our "hacking
machine". By using the method of data oversampling, frequency acquisition
is no longer be put into the design consideration. By ensuring the sampling
frequency is always N times over than data rate, the CDR is able to work as
normal. To synchronize multiple of customize systems, a frequency synthesis
unit such as PLL is recommended to be used to make sure the sampling
frequency is always N times over than data rate. A framework of CDR
based-on the data oversampling method with N=4 is shown as following in
Verilog-HDL.
**The sampling frequency is 48MHz (mclk), which is 4 times of
data rate (12MHz).
//define input and output
input data_in;
input mclk;
input rst;
output data_buf;
//asynchronous edge detector
wire reset = (rst & ~(data_in ^ capture_buf));
//data oversampling module
reg capture_buf;
always @ (posedge mclk or negedge rst)
if (rst == 0)
capture_buf <= 0;
else
capture_buf <= data_in;
//edge detection module
reg [1:0] mclk_divd;
always @ (posedge mclk or negedge reset or posedge reset)
if (reset == 0)
mclk_divd <= 2'b00;
else
mclk_divd <= mclk_divd + 1;
//capture at data eye and put into a 16-bit buffer
reg [15:0] data_buf;
always @ (posedge mclk_divd[1] or negedge rst)
if (rst == 0)
data_buf <= 0;
else
data_buf <= {data_buf[14:0],capture_buf};
Once the channel is synchronized, the data can be transferred to
Nios-core through the Avalon-Bus for further processing and interaction.
The framework of CDR is plenty worth for channel synchronization in various
types of custom communication channels. Jean P. Nicolle had shown another
type of CDR for 10Base-T bit synchronization [23]. As someone might query
for the most common approach of performing CDR channel synchronization in
Phase-Locked Loop (PLL). Yes, this is a type of well known analog approach,
by we are more interested to the digital approach, with the reason of
hardware re-programmable - our black magic of FPGA. For those who
interested to know more advantages of digital CDR approach over the analog
CDR approach can refer to [24]. Anyway, the analog CDR approach is the only
option for a hardcore-based (Scenix, Rabbit, SC12 ,...) "hacking machine"
design, and it is sufferred to:
1. Longer design time for different data rate of the communication link.
The PLL lock-time to preamble length, charge-pump circuit design,
Voltage Controlled Oscillator (VCO), are very critical points.
2. Fixed-structure design. Any changes of "hacking application" need
to re-design the circuit itself, and it is quite cumbersome.
As a result, by getting a detail technical specification of a
customized system, the possibility to hack into the system has always
existed, especially to launch the Denial of Service attack. By disabling
an evacuation system, or a fire alarm system at emergency, it is a very
serious problem than ever. Try to imagine, when different types of CDRs
are implemented in a single FPGA, and it is able to perform automatic
switching to select a right CDR for channel synchronization. On the other
hand, any custom defined module is able to plug into the system itself
and freely communicate through Avalon-bus. Besides, the generated hardware
image is able to be downloaded into flash memory through tftp. By following
with a soft-reset to re-configure the FPGA, the "hacking machine" is
successfully updated. So, it is ready to hack multiple of custom systems at
the same time.
case study:
**The development of OPC technology is slowly become popular.
According to The OPC Foundation, OPC technology can eliminate
expensive custom interfaces and drivers tranditionally required
for moving information easily around the enterprise. It promotes
interoperability, including amongst different computing solutions
and platforms both horizontally and vertically in the emterprise [25].
--[ 7. - What Else Of Magic That Embedded Linux Can Do ?
So, we know the weakness of embedded system now, and we also know
how to utilize the advantages of embedded system for hacking purpose.
Then, what else of magic that we can do with embedded system? This is a
good question.
By referring to the development of network applications, ubiquitous
and pervasive computing would be the latest issues. Embedded system would
probably to be the future framework as embedded firewall, ubiquitous
gateway/router, embedded IDS, mobile device security server, and so on.
While existing systems are looking for network-enabled, embedded system
had established its unique position for such purpose. A good example is
migrating MySQL into embedded linux to provide online database-on-chip
service (in FPGA) for a building access system with RFID tags. Again,
the usage and development of embedded system has no limitation, the only
limitation is the imagination.
Tips:
**If an embedded system works as a server (http, ftp, ...), it is going
to provide services such as web control, web monitoring,...
**If an embedded system works as a client (http, ftp, telnet, ..), then
it is more likely to be a programmable "hacking machine"
--[ 8. - Conclusion
Embedded system is an extremely useful technology, because we can't
expect every processing unit in the world as a personal computer. While
we are begining to exploit the usefullness of embedded system, we need
to consider all the cases properly, where we should use it and where we
shouldn't use it. Embedded security might be too new to discuss seriously
now but it always exist, and sometime naive. Besides, the abuse of embedded
system would cause more mysterious cases in the hacking world.
--=[ References
[1] http://www.siteplayer.com/
[2] http://www.beck-ipc.com/
[3] http://www.altera.com/
[4] http://www.xilinx.com/
[5] http://www.cl.cam.ac.uk/users/rnc1/descrack/index.html
[6] Nios Development Kit, Stratix Edition: Getting Started User Guide
(Version 1.2) - July 2003
http://www.altera.com/literature/ug/ug_nios_gsg_stratix_1s10.pdf
[7] http://www.microtronix.com/
[8] Nios Hardware Development Tutorial (Version 1.1) -
July 2003
http://www.altera.com/literature/tt/tt_nios2_hardware_tutorial.pdf
[9] Nios Software Development Tutorial (Version 1.3) -
July 2003
http://www.altera.com/literature/tt/tt_nios_sw.pdf
[10] Designing With The Nios (Part 1) -
Second-Order, Closed-Loop Servo Control
Circuit Cellar, #167, June 2004
[11] Designing With The Nios (Part 2) -
System Enhancement
Circuit Cellar, #168, July 2004
[12] Nios Tutorial (Version 1.1)
February 2004
http://www.altera.com/literature/tt/tt_nios_hw_apex_20k200e.pdf
[13] Microtronix Embedded Linux Development -
Getting Started Guide: Document Revision 1.2
http://www.pldworld.com/_altera/html/_excalibur/niosldk/httpd/
getting_started_guide.pdf
[14] Stratix EP1S10 Device: Pin Information
February 2004
http://www.fulcrum.ru/Read/CDROMs/Altera/literature/lit-stx.html
[15] TMS320C6000 Assembly Language Tools User's Guide
http://www.tij.co.jp/jsc/docs/dsps/support/download/tools/
toolspdf6000/spru186i.pdf
[16] Dynamic Spectrum Allocation In Composite Reconfigurable Wireless
Networks
IEEE Communications Magazine, May 2004.
http://ieeexplore.ieee.org/iel5/35/28868/01299346.pdf?tp=&arnumber=
1299346&isnumber=28868
[17] TOA - VX-2000 (Digital Matrix System)
http://www.toa-corp.co.uk/asp/catalogue/products.asp?prodcode=VX-2000
[18] Klotz Digital - Vadis (Audio Matrix), VariZone (Complex Digital
PA System For Emergency Evacuation Applications)
http://www.klotz-digital.de/products/pa.htm
[19] Peavey - MediaMatrix System
http://mediamatrix.peavey.com/home.cfm
[20] Optimus - Optimus (Audio & Communication), Improve
(Distributed Audio)
http://www.optimus.es/eng/english.html
[21] Simplex - TrueAlarm (Fire Alarm Systems)
http://www.simplexgrinnell.com/
[22] Tyco - Fire Detection and Alarm, Integrated Security Systems,
Health Care Communication Systems
http://www.tycosafetyproducts-us.com
[23] 10Base-T FPGA Interface - Ethernet Packets: Sending and Receiving
http://www.fpga4fun.com/10BASE-T.html
[24] Ethernet Receiver
http://www.holmea.demon.co.uk/Ethernet/EthernetRx.htm
[25] The OPC Foundation
http://www.opcfoundation.org/
[26] www.ubicom.com (IP2022)
[27] http://www.zilog.com/products/family.asp?fam=218 (eZ80)
[29] http://www.fpga4fun.com/
[29] http://www.elektroda.pl/eboard
|=[ EOF ]=---------------------------------------------------------------=|