A Deep Dive Into Unconstrained Code Execution on Siemens S7 PLCs

media.ccc.de via YouTube

Decompressed Firmware Update File Structure

23 of 34


Classroom Contents

  1. Intro
  2. Process Automation
  3. What we do with much more complex control loops?
  4. Background on Siemens PLCs Market Share
  5. S7-1200 v4 PLC hardware - SoC Decap
  6. S7-1200 v4 Closer Look
  7. M25P40 / Serial Flash Embedded Memory (bootloader)
  8. D X-Ray Tomography
  9. Siemens Bootloader, Startup Process
  10. Siemens AG ADONIS RTOS Components
  11. CoreSight in Siemens PLCs
  12. Background on CoreSight
  13. ARM CoreSight Sources
  14. CoreSight in Siemens S7 PLC
  15. Siemens Firmware Dump
  16. Execution Mode Stack in S7-1200 v4
  17. ADONIS MPU Configuration at 0x00040084
  18. Siemens Firmware Boot Process
  19. ADONIS Kernel
  20. ADONIS File System
  21. ADONIS TCP/IP Stack
  22. Firmware Update Process On S7 PLC
  23. Decompressed Firmware Update File Structure
  24. MiniWeb Scripting Language (MWSL)
  25. Special Access Feature
  26. 0x80 Handler, Update Mode Function
  27. Siemens S7-1200/S7-200 SMART Bootloader Arbitrary Code Execution
  28. Siemens S7-1200 PLC Bootloader Arbitrary Code Execution
  29. Slager Payload
  30. DEMO
  31. Ideas for Injecting Custom Code into the Firmware
  32. What else is out there?
  33. Conclusions
  34. Questions?
