Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Reverse-Engineering the Supra iBox - Exploitation of a Hardened MSP430-Based Device

Black Hat via YouTube

Overview

Explore reverse engineering and exploitation techniques for hardened embedded devices through a detailed examination of the Supra iBox BT, a bluetooth and IR-based physical key storage device used by real estate professionals. Delve into the challenges of extracting firmware from an MSP430 microcontroller with a blown JTAG fuse, and learn about various attack methods, including voltage glitching and timing attacks. Discover the complex crypto key management scheme employed by Supra and understand how it handles synchronization without direct internet access. Gain insights into the internals of the iBox firmware, including an exploit demonstration that can open any iBox. Examine the physical access required, board layout, and internal components of the device. Follow the step-by-step reverse-engineering process, from initial analysis to successful firmware extraction. Investigate the Bootstrap Loader (BSL) overview, existing attacks, and their limitations. Learn about MSP430 JTAG security measures and the "Paparazzi" attack. Uncover findings from firmware reversing, including the IrDA protocol implementation and Supra's crypto architecture. Explore various authentication modes, brute force attempts, and potential hardware backdoors. Conclude with an analysis of flash write/erase attacks and discuss potential solutions for improving embedded device security.

Syllabus

Intro
Supra iBox
ekey Android app
Programmed auth flow
Must access firmware
Physical access
Board photos
Internals
Reverse-engineering steps
MSP430 firmware extraction
BSL Overview
Existing BSL attacks
Voltage glitching attack
Results of voltage glitching
BSL timing attack
Timing attack problems
Timing attack game plan
Timing attack results
Modified attack results
Timing attack conclusions
MSP430 JTAG security
MSP430 1/2/4xx fuse
"Paparazzi" attack: Why?
MSP430 firmware reversing
IrDA
Firmware reversing finds
Supra crypto architecture
Syscode Key
Third authentication mode
Brute Force
Hardware backdoor
Flash write terase attack
Conclusions/solutions

Taught by

Black Hat

Reviews

Start your review of Reverse-Engineering the Supra iBox - Exploitation of a Hardened MSP430-Based Device

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.