Project Portfolio

Below you will find some of the projects we have taken on over the years. Details have been excluded or altered to protect client secrecy.

• Scientific instrument network protocol: The client provided a scientific instrument for which they wished to produce a custom UI. We began by sniffing the protocol between the integrated PC tablet and the ethernet-enabled microcontroller on the device. We found that the protocol was binary and quite complex, so we sought the code. From the tablet, we extracted the EXE and DLL files that provided the existing UI. Loading these into dnSpy allowed us to eventually discover the code used to parse the network protocol and manage sessions. We wrote a protocol specification document from this and used that document as a reference to build a sample Python library for communication with the instrument. We also wrote a custom Wireshark dissector for analyzing the protocol.
• Deliverables: sample Python client library, protocol specification document, Wireshark dissector
• Tools used: dnSpy, arpspoof, tcpdump, Wireshark

• Linux-based appliance: The client built an appliance running on a buildroot-based Linux system and wanted a black-box assessment of the security of the device and its firmware updates. The client provided a sample unit as well as a sample firmware update file. We reviewed the firmware in a hex editor and discovered long sequences of fixed values, suggesting an xor-based obfuscation. Once this was removed, binwalk extracted a squashfs image containing the system's root file system. Inside the root file system, we discovered the main ELF file that managed the web UI used to control the device. Using Ghidra, we reverse engineered the functionality of the device, discovering an obfuscated administrative backdoor as well as several memory corruption bugs.
• Deliverables: report of findings, tool to extract ELF from firmware update
• Tools used: Ghidra, binwalk, hex editor

• Bluetooth access control device: The client provided a sample retail device and wanted an independent review of the device's security. The platform contained two microcontrollers: a Bluetooth SoC and an ARM MCU that controlled the mechanical components. We discovered SWD headers for both MCUs, and further found that they had not been locked by the manufacturer, allowing us to extract firmware images using a Black Magic Probe. Loading those into Ghidra, we spent several weeks identifying relevant functionality and ultimately discovered a stack overflow vulnerability that allowed the security of the device to be bypassed. We developed an exploit for this vulnerability and built a proof-of-concept Android app to demonstrate the weakness.
• Deliverables: Android app, report of findings
• Tools used: Ghidra, Black Magic Probe

• Hand tool battery and charger: The client wanted to produce third-party batteries and chargers compatible with a major tool manufacturer's tools. They provided a sample battery, charger, and tool from the tool manufacturer. We used a logic analyzer to capture inter-device communication while the battery was charging, full, and in use by a tool. Although this provided many hints, it was not sufficient to fully understand the protocol and thus we needed the code. Access via SWD to the primary MCUs on the battery and charger was locked, so we engaged a partner to perform a glitch attack against the chips. From there, we loaded the RL78-based code into IDA Pro and spent several weeks analyzing the firmware, ultimately identifying the protocol parser and charging sequence. We documented the protocol in a report, including hidden manufacturer test commands, that the client referenced to implement their product.
• Deliverables: report describing charging protocol
• Tools used: IDA Pro, Saleae logic analyzer

• Bluetooth credit card: This work was performed as independent research against a retail product. We obtained a sample of the device, which could store and emulate up to 10 credit cards, and loaded the companion app to a test mobile phone. We observed protocol using Android's btsnoop feature and were able to reverse engineer its functionality with this data. We found that the card would return a list of full credit card numbers when queried with the correct request, so we implemented a tool running on BlueZ on Linux to extract them. We also took X-rays of the device and identified likely SWD headers for the primary microcontroller, but did not pursue this research further. We notified the manufacturer and they remediated the bug.
• Deliverables: tool to extract credit card numbers, report of findings
• Tools used: btsnoop, Wireshark

• Wireless game controllers: The client was building a system that utilized wireless video game controllers and wanted to support most common Bluetooth and proprietary wireless controllers. We reverse engineered the Bluetooth controllers by connecting to them from BlueZ and observing their behavior, most of which delivered keypresses automatically as part of HID or a HID-like profile. We then implemented support for them in an embedded Bluetooth stack. The proprietary wireless controllers used an nRF24-series chip. We developed a custom SDR-based sniffer for their protocol and used that as a reference to develop a compatible implementation. We then worked with the manufacturer of the proprietary wireless controllers to develop an improved protocol allowing multiple controllers to be connected to a single receiver. The improved protocol also exhibited higher reliability due to the use of shorter packets and error-correcting codes.
• Deliverables: C-based wireless protocol implementation for Bluetooth and proprietary controllers, nRF24 protocol sniffer
• Tools used: SDR

• Bluetooth stethoscope: The client was building a telemedicine startup and found a retail stethoscope with Bluetooth support to transport the audio from the scope's microphone. They provided the device's SDK and asked us to evaluate the SDK's suitability for their use case. We found that it would require too much overhead and complexity, and instead suggested that we reverse engineer the protocol and write a custom implementation instead. The client accepted, so we used Linux's btmon capability to log the communication between the SDK and the device. We were able to quickly reverse engineer the RFCOMM-based binary protocol and wrote a compatible implementation of streaming its audio using BlueZ primitives.
• Deliverables: sample Python implementation of streaming the audio, report describing the protocol
• Tools used: btmon, Wireshark

• pwn2own TP-Link router: This work was done as part of Mobile pwn2own 2020. We obtained and decrypted the device firmware using publicly-available tools and then used binwalk to extract the squashfs image that contained the router's root file system. This router's primary UI was built in Lua, but the manufacturer shipped only obfuscated Lua bytecode. We loaded the Lua library from the router into Ghidra to understand the obfuscation technique, which was a simple renumbering of the opcodes. We extended luadec to strip this obfuscation and disassembled the files, searching them for vulnerabilities. We discovered and exploited two vulnerabilities that were patched before the competition.
• Devlierables: exploits for the vulnerabilities, extended luadec
• Tools used: binwalk, luadec, Ghidra

• pwn2own Netgear router: This work was done as part of Mobile pwn2own 2020. Like the TP-Link router, we obtained and decrypted the device firmware using public tools and extracted the squashfs root file system image with binwalk. The primary web UI was a large ELF file written in C, which we loaded into Ghidra. This router used custom encryption to secure POST data over plaintext HTTP. We reverse engineered this from the binary and wrote a tool to allow us to construct crafted requests to the server. We also emulated large portions of this router's firmware (virtually the entire OS) natively in Linux using qemu-user emulation. Through this multi-pronged approach, we discovered one pre-auth admin privilege escalation and command injection that was partially patched before the contest. We also discovered several post-auth command injections that we disclosed to the vendor during the contest.
• Deliverables: exploits for the vulnerabilities, tool for sending encrypted POSTs
• Tools used: binwalk, Ghidra, qemu-user

• Nintendo 64 CIC: This work was performed as independent research. In the 1990's, Nintendo used a version of their CIC copy protection chip to restrict people from creating third-party game cartridges for the Nintendo 64. We wanted to bypass that restriction by making compatible clones. Using sample CICs extracted from retail cartridges, one of our research partners removed the silicon die from the plastic package using a WFNA decap, etched the implant mask ROM using a dash etch, and optically imaged the chips. We then manually extracted a bitmap of the ROM and reversed the address decoder logic on the die to convert the bitmap into a linear file. The SM5 4-bit microcontroller was not supported in any common tools, so we wrote a disassembler and emulator for the architecture. Using this we were able to study the code and reverse engineer its functionality, allowing us to clone the chips.
• Deliverables: open-source CIC clone, open-source SM5 emulator, documentation of the protocol
• Tools used: text editor, eyeballs

• AFL-unicorn fuzzer for Android 10 Bluetooth: This work was performed as independent research. Fuzzing Bluetooth code is challenging because bugs tend to be in cross-layer components that are highly reliant on state. We wanted to be able to fuzz portions of the stack while relying on state to be correctly initialized. In Android 10 and earlier versions, the Bluetooth stack ran as an independent process in memory. We wrote a tool to dump that process's memory to files on a host system, and then wrote a harness for AFL-Unicorn that loaded those memory dumps on the host and emulated them. Although the execs/sec were quite low, we discovered some non-exploitable OoB memory reads and writes using this technique.
• Deliverables: AFL-Unicorn fuzzing harness for Android Bluetooth stack
• Tools used: gdb, AFL-Unicorn