USB Storage devices – embedded Trojan analysis/implementation (USB Nand-Flash)

04 Aug

How we can build powerful analysis tools from Ebay crap….

There is lots of cool scrap available on Ebay, specifically items from video processing companies/telecom companies that sold their scrap to clowns who were supposed to ‘destroy it’ ( you know the ones, who advertise ‘secure destruction’ of equipment).
All you need is a JTAG pod, frequency generator (NE555), multi-tester and a little bit of time.

Back In Jan I threw together a library for reading Nand-flash chips on the Arduino, part of the reason for this was to try to throw together a simple and highly cost-effective way to read Nand-flash chips.

Unfortunately it was a failure due to the read speeds…. BUT….

The motivation
The purpose for the experiment was to get people to read the contents of their Nand-Flash devices with a view to performing a wider range of research on what was actually out there.

Not many people know that many of these Nand-Flash USB sticks are actually re-programable(infant many USB/fire wire devices are re-programmable), some of the manufacturers have boot code inside the actual USB stick CPU, this allows program files to be loaded into the embedded micro controller and executed.
Some manufacturers use a reference byte or string of bytes inside the Nand-Flash chip that allows a section of code to be loaded in from the Nand-Flash chip and then executed on the internal embedded CPU, they use this system because in some cases they do not want to go to the expense of a full rom mask, especially where there are so many issues related to wear leveling and errors in the Nand-Flash protocols for the chips*

*You would think that all Nand-Flash chips would be the same as regards to the commands needed to communicate with them… after all that’s what the ONFL standard was for… but no everyone has to do their own shit above and beyond what is documented in the standard.

At least one Nand-Flash controller device and some of its clones actually store the complete executable code on the Nand-Flash chip, on power up the embedded cpu pulls this code off the Nand-Flash memory device and then starts executing the code.(yep you can see where this is going!!!)

Dissertation material
This ties into research I performed many years ago whilst preparing a dissertation. Specifically My hypothesis was that Forensic Write blockers* were basically NFG (no ..f*** good).
*Very briefly….the purpose of a forensic write blocker is to protect the contents of the device under analysis during the forensic recovery process to ensure that the contents of the device are not changed.( It’s a legal thing!!!)

Basically It was postulated that:
The computer and the storage device were ‘Black boxes’ and since the forensic write blocker sat between two ‘black boxes’ there was really no way it could inhibit or control anything that went on INSIDE the black boxes.

This was extended to show that it was possible to build a defense mechanism/ subversion routines into USB peripherals, specifically designed to give a forensic examiner a bad day when examining USB devices ( this also applied to FireWire, notably the Oxford based chips), even when the examiner was following the forensic protocols to the letter.( which strictly prohibits pulling chips of PCB’s)

Something coming…
For the purpose of this dissertation research I threw together two pieces of kit:
1. FPGA Nand-Flash reader.
2 FPGA device emulator.

Which allowed us to flash read/write the contents of a Nand-Flash device and send it over to a Secondary system (OSX computer), where it was mapped out and tracked.
During this time we were working with Logic analyzes and scopes we noticed the USB stick controllers attempting to ‘erase’ parts of the Nand-Flash device as soon as they were powered on….
This had nothing to do with the wear leveling or reclaiming unused data blocks, it also occurred even if the device was plugged into a forensic write blocker.( so much for blocking writes to the device then…)

Back to the future
A couple of years ago I continued with the research using a Xilinx Virtex5 SL506 dev board and then again last year using the following kit( it’s cheaper to blow up instead of a Xilinx development board)
Specifically this reincarnation is a repurposed FPGA board that takes the control lines from a USB storage device and monitors the operations being performed against the Nand-Flash chip(s).

USB storage device analyzer

USB storage device analyzer

A logic Analyzer would appear to do the same function, only difference is that this FPGA based device can monitor a USB storage device for DAYS!!!, since the data is streamed out over a network to a NAS ( FPGA devices don’t have the same issues related to time, everything non-dependant can occur in parallel at the same time!!!)
More importantly, we have the capability to READ/WRITE from/to the Nand-Flash storage directly without going via the controller.
This opens up the ability to perform the following:

  • Realtime research on the actual USB-storage controller
  • Re-programming of the embedded controller
  • Re-write/modify the program whilst the controller is running.
  • Perform ‘what if’ analysis for the error correction routines
  • Analyze possible Injection attacks against the data stream

The other end of the pipe
As stated previously the FPGA system streams the data out over a network connection to an attached device, this secondary device holds the actual Nand-flash image file and the command and control structure as well as a system to record the command stream being issued by the Nand-Flash controller chip**.

We HAVE to capture the control stream from the Nand-Flash controller chip ,because sometimes these flash controller chips issue strange commands that are NOT documented in the Nand-Flash chip data-sheets ( apparently there are some ‘secret’ commands that are NDA for Nand-Flash Chip manufacturers)

But the really cool thing is we can pop into the ‘Nand-flash’ binary image and edit data in real time ( did I mention it is ‘transactional’ and that the base image is never touched, each data write is a snapshot of modifications that can be stepped thru for analysis)


Tags: , , ,

Leave a Reply