Debug UEFI code by single-stepping your Coffee Lake-S hardware CPU

In this post I will cover: configuring an ASRock H370M-ITX/ac to allow DCI DbC debugging; using Intel System Studio and System Debugger to single-step a Coffee Lake-S i7-8700 CPU; and debugging an example exploitable UEFI application on hardware.

TL;DR: if you have a newer Intel CPU and chipset with DCI (Direct Connect Interface) available, you can purchase a $15 off-the-shelf cable and single-step your hardware threads. The cable is a USB 3.0 debugging cable, similar to an Ethernet crossover cable in the sense that the internal wiring is crossed.

Exploring Universal Flash Storage (UFS) Write Protection on the HiKey960

This post explores the potential of a do-it-yourself root of trust on the HiKey960 using UFS hardware write protection. The 960 version has an onboard Universal Flash Storage (UFS) device, the successor to eMMC, and much faster. UFS has existed as a standard since 2011, but devices only seem to have become generally obtainable around 2017. Linux support has received very recent updates (4.15+).

The unfortunate news is that I have not found a way to implement an open-source, do-it-yourself root of trust on the HiKey960. I will explain why, but this post focuses more on UFS write protection itself.

Hands on Introduction to ARM Firmware using the 96Boards HiKey

This 8-core ARM Cortex-A53 board with 2GB of DDR3 is amazing! I'm an entry-level ARM security enthusiast, and this board feels like the perfect starting place for TrustZone and secure/verified boot research.

The HiKey is supported by the ARM Trusted Firmware and OP-TEE reference implementations, so we can clone them from GitHub, compile, and flash rather effortlessly. We can write the secure 'ROM', the secure-world operating system, and the non-trusted firmware executing in the normal world.

Embedded Trust (P1): Beginning to trust my BeagleBone

I plan to write a series of posts outlining my curiosity about embedded development and trust. Let's start by poking around where my (our) trust lies when deciding on a SoC for embedded development, using the BeagleBone [SRM] as an example. In this post we'll move trust from the bootloaders, Angstrom Linux kernel, and Angstrom development environment included by CircuitCo (the Bone manufacturer) to our own compiled bootloaders, kernel, and OS.

SIM card curiosity, and a little Hardware Hacking

A few months ago I took an interest in the layer 2/3 protocols (and their implementations) for mobile networks. I quickly arrived at SIM card hacking and, like a young schoolboy, thought, "man, if only I could MitM the hardware communication I could spoof others' SIM cards and use free Internet!" Nope. Well, not nope, but it's not that easy.
