This course covers the reverse-engineering and exploitation of a hardened MSP430-based device, focusing on techniques to exploit similar devices. The learning outcomes include understanding attacks against the MSP's BSL, performing successful firmware extraction on an MSP430 with a blown JTAG fuse, and executing a software-only attack to extract sensitive data from RAM. The course teaches skills such as firmware extraction, reverse-engineering MSP430 firmware, and exploiting vulnerabilities using timing attacks and hardware backdoors. The teaching method involves a presentation that walks through the steps of reverse-engineering, demonstrating practical attacks, and discussing security solutions. The intended audience for this course includes security researchers, embedded device enthusiasts, and individuals interested in learning about firmware security and exploitation techniques.
Exploitation of a Hardened MSP430-Based Device - Braden Thomas - Ekoparty Security Conference - 2014
Ekoparty Security Conference via YouTube
Overview
Syllabus
Intro
Unnamed real estate lockbox
ekey Android app
Programmed auth flow
Must access firmware
Physical access
Board photos
Internals
Reverse-engineering steps
MSP430 firmware extraction
BSL Overview
Voltage glitching attack
Results of voltage glitching
BSL timing attack
Timing attack problems
Timing attack results
Modified attack results
Timing attack conclusions
MSP430 JTAG security
MSP430 1/2/4xx fuse
MSP430 firmware reversing
Firmware reversing finds
Manufacturer's crypto architecture
Syscode Key
Third authentication mode
Brute Force
Hardware backdoor
Flash write+erase attack
Conclusions/solutions
Taught by
Ekoparty Security Conference
