
Doors of Durin - The Veiled Gate to Siemens S7 Silicon

Black Hat via YouTube

Overview

This course, a recorded Black Hat talk, examines the security mechanisms built into Siemens S7 PLCs, focusing on the firmware integrity check that separate bootloader code performs at boot time. It covers recent attacks against ICS, the S7-1200 V4 PLC hardware, the execution mode stack in the S7-1200 V4, the Siemens firmware components, and the firmware update process on S7 PLCs. Through detailed technical analysis and demonstrations it teaches how to analyze PLC hardware, firmware components, and bootloader code. It is intended for anyone interested in industrial automation, PLC security, and firmware analysis.

Syllabus

Intro
Process Automation
What do we do with much more complex control loops?
Programmable Logic Controllers
Recent Attacks Against ICS
S7-1200 v4 PLC Hardware - SoC Decap
S7-1200 v4 Closer Look
M25P40 Serial Flash Embedded Memory (bootloader)
S7-1200 Specs, 3D X-Ray Tomography
Siemens Firmware Components
Execution Mode Stack in S7-1200 v4
ADONIS MPU Configuration at 0x000400B4
Siemens Firmware Boot Process
ADONIS Kernel
Firmware Update Process On S7 PLC
Decompressed Firmware Update File Structure
Undocumented HTTP Handlers
Special Access Feature
Primary Handlers After Handshake
x80 Handler, Update Mode Function
0x1C Primary Handler
Siemens S7-1200 PLC Bootloader Arbitrary Code Execution
Conclusions and Future Works

Taught by

Black Hat
