This course focuses on the reverse engineering and exploitation of a hardened MSP430-based device, specifically the Supra iBox BT. The learning outcomes include understanding techniques to exploit similar devices, successfully extracting firmware from an MSP430 with a blown JTAG fuse, and analyzing the complex crypto key management scheme used by Supra. The course teaches skills such as firmware extraction, reverse-engineering steps, MSP430 firmware reversing, and exploiting vulnerabilities in embedded devices. The teaching method involves a presentation that covers the device's internals, existing BSL attacks, voltage glitching attacks, timing attacks, and MSP430 JTAG security. The intended audience for this course includes researchers, developers, and cybersecurity professionals interested in embedded device security and reverse engineering.
Reverse-Engineering the Supra iBox - Exploitation of a Hardened MSP430-Based Device
Overview
Syllabus
Intro
Supra iBox
ekey Android app
Programmed auth flow
Must access firmware
Physical access
Board photos
Internals
Reverse-engineering steps
MSP430 firmware extraction
BSL Overview
Existing BSL attacks
Voltage glitching attack
Results of voltage glitching
BSL timing attack
Timing attack problems
Timing attack game plan
Timing attack results
Modified attack results
Timing attack conclusions
MSP430 JTAG security
MSP430 1/2/4xx fuse
"Paparazzi" attack: Why?
MSP430 firmware reversing
IrDA
Firmware reversing finds
Supra crypto architecture
Syscode Key
Third authentication mode
Brute Force
Hardware backdoor
Flash write terase attack
Conclusions/solutions
Taught by
Black Hat
