PALINDROME’s parting gift
Introduction
With the increasing prevalence of IoT, we wanted to highlight the need for better hardware security through a hardware hacking challenge for TISC 2021. Unfortunately, due to the logistics involved, we quickly found that it was an immense task to feature a physical challenge within the confines of an online competition and decided against it for the actual event.
Nonetheless, we stubbornly persevered and managed to feature hardware hacking as a mini challenge for the top 30 participants after the event. Each of them received PALINDROME’s parting gift, a TISC 2021 exclusive swag, in the form of an Arduino board.
The Arduino UNO R3 was chosen as it is affordable, has a generous number of GPIO pins, and could be easily re-purposed by the winners for their hobby projects. Most importantly, for the purpose of this challenge, it has electric regulators and limiters to prevent any permanent damage from improper use.
In the spirit of being aligned with the real-world problem solving, the Game Scenario, played out by the Arduino board, can be solved in different ways:
After defeating PALINDROME you discover devices left behind by them. They have been rigged as bombs and set to explode in a matter of minutes. It is down to you again, to defuse the bombs. You can do so in 2 ways.
Hardware method — Discover how the pins are configured electrically and defuse all 5 stages of the bomb to get the final flag. This disables the final bomb hidden in an undisclosed location.
Firmware Analysis method — Analyze the code on the devices to discover the defuse sequence or even the final flag itself.
As we have yet to find any write-ups online on this mini challenge, we would be revealing the solution for the Hardware method. We are providing some hints on the Firmware Analysis method with the earnest hope that someday, someone else will post a complete write-up.
Hardware method of solving (Defusing all 5 stages)
1. Connect Arduino to PC to observe output
To prevent any incident of short-circuit, we first disconnect all jumper wires from the Arduino. Next, with no screen on the Arduino board, we will have to connect the Arduino to a PC using the USB cable provided.
There are 2 software options to communicate with the board: we may choose to install Arduino IDE and open the serial monitor, or we can connect to it using PuTTY.
We explore using PuTTY below:
Identify the serial port assigned to the Arduino by the PC in the device manager.
Configure PuTTY to talk to the board at 9600 baud.
On connection to the console, we may observe a countdown timer starting from 180 which updates every second. We now have 3 minutes to complete this challenge!
2. Activating READY and Disabling FAILSAFE
This mini challenge is intended to be self-contained, and not require any other power sources. It follows that connections will have to be made within the board, among the GPIO pins.
The instructions to start already gave us the first lead: connect the 5V pin to the A3 pin using the jumper wire. This is to activate the READY pin.
Now we get a message to disable the FAILSAFE.
Is this FAILSAFE mechanism similar to the READY pin as above? Looking at the pins available, only 2 can provide power: the 3.3V and 5V rails. Perhaps we can try connecting the 3.3V rail to a pin to disable FAILSAFE?
Voila! After connecting the 3.3V to pin A4, the message changed. We have started the 1st of 5 stages.
2. Simplified Electronics 101
For the next 5 stages, we need to know some simple definitions, and probe to identify the digital pins based on these definitions
The Arduino has both Analog pins which have a varying voltage from 0.1–5V, and Digital pins that can be either 0 or the TTL voltage in this case, 3.3V.
Using a multimeter in voltage reading mode/voltmeter you can read the voltage the pin is at. They are defined as such.
High — Pin showing a positive voltage at Transistor-Transistor-Logic level (3.3V / 5V)
Low — Pin showing 0 or slightly negative voltage
Floating — Pin showing high impedance. (Need to have high, > 600Ω resistance in both positive/negative current flow directions)
For impedance, you will need to use a multimeter set to resistance mode or an ohmmeter.
There may be slight discrepancies in voltage levels due to variations in equipment.
3. Solving Stage 1
Let’s start by checking the voltage levels and identifying each digital pin.
Pin 0. — Reading is < 0. Identified as Low
Pins 1 to 4 are similarly identified as Low.
However, we see a constant stable voltage for pin 5, which leads us to identify it as High.
Pin 11 is subsequently identified as floating due to having a resistance of 660Ω.
Mapping out all the pins in a table:
There are only 2 interesting pins 5 and 11. Perhaps pin 5 is meant to provide power to the pin 11?
We move to Stage 2 after connecting 5 to 11.
The other stages are intended to be solved in a similar fashion via the following steps:
- Disconnect all pins, except READY & FAILSAFE pins.
- Identify which pin(s):
a. Provide power — High
b. Pulled low — Low
c. Accept input — Floating - Iterate through various combinations of providing or sinking voltage to the Floating pin(s) until the stage is passed.
4. Solving Stage 2
After identifying the pins, we connect both H pins to the F pins to bring us to Stage 3.
5. Solving Stage 3
We find that all pins are Floating except pin 11. Intuitively, we try connecting pin 11 to the other Floating pins, but none of them responds. Did we miss anything?
A possible hypothesis:
- All pins are Floating.
- Only 1 pin is high (11).
- Hence, the only other way to change voltage would be to use Ground (GND).
Hence, we try connecting GND to all the Floating pins sequentially, and at pin 5, we get the message that we have passed the stage. Sweet success!!
6. Solving Stage 4
Taking a cue from the previous stage, we iterate by connecting the Floating pins to either the High pins, or to GND.
By painstakingly going through multiple combinations, we find one solution for the 3 floating pins. Whew! We managed to pass this and move on to the final stage
2 (F) — 11 (H),
7 (F) — 10 (H),
5 (F) — GND
7. Solving Stage 5
We find an additional floating pin, whereas the previous stage only had 3. Perhaps we also need to pull the voltage levels of all 4 of these pins? We sweat through even more combinations to find the final solution:
2 (F) — 7 (H),
6 (F) — 9 (H),
10 (F) — GND,
11 (F) — GND
Final Message: “Congratulations, you’ve successfully defused PALINDROME’s parting gift! Hope you enjoyed TISC 2021!”
Firmware Analysis method — Extraction of Firmware
Before we can analyse any firmware, we need to figure out how to read the firmware image from the device, and the first place we visit is the documentation.
From the Arduino UNO Spec, we can find enough information to extract the firmware via the command line as follows:
- The Arduino Uno uses the ATMega328p
- It is connected to COM3 (on our machine, you need to check on yours)
- Baud rate is 115200
This will dump out an Intel Hex file of the EEPROM contents. For those who are unable to extract the firmware, or do not have access to the swag, the Gdrive link to hex file:
https://drive.google.com/file/d/1N8BT6NudZrW9nKt5ueveuQIF3oCHg4P_
We will leave you here to figure out how to get the flag using purely software means. Maybe try emulating it or using some simulator? As a nod to our efforts in coming up with the mini challenge, do post a writeup if you can complete the exercise.
We hope that you have enjoyed the walkthrough of this mini hardware IoT challenge and that it serves as good entry point into the world of hardware R&D! If you are curious to find out more about hardware-related cyber security and what makes our engineers tick, you can find out more at our website: CSIT Cybersecurity!