EEL4742 Embedded Systems Homework 5: Reverse Engineering Capture The Flag

1 Introduction

There are times when we are interested in knowing how an embedded system works, but we do not have any documentation about its internals available. At this point, the art of reverse engineering a device comes into play. Although the practice is sometimes legally questionable, as with parts obtained under Non-Disclosure Agreements (NDAs) or under an End User License Agreement (EULA), Section 1201 of the Digital Millennium Copyright Act (DMCA) allows reverse engineering in a permissible way as long as:

- You lawfully obtained the right to use the part (or computer program),
- You disclosed the information you obtained in a good faith manner, that did not enable or promote copyright infringement or computer fraud,
- Your sole purpose in circumventing is to identify and analyze parts of the program (or device) needed to achieve interoperability,
- The reverse engineering will reveal information necessary to achieve interoperability,
- Any interoperable program you created as a result of the reverse engineering is non-infringing,
- You have authorization from the owner or operator of the reverse engineered software or the protected computer system to do your research,
- You are engaged in a legitimate course of study, are employed, or are appropriately trained or experienced, in the field of encryption technology,
- You provide a timely notice of your findings to the copyright owner [1].

For the purposes of reverse engineering, security research, encryption research, and distributions of these tools, the DMCA provides safeguards for us in the field to perform the task at hand.

For the purposes of this homework, you will be reverse engineering a binary to extract three flags from it. The flags are messages that the program will show under certain conditions. It is your task to find these conditions to trigger the messages.

2 Materials

You are given four files alongside this document. Each file contains the same program in a different representation. Table 1 provides a description of each file.

Along with this file, to test your findings, you should utilize the Texas Instruments MSP-EXP430G2 development board. You do not need to perform any modifications to the board to run the program.

binary.elf: Executable and Linkable Format (ELF) file with code for the MSP430G2553 microcontroller.
binary.hdr: ELF headers for the file. Shows the sections of the file and the places they occupy on the memory layout of the microcontroller.
binary.dsm: Disassembled binary. Shows the disassembled binary. Note that you will not be able to utilize this listing to reassemble the binary.
binary.hex: Intel HEX file containing the binary. Some programs will be able to parse this file and use it to program your microcontroller.

Table 1: Distributed files for this homework.

2.1 Launching The Challenge

Program your board and access it through a serial terminal with your terminal configured to 9600 8N1. Reset the microcontroller and you should observe the following prompt:

Hello, world!
=================
Ready to capture the flags? These are the rules:
 * You can use whatever tools you find online to reverse engineer this binary.
 * You are not allowed to modify the binary. This includes all code and data segments.
 * Your only method of input is through the UART.
Type rules to show this message again. Happy hacking!

input>

At this point, you should be able to enter inputs and observe the program's behavior.

2.2 The Rules of the Challenge

The following rules apply to the homework:

- You can use whatever tools you find online to reverse engineer the binary.
- You are not allowed to modify the binary. This includes all code and data segments.
- The flags must be triggered on a stock binary with only input entered through the UART. Halting execution is not allowed.
- You are not allowed to modify any memory or register in the microcontroller with a debugger probe. However, you may trace program execution and change register or memory values during testing.

Submissions that do not follow these rules will not be accepted.

2.3 Possibly Useful Tools

The following are tools that may be useful in reverse engineering and testing your binary:

- mspdebug: Open source MSP430 debugger. Available for all major operating systems. It can provide a gdb server for interfacing with the GNU debugger. Command-line interface only.
- gdb: The GNU Debugger. Open source multiarchitecture debugger. Available for major operating systems from Texas Instruments for the MSP430 target. It can load the binary and provide a more powerful interface when combined with mspdebug. Command-line interface only.
- UniFlash: Texas Instruments proprietary flashing tool. Provides a graphical user interface.
- Python: High level programming language with various associated libraries. You may utilize this language to develop scripts to help you test your payloads.

We are aware that we are omitting IDA Pro from the list above. The reason for this is that this piece of software is extremely expensive to acquire, although its price is justified. For this reason, we are not allowing the usage of IDA Pro in this homework, as we feel that those who have access to this software would have an unfair advantage over others.

Any other freely available resource you find online is of fair usage.

3 The Flags

There are three flags in the application. It is your job to identify and trigger these flags. A flag is considered to be triggered when the program sends the flag through the UART interface. Table 2 shows the grading scale for this homework.

3.1 Hints

The following are a series of hints that may aid you with solving this homework:

- Do not attempt to dive into the disassembly of the binary without running the binary first. Running the binary will give you an idea of how it works.
- Find the interrupt vector table of the program. From here, attempt to find the entry point of the program and any other peripherals which may trigger interrupts.
- Carefully examine the memory accesses the application performs.
- Remember from the first few lectures the type of architecture the MSP430 uses and its consequences.

Flag A (75 points): The warmup flag. You should attempt to discover how to trigger this flag first as it provides an overview to what is expected. Once you trigger this flag, triggering the rest of the flags will become easier. This flag tests your understanding of the MSP430 assembly language. To obtain full credit for this flag you must also submit a report.
Flag B (25 points): The second flag to trigger. Triggering this flag is a bit more involved and requires some thinking. Use what you learned in triggering flag A to attempt to trigger this flag. This flag tests your understanding of the safeguards that must be in place when coding.
Flag C (10 points): The extra credit flag. Triggering this flag may require some extra work and a specially crafted input. This flag tests your understanding of the MSP430 architecture.

Table 2: Grading distribution for the homework.
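As an added illustration of the interrupt vector table hint (this script is not part of the handout and not the course's own code), the following Python parses an Intel HEX file in the format of binary.hex, rebuilds the flash image, and reads the MSP430G2553 vector table to find the reset entry point and which peripherals have a handler installed. The hex records embedded in it are constructed sample data with made-up handler addresses, not the homework binary.

```python
# Added example (not from the handout): parse an Intel HEX image such as
# binary.hex and read the MSP430G2553 interrupt vector table from it.
# Vector addresses come from TI's msp430g2553.h (0xFFE0 + 2*n); the
# reserved slots 0xFFE0, 0xFFE2 and 0xFFE8 are omitted.
VECTORS = {0xFFE4: "PORT1", 0xFFE6: "PORT2", 0xFFEA: "ADC10",
           0xFFEC: "USCIAB0TX", 0xFFEE: "USCIAB0RX", 0xFFF0: "TIMER0_A1",
           0xFFF2: "TIMER0_A0", 0xFFF4: "WDT", 0xFFF6: "COMPARATORA",
           0xFFF8: "TIMER1_A1", 0xFFFA: "TIMER1_A0", 0xFFFC: "NMI",
           0xFFFE: "RESET"}

# CONSTRUCTED sample (not the homework binary): a stub at 0xC000 (mov #0x0400,SP),
# the top 32 bytes of flash with only RESET and USCIAB0RX set (made-up), and EOF.
SAMPLE_HEX = """\
:04C0000031400004C7
:10FFE000FFFFFFFFFFFFFFFFFFFFFFFFFFFFA4C1BA
:10FFF000FFFFFFFFFFFFFFFFFFFFFFFFFFFF00C04F
:00000001FF
"""

def parse_ihex(text):
    """Return {address: byte} from the data (type 00) records of an Intel HEX file."""
    mem = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue
        raw = bytes.fromhex(line[1:])
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        # The checksum byte makes every record sum to zero modulo 256.
        if sum(raw) & 0xFF or len(raw) != count + 5:
            raise ValueError("corrupt record: " + line)
        if rtype == 0:  # data record; EOF (01) and other types carry no bytes here
            for i, b in enumerate(raw[4:4 + count]):
                mem[addr + i] = b
    return mem

def read_word(mem, addr):
    # MSP430 stores 16-bit words little-endian; a vector slot holds a code address.
    return mem[addr] | (mem[addr + 1] << 8)

def vector_table(mem):
    """Map vector name -> handler address, skipping erased (0xFFFF) slots."""
    table = {}
    for addr, name in sorted(VECTORS.items()):
        if addr in mem and addr + 1 in mem and read_word(mem, addr) != 0xFFFF:
            table[name] = read_word(mem, addr)
    return table

if __name__ == "__main__":
    print({k: hex(v) for k, v in vector_table(parse_ihex(SAMPLE_HEX)).items()})
```

Replacing SAMPLE_HEX with the contents of binary.hex shows which vectors the homework binary actually populates; the RESET entry is the program's entry point, and a populated USCIAB0RX vector, for instance, means UART input is handled in an interrupt.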

4 Submission

For this homework, you should submit a two-page minimum report describing the steps you took to reverse engineer the program, alongside a brief description of the tools you used. Furthermore, you must provide the input that triggered the flags and an explanation as to why the flag was triggered. Flags will be graded in accordance with Table 2.

Happy Hacking!

References

[1] Electronic Frontier Foundation. Coders' Rights Project Reverse Engineering FAQ. https://www.eff.org/issues/coders/reverse-engineering-faq.

Here is the link to where the binary is: https://github.com/ucfssl/EEL4742SP2017/tree/master/src/hw_5_data
