LAS VEGAS -Like many good hacks, necessity was the mother of invention for researcher Guillaume Valadon.
When the head of the network security laboratory at ANSSI tried turn a cheap non-wired digital photo frame lying around his house into a wireless one with a Toshiba FlashAir SD storage card little did he know he was embarking on a three year adventure.
“It became something I did in my spare time. Something I continued in an effort to teach myself how to reverse engineer hardware,” he said. Fast forward, and Valadon had saved himself the cost of a wireless digital picture frame (about $30) and created his own.
At a Black Hat session here on Wednesday, Valadon demonstrated how he hacked the Toshiba FlashAir SD storage card and was able to execute code on the card. The challenge, he pointed out, was that the card was a virtual black box. He had nothing to go by – from the unidentified OS running on the card, the mystery firmware and a custom unidentified Toshiba chipset.
The Toshiba FlashAir card hacked by Valadon was a 2015 model W-03 version running firmware V.01 that is still widely available today for around $25. Toshiba has since launched a W-04 model in 2017, which was not involved in this project.
“First, I needed a binary to analyze, then I needed to find the CPU architecture, the operating system and finally an execution vector,” he said. The execution vector, or payload, could be anything from a buffer overflow to an undocumented command such as “print a calc.”
To accomplish his unraveling of the card, Valadon said he used only about eight open-source tools and toolsets such as Sibyl, flasher and R2Scapy, a python-based interactive packet manipulation program.
After cracking open the card and visually examining the components he began to painstakingly scour publicly available documentation on components and use tools to comb through error strings generated by the OS.
“A lot of error strings have the same format. This one got my attention: it is three letters, underscore, three letters, an error code, and a function name. ‘wup_tsk’ looked like a promising clue,” he said.
Searching the internet for “wup_tsk” led to site on a task synchronization function. “It says that wup_tsk is used to wake up a task in a system operation named T-Kernel,” he said. “T-Kernel is part of the TRON family – the real-time operating system Nucleus.”
Using similar reverse-engineering sleuthing techniques Valadon chased down the card’s CPU, a Toshiba Media-embedded Processor (MeP).
Once he accurately identified system firmware, OS and components, the PoC exploit could proceed. “I was really surprised to discover that the card is using an operating system and chips architecture that seems unknown to the security community,” he said.
“First, I would like to look for remote vulnerabilities. I am was really interested in the 802.11 component of the card,” he said.
Valadon eventually targeted vulnerabilities in the card’s DHCP, HTTP and 802.11 networking. He then cracked open the card and manually updated the firmware with his own. From there code execution was possible remotely within proximity of the card’s WiFi range.
“This is the first time that native code execution on the FlashAir is described. Moreover, this is likely a typical example of a complex analysis of an embedded system,” he said.
For Valadon, the hack allows him to wirelessly display images on his non-wired picture frame. Other applications, he said, could include an on-the-fly auto-encrypt feature for images when photographers are taking pictures in prohibitive environments. Or perhaps rerouting images stored on the camera to be sent to a third-party.