This is a great story about hacking a BIOS-level locked Toshiba laptop. There will be plenty of hardware hacking, reverse engineering and perseverance. We had the pleasure of watching this talk live at the Security PWNing conference in 2017 in Warsaw. There is a recording, published yesterday, but it's encrypted in Polish. There are also slides – this time in English, from Recon 2017 – but no recording. There's also a partial project log, in English as well. We'll do our best to describe what we can, but there will be moments when we can't even pretend to understand what was happening – please refer to the slides/Hackaday entry or try to decrypt the recorded presentation.

Someone came to Sergiusz “q3k” Bazański asking for help in unlocking an old Toshiba laptop. It had a BIOS password set up, unknown to the current owner. Sergiusz tried all the clever tricks with batteries and jumpers, but none worked. He did discover the service mode (Ctrl+Tab Ctrl+Enter), where a challenge is presented and a proper answer can unlock the machine when you have lost the password, but he did not have the tool (most probably a proprietary service tool made by Toshiba) to get the proper answer. The owner soon gave up, but Sergiusz just couldn't leave the old laptop alone. He enlisted the help of his friend Michał “Redford” Kowalczyk and they started a 3-year long journey which ended with the ability to unlock any business Toshiba laptop made between 20.

Getting the BIOS firmware

First they wanted to start with analysing the BIOS firmware. Dumping from memory is not an option when you cannot run the OS. They did however locate a BIOS firmware update for this model on Toshiba's website. Unpacking it was quite easy, but the image itself looked encrypted. The updater turned out to be a 16-bit one. Fortunately Michał was able to find a newer 32-bit updater, reverse it and identify the functions that decrypted the firmware.

While Michał was fighting with the updater, Sergiusz tried another approach. With a heat gun, a custom-made circuit board, a soldering iron and lots of cables he was able to start dumping the BIOS chip.

The dumping process was far from perfect and generated lots of errors. It was repeated several dozen times so that simple statistics could determine which bytes were right and which were wrong.

Firmware dumping ended on the very same day Michał finally decrypted the firmware update, so they were able to compare the results of their work. Only a single byte was wrong in Sergiusz's dump. What they had was a 500 KB file where they needed to identify the part responsible for checking the password and calculating the challenge-response scheme. We can't guide you through it, but it involved a lot of reading of Intel manuals and learning how the boot process works inside the BIOS and memory. You can try to follow Michał's own explanation (remember, Polish) with the help of the English slides (starting on slide 30).

After the necessary magic Michał located the code responsible for the challenge-response mechanism. Unfortunately it turned out that all arguments are sent to a single function, which in turn sends them to a specific I/O port, which turned out to be a communication channel to a microcontroller. Further analysis showed that they had to dump another chip – this time the keyboard controller. This one turned out to be a much tougher nut to crack. First, there were no software updates available for this laptop model. Fortunately they discovered an updater for a very similar model, the Toshiba Portégé S100. They reversed the updater only to find out that the encrypted firmware was delivered directly to the controller. The controller itself was responsible for decryption, therefore the keys and algorithm never left the chip. Looks like a new task for the hardware guy. Sergiusz had to prepare another circuit board, use his soldering skills and try to dump the firmware. He discovered that without knowledge of a secret key, dumping would be impossible. He had to find another way.

After trying a few attacks he did discover that when testing different keys, sometimes the answer arrived 3 microseconds later than in other cases. It turned out that the chip was vulnerable to a timing attack. A few thousand attempts later he had the key and was able to dump the firmware.
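The post says the error-prone flash dumps were repeated several dozen times and "simple statistics" decided which bytes were right. The example below is added here and is not code from the talk or its authors; it assumes those statistics amount to a per-byte majority vote across dumps, reports a per-offset confidence so weak bytes can be re-read, and includes the dump-versus-decrypted-update comparison that found the single wrong byte. All input is constructed random data, not Toshiba firmware.

```python
"""Per-byte majority vote over repeated, error-prone flash dumps.

Added example, not code from the talk or its authors. Assumes the post's
"simple statistics" are a per-byte majority vote; all data is constructed.
"""
from collections import Counter
import random


def consensus(dumps):
    """Return (image, confidence) from a list of equal-length byte strings.

    image[i] is the most common value seen at offset i; confidence[i] is the
    fraction of dumps that agreed with it, so low values flag offsets that
    still need more reads or a manual look.
    """
    if not dumps:
        raise ValueError("need at least one dump")
    size = len(dumps[0])
    if any(len(d) != size for d in dumps):
        raise ValueError("all dumps must be the same length")
    image = bytearray(size)
    confidence = [0.0] * size
    for i in range(size):
        value, votes = Counter(d[i] for d in dumps).most_common(1)[0]
        image[i] = value
        confidence[i] = votes / len(dumps)
    return bytes(image), confidence


def suspicious_offsets(confidence, threshold=0.6):
    """Offsets whose winning byte had less than `threshold` agreement."""
    return [i for i, c in enumerate(confidence) if c < threshold]


def diff_offsets(a, b):
    """Offsets where two equal-length images disagree (e.g. dump vs update)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def noisy_copy(truth, error_rate, rng):
    """Constructed sample: corrupt each byte with probability error_rate."""
    out = bytearray(truth)
    for i in range(len(out)):
        if rng.random() < error_rate:
            out[i] = rng.randrange(256)
    return bytes(out)


def demo(n_dumps=40, error_rate=0.05, seed=1):
    """Simulate n_dumps bad reads of a constructed image and recover it."""
    rng = random.Random(seed)
    truth = bytes(rng.randrange(256) for _ in range(4096))  # constructed image
    dumps = [noisy_copy(truth, error_rate, rng) for _ in range(n_dumps)]
    image, conf = consensus(dumps)
    return {
        "single_dump_errors": len(diff_offsets(dumps[0], truth)),
        "consensus_errors": len(diff_offsets(image, truth)),
        "low_confidence": len(suspicious_offsets(conf)),
    }


if __name__ == "__main__":
    print("40 dumps:", demo())
    print("3 dumps: ", demo(n_dumps=3))
```

With forty reads at a 5% per-byte error rate the vote is clean; with only three, offsets where every read disagrees show up as low confidence, which is the signal to keep dumping rather than trust the image. A majority vote only helps against random read errors: a systematically stuck bit would win the vote every time, and only an independent reference such as the decrypted update would reveal it.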
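The post only says that some replies from the keyboard controller arrived about 3 microseconds later than others and that a few thousand attempts were enough to recover the key. The simulation below is an added example, not the talk's code and not the real controller's logic: it assumes an 8-byte key, a compare that stops at the first mismatching byte so that each correctly matched byte adds one 3 µs step, and constructed timing noise. That model is one mechanism consistent with the post's figures, nothing more. The same code is run against a fixed-time compare to show why that is the fix.

```python
"""Byte-at-a-time timing attack on a key check that stops at the first mismatch.

Added example, not code from the talk or its authors and not the real
keyboard controller's logic. Key length, the 3 us step, base latency and
noise are all assumptions; the key is a constructed random secret.
"""
import random
import statistics

KEY_LEN = 8          # assumed key length
STEP_US = 3.0        # assumed extra delay per matched byte (figure from the post)
BASE_US = 50.0       # assumed fixed reply latency
JITTER_US = 0.5      # assumed measurement noise (standard deviation)


class SimulatedController:
    """Stand-in for the locked chip: the attacker sees only accept/reject
    and how long the reply took."""

    def __init__(self, key, rng, leaky=True):
        self._key = bytes(key)
        self._rng = rng
        self._leaky = leaky
        self.attempts = 0

    def unlock(self, guess):
        self.attempts += 1
        matched = 0
        for a, b in zip(self._key, guess):
            if a != b:
                break
            matched += 1
        accepted = len(guess) == len(self._key) and matched == len(self._key)
        # Leaky: reply time grows with the matched prefix. Hardened: always
        # pay the full-length cost, so timing is independent of the guess.
        cost = matched if self._leaky else len(self._key)
        elapsed = BASE_US + STEP_US * cost + self._rng.gauss(0.0, JITTER_US)
        return accepted, elapsed


def measure(ctrl, guess, samples):
    """Median of repeated timings so jitter cannot hide a single 3 us step."""
    return statistics.median(ctrl.unlock(guess)[1] for _ in range(samples))


def recover_key(ctrl, key_len=KEY_LEN, samples=3):
    """Fix one byte per round: the candidate with the slowest reply matched."""
    known = bytearray()
    for pos in range(key_len):
        timings = {}
        for cand in range(256):
            guess = bytes(known) + bytes([cand]) + bytes(key_len - pos - 1)
            timings[cand] = measure(ctrl, guess, samples)
        known.append(max(timings, key=timings.get))
    return bytes(known)


def attack(leaky, seed=7):
    """Run the attack on a constructed random key; return (success, attempts)."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(KEY_LEN))  # constructed secret
    ctrl = SimulatedController(key, rng, leaky=leaky)
    recovered = recover_key(ctrl)
    accepted, _ = ctrl.unlock(recovered)
    return accepted and recovered == key, ctrl.attempts


if __name__ == "__main__":
    print("early-exit compare:", attack(leaky=True))
    print("fixed-time compare:", attack(leaky=False))
```

Against the early-exit compare the key falls in 8 × 256 × 3 measurements, a few thousand attempts as in the post; against the fixed-time compare the same procedure picks bytes by noise alone and fails. On real hardware the noise is far larger than a constant sigma, so the practical work is in the measurement setup and in taking enough samples per candidate, not in the search itself.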