PoC||GTFOPoC||GTFOProof

Concept

Get

The

Fuck

Out

o r

fo

0, $0 USD, $0 AUD, 0 RSD, 0 SEK, $50 CAD, 6× 1029 Pengo (3× 108 Adopengo), 100 JPC.Compiled on December 30, 2017. Free Radare2 license included with each and every copy!Des Teufels liebstes Mobelstuck ist die lange Bank. Это самиздат.

17:0217:02 (p. 5) AES-CBC Shellcode(p. 5) AES-CBC Shellcode

17:0317:03 (p. 9) Tall Tales of Science and Fiction(p. 9) Tall Tales of Science and Fiction

17:0417:04 (p. 13) Sniffing BTLE with the Micro:Bit(p. 13) Sniffing BTLE with the Micro:Bit

17:0517:05 (p. 21) Bit-Banging Ethernet(p. 21) Bit-Banging Ethernet

17:0617:06 (p. 32) The DIP Flip Whixr Trick(p. 32) The DIP Flip Whixr Trick

17:0717:07 (p. 34) Injecting Shared Objects on FreeBSD(p. 34) Injecting Shared Objects on FreeBSD

17:0817:08 (p. 42) Murder on the USS Table(p. 42) Murder on the USS Table

17:0917:09 (p. 56) Infect to Protect(p. 56) Infect to Protect

It’s damned cold outside,so let’s light ourselves a fire!

warm ourselves with whiskey!warm ourselves with whiskey!and teach ourselves some tricks!and teach ourselves some tricks!

17:06 The DIP Flip Whixr Trick:An Integrated Circuit That Functions in Either Orientation

by Joe “Kingpin” Grand

Hardware trickery comes in many shapes andsizes: implanting add-on hardware into a finishedproduct, exfiltrating data through optical, thermal,or electromagnetic means, injecting malicious codeinto firmware, BIOS, or microcode, or embeddingTrojans into physical silicon. Hackers, governments,and academics have been playing in this wide openfield for quite some time and there’s no sign of thingsslowing down.

This PoC, inspired by my friend Whixr of#tymkrs, demonstrates the feasibility of an IC be-having differently depending on which way it’s con-nected into the system. Common convention statesthat ICs must be inserted in their specified orien-tation, assisted by the notch or key on the deviceidentifying pin 1, in order to function properly.

So, let’s defy this convention!– — — – — — — — – — –

Most standard chips, like digital logic devicesand microcontrollers, place the power and groundconnections at corners diagonal from each other. Ifone were to physically rotate the IC by 180 degrees,power from the board would connect to the groundpin of the chip or vice versa. This would typicallyresult in damage to the chip, releasing the magicsmoke that it needs to function. The key to thisPoC was finding an IC with a more favorable pinconfiguration.

While searching through microcontroller datasheets, I came across the Microchip PIC12F629.This particular 8-pin device has power and GPIO(General Purpose I/O) pins in locations that wouldallow the chip to be rotated with minimal risk. Ofcourse, this PoC could be applied to any chip witha suitable pin configuration.

In the pinout drawing, which shows the chip fromabove in its normal orientation, arrows denote thealternate functionality of that particular pin whenthe chip is rotated around. Since power (VDD) isnormally connected to pin 1 and ground (VSS) isnormally connected to pin 8, if the chip is rotated,GP2 (pin 5) and GP3 (pin 4) would connect to powerand ground instead. By setting both GP2 and GP3to inputs in firmware and connecting them to powerand ground, respectively, on the board, the PIC willbe properly powered regardless of orientation.

– — — – — — — — – — –

I thought it would be fun to change the datathat the PIC sends to a host PC depending on itsorientation.

On power-up of the PIC, GP1 is used to detectthe orientation of the device and set the mode ac-cordingly. If GP1 is high (caused by the pull-upresistor to VCC), the PIC will execute the normalcode. If GP1 is low (caused by the pull-down re-sistor to VSS), the PIC will know that it has beenrotated and will execute the alternate code. Thisorientation detection could also be done using GP5,but with inverted polarity.

The PIC’s UART (asynchronous serial) outputis bit-banged in firmware, so I’m able to reconfigurethe GPIO pins used for TX and RX (GP0 and GP4)on-the-fly. The TX and RX pins connect directly toan Adafruit FTDI Friend, which is a standard FTDIFT232R-based USB-to-serial adapter. The FTDIFriend also provides 5V (VDD) to the PoC.

In normal operation, the device will look for akey press on GP4 from the FTDI Friend’s TX pinand then repeatedly transmit the character ’A’ at9600 baud via GP0 to the FTDI Friend’s RX pin.When the device is rotated 180 degrees, the devicewill look for a key press on GP0 and repeatedlytransmit the character ’B’ on GP4. As a key pressdetector, instead of reading a full character from thehost, the device just looks for a high-to-low transi-tion on the PIC’s currently configured RX pin. Sincethat pin idles high, the start bit of any data sentfrom the FTDI Friend will be logic low.

32

Adafruit FTDI Friend Interface

1

2

3

4

5

6

P1

Header 6

0.1uF

C1

VDD

GND

CTS ->

VCC <-

TX <-

RX ->

RTS <-

GP52

GP1/ICSPCLK6

GP25

GP3/MCLR4

GP0/ICSPDAT7

VSS8

VDD1

GP43

U1

PIC12F629-I/P

VDD

VDD

VDD

10kR1

10kR2

PIC101

PIC102COC1

PIP101

PIP102

PIP103

PIP104

PIP105

PIP106

COP1

PIR101 PIR102

COR1

PIR201 PIR202

COR2

PIU101

PIU102

PIU103

PIU104 PIU105

PIU106

PIU107

PIU108

COU1

PIC101

PIP106

PIR201

PIU104

PIU108

PIP101

PIP102PIU107

PIP103

PIU103

PIP105

PIR101PIU106

PIR202PIU102

PIC102

PIP104

PIR102

PIU101

PIU105

switch ( input (PIN_A1) ) {// o r i en t a t i onde t e c t i on

2 case MODE_NORMAL: // normal behav ior#use rs232 ( baud=9600 , b i t s =8, pa r i t y=N,stop=1, xmit=PIN_A0, force_sw )

4//wait f o r a keypres s

6 while ( input (PIN_A4) ) ;

8 while (1 ) {p r i n t f ( "A " ) ;

10 delay_ms (10) ;}

12 break ;

14 case MODE_ALTERNATE: // abnormal behav ior#use rs232 ( baud=9600 , b i t s =8, pa r i t y=N,stop=1, xmit=PIN_A4, force_sw )

16// wait f o r a keypress

18 while ( input (PIN_A0) ) ;

20 while (1 ) {p r i n t f ( "B " ) ;

22 delay_ms (10) ;}

24 break ;}

For your viewing entertainment, a demonstra-tion of my breadboard prototype can be found onYoutube.17 Complete engineering documentation,including schematic, bill-of-materials, source code,and layout for a small circuit board module are alsoavailable.18

Let this PoC serve as a reminder that one shouldnot take anything at face value. There are an end-less number of ways that hardware, and the elec-tronic components within a hardware system, canmisbehave. Hopefully, this little trick will inspirefuture hardware mischief and/or the development ofother sneaky circuits. If nothing else, you’re at leastarmed with a snarky response for the next time someover-confident engineer insists ICs will only work inone direction!

17Joe Grand, Sneaky Circuit: This DIP Goes Both Ways18unzip pocorgtfo17.pdf dipflip.zip # or at www.grandideastudio.com/portfolio/sneaky-circuits/

33