A hardware hacker’s journey toward a rooted device typically includes only a brief sojourn within the U-Boot bootloader environment, which is often left unprotected and trivially abused. However, devices that attempt to bolt vendor-specific security mechanisms onto U-Boot offer exciting opportunities to pursue creative bypasses and explore underappreciated U-Boot functionality. This talk details how clever abuses of various aspects of U-Boot, including commonly overlooked memory access primitives and exported data structures, can be leveraged to analyze and attack devices. We will explore these in the context of NCC Group’s recently released “Depthcharge” toolkit, complete with an example of its use in a tethered root of a smart speaker that leverages secure boot functionality. By the end of this presentation attendees will be armed with the U-Boot hacking arcanum necessary to use and expand upon Depthcharge, enabling them to more effectively audit and exploit weaknesses in vendor-customized U-Boot builds.
Jon Szymaniak is a Principal Security Consultant in NCC Group’s Hardware & Embedded Systems Services practice and a former embedded systems software engineer. Since joining NCC Group in 2016, Jon has conducted security assessments for a plethora of targets, including automotive ECUs, Android devices, “smart home” products, and boot ROMs. His areas of focus include U-Boot, Linux, Yocto, and firmware reverse engineering.