==Phrack Inc.== Volume 0x0b, Issue 0x3f, Phile #0x11 of 0x14 |=------------[ Security Review Of Embedded Systems And Its ]------------=| |=------------[ Applications To Hacking Methodology ]------------=| |=-----------------------------------------------------------------------=| |=----[ Cawan: or ]----=| --=[ Contents 1. - Introduction 2. - Architectures Classification 3. - Hacking with Embedded System 4. - Hacking with Embedded Linux 5. - "Hacking Machine" Implementation In FPGA 6. - What The Advantages Of Using FPGA In Hacking ? 7. - What Else Of Magic That Embedded Linux Can Do ? 8. - Conclusion --[ 1. - Introduction Embedded systems have been penetrated the daily human life. In residential home, the deployment of "smart" systems have brought out the term of "smart-home". It is dealing with the home security, electronic appliances control and monitoring, audio/video based entertainment, home networking, and etc. In building automation, embedded system provides the ability of network enabled (Lonwork, Bacnet or X10) for extra convenient control and monitoring purposes. For intra-building communication, the physical network media including power-line, RS485, optical fiber, RJ45, IrDA, RF, and etc. In this case, media gateway is playing the roll to provide inter-media interfacing for the system. For personal handheld systems, mobile devices such as handphone/smartphone and PDA/XDA are going to be the necessity in human life. However, the growing of 3G is not as good as what is planning initially. The slow adoption in 3G is because it is lacking of direct compatibility to TCP/IP. As a result, 4G with Wimax technology is more likely to look forward by communication industry regarding to its wireless broadband with OFDM. Obviously, the development trend of embedded systems application is going to be convergence - by applying TCP/IP as "protocol glue" for inter-media interfacing purpose. Since the deployment of IPv6 will cause an unreasonable overshooting cost, so the widespread of IPv6 products still needs some extra times to be negotiated. As a result, IPv4 will continue to dominate the world of networking, especially in embedded applications. As what we know, the brand-old IPv4 is being challenged by its native security problems in terms of confidentiality, integrity, and authentication. Extra value added modules such as SSL and SSH would be the best solution to protect most of the attacks such as Denial of Service, hijacking, spooling, sniffing, and etc. However, the implementation of such value added module in embedded system is optional because it is lacking of available hardware resources. For example, it is not reasonable to implement SSL in SitePlayer[1] for a complicated web-based control and monitoring system by considering the available flash and memory that can be utilized. By the time of IPv4 is going to conquer the embedded system's world, the native characteristic of IPv4 and the reduced structure of embedded system would be problems in security consideration. These would probably a hidden timer-bomb that is waiting to be exploited. As an example, by simply performing port scan with pattern recognition to a range of IP address, any of the running SC12 IPC@CHIP[2] can be identified and exposed. Once the IP address of a running SC12 is confirmed, by applying a sequence of five ping packet with the length of 65500 is sufficient to crash it until reset. --[ 2. - Architectures Classification With the advent of commodity electronics in the 1980s, digital utility began to proliferate beyond the world of technology and industry. By its nature digital signal can be represented exactly and easily, which gives it much more utility. In term of digital system design, programmable logic has a primary advantage over custom gate arrays and standard cells by enabling faster time-to-complete and shorter design cycles. By using software, digital design can be programmed directly into programmable logic and allowing making revisions to the design relatively quickly. The two major types of programmable logic devices are Field Programmable Logic Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). FPGAs offer the highest amount of logic density, the most features, and the highest performance. These advanced devices also offer features such as built-in hardwired processors (such as the IBM Power PC), substantial amounts of memory, clock management systems, and support for many of the latest very fast device-to-device signaling technologies. FPGAs are used in a wide variety of applications ranging from data processing and storage, instrumentation, telecommunications, and digital signal processing. Instead, CPLDs offer much smaller amounts of logic (approximately 10,000 gates). But CPLDs offer very predictable timing characteristics and are therefore ideal for critical control applications. Besides, CPLDs also require extremely low amounts of power and are very inexpensive. Well, it is the time to discuss about Hardware Description Language (HDL). HDL is a software programming language used to model the intended operation of a piece of hardware. There are two aspects to the description of hardware that an HDL facilitates: true abstract behavior modeling and hardware structure modeling. The behavior of hardware may be modeled and represented at various levels of abstraction during the design process. Higher level models describe the operation of hardware abstractly, while lower level models include more detail, such as inferred hardware structure. There are two types of HDL: VHDL and Verilog-HDL. The history of VHDL started from 1980 when the USA Department of Defence (DoD) wanted to make circuit design self documenting, follow a common design methodology and be reusable with new technologies. It became clear there was a need for a standard programming language for describing the function and structure of digital circuits for the design of integrated circuits (ICs). The DoD funded a project under the Very High Speed Integrated Circuit (VHSIC) program to create a standard hardware description language. The result was the creation of the VHSIC hardware description language or VHDL as it is now commonly known. The history of Verilog-HDL started from 1981, when a CAE software company called Gateway Design Automation that was founded by Prabhu Goel. One of the Gateway's first employees was Phil Moorby, who was an original author of GenRad's Hardware Description Language (GHDL) and HILO simulator. On 1983, Gateway released the Verilog Hardware Description Language known as Verilog-HDL or simply Verilog together with a Verilog simulator. Both VHDL and Verilog-HDL are reviewed and adopted by IEEE as IEEE standard 1076 and 1364, respectively. Modern hardware implementation of embedded systems can be classified into two categories: hardcore processing and softcore processing. Hardcore processing is a method of applying hard processor(s) such as ARM, MIPS, x86, and etc as processing unit with integrated protocol stack. For example, SC12 with x86, IP2022 with Scenix RISC, eZ80, SitePlayer and Rabbit are dropped in the category of hardcore processing.Instead, softcore processing is applying a synthesizable core that can be targeted into different semiconductor fabrics. The semiconductor fabrics should be programmable as what FPGA and CPLD do. Altera[3] and Xilinx[4] are the only FPGA/CPLD manufacturers in the market that supporting softcore processor. Altera provides NIOS processor that can be implemented in SOPC Builder that is targeted to its Cyclone and Stratix FPGAs. Xilinx provides two types of softcore: Picoblaze, that is targeted to its CoolRunner-2 CPLD; and Microblaze, that is targeted to its Spartan and Virtex FPGAs. For the case of FPGAs with embedded hardcore, for example ARM-core in Stratix, and MIPS-core in Virtex are classified as embedded hardcore processing. On the other hand, FPGAs with embedded softcore such as NIOS-core in Cyclone or Stratix, and Microblaze-core in Spartan or Virtex are classified as softcore processing. Besides, the embedded softcore can be associated with others synthesizable peripherals such as DMA controller for advanced processing purpose. In general, the classical point of view regarding to the hardcore processing might assuming it is always running faster than softcore processing. However, it is not the fact. Processor performance is often limited by how fast the instruction and data can be pipelined from external memory into execution unit. As a result, hardcore processing is more suitable for general application purpose but softcore processing is more liable to be used in customized application purpose with parallel processing and DSP. It is targeted to flexible implementation in adaptive platform. --[ 3. - Hacking with Embedded System When the advantages of softcore processing are applied in hacking, it brings out more creative methods of attack, the only limitation is the imagination. Richard Clayton had shown the method of extracting a 3DES key from an IBM 4758 that is running Common Cryptographic Architecture (CCA)[5]. The IBM 4758 with its CCA software is widely used in the banking industry to hold encryption keys securely. The device is extremely tamper-resistant and no physical attack is known that will allow keys to be accessed. According to Richard, about 20 minutes of uninterrupted access to the IBM 4758 with Combine_Key_Parts permission is sufficient to export the DES and 3DES keys. For convenience purpose, it is more likely to implement an embedded system with customized application to get the keys within the 20 minutes of accessing to the device. An evaluation board from Altera was selected by Richard Clayton for the purpose of keys exporting and additional two days of offline key cracking. In practice, by using multiple NIOS-core with customized peripherals would provide better performance in offline key cracking. In fact, customized parallel processing is very suitable to exploit both symmetrical and asymmetrical encrypted keys. --[ 4. - Hacking with Embedded Linux For application based hacking, such as buffer overflow and SQL injection, it is more preferred to have RTOS installed in the embedded system. For code reusability purpose, embedded linux would be the best choice of embedded hacking platform. The following examples have clearly shown the possible attacks under an embedded platform. The condition of the embedded platform is come with a Nios-core in Stratix and uClinux being installed. By recompiling the source code of netcat and make it run in uClinux, a swiss army knife is created and ready to perform penetration as listed below: - a) Port Scan With Pattern Recognition A list of subnet can be defined initially in the embedded system and bring it into a commercial building. Plug the embedded system into any RJ45 socket in the building, press a button to perform port scan with pattern recognition and identify any vulnerable network embedded system in the building. Press another button to launch attack (Denial of Service) to the target network embedded system(s). This is a serious problem when the target network embedded system(s) is/are related to the building evacuation system, surveillance system or security system. b) Automatic Brute-Force Attack Defines server(s) address, dictionary, and brute-force pattern in the embedded system. Again, plug the embedded system into any RJ45 socket in the building, press a button to start the password guessing process. While this small box of embedded system is located in a hidden corner of any RJ45 socket, it can perform the task of cracking over days, powered by battery. c) LAN Hacking By pre-identify the server(s) address, version of patch, type of service(s), a structured attack can be launched within the area of the building. For example, by defining: http://192.168.1.1/show.php?id=1%20and%201=2%20union%20select%20 8,7,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),5,4, 3,2,1 **char(47,101,116,99,47,112,97,115,115,119,100) = /etc/passwd in the embedded system initially. Again, plug the embedded system into any RJ45 socket in the building (within the LAN), press a button to start SQL injection attack to grab the password file of the Unix machine (in the LAN). The password file is then store in the flash memory and ready to be loaded out for offline cracking. Instead of performing SQL injection, exploits can be used for the same purpose. d) Virus/Worm Spreading The virus/worm can be pre-loaded in the embedded system. Again, plug the embedded system into any RJ45 socket in the building, press a button to run an exploit to any vulnerable target machine, and load the virus/worm into the LAN. e) Embedded Sniffer Switch the network interface from normal mode into promiscuous mode and define the sniffing conditions. Again, plug the embedded system into any RJ45 socket in the building, press a button to start the sniffer. To make sure the sniffing process can be proceed in switch LAN, ARP sniffer is recommended for this purpose. --[ 5. - "Hacking Machine" Implementation In FPGA The implementation of embedded "hacking machine" will be demonstrated in Altera's NIOS development board with Stratix EP1S10 FPGA. The board provides a 10/100-base-T ethernet and a compact-flash connector. Two RS-232 ports are also provided for serial interfacing and system configuration purposes, respectively. Besides, the onboard 1MB of SRAM, 16MB of SDRAM, and 8MB of flash memory are ready for embedded linux installation[6]. The version of embedded linux that is going to be applied is uClinux from microtronix[7]. Ok, that is the specification of the board. Now, we start our journey of "hacking machine" design. We use three tools provided by Altera to implement our "hardware" design. In this case, the term of "hardware" means it is synthesizable and to be designed in Verilog-HDL. The three tools being used are: QuartusII ( as synthesis tool), SOPC Builder (as Nios-core design tool), and C compiler. Others synthesis tools such as leonardo-spectrum from mentor graphic, and synplify from synplicity are optional to be used for special purpose. In this case, the synthesized design in edif format is defined as external module. It is needed to import the module from QuartusII to perform place-and-route (PAR). The outcome of PAR is defined as hardware-core. For advanced user, Modelsim from mentor graphic is highly recommended to perform behavioral simulation and Post-PAR simulation. Behavioral simulation is a type of functional verification to the digital hardware design. Timing issues are not put into the consideration in this state. Instead, Post-PAR simulation is a type of real-case verification. In this state, all the real-case factors such as power-consumption and timing conditions (in sdf format) are put into the consideration. [8,9,10,11,12] A reference design is provided by microtronix and it is highly recommended to be the design framework for any others custom design with appropriate modifications [13]. Well, for our "hacking machine" design purpose, the only modification that we need to do is to assign the interrupts of four onboard push-buttons [14]. So, once the design framework is loaded into QuartusII, SOPC Builder is ready to start the design of Nios-core, Boot-ROM, SRAM and SDRAM inteface, Ethernet interface, compact-flash interface and so on. Before starting to generate synthesizable codes from the design, it is crucial to ensure the check-box of "Microtronix uClinux" under Software Components is selected (it is in the "More CPU Settings" tab of the main configuration windows in SOPC Builder). By selecting this option, it is enabling to build a uClinux kernel, uClibc library, and some uClinux's general purpose applications by the time of generating synthesizable codes. Once ready, generate the design as synthesizable codes in SOPC Builder following by performing PAR in QuartusII to get a hardware core. In general, there are two formats of hardware core:- a) .sof core: To be downloaded into the EP1S10 directly by JTAG and will require a re-load if the board is power cycled **(Think as volatile) b) .pof core: To be downloaded into EPC16 (enhanced configuration device) and will automatically be loaded into the FPGA every time the board is power cycled **(Think as non-volatile) The raw format of .sof and .pof hardware core is .hexout. As hacker, we would prefer to work in command line, so we use the hexout2flash tool to convert the hardware core from .hexout into .flash and relocate the base address of the core to 0x600000 in flash. The 0x600000 is the startup core loading address of EP1S10. So, once the .flash file is created, we use nios-run or nr command to download the hardware core into flash memory as following: [Linux Developer] ...uClinux/: nios-run hackcore.hexout.flash After nios-run indicates that the download has completed successfully, restart the board. The downloaded core will now start as the default core whenever the board is restarted. Fine, the "hardware" part is completed. Now, we look into the "software" implementation. We start from uClinux. As what is stated, the SOPC Builder had generated a framework of uClinux kernel, uClibc library, and some uClinux general purpose applications such as cat, mv, rm, and etc. We start to reconfigure the kernel by using "make xconfig". [Linux Developer] ...uClinux/: cd linux [Linux Developer] ...uClinux/: make xconfig In xconfig, perform appropriate tuning to the kernel, then use "make clean" to clean the source tree of any object files. [Linux Developer] ...linux/: make clean To start building a new kernel use "make dep" following by "make". [Linux Developer] ...linux/: make dep [Linux Developer] ...linux/: make To build the linux.flash file for uploading, use "make linux.flash". [Linux Developer] ...uClinux/: make linux.flash The linux.flash file is defined as the operating system image. As what we know, an operating system must run with a file system. So, we need to create a file system image too. First, edit the config file in userland/.config to select which application packages get built. For example: #TITLE agetty CONFIG_AGETTY=y If an application package's corresponding variable is set to 'n' (for example, CONFIG_AGETTY=n), then it will not be built and copied over to the target/ directory. Then, build all application packages specified in the userland/.config as following: [Linux Developer] ...userland/: make Now, we copy the pre-compiled netcat into target/ directory. After that, use "make romfs" to start generating the file system or romdisk image. [Linux Developer] ...uClinux/: make romfs Once completed, the resulting romdisk.flash file is ready to be downloaded to the target board. First, download the file system image following by the operating system image into the flash memory. [Linux Developer] ...uClinux/: nios-run -x romdisk.flash [Linux Developer] ...uClinux/: nios-run linux.flash Well, our FPGA-based "hacking machine" is ready now. Lets try to make use of it to a linux machine with /etc/passwd enabled. We assume the ip of the target linux machine is 192.168.1.1 as web server in the LAN that utilize MySQL database. Besides, we know that its show.php is vulnerable to be SQL injected. We also assume it has some security protections to filter out some dangerous symbols, so we decided to use char() method of injection. We assume the total columns in the table that access by show.php is 8. Now, we define: char getpass[]="http://192.168.1.1/show.php?id=1%20and%201=2%20union %20select%208,7,load_file(char(47,101,116,99,47,112,97,115,115,119, 100)),5,4,3,2,1"; as attacking string, and we store the respond data (content of /etc/passwd) in a file name of password.dat. By creating a pipe to the netcat, and at the same time to make sure the attacking string is always triggered by the push-button, well, our "hacking machine" is ready. Plug the "hacking machine" into any of the RJ45 socket in the LAN, following by pressing a button to trigger the attacking string against 192.168.1.1. After that, unplug the "hacking machine" and connect to a pc, download the password.dat from the "hacking machine", and start the cracking process. By utilizing the advantages of FPGA architecture, a hardware cracker can be appended for embedded based cracking process. Any optional module can be designed in Verilog-HDL and attach to the FPGA for all-in-one hacking purpose. The advantages of FPGA implementation over the conventional hardcore processors will be deepened in the following section, with a lot of case-studies, comparisons and wonderful examples. Tips: **FTP server is recommended to be installed in "hacking machine" because of two reasons: 1) Any new or value-added updates (trojans, exploits, worms,...) to the "hacking machine" can be done through FTP (online update). 2) The grabbed information (password files, configuration files,...) can be retrieved easily. Notes: **Installation of FTP server in uClinux is done by editing userland/.config file to enable the ftpd service. **This is just a demostration, it is nearly impossible to get a unix/linux machine that do not utilize file-permission and shadow to protect the password file. This article is purposely to show the migration of hacking methodology from PC-based into embedded system based. --[ 6. - What The Advantages Of Using FPGA In Hacking ? Well, this is a good question while someone will ask by using a $50 Rabbit module, a 9V battery and 20 lines of Dynamic C, a simple "hacking machine" can be implemented, instead of using a $300 FPGA development board and a proprietary embedded processor with another $495. The answer is, FPGA provides a very unique feature based on its architecture that is able to be hardware re-programmable. As what we know, FPGA is a well known platform for algorithm verification in hardware implementation, especially in DSP applications. The demand for higher bit rates by the wired and wireless communications industry has led to the development of higher bit rate and low cost serial link interface chips. Based on such considerations, some demands of programmable channel and band scanning are needed to be digitized and re-programmable. A new term has been created for this type of framework as "software defined radio" or SDR. However, the slow adoption of SDR is due to the limitation in Analog-to-Digital Converter(ADC) to digitize the analog demodulation unit in transceiver module. Although the sampling rate of the most advanced ADC is not yet to meet the specification of SDR, but it will come true soon. In this case, the application of conventional DSP chips such as TMS320C6200 (for fixed-point processing) and TMS320C6700 (for floating-point processing) are a little bit harder to handle such extremely high bit rates. Of course, someone may claim its parallel processing technique could solve the problem by using the following symbols in linear assembly language[15]. Inst1 || Inst2 || Inst3 || Inst4 || Inst5 || Inst6 Inst7 The double-pipe symbols (||) indicate instructions that are in parallel with a previous instruction. Inst2 to Inst6, these five instructions run in parallel with the first instruction, Inst1. In TMS320, up to eight instructions can be running in parallel. However, this is not a true parallel method, but perform pipelining in different time-slot within a single clock cycle. Instead, the true parallel processing can only be implemented with different sets of hardware module. So, FPGA should be the only solution to implement a true parallel processing architecture. For the case of SDR that is mentioned, it is just a an example to show the limitation of data processing in the structure of resource sharing. Meanwhile, when we consider to implement an encryption module, it is the same case as what data processing do. The method of parallel processing is extremely worth to enhance the time of key cracking process. Besides, it is significant to know that the implementation of encryption module in FPGA is hardware-driven. It is totally free from the limitation of any hardcore processor structure that is using a single instruction pointer (or program counter) to performing push and pop operations interactively over the stack memory. So, both of the mentioned advantages: true-parallel processing, and hardware-driven, are nicely clarified the uniqueness of FPGA's architecture for advanced applications. While we go further with the uniqueness of FPGA's architecture, more and more interesting issues can come into the discussion. For hacking purpose, we focus and stick to the discussion of utilizing the ability of hardware re-programmable in a FPGA-based "hacking machine". We ignore the ability of "software re-programmable" here because it can be done by any of the hardcore processor in the lowest cost. By applying the characterictic of hardware re-programmable, a segment of space in flash memory is reserved for hardware image. In Nios, it is started from 0x600000. This segment is available to be updated from remote through the network interface. In advanced mobile communication, this type of feature is started to be used for hardware bug-fix as well as module update [16] purpose. It is usually known as Over-The-Air (OTA) technology. For hacking purpose, the characteristic of hardware re-programmable had made our "hacking machine" to be general purpose. It can come with a hardware-driven DES cracker, and easily be changed to MD5 cracker or any other types of hardware-driven module. Besides, it can also be changed from an online cracker to be a proxy, in a second of time. In this state, the uniqueness of FPGA's architecture is clear now. So, it is the time to start the discussion of black magic with the characteristic of hardware re-programmable in further detail. By using Nios-core, we explore from two points: custom instruction and user peripheral. A custom instruction is hardware-driven and implemented by custom logic as shown below: |---->|------------| | |Custom Logic|-| | |-->|------------| | | | | | | |----------------|| A ---->| |-| | | Nios-ALU | |----> OUT B ---->| |-| |-----------------| By defining a custom logic that is parallel connected with Nios-ALU inputs, a new custom instruction is successfully created. With SOPC Builder, custom logic can be easily add-on and take-out from Nios-ALU, and so is the case of custom instruction. Now, we create a new custom instruction, let say nm_fpmult(). We apply the following codes: float a, b, result_slow, result_fast; result_slow = a * b; //Takes 2874 clock cycles result_fast = nm_fpmult(a, b); //Takes 19 clock cycles From the running result, the operation of hardware-based multiplication as custom instruction is so fast that is even faster than a DSP chip. For cracking purpose, custom instructions set can be build up in respective to the frequency of operations being used. The instructions set is easily to be plugged and unplugged for different types of encryption being adopted. The user peripheral is the second black magic of hardware re-programmable. As we know Nios-core is a soft processor, so a bus specification is needed for the communication of soft processor with other peripherals, such as RAM, ROM, UART, and timer. Nios-core is using a proprietary bus specification, known as Avalon-bus for peripheral-to-peripheral and Nios-core-to-peripheral communication purpose. So, user peripherals such as IDE and USB modules are usually be designed to expand the usability of embedded system. For hacking purpose, we ignore the IDE and USB peripherals because we are more interested to design user peripheral for custom communication channel synchronization. When we consider to hack a customize system such as building automation, public addressing, evacuation, security, and so on, the main obstacle is its proprietary communication protocol [17, 18, 19, 20, 21, 22]. In such case, a typical network interface is almost impossible to synchronize into the communication channel of a customize system. For example, a system that is running at 50Mbps, neither a 10Based-T nor 100Based-T network interface card can communicate with any module within the system. However, by knowing the technical specification of such system, a custom communication peripheral can be created in FPGA. So, it is able to synchronize our "hacking machine" into the communication channel of the customize system. By going through the Avalon-bus, Nios-core is available to manipulate the data-flow of the customize system. So, the custom communication peripheral is going to be the customize media gateway of our "hacking machine". The theoretical basis of custom communication peripheral is come from the mechanism of clock data recovery (CDR). CDR is a method to ensure the data regeneration is done with a decision circuit that samples the data signal at the optimal instant indicated by a clock. The clock must be synchronized as exactly the same frequency as the data rate, and be aligned in phase with respect to the data. The production of such a clock at the receiver is the goal of CDR. In general, the task of CDR is divided into two: frequency acquisition and timing alignment. Frequency acquisition is the process that locks the receiver clock frequency to the transmitted data frequency. Timing alignment is the phase alignment of the clock so the decision circuit samples the data at the optimal instant. Sometime, it is also named as bit synchronization or phase locking. Most timing alignment circuits can perform a limited degree of frequency acquisition, but additional acquisition aids may be needed. Data oversampling method is being used to create the CDR for our "hacking machine". By using the method of data oversampling, frequency acquisition is no longer be put into the design consideration. By ensuring the sampling frequency is always N times over than data rate, the CDR is able to work as normal. To synchronize multiple of customize systems, a frequency synthesis unit such as PLL is recommended to be used to make sure the sampling frequency is always N times over than data rate. A framework of CDR based-on the data oversampling method with N=4 is shown as following in Verilog-HDL. **The sampling frequency is 48MHz (mclk), which is 4 times of data rate (12MHz). //define input and output input data_in; input mclk; input rst; output data_buf; //asynchronous edge detector wire reset = (rst & ~(data_in ^ capture_buf)); //data oversampling module reg capture_buf; always @ (posedge mclk or negedge rst) if (rst == 0) capture_buf <= 0; else capture_buf <= data_in; //edge detection module reg [1:0] mclk_divd; always @ (posedge mclk or negedge reset or posedge reset) if (reset == 0) mclk_divd <= 2'b00; else mclk_divd <= mclk_divd + 1; //capture at data eye and put into a 16-bit buffer reg [15:0] data_buf; always @ (posedge mclk_divd[1] or negedge rst) if (rst == 0) data_buf <= 0; else data_buf <= {data_buf[14:0],capture_buf}; Once the channel is synchronized, the data can be transferred to Nios-core through the Avalon-Bus for further processing and interaction. The framework of CDR is plenty worth for channel synchronization in various types of custom communication channels. Jean P. Nicolle had shown another type of CDR for 10Base-T bit synchronization [23]. As someone might query for the most common approach of performing CDR channel synchronization in Phase-Locked Loop (PLL). Yes, this is a type of well known analog approach, by we are more interested to the digital approach, with the reason of hardware re-programmable - our black magic of FPGA. For those who interested to know more advantages of digital CDR approach over the analog CDR approach can refer to [24]. Anyway, the analog CDR approach is the only option for a hardcore-based (Scenix, Rabbit, SC12 ,...) "hacking machine" design, and it is sufferred to: 1. Longer design time for different data rate of the communication link. The PLL lock-time to preamble length, charge-pump circuit design, Voltage Controlled Oscillator (VCO), are very critical points. 2. Fixed-structure design. Any changes of "hacking application" need to re-design the circuit itself, and it is quite cumbersome. As a result, by getting a detail technical specification of a customized system, the possibility to hack into the system has always existed, especially to launch the Denial of Service attack. By disabling an evacuation system, or a fire alarm system at emergency, it is a very serious problem than ever. Try to imagine, when different types of CDRs are implemented in a single FPGA, and it is able to perform automatic switching to select a right CDR for channel synchronization. On the other hand, any custom defined module is able to plug into the system itself and freely communicate through Avalon-bus. Besides, the generated hardware image is able to be downloaded into flash memory through tftp. By following with a soft-reset to re-configure the FPGA, the "hacking machine" is successfully updated. So, it is ready to hack multiple of custom systems at the same time. case study: **The development of OPC technology is slowly become popular. According to The OPC Foundation, OPC technology can eliminate expensive custom interfaces and drivers tranditionally required for moving information easily around the enterprise. It promotes interoperability, including amongst different computing solutions and platforms both horizontally and vertically in the emterprise [25]. --[ 7. - What Else Of Magic That Embedded Linux Can Do ? So, we know the weakness of embedded system now, and we also know how to utilize the advantages of embedded system for hacking purpose. Then, what else of magic that we can do with embedded system? This is a good question. By referring to the development of network applications, ubiquitous and pervasive computing would be the latest issues. Embedded system would probably to be the future framework as embedded firewall, ubiquitous gateway/router, embedded IDS, mobile device security server, and so on. While existing systems are looking for network-enabled, embedded system had established its unique position for such purpose. A good example is migrating MySQL into embedded linux to provide online database-on-chip service (in FPGA) for a building access system with RFID tags. Again, the usage and development of embedded system has no limitation, the only limitation is the imagination. Tips: **If an embedded system works as a server (http, ftp, ...), it is going to provide services such as web control, web monitoring,... **If an embedded system works as a client (http, ftp, telnet, ..), then it is more likely to be a programmable "hacking machine" --[ 8. - Conclusion Embedded system is an extremely useful technology, because we can't expect every processing unit in the world as a personal computer. While we are begining to exploit the usefullness of embedded system, we need to consider all the cases properly, where we should use it and where we shouldn't use it. Embedded security might be too new to discuss seriously now but it always exist, and sometime naive. Besides, the abuse of embedded system would cause more mysterious cases in the hacking world. --=[ References [1] http://www.siteplayer.com/ [2] http://www.beck-ipc.com/ [3] http://www.altera.com/ [4] http://www.xilinx.com/ [5] http://www.cl.cam.ac.uk/users/rnc1/descrack/index.html [6] Nios Development Kit, Stratix Edition: Getting Started User Guide (Version 1.2) - July 2003 http://www.altera.com/literature/ug/ug_nios_gsg_stratix_1s10.pdf [7] http://www.microtronix.com/ [8] Nios Hardware Development Tutorial (Version 1.1) - July 2003 http://www.altera.com/literature/tt/tt_nios2_hardware_tutorial.pdf [9] Nios Software Development Tutorial (Version 1.3) - July 2003 http://www.altera.com/literature/tt/tt_nios_sw.pdf [10] Designing With The Nios (Part 1) - Second-Order, Closed-Loop Servo Control Circuit Cellar, #167, June 2004 [11] Designing With The Nios (Part 2) - System Enhancement Circuit Cellar, #168, July 2004 [12] Nios Tutorial (Version 1.1) February 2004 http://www.altera.com/literature/tt/tt_nios_hw_apex_20k200e.pdf [13] Microtronix Embedded Linux Development - Getting Started Guide: Document Revision 1.2 http://www.pldworld.com/_altera/html/_excalibur/niosldk/httpd/ getting_started_guide.pdf [14] Stratix EP1S10 Device: Pin Information February 2004 http://www.fulcrum.ru/Read/CDROMs/Altera/literature/lit-stx.html [15] TMS320C6000 Assembly Language Tools User's Guide http://www.tij.co.jp/jsc/docs/dsps/support/download/tools/ toolspdf6000/spru186i.pdf [16] Dynamic Spectrum Allocation In Composite Reconfigurable Wireless Networks IEEE Communications Magazine, May 2004. http://ieeexplore.ieee.org/iel5/35/28868/01299346.pdf?tp=&arnumber= 1299346&isnumber=28868 [17] TOA - VX-2000 (Digital Matrix System) http://www.toa-corp.co.uk/asp/catalogue/products.asp?prodcode=VX-2000 [18] Klotz Digital - Vadis (Audio Matrix), VariZone (Complex Digital PA System For Emergency Evacuation Applications) http://www.klotz-digital.de/products/pa.htm [19] Peavey - MediaMatrix System http://mediamatrix.peavey.com/home.cfm [20] Optimus - Optimus (Audio & Communication), Improve (Distributed Audio) http://www.optimus.es/eng/english.html [21] Simplex - TrueAlarm (Fire Alarm Systems) http://www.simplexgrinnell.com/ [22] Tyco - Fire Detection and Alarm, Integrated Security Systems, Health Care Communication Systems http://www.tycosafetyproducts-us.com [23] 10Base-T FPGA Interface - Ethernet Packets: Sending and Receiving http://www.fpga4fun.com/10BASE-T.html [24] Ethernet Receiver http://www.holmea.demon.co.uk/Ethernet/EthernetRx.htm [25] The OPC Foundation http://www.opcfoundation.org/ [26] www.ubicom.com (IP2022) [27] http://www.zilog.com/products/family.asp?fam=218 (eZ80) [29] http://www.fpga4fun.com/ [29] http://www.elektroda.pl/eboard |=[ EOF ]=---------------------------------------------------------------=|