Reversing a Japanese Wireless SD Card - From Zero to Code Execution

Black Hat USA 2018

Presented by: Guillaume Valadon
Date: Wednesday August 08, 2018
Time: 13:30 - 14:20
Location: Lagoon JKL

Toshiba FlashAir cards are wireless SD cards used by photographers and IoT enthusiasts. They integrate both a Japanese SoC and a Japanese operating system. Neither had been discussed in security conferences, nor clearly identified, before this project. The SoC is employed in embedded devices as well as in the automotive industry. Its ISA looks like MIPS, with unusual instructions such as hardware loops! The OS implements an RTOS specification that is believed to represent 60% of the embedded OSes currently deployed, according to a survey by its designers.

This talk will present the investigations that led to the discovery of the architecture and the operating system, starting from nearly zero knowledge of the card. These investigations were performed with open-source tools only: miasm2 is used as the assembly, disassembly and emulation backend, while radare2 is used as the interface for reversing the firmware. Specific tools were developed during this project and will be released after the talk.

The methodology used and the steps that led to code execution on the card will be laid out in detail. Some steps involved reading assembly, while others were achieved by consulting online documentation in English and Japanese. The main goal is to share lessons learned as well as mistakes made during the project.

Finally, a complete demonstration of code execution will be given.

Guillaume Valadon

Guillaume Valadon is the head of the network security laboratory at ANSSI and holds a PhD in networking. He likes looking at data and crafting packets. In his spare time, he co-maintains Scapy and learns to reverse embedded devices. Also, he still remembers what AT+MS=V34 means! Guillaume regularly gives technical presentations, classes and live demonstrations, and writes research papers for conferences and magazines.
