
Sydney


User Manual

Lockitall                                            LOCKIT PRO r a.02
______________________________________________________________________

User Manual: Lockitall LockIT Pro, rev a.02
______________________________________________________________________


OVERVIEW

- We have revised the software in revision 02.
- This lock is not attached to any hardware security module.


DETAILS

The LockIT Pro a.02 is the first of a new series of locks. It is
controlled by a MSP430 microcontroller, and is the most advanced
MCU-controlled lock available on the market. The MSP430 is a very
low-power device which allows the LockIT Pro to run in almost any
environment.

The LockIT Pro contains a Bluetooth chip allowing it to
communicate with the LockIT Pro App, allowing the LockIT Pro to
be inaccessible from the exterior of the building.

There is no default password on the LockIT Pro---upon receiving
the LockIT Pro, a new password must be set by connecting it to the
LockIT Pro App and entering a password when prompted, and then
restarting the LockIT Pro using the red button on the back.

This is Hardware Version A. It contains the Bluetooth connector
built in, and one available port to which the LockIT Pro Deadbolt
should be connected.

This is Software Revision 02. We have received reports that the
prior version of the lock was bypassable without knowing the
password. We have fixed this and removed the password from memory.




(c) 2013 LOCKITALL Page 1/1

Let's set a breakpoint at main and continue execution flow.

Debugger Console
> break main
Breakpoint set
> continue


We can see that the program no longer calls the create_password function. So we'll have to find a new approach to open the lock.

check_password

The check_password function is still being called, so let's set a breakpoint there.

Debugger Console
> break check_password
Breakpoint set
> continue

We are then asked to enter the password.


If we continue the program execution, it stops at the breakpoint that we set earlier at check_password.

Debugger Console
> continue


So the user's input is being compared as follows:

  • 1st and 2nd bytes: 0x5567, Ug in ASCII
  • 3rd and 4th bytes: 0x6b25, k% in ASCII
  • 5th and 6th bytes: 0x253e, %> in ASCII
  • 7th and 8th bytes: 0x793e, y> in ASCII

Let's rerun the program using the reset command and give it the password Ugk%%>y>.

Debugger Console
> reset


Our password is in the memory, we're going to unlock the lock, right?

Debugger Console
> continue
CPUOFF flag set; program no longer running. CPU must now be reset.

If we continue execution, the program exits. We can find the cause by looking at the registers, especially the status register sr.

Let's set a breakpoint at the instruction right after the first comparison.


Debugger Console
> break 0x4490
Breakpoint set
> continue

Next, let's reset the program, and repeat the steps.

Debugger Console
> reset

Once we hit the breakpoint at 0x4490, we can see that the sr register is modified.


Status register sr

Bit  Flag              Value  Meaning
0    C (Carry)         1      A carry occurred (no borrow in compare/subtract); in unsigned math: b ≥ a in cmp
1    Z (Zero)          0      Result ≠ 0
2    N (Negative)      0      Result is not negative (MSB is 0)
3    GIE (Interrupts)  0      General interrupts are disabled

Then, the jnz instruction checks if the zero bit of the status register sr is set. If it isn't set, that means the difference between the two values was not 0, and thus the values being compared were not the same.

In order to understand why the values were not the same even when we explicitly set them to be, we have to understand endianness.

Endianness

Big endian

   0x439c   0x439d
┌────────┬────────┐
│   55   │   67   │
└────────┴────────┘

The LSB is stored in the high memory address (0x439d) while the MSB is stored in the low memory address (0x439c).

This is the format in which humans write numbers. Network traffic is also sent in big endian format.

Little endian

   0x439c   0x439d
┌────────┬────────┐
│   67   │   55   │
└────────┴────────┘

The LSB is stored in the low memory address (0x439c) while the MSB is stored in the high memory address (0x439d).

This is the format in which the MSP430, like most processors, stores data in memory. This is the relevant format for our level.

So when it reads our first word for comparison, it expects it to be in little-endian format, i.e. 0x6755. In the same manner, the next word should be 0x256b, the third one should be 0x3e25 and the last word should be 0x3e79.

In order to pass the checks, our bytes need to be flipped when they are stored so that the program, when reading, will interpret them correctly.

Therefore our input should actually be gU%k>%>y.
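To make the byte-swapping concrete, here is an added Python model of the word-by-word comparison (not code from the level or from Microcorruption): it reads the input buffer as little-endian 16-bit words exactly as the MSP430 does, shows which words the CPU actually sees for the naive input, and derives the correct input by packing each immediate little-endian. The function names and the early-exit-on-first-mismatch behaviour are assumptions modelled on the jnz path described above.

```python
import struct

# Immediate words check_password compares against, in the order
# the disassembly compares them (taken from the level's listing).
EXPECTED_WORDS = [0x5567, 0x6b25, 0x253e, 0x793e]


def check_password(candidate: bytes) -> bool:
    """Model of check_password: the MSP430 reads the input buffer one
    16-bit word at a time (little-endian) and compares it with an
    immediate; the first mismatch ends the check (the jnz path)."""
    if len(candidate) < 2 * len(EXPECTED_WORDS):
        return False
    for i, expected in enumerate(EXPECTED_WORDS):
        # '<H' = one unsigned 16-bit little-endian word, as the CPU sees it
        (word,) = struct.unpack_from('<H', candidate, 2 * i)
        if word != expected:
            return False
    return True


def words_as_read_by_cpu(candidate: bytes) -> list[int]:
    """The 16-bit words the CPU actually sees for a given input buffer."""
    return [struct.unpack_from('<H', candidate, off)[0]
            for off in range(0, len(candidate) - 1, 2)]


def password_from_words(words: list[int]) -> bytes:
    """Derive the input that satisfies the comparisons: pack each
    immediate little-endian so it lands in memory the way cmp reads it."""
    return b''.join(struct.pack('<H', w) for w in words)


if __name__ == '__main__':
    # Naive input: the hex digits typed in the order they were read
    naive = b'Ugk%%>y>'
    print(naive, [hex(w) for w in words_as_read_by_cpu(naive)],
          check_password(naive))   # words 0x6755, 0x256b, ... -> False
    fixed = password_from_words(EXPECTED_WORDS)
    print(fixed, [hex(w) for w in words_as_read_by_cpu(fixed)],
          check_password(fixed))   # b'gU%k>%>y' -> True
```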
