Hacking Hadoukens

Reverse Engineering a Street Fighter Two Cabinet

Table of Contents

• Introduction
• Platform Overview / Goals
• Hardware Teardown
• Firmware Extraction
• Firmware Analysis
• Conclusion

Introduction

• whoami?

  • Matthew Alt
  • @wrongbaud

• Security researcher for Caesar Creek Software

  • Previously @ MIT Lincoln Laboratory, Revo Technik/STASIS Engineering
  • Recovering ECU tuner

• Offer private training/consulting through VoidStar Security LLC

Presentation Goals

1. Explain how to perform black-box analysis of embedded systems
2. Learn how to extract SPI flash memory
3. Review initial steps to take when looking at firmware binaries
4. Review UART/SPI protocols and the tools to interface with them
5. Parse a custom filesystem image with Kaitai Struct

Platform Overview

• Street Fighter 2 Championship Edition Arcade Cab
  • Developed by "My Arcade"
• Allows for two-player co-op
• 6 button layout + coin insert buttons
  • Perfect for generic MAME

Research Goals

1. Extract all non-volatile storage
2. Perform cursory analysis of firmware
   • Operating System
   • Application structure
3. Determine if it's possible to run custom programs on the target
4. Overwrite the SFII ROM with a different ROM

Hardware Overview: Interfaces

• When reviewing an embedded system, it is essential to review its external interfaces
• The SF2 cabinet has the following externally exposed interfaces:
  • USB (Charging)
  • Serial (via 3.5mm audio connector) for multiplayer
• This does not leave us with a large attack surface so that we will perform a hardware teardown

Hardware Overview: Goals

• What are we looking for when we perform a hardware teardown?
  • Processors
  • Non-volatile flash devices
  • Debug interfaces
  • Silkscreen or other information labeled on the PCB
• When performing a hardware teardown, be sure to write down / document part numbers for components!
  • Sometimes you can find datasheets

Hardware Teardown

This target consists of two main PCBs that we will review

Hardware Teardown

• This is our main PCB which contains most of our components of interest

Hardware Teardown

CPU / Processors

• The first component that stands out is likely the CPU
• The following characteristics indicate that this is a CPU
  • Central board location
  • Oscillator connected to it
  • All traces lead to it

Hardware Teardown

Debug Headers

• These vias are sometimes indicative of debug headers
• Note that one is silk-screened GND/TX

Hardware Teardown

SPI Flash

• The highlighted component is a SPI flash chip
• This is likely where our data is stored!
• Part number: EN25QH64

Hardware Teardown

USB / Serial Connections

• This smaller board houses the USB connector and 3.5mm connector
• TX/RX/DET are used for multiplayer purposes, not debugging :(

Hardware Teardown

Main Board Bottom Side

• There are not many components on the underside of the PCB
• The silkscreen gives us more information about the test pads
  • IO lines for buttons
  • FPC connector for USB/3.5mm PCB

Hardware Teardown: Component Overview

• Based on our hardware teardown, we now know:
  • Utilizes on G20 ARM
  • Contains a SPI flash chip
  • Has a potential debug header (GND/TX)
• Next, we will examine our two potential interfaces
  • UART
  • SPI

UART: Overview

• UART = Universal Asynchronous Receiver Transmitter

  • Asynchronous = no external clock
  • Often referred to simply as “serial.”

• Used to transmit and receive serial data between two components

• Utilizes two lines, Tx and Rx

  • Tx = Transmit
  • Rx = Receive

UART: Pi Interfacing

• TXD0/IO14 = Transmit
• RXD0/IO15 = Receive
• Can be accessed via /dev/ttyS0
  

UART Tools: screen/minicom

• The Unix tool screen can be used to access serial ports
  • screen /path/to/device baudrate
  • Exit by pressing Ctrl-a then k
• minicom can also be used to interact with serial ports and provides
  additional features
  • sudo minicom -b baudrate /path/to/device
  • Allows more complex settings to be saved in a config file

SF2: UART Access

• We will connect to the cabinet's serial debug header with a baudrate of 115200
• sudo screen /dev/ttyS0 115200

SF2: UART Access

SF2 UART Access

• The debug logs for this device are very verbose
  • Over 14kb of data!
• While the information is useful, we are not given a shell or any other kind of access
  • This is still useful for debugging
• Some interesting strings appear in the logfile:
  • EPOS_MEM_DBG ON?, log_mem:0x0
  • fba_open:d:\game\sf2ceua.zip
  • read hiscore file, szFilename:e:\sf2ceua.hi, fp:-1037855776

SF2: UART Access Conclusion

• With this UART we can get access to debug logs
  • There is no Rx line, so we can only receive data from the target
• The debug logs tell us the following:
  • The EPOS RTOS is likely being used
  • The SF2 ROM is likely a standard MAME ROM
• The application in use is FB Alpha
  • FB Alpha is an arcade emulator!
• To learn more, we will need to try to dump the flash

SPI Flash Extraction

• We have identified the component which likely holds our data
  • EN25QH64
• SPI flash chips can be extracted in circuit (without removing them)
  • We will use a Raspberry Pi for this

Serial Peripheral Interface

• SPI is a synchronous serial communications interface
  • Commonly used for external sensors, SPI flash, etc
• SPI operates in full-duplex mode
  • This means that both lines are active
• It requires 4 lines to be implemented
  • CS/CLK/SDI/SDO
• The protocol utilizes a host/target paradigm

SPI: Pin Usage / Definition

SPI Connections

The host controls the CS, CLK and SDO lines. The target responds on the SDI line

SPI: Pi Interfacing

• IO10/SDO
• IO9/SDI
• IO11/SCLK
• IO8/CS

SPI Tools: flashrom

• Flashrom is an open-source utility that can read and write SPI flash memory
  • Many chips and targets are supported
  • Adding additional chips is straightforward
• Flashrom can run on the Raspberry Pi!
  • Check out the man pages: man flashrom

SPI Tools: flashrom

• Flashrom can interact with multiple hardware devices, referred to as "programmers."
  • FT2232h (FTDI)
  • Linux SPI Peripherals (Like the one on the Pi!)
  • More are listed in the documentation
• The programmer is specified with the -p argument

SPI Tools: flashrom

Programmer Selection

• An example programmer argument can be seen below:
  • -p linux_spi:dev=/dev/spidev0.0,spispeed=800
• linux_spi
  • Linux based spi subsystem is to be used
• dev=/dev/spidev0.0
  • Path to SPI device
• spispeed=800
  • Clock speed to be used (in Khz)

SPI Flash Extraction:

SPI Flash Extraction

SPI Flash Extraction

Flashrom was able to dump the SPI flash memory, both dumps have the same md5sum result

SPI Flash: Initial Analysis

After extracting the firmware, we will use binwalk/strings on the resulting image

SPI FLash: Binwalk Output

SPI Flash: Initial Analysis

Examining the strings in the binary showed some plaintext data

RE Tips: Firmware Blob Analysis

• In addition to running binwalk and strings, examine the beginning of the file for header information
  • hexdump -C -n512 file.bin
• When examining firmware headers, look for:
  • Start addresses (0x80000000, etc.)
  • Branch instructions (architecture-dependent)
  • Size fields / possible checksums

SPI Flash Analysis

Examining the first 512 bytes of the file reveal what looks like a header; googling these strings leads us to the Sunxi FEL Webpage

SPI Flash Analysis

The first byte sequence - a8 00 00 ea is an ARM branch instruction!

SPI Flash Analysis

• Now that we have extracted the SPI flash, we will attempt to understand the boot process
  • How many stages are there in the boot process?
  • Are there any stages that we can interrupt?
• We also need to answer the following questions:
  • What OS is in use? (if any)
  • What filesystem(s) are present?

SPI Flash Analysis

• Here we see some debug strings
  • Are these present in our serial logs?

Understanding the Boot Process

Understanding the Boot Process

• After further analysis of the flash, there are two possible boot images:
  • eGON.BT0 at address 0
  • eGON.BT1 at address 0x6000
• In both boot images, there are references to jump to fel
• After researching FEL we find the following on the Allwinner website

Understanding FEL Mode

• FEL is a low-level subroutine contained in the BootROM on Allwinner devices.
  • It is used for initial programming and recovery of devices using USB.
• Devices must enter FEL mode, causing them to present themselves as a USB device
  • FEL mode is entered by holding certain IO lines on boot
• If this mode is present on our cabinet, how might we trigger it?

Understanding FEL Mode

• After testing, it was discovered that holding volume down during startup causes FEL mode to be entered

SPI Flash: Analysis

• Based on our initial analysis of the SPI flash, we know the following:
  • There is a two-stage bootloader
  • FEL mode can be entered on startup
  • The CPU is an Allwinner Series CPU
  • FB Alpha Emulation software is in use
  • The SF2 ROM in use is likely a standard one
    • It matches the same structure as the typical MAME ROM

Using FEL Mode

• We can enter FEL mode, causing the cabinet to present itself as a USB device
  • What can we do with this?

Using FEL Mode

• To communicate with the device in FEL mode, we need to build the sunxi-tools
• After building this software, the FEL version can be queried as shown below:

Using FEL Mode

• The standard FEL tools do not have support for our chip ID
• After searching through GitHub using the chip ID a fork of this repo was found that supports our chip!
• What can we do with these tools?

Using FEL Mode

• Using the fel tools, we can:
  • Read and write RAM
  • Read and write SPI flash memory
  • Load arbitrary firmware binaries into RAM

FEL Mode: Conclusion

• Using FEL mode, we can now read and write the SPI flash over USB
• This is much more efficient than using the clips
• This method can also easily be employed by other people for testing!
• We still need to answer the following:
  • What OS/RTOS is in use?
  • What filesystem is in use?

Understanding the OS

• Throughout our serial log we see multiple strings such as:
  • esMODS_MInstall
  • esDEV_Plugin
  • EPOS_MEM_DBG
  • L560(Esh_shell.c):Esh msg: shell main thread: Bye Bye!
• After researching these debug logs, it appears that the OS in use is ePOS v1.0

ePOS v1.0

• Not much information is available on ePOS v1.0
  • https://epos.lisha.ufsc.br/EPOS+Overview
  • Embedded Parallel Operating System

Understanding the Filesystem

• Based on some strings in the binary, we see references to the following:
  • MinFS
  • Fat16
• A Fat16 header is present in the image

MinFS Tables

• At ROM offset 0x24400, we see the string MINFS

• What follows this entry is what appears to be a list of files

Analyzying Unknown Headers: Where to Start?

• When looking at an unknown binary format, look for the following:
  • Length fields (before strings etc.)
  • Size fields (of entire structure)
  • Pointers / Offset values
• Examining formats like this takes patience
  • Look for a parser if possible
    Google is your friend!

Analyzying Unknown Headers

Here is a sample consisting of multiple file entries

Analyzying Unknown Headers

There is what appears to be a length field for the filename
apps is 4 bytes
app_config.bin is 0xE bytes

Analyzying Unknown Headers

0x1A is a likely the candidate for a field representing the total length

Analyzing Unknown Headers

Examine the Data in 010Editor -- Live analysis!

MinFS Table Entry Structure

Now that we understand the format, we need to develop a tool to parse it

Kaitai Struct

• Kaitai Struct is a binary format analysis tool
  • Defines a declarative language used to define binary structures
• Free and open source

Kaitai Struct

• Binary formats can be defined with a .ksy file
• Kaitai includes a visualizer to debug your format
• .ksy files are compiled into a language source file
  • Python
  • Javascript
  • C#
• Automatically generates classes for parsing your defined data

Kaitai Struct: Example .ksy file

Kaitai Struct: Writing a Template

• Templates are written in a YAML based format
  • Documentation is here
• The seq element describes the attributes that make up the structure
• The web-based editor can debug templates
  • This can be run locally!

Kaitai Struct: .ksy Attributes

• id is used to give the attribute a name
• type gives the attribute a type
• Common types include:
  • u1 Unsigned Byte
  • u2 Unsigned Word
  • s1 Signed byte
  • s2 Signed Word

Kaitai Struct: .ksy Substructures

• Types are defined with the types element

Kaitai Struct: .ksy Enums

Kaitai Struct: MinFS Table Header

Kaitai Struct: MinFS Table Entry

Kaitai Struct: Final Sequence

Kaitai Struct: Testing the Template

Kaitai Struct: Parsing the Filesystem

• Using Kaitai, we can now generate a python library to parse our structure
  • This allows us to parse them with the following code quickly:

Filesystem Analysis: Examining the Binaries

• After running our script to parse the filesystem, we generate the following files:

Filesystem Analysis: Conclusion

• Using Kaitai, we were able to develop a parser for this filesystem quickly
  • This was much easier than manually defining the structs in python!
• With the parser generated by Kaitai, we can extract all of the files from the filesystem!
• The parser also worked on the included ramdisk
• Next steps are to further investigate their custom compression

Questions?

Binary Image Structure