Presentation at Hack.lu : Reversing the Broacom NetExtreme's firmware

[Eugen Leitl]

(of course, this capability is not new)

http://esec-lab.sogeti.com/dotclear/index.php?post/2010/11/21/Presentation-at-Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmware 

Presentation at Hack.lu : Reversing the Broacom NetExtreme's firmware

By guillaume ; Sunday 21 November 2010, 04:28 - Conferences

I was giving a talk in October during last hack.lu session. The presentation
focuses on the roadmap taken to reverse engineer the Broadcom Ethernet
NetExtreme firmware family : building a firmware debugger, instrumentation
tools, to finally develop a customized network card firmware.

NetExtreme family cards are the standard range of PCI Ethernet cards from
Broadcom. Broadcom released part of their soft specifications (inner
workings, memory mappings, device register definitions...). However those
specifications are incomplete and the firmware is distributed as a binary
blob.

Given publicly available documentation (specifications, Linux open-source
driver) and free open-source tools, I have built a set of tools to instrument
the network card firmware. Those tools provided me a way to debug in
real-time the MIPS CPU of the network card, as well as doing some advanced
instrumentation on the firmware code (execution flow tracing, memory-accesses
logging...). I have also reverse engineered the format of the EEPROM where
firmware code is kept and the bootstrap process of the device leading to
firmware execution. This way it is possible to develop a custom firmware
code, flash the device and get execution on the CPU of the network card.

The main interest is developing a rootkit which will be residing inside the
network card. A network card rootkit offers some very interesting features:

A very stealthy communication end-point over the Ethernet link. It can
intercept and forge network frames without the operating system knowing about
it.

A physical system memory access using DMA over the PCI link, leading to OS
corruption.

No trace of the rootkit on the operating system, as it is being hidden inside
the NIC.

The network card natively needs to perform DMA accesses, so that network
frames can be exchanged between the driver and the device. From the firmware
point of view, everything is operated using special dedicated device
registers, some of them being non-documented. An attacker would then be able
to communicate remotely with the rootkit in the network card and get access
to the underlying operating system thanks to DMA. 

Slides of my presentation are available here.

Here is a little demo of what can be done once you develop your own network
card firmware: