Uwe Muller, Eicke Hauck, Timm Welz, Jiska Classen, Matthias Hollick (Secure Mobile Networking Lab, TU Darmstadt)

Even though PowerPC mostly disappeared from the consumer device market, its architectural properties continue being popular for highly specialized systems. This particularly includes embedded systems with real-time requirements that are deeply integrated into critical infrastructures as well as aeronautics, transportation, control systems in power plants, etc. One example is Terrestrial Trunked Radio (TETRA), a digital radio system used in the public safety domain and deployed in more than 120 countries worldwide: base stations of at least one of the main vendors are based on PowerPC. Despite the criticality of the aforementioned systems, many follow a security by obscurity approach and there are no openly available analysis tools. While analyzing a TETRA base station, we design and develop a set of analysis tools centered around a PowerPC binary patcher. We further create various dynamic tooling on top, including a fast memory dumper, function tracer, flexible patching capabilities at runtime, and a fuzzer. We describe the genesis of these tools and detail the binary patcher, which is general in nature and not limited to our base station under test.

View More Papers

Polypyus – The Firmware Historian

Jan Friebertshauser, Florian Kosterhon, Jiska Classen, Matthias Hollick (Secure Mobile Networking Lab, TU Darmstad)

Read More

FitM: Binary-Only Coverage-GuidedFuzzing for Stateful Network Protocols

Dominik Maier, Otto Bittner, Marc Munier, Julian Beier (TU Berlin)

Read More

NetPlier: Probabilistic Network Protocol Reverse Engineering from Message Traces

Yapeng Ye (Purdue University), Zhuo Zhang (Purdue University), Fei Wang (Purdue University), Xiangyu Zhang (Purdue University), Dongyan Xu (Purdue University)

Read More