Hacking Machine

The embedded "hacking machine" will be implemented on Altera's Nios
development board with a Stratix EP1S10 FPGA. The board provides
10/100Base-T Ethernet and a CompactFlash connector. Two RS-232 ports are
also provided, one for serial interfacing and one for system
configuration. The onboard 1MB of SRAM, 16MB of SDRAM, and 8MB of flash
memory are sufficient for an embedded Linux installation [6]. The embedded
Linux used here is uClinux from Microtronix [7].

Ok, that is the specification of the board. Now we start our journey
of "hacking machine" design. We use three tools provided by Altera to
implement our "hardware" design. Here "hardware" means the part that is
synthesizable and is designed in Verilog-HDL. The three tools are:
Quartus II (as synthesis tool), SOPC Builder (as Nios-core design tool),
and the C compiler. Other synthesis tools such as Leonardo Spectrum from
Mentor Graphics and Synplify from Synplicity can optionally be used for
special purposes. In that case, the synthesized design in EDIF format is
defined as an external module, which must be imported into Quartus II to
perform place-and-route (PAR). The outcome of PAR is the hardware core.
For advanced users, ModelSim from Mentor Graphics is highly recommended
for behavioral simulation and post-PAR simulation. Behavioral simulation
is functional verification of the digital hardware design; timing is not
taken into consideration at this stage. Post-PAR simulation, by contrast,
is real-case verification: all real-case factors such as power
consumption and timing conditions (in SDF format) are taken into
consideration. [8,9,10,11,12]

A reference design is provided by Microtronix, and it is highly
recommended as the design framework for any custom design, with
appropriate modifications [13]. For our "hacking machine" design, the
only modification we need to make is to assign interrupts to the four
onboard push-buttons [14]. So, once the design framework is loaded into
Quartus II, SOPC Builder is ready to start the design of the Nios core,
boot ROM, SRAM and SDRAM interfaces, Ethernet interface, CompactFlash
interface and so on. Before generating synthesizable code from the
design, it is crucial to ensure that the "Microtronix uClinux" check-box
under Software Components is selected (it is in the "More CPU Settings"
tab of the main configuration window in SOPC Builder). Selecting this
option builds a uClinux kernel, the uClibc library, and some of uClinux's
general-purpose applications at the time the synthesizable code is
generated. Once ready, generate the design as synthesizable code in SOPC
Builder, then perform PAR in Quartus II to get a hardware core. In
general, there are two formats of hardware core:

a) .sof core: downloaded into the EP1S10 directly by JTAG; it must be
re-loaded if the board is power cycled
**(Think of it as volatile)

b) .pof core: downloaded into the EPC16 (enhanced configuration
device); it is automatically loaded into the FPGA every time the board
is power cycled
**(Think of it as non-volatile)

The raw format of .sof and .pof hardware cores is .hexout. As hackers,
we prefer to work on the command line, so we use the hexout2flash tool
to convert the hardware core from .hexout into .flash and relocate the
base address of the core to 0x600000 in flash. 0x600000 is the startup
core loading address of the EP1S10. Once the .flash file is created, we
use the nios-run (or nr) command to download the hardware core into flash
memory as follows:

[Linux Developer] ...uClinux/: nios-run hackcore.hexout.flash

After nios-run indicates that the download has completed successfully,
restart the board. The downloaded core will now start as the default core
whenever the board is restarted.

Fine, the "hardware" part is completed. Now we look into the
"software" implementation, starting with uClinux. As stated above, SOPC
Builder has generated a framework of the uClinux kernel, the uClibc
library, and some uClinux general-purpose applications such as cat, mv,
rm, etc.

We start by reconfiguring the kernel using "make xconfig".

[Linux Developer] ...uClinux/: cd linux
[Linux Developer] ...uClinux/: make xconfig

In xconfig, perform appropriate tuning of the kernel, then use
"make clean" to clean the source tree of any object files.

[Linux Developer] ...linux/: make clean

To start building a new kernel, use "make dep" followed by "make".

[Linux Developer] ...linux/: make dep
[Linux Developer] ...linux/: make

To build the linux.flash file for uploading, use "make linux.flash".

[Linux Developer] ...uClinux/: make linux.flash

The linux.flash file is the operating system image. As we know, an
operating system must run with a file system, so we need to create a
file system image too. First, edit the config file userland/.config to
select which application packages get built. For example:

#TITLE agetty
CONFIG_AGETTY=y

If an application package's corresponding variable is set to 'n'
(for example, CONFIG_AGETTY=n), it will not be built or copied to the
target/ directory. Then build all application packages specified in
userland/.config as follows:

[Linux Developer] ...userland/: make

Now we copy the pre-compiled netcat into the target/ directory.
After that, use "make romfs" to generate the file system (romdisk)
image.

[Linux Developer] ...uClinux/: make romfs

Once completed, the resulting romdisk.flash file is ready to be
downloaded to the target board. First download the file system image,
followed by the operating system image, into flash memory.

[Linux Developer] ...uClinux/: nios-run -x romdisk.flash
[Linux Developer] ...uClinux/: nios-run linux.flash

Well, our FPGA-based "hacking machine" is ready now.

Let's try to make use of it against a Linux machine with an
unprotected /etc/passwd. We assume the IP of the target Linux machine is
192.168.1.1, a web server in the LAN that uses a MySQL database. Besides,
we know that its show.php is vulnerable to SQL injection. We also assume
it has some security protections that filter out certain dangerous
symbols, so we decide to use the char() method of injection. We assume
the table accessed by show.php has 8 columns.

Now, we define:

char getpass[] =
    "http://192.168.1.1/show.php?id=1%20and%201=2%20union"
    "%20select%208,7,load_file(char(47,101,116,99,47,112,97,115,115,119,"
    "100)),5,4,3,2,1";

as the attacking string, and we store the response data (the content of
/etc/passwd) in a file named password.dat. By creating a pipe to netcat,
and at the same time making sure the attacking string is always
triggered by the push-button, our "hacking machine" is ready.
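As an added example that is not part of the original article, the following Python script shows the defender's side of the char() trick above: a filter that only rejects quote characters never sees a string literal, because char(47,101,...) only becomes "/etc/passwd" when MySQL evaluates it. The script scans constructed Apache-style access log lines (my own, not real traffic), URL-decodes each request, flags UNION/load_file payloads and decodes char() arguments back to text so the analyst can see which file was requested; all function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2007:10:00:01 +0000] "GET /show.php?id=1 HTTP/1.1" 200 512
192.168.1.77 - - [10/Mar/2007:10:00:02 +0000] "GET /show.php?id=1%20and%201=2%20union%20select%208,7,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),5,4,3,2,1 HTTP/1.1" 200 2048
192.168.1.50 - - [10/Mar/2007:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
CHAR_RE = re.compile(r'char\s*\(\s*([\d\s,]+)\)', re.IGNORECASE)
UNION_RE = re.compile(r'\bunion\b.*?\bselect\b', re.IGNORECASE | re.DOTALL)

def naive_quote_filter_blocks(url: str) -> bool:
    """A filter that only rejects quote characters: the char() payload passes it."""
    decoded = unquote_plus(url)
    return "'" in decoded or '"' in decoded

def decode_char_calls(sql: str) -> str:
    """Replace each MySQL char(n,n,...) call with the quoted string it builds."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return "'" + "".join(chr(c) for c in codes if 0 < c < 128) + "'"
    return CHAR_RE.sub(repl, sql)

def analyse_request(url: str) -> dict:
    """Return the injection indicators found in one request URL."""
    decoded = unquote_plus(url)
    has_char = bool(CHAR_RE.search(decoded))
    revealed = re.findall(r"'([^']*)'", decode_char_calls(decoded)) if has_char else []
    return {
        "union_select": bool(UNION_RE.search(decoded)),
        "load_file": "load_file(" in decoded.lower(),
        "char_encoding": has_char,
        "revealed_strings": revealed,  # e.g. the path handed to load_file()
    }

def scan_log(log_text: str) -> list:
    """Return (client_ip, url, indicators) for each request that looks like SQL injection."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        ind = analyse_request(url)
        if ind["union_select"] or ind["load_file"] or ind["char_encoding"]:
            hits.append((ip, url, ind))
    return hits
```

Calling scan_log(SAMPLE_LOG) returns the single request from 192.168.1.77 with revealed_strings equal to ["/etc/passwd"], while naive_quote_filter_blocks() returns False for that same URL; the lesson for the web server side is to use parameterized queries and to deny FILE privilege to the application's database account rather than to filter symbols.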

Plug the "hacking machine" into any RJ45 socket in the LAN, then
press a button to trigger the attacking string against 192.168.1.1.
After that, unplug the "hacking machine", connect it to a PC, download
password.dat from the "hacking machine", and start the cracking process.
By utilizing the advantages of the FPGA architecture, a hardware cracker
can be appended for an embedded cracking process. Any optional module
can be designed in Verilog-HDL and attached to the FPGA for all-in-one
hacking purposes. The advantages of FPGA implementation over
conventional hard-core processors will be explored in depth in the
following section, with many case studies, comparisons and wonderful
examples.

Tips:

**An FTP server is recommended to be installed in the "hacking machine"
for two reasons:

1) Any new or value-added updates (trojans, exploits, worms, ...) to
the "hacking machine" can be done through FTP (online update).

2) The grabbed information (password files, configuration files, ...)
can be retrieved easily.

Notes:

**Installation of an FTP server in uClinux is done by editing the
userland/.config file to enable the ftpd service.

**This is just a demonstration; it is nearly impossible to find a
Unix/Linux machine that does not use file permissions and shadow
passwords to protect the password file. The purpose of this article is
to show the migration of hacking methodology from PC-based to
embedded-system-based.

(c) 2007 - JTronics Electronica Digital