Battery Firmware Hacking

《Battery Firmware Hacking》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、BatteryFirmwareHackingInsidetheinnardsofaSmartBatteryCharlieMillerAccuvantLabscharlie.miller.comTwitter:0xcharlieJuly12,2011TableofContentsIntroduction!3Background!3Insideamacbookbattery!5SBS(SmartBatterySpecification)!11Sniffing!14Differentbatterymodes!20TexasInstrumentsEvaluationMod

2、ule!21Reprogramingthetestgauge!23Devicelayout!24Reprogrammingtherealbatterygasgauge!25Thebatteryfirmwareitself!26Firmwarechecksum!29Modifyingthefirmware!31Example:“Hotelbattery”!32Conclusions!36SpecialThanks!37Bibliography!38IntroductionEverwonderhowyourlaptopbatteryknowswhentostopcha

3、rgingwhenitispluggedintothewall,butthecomputerispoweredoff?Moderncomputersarenolongerjustcomposedofasingleprocessor.Computerspossessmanyotherembeddedmicroprocessors.Researchersareonlyrecentlyconsideringthesecurityimplicationsofmultipleprocessors,multiplepiecesofembeddedmemory,etc.Th

4、ispapertakesanindepthlookatacommonembeddedcontrollerusedinLithiumIon(Li-Ion)andLithiumPolymerbatteries,inparticular,thiscontrollerisusedinalargenumberofMacBook,MacBookPro,andMacBookAirlaptopcomputers.Thisisespeciallyimportantbecauseifanattackercanmodifytheoperationofsuchanembeddedco

5、ntroller,itmaybepossibletocauseasafetyhazardsuchasoverheatingthebatteryorevencausingittocatchonfire.Additionally,beingabletotakecontrolofsuchanembeddedcontrollercouldprovideamechanismforattackerpersistenceeveninthepresenceofacompletesystemreinstall.Itmightalsoprovideaquickmethodforim

6、plantingadevicebysimplyswitchingoutthebatteryinit.ItmightalsoprovideamethodforanattackertoobservetrustedoperationslikecommunicationstoandfromtheTPMchip.Inthispaper,wedemonstratehowtheembeddedcontrollerworks.Wereverseengineeredthefirmwareandthefirmwareflashingprocessforaparticularsmartb

7、atterycontroller.Inparticular,weshowhowtocompletelyreprogramthesmartbatterybymodifyingthefirmwareonit.ThisispossibledueinparttoAppleʼsuseofdefaultpasswordsforbothunsealingthebatteryandopeningupfullaccessmodetoit.Also,wereverseengineerthechecksumusedbythefirmwaretoensureonlylegitimatefi

8、rmwaresareused,andi