Reversing a Japanese Wireless SD Card - From Zero to Code Execution

Conference:  BlackHat USA 2018



Toshiba FlashAir are wireless SD cards used by photographers and IoT enthusiasts. They integrate both a Japanese SoC and a Japanese Operating System. None of those have been discussed in security conferences, nor were clearly identified before this project. The SoC is employed in embedded devices as well as in the automotive industry. The ISA looks like MIPS with funny instructions such as a loops! The OS implements a RTOS specification that is believed to represent 60% of the embedded OS currently deployed, according to a survey by its designers.This talk will present investigations that lead to the discovery of the architecture and the operating system from nearly zero knowledge of the card. These investigations were performed with open-source tools only: miasm2 is used as the assembly, disassembly and emulation backend, while radare2 is used as the interface to reverse the firmware. Specific tools were developed during this project and will be released after the talk.The methodology used and the steps that lead to code execution on the card will be laid out in detail. Some involved reading assembly while other ones were achieved by accessing online documentation in English and Japanese. The main goal is to share lessons learned as well as mistakes made during the project.Finally, a complete demonstration of code execution will be given.