A Deep Dive Into Unconstrained Code Execution on Siemens S7 PLCs

Offered By: media.ccc.de via YouTube

Course Description

Overview

Explore a deep-dive investigation into the bootloader and ADONIS operating system of Siemens S7 PLCs in this conference talk from the 36th Chaos Communication Congress. Uncover the undocumented "special access feature" in the Siemens S7-1200 PLC bootloader, which can be exploited for arbitrary code execution and memory dumping. Learn about the security implications of this feature and its potential both for malicious attacks and for forensic analysis. Gain insights into the hardware architecture, firmware update process, and security measures of Siemens PLCs. Examine the ADONIS RTOS components, CoreSight debugging technology, and the details of the firmware boot process. Watch a demonstration of the findings and a discussion of potential methods for injecting custom code into the firmware. Delve into the world of industrial automation security and explore the complexities of protecting critical infrastructure components.

Syllabus

Intro
Process Automation
What do we do with much more complex control loops?
Background on Siemens PLCs Market Share
S7-1200 v4 PLC hardware - SoC Decap
S7-1200 v4 Closer Look
M25P40 / Serial Flash Embedded Memory (bootloader)
D X-Ray Tomography
Siemens Bootloader, Startup Process
Siemens AG ADONIS RTOS Components
CoreSight in Siemens PLCs
Background on CoreSight
ARM CoreSight Sources
CoreSight in Siemens S7 PLC
Siemens Firmware Dump
Execution Mode Stack in S7-1200 v4
ADONIS MPU Configuration at 0x00040084
Siemens Firmware Boot Process
ADONIS Kernel
ADONIS File System
ADONIS TCP/IP Stack
Firmware Update Process On S7 PLC
Decompressed Firmware Update File Structure
MiniWeb Scripting Language (MWSL)
Special Access Feature
0x80 Handler, Update Mode Function
Siemens S7-1200/S7-200 SMART Bootloader Arbitrary Code Execution
Siemens S7-1200 PLC Bootloader Arbitrary Code Execution
Stager Payload
DEMO
Ideas for Injecting Custom Code into the Firmware
What else is out there?
Conclusions
Questions?


Taught by

media.ccc.de
