Doors of Durin - The Veiled Gate to Siemens S7 Silicon

Offered By: Black Hat via YouTube

Course Description

Overview

Explore a comprehensive analysis of the security measures in Siemens S7 PLC series, focusing on firmware integrity verification and bootloader code. Delve into the intricate details of industrial automation components, examining recent attacks against Industrial Control Systems (ICS) and the S7-1200 V4 PLC hardware. Investigate the S7-1200 v4 architecture, including its SOC decapsulation, embedded memory, and 3D X-Ray tomography. Gain insights into Siemens firmware components, execution mode stack, and ADONIS MPU configuration. Understand the firmware boot process, update procedures, and undocumented HTTP handlers. Discover the special access features and primary handlers after handshake. Analyze the x80 handler, update mode function, and 0x1C primary handler. Learn about the Siemens S7-1200 PLC bootloader arbitrary code execution vulnerability. Conclude with future implications and potential areas for further research in industrial automation security.

Syllabus

Intro
Process Automation
What do we do with much more complex control loops?
Programmable Logic Controllers
Recent Attacks Against ICS
S7-1200 V4 PLC HARDWARE - SOC DECAP
S7-1200 v4 Closer Look
M25P40 Serial Flash Embedded Memory (bootloader)
S7-1200 Specs, 3D X-Ray Tomography
Siemens Firmware Components
Execution Mode Stack in S7-1200 v4
ADONIS MPU Configuration at 0x000400B4
Siemens Firmware Boot Process
ADONIS Kernel
Firmware Update Process On S7 PLC
Decompressed Firmware Update File Structure
Undocumented HTTP Handlers
Special Access Feature
Primary Handlers After Handshake
x80 Handler, Update Mode Function
0x1C Primary Handler
Siemens S7-1200 PLC Bootloader Arbitrary Code Execution
Conclusions and Future Works


Taught by

Black Hat
