
ARM IoT Firmware Emulation Workshop

Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.

In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.

The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.


  1. NETSQUARE (c) SAUMIL SHAH – The ARM Exploit Laboratory – 44CON 2018
     ARM IoT FIRMWARE EMULATION WORKSHOP
     Saumil Shah, @therealsaumil, 12 September 2018
  2. # who am i
     • CEO Net-square.
     • Hacker, Speaker, Trainer, Author.
     • M.S. Computer Science, Purdue University.
     • LinkedIn: saumilshah
     • Twitter: @therealsaumil
  3. Objective
     • Extract the firmware from an IoT device.
     • Emulate the firmware in QEMU.
     • "Boot up" the virtual device.
     • Debugging, testing and fuzzing environment.
  4. Case Study: DLINK DIR-880L
  5. Setup
     • armplayer2.zip - VMware image
     • dir880_mtdblocks.zip - firmware blobs
     • dir880_minicom.txt - console msgs
     • static_arm_bins.zip - fun t00lz
     • Extract the VM and start it up.
     • You need SSH/SCP on your laptop.
  6. Lab Virtual Machine
     All passwords are "exploitlab" :) Yes, you may write it down.
  7. Lab access
     • armplayer host: SSH to port 2222, username: exploitlab
     • QEMU ARMv7: SSH to port 22, username: root
  8. Pentesting Embedded ARM / ARM IoT Devices
  9. (image only)
  10. Take a look at an IoT device...
  11. ...it is a special computer...
     Diagram layers: CPU and Hardware; Kernel, Drivers; File System, nvram; User Processes, API, UI; libnvram.
     Hardware interfaces JTAG, RS 232 and SPI are marked as not accessible.
  12. ...with "special" vulnerabilities
     The same layers, annotated with: Authentication Bypass, Insecure Direct Obj Ref, File Retrieval, Remote Command Exec, Memory Corruption, Buffer Overflows, Backdoors, Default Passwords, Hidden Paths.
  13. The IoT Boot Up Process
     POWER ON → Boot Loader loads the Kernel from the firmware → Kernel uncompresses the FS to a ramdisk and invokes the init process → userland init scripts read config from nvram (libnvram), build system config files (conf) on the fly and start up system services → Applications and application services are invoked → READY.
  14. Obtaining the Firmware
     • Download the firmware files from the device update website.
       – binwalk
     • Find the UART pins on the device's board, solder and connect via serial console.
       – Extract the firmware via shell over serial console.
     • Direct hardware level extraction.
  15. Serial Console
     • Most devices run a privileged shell on serial console.
     • Kernel boot arguments:
       root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
     • Getting firmware from a shell is easy...
     • ...finding the serial port is a challenge :)
  16. Discovering the UART pins
     • Usually unsoldered.
     • Identify candidate pins.
     • Test for Vcc (+3.3V) and GND.
     • Test for TX, RX.
     • Important pins – TX, RX, GND.
  17. Discovering UART pins (board photo): possible UART pins; false positive.
  18. Discovering UART pins (board photo): second possibility.
  19. Testing Voltages (board photo): Vcc (+3.3V), GND. GND runs throughout the board.
  20. Testing Voltages (board photo): Vcc (+3.3V), GND. The other two pins have to be TX, RX. Verify continuity across GND.
  21. Serial Console wiring
     Device GND, TX, RX ↔ adapter GND, TX, RX (Vcc shown on the device side).
     minicom: Serial Port = /dev/ttyUSB0, 115200 baud, 8N1
  22. Serial Console - working (screenshot)
  23. Finished Serial Port Projects (photos)
  24. Firmware Extraction
     # cat /proc/partitions
     major minor  #blocks  name
        31     0      256 mtdblock0
        31     1       64 mtdblock1
        31     2       64 mtdblock2
        31     3     1472 mtdblock3
        31     4      128 mtdblock4
        31     5       64 mtdblock5
        31     6     2048 mtdblock6
        31     7    32768 mtdblock7
        31     8    30975 mtdblock8
        31     9   131072 mtdblock9
        31    10    98304 mtdblock10
     # cat /proc/cmdline
     root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u-boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram),2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m@32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
     # cat /proc/mtd
     dev:    size   erasesize  name
     mtd0: 00040000 00010000 "u-boot"
     mtd1: 00010000 00010000 "devconf"
     mtd2: 00010000 00010000 "devdata"
     mtd3: 00170000 00010000 "mydlink"
     mtd4: 00020000 00010000 "langpack"
     mtd5: 00010000 00010000 "nvram"
     mtd6: 00200000 00010000 "flash"
     mtd7: 02000000 00020000 "upgrade"
     mtd8: 01e3ffa0 00020000 "rootfs"
     mtd9: 08000000 00020000 "nflash"
     mtd10: 06000000 00020000 "storage"
  25. New vs Legacy Memory Layout
     • New Layout (/proc/sys/vm/legacy_va_layout = 0): Binary 0x00008000, Heap, Lib, Lib 0xb6f00000, Stack 0xbefdf000, 0xbf000000
     • Legacy Layout (/proc/sys/vm/legacy_va_layout = 1): Binary 0x00008000, Heap, Lib, Lib 0x40000000, Stack 0xbefdf000, 0xbf000000
  26. QEMU ARM Kernel: Emulator Driven Test Bench
     • QEMU ARM kernel with its own proc, sys, dev, etc, bin.
     • squashfs-root chroot environment with proc, sys, dev, etc, bin; runs init, system services and user processes.
     • nvram config (ini file) served through an nvram shim.
     • gdb server, multiarch gdb.
  27. Extract the rootfs
  28. rsync rootfs to ARM QEMU
  29. chroot the rootfs in QEMU
     • Setup commands for binding /proc, /sys and /dev and running chroot.
     • Kick off the init scripts.
  30. The virtual router "boots up"
  31. SUCCESS!
  32. THANK YOU!
     Saumil Shah, @therealsaumil, saumil@net-square.com, LinkedIn: saumilshah
     Follow us on Twitter for: updates, new classes, on-site training announcements
     Blog: http://blog.exploitlab.net
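Working through the /proc output on the Firmware Extraction slide (slide 24), as an added example that is not part of the workshop materials: it pairs the /proc/mtd listing with the root= kernel argument and emits the dd line for dumping a partition from the serial shell. The function names are assumptions; the listing and cmdline are the ones on the slide.

```shell
#!/bin/sh
# Added example, not part of the workshop materials: match the /proc/mtd
# listing captured on the DIR-880L console against the root= kernel argument
# and build the dd command for dumping a partition from the serial shell.
# Function names are assumptions; cmdline is trimmed to the fields used here.
PROC_MTD='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"'
CMDLINE='root=/dev/mtdblock8 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug'

# Print "mtdN SIZE ERASESIZE" in decimal bytes for the partition called NAME.
# /proc/mtd lists sizes in hex; printf %d accepts them with a 0x prefix.
mtd_find() {
    while read -r dev size erase name; do
        if [ "$name" = "\"$1\"" ]; then
            printf '%s %d %d\n' "${dev%:}" "0x$size" "0x$erase"
            return 0
        fi
    done <<EOF
$PROC_MTD
EOF
    return 1
}

# Which mtd device the kernel mounts as /, taken from root=/dev/mtdblockN.
root_mtd() {
    for arg in $CMDLINE; do
        case "$arg" in
            root=/dev/mtdblock*) printf 'mtd%s\n' "${arg#root=/dev/mtdblock}"; return 0 ;;
        esac
    done
    return 1
}
# dd line to run on the device. Read the raw /dev/mtdN character device: it
# returns all 0x01e3ffa0 bytes of rootfs, whereas /dev/mtdblock8 is truncated
# to whole 512-byte sectors (hence the 30975 1K blocks in /proc/partitions).
dump_cmd() {
    info=$(mtd_find "$1") || return 1
    set -- "$1" $info                       # NAME mtdN SIZE ERASESIZE
    printf 'dd if=/dev/%s of=/tmp/%s.bin bs=%s\n' "$2" "$1" "$4"
}
```

Running `dump_cmd "$(root_mtd | sed 's/^mtd/rootfs/')"` is not needed: `root_mtd` tells you which device to dump and `dump_cmd rootfs` produces the command for it.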
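For the chroot step on slide 29, an added script that is not the workshop's own: it binds /proc, /sys and /dev into the extracted rootfs inside the ARM QEMU guest and hands control to its init script, after checking that the rootfs really contains ARM binaries. DRY_RUN, the function names and the bin/busybox default are assumptions.

```shell
#!/bin/sh
# Added example, not the workshop's own script: bind /proc, /sys and /dev
# into an extracted rootfs inside the ARM QEMU guest and hand control to
# its init script, after checking that the rootfs really is ARM code.
# Function names, DRY_RUN and the bin/busybox default are assumptions.

# With DRY_RUN=1 the privileged commands are printed instead of executed,
# so the sequence can be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ELF e_machine (bytes 18-19, little-endian) of FILE as hex: 2800 is EM_ARM,
# 0800 is EM_MIPS. Refuses symlinks, since an absolute symlink such as
# /bin/sh -> /bin/busybox would resolve against the host, not the rootfs.
elf_machine() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    od -An -tx1 -j18 -N2 "$1" | tr -d ' \n'
}

# emulate_rootfs ROOT [INIT] [ELF]: ROOT is the extracted squashfs-root,
# INIT the path inside it to start (the DIR-880L cmdline says
# init=/sbin/preinit), ELF a regular binary inside ROOT used for the
# architecture check.
emulate_rootfs() {
    root=$1; init=${2:-/sbin/preinit}; elf=${3:-bin/busybox}
    [ -d "$root" ] || { echo "no rootfs at $root" >&2; return 1; }
    [ -x "$root$init" ] || { echo "$init missing in rootfs" >&2; return 1; }
    m=$(elf_machine "$root/$elf") || { echo "$elf unreadable" >&2; return 1; }
    [ "$m" = "2800" ] || { echo "$elf is not ARM (e_machine $m)" >&2; return 1; }
    for d in proc sys dev; do
        run mount -o bind "/$d" "$root/$d" || return 1
    done
    # The init scripts rebuild /etc from nvram and start the services; in
    # the guest those nvram calls are answered by the shim, not real flash.
    run chroot "$root" "$init"
}
```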
