Saumil Shah gives a presentation on extracting firmware from IoT devices and emulating it in QEMU. He discusses obtaining firmware by downloading it from the manufacturer's site, extracting it over a UART serial connection, or reading it directly from the flash hardware. The case study looks at a D-Link DIR-880L router. The extracted root file system is transferred to a QEMU ARM VM and chrooted to emulate the device and allow debugging and testing.
ARM IoT Firmware Emulation Workshop
1. NETSQUARE (c) SAUMIL SHAH. The ARM Exploit Laboratory – 44CON 2018
ARM IoT FIRMWARE
EMULATION WORKSHOP
Saumil Shah
@therealsaumil
12 September 2018
2. # who am i
• CEO Net-square.
• Hacker, Speaker, Trainer, Author.
• M.S. Computer Science, Purdue University.
• LinkedIn: saumilshah
• Twitter: @therealsaumil
3. Objective
• Extract the firmware from an IoT device.
• Emulate the firmware in QEMU.
• "Boot up" the virtual device.
• Debugging, Testing and Fuzzing environment.
4. Case Study: D-Link DIR-880L
5. Setup
• armplayer2.zip - VMware image
• dir880_mtdblocks.zip - firmware blobs
• dir880_minicom.txt - console msgs
• static_arm_bins.zip - fun t00lz
• Extract the VM and start it up.
• You need SSH/SCP on your laptop.
6. Lab Virtual Machine
All passwords are "exploitlab" :) Yes, you may write it down.
7.
armplayer host: SSH to port 2222, username: exploitlab
QEMU ARMv7 guest: SSH to port 22, username: root
8. Pentesting Embedded ARM
ARM IoT Devices
10. Take a look at an IoT device...
11. ...it is a special computer...
[Diagram: the device as a stack of layers: CPU and Hardware; Kernel and Drivers; File System and nvram; User Processes, API and UI, which reach nvram through libnvram. The hardware debug interfaces JTAG, RS-232 and SPI are marked "not accessible".]
12. ...with "special" vulnerabilities
[Diagram: the same layer stack annotated with the vulnerability classes found at each layer: Authentication Bypass, Insecure Direct Object Reference, File Retrieval, Remote Command Exec, Backdoors, Default Passwords, Hidden Paths, and Memory Corruption / Buffer Overflows, the last listed against two layers.]
13. The IoT Boot Up Process
POWER ON
Boot Loader: loads the kernel.
Kernel: uncompresses the compressed FS to a ramdisk, mounts it and invokes the init process.
ramdisk / userland
init scripts: read config from nvram (through libnvram), build the system config files (conf) on the fly, start up system services.
Services: invoke applications and application services.
READY
(The firmware image on flash holds the boot loader, the kernel and the compressed FS; the mounted FS is the ramdisk.)
14. Obtaining the Firmware
• Download the firmware files from the device update website.
– binwalk
• Find the UART pins on the device's board, solder and connect via serial console.
– Extract the firmware via shell over serial console.
• Direct hardware level extraction.
15. Serial Console
• Most devices run a privileged shell on the serial console.
• Kernel boot arguments:
root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
• Getting firmware from a shell is easy...
• ...finding the serial port is a challenge :)
16. Discovering the UART pins
• Usually unsoldered.
• Identify candidate pins.
• Test for Vcc (+3.3V) and GND.
• Test for TX, RX.
• Important pins – TX, RX, GND. (Vcc only identifies the header: leave it unconnected and use a 3.3V-level USB-serial adapter.)
17. Discovering UART pins
[Photo: one header marked "Possible UART pins", another marked "False Positive".]
18. Discovering UART pins
[Photo: a second candidate header, marked "Second Possibility".]
19. Testing Voltages
[Photo: Vcc (+3.3V) and GND identified on the header; GND runs throughout the board.]
20. Testing Voltages
[Photo: with Vcc (+3.3V) and GND identified, the other two pins have to be TX, RX. Verify continuity across GND.]
21. Serial Console
[Diagram: device GND -> adapter GND, device TX -> adapter RX, device RX -> adapter TX; Vcc is left unconnected.]
minicom: Serial Port = /dev/ttyUSB0, 115200 baud, 8N1
22. Serial Console - working
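Once the serial shell is up, the kernel's own boot messages tell you which /dev/mtdblockN to dump. The script below is an added example, not the workshop's code: it parses a captured console transcript (the shape of dir880_minicom.txt) for the MTD partition table and the root= boot argument, and emits the dd and md5sum commands to paste into the device's serial shell. SAMPLE_LOG is constructed to match the Linux kernel's MTD message format and is not the DIR-880L's real boot log; its partition names and offsets, and the /tmp staging path, are assumptions. Getting the dumps off the device (tftp, nc, USB) is not covered here.

```shell
#!/bin/sh
# Added example: derive /dev/mtdblockN dump commands from a serial console
# transcript. SAMPLE_LOG is CONSTRUCTED in the Linux kernel's MTD message
# format; it is not the real DIR-880L console output.
SAMPLE_LOG='Booting Linux on physical CPU 0
Kernel command line: root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
Creating 4 MTD partitions on "bcmsflash":
0x000000000000-0x000000040000 : "boot"
0x000000040000-0x000000200000 : "nvram"
0x000000200000-0x000000fe0000 : "linux"
0x000000fe0000-0x000001000000 : "config"
Freeing init memory: 180K'

# One line per partition from the log on stdin: "<index> <start> <end> <name>".
# The kernel prints each partition as   0x<start>-0x<end> : "<name>"
# (drivers/mtd/mtdpart.c) in order, so a line's position is the N in
# /dev/mtdblockN.
mtd_partitions() {
    awk '/^0x[0-9a-fA-F]+-0x[0-9a-fA-F]+ : "/ {
        split($1, range, "-")
        name = $3
        gsub(/"/, "", name)
        printf "%d %s %s %s\n", n, range[1], range[2], name
        n++
    }'
}

# The mtdblock the kernel mounts as root (root=/dev/mtdblockN on its
# command line): that partition holds the file system to emulate.
root_mtd_index() {
    sed -n 's/.*root=\/dev\/mtdblock\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Name of the root partition: cross-checks root= against the partition table.
root_partition_name() {
    log=$(cat)
    idx=$(printf '%s\n' "$log" | root_mtd_index)
    printf '%s\n' "$log" | mtd_partitions | awk -v i="$idx" '$1 == i { print $4 }'
}

# Commands to paste into the device's serial shell: dump every partition to
# /tmp (assumed to be a writable tmpfs) and hash it, so the copy pulled off
# the device can be verified against the on-device original.
mtd_dump_commands() {
    mtd_partitions | while read -r idx start end name; do
        size=$(( $end - $start ))
        printf '# /dev/mtdblock%s "%s": %d bytes\n' "$idx" "$name" "$size"
        printf 'dd if=/dev/mtdblock%s of=/tmp/mtdblock%s bs=4096\n' "$idx" "$idx"
        printf 'md5sum /tmp/mtdblock%s\n' "$idx"
    done
}

# Usage with a real transcript:  mtd_dump_commands < dir880_minicom.txt
printf '%s\n' "$SAMPLE_LOG" | mtd_dump_commands
```

The root partition is the one to feed to binwalk afterwards; comparing the md5sum printed on the device with the hash of the transferred file catches truncated or corrupted serial/network transfers before you spend time on a bad image.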
23. Finished Serial Port Projects
26. Emulator Driven Test Bench
[Diagram: a QEMU ARM kernel hosts the extracted squashfs-root as a chroot environment, with the guest kernel's proc, sys and dev bound into it alongside the rootfs's own etc and bin. Inside the chroot run init, the system services and the user processes; nvram lookups are answered by an nvram shim backed by an nvram config (ini file). A gdb server in the guest is driven from multiarch gdb outside.]
27. Extract the rootfs
28. rsync rootfs to ARM QEMU
29. chroot the rootfs in QEMU
Setup commands for binding /proc, /sys and /dev and running chroot, then kick off the init scripts.
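The chroot setup as an added example, not the workshop's own script: it checks the rsynced rootfs before binding /proc, /sys and /dev into it and chrooting to its init. The rootfs path ./squashfs-root (binwalk's default extraction directory) and the init path /sbin/preinit (from the kernel command line on slide 15) are assumptions. The ELF check is there because the check runs outside the chroot: a BusyBox init that is an absolute symlink (/sbin/preinit -> /bin/busybox) has to be resolved inside the rootfs by hand, and a rootfs built for another architecture would otherwise only fail with "cannot execute binary file" once you are inside.

```shell
#!/bin/sh
# Added example: sanity-check the rsynced rootfs and produce the bind-mount
# and chroot commands for it. Run as root inside the QEMU ARMv7 guest.
# Assumptions: the rootfs lives in ./squashfs-root (binwalk's default name)
# and its init is /sbin/preinit, as on the kernel command line shown earlier.

# Hex ELF magic of a file ("7f454c46" for an ELF).
elf_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# e_machine of a little-endian ELF as four hex digits: "0028" is ARM,
# "00b7" AArch64, "003e" x86-64, "0008" MIPS.
elf_machine() {
    od -An -tx1 -j18 -N2 "$1" | awk '{ printf "%s%s\n", $2, $1 }'
}

# Fail early on the usual chroot mistakes: missing rootfs, missing init, or
# an init built for another architecture than the guest.
check_rootfs() {
    rootfs=$1
    init=${2:-/sbin/preinit}
    target=$rootfs$init
    [ -d "$rootfs" ] || { echo "no rootfs directory: $rootfs" >&2; return 1; }
    # BusyBox inits are symlinks; an absolute link target (/bin/busybox) has
    # to be resolved inside the rootfs, not against the guest's own /bin.
    if [ -L "$target" ]; then
        link=$(readlink "$target")
        case $link in
            /*) target=$rootfs$link ;;
            *)  target=$(dirname "$target")/$link ;;
        esac
    fi
    [ -f "$target" ] || { echo "init not found: $target" >&2; return 1; }
    [ "$(elf_magic "$target")" = "7f454c46" ] || { echo "not an ELF file: $target" >&2; return 1; }
    machine=$(elf_machine "$target")
    [ "$machine" = "0028" ] || { echo "init is not ARM (e_machine 0x$machine): $target" >&2; return 1; }
}

# The setup from the slide: bind the guest's /proc, /sys and /dev into the
# rootfs, then chroot and start the firmware's init.
chroot_commands() {
    rootfs=$1
    init=${2:-/sbin/preinit}
    for fs in proc sys dev; do
        printf 'mkdir -p %s/%s\n' "$rootfs" "$fs"
        printf 'mount --bind /%s %s/%s\n' "$fs" "$rootfs" "$fs"
    done
    printf 'chroot %s %s\n' "$rootfs" "$init"
}

# Check, then execute the commands (needs root in the guest).
enter_chroot() {
    check_rootfs "$1" "$2" && chroot_commands "$1" "$2" | sh
}

# Usage inside the guest:         enter_chroot ./squashfs-root /sbin/preinit
# Preview without mounting:       chroot_commands ./squashfs-root
```

Because the guest is itself an ARMv7 Linux, no user-mode QEMU or binfmt registration is needed: the firmware's binaries run natively under the guest kernel. The nvram shim from the test-bench diagram is what init and the services would find in place of the real libnvram once inside the chroot; how it is injected (for example through LD_PRELOAD) is not shown on the slides and is left out here.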
30. The virtual router "boots up"