SlideShare a Scribd company logo

ARM IoT Firmware Emulation Workshop

Saumil Shah
Saumil Shah

Saumil Shah gives a presentation on extracting firmware from IoT devices and emulating it using QEMU. He discusses obtaining firmware by downloading from the manufacturer's site, extracting over a UART serial connection, or directly from hardware. The case study looks at a DLink DIR-880L router. The extracted firmware is transferred to a QEMU ARM VM and chrooted to emulate the device and allow debugging and testing.

Devices & Hardware
1 of 32
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 ARM IoT FIRMWARE EMULATION WORKSHOP Saumil Shah @therealsaumil 12 September 2018
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Objective • Extract the firmware from an IoT device. • Emulate the firmware in QEMU. • "Boot up" the virtual device. • Debugging, Testing and Fuzzing environment.
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Case Study DLINK DIR-880L
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Setup • armplayer2.zip - VMware image • dir880_mtdblocks.zip - firmware blobs • dir880_minicom.txt - console msgs • static_arm_bins.zip - fun t00lz • Extract the VM and start it up. • You need SSH/SCP on your laptop.
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Lab Virtual Machine All passwords are "exploitlab" J Yes you may write it down
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 armplayer host SSH to port 2222 username: exploitlab QEMU ARMv7 SSH to port 22 username: root
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Pentesting Embedded ARM ARM IoT Devices
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Take a look at an IoT device...
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible ...it is a special computer...
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible Authentication Bypass Insecure Direct Obj Ref File Retrieval Remote Command Exec Memory Corruption Buffer Overflows Backdoors Default Passwords Hidden Paths Memory Corruption Buffer Overflows ...with "special" vulnerabilities
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Obtaining the Firmware • Download the firmware files from the device update website. – binwalk • Find the UART pins on the device's board, solder and connect via serial console. – Extract the firmware via shell over serial console. • Direct hardware level extraction.
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console • Most devices run a privileged shell on serial console. • Kernel boot arguments: • Getting firmware from a shell is easy... • ...finding the serial port is a challenge :) root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering the UART pins • Usually unsoldered. • Identify candidate pins. • Test for Vcc (+3.3V) and GND. • Test for TX, RX. • Important pins – TX, RX, GND.
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Possible UART pins False Positive
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Second Possibility
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND GND runs through- out the board
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console - working
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Finished Serial Port Projects
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/cmdline root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u- boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram), 2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m @32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage"
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 New vs Legacy Memory Layout Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0xb6f00000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 0 Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0x40000000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 1 New Layout Legacy Layout
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 QEMU ARM Kernel Emulator Driven Test Bench proc sys dev etc bin squashfs-root chroot environment proc sys dev etc bin init system services user processes nvram config (ini file) nvram shim gdb server multiarch gdb
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Extract the rootfs
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 rsync rootfs to ARM QEMU
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 chroot the rootfs in QEMU Setup commands for binding /proc, /sys and /dev and running chroot kick off the init scripts
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 The virtual router "boots up"
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 SUCCESS!
NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 THANK YOU! Saumil Shah @therealsaumil saumil@net-square.com LinkedIn: saumilshah Follow us on Twitter for: updates new classes on-site training announcements Blog: http://blog.exploitlab.net

Recommended

Network Drivers
Network DriversNetwork Drivers
Network DriversAnil Kumar Pugalia
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013Wave Digitech
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader Emertxe Information Technologies Pvt Ltd
 
A practical guide to buildroot
A practical guide to buildrootA practical guide to buildroot
A practical guide to buildrootEmertxe Information Technologies Pvt Ltd
 
Embedded_Linux_Booting
Embedded_Linux_BootingEmbedded_Linux_Booting
Embedded_Linux_BootingRashila Rr
 
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIKernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIAnne Nicolas
 
Introduction to Modern U-Boot
Introduction to Modern U-BootIntroduction to Modern U-Boot
Introduction to Modern U-BootGlobalLogic Ukraine
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 

Recommended

Network Drivers
Network DriversNetwork Drivers
Network DriversAnil Kumar Pugalia
 
U-Boot presentation 2013
U-Boot presentation 2013U-Boot presentation 2013
U-Boot presentation 2013Wave Digitech
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader Emertxe Information Technologies Pvt Ltd
 
A practical guide to buildroot
A practical guide to buildrootA practical guide to buildroot
A practical guide to buildrootEmertxe Information Technologies Pvt Ltd
 
Embedded_Linux_Booting
Embedded_Linux_BootingEmbedded_Linux_Booting
Embedded_Linux_BootingRashila Rr
 
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIKernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIAnne Nicolas
 
Introduction to Modern U-Boot
Introduction to Modern U-BootIntroduction to Modern U-Boot
Introduction to Modern U-BootGlobalLogic Ukraine
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Firmadyne
FirmadyneFirmadyne
FirmadyneRedhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival GuideKernel TLV
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
U boot porting guide for SoC
U boot porting guide for SoCU boot porting guide for SoC
U boot porting guide for SoCMacpaul Lin
 
I2c drivers
I2c driversI2c drivers
I2c driversPradeep Tewani
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingHao-Ran Liu
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal BootloaderSatpal Parmar
 
Linux dma engine
Linux dma engineLinux dma engine
Linux dma enginepradeep_tewani
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationNational Cheng Kung University
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Spi drivers
Spi driversSpi drivers
Spi driverspradeep_tewani
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 
Board Bringup
Board BringupBoard Bringup
Board BringupAnil Kumar Pugalia
 
Linux Porting
Linux PortingLinux Porting
Linux PortingChamp Yen
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...Adrian Huang
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation Jiann-Fuh Liaw
 
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)Linaro
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicUnderstanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicJoseph Lu
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesortegaalfredo
 

More Related Content

What's hot

malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)shimosawa
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival GuideKernel TLV
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
U boot porting guide for SoC
U boot porting guide for SoCU boot porting guide for SoC
U boot porting guide for SoCMacpaul Lin
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingHao-Ran Liu
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal BootloaderSatpal Parmar
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device driversHoucheng Lin
 
Linux Porting
Linux PortingLinux Porting
Linux PortingChamp Yen
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...Adrian Huang
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation Jiann-Fuh Liaw
 
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)Linaro
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicUnderstanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicJoseph Lu
 

What's hot (20)

Firmadyne
FirmadyneFirmadyne
Firmadyne
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in Linux
 
Linux Initialization Process (2)
Linux Initialization Process (2)Linux Initialization Process (2)
Linux Initialization Process (2)
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival Guide
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux System
 
U boot porting guide for SoC
U boot porting guide for SoCU boot porting guide for SoC
U boot porting guide for SoC
 
I2c drivers
I2c driversI2c drivers
I2c drivers
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal Bootloader
 
Linux dma engine
Linux dma engineLinux dma engine
Linux dma engine
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux Kernel
 
Spi drivers
Spi driversSpi drivers
Spi drivers
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
 
Board Bringup
Board BringupBoard Bringup
Board Bringup
 
Linux Porting
Linux PortingLinux Porting
Linux Porting
 
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
qemu + gdb: The efficient way to understand/debug Linux kernel code/data stru...
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation
 
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
 
Understanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panicUnderstanding a kernel oops and a kernel panic
Understanding a kernel oops and a kernel panic
 

Similar to ARM IoT Firmware Emulation Workshop

Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesortegaalfredo
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersMichelle Holley
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]Mahmoud Hatem
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
20131015_demo_oshk
20131015_demo_oshk20131015_demo_oshk
20131015_demo_oshkJeff Yang
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoCodemotion
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...Codemotion
 
Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Narender Kumar
 
Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Narender Kumar
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploitsvirtualabs
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96波 董
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96波 董
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 

Similar to ARM IoT Firmware Emulation Workshop (20)

Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slides
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear Containers
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
20131015_demo_oshk
20131015_demo_oshk20131015_demo_oshk
20131015_demo_oshk
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
 
Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02
 
Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02Ironic 140622212631-phpapp02
Ironic 140622212631-phpapp02
 
Ironic
IronicIronic
Ironic
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96
 
Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96Ubuntu core on bubblegum 96
Ubuntu core on bubblegum 96
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
PNETLab.pdf
PNETLab.pdfPNETLab.pdf
PNETLab.pdf
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 

More from Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

More from Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Recently uploaded

Kwin - Trang Tải App Game Kwin68 Club Chính Thức
Kwin - Trang Tải App Game Kwin68 Club Chính ThứcKwin - Trang Tải App Game Kwin68 Club Chính Thức
Kwin - Trang Tải App Game Kwin68 Club Chính ThứcKwin68 Club
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...Amil Baba Dawood bangali
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作f3774p8b
 
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjekAIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjekpavan402055
 
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作rpb5qxou
 
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作ss846v0c
 
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfComputer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfShahdAbdElsamea2
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubaikojalkojal131
 
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Amil baba
 

Recently uploaded (9)

Kwin - Trang Tải App Game Kwin68 Club Chính Thức
Kwin - Trang Tải App Game Kwin68 Club Chính ThứcKwin - Trang Tải App Game Kwin68 Club Chính Thức
Kwin - Trang Tải App Game Kwin68 Club Chính Thức
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作
 
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjekAIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
AIMA_ch3_L2-complement.ppt kjekfkjekjfkjefkjefkjek
 
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
 
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
 
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfComputer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
 
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
 

ARM IoT Firmware Emulation Workshop

  • 1. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 ARM IoT FIRMWARE EMULATION WORKSHOP Saumil Shah @therealsaumil 12 September 2018
  • 2. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
  • 3. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Objective • Extract the firmware from an IoT device. • Emulate the firmware in QEMU. • "Boot up" the virtual device. • Debugging, Testing and Fuzzing environment.
  • 4. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Case Study DLINK DIR-880L
  • 5. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Setup • armplayer2.zip - VMware image • dir880_mtdblocks.zip - firmware blobs • dir880_minicom.txt - console msgs • static_arm_bins.zip - fun t00lz • Extract the VM and start it up. • You need SSH/SCP on your laptop.
  • 6. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Lab Virtual Machine All passwords are "exploitlab" J Yes you may write it down
  • 7. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 armplayer host SSH to port 2222 username: exploitlab QEMU ARMv7 SSH to port 22 username: root
  • 8. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Pentesting Embedded ARM ARM IoT Devices
  • 9. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018
  • 10. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Take a look at an IoT device...
  • 11. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible ...it is a special computer...
  • 12. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible Authentication Bypass Insecure Direct Obj Ref File Retrieval Remote Command Exec Memory Corruption Buffer Overflows Backdoors Default Passwords Hidden Paths Memory Corruption Buffer Overflows ...with "special" vulnerabilities
  • 13. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
  • 14. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Obtaining the Firmware • Download the firmware files from the device update website. – binwalk • Find the UART pins on the device's board, solder and connect via serial console. – Extract the firmware via shell over serial console. • Direct hardware level extraction.
  • 15. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console • Most devices run a privileged shell on serial console. • Kernel boot arguments: • Getting firmware from a shell is easy... • ...finding the serial port is a challenge :) root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
  • 16. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering the UART pins • Usually unsoldered. • Identify candidate pins. • Test for Vcc (+3.3V) and GND. • Test for TX, RX. • Important pins – TX, RX, GND.
  • 17. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Possible UART pins False Positive
  • 18. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Second Possibility
  • 19. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND GND runs through- out the board
  • 20. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
  • 21. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
  • 22. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console - working
  • 23. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Finished Serial Port Projects
  • 24. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/cmdline root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u- boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram), 2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m @32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage"
  • 25. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 New vs Legacy Memory Layout Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0xb6f00000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 0 Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0x40000000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 1 New Layout Legacy Layout
  • 26. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 QEMU ARM Kernel Emulator Driven Test Bench proc sys dev etc bin squashfs-root chroot environment proc sys dev etc bin init system services user processes nvram config (ini file) nvram shim gdb server multiarch gdb
  • 27. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Extract the rootfs
  • 28. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 rsync rootfs to ARM QEMU
  • 29. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 chroot the rootfs in QEMU Setup commands for binding /proc, /sys and /dev and running chroot kick off the init scripts
  • 30. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 The virtual router "boots up"
  • 31. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 SUCCESS!
  • 32. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 THANK YOU! Saumil Shah @therealsaumil saumil@net-square.com LinkedIn: saumilshah Follow us on Twitter for: updates new classes on-site training announcements Blog: http://blog.exploitlab.net