Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Hack.LU 2018 ARM IoT Firmware Emulation Workshop

3,672 views

Published on

Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.

In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.

The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.

Published in: Technology
  • Be the first to comment

Hack.LU 2018 ARM IoT Firmware Emulation Workshop

  1. 1. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 ARM IoT FIRMWARE EMULATION WORKSHOP Saumil Shah @therealsaumil 16 October 2018
  2. 2. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 # who am i CEO Net Square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
  3. 3. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Objectives • Extract the firmware from an IoT device. • Emulate the firmware in QEMU. • "Boot up" the virtual device. • Debugging, Testing and Fuzzing environment.
  4. 4. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Case Study DLINK DIR-880L
  5. 5. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Setup • armplayer2.zip - VMware image • dir880_mtdblocks.zip - firmware blobs • dir880_minicom.txt - console msgs • static_arm_bins.zip - fun t00lz • Extract the VM and start it up. • You will need SSH/SCP on your laptop.
  6. 6. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Lab Virtual Machine All passwords are "exploitlab" J Yes you may write it down
  7. 7. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 armplayer host SSH to port 2222 username: exploitlab QEMU ARMv7 SSH to port 22 username: root
  8. 8. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 IoT Devices - An Introduction
  9. 9. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Take a look at an IoT device...
  10. 10. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG UART SPI notaccessible ...it is a special computer...
  11. 11. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram Authentication Bypass Insecure Direct Obj Ref File Retrieval Remote Command Exec Memory Corruption Buffer Overflows Backdoors Default Passwords Hidden Paths Memory Corruption Buffer Overflows ...with "special" vulnerabilities
  12. 12. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
  13. 13. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Obtaining the Firmware • Download the firmware files from the device update website. – binwalk • Find the UART pins on the device's board, solder and connect via serial console. – Extract the firmware via shell over serial console. • Direct hardware level extraction.
  14. 14. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console • Most devices run a privileged shell on serial console. • Kernel boot arguments: • Getting firmware from a shell is easy... • ...finding the serial port is a challenge :) root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
  15. 15. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering the UART pins • Usually unsoldered. • Identify candidate pins. • Test for Vcc (+3.3V) and GND. • Test for TX, RX. • Important pins – TX, RX, GND.
  16. 16. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering UART pins Possible UART pins False Positive
  17. 17. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering UART pins Second Possibility
  18. 18. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Testing Voltages Vcc (+3.3V) GND GND runs through- out the board
  19. 19. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Testing Voltages Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
  20. 20. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
  21. 21. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console - working
  22. 22. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Finished Serial Port Projects
  23. 23. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction via Console # cat /proc/cmdline root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u- boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram), 2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m @32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage"
  24. 24. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 New vs Legacy Memory Layout Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0xb6f00000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 0 Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0x40000000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 1 New (current) Layout Legacy Layout
  25. 25. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 QEMU ARM Kernel Emulator Driven Test Bench proc sys dev etc bin squashfs-root chroot environment proc sys dev etc bin init system services user processes nvram config (ini file) nvram shim gdb server multiarch gdb
  26. 26. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Extract the rootfs
  27. 27. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 rsync rootfs to ARM QEMU
  28. 28. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 chroot the rootfs in QEMU Setup commands for binding /proc, /sys and /dev and running chroot kick off the init scripts
  29. 29. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 The virtual router "boots up"
  30. 30. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 SUCCESS!
  31. 31. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Wrapping Up • Firmware Emulation takes a LOT of exploration and trial-and-error… • …but it's worth it J • nvram interception code: https://github.com/therealsaumil/custom_nvram
  32. 32. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 THANK YOU! Saumil Shah @therealsaumil #hacklu 2018

×