INSIDE ARM-X - Countermeasure 2019

Saumil Shah, CEO and Founder, Net Square
NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

INSIDE ARM-X
SAUMIL SHAH
@therealsaumil
7 November 2019
COUNTERMEASURE|2019
# WHO AM I
Saumil Shah
CEO, Net Square
@therealsaumil
educating, entertaining and exasperating audiences since 1999
Introducing ARM-X
• An ARM Firmware Emulation Framework.
• Ultimate Goal - create an IoT VM!
• A Virtual IoT device makes for easy
  – runtime analysis
  – reverse engineering
  – fuzzing
  – exploit development
• Great insight into embedded hardware by trying to emulate it.

Inside an IoT device…
…same same but different
[Diagram: the layers of an IoT device, bottom to top: CPU and Hardware; Kernel; Drivers; File System; nvram; User Processes; API; UI; with libnvram sitting between nvram and the user processes]
The IoT Boot Up Process
[Diagram: POWER ON → firmware (Boot Loader, compressed FS, CPU) → Kernel and ramdisk (mounted FS, nvram) → userland (init scripts, conf files, Services, Apps, libnvram) → READY]
POWER ON
firmware:
• Loads Kernel.
• Uncompresses FS to ramdisk, invokes init process.
ramdisk / userland:
• Reads config from nvram.
• Builds system config files on the fly.
• Starts up system services.
• Invokes Applications and Application services.
READY
Emulation: Goals and Challenges
[Diagram: the device stack rebuilt under QEMU: CPU and Limited Hardware (QEMU); Kernel (BUILDROOT); Drivers; uncompressed Filesystem; emulated nvram; init scripts and conf files; Services; Apps; libnvram; four layers marked x]
• CPU and hardware: provided by QEMU, with limited hardware.
• Kernel: built with BUILDROOT; match the kernel with the one on the device.
• Drivers: not all drivers load successfully.
• Filesystem: uncompressed, run in a chroot environment.
• nvram: emulated, implemented as an INI file, preloaded before "boot up".
• init scripts and conf files: fix to match the QEMU environment.
ARM-X Architecture

Starting an ARM-X device

2 - Booting the device Kernel
[Diagram: QEMU (CPU and Limited Hardware) running the Kernel; "Kernel and hostfs ready"; hostfs: NFS /armx]

3 - ARM-X Userland

4 - nvram and userland init
[Diagram: QEMU (CPU and Limited Hardware); Kernel; Drivers; NFS /armx; emulated nvram; init scripts and conf files; libnvram; caption "nvram and userland init scripts"]

ARM-X: Device "booted up"
[Diagram: the full stack running: QEMU (CPU and Limited Hardware); Kernel; Drivers; NFS /armx; emulated nvram; init scripts and conf files; Services; Apps; libnvram; four layers marked x]

5 - ARM-X hostfs/debug Shell
How to add a new device to ARM-X
[Diagram: BUILDROOT and the Firmware image are the two inputs for a new device]

Obtaining the Firmware
[Diagram: three sources of firmware: Firmware .bin file (gives the rootfs); Serial Console (gives rootfs + nvram); Direct from Flash memory]

1: Web/FTP site

2: Hidden UART interfaces
[Photo: UART header pins labelled Vcc (+3.3V), GND, TX/RX, GND]

Serial Console - working
Firmware Extraction

# cat /proc/partitions
major minor  #blocks  name
  31     0        256 mtdblock0
  31     1         64 mtdblock1
  31     2         64 mtdblock2
  31     3       1472 mtdblock3
  31     4        128 mtdblock4
  31     5         64 mtdblock5
  31     6       2048 mtdblock6
  31     7      32768 mtdblock7
  31     8      30975 mtdblock8
  31     9     131072 mtdblock9
  31    10      98304 mtdblock10

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"

dd if=/dev/mtdblock8 …
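As an added example (not ARM-X's own code and not from the slides), here is a small POSIX shell helper that turns the two listings above into a checked dd command: it resolves a partition name to its mtd index, confirms the mtdN and mtdblockN entries agree on size, and prefers the character device so the dump is exactly the partition length. The sample listings are copied from the slide; the script name and the output path /tmp/NAME.bin are assumptions.

```shell
#!/bin/sh
# Added example, not ARM-X's own code: find an MTD partition by name in the
# /proc/mtd listing, cross-check it against /proc/partitions, and print the dd
# command that dumps it. /proc/mtd gives sizes as hex bytes; /proc/partitions
# gives #blocks in 1 KiB units for the mtdblock device, which is rounded down
# to whole 512-byte sectors, so the two only agree after conversion.

# Constructed sample input: the listings shown on the slides, embedded so the
# script runs offline. On the device itself use "$(cat /proc/mtd)" and
# "$(cat /proc/partitions)" instead.
PROC_MTD='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"'

PROC_PARTITIONS='major minor  #blocks  name
  31     0        256 mtdblock0
  31     1         64 mtdblock1
  31     2         64 mtdblock2
  31     3       1472 mtdblock3
  31     4        128 mtdblock4
  31     5         64 mtdblock5
  31     6       2048 mtdblock6
  31     7      32768 mtdblock7
  31     8      30975 mtdblock8
  31     9     131072 mtdblock9
  31    10      98304 mtdblock10'

# mtd_lookup NAME -> "INDEX SIZE_BYTES ERASESIZE_BYTES", empty if NAME is absent
mtd_lookup() {
    printf '%s\n' "$PROC_MTD" | while read -r dev size erase name; do
        [ "$name" = "\"$1\"" ] || continue
        idx=${dev#mtd}
        echo "${idx%:} $((0x$size)) $((0x$erase))"
    done
}

# partition_kblocks INDEX -> #blocks /proc/partitions reports for mtdblockINDEX
partition_kblocks() {
    printf '%s\n' "$PROC_PARTITIONS" | awk -v dev="mtdblock$1" '$4 == dev { print $3 }'
}

# check_consistent NAME -> true when mtdN and mtdblockN describe the same
# partition, i.e. floor(SIZE_BYTES / 1024) equals #blocks. A mismatch means the
# index you are about to dump is not the partition you think it is.
check_consistent() {
    set -- $(mtd_lookup "$1")
    [ $# -eq 3 ] || return 1
    [ "$(( $2 / 1024 ))" -eq "$(partition_kblocks "$1")" ]
}

# dump_cmd NAME -> the dd command line to run on the device. It reads the
# character device /dev/mtdN: that returns exactly SIZE_BYTES, whereas a
# partition whose size is not a multiple of 512 (rootfs above, 0x01e3ffa0)
# loses its last partial sector when read through /dev/mtdblockN.
dump_cmd() {
    name=$1
    set -- $(mtd_lookup "$name")
    [ $# -eq 3 ] || { echo "no MTD partition named \"$name\"" >&2; return 1; }
    echo "dd if=/dev/mtd$1 of=/tmp/$name.bin bs=$3"
}

if [ -n "${1:-}" ]; then      # usage: sh mtd_dump_plan.sh rootfs
    check_consistent "$1" || echo "# warning: mtd/mtdblock sizes disagree for $1" >&2
    dump_cmd "$1"
fi
```

On a device whose /tmp is a small tmpfs, point the output at the NFS-mounted hostfs (or pipe dd over the network) rather than RAM.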
3: Take it directly from the chip!

DEMO TIME!

HERE BE THE GOODS
Downloads: https://armx.exploitlab.net/
Announcements: @therealsaumil
IP Camera CTF Challenge - blog.exploitlab.net

Thank you
and … QUESTIONS?
@therealsaumil
COUNTERMEASURE|2019