Saumil Shah, profile picture
Uploaded bySaumil Shah
25,581 views

Introducing ARM-X

This document introduces ARM-X, an ARM firmware emulation framework being developed by Saumil Shah. The goals of ARM-X include creating an IoT virtual machine to enable runtime analysis, reverse engineering, fuzzing, and exploit development of IoT devices. It discusses challenges with emulating IoT device firmware using QEMU and matching the kernel and drivers to the actual device. Extraction of firmware from IoT devices directly from flash memory or via hidden UART interfaces and serial consoles is also covered. A preview release of ARM-X is announced for October 23, 2019.

Software
Related topics:
Information Security

Embed presentation

NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE Introducing ARM-X Saumil Shah @therealsaumil 16 October 2019
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE # WHO AM I Saumil Shah CEO, Net Square @therealsaumil educating, entertaining and exasperating audiences since 1999
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE Introducing ARM-X • An ARM Firmware Emulation Framework. • Ultimate Goal - create an IoT VM! • A Virtual IoT device makes for easy – runtime analysis – reverse engineering – fuzzing – exploit development • Great insight into embedded hardware by trying to emulate it.
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE Take a look at an IoT device...
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG UART SPI ...it is a special computer...
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram init scripts Services Apps libnvram Emulation: Goals and Challenges x x x x BUILDROOT Match the kernel with the one on the device chroot environment Implemented as an INI file, preloaded before "boot up" conf conf Fix to match QEMU environment Not all drivers load successfully
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel The ARM-X Startup Process
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram Emulation: Goals and Challenges conf conf
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram init scripts libnvram Emulation: Goals and Challenges conf conf
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram init scripts Services Apps libnvram Emulation: Goals and Challenges x x x x conf conf
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE Obtaining the Firmware Firmware rootfs Firmware .bin file rootfs+nvram Serial Console Direct from Flash memory
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE 1: Web/FTP site
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE 2: Hidden UART interfaces Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE Serial Console - working
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE Finished Serial Port Projects
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage" dd if=/dev/mtdblock8 …
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE 3: Take it directly from the chip!
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE DEMO TIME!
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE WATCH THIS SPACE Downloads: https://armx.exploitlab.net/ ! Announcements: @therealsaumil Expect PREVIEW RELEASE 23 October 2019
NETSQUARE (c) SAUMIL SHAHHITB Cyberweek 2019 UAE Thank you and … QUESTIONS? @therealsaumil 16 October 2019

More Related Content

PPTX
リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜
byYugo Shimizu
 
PPTX
冬のLock free祭り safe
byKumazaki Hiroki
 
PDF
12 分くらいで知るLuaVM
byYuki Tamura
 
PDF
FPGA+SoC+Linux実践勉強会資料
by一路 川染
 
PDF
Docker Meetup at Docker HQ: Docker Cloud
byDocker, Inc.
 
PDF
C/C++プログラマのための開発ツール
byMITSUNARI Shigeo
 
PDF
ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
PDF
OpenShift Meetup #5 OperatorとOperator Lifecycle Manager(OLM)の概要とデモ
byAkiyoshiYonekura
 
リアルタイムサーバー 〜Erlang/OTPで作るPubSubサーバー〜
byYugo Shimizu
 
冬のLock free祭り safe
byKumazaki Hiroki
 
12 分くらいで知るLuaVM
byYuki Tamura
 
FPGA+SoC+Linux実践勉強会資料
by一路 川染
 
Docker Meetup at Docker HQ: Docker Cloud
byDocker, Inc.
 
C/C++プログラマのための開発ツール
byMITSUNARI Shigeo
 
ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
OpenShift Meetup #5 OperatorとOperator Lifecycle Manager(OLM)の概要とデモ
byAkiyoshiYonekura
 

What's hot

PDF
Android binder introduction
byDerek Fang
 
PDF
20分くらいでわかった気分になれるC++20コルーチン
byyohhoy
 
PDF
Linux KVM環境におけるGPGPU活用最新動向
byTaira Hajime
 
PDF
Qemu device prototyping
byYan Vugenfirer
 
PDF
Binderのはじめの一歩とAndroid
byl_b__
 
PDF
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
PPTX
Polyphony の行く末(2018/3/3)
byryos36
 
PDF
The Linux Block Layer - Built for Fast Storage
byKernel TLV
 
PDF
[Container Runtime Meetup] runc & User Namespaces
byAkihiro Suda
 
PDF
Rules to Hack By - Offensivecon 2022 keynote
byMarkDowd13
 
PDF
Automation with ansible
byKhizer Naeem
 
PDF
C++ マルチスレッドプログラミング
byKohsuke Yuasa
 
PDF
Comparing Next-Generation Container Image Building Tools
byAkihiro Suda
 
PDF
OpenStack Watcher
byopenstackindia
 
PDF
10GbE時代のネットワークI/O高速化
byTakuya ASADA
 
PDF
Interpreter, Compiler, JIT from scratch
byNational Cheng Kung University
 
PDF
プログラムを高速化する話Ⅱ 〜GPGPU編〜
by京大 マイコンクラブ
 
PDF
DevConf 2014 Kernel Networking Walkthrough
byThomas Graf
 
PDF
規格書で読むC++11のスレッド
byKohsuke Yuasa
 
PPTX
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
byVietnam Open Infrastructure User Group
 
Android binder introduction
byDerek Fang
 
20分くらいでわかった気分になれるC++20コルーチン
byyohhoy
 
Linux KVM環境におけるGPGPU活用最新動向
byTaira Hajime
 
Qemu device prototyping
byYan Vugenfirer
 
Binderのはじめの一歩とAndroid
byl_b__
 
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
Polyphony の行く末(2018/3/3)
byryos36
 
The Linux Block Layer - Built for Fast Storage
byKernel TLV
 
[Container Runtime Meetup] runc & User Namespaces
byAkihiro Suda
 
Rules to Hack By - Offensivecon 2022 keynote
byMarkDowd13
 
Automation with ansible
byKhizer Naeem
 
C++ マルチスレッドプログラミング
byKohsuke Yuasa
 
Comparing Next-Generation Container Image Building Tools
byAkihiro Suda
 
OpenStack Watcher
byopenstackindia
 
10GbE時代のネットワークI/O高速化
byTakuya ASADA
 
Interpreter, Compiler, JIT from scratch
byNational Cheng Kung University
 
プログラムを高速化する話Ⅱ 〜GPGPU編〜
by京大 マイコンクラブ
 
DevConf 2014 Kernel Networking Walkthrough
byThomas Graf
 
規格書で読むC++11のスレッド
byKohsuke Yuasa
 
Room 1 - 7 - Lê Quốc Đạt - Upgrading network of Openstack to SDN with Tungste...
byVietnam Open Infrastructure User Group
 

Similar to Introducing ARM-X

PDF
INSIDE ARM-X - Countermeasure 2019
bySaumil Shah
 
PDF
INSIDE ARM-X Cansecwest 2020
bySaumil Shah
 
PDF
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
PDF
Announcing ARMX Docker - DC11332
bySaumil Shah
 
PDF
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
bySaumil Shah
 
PDF
Develop Your Own Operating Systems using Cheap ARM Boards
byNational Cheng Kung University
 
PDF
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
byThe Linux Foundation
 
PPTX
Kernel modules
byElmàgic Àlàâ
 
PDF
Embedded Linux
byShiraz LUG
 
PDF
RDMA on ARM
byinside-BigData.com
 
PPTX
04-ARM mbed IOT Device Introduction.pptx
byMohammed Moufti
 
PDF
HackLU 2018 Make ARM Shellcode Great Again
bySaumil Shah
 
PDF
Linaro connect : Introduction to Xen on ARM
byThe Linux Foundation
 
PDF
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
byPriyanka Aash
 
PDF
Dec.20.2019, Arduino based on Mbed os
byDaniel Lee
 
PPT
Lemay jin-reddy-schoudel
byxu3stones
 
PDF
Linux for embedded_systems
byVandana Salve
 
PDF
ARM Polyglot Shellcode - HITB2019AMS
bySaumil Shah
 
PDF
Building
bySatpal Parmar
 
PDF
International Journal of Computational Engineering Research(IJCER)
byijceronline
 
INSIDE ARM-X - Countermeasure 2019
bySaumil Shah
 
INSIDE ARM-X Cansecwest 2020
bySaumil Shah
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
bySaumil Shah
 
Announcing ARMX Docker - DC11332
bySaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
bySaumil Shah
 
Develop Your Own Operating Systems using Cheap ARM Boards
byNational Cheng Kung University
 
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...
byThe Linux Foundation
 
Kernel modules
byElmàgic Àlàâ
 
Embedded Linux
byShiraz LUG
 
RDMA on ARM
byinside-BigData.com
 
04-ARM mbed IOT Device Introduction.pptx
byMohammed Moufti
 
HackLU 2018 Make ARM Shellcode Great Again
bySaumil Shah
 
Linaro connect : Introduction to Xen on ARM
byThe Linux Foundation
 
It's Assembler, Jim, but not as we know it: (ab)using binaries from embedded ...
byPriyanka Aash
 
Dec.20.2019, Arduino based on Mbed os
byDaniel Lee
 
Lemay jin-reddy-schoudel
byxu3stones
 
Linux for embedded_systems
byVandana Salve
 
ARM Polyglot Shellcode - HITB2019AMS
bySaumil Shah
 
Building
bySatpal Parmar
 
International Journal of Computational Engineering Research(IJCER)
byijceronline
 

More from Saumil Shah

PDF
The Hand That Strikes, Also Blocks
bySaumil Shah
 
PDF
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
bySaumil Shah
 
PDF
Precise Presentations
bySaumil Shah
 
PDF
Effective Webinars: Presentation Skills for a Virtual Audience
bySaumil Shah
 
PDF
Cyberspace And Security - India's Decade Ahead
bySaumil Shah
 
PDF
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
bySaumil Shah
 
PDF
NSConclave2020 The Decade Behind And The Decade Ahead
bySaumil Shah
 
PDF
Cybersecurity In India - The Decade Ahead
bySaumil Shah
 
PDF
The Road To Defendable Systems - Emirates NBD
bySaumil Shah
 
PDF
The CISO's Dilemma 44CON 2019
bySaumil Shah
 
PDF
The CISO's Dilemma HITBGSEC2019
bySaumil Shah
 
PDF
Schrödinger's ARM Assembly
bySaumil Shah
 
PDF
What Makes a Compelling Photograph
bySaumil Shah
 
PDF
Make ARM Shellcode Great Again - HITB2018PEK
bySaumil Shah
 
PDF
Make ARM Shellcode Great Again
bySaumil Shah
 
PDF
Cross Border Cyber Attacks: Impact on Digital Sovereignty
bySaumil Shah
 
PDF
The Seven Axioms of Security - ITWeb 2017
bySaumil Shah
 
PDF
Redefining Defense - HITB2017AMS Keynote
bySaumil Shah
 
PDF
The Seven Axioms Of Security
bySaumil Shah
 
PDF
Hack.LU - The Infosec Crossroads
bySaumil Shah
 
The Hand That Strikes, Also Blocks
bySaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
bySaumil Shah
 
Precise Presentations
bySaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
bySaumil Shah
 
Cyberspace And Security - India's Decade Ahead
bySaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
bySaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
bySaumil Shah
 
Cybersecurity In India - The Decade Ahead
bySaumil Shah
 
The Road To Defendable Systems - Emirates NBD
bySaumil Shah
 
The CISO's Dilemma 44CON 2019
bySaumil Shah
 
The CISO's Dilemma HITBGSEC2019
bySaumil Shah
 
Schrödinger's ARM Assembly
bySaumil Shah
 
What Makes a Compelling Photograph
bySaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
bySaumil Shah
 
Make ARM Shellcode Great Again
bySaumil Shah
 
Cross Border Cyber Attacks: Impact on Digital Sovereignty
bySaumil Shah
 
The Seven Axioms of Security - ITWeb 2017
bySaumil Shah
 
Redefining Defense - HITB2017AMS Keynote
bySaumil Shah
 
The Seven Axioms Of Security
bySaumil Shah
 
Hack.LU - The Infosec Crossroads
bySaumil Shah
 

Recently uploaded

PDF
Figma systems development services
bydavidjohansen1597
 
PDF
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
PDF
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
PDF
Own Your Domain Before It Owns You - Domain Driven Design for Pragmaticians
byPosedio GmbH
 
PDF
Visualizing Your Data Lake with Grafana - Amsterdam
byImma Valls Bernaus
 
PDF
LogiNext Media Kit & Company Overview 2025
bydhrutipatelk5617
 
PDF
SLIDE PROPARTNER SUMMIT 2025 - ITALY.pdf
bygiuo
 
PDF
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
PDF
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
PDF
Smart ways to se AI in your business , presentation
byAI n Dot Net
 
PDF
LogiNext Media Kit & Company Overview 2025
bynidhisharmaq7184
 
PDF
How to find your event photos instantly with a selfie using SnapSeek
bySnapSeek.app
 
PDF
LogiNext Media Kit & Company Overview 2025
bysanikaroy72
 
PDF
Introducing MySQL HeatWave Migration Assistant
byAlexander Hitrov
 
PDF
Accelerating Data Validation with QuerySurge AI
byRTTS
 
PDF
LogiNext Media Kit & Company Overview 2025
byswatishahz9031
 
PDF
Pet Care Service App Development Company
byV3CUBE TECHNOLABS
 
PPTX
Windows File System Monitoring Tool Using C and C++
byAkshay Muley
 
PDF
Physiotherapist App Development for Modern Rehabilitation
byV3CUBE TECHNOLABS
 
PPTX
Applicius Technologies: Full Service Overview for Branding, SEO, Web & App De...
byappliciustech
 
Figma systems development services
bydavidjohansen1597
 
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
Own Your Domain Before It Owns You - Domain Driven Design for Pragmaticians
byPosedio GmbH
 
Visualizing Your Data Lake with Grafana - Amsterdam
byImma Valls Bernaus
 
LogiNext Media Kit & Company Overview 2025
bydhrutipatelk5617
 
SLIDE PROPARTNER SUMMIT 2025 - ITALY.pdf
bygiuo
 
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
Smart ways to se AI in your business , presentation
byAI n Dot Net
 
LogiNext Media Kit & Company Overview 2025
bynidhisharmaq7184
 
How to find your event photos instantly with a selfie using SnapSeek
bySnapSeek.app
 
LogiNext Media Kit & Company Overview 2025
bysanikaroy72
 
Introducing MySQL HeatWave Migration Assistant
byAlexander Hitrov
 
Accelerating Data Validation with QuerySurge AI
byRTTS
 
LogiNext Media Kit & Company Overview 2025
byswatishahz9031
 
Pet Care Service App Development Company
byV3CUBE TECHNOLABS
 
Windows File System Monitoring Tool Using C and C++
byAkshay Muley
 
Physiotherapist App Development for Modern Rehabilitation
byV3CUBE TECHNOLABS
 
Applicius Technologies: Full Service Overview for Branding, SEO, Web & App De...
byappliciustech
 

Introducing ARM-X

  • 1.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE Introducing ARM-X Saumil Shah @therealsaumil 16 October 2019
  • 2.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE # WHO AM I Saumil Shah CEO, Net Square @therealsaumil educating, entertaining and exasperating audiences since 1999
  • 3.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE Introducing ARM-X • An ARM Firmware Emulation Framework. • Ultimate Goal - create an IoT VM! • A Virtual IoT device makes for easy – runtime analysis – reverse engineering – fuzzing – exploit development • Great insight into embedded hardware by trying to emulate it.
  • 4.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE
  • 5.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE
  • 6.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE Take a look at an IoT device...
  • 7.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG UART SPI ...it is a special computer...
  • 8.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
  • 9.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram init scripts Services Apps libnvram Emulation: Goals and Challenges x x x x BUILDROOT Match the kernel with the one on the device chroot environment Implemented as an INI file, preloaded before "boot up" conf conf Fix to match QEMU environment Not all drivers load successfully
  • 10.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel The ARM-X Startup Process
  • 11.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE
  • 12.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE
  • 13.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram Emulation: Goals and Challenges conf conf
  • 14.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE
  • 15.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE
  • 16.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram init scripts libnvram Emulation: Goals and Challenges conf conf
  • 17.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE
  • 18.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram init scripts Services Apps libnvram Emulation: Goals and Challenges x x x x conf conf
  • 19.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE
  • 20.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE Obtaining the Firmware Firmware rootfs Firmware .bin file rootfs+nvram Serial Console Direct from Flash memory
  • 21.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE 1: Web/FTP site
  • 22.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE 2: Hidden UART interfaces Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
  • 23.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
  • 24.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE Serial Console - working
  • 25.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE Finished Serial Port Projects
  • 26.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage" dd if=/dev/mtdblock8 …
  • 27.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE 3: Take it directly from the chip!
  • 28.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE DEMO TIME!
  • 29.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE WATCH THIS SPACE Downloads: https://armx.exploitlab.net/ ! Announcements: @therealsaumil Expect PREVIEW RELEASE 23 October 2019
  • 30.
    NETSQUARE (c) SAUMILSHAHHITB Cyberweek 2019 UAE Thank you and … QUESTIONS? @therealsaumil 16 October 2019