Saumil Shah, CEO of Net Square, introduces ARMX, an ARM firmware emulation framework aimed at creating a virtual IoT device for runtime analysis, reverse engineering, and exploit development. The document outlines the boot-up process of IoT devices, including various components like CPU, kernel drivers, and user processes, as well as the challenges of emulation. Additionally, it provides links to resources and demos associated with the ARMX project.

1. (c) SAUMIL SHAH
@DC11332
DEEP DIVE INTO
SAUMIL SHAH
@therealsaumil
15 June 2021
DC11332 meetup

2. (c) SAUMIL SHAH
@DC11332
# WHO AM I
Saumil Shah
CEO, Net Square
@therealsaumil
educating, entertaining
and exasperating
audiences since 1999

3. (c) SAUMIL SHAH
@DC11332
A Word From
Our Sponsors
KEEP
CALM
AND
NAMASTE
!

4. (c) SAUMIL SHAH
@DC11332
Introducing ARMX
• An ARM Firmware Emulation Framework.
• Ultimate Goal - create an IoT VM!
• A Virtual IoT device makes for easy
– runtime analysis
– reverse engineering
– fuzzing
– exploit development
• Gain insight into embedded hardware by
trying to emulate it.

5. (c) SAUMIL SHAH
@DC11332

6. (c) SAUMIL SHAH
@DC11332
Inside an IoT device…

7. (c) SAUMIL SHAH
@DC11332
CPU and
Hardware
Kernel
Drivers
File System
nvram
User Processes
API
UI
libnvram
…same same but different

8. (c) SAUMIL SHAH
@DC11332
compressed FS
CPU
Kernel
Boot Loader
mounted
FS
nvram
init
scripts
Services
Apps
libnvram
The IoT Boot Up Process
conf
conf
conf
conf
firmware
Loads Kernel.
Uncompresses FS to ramdisk,
invokes init process.
ramdisk
userland
Reads config from nvram.
Builds system config files on
the fly.
Starts up system services.
Invokes Applications and
Application services.
READY
POWER ON

9. (c) SAUMIL SHAH
@DC11332
QEMU
CPU and
Limited
Hardware
Kernel
Drivers
uncompressed
Filesystem
emulated
nvram
init scripts
Services
Apps
libnvram
Emulation: Goals and Challenges
x
x
x
x
BUILDROOT
Match the kernel with the
one on the device
chroot environment
Implemented as an INI file,
preloaded before "boot up"
conf
conf
Fix to match QEMU environment
Not all drivers load successfully

10. (c) SAUMIL SHAH
@DC11332
JUST RELEASED!

11. (c) SAUMIL SHAH
@DC11332
ARMX docker container

12. (c) SAUMIL SHAH
@DC11332
ARMX directory layout

13. (c) SAUMIL SHAH
@DC11332
Starting an ARMX device

14. (c) SAUMIL SHAH
@DC11332

15. (c) SAUMIL SHAH
@DC11332
QEMU
CPU and
Limited
Hardware
Kernel
Kernel and hostfs ready
hostfs NFS /armx

16. (c) SAUMIL SHAH
@DC11332

17. (c) SAUMIL SHAH
@DC11332
QEMU
CPU and
Limited
Hardware
Kernel
Drivers
NFS /armx
emulated
nvram
nvram and userland init scripts
conf
conf
init scripts
libnvram

18. (c) SAUMIL SHAH
@DC11332

19. (c) SAUMIL SHAH
@DC11332
QEMU
CPU and
Limited
Hardware
Kernel
Drivers
NFS /armx
emulated
nvram
init scripts
Services
Apps
libnvram
ARM-X: Device "booted up"
x
x
x
x
conf
conf

20. (c) SAUMIL SHAH
@DC11332

21. (c) SAUMIL SHAH
@DC11332

22. (c) SAUMIL SHAH
@DC11332
EYOD

23. (c) SAUMIL SHAH
@DC11332
Firmware
Firmware
.bin file
from
Web/FTP
UART
Serial
Console
Direct
from
Flash
memory

24. (c) SAUMIL SHAH
@DC11332
1: Web/FTP site

25. (c) SAUMIL SHAH
@DC11332
2: Hidden UART interfaces

26. (c) SAUMIL SHAH
@DC11332
3: Take it directly from the chip!

27. (c) SAUMIL SHAH
@DC11332
DEMO TIME!

28. (c) SAUMIL SHAH
@DC11332
HERE BE THE GOODS
https://github.com/therealsaumil/armx
!
Announcements: @therealsaumil

29. (c) SAUMIL SHAH
@DC11332
Thank you
and … QUESTIONS?
@therealsaumil