NETSQUARE (c) SAUMIL SHAH
The ARM Exploit Laboratory – 44CON 2018

ARM IoT FIRMWARE EMULATION WORKSHOP
Saumil Shah
@therealsaumil
12 September 2018

# who am i
CEO Net-square.
• Hacker, Speaker, Trainer, Author.
• M.S. Computer Science, Purdue University.
• LinkedIn: saumilshah
• Twitter: @therealsaumil

Objective
• Extract the firmware from an IoT device.
• Emulate the firmware in QEMU.
• "Boot up" the virtual device.
• Debugging, Testing and Fuzzing environment.

Case Study: DLINK DIR-880L

Setup
• armplayer2.zip - VMware image
• dir880_mtdblocks.zip - firmware blobs
• dir880_minicom.txt - console msgs
• static_arm_bins.zip - fun t00lz
• Extract the VM and start it up.
• You need SSH/SCP on your laptop.

Lab Virtual Machine
All passwords are "exploitlab" :) Yes, you may write it down.

armplayer host
SSH to port 2222
username: exploitlab
QEMU ARMv7
SSH to port 22
username: root

Pentesting Embedded ARM
ARM IoT Devices

Take a look at an IoT device...

...it is a special computer...
[Diagram: IoT device stack. Labels: CPU and Hardware; Kernel; Drivers; File System; nvram; libnvram; User Processes; API; UI. Hardware interfaces: JTAG, RS232, SPI. Annotation: not accessible.]

...with "special" vulnerabilities
[Diagram: the same device stack, annotated with vulnerability classes: Authentication Bypass; Insecure Direct Obj Ref; File Retrieval; Remote Command Exec; Memory Corruption; Buffer Overflows; Backdoors; Default Passwords; Hidden Paths. Memory Corruption and Buffer Overflows appear at two places in the stack.]

The IoT Boot Up Process
POWER ON
• Loads Kernel.
• Uncompresses FS to ramdisk, invokes init process.
• Reads config from nvram.
• Builds system config files on the fly.
• Starts up system services.
• Invokes Applications and Application services.
READY
[Diagram labels: firmware; Boot Loader; CPU; Kernel; compressed FS; mounted FS; ramdisk; userland; nvram; libnvram; init scripts; conf; Services; Apps.]

Obtaining the Firmware
• Download the firmware files from the device update website.
  – binwalk
• Find the UART pins on the device's board, solder and connect via serial console.
  – Extract the firmware via shell over serial console.
• Direct hardware level extraction.

Serial Console
• Most devices run a privileged shell on serial console.
• Kernel boot arguments:
    root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
• Getting firmware from a shell is easy...
• ...finding the serial port is a challenge :)

Discovering the UART pins
• Usually unsoldered.
• Identify candidate pins.
• Test for Vcc (+3.3V) and GND.
• Test for TX, RX.
• Important pins – TX, RX, GND.

Discovering UART pins
[Photo labels: Possible UART pins; False Positive]

Discovering UART pins
[Photo label: Second Possibility]

Testing Voltages
[Photo labels: Vcc (+3.3V); GND]
GND runs throughout the board.

Testing Voltages
[Photo labels: Vcc (+3.3V); GND]
The other two pins have to be TX, RX.
Verify continuity across GND.

Serial Console
[Diagram: Device pins GND, TX, RX connected to GND, TX, RX on the minicom side; Vcc also labelled.]
minicom: Serial Port = /dev/ttyUSB0, 115200 baud, 8N1

Serial Console - working

Finished Serial Port Projects

Firmware Extraction

# cat /proc/partitions
major minor  #blocks  name
  31     0      256 mtdblock0
  31     1       64 mtdblock1
  31     2       64 mtdblock2
  31     3     1472 mtdblock3
  31     4      128 mtdblock4
  31     5       64 mtdblock5
  31     6     2048 mtdblock6
  31     7    32768 mtdblock7
  31     8    30975 mtdblock8
  31     9   131072 mtdblock9
  31    10    98304 mtdblock10

# cat /proc/cmdline
root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u-boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram),2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m@32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"
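
Added example (not from the original slides): a shell helper that turns the /proc/mtd listing above into byte sizes and 1 KiB block counts, so each row can be cross-checked against /proc/partitions and each dumped partition image can be checked for truncation. The function names mtd_plan and check_dump are hypothetical; the sample data is the listing shown on the slide.

```sh
#!/bin/sh
# Added example; sample input copied from the /proc/mtd output on the slide.
MTD_SAMPLE='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"'

# mtd_plan (hypothetical name): read /proc/mtd text on stdin and print
#   <name> <mtdN> <size in bytes> <1 KiB blocks> <multiple of erase size?>
# The 1 KiB block count is what /proc/partitions reports for mtdblockN.
mtd_plan() {
    # Strip carriage returns that a serial-console capture may carry.
    tr -d '\r' | while read -r dev size erase name; do
        case "$dev" in
            mtd[0-9]*:) ;;          # partition row
            *) continue ;;          # header or blank line
        esac
        dev=${dev%:}
        name=${name#\"}; name=${name%\"}
        bytes=$((0x$size))          # sizes are hexadecimal byte counts
        ebytes=$((0x$erase))
        aligned=yes
        [ $((bytes % ebytes)) -eq 0 ] || aligned=no
        echo "$name $dev $bytes $((bytes / 1024)) $aligned"
    done
}

# check_dump (hypothetical name): succeed only if a dumped image file has
# exactly the byte size /proc/mtd reported, i.e. the copy was not truncated.
check_dump() {
    actual=$(($(wc -c < "$1")))
    [ "$actual" -eq "$2" ]
}

printf '%s\n' "$MTD_SAMPLE" | mtd_plan
```

For the rootfs row this yields 31719328 bytes, which is 30975 whole 1 KiB blocks (the mtdblock8 figure in /proc/partitions) and is not a multiple of the 0x20000 erase size.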

New vs Legacy Memory Layout
New Layout (/proc/sys/vm/legacy_va_layout = 0)
  Regions: Heap, Binary, Stack, Lib, Lib
  Addresses: 0x00008000, 0xbf000000, 0xb6f00000, 0xbefdf000
Legacy Layout (/proc/sys/vm/legacy_va_layout = 1)
  Regions: Heap, Binary, Stack, Lib, Lib
  Addresses: 0x00008000, 0xbf000000, 0x40000000, 0xbefdf000

Emulator Driven Test Bench
[Diagram labels: QEMU ARM Kernel; squashfs-root (proc, sys, dev, etc, bin); chroot environment (proc, sys, dev, etc, bin); init; system services; user processes; nvram config (ini file); nvram shim; gdb server; multiarch gdb.]

Extract the rootfs

rsync rootfs to ARM QEMU

chroot the rootfs in QEMU
• Setup commands for binding /proc, /sys and /dev and running chroot
• kick off the init scripts
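
Added example, not the workshop's own commands: one way to script the bind mounts and chroot described on this slide, printing the commands by default. Assumptions: the names ROOTFS, INIT, DRY_RUN and the function names are hypothetical; ROOTFS defaults to the squashfs-root directory named on the test bench slide, and INIT defaults to the init= value from the device's /proc/cmdline.

```sh
#!/bin/sh
# Added example, not the workshop's own commands. Assumptions: ROOTFS is the
# extracted squashfs-root copied to the QEMU ARM guest, and INIT is the init=
# value from the device's /proc/cmdline (override it with another init script).
ROOTFS=${ROOTFS:-squashfs-root}
INIT=${INIT:-/sbin/preinit}
DRY_RUN=${DRY_RUN:-1}      # 1 = only print the commands, 0 = run them as root

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Succeeds if "$1" (absolute path) is already a mount point.
is_mounted() {
    awk -v m="$1" '$2 == m { found = 1 } END { exit !found }' /proc/mounts
}

enter_rootfs() {
    root=$(cd "$ROOTFS" 2>/dev/null && pwd) || { echo "no rootfs at $ROOTFS" >&2; return 1; }
    # -L also accepts a symlink whose absolute target only resolves inside
    # the chroot, e.g. an applet link to /bin/busybox.
    if [ ! -e "$root$INIT" ] && [ ! -L "$root$INIT" ]; then
        echo "missing $root$INIT: wrong directory or incomplete extraction" >&2
        return 1
    fi
    for fs in proc sys dev; do
        run mkdir -p "$root/$fs"
        # Bind the guest kernel's own /proc, /sys and /dev into the rootfs.
        is_mounted "$root/$fs" || run mount -o bind "/$fs" "$root/$fs"
    done
    run chroot "$root" "$INIT"
}

# Undo the bind mounts, in reverse order, after the emulated userland exits.
leave_rootfs() {
    root=$(cd "$ROOTFS" 2>/dev/null && pwd) || return 1
    for fs in dev sys proc; do
        if is_mounted "$root/$fs"; then run umount "$root/$fs"; fi
    done
}

if [ -d "$ROOTFS" ]; then enter_rootfs; fi
```

Review the printed plan first, then set DRY_RUN=0 inside the QEMU ARM guest to execute it.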

The virtual router "boots up"

SUCCESS!

THANK YOU!
Saumil Shah
@therealsaumil
saumil@net-square.com
LinkedIn: saumilshah
Follow us on Twitter for: updates, new classes, on-site training, announcements
Blog: http://blog.exploitlab.net
