Uploaded bySaumil Shah
INSIDE ARM-X - Countermeasure 2019
The document introduces arm-x, an ARM firmware emulation framework aimed at facilitating the analysis, reverse engineering, fuzzing, and exploit development for IoT devices. It outlines the boot process of an IoT device, hardware and software requirements for emulation, and steps to add new devices to the arm-x environment. Additionally, it provides insights on firmware extraction and offers a link for further resources and challenges.
More Related Content
Similar to INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
- 1. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 INSIDE SAUMIL SHAH @therealsaumil 7 November 2019 COUNTERMEASURE|2019
- 2. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 # WHO AM I Saumil Shah CEO, Net Square @therealsaumil educating, entertaining and exasperating audiences since 1999
- 3. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 Introducing ARM-X • An ARM Firmware Emulation Framework. • Ultimate Goal - create an IoT VM! • A Virtual IoT device makes for easy – runtime analysis – reverse engineering – fuzzing – exploit development • Great insight into embedded hardware by trying to emulate it.
- 4. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019
- 5. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019
- 6. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 Inside an IoT device…
- 7. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram …same same but different
- 8. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
- 9. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram init scripts Services Apps libnvram Emulation: Goals and Challenges x x x x BUILDROOT Match the kernel with the one on the device chroot environment Implemented as an INI file, preloaded before "boot up" conf conf Fix to match QEMU environment Not all drivers load successfully
- 10. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 ARM-X Architecture
- 11. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 ARM-X Architecture
- 12. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 Starting an ARM-X device
- 13. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019
- 14. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 2 - Booting the device Kernel
- 15. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019
- 16. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 QEMU CPU and Limited Hardware Kernel Kernel and hostfs ready hostfs NFS /armx
- 17. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 3 - ARM-X Userland
- 18. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019
- 19. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 4 - nvram and userland init
- 20. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 QEMU CPU and Limited Hardware Kernel Drivers NFS /armx emulated nvram nvram and userland init scripts conf conf init scripts libnvram
- 21. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019
- 22. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 QEMU CPU and Limited Hardware Kernel Drivers NFS /armx emulated nvram init scripts Services Apps libnvram ARM-X: Device "booted up" x x x x conf conf
- 23. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019
- 24. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 5 - ARM-X hostfs/debug Shell
- 25. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019
- 26. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 How to add a new device to ARM-X BUILDROOT Firmware image
- 27. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 Obtaining the Firmware Firmware rootfs Firmware .bin file rootfs+nvram Serial Console Direct from Flash memory
- 28. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 1: Web/FTP site
- 29. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 2: Hidden UART interfaces Vcc (+3.3V) GND TX/RX GND
- 30. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 Serial Console - working
- 31. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage" dd if=/dev/mtdblock8 …
- 32. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 3: Take it directly from the chip!
- 33. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 DEMO TIME!
- 34. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 HERE BE THE GOODS Downloads: https://armx.exploitlab.net/ ! Announcements: @therealsaumil IP Camera CTF Challenge - blog.exploitlab.net
- 35. NETSQUARE (c) SAUMILSHAHCOUNTERMEASURE | 2019 Thank you and … QUESTIONS? @therealsaumil COUNTERMEASURE|2019