ARM IoT Firmware Emulation Workshop
9 likes1,906 views
Saumil Shah gives a presentation on extracting firmware from IoT devices and emulating it using QEMU. He discusses obtaining firmware by downloading from the manufacturer's site, extracting over a UART serial connection, or directly from hardware. The case study looks at a DLink DIR-880L router. The extracted firmware is transferred to a QEMU ARM VM and chrooted to emulate the device and allow debugging and testing.
ARM IoT Firmware Emulation Workshop
- 1. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 ARM IoT FIRMWARE EMULATION WORKSHOP Saumil Shah @therealsaumil 12 September 2018
- 2. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # who am i CEO Net-square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
- 3. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Objective • Extract the firmware from an IoT device. • Emulate the firmware in QEMU. • "Boot up" the virtual device. • Debugging, Testing and Fuzzing environment.
- 4. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Case Study DLINK DIR-880L
- 5. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Setup • armplayer2.zip - VMware image • dir880_mtdblocks.zip - firmware blobs • dir880_minicom.txt - console msgs • static_arm_bins.zip - fun t00lz • Extract the VM and start it up. • You need SSH/SCP on your laptop.
- 6. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Lab Virtual Machine All passwords are "exploitlab" J Yes you may write it down
- 7. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 armplayer host SSH to port 2222 username: exploitlab QEMU ARMv7 SSH to port 22 username: root
- 8. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Pentesting Embedded ARM ARM IoT Devices
- 9. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018
- 10. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Take a look at an IoT device...
- 11. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible ...it is a special computer...
- 12. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG RS 232 SPI notaccessible Authentication Bypass Insecure Direct Obj Ref File Retrieval Remote Command Exec Memory Corruption Buffer Overflows Backdoors Default Passwords Hidden Paths Memory Corruption Buffer Overflows ...with "special" vulnerabilities
- 13. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
- 14. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Obtaining the Firmware • Download the firmware files from the device update website. – binwalk • Find the UART pins on the device's board, solder and connect via serial console. – Extract the firmware via shell over serial console. • Direct hardware level extraction.
- 15. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console • Most devices run a privileged shell on serial console. • Kernel boot arguments: • Getting firmware from a shell is easy... • ...finding the serial port is a challenge :) root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
- 16. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering the UART pins • Usually unsoldered. • Identify candidate pins. • Test for Vcc (+3.3V) and GND. • Test for TX, RX. • Important pins – TX, RX, GND.
- 17. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Possible UART pins False Positive
- 18. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Discovering UART pins Second Possibility
- 19. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND GND runs through- out the board
- 20. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Testing Voltages Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
- 21. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
- 22. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Serial Console - working
- 23. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Finished Serial Port Projects
- 24. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/cmdline root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u- boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram), 2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m @32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage"
- 25. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 New vs Legacy Memory Layout Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0xb6f00000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 0 Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0x40000000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 1 New Layout Legacy Layout
- 26. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 QEMU ARM Kernel Emulator Driven Test Bench proc sys dev etc bin squashfs-root chroot environment proc sys dev etc bin init system services user processes nvram config (ini file) nvram shim gdb server multiarch gdb
- 27. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 Extract the rootfs
- 28. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 rsync rootfs to ARM QEMU
- 29. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 chroot the rootfs in QEMU Setup commands for binding /proc, /sys and /dev and running chroot kick off the init scripts
- 30. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 The virtual router "boots up"
- 31. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 SUCCESS!
- 32. NETSQUARE (c) SAUMIL SHAHThe ARM Exploit Laboratory – 44CON 2018 THANK YOU! Saumil Shah @therealsaumil saumil@net-square.com LinkedIn: saumilshah Follow us on Twitter for: updates new classes on-site training announcements Blog: http://blog.exploitlab.net