SlideShare a Scribd company logo

Firmware Extraction & Fuzzing - Jatan Raval

NSConclave, profile picture
NSConclave

The workshop covers methods for firmware extraction and analysis, emphasizing the importance of firmware in understanding hardware architecture and vulnerabilities. Techniques discussed include using serial consoles, bin file dumps, and accessing devices via SSH and telnet. The session provides practical guidance on extracting firmware from devices such as IP cameras and working with EEPROMs.

Technology
1 of 21
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Firmware Extraction & Fuzzing Jatan Raval
INTRODUCTION In this workshop you will learn the different ways of extracting the firmware and analysing the firmware. We will also cover the basic concepts of remote and guided fuzzing.
My #firmware details ● Jatan K Raval ● Trainer ● M.Tech. in Cyber Security & Incident Response, GFSU. ● OSCP, OSCE ● Twitter: @jatankraval
WHY DO WE NEED FIRMWARE? Firmware is a core part which provide integral functions for the hardware. It reveals the device architecture and the process to access the hardware
WHY DO WE ANALYZE THE FIRMWARE? VULNERABILITIES SENSITIVE INFORMATION QEMU SHELL
Firmware Extraction ● Serial Console ● Bin file dump ● SSH & Telnet
SERIAL CONSOLE ● Identify the debug pins: Tx, Rx ● Usually the serial console pins are left for the debug purpose. ● It is used to catch the boot process and shell.
SERIAL CONSOLE
BIN FILE DUMP ● Dump the bin file from EEPROM ● Tools: ○ HARDSPLOIT ○ RASPBERRY PI ○ Programmer
BIN FILE DUMP ● Identify the EEPROM model. ● Connect the pins or desolder the EEPROM ● Put it in the programmer and read the chip content.
BIN FILE DUMP
BIN FILE DUMP
BIN FILE DUMP: Raspberry Pi
BIN FILE DUMP: Programmer ● Here we will extract the firmware of the IP Camera. ● Untie the screws and open the backpanel
BIN FILE DUMP: Programmer ● Open the back panel and identify the UART pins. ● Identify the EEPROM details
BIN FILE DUMP: Programmer ● Identify the EEPROM details and check the programer support.
BIN FILE DUMP: Programmer ● Connect SOIC8 Clip to the EEPROM. ● Download the datasheet of the EEPROM.
BIN FILE DUMP: Programmer ● Connect the pins to the programmer and select the EEPROM version family in prgrammer.
BIN FILE DUMP: Programmer ● Dump the EEPROM content in a bin file.
BIN FILE DUMP: Programmer ● Different programmers are also available which can read the EEPROM content.
SSH & Telnet ● Enable the web console from the admin panel. ● Connect to the admin panel using the telnet. ● The SSH service is also enabled on some IoT devices.

More Related Content

PDF
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
PPTX
Pen Testing Explained
Rand W. Hirt
 
PDF
Nessus Software
Megha Sahu
 
PPTX
CISSP - Software Development Security
Karthikeyan Dhayalan
 
PPTX
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
PPTX
Nessus-Vulnerability Tester
Aditya Jain
 
PPTX
Intrusion detection system
Aparna Bhadran
 
PPTX
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Pen Testing Explained
Rand W. Hirt
 
Nessus Software
Megha Sahu
 
CISSP - Software Development Security
Karthikeyan Dhayalan
 
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Nessus-Vulnerability Tester
Aditya Jain
 
Intrusion detection system
Aparna Bhadran
 
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 

What's hot (20)

PPT
Hacking web applications
Adeel Javaid
 
PPTX
Cyber security
Sabir Raja
 
PDF
Access Control Presentation
Wajahat Rajab
 
PPT
Keyloggers
novacharter
 
PDF
Embedded Systems Security
Malachi Jones
 
PPTX
Inetsecurity.in Ethical Hacking presentation
Joshua Prince
 
PPT
Counter Measures Of Virus
shusrusha
 
PPTX
Introduction to Malware Analysis
Andrew McNicol
 
PDF
CNIT 141: 8. Authenticated Encryption
Sam Bowne
 
PPTX
User authentication
CAS
 
PPTX
Security Testing
Qualitest
 
PPTX
Keyloger & spyware
KashifKhan417
 
PPTX
Black box software testing
Rana Muhammad Asif
 
PPTX
Firmware Reverse Engineering
Satria Ady Pradana
 
PPT
Bluetooth security
Ramasubbu .P
 
PDF
What is integration testing
TestingXperts
 
PDF
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
PPTX
Encryption algorithms
trilokchandra prakash
 
PDF
CNIT 127: Ch 18: Source Code Auditing
Sam Bowne
 
PDF
Introduction to char device driver
Vandana Salve
 
Hacking web applications
Adeel Javaid
 
Cyber security
Sabir Raja
 
Access Control Presentation
Wajahat Rajab
 
Keyloggers
novacharter
 
Embedded Systems Security
Malachi Jones
 
Inetsecurity.in Ethical Hacking presentation
Joshua Prince
 
Counter Measures Of Virus
shusrusha
 
Introduction to Malware Analysis
Andrew McNicol
 
CNIT 141: 8. Authenticated Encryption
Sam Bowne
 
User authentication
CAS
 
Security Testing
Qualitest
 
Keyloger & spyware
KashifKhan417
 
Black box software testing
Rana Muhammad Asif
 
Firmware Reverse Engineering
Satria Ady Pradana
 
Bluetooth security
Ramasubbu .P
 
What is integration testing
TestingXperts
 
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
Encryption algorithms
trilokchandra prakash
 
CNIT 127: Ch 18: Source Code Auditing
Sam Bowne
 
Introduction to char device driver
Vandana Salve
 
Ad

Similar to Firmware Extraction & Fuzzing - Jatan Raval (20)

PDF
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
Yogesh Ojha
 
PDF
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
Jian-Hong Pan
 
PDF
HKG18-TR14 - Postmortem Debugging with Coresight
Linaro
 
PDF
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 
PDF
From printed circuit boards to exploits
virtualabs
 
PDF
Infecting the Embedded Supply Chain
Priyanka Aash
 
PPTX
Micro c lab2(led patterns)
Mashood
 
PDF
Lcu14 101- coresight overview
Linaro
 
PDF
Nsk products
RAMANAREDDY35
 
PDF
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
PDF
DEF CON 27- JISKA FABIAN - vacuum cleaning security
Felipe Prado
 
PDF
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Priyanka Aash
 
PDF
Practical reverse engineering and exploit development for AVR-based Embedded ...
Alexander Bolshev
 
PPTX
FPGA workshop
Alex Borisevich
 
PDF
ARM IoT Firmware Emulation Workshop
Saumil Shah
 
PDF
DevDays: Profiling With Java Flight Recorder
Miro Wengner
 
PDF
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Linaro
 
PDF
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
satyabratmallaBujarb
 
PPTX
Hacker bootcamp
Gregory Hanis
 
PDF
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
Yogesh Ojha
 
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
Jian-Hong Pan
 
HKG18-TR14 - Postmortem Debugging with Coresight
Linaro
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 
From printed circuit boards to exploits
virtualabs
 
Infecting the Embedded Supply Chain
Priyanka Aash
 
Micro c lab2(led patterns)
Mashood
 
Lcu14 101- coresight overview
Linaro
 
Nsk products
RAMANAREDDY35
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
DEF CON 27- JISKA FABIAN - vacuum cleaning security
Felipe Prado
 
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Priyanka Aash
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Alexander Bolshev
 
FPGA workshop
Alex Borisevich
 
ARM IoT Firmware Emulation Workshop
Saumil Shah
 
DevDays: Profiling With Java Flight Recorder
Miro Wengner
 
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEE
Linaro
 
BKK16-110~---3892hnfi2r8ru94jofmcw8ujd.pdf
satyabratmallaBujarb
 
Hacker bootcamp
Gregory Hanis
 
Exploit development 101 - Part 1 - Null Singapore
Mohammed A. Imran
 
Ad

More from NSConclave (20)

PDF
RED-TEAM_Conclave
NSConclave
 
PPTX
Create a Custom Plugin in Burp Suite using the Extension
NSConclave
 
PPTX
IOT SECURITY ASSESSMENT Pentester's Approach
NSConclave
 
PPTX
Debugging Android Native Library
NSConclave
 
PPTX
Burp Suite Extension Development
NSConclave
 
PDF
Log Analysis
NSConclave
 
PDF
Regular Expression Injection
NSConclave
 
PDF
HTML5 Messaging (Post Message)
NSConclave
 
PDF
Node.js Deserialization
NSConclave
 
PDF
RIA Cross Domain Policy
NSConclave
 
PDF
LDAP Injection
NSConclave
 
PDF
Python Deserialization Attacks
NSConclave
 
PDF
Sandboxing
NSConclave
 
PDF
NoSql Injection
NSConclave
 
PDF
Thick Client Testing Advanced
NSConclave
 
PDF
Thick Client Testing Basics
NSConclave
 
PDF
Markdown
NSConclave
 
PDF
Docker 101
NSConclave
 
PDF
Security Architecture Consulting - Hiren Shah
NSConclave
 
PDF
OSINT: Open Source Intelligence - Rohan Braganza
NSConclave
 
RED-TEAM_Conclave
NSConclave
 
Create a Custom Plugin in Burp Suite using the Extension
NSConclave
 
IOT SECURITY ASSESSMENT Pentester's Approach
NSConclave
 
Debugging Android Native Library
NSConclave
 
Burp Suite Extension Development
NSConclave
 
Log Analysis
NSConclave
 
Regular Expression Injection
NSConclave
 
HTML5 Messaging (Post Message)
NSConclave
 
Node.js Deserialization
NSConclave
 
RIA Cross Domain Policy
NSConclave
 
LDAP Injection
NSConclave
 
Python Deserialization Attacks
NSConclave
 
Sandboxing
NSConclave
 
NoSql Injection
NSConclave
 
Thick Client Testing Advanced
NSConclave
 
Thick Client Testing Basics
NSConclave
 
Markdown
NSConclave
 
Docker 101
NSConclave
 
Security Architecture Consulting - Hiren Shah
NSConclave
 
OSINT: Open Source Intelligence - Rohan Braganza
NSConclave
 

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Cloud computing and distributed systems.
kkkkkhan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Approach and Philosophy of On baking technology
30anthuong17
 

Firmware Extraction & Fuzzing - Jatan Raval

  • 2. INTRODUCTION In this workshop you will learn the different ways of extracting the firmware and analysing the firmware. We will also cover the basic concepts of remote and guided fuzzing.
  • 3. My #firmware details ● Jatan K Raval ● Trainer ● M.Tech. in Cyber Security & Incident Response, GFSU. ● OSCP, OSCE ● Twitter: @jatankraval
  • 4. WHY DO WE NEED FIRMWARE? Firmware is a core part which provide integral functions for the hardware. It reveals the device architecture and the process to access the hardware
  • 5. WHY DO WE ANALYZE THE FIRMWARE? VULNERABILITIES SENSITIVE INFORMATION QEMU SHELL
  • 6. Firmware Extraction ● Serial Console ● Bin file dump ● SSH & Telnet
  • 7. SERIAL CONSOLE ● Identify the debug pins: Tx, Rx ● Usually the serial console pins are left for the debug purpose. ● It is used to catch the boot process and shell.
  • 9. BIN FILE DUMP ● Dump the bin file from EEPROM ● Tools: ○ HARDSPLOIT ○ RASPBERRY PI ○ Programmer
  • 10. BIN FILE DUMP ● Identify the EEPROM model. ● Connect the pins or desolder the EEPROM ● Put it in the programmer and read the chip content.
  • 13. BIN FILE DUMP: Raspberry Pi
  • 14. BIN FILE DUMP: Programmer ● Here we will extract the firmware of the IP Camera. ● Untie the screws and open the backpanel
  • 15. BIN FILE DUMP: Programmer ● Open the back panel and identify the UART pins. ● Identify the EEPROM details
  • 16. BIN FILE DUMP: Programmer ● Identify the EEPROM details and check the programer support.
  • 17. BIN FILE DUMP: Programmer ● Connect SOIC8 Clip to the EEPROM. ● Download the datasheet of the EEPROM.
  • 18. BIN FILE DUMP: Programmer ● Connect the pins to the programmer and select the EEPROM version family in prgrammer.
  • 19. BIN FILE DUMP: Programmer ● Dump the EEPROM content in a bin file.
  • 20. BIN FILE DUMP: Programmer ● Different programmers are also available which can read the EEPROM content.
  • 21. SSH & Telnet ● Enable the web console from the admin panel. ● Connect to the admin panel using the telnet. ● The SSH service is also enabled on some IoT devices.