Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.
In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.
The methodology discussed in this workshop is drawn from the author's own experience. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Slide 1. NETSQUARE (c) SAUMIL SHAH hack.lu 2018
ARM IoT FIRMWARE
EMULATION WORKSHOP
Saumil Shah
@therealsaumil
16 October 2018
Slide 2.
# who am i
• CEO, Net Square.
• Hacker, Speaker, Trainer, Author.
• M.S. Computer Science, Purdue University.
• LinkedIn: saumilshah
• Twitter: @therealsaumil
Slide 3.
Objectives
• Extract the firmware from an IoT device.
• Emulate the firmware in QEMU.
• "Boot up" the virtual device.
• Debugging, Testing and Fuzzing environment.
Slide 5.
Setup
• armplayer2.zip - VMware image
• dir880_mtdblocks.zip - firmware blobs
• dir880_minicom.txt - console msgs
• static_arm_bins.zip - fun t00lz
• Extract the VM and start it up.
• You will need SSH/SCP on your laptop.
Slide 6.
Lab Virtual Machine
All passwords are "exploitlab" :) Yes, you may write it down.
Slide 7.
armplayer host: SSH to port 2222, username: exploitlab
QEMU ARMv7: SSH to port 22, username: root
Slide 10.
[Diagram: the layers of an IoT device]
• CPU and Hardware
• Kernel, Drivers
• File System, nvram
• User Processes: API, UI, libnvram
• Hardware interfaces: JTAG, UART, SPI (diagram label: "not accessible")
...it is a special computer...
Slide 11.
[Diagram: the same device layers (CPU and Hardware; Kernel, Drivers; File System, nvram; User Processes: API, UI, libnvram) with vulnerability classes mapped onto them]
• Authentication Bypass, Insecure Direct Object Reference, File Retrieval, Remote Command Exec
• Memory Corruption, Buffer Overflows
• Backdoors, Default Passwords, Hidden Paths
• Memory Corruption, Buffer Overflows
...with "special" vulnerabilities
Slide 12.
The IoT Boot Up Process
[Diagram: POWER ON → Boot Loader → Kernel → ramdisk userland → READY; the firmware image holds the kernel and a compressed FS; init scripts, services and apps read nvram through libnvram and generate conf files]
1. POWER ON: the Boot Loader loads the Kernel.
2. The Kernel uncompresses the FS to a ramdisk (the mounted FS) and invokes the init process.
3. The init scripts read config from nvram and build the system config files on the fly.
4. init starts up the system services.
5. init invokes Applications and Application services.
6. READY
Slide 13.
Obtaining the Firmware
• Download the firmware files from the device update website.
  – binwalk
• Find the UART pins on the device's board, solder and connect via serial console.
  – Extract the firmware via shell over serial console.
• Direct hardware level extraction.
Slide 14.
Serial Console
• Most devices run a privileged shell on the serial console.
• Kernel boot arguments:
  root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
• Getting firmware from a shell is easy...
• ...finding the serial port is a challenge :)
Slide 15.
Discovering the UART pins
• Usually unsoldered.
• Identify candidate pins.
• Test for Vcc (+3.3V) and GND.
• Test for TX, RX.
• Important pins – TX, RX, GND.
Slide 25.
Emulator Driven Test Bench
[Diagram: QEMU ARM runs a Kernel; the extracted squashfs-root is used as a chroot environment with proc, sys, dev, etc and bin bound into it; inside the chroot run init, the system services and the user processes; an nvram shim serves the nvram config from an ini file; a gdb server inside the emulator is attached to a multiarch gdb outside]
Slide 28.
chroot the rootfs in QEMU
• Setup commands for binding /proc, /sys and /dev and running chroot.
• Kick off the init scripts.
Slide 31.
Wrapping Up
• Firmware Emulation takes a LOT of exploration and trial-and-error…
• …but it's worth it :)
• nvram interception code: https://github.com/therealsaumil/custom_nvram
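The nvram shim from the test-bench diagram (slide 25) and the nvram interception code linked above both solve the same problem: under QEMU there is no flash partition, so processes calling libnvram get nothing back and the init scripts build an empty configuration. The following is an added example written for this page, not the workshop's custom_nvram code. It is an LD_PRELOAD-style shim that answers nvram_get()/nvram_set() calls from a key=value ini file. The function names mirror the common libnvram signatures; the ini format, the NVRAM_INI_PATH environment variable, the default path /nvram.ini and the sample keys are assumptions of this example.

```c
/* Added example (not the custom_nvram project code): a minimal nvram shim
 * for firmware emulation.  Build as a shared object and preload it into the
 * chrooted init so that libnvram lookups are served from an ini file:
 *   gcc -shared -fPIC -o libnvram_shim.so nvram_shim.c
 *   LD_PRELOAD=./libnvram_shim.so NVRAM_INI_PATH=/nvram.ini /sbin/preinit
 * Unknown keys are logged to stderr, which is how you discover which
 * settings the firmware expects and still need to be copied from the device. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NVRAM_MAX_ENTRIES 512
#define NVRAM_KEY_LEN 64
#define NVRAM_VAL_LEN 256

struct nvram_entry { char key[NVRAM_KEY_LEN]; char val[NVRAM_VAL_LEN]; };

static struct nvram_entry nvram_store[NVRAM_MAX_ENTRIES];
static int nvram_count = 0;
static int nvram_loaded = 0;

/* Constructed sample configuration, not a dump from a real device. */
static const char SAMPLE_INI[] =
    "# constructed sample\n"
    "[nvram]\n"
    "lan_ipaddr = 192.168.0.1\n"
    "wan_proto=dhcp\n"
    "http_passwd=\n";

/* Strip leading and trailing whitespace in place. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

static struct nvram_entry *find_entry(const char *name)
{
    for (int i = 0; i < nvram_count; i++)
        if (strcmp(nvram_store[i].key, name) == 0) return &nvram_store[i];
    return NULL;
}

/* libnvram-style setter: overwrite an existing key or append. 0 on success. */
int nvram_set(const char *name, const char *value)
{
    struct nvram_entry *e = find_entry(name);
    if (!e) {
        if (nvram_count >= NVRAM_MAX_ENTRIES || strlen(name) >= NVRAM_KEY_LEN) return -1;
        e = &nvram_store[nvram_count++];
        snprintf(e->key, sizeof e->key, "%s", name);
    }
    snprintf(e->val, sizeof e->val, "%s", value ? value : "");
    return 0;
}

/* Parse ini text: one "key=value" per line; blank lines, '#'/';' comments
 * and [section] headers are ignored.  Returns the number of keys loaded. */
int nvram_load_ini_buf(const char *text)
{
    char line[NVRAM_KEY_LEN + NVRAM_VAL_LEN + 2];
    int loaded = 0;
    for (const char *p = text; *p;) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;  /* clip overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p += nl ? full + 1 : full;
        char *s = trim(line);
        if (*s == '\0' || *s == '#' || *s == ';' || *s == '[') continue;
        char *eq = strchr(s, '=');
        if (!eq) continue;
        *eq = '\0';
        if (nvram_set(trim(s), trim(eq + 1)) == 0) loaded++;
    }
    nvram_loaded = 1;
    return loaded;
}

int nvram_load_ini_file(const char *path)
{
    static char buf[NVRAM_MAX_ENTRIES * (NVRAM_KEY_LEN + NVRAM_VAL_LEN)];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return nvram_load_ini_buf(buf);
}

/* Load lazily on first access so no init hook is needed in the target binary. */
static void nvram_ensure_loaded(void)
{
    if (nvram_loaded) return;
    const char *path = getenv("NVRAM_INI_PATH");  /* assumed variable name */
    nvram_load_ini_file(path ? path : "/nvram.ini");
    nvram_loaded = 1;
}

/* libnvram-style getter: pointer to the stored value, or NULL if unset. */
char *nvram_get(const char *name)
{
    nvram_ensure_loaded();
    struct nvram_entry *e = find_entry(name);
    if (!e) { fprintf(stderr, "[nvram shim] unknown key: %s\n", name); return NULL; }
    return e->val;
}

int nvram_unset(const char *name)
{
    struct nvram_entry *e = find_entry(name);
    if (!e) return -1;
    *e = nvram_store[--nvram_count];  /* swap-remove keeps the array dense */
    return 0;
}

/* libnvram-style match: 1 if the key is set and equals match, else 0. */
int nvram_match(const char *name, const char *match)
{
    const char *v = nvram_get(name);
    return v != NULL && strcmp(v, match) == 0;
}

/* Stand-alone demo; unused when the file is built with -shared. */
int main(void)
{
    printf("loaded %d keys\n", nvram_load_ini_buf(SAMPLE_INI));
    printf("lan_ipaddr=%s\n", nvram_get("lan_ipaddr"));
    printf("wan_proto is dhcp: %d\n", nvram_match("wan_proto", "dhcp"));
    nvram_get("lan_hwaddr");  /* logs the missing key to stderr */
    return 0;
}
```

On a real device the ini file is filled from the output of the vendor's nvram tool (typically `nvram show`) captured over the serial console, so that the emulated init scripts generate the same config files as the hardware does. Keys the firmware asks for but the file lacks show up in the stderr log and can be added iteratively, which is the trial-and-error loop the wrap-up slide refers to.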