SlideShare ist ein Scribd-Unternehmen logo

Hack.LU 2018 ARM IoT Firmware Emulation Workshop

Saumil Shah
Saumil Shah

Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools. In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras. The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.

Technologie
1 von 32
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 ARM IoT FIRMWARE EMULATION WORKSHOP Saumil Shah @therealsaumil 16 October 2018
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 # who am i CEO Net Square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Objectives • Extract the firmware from an IoT device. • Emulate the firmware in QEMU. • "Boot up" the virtual device. • Debugging, Testing and Fuzzing environment.
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Case Study DLINK DIR-880L
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Setup • armplayer2.zip - VMware image • dir880_mtdblocks.zip - firmware blobs • dir880_minicom.txt - console msgs • static_arm_bins.zip - fun t00lz • Extract the VM and start it up. • You will need SSH/SCP on your laptop.
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Lab Virtual Machine All passwords are "exploitlab" J Yes you may write it down
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 armplayer host SSH to port 2222 username: exploitlab QEMU ARMv7 SSH to port 22 username: root
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 IoT Devices - An Introduction
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Take a look at an IoT device...
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG UART SPI notaccessible ...it is a special computer...
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram Authentication Bypass Insecure Direct Obj Ref File Retrieval Remote Command Exec Memory Corruption Buffer Overflows Backdoors Default Passwords Hidden Paths Memory Corruption Buffer Overflows ...with "special" vulnerabilities
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Obtaining the Firmware • Download the firmware files from the device update website. – binwalk • Find the UART pins on the device's board, solder and connect via serial console. – Extract the firmware via shell over serial console. • Direct hardware level extraction.
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console • Most devices run a privileged shell on serial console. • Kernel boot arguments: • Getting firmware from a shell is easy... • ...finding the serial port is a challenge :) root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering the UART pins • Usually unsoldered. • Identify candidate pins. • Test for Vcc (+3.3V) and GND. • Test for TX, RX. • Important pins – TX, RX, GND.
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering UART pins Possible UART pins False Positive
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering UART pins Second Possibility
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Testing Voltages Vcc (+3.3V) GND GND runs through- out the board
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Testing Voltages Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console - working
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Finished Serial Port Projects
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction via Console # cat /proc/cmdline root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u- boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram), 2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m @32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage"
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 New vs Legacy Memory Layout Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0xb6f00000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 0 Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0x40000000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 1 New (current) Layout Legacy Layout
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 QEMU ARM Kernel Emulator Driven Test Bench proc sys dev etc bin squashfs-root chroot environment proc sys dev etc bin init system services user processes nvram config (ini file) nvram shim gdb server multiarch gdb
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Extract the rootfs
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 rsync rootfs to ARM QEMU
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 chroot the rootfs in QEMU Setup commands for binding /proc, /sys and /dev and running chroot kick off the init scripts
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 The virtual router "boots up"
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 SUCCESS!
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Wrapping Up • Firmware Emulation takes a LOT of exploration and trial-and-error… • …but it's worth it J • nvram interception code: https://github.com/therealsaumil/custom_nvram
NETSQUARE (c) SAUMIL SHAHhack.lu 2018 THANK YOU! Saumil Shah @therealsaumil #hacklu 2018

Empfohlen

PKCS11
PKCS11PKCS11
PKCS11Byeong Yeong Jeong
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on WindowsOWASP Delhi
 
YoctoLTSについて調べてみた
YoctoLTSについて調べてみたYoctoLTSについて調べてみた
YoctoLTSについて調べてみたwata2ki
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Eclipseデバッガを活用するための31のtips
Eclipseデバッガを活用するための31のtipsEclipseデバッガを活用するための31のtips
Eclipseデバッガを活用するための31のtipsHiroki Kondo
 
Wireshark だけに頼らない! パケット解析ツールの紹介
Wireshark だけに頼らない! パケット解析ツールの紹介Wireshark だけに頼らない! パケット解析ツールの紹介
Wireshark だけに頼らない! パケット解析ツールの紹介morihisa
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLinaro
 

Empfohlen

PKCS11
PKCS11PKCS11
PKCS11Byeong Yeong Jeong
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on WindowsOWASP Delhi
 
YoctoLTSについて調べてみた
YoctoLTSについて調べてみたYoctoLTSについて調べてみた
YoctoLTSについて調べてみたwata2ki
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Eclipseデバッガを活用するための31のtips
Eclipseデバッガを活用するための31のtipsEclipseデバッガを活用するための31のtips
Eclipseデバッガを活用するための31のtipsHiroki Kondo
 
Wireshark だけに頼らない! パケット解析ツールの紹介
Wireshark だけに頼らない! パケット解析ツールの紹介Wireshark だけに頼らない! パケット解析ツールの紹介
Wireshark だけに頼らない! パケット解析ツールの紹介morihisa
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLinaro
 
SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementLF Events
 
30分で分かる!OSの作り方 ver.2
30分で分かる!OSの作り方 ver.230分で分かる!OSの作り方 ver.2
30分で分かる!OSの作り方 ver.2uchan_nos
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
C++でできる!OS自作入門
C++でできる!OS自作入門C++でできる!OS自作入門
C++でできる!OS自作入門uchan_nos
 
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdf
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdfハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdf
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdfYuichiro Smith
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Conan a C/C++ Package Manager
Conan a C/C++ Package ManagerConan a C/C++ Package Manager
Conan a C/C++ Package ManagerUilian Ries
 
アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018ak_shio_555
 
Python and GObject Introspection
Python and GObject IntrospectionPython and GObject Introspection
Python and GObject IntrospectionYuren Ju
 
Conan.io - The C/C++ package manager for Developers
Conan.io - The C/C++ package manager for DevelopersConan.io - The C/C++ package manager for Developers
Conan.io - The C/C++ package manager for DevelopersUilian Ries
 
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016Kei IWASAKI
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCIMr. Vengineer
 
今だからこそ知りたい Docker Compose/Swarm 入門
今だからこそ知りたい Docker Compose/Swarm 入門今だからこそ知りたい Docker Compose/Swarm 入門
今だからこそ知りたい Docker Compose/Swarm 入門Masahito Zembutsu
 
SSHの便利な使い方〜マイナーな小技編〜
SSHの便利な使い方〜マイナーな小技編〜SSHの便利な使い方〜マイナーな小技編〜
SSHの便利な使い方〜マイナーな小技編〜ktateish
 
MediaRecorder と WebM で、オレオレ Live Streaming
MediaRecorder と WebM で、オレオレ Live StreamingMediaRecorder と WebM で、オレオレ Live Streaming
MediaRecorder と WebM で、オレオレ Live Streamingmganeko
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsSunil Paudel
 
Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt StrikeChristopher Gerritz
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820GMOサイバーセキュリティ byイエラエ株式会社
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 

Weitere ähnliche Inhalte

Was ist angesagt?

SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementLF Events
 
30分で分かる!OSの作り方 ver.2
30分で分かる!OSの作り方 ver.230分で分かる!OSの作り方 ver.2
30分で分かる!OSの作り方 ver.2uchan_nos
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
C++でできる!OS自作入門
C++でできる!OS自作入門C++でできる!OS自作入門
C++でできる!OS自作入門uchan_nos
 
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdf
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdfハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdf
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdfYuichiro Smith
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Conan a C/C++ Package Manager
Conan a C/C++ Package ManagerConan a C/C++ Package Manager
Conan a C/C++ Package ManagerUilian Ries
 
アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018ak_shio_555
 
Python and GObject Introspection
Python and GObject IntrospectionPython and GObject Introspection
Python and GObject IntrospectionYuren Ju
 
Conan.io - The C/C++ package manager for Developers
Conan.io - The C/C++ package manager for DevelopersConan.io - The C/C++ package manager for Developers
Conan.io - The C/C++ package manager for DevelopersUilian Ries
 
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016Kei IWASAKI
 
今だからこそ知りたい Docker Compose/Swarm 入門
今だからこそ知りたい Docker Compose/Swarm 入門今だからこそ知りたい Docker Compose/Swarm 入門
今だからこそ知りたい Docker Compose/Swarm 入門Masahito Zembutsu
 
SSHの便利な使い方〜マイナーな小技編〜
SSHの便利な使い方〜マイナーな小技編〜SSHの便利な使い方〜マイナーな小技編〜
SSHの便利な使い方〜マイナーな小技編〜ktateish
 
MediaRecorder と WebM で、オレオレ Live Streaming
MediaRecorder と WebM で、オレオレ Live StreamingMediaRecorder と WebM で、オレオレ Live Streaming
MediaRecorder と WebM で、オレオレ Live Streamingmganeko
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsSunil Paudel
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 

Was ist angesagt? (20)

SR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and ImprovementSR-IOV ixgbe Driver Limitations and Improvement
SR-IOV ixgbe Driver Limitations and Improvement
 
30分で分かる!OSの作り方 ver.2
30分で分かる!OSの作り方 ver.230分で分かる!OSの作り方 ver.2
30分で分かる!OSの作り方 ver.2
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
C++でできる!OS自作入門
C++でできる!OS自作入門C++でできる!OS自作入門
C++でできる!OS自作入門
 
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdf
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdfハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdf
ハッカー入門 公開鍵で学ぶ、ものごとの裏側を考える技術 (Qiita Conference 2022登壇資料).pdf
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Conan a C/C++ Package Manager
Conan a C/C++ Package ManagerConan a C/C++ Package Manager
Conan a C/C++ Package Manager
 
アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018
 
Python and GObject Introspection
Python and GObject IntrospectionPython and GObject Introspection
Python and GObject Introspection
 
Conan.io - The C/C++ package manager for Developers
Conan.io - The C/C++ package manager for DevelopersConan.io - The C/C++ package manager for Developers
Conan.io - The C/C++ package manager for Developers
 
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016
たった一ファイルの python スクリプトから始めるOSS開発入門 / PyCon JP 2016
 
Linux : PSCI
Linux : PSCILinux : PSCI
Linux : PSCI
 
今だからこそ知りたい Docker Compose/Swarm 入門
今だからこそ知りたい Docker Compose/Swarm 入門今だからこそ知りたい Docker Compose/Swarm 入門
今だからこそ知りたい Docker Compose/Swarm 入門
 
SSHの便利な使い方〜マイナーな小技編〜
SSHの便利な使い方〜マイナーな小技編〜SSHの便利な使い方〜マイナーな小技編〜
SSHの便利な使い方〜マイナーな小技編〜
 
MediaRecorder と WebM で、オレオレ Live Streaming
MediaRecorder と WebM で、オレオレ Live StreamingMediaRecorder と WebM で、オレオレ Live Streaming
MediaRecorder と WebM で、オレオレ Live Streaming
 
Linux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by StepsLinux Server Hardening - Steps by Steps
Linux Server Hardening - Steps by Steps
 
Responding to Cobalt Strike
Responding to Cobalt StrikeResponding to Cobalt Strike
Responding to Cobalt Strike
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820イエラエセキュリティMeet up 20210820
イエラエセキュリティMeet up 20210820
 

Ähnlich wie Hack.LU 2018 ARM IoT Firmware Emulation Workshop

Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 
Moksha - HTML5/CSS with Qt5+Snowshoe on AM335x
Moksha - HTML5/CSS with Qt5+Snowshoe on AM335xMoksha - HTML5/CSS with Qt5+Snowshoe on AM335x
Moksha - HTML5/CSS with Qt5+Snowshoe on AM335xPrabindh Sundareson
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]Mahmoud Hatem
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesortegaalfredo
 
20131015_demo_oshk
20131015_demo_oshk20131015_demo_oshk
20131015_demo_oshkJeff Yang
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptxssuserb4d806
 
Replatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with MinecraftReplatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with MinecraftVMware Tanzu
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightLinaro
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...Felipe Prado
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time OptimizationKan-Ru Chen
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersMichelle Holley
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoCodemotion
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...Codemotion
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Managing Large-scale Networks with Trigger
Managing Large-scale Networks with TriggerManaging Large-scale Networks with Trigger
Managing Large-scale Networks with Triggerjathanism
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NamePositive Hack Days
 

Ähnlich wie Hack.LU 2018 ARM IoT Firmware Emulation Workshop (20)

Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
C&C Botnet Factory
C&C Botnet FactoryC&C Botnet Factory
C&C Botnet Factory
 
Moksha - HTML5/CSS with Qt5+Snowshoe on AM335x
Moksha - HTML5/CSS with Qt5+Snowshoe on AM335xMoksha - HTML5/CSS with Qt5+Snowshoe on AM335x
Moksha - HTML5/CSS with Qt5+Snowshoe on AM335x
 
Linux boot-time
Linux boot-timeLinux boot-time
Linux boot-time
 
The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]The power of linux advanced tracer [POUG18]
The power of linux advanced tracer [POUG18]
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slides
 
20131015_demo_oshk
20131015_demo_oshk20131015_demo_oshk
20131015_demo_oshk
 
Labs_BT_20221017.pptx
Labs_BT_20221017.pptxLabs_BT_20221017.pptx
Labs_BT_20221017.pptx
 
Replatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with MinecraftReplatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with Minecraft
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
 
Android Boot Time Optimization
Android Boot Time OptimizationAndroid Boot Time Optimization
Android Boot Time Optimization
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear Containers
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Managing Large-scale Networks with Trigger
Managing Large-scale Networks with TriggerManaging Large-scale Networks with Trigger
Managing Large-scale Networks with Trigger
 
SCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the NameSCADA Strangelove: Hacking in the Name
SCADA Strangelove: Hacking in the Name
 

Mehr von Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 

Mehr von Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 

Kürzlich hochgeladen

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Kürzlich hochgeladen (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Hack.LU 2018 ARM IoT Firmware Emulation Workshop

  • 1. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 ARM IoT FIRMWARE EMULATION WORKSHOP Saumil Shah @therealsaumil 16 October 2018
  • 2. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 # who am i CEO Net Square. • Hacker, Speaker, Trainer, Author. • M.S. Computer Science Purdue University. • LinkedIn: saumilshah • Twitter: @therealsaumil
  • 3. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Objectives • Extract the firmware from an IoT device. • Emulate the firmware in QEMU. • "Boot up" the virtual device. • Debugging, Testing and Fuzzing environment.
  • 4. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Case Study DLINK DIR-880L
  • 5. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Setup • armplayer2.zip - VMware image • dir880_mtdblocks.zip - firmware blobs • dir880_minicom.txt - console msgs • static_arm_bins.zip - fun t00lz • Extract the VM and start it up. • You will need SSH/SCP on your laptop.
  • 6. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Lab Virtual Machine All passwords are "exploitlab" J Yes you may write it down
  • 7. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 armplayer host SSH to port 2222 username: exploitlab QEMU ARMv7 SSH to port 22 username: root
  • 8. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 IoT Devices - An Introduction
  • 9. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Take a look at an IoT device...
  • 10. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram JTAG UART SPI notaccessible ...it is a special computer...
  • 11. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram Authentication Bypass Insecure Direct Obj Ref File Retrieval Remote Command Exec Memory Corruption Buffer Overflows Backdoors Default Passwords Hidden Paths Memory Corruption Buffer Overflows ...with "special" vulnerabilities
  • 12. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON
  • 13. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Obtaining the Firmware • Download the firmware files from the device update website. – binwalk • Find the UART pins on the device's board, solder and connect via serial console. – Extract the firmware via shell over serial console. • Direct hardware level extraction.
  • 14. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console • Most devices run a privileged shell on serial console. • Kernel boot arguments: • Getting firmware from a shell is easy... • ...finding the serial port is a challenge :) root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug
  • 15. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering the UART pins • Usually unsoldered. • Identify candidate pins. • Test for Vcc (+3.3V) and GND. • Test for TX, RX. • Important pins – TX, RX, GND.
  • 16. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering UART pins Possible UART pins False Positive
  • 17. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Discovering UART pins Second Possibility
  • 18. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Testing Voltages Vcc (+3.3V) GND GND runs through- out the board
  • 19. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Testing Voltages Vcc (+3.3V) GND The other two pins have to be TX, RX. GND Verify continuity across GND
  • 20. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console Device GND TX RX GND TX RX minicom Serial Port = /dev/ttyUSB0 115200 baud 8N1 Vcc
  • 21. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Serial Console - working
  • 22. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Finished Serial Port Projects
  • 23. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction via Console # cat /proc/cmdline root=/dev/mtdblock8 mtdparts=bcmsflash:256k(u- boot)ro,64k(devconf),64k(devdata),1472k(mydlink),128k(langpack),64k(nvram), 2m@0(flash);nflash:32m(upgrade),32m@0(rootfs)ro,128m@0(nflash);brcmnand:96m @32m(storage) console=ttyS0,115200 init=/sbin/preinit earlyprintk debug # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage"
  • 24. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 New vs Legacy Memory Layout Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0xb6f00000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 0 Heap Binary Stack Lib Lib 0x00008000 0xbf000000 0x40000000 0xbefdf000 /proc/sys/vm/legacy_va_layout = 1 New (current) Layout Legacy Layout
  • 25. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 QEMU ARM Kernel Emulator Driven Test Bench proc sys dev etc bin squashfs-root chroot environment proc sys dev etc bin init system services user processes nvram config (ini file) nvram shim gdb server multiarch gdb
  • 26. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Extract the rootfs
  • 27. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 rsync rootfs to ARM QEMU
  • 28. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 chroot the rootfs in QEMU Setup commands for binding /proc, /sys and /dev and running chroot kick off the init scripts
  • 29. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 The virtual router "boots up"
  • 30. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 SUCCESS!
  • 31. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 Wrapping Up • Firmware Emulation takes a LOT of exploration and trial-and-error… • …but it's worth it J • nvram interception code: https://github.com/therealsaumil/custom_nvram
  • 32. NETSQUARE (c) SAUMIL SHAHhack.lu 2018 THANK YOU! Saumil Shah @therealsaumil #hacklu 2018