Upload File

30c3 introduction to firmware analysis

41
December 2013 An introduction to Firmware Analysis Stefan Widmann 1 of 41 MOV A,R0 SUBB A,#7 MOV R1,A MOV A,R2 SUBB A,#0 MOV R3,A MOV A,R1 MUL AB ADD A,DPL MOV R1,A MOV A,B ADDC A,DPH MOV R3,A RET MOVX A,@R0 MOV DPH,A INC R0 MOVX A,@R0 MOV DPL,A INC R0 MOVX A,@DPTR POP DPL POP DPH MOVX A,@DPTR DEC A SUBB A,R1 XCH A,R0 XCH A,R1 XCH A,R3 XCH A,R2 XCH A,R3 RET MOV A,R7 MOVX @DPTR,A INC DPTR MOV A,R6 MOVX @DPTR,A RET SETB RS0 MOV P2,R2 MOVX A,@R0 CLR RS0 RET An introduction to Firmware Analysis Stefan Widmann [email protected] CCC Regensburg 30C3 in Hamburg

Upload: montgomery-fortner

Post on 08-Feb-2016

35 views

Category:

Documents


0 download

Report

Tags:

DESCRIPTION

30C3 Introduction to Firmware Analysis

TRANSCRIPT

Page 1: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

1 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

An introduction to Firmware Analysis

Stefan [email protected]

CCC Regensburg

30C3 in Hamburg

Page 2: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

2 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Contents

● Motivation

● Prerequisites

● Obtaining a Firmware image

● Analyzing the Firmware image

● Modifying the Firmware image

Page 3: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

3 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Motivation

● Interoperablility

● Fixing bugs because the manufacturer doesn't

● Forensics

Page 4: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

4 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Prerequisites

● Knowledge about embedded system's architectures

● Good knowledge of assembler languages

● Don't rely on decompilers

● To practice: Compile code on an embedded platform, then analyze the assembly output

● Device programmer?

● Time, time, time

Page 5: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

5 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- non-invasive -

● Download plain binary from manufacturer

● Download extracted binary from internet

● Download Bootdisk / USB / CD boot images, extract using Winrar (Windows) or mount the image (Linux)

● .bin / .hex / .s19 / .mot / .rom / .raw

● Convert non-bin-files to bin (e.g. hex2bin)

Page 6: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

6 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- non-invasive -

● Download an updater from manufacturer

– (.exe → Windows)● Updater types:

– Selfextracting archive

– Installer (like InstallShield, ...)

– Updater containing an image

– Updater downloading an image

– Packed updater (UPX, PECompact, ...)

Page 7: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

7 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- non-invasive -

● Selfextracting archive:

– „RARSFX“ signatures → unrar, WinRAR

– „PK“ signatures → rename to .zip, unzip● Installer (e.g. InstallShield)

– Special unpacker (hard to use)

– Let it install● Plain image● Updater

Page 8: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

8 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- non-invasive -

● Updater containing an image

– Search image in executable (Hexeditor)

– Writing a file → ProcessMonitor● Updater downloading an image

– Download to file → ProcessMonitor

– Download to RAM → Debugger → Dump

Page 9: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

9 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- non-invasive -

● Packed Updater

– Standard UPX → upx -d to unpack

– Modified UPX → special unpacker

– Other packers → special unpacker

Page 10: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

10 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- non-invasive -

● Problem: Compressed images

– Normally unpacked before writing to the device (in RAM) → Debugger → Dump

– Hard: FW is sent compressed to device → invasive techniques

Page 11: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

11 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- non-invasive -

● Sniffing update transfer

– WinXP: TraceSPTI (IDE / SATA / USB)

– Linux: Wireshark (USB)

– Various other tools

– Problem: Image has to be reconstructed

Page 12: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

12 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- invasive? -

● Serial interfaces

– Embedded Linux? → serial console

– JTAG

– More information: 27C3 talk

„JTAG/Serial/FLASH/PCB Embedded Reverse Engineering Tools and Techniques“

https://www.youtube.com/watch?v=pCeedinviN0

Page 13: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

13 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- invasive -

● FW in memory devices

– (E)PROM (27...)

– EEPROM / FLASH (28... / 29... / 39... / 49...)

– Serial FLASH (25..., sometimes even 24...)● Becoming standard● Cheap readers / programmers

Page 14: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

14 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- invasive -

● FW in chip-internal memories

– Proprietary interfaces → try using IDE

– JTAG

– Bootloaders (in ROM)

– Microprobing● More information: 29C3 talk

„Low-Cost Chip Microprobing“

https://www.youtube.com/watch?v=b_MsQRpwRlw

Page 15: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

15 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Obtaining a Firmware image- invasive -

● CPLDs and FPGAs

– CPLDs: internal EEPROM

– FPGAs: internal SRAM, external serial FLASH

– are sold to be reverse-engineer-proof

Page 16: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

16 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

We have the image!

Congratulations!

You've got a FW binary in front of you!

But what's next?

Page 17: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

17 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

● Finding out processor / controller type

– Datasheets?

– Internet?

– Trial and error, trying n different disassemblers● Specific disassembler● IDA● ODA (OnlineDisAssembler)

Page 18: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

18 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

0e 43 4e 9304 34 3c 4007 00 7f e35e 53 4c 9303 34 5e e37f e3 5c 530d 12 b0 1234 12 3a 416d b3 02 247d e3 5b 535d b3 02 247f e3 5e 5330 41

Page 19: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

19 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

0e 43 4e 9304 34 3c 4007 00 7f e35e 53 4c 9303 34 5e e37f e3 5c 530d 12 b0 1234 12 3a 416d b3 02 247d e3 5b 535d b3 02 247f e3 5e 5330 41

H8s?

Page 20: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

20 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

0e 43 4e 9304 34 3c 4007 00 7f e35e 53 4c 9303 34 5e e37f e3 5c 530d 12 b0 1234 12 3a 416d b3 02 247d e3 5b 535d b3 02 247f e3 5e 5330 41

MIPS?

Page 21: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

21 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

0e 43 4e 9304 34 3c 4007 00 7f e35e 53 4c 9303 34 5e e37f e3 5c 530d 12 b0 1234 12 3a 416d b3 02 247d e3 5b 535d b3 02 247f e3 5e 5330 41

MN103?

Page 22: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

22 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

0e 43 4e 9304 34 3c 4007 00 7f e35e 53 4c 9303 34 5e e37f e3 5c 530d 12 b0 1234 12 3a 416d b3 02 247d e3 5b 535d b3 02 247f e3 5e 5330 41

MSP430?

Page 23: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

23 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

● Offset in file often != offset in address space

● No real problem with relative adressing

● Big problem in absolute adressing

● Entry point unknown

● Interrupt vectors unknown

● Subroutine calls do not make sense

● → Load offset must be found out

Page 24: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

24 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

● Determination of load offset:

– Method „call distance search“

– Select closely located subroutines addresses

– Decide to use either return instructions or function entry sequences

– Build search string containing wildcards

Page 25: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

25 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

Page 26: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

26 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

Page 27: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

27 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

Page 28: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

28 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

Page 29: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

29 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

Page 30: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

30 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

Page 31: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

31 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

Page 32: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

32 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

● Question: Is there additional FW?

● Jumps and calls to destinations outside the FW?

● e.g. chip-internal?

● See chapter „Modification“

Page 33: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

33 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

● Starting reverse engineering of the code

● Search for strings and references to the strings

● Search for very specific data references / operands

– USB descriptor fields (lsusb -v...)

– USB magics („USBC“ and „USBS“)

– IDE / SATA / ATAPI ID strings

– Typical communicated data blocks

– Error codes (either strings or in code)

Page 34: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

34 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Analyzing the FW binary

● Very interesting: Finding FW update sequences

● Allows non-invasive modifications

● e.g. chip erase and programming commands

Page 35: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

35 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Modifying the FW binary

Now we've learned a lot about our device and its FW...

Ready to modify it?

Page 36: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

36 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Modifying the FW binary

● Be prepared to brick your device

● Integrity checks

– SW based checksum calculation

– HW based checksum calculation

– Combination of both = more than one checksum

● Correct checksums

● Patch checksum algorithms

Page 37: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

37 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Modifying the FW binary

● Goals:

– Correcting errors

– Dumping additional memory regions● Find or implement memcpy routine● Write memory contents to output

(buffers)– Gather more device internal information

Page 38: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

38 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Modifying the FW binary

● Inject the modified FW into device

– Using the original updater (checksum check?)

– Re-programming memory device / processor

– Via serial interface (JTAG, proprietary)

Page 39: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

39 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

The end

That's it for now...

mov ax, 0x10D0xor ax, 0x2013ax = ???

Page 40: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

40 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

Links

● Hex-Rays IDA 5.0 Freeware version

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

● OnlineDisAssembler

www.onlinedisassembler.com

● Process Monitor

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Page 41: 30C3 Introduction to Firmware Analysis

December 2013 An introduction to Firmware AnalysisStefan Widmann

41 of 41

MOV A,R0SUBB A,#7MOV R1,AMOV A,R2SUBB A,#0MOV R3,AMOV A,R1MUL ABADD A,DPLMOV R1,AMOV A,BADDC A,DPHMOV R3,ARETMOVX A,@R0MOV DPH,AINC R0MOVX A,@R0MOV DPL,AINC R0MOVX A,@DPTR POP DPLPOP DPHMOVX A,@DPTRDEC ASUBB A,R1XCH A,R0XCH A,R1XCH A,R3XCH A,R2XCH A,R3RETMOV A,R7MOVX @DPTR,AINC DPTRMOV A,R6MOVX @DPTR,ARETSETB RS0MOV P2,R2MOVX A,@R0CLR RS0RET

List of references

● Pictures on slides x to x are taken from

www.onlinedisassembler.com screen output

● Cliparts are taken from www.openclipart.org

http://www.onlinedisassembler.com/

Automated Dynamic Firmware Analysis at Scale: A Case …s3.eurecom.fr/docs/asiaccs16_costin.pdf · Automated Dynamic Firmware Analysis at Scale: ... To perform scalable security testing

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware

30C3 – 30 December 2013 Through a PRISM, Darkly Kurt Opsahl Senior Staff Attorney, EFF

30c3 lightning talks - phdays labyrinth

Moral Reform 30C3 presentation-export.pptx

Firmware Version V2.09 TMCL™ FIRMWARE MANUAL

Analysis, Improvement, and Development of New Firmware for ...mcolom.perso.math.cnrs.fr/download/TFG_UOC.pdf · Universitat Oberta de Catalunya Degree’s Project Analysis, Improvement,

AMT Firmware Rework Instructions V1.00 - Fujitsu United …solutions.us.fujitsu.com/downloads/mobile/fjbios/AMT Firmware... · K:\Service & Support\Level 3\AMT Firmware\AMT Firmware

Automated Dynamic Firmware Analysis at Scale ... - Black · PDF fileAutomated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces ... such as SQL injection

1 Pulsar firmware status June 11th, 2004 Slink format Transmitter firmware Transmitter firmware status Receiver firmware overview Receiver firmware status

A Case Study on Vulnerability Analysis and Firmware ...isyou.info/inpra/papers/inpra-v5n4-03.pdf · A Case Study on Vulnerability Analysis and Firmware Modification Attack J. Shim

GAC2500 Firmware Release Note - Firmware- …firmware.grandstream.com/Release_Note_GAC2500_1.0.3.5.pdfGAC2500 Firmware Release Note Table of Content FIRMWARE VERSION 1.0.3.5

SD Card Hacking - bunniefoobunniefoo.com/bunnie/sdcard-30c3-pub.pdf · SD Card Hacking The Exploration and Exploitation of an SD Memory Card bunnie & xobs 30c3. Origin: Searching

Automating Analysis and Exploitation of Embedded · PDF fileAutomating Analysis and Exploitation of Embedded Device Firmware By: Malachi Jones, PhD

Automating Analysis and Exploitation of Embedded Device Firmware

Anja Kohfeldt 30C3, Hamburg - CCC Event Blog · Anja Kohfeldt December 27, 2013 30C3, Hamburg. ... transition frequency in the optical ... I modulation via phase shift keying

Firmware Analysis of Embedded Systems

A firmware analysis tour with Avatar in 7 minutes · A firmware analysis tour with Avatar in 7 minutes (maybe) Aurélien Francillon, Eurecom Cryptacus Meeting, 6 Nov 2016. HDD backdoor

Hardening Firmware Components with Host‐based …...presented by Hardening Firmware Components with Host‐based Analysis Spring 2019 UEFI Plugfest April 8‐12, 2019 Presented by

UEFI Firmware Storage System Analysis

BigMAC: Fine-Grained Policy Analysis of Android Firmware

Genetic Analyzer: ABI Sequence Analysis Moduleusers.stlcc.edu/departments/fvbio/Genetic_Analyzer... · Other Software/Firmware & Version: Seq-A 5.4 (ex: Seq Analysis v5.3) Other Software/Firmware

Contents SonicWALL Analysis of PenTest Vulnerability …software.sonicwall.com/Firmware/Documentation/232... · SonicWALL Analysis of PenTest Vulnerability Reports ... SonicWALL Analysis

Firmware, the Last Frontier: Open System Firmware (OSF)€¦ · System Firmware development and maintenance. Various System Firmware implementations exists, but not one single implementation

AWG4000 Series firmware upgrade proceduredownload.tek.com/...firmware-upgrade-procedure_0.pdf · AWG4000 Series firmware upgrade procedure 9 AWG4000 Series firmware upgrade procedure

RANDSTREAM ETWORKS - Firmware- Grandstream …firmware.grandstream.com/Release_Note_GXW40xx_HT50x_1.0...Firmware Release Notes Firmware Version 1.0.15.5 Product Name: GXW40XX / HT50X

Fudging With Firmware Analysis

Firmware Analysis of Linksys E900 v. 1.0.09

Automated Dynamic Firmware Analysis at Scale: A …Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces Andrei Costin EURECOM Sophia Antipolis, France

Firmware Version V1.26 TMCL™ FIRMWARE MANUAL

Upgrade Firmware Tools User Guide - quectel.com · Firmware Upgrade Tool Lite User Guide Firmware_Upgrade_Tool_Lite_V1.1 -6 - 2. Firmware The firmware package contains three files:

Jacob Appelbaum - To Protect and Infect: The Militarization of the Internet - 30c3 (Slide Presentation)

Polycom SoundStructure Firmware 1.7 · Release Notes for Polycom SoundStructure Firmware 1.7.7 Polycom, Inc. 10 Polycom SoundStructure Firmware 1.7.5 Polycom SoundStructure Firmware

IMPROVING YOUR FIRMWARE SECURITY ANALYSIS PROCESS … · IMPROVING YOUR FIRMWARE SECURITY ANALYSIS PROCESS WITH FACT Johannes vom Dorp Seite 1 @FAandCTool ... Pentesting target

SD Card Hacking · SD Card Hacking The Exploration and Exploitation of an SD Memory Card bunnie & xobs 30c3