i.mx memory madness · 2019-05-15 · accessing files stored in various images $...
TRANSCRIPT
![Page 1: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/1.jpg)
I.MX MEMORYI.MX MEMORYMADNESSMADNESS
HOW TO DUMP, PARSE, AND ANALYZE I.MX FLASHHOW TO DUMP, PARSE, AND ANALYZE I.MX FLASH
MEMORY CHIPSMEMORY CHIPS
Damien Cauquil | HITB Amsterdam 2019 (🎂🎉)
![Page 2: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/2.jpg)
WHO AM I ?WHO AM I ?
Head of R&D @ Econocom Digital.Security
Senior security researcher
Hardware hacker (or at least pretending)
![Page 3: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/3.jpg)
AGENDAAGENDA
Firmware extraction 101Meet the i.MX architecturei.MX flash memory layoutimx-nand-tools FTWBest practices
![Page 4: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/4.jpg)
FIRMWARE EXTRACTION 101FIRMWARE EXTRACTION 101
![Page 5: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/5.jpg)
WHY DO WE WANT TO EXTRACT AWHY DO WE WANT TO EXTRACT ADEVICE'S FIRMWARE ?DEVICE'S FIRMWARE ?
Contains filesystems, applications, binary files May also contain VERY interesting data:encryption/decryption keys, certificates, passwords
![Page 6: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/6.jpg)
WHY DO WE WANT TO EXTRACT AWHY DO WE WANT TO EXTRACT ADEVICE'S FIRMWARE ?DEVICE'S FIRMWARE ?
We need to understand everything about a device:
How it has been designed How it (really) works Where and how every bit of data is stored
![Page 7: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/7.jpg)
METHOD #1: CLIPPING & READINGMETHOD #1: CLIPPING & READING
![Page 8: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/8.jpg)
METHOD #2: CHIP-OFFMETHOD #2: CHIP-OFF
![Page 9: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/9.jpg)
PROFESSIONAL FLASH PROGRAMMERPROFESSIONAL FLASH PROGRAMMER
![Page 10: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/10.jpg)
![Page 11: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/11.jpg)
![Page 12: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/12.jpg)
NAND DUMP SIZENAND DUMP SIZE
Dump file is greater than 1 GB !
$ ls -alh camera.bin -rwx------ 1 virtualabs virtualabs 1,1G camera.bin
![Page 13: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/13.jpg)
PAGES, BYTES AND OOBPAGES, BYTES AND OOB
Bytes are stored, erased, and modified in pages NAND flash chips are not 100% reliable and errorswhen storing bits may occur To avoid this, vendors usually provide more space tostore Error Correction Codes (ECC) in spare-bytearea (OOB)
![Page 14: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/14.jpg)
PAGES, BYTES AND OOBPAGES, BYTES AND OOB
![Page 15: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/15.jpg)
PAGES, BYTES AND OOBPAGES, BYTES AND OOB
![Page 16: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/16.jpg)
REMOVING THE OOB DATAREMOVING THE OOB DATA
import sys PAGE, OOB = 4096, 224 BLOCK = PAGE + OOB orig_dump = open(sys.argv[1], 'rb').read() out_dump = open(sys.argv[2], 'wb') nblocks = int(len(orig_dump) / BLOCK) for i in range(nblocks): out_dump.write(orig_dump[i*BLOCK:(i+1)*PAGE + OOB]) out_dump.close() orig_dump.close()
![Page 17: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/17.jpg)
![Page 18: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/18.jpg)
CHECKING OUR DUMP WITH BINWALKCHECKING OUR DUMP WITH BINWALK
$ binwalk ipcam.fw.bin DECIMAL HEXADECIMAL DESCRIPTION ----------------------------------------------------------- 96188 0x177BC CRC32 polynomial table, [...] [...] 2490368 0x260000 Squashfs filesystem, [...] 4456448 0x440000 Squashfs filesystem, [...] 5505024 0x540000 Squashfs filesystem, [...] 6684672 0x660000 Squashfs filesystem, [...] 7208960 0x6E0000 JFFS2 filesystem, little endian 7643512 0x74A178 JFFS2 filesystem, little endian
![Page 19: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/19.jpg)
EXTRACTING FILES FROM VARIOUSEXTRACTING FILES FROM VARIOUSFILESYSTEMSFILESYSTEMS
: compressed filesystem, one
partition/image: Yet Another Flash FS
: Journalized Flash FS version 2, onepartition/image
: Unsorted Block Image, multiple partitions withvarious FS
SquashFS
YAFFS2JFFS2
UBI
![Page 20: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/20.jpg)
![Page 21: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/21.jpg)
IT'S A DOCUMENTED PROCESSIT'S A DOCUMENTED PROCESS
PenTestPartners just published a blog entry:
http://bit.ly/HITB-PTPFW
![Page 22: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/22.jpg)
AND WE STUMBLED UPON AN I.MX6AND WE STUMBLED UPON AN I.MX6SYSTEMSYSTEM
![Page 23: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/23.jpg)
![Page 24: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/24.jpg)
![Page 25: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/25.jpg)
HEX ANALYSIS REVEALED WEIRD BYTESHEX ANALYSIS REVEALED WEIRD BYTES
![Page 26: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/26.jpg)
A CRAPPY BYTE BEFORE UBI SIGNATUREA CRAPPY BYTE BEFORE UBI SIGNATURE
![Page 27: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/27.jpg)
SAME 1-BYTE OFFSET IN BINWALKSAME 1-BYTE OFFSET IN BINWALKOUTPUTOUTPUT
UBI header is not aligned on page size (0x1000)
![Page 28: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/28.jpg)
THAT'S WEIRD 😕THAT'S WEIRD 😕
Quick investigation revealed anomalies Our dump seems OK, but we still cannot extractdata from it It must be related to i.MX: maybe a custom storagemechanism
![Page 29: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/29.jpg)
I.MX ARCHITECTURE ANDI.MX ARCHITECTURE ANDMEMORY LAYOUTMEMORY LAYOUT
![Page 30: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/30.jpg)
I.MX ARCHITECTUREI.MX ARCHITECTURE
Integrated Multimedia Application processors Popular in automotive and home automationindustries Provides a lot of features including:
Secure/non-secure RAMSATA II supportSecure Boot ...
![Page 31: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/31.jpg)
I.MX ARCHITECTUREI.MX ARCHITECTURE
![Page 32: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/32.jpg)
I.MX ARCHITECTUREI.MX ARCHITECTURE
Can boot on various storage devices:NAND FlashParallel NOR FlashSD cardMMCSATA HDD
It also embeds a boot ROM (Freescale Inc.)
![Page 33: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/33.jpg)
GENERAL-PURPOSE MULTIMEDIAGENERAL-PURPOSE MULTIMEDIAINTERFACEINTERFACE
controls how data is read/stored on NAND flashchips supports multiple NAND flash chips uses BCH to perform error control and correction
![Page 34: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/34.jpg)
NAND FLASH STRUCTURENAND FLASH STRUCTURE
(image extracted from i.MX28 reference manual)
![Page 35: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/35.jpg)
HOW IS DATA STORED ?HOW IS DATA STORED ?
Data is split in 512-byte chunks ECC bits are added at the end of each chunk Chunks are then grouped and stored in a pagepreceeded by one metadata block Bad block marker byte is swapped with firstmetadata byte !
![Page 36: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/36.jpg)
WEIRD BYTE EXPLAINED !WEIRD BYTE EXPLAINED !
![Page 37: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/37.jpg)
FIRMWARE CONFIGURATION BLOCKFIRMWARE CONFIGURATION BLOCK(FCB)(FCB)
This structure contains all the required informationabout how data is stored It must be present in the first 1MB Second field of this structure contains "FCB " inASCII
![Page 38: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/38.jpg)
FCB SIGNATURE IN HEXDUMPFCB SIGNATURE IN HEXDUMP
![Page 39: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/39.jpg)
FIRMWARE CONFIGURATION BLOCKFIRMWARE CONFIGURATION BLOCK(FCB)(FCB)
NAND page data sizeBlock N ECC typeBlock N sizeBlock 0 ECC typeBlock 0 sizeNumber of bytes in metadata of a page...
![Page 40: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/40.jpg)
FCB SIGNATURE IN HEXDUMPFCB SIGNATURE IN HEXDUMP
Offset +0x3C: number of bytes of metadata block
![Page 41: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/41.jpg)
1-BYTE OFFSET EXPLAINED !1-BYTE OFFSET EXPLAINED !
![Page 42: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/42.jpg)
DISCOVERED BAD BLOCK TABLE (DBBT)DISCOVERED BAD BLOCK TABLE (DBBT)
Provides custom NAND bad block management Its headers provide information about the numberof bad blocks and impacted pages
![Page 43: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/43.jpg)
ECCECC
(image extracted from i.MX28 reference manual)
![Page 44: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/44.jpg)
ECCECC
Provides a way to dynamically fix errors, if possible Uses BCH (Bose, Ray-Chaudhuri and Hocquenghem)error-correcting code Data bytes may be shi�ed by a number of bits dueto BCH bits
![Page 45: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/45.jpg)
SO, WHAT'S NEXT ?SO, WHAT'S NEXT ?
![Page 46: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/46.jpg)
FROM NAND FLASH DUMP TOFROM NAND FLASH DUMP TOFILESYSTEMSFILESYSTEMS
![Page 47: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/47.jpg)
RECOVER AND REMAP ALL THE BYTESRECOVER AND REMAP ALL THE BYTES
We first find an FCB structure and parse it to recoverall the critical parameters Then we remove every metadata and ECC bitsaccording to this FCB We use ECC bits to fix errors and save each block inan output file
![Page 48: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/48.jpg)
![Page 49: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/49.jpg)
IMX NAND TOOLSIMX NAND TOOLS
$ sudo pip install imx-nand-tools
https://github.com/DigitalSecurity/imx-nand-tools/
![Page 50: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/50.jpg)
FCB PARSINGFCB PARSING
![Page 51: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/51.jpg)
CONVERTING IMAGE TO USEABLE DUMPCONVERTING IMAGE TO USEABLE DUMP
![Page 52: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/52.jpg)
ANALYZING THIS NEW DUMPANALYZING THIS NEW DUMP
![Page 53: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/53.jpg)
UBI OVERVIEWUBI OVERVIEW
![Page 54: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/54.jpg)
UBIREADERUBIREADER
Provides a set of tools to parse, analyze and extractvolumes and files from a UBI container Open-source and available on Github Written in Python Does not support fastboot mode
![Page 55: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/55.jpg)
ACCESSING FILES STORED IN VARIOUSACCESSING FILES STORED IN VARIOUSIMAGESIMAGES
$ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x 19 virtualabs virtualabs 4096 mai 9 09:40 . drwxr-xr-x 3 virtualabs virtualabs 4096 mai 9 09:40 .. drwxr-xr-x 2 virtualabs virtualabs 4096 mai 9 09:40 bin drwxr-xr-x 2 virtualabs virtualabs 4096 mai 9 09:40 boot drwxr-xr-x 5 virtualabs virtualabs 4096 mai 9 09:40 Data [...] drwxr-xr-x 2 virtualabs virtualabs 4096 mai 9 09:40 tmp drwxr-xr-x 7 virtualabs virtualabs 4096 mai 9 09:40 usr drwxr-xr-x 2 virtualabs virtualabs 4096 mai 9 09:40 var
![Page 56: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/56.jpg)
THAT'S A WINTHAT'S A WIN
![Page 57: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/57.jpg)
SECURITY THROUGH OBSCURITYSECURITY THROUGH OBSCURITY
(Image: XKCD #257)
![Page 58: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/58.jpg)
NOT SO OBSCURE AFTERALLNOT SO OBSCURE AFTERALL
Reference manuals describe how i.MX GPMI worksand how data is read/stored on NAND flash memory Publicly available code on Github provides a betterunderstanding of critical structures and how thingsare implemented
![Page 59: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/59.jpg)
IMX KNOBS GITHUB REPOSITORYIMX KNOBS GITHUB REPOSITORY
![Page 60: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/60.jpg)
IMX UBOOT GITHUB REPOSITORYIMX UBOOT GITHUB REPOSITORY
![Page 61: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/61.jpg)
Y U NO ENCRYPT ?Y U NO ENCRYPT ?
i.MX systems support NAND flash encryption Most of the systems we have tested so far do not useencryption (what did you expect ?)
![Page 62: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/62.jpg)
KNOWN VARIANTSKNOWN VARIANTS
Some i.MX dumps we made seemed to use adifferent ECC mechanism Various GPMI drivers mention different versions ofFreescale ROM and variants of FCB structure The current version of imx-nand-tools worked for allof our dumps but may fail with yours, so ...
![Page 63: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/63.jpg)
INSTALL, TEST, AND CONTRIBUTE !INSTALL, TEST, AND CONTRIBUTE !
![Page 64: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/64.jpg)
CONCLUSIONCONCLUSION
i.MX system uses a custom NAND flash layoutThis layout is documented in various documentsand publicly available codeimx-nand-tools provides a set of tools to handle thislayout and convert dumps into useable imagesi.MX systems should use NAND flash encryptionfeature to avoid key/password/IP leaks
![Page 65: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/65.jpg)
Contact
THANKS FOR ATTENDING, ANYTHANKS FOR ATTENDING, ANYQUESTION ?QUESTION ?
[email protected] @virtualabs
![Page 66: I.MX MEMORY MADNESS · 2019-05-15 · ACCESSING FILES STORED IN VARIOUS IMAGES $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs [...] $ ls ubifs-root/ -al total 76 drwxr-xr-x](https://reader030.vdocument.in/reader030/viewer/2022041022/5ed3d9bc06c58a42a1629d22/html5/thumbnails/66.jpg)
RELATED LINKSRELATED LINKSPTP firmware extraction tips & tricks:
IMX28 Reference manual:
UBOOT NAND utility:
Freescale Linux driver:
https://www.pentestpartners.com/security-blog/howfirmware-analysis-tools-tips-and-tricks/
https://bootlin.com/~maxime/pub/datasheet/MCIMX2https://github.com/u-boot/u-
boot/blob/master/tools/mxsboot.chttps://github.com/Freescale/
fslc/tree/4.1-2.0.x-imx/drivers/mtd/nand/gpmi-nand