Week 10
Please sit on the right half of the room
--->
Firmware
What is firmware?
Broad term for low-level software that has direct access to a device's hardware.
- Common examples include
- BIOS/UEFI: Initializes hardware and loads the operating system
- IOT: Printer's, cameras, routers, switches
- Phone Components: GPS, sensors, or battery
- Appliances: Washing machines, refrigerators, microwaves
Firmware Types
There's a large diversity of firmware architecture since it's often customized to the hardware. Three broad categories include:
- Bare Metal: A single program built to run without an operating system (think arduino program)
- Real-time Operating System (RTOS): A lightweight operating system with memory management, scheduling
- Linux-based: Either a stripped-down linux distribution or the linux kernel embedded in a custom operating system
Since firmware is often developed for microprocessors, they often use the MIPS or ARM instruction sets.
Obtaining Firmware
Image may include
- Operating system
- File system
- User applications
Firmware Extraction
Firmware is often distributed as binary blobs (img files) and it's up to us to extract useful files from them.
00000000: AA BB CC DD EE FF 00 11 22 33 44 55 66 77 88 99 ........"3DUfw..
00000010: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF .."3DUfw........
00000020: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00001000: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00001010: FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00 ........wfUD3"..
00001020: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 .PNG......IHDR
00002000: 00 00 02 80 00 00 01 E0 08 06 00 00 00 75 71 3C ..............uq<
00002010: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00002020: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00003000: 4C 00 00 00 04 67 41 4D 41 00 00 B1 8F 0B FC 61 L....gAMA......a
00003010: FF D8 FF E0 00 10 4A 46 49 46 00 01 02 01 00 60 ......JFIF.....`
00003020: 00 60 00 00 FF DB 00 43 00 08 06 06 07 06 05 08 .`.....C........
00004000: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00004010: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00004020: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00005000: 50 4B 03 04 14 00 06 00 08 00 00 00 21 00 B3 AC PK..........!...
00005010: 8D 4E 00 00 00 00 00 00 00 00 00 00 08 00 1C 00 .N..............
00005020: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00006000: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00006010: 74 65 73 74 2E 74 78 74 55 54 09 00 03 E8 3D 75 test.txtUT....=u
00006020: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00007000: 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............
00007010: 02 00 3E 00 01 00 00 00 78 00 40 00 00 00 00 00 ..>.....x.@.....
00007020: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
00008000: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00008010: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
00008020: 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 ................
dd if=<firmware> of=<outfile> bs=<block size> skip=<start> count=<size>dd if=file.bin of=out.png bs=1 skip=4128 count=8176dd if=file.bin of=out.jpg bs=1 skip=12304 count=4112dd if=file.bin of=out.zip bs=1 skip=20480 count=8192Firmware Extraction
There exist tools that attempt to automate this process
Binwalk
Unblob
Questions?
Lab 1
Firmware Extraction
Firmware Analysis
Linux Firmware Triage
When enumerating linux-based firmware, there's a variety of artifacts to look for.
- System Architecture: x86, ARM, MIPS
- Authentication: ssh keys, shadow file, etc.
- Versions: busybox, linux kernel version
-
User Applications: web server, ftp server
- Are there any known vulnerabilities for the user applications or OS version?
Emulation
It can also be helpful to run different files included on the file system. If the firmware architecture is different from your host machine, you must emulate the binaries you run. QEMU is the industry standard open-source emulator.
There are two main flavors of emulation:
- User Mode: Emulate individual processes
- Full System: Emulates the entire operating system with virtual hardware
