Firmware Analysis Tutorial
Dimitrios-Georgios Akestoridis
D.-G. Akestoridis, Firmware Analysis of Embedded Systems, Mobile and IoT Security (Fall 2018)
What is an embedded system?
• Most IoT devices are just embedded systems with networking capabilities,
such as:
• IP cameras
• Fitness trackers
• Smart locks
How do embedded systems work?
• Many vendors use flash memory in their devices to store their firmware,
which enables them to later:
• Improve the system’s functionality
• Fix security vulnerabilities
What does a firmware image look like?
• Possible methods for obtaining the firmware image of a device:
• Downloading it from the vendor’s website
• Capturing it during the device’s firmware update process
• Extracting it from the hardware
• For illustration purposes, we will use a firmware image from the OpenWrt
project:
• https://downloads.openwrt.org/releases/18.06.0/targets/ar71xx/generic/
• https://git.openwrt.org/openwrt/openwrt.git/
$ file
• The firmware image could be in a standard archive format that the file
command can identify
• If the file format of the provided firmware image is unknown, then file will
simply report that it contains binary data
$ strings
• We can inspect sequences of printable characters in the firmware image with
the strings command
$ hexdump
• We can examine the bytes of the firmware image with the hexdump
command
• 0x4e4c3136 (NL16) and 0x55324e44 (U2ND) correspond to the magic
number and ID number of the BIN header:
• https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=tools/firmware-utils/src/addpattern.c;hb=HEAD
• 0x48445230 (HDR0) corresponds to the magic number of the TRX header:
• https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=package/system/mtd/src/trx.c;hb=HEAD
• 0x27051956 corresponds to the magic number of the uImage header:
• https://git.denx.de/?p=u-boot.git;a=blob_plain;f=include/image.h;hb=HEAD
• 0x1f8b08 corresponds to the two-byte magic number of the gzip file format
(0x1f8b) followed by the byte that selects the “deflate” compression method (0x08):
• https://tools.ietf.org/html/rfc1952
• 0x68737173 (hsqs) corresponds to the magic number of the little-endian
SquashFS filesystem:
• https://sourceforge.net/p/squashfs/code/ci/master/tree/squashfs-tools/squashfs_fs.h
$ binwalk
• https://github.com/ReFirmLabs/binwalk
$ binvis
• We can use binvis to generate a
visualization of the firmware image with
space-filling curves in order to identify
regions with non-random data
• Coloring scheme:
• 0x00: [0,0,0]
• 0xff: [255,255,255]
• Printable character: [55,126,184]
• Everything else: [228,26,28]
• https://github.com/cortesi/scurve
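Added example (mine, not the binvis/scurve code): a reimplementation of the colouring scheme above, a Hilbert-curve mapping so that consecutive bytes stay neighbours in the picture, and a per-block summary that labels regions as padding, text or compressed-looking data. The 1 KiB sample image, the PPM output and the treatment of 0x20..0x7e as "printable" are my assumptions; the slide does not spell out the printable range.

```python
import random

# Colour per byte class, as listed on the slide. "printable" is taken to mean
# 0x20..0x7e (an assumption).
PALETTE = {
    "zero": (0, 0, 0),
    "ff": (255, 255, 255),
    "printable": (55, 126, 184),
    "other": (228, 26, 28),
}


def byte_class(b):
    if b == 0x00:
        return "zero"
    if b == 0xFF:
        return "ff"
    if 0x20 <= b <= 0x7E:
        return "printable"
    return "other"


def colour(b):
    return PALETTE[byte_class(b)]


def _rot(n, x, y, rx, ry):
    """Rotate/flip a quadrant so the curve stays continuous."""
    if ry == 0:
        if rx == 1:
            x, y = n - 1 - x, n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n, d):
    """Map distance d along a Hilbert curve to (x, y) on an n-by-n grid
    (n a power of two). Consecutive d values land on adjacent cells, which
    is why runs of similar bytes form contiguous patches in the picture."""
    x = y = 0
    s = 1
    while s < n:
        rx = 1 & (d // 2)
        ry = 1 & (d ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        d //= 4
        s *= 2
    return x, y


def render_ppm(data, order):
    """Render data along a Hilbert curve of side 2**order as a binary PPM.
    One byte per pixel when the image fits; otherwise each pixel shows the
    first byte of its chunk (a simplification of what scurve does)."""
    side = 1 << order
    cells = side * side
    step = max(1, -(-len(data) // cells))          # ceil(len / cells)
    pixels = [[PALETTE["zero"]] * side for _ in range(side)]
    for d in range(cells):
        chunk = data[d * step:(d + 1) * step]
        if not chunk:
            break
        x, y = d2xy(side, d)
        pixels[y][x] = colour(chunk[0])
    header = f"P6 {side} {side} 255\n".encode()
    body = bytes(c for row in pixels for px in row for c in px)
    return header + body


def region_summary(data, block=256):
    """Label each block by its dominant byte class: mostly "zero"/"ff" is
    padding or erased flash, "printable" is text or a string table, and
    "other" without a dominant value is compressed or encrypted data."""
    labels = []
    for start in range(0, len(data), block):
        counts = {name: 0 for name in PALETTE}
        for b in data[start:start + block]:
            counts[byte_class(b)] += 1
        labels.append((start, max(counts, key=counts.get)))
    return labels


def build_sample():
    """Constructed 1 KiB image: zero padding, ASCII passwd-style text,
    seeded pseudo-random bytes standing in for a compressed region, and
    erased-flash 0xff."""
    rng = random.Random(2018)
    return (bytes(256)
            + (b"root:x:0:0:root:/root:/bin/ash\n" * 9)[:256]
            + bytes(rng.getrandbits(8) for _ in range(256))
            + b"\xff" * 256)


if __name__ == "__main__":
    image = build_sample()
    for start, label in region_summary(image):
        print(f"0x{start:04x}: {label}")
    with open("binvis-sample.ppm", "wb") as f:
        f.write(render_ppm(image, order=5))      # 32x32 pixels, one byte each
```

The region summary is the part that scales: binvis is for eyeballing, but the same classification run over fixed-size blocks gives a machine-readable map (padding / text / compressed) of a multi-megabyte image.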
$ dd
• We can duplicate regions of the firmware image with the dd command:
• if option: Input file
• bs option: Number of bytes in a block (in decimal notation)
• skip option: Number of blocks to skip (in decimal notation)
• count option: Number of blocks to copy (in decimal notation)
• of option: Output file
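Added example (mine, not the project's code): the dd options above reproduced as a `dd()`-style slice so the block arithmetic (bs, skip, count) is explicit, driven by the TRX header's `len` and `offsets` fields (struct trx_header in trx.c, all fields little-endian) to decide what to carve. The TRX container is constructed inline, its CRC field is left zero and not checked, and the partition contents are placeholders.

```python
import struct

TRX_MAGIC = b"HDR0"
# struct trx_header from package/system/mtd/src/trx.c: magic, len, crc32,
# flag_version, offsets[3]; every field little-endian.
TRX_HEADER_FMT = "<4sIII3I"
TRX_HEADER_LEN = struct.calcsize(TRX_HEADER_FMT)     # 28 bytes


def dd(data, bs, skip, count, of=None):
    """Mimic `dd if=... bs=BS skip=SKIP count=COUNT of=OF` on an in-memory image:
    copy COUNT blocks of BS bytes starting SKIP blocks into the input. As with
    dd, a request that runs past the end of the input yields a short copy."""
    region = data[skip * bs:(skip + count) * bs]
    if of is not None:
        with open(of, "wb") as out:
            out.write(region)
    return region


def parse_trx(data, off=0):
    """Decode the TRX header found at offset `off`."""
    magic, length, crc32, flag_version, o0, o1, o2 = struct.unpack_from(TRX_HEADER_FMT, data, off)
    if magic != TRX_MAGIC:
        raise ValueError("no TRX header at offset %d" % off)
    return {
        "len": length,                   # total length, header included
        "crc32": crc32,                  # covers flag_version to the end of the image (trx.c)
        "flags": flag_version & 0xFFFF,
        "version": flag_version >> 16,
        "offsets": [o0, o1, o2],         # partition starts, relative to the header
    }


def carve_trx_partitions(data, off=0):
    """Split the TRX container into its partitions using the header's offsets.
    Each partition runs from its offset to the next non-zero offset, the last
    one to hdr["len"]; every slice is taken with a byte-granular dd() call."""
    hdr = parse_trx(data, off)
    bounds = [o for o in hdr["offsets"] if o] + [hdr["len"]]
    parts = [dd(data, bs=1, skip=off + start, count=end - start)
             for start, end in zip(bounds, bounds[1:])]
    return hdr, parts


def build_sample_trx():
    """Constructed TRX container: a 100-byte "kernel" followed by a 50-byte
    "rootfs". The CRC field is left zero; this example does not verify it."""
    kernel, rootfs = b"K" * 100, b"R" * 50
    offsets = [TRX_HEADER_LEN, TRX_HEADER_LEN + len(kernel), 0]
    total = TRX_HEADER_LEN + len(kernel) + len(rootfs)
    header = struct.pack(TRX_HEADER_FMT, TRX_MAGIC, total, 0, 1, *offsets)
    return header + kernel + rootfs


if __name__ == "__main__":
    image = build_sample_trx()
    hdr, parts = carve_trx_partitions(image)
    print(hdr, [len(p) for p in parts])
    # Same as `dd if=image bs=128 skip=1 count=1 of=rootfs.bin`: the second
    # 128-byte block only has 50 bytes left, so the copy is short.
    print(len(dd(image, bs=128, skip=1, count=1)))
```

With a real image, the offsets reported by binwalk (or by the header parser) give `skip`, and `bs=1` avoids the rounding that a larger block size introduces when a partition does not start on a block boundary.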
Data extraction tools
Inspecting the kernel image
Decompressing the kernel
• We can extract LZMA compressed data
with the unlzma command
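Added example (mine, not from the slides) covering the kernel-image and decompression slides: parse the 64-byte uImage header (struct image_header from U-Boot's include/image.h, big-endian), verify its header and data CRC-32 values, then decompress the LZMA payload the way unlzma would. The uImage is constructed inline around a fake kernel text; the IH_* values used (os 5 = Linux, arch 5 = MIPS, type 2 = kernel, comp 3 = lzma) follow U-Boot's header definitions, while the load address, name and payload are my placeholders.

```python
import lzma
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# struct image_header from U-Boot include/image.h: big-endian, 64 bytes.
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
UIMAGE_FMT = ">IIIIIIIBBBB32s"
UIMAGE_LEN = struct.calcsize(UIMAGE_FMT)
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def parse_uimage(data, off=0):
    (magic, hcrc, time, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack_from(UIMAGE_FMT, data, off)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage header at offset %d" % off)
    return {"hcrc": hcrc, "time": time, "size": size, "load": load, "ep": ep,
            "dcrc": dcrc, "os": os_, "arch": arch, "type": typ,
            "comp": IH_COMP.get(comp, "unknown(%d)" % comp),
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace")}


def verify_uimage(data, off=0):
    """Return (header_crc_ok, data_crc_ok, payload). U-Boot computes ih_hcrc
    over the header with the ih_hcrc field zeroed and ih_dcrc over the
    ih_size payload bytes; both are standard zlib CRC-32 values."""
    hdr = parse_uimage(data, off)
    raw = bytearray(data[off:off + UIMAGE_LEN])
    raw[4:8] = bytes(4)
    hcrc_ok = zlib.crc32(bytes(raw)) == hdr["hcrc"]
    payload = data[off + UIMAGE_LEN:off + UIMAGE_LEN + hdr["size"]]
    dcrc_ok = len(payload) == hdr["size"] and zlib.crc32(payload) == hdr["dcrc"]
    return hcrc_ok, dcrc_ok, payload


def decompress_kernel(hdr, payload):
    """Undo the compression named by ih_comp. "lzma" is the case the unlzma
    command handles (an LZMA "alone" stream, which lzma.decompress detects)."""
    if hdr["comp"] == "lzma":
        return lzma.decompress(payload)
    if hdr["comp"] == "gzip":
        return zlib.decompress(payload, 16 + zlib.MAX_WBITS)
    if hdr["comp"] == "none":
        return payload
    raise NotImplementedError(hdr["comp"])


def build_sample_uimage():
    """Constructed uImage wrapping an LZMA-compressed fake kernel text.
    Load/entry address and name are placeholders, not values from a real image."""
    kernel = b"Linux version 4.14.0 (constructed, not a real kernel)\n" * 200
    payload = lzma.compress(kernel, format=lzma.FORMAT_ALONE)
    name = b"constructed MIPS kernel".ljust(32, b"\0")
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80060000, 0x80060000,
              zlib.crc32(payload), 5, 5, 2, 3, name]
    fields[1] = zlib.crc32(struct.pack(UIMAGE_FMT, *fields))   # hcrc with the field zeroed
    return struct.pack(UIMAGE_FMT, *fields) + payload, kernel


if __name__ == "__main__":
    image, _ = build_sample_uimage()
    hdr = parse_uimage(image)
    hcrc_ok, dcrc_ok, payload = verify_uimage(image)
    print(hdr, "hcrc ok:", hcrc_ok, "dcrc ok:", dcrc_ok)
    print(decompress_kernel(hdr, payload)[:40])
```

A failed data CRC on a downloaded or captured image means the payload was truncated or altered somewhere between the vendor and the analyst, so the check is worth running before spending time on the decompressed kernel.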
Inspecting the kernel
Inspecting the filesystem
Password files
• Usually, the system’s accounts can be found in the /etc/passwd file and
their hashed passwords are stored in the /etc/shadow file
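Added example (mine, not from the slides): an audit of /etc/passwd and /etc/shadow as extracted from an image, flagging the account configurations an analyst reports: empty password fields, hashes kept in the world-readable passwd file, extra UID 0 accounts, and md5-crypt or traditional DES hashes. The two files are constructed inline and the hash strings in them are placeholders of the right shape, not real hashes.

```python
def parse_passwd(text):
    """Yield one dict per /etc/passwd entry (seven colon-separated fields)."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        yield {"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell}


def parse_shadow(text):
    """Return {name: hash} from /etc/shadow (second field of each entry)."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            table[fields[0]] = fields[1]
    return table


def audit_accounts(passwd_text, shadow_text):
    """Return a list of (account, finding) for the configurations worth reporting."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for acct in parse_passwd(passwd_text):
        name, pw = acct["name"], acct["pw"]
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd: no password needed"))
        elif pw not in ("x", "*", "!"):
            findings.append((name, "password hash kept in world-readable /etc/passwd"))
        if acct["uid"] == 0 and name != "root":
            findings.append((name, "extra UID 0 (root-equivalent) account"))
        if pw == "x":                       # password is in /etc/shadow
            h = shadow.get(name)
            if h is None:
                findings.append((name, "no matching /etc/shadow entry"))
            elif h == "":
                findings.append((name, "empty hash in /etc/shadow: no password needed"))
            elif h.startswith(("!", "*")):
                pass                        # locked account
            elif h.startswith("$1$"):
                findings.append((name, "md5-crypt hash: weak, cheap to attack offline"))
            elif not h.startswith("$"):
                findings.append((name, "traditional DES crypt hash: weak"))
    return findings


# Constructed sample files. The "$1$...$..." strings are placeholders shaped
# like md5-crypt hashes; they are not real hashes of any password.
PASSWD = """root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
admin:x:0:0:admin:/root:/bin/ash
support:$1$cnstrctd$AAAAAAAAAAAAAAAAAAAAA0:1000:1000::/tmp:/bin/ash
guest::1001:1001::/tmp:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
"""

SHADOW = """root:$1$cnstrctd$BBBBBBBBBBBBBBBBBBBBB0:17000:0:99999:7:::
daemon:*:0:0:99999:7:::
admin::17000:0:99999:7:::
nobody:*:0:0:99999:7:::
"""


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD, SHADOW):
        print(f"{account:10s} {finding}")
```

On an extracted SquashFS root, feed it the contents of `etc/passwd` and `etc/shadow`; images that ship an empty or `$1$` root hash in the shadow file are the ones to escalate to the vendor.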
Encryption keys
• Many devices contain hard-coded private keys in their firmware in order to
support HTTPS:
• http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/
• Multiple devices may be using the same encryption keys, sometimes even
devices of different vendors:
• https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/costin
• https://www.sec-consult.com/en/blog/2016/09/house-of-keys-9-months-later-40-worse/index.html
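Added example (mine, not from the slides or the cited papers) for the two key points above: locate PEM private keys in extracted filesystems, fingerprint each by the SHA-256 of its DER body, and report fingerprints that occur in more than one image, which is how key reuse across devices and vendors shows up. The two "images" are constructed dictionaries whose PEM bodies are base64 of placeholder bytes, not real keys, and the image and path names are invented; `load_tree()` reads a real extracted directory for actual use.

```python
import base64
import hashlib
import os
import re

# PEM block types that hold private key material. Whitespace handling is
# loose because keys often sit inside C string literals or bundled files.
PEM_PRIVATE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----\s*"
    rb"([A-Za-z0-9+/=\s]+?)\s*-----END \1-----")


def find_private_keys(files):
    """files: {path: bytes}. Return a list of (path, key_type, sha256 of DER)."""
    found = []
    for path, blob in files.items():
        for m in PEM_PRIVATE.finditer(blob):
            key_type = m.group(1).decode()
            try:
                der = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
            except ValueError:
                continue                    # markers present but body is not base64
            found.append((path, key_type, hashlib.sha256(der).hexdigest()))
    return found


def load_tree(root):
    """Read every regular file below an extracted root (e.g. squashfs-root/)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p) and not os.path.islink(p):
                with open(p, "rb") as f:
                    files[os.path.relpath(p, root)] = f.read()
    return files


def key_reuse(images):
    """images: {image_name: {path: bytes}}. Return {fingerprint: sorted list of
    (image_name, path)} for every key found in more than one image."""
    seen = {}
    for image_name, files in images.items():
        for path, _key_type, fp in find_private_keys(files):
            seen.setdefault(fp, set()).add((image_name, path))
    return {fp: sorted(locs) for fp, locs in seen.items()
            if len({img for img, _ in locs}) > 1}


def _pem(kind, der):
    """Wrap placeholder bytes as a PEM block (64-column base64 body)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (kind, b"\n".join(lines), kind)


def build_sample_images():
    """Two constructed images (invented names) that share one key; the second
    also embeds a second key inside a binary, as happens with linked-in certs."""
    shared = _pem(b"RSA PRIVATE KEY", b"constructed, not real key material: shared " * 4)
    unique = _pem(b"EC PRIVATE KEY", b"constructed, not real key material: one device " * 4)
    return {
        "vendorA-camera-1.0": {"etc/ssl/server.key": shared,
                               "etc/passwd": b"root:x:0:0:root:/root:/bin/ash\n"},
        "vendorB-router-2.3": {"etc/httpd/key.pem": shared,
                               "usr/lib/libhttpd.so": b"\x7fELF" + unique},
    }


if __name__ == "__main__":
    for fp, locations in key_reuse(build_sample_images()).items():
        print(fp[:16], locations)
```

For a real survey, build the `images` dictionary with `{name: load_tree(path)}` over each extracted root; the fingerprint is over the DER bytes, so the same key is matched whether it was stored as a standalone .key file or compiled into a binary.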
Public key certificates
• We can process private keys, public keys, and X.509 certificates with the
openssl program
• For example, we can view the contents of an X.509 certificate in PEM format
with the following command:
• $ openssl x509 -in certificate.pem -text -noout
Executable files
QEMU user mode emulation
• We can use QEMU in user mode to execute binary files that were compiled
for a different computer architecture than that of our host system:
• https://www.qemu.org/
• We use the chroot command to execute the ELF file with the extracted
SquashFS filesystem as root directory
QEMU full system emulation
• QEMU also supports full system emulation using prebuilt images:
• https://people.debian.org/~aurel32/qemu/
QEMU full system emulation
• We can copy the extracted filesystem into the hard disk image and then start
a command interpreter (shell) inside it with chroot
General security concerns