Firmware Analysis Tutorial

The document discusses analyzing firmware images of embedded systems. It describes how embedded systems work using firmware stored in non-volatile memory. It then outlines various tools that can be used to analyze firmware images, such as hexdump to examine bytes, binwalk to scan for signatures, and binvis to generate visualizations to identify non-random data regions. Extraction tools like dd, gunzip, and unsquashfs are also covered. The document concludes by discussing inspecting and decompressing kernel images.

Firmware Analysis of Embedded Systems

Dimitrios-Georgios Akestoridis

Carnegie Mellon University

14-829 / 18-638: Mobile and IoT Security (Fall 2018)


Reminders

• University Policies: https://www.cmu.edu/policies/index.html

• Course Policies: http://mews.sv.cmu.edu/teaching/14829/f18/policy.html

• Be aware of potential ethical and legal implications of your actions

• Use isolated networks for your assignments and research

D.-G. Akestoridis Firmware Analysis of Embedded Systems Mobile and IoT Security (Fall 2018) 2
What is an embedded system?

• An embedded system consists of special-purpose computer hardware and software, often as part of a larger system and with limited resources

• Embedded systems can be found in a plethora of devices, including:
  • Thermostats
  • Washing machines
  • Pacemakers

• Most IoT devices are just embedded systems with networking capabilities, such as:
  • IP cameras
  • Fitness trackers
  • Smart locks

How do embedded systems work?

• The special-purpose computer software that controls an embedded system is often referred to as firmware and it is stored in non-volatile memory

• Many vendors use flash memory in their devices to store their firmware, which enables them to later:
  • Improve the system’s functionality
  • Fix security vulnerabilities

• A firmware image may be provided in order to update the firmware of a device, which can be done either manually or automatically

What does a firmware image look like?

• Possible methods for obtaining the firmware image of a device:
  • Downloading it from the vendor’s website
  • Capturing it during the device’s firmware update process
  • Extracting it from the hardware

• For illustration purposes, we will use a firmware image from the OpenWrt project:
  • https://downloads.openwrt.org/releases/18.06.0/targets/ar71xx/generic/
  • https://git.openwrt.org/openwrt/openwrt.git/

$ file

• The firmware image could be in a standard archive format that the file command can identify

• If the file format of the provided firmware image is unknown, then file will simply report that it contains binary data

$ strings

• We can inspect sequences of printable characters in the firmware image with the strings command

$ hexdump

• We can examine the bytes of the firmware image with the hexdump command

• 0x4e4c3136 (NL16) and 0x55324e44 (U2ND) correspond to the magic number and ID number of the BIN header:
  • https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=tools/firmware-utils/src/addpattern.c;hb=HEAD

• 0x48445230 (HDR0) corresponds to the magic number of the TRX header:
  • https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob_plain;f=package/system/mtd/src/trx.c;hb=HEAD

• 0x27051956 corresponds to the magic number of the uImage header:
  • https://git.denx.de/?p=u-boot.git;a=blob_plain;f=include/image.h;hb=HEAD

• 0x1f8b08 corresponds to the magic number of the gzip file format with the “deflate” compression method:
  • https://tools.ietf.org/html/rfc1952

$ hexdump

• If the -v option is not provided, hexdump replaces repeating lines with a single asterisk (*)

• 0x68737173 (hsqs) corresponds to the magic number of the little-endian SquashFS filesystem:
  • https://sourceforge.net/p/squashfs/code/ci/master/tree/squashfs-tools/squashfs_fs.h

• 0xdeadc0de indicates the start of the reformatted JFFS2 partition:
  • https://openwrt.org/docs/techref/filesystems

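The magic numbers above are plain byte patterns, so a few lines of Python can do what the hexdump walkthrough does by eye: locate every known signature, then validate the uImage header it finds (both CRC-32 fields) before carving the payload, which is the step dd performs later. This is an added example, not part of the lecture; the sample image is constructed inline, the uImage layout follows U-Boot's include/image.h, and the TRX header is only located, not parsed.

```python
import struct
import zlib

# Signatures from the hexdump walkthrough, written as the bytes they occupy in
# the image so that endianness is already resolved.
SIGNATURES = {
    b"NL16": "BIN header magic",
    b"U2ND": "BIN header ID",
    b"HDR0": "TRX header (little-endian magic 0x30524448)",
    b"\x27\x05\x19\x56": "uImage header (big-endian magic 0x27051956)",
    b"\x1f\x8b\x08": "gzip, deflate method",
    b"hsqs": "SquashFS superblock, little-endian",
    b"\xde\xad\xc0\xde": "JFFS2 marker (start of the reformatted partition)",
}
UIMAGE_MAGIC = 0x27051956
UIMAGE_FMT = ">IIIIIIIBBBB32s"  # 64-byte big-endian header, U-Boot include/image.h
UIMAGE_LEN = struct.calcsize(UIMAGE_FMT)

def scan_signatures(image):
    """Return sorted (offset, description) pairs for every known magic: a tiny binwalk."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)

def parse_uimage(image, offset):
    """Validate the uImage header at `offset` and carve its payload (what dd would copy)."""
    hdr = image[offset:offset + UIMAGE_LEN]
    if len(hdr) < UIMAGE_LEN:
        raise ValueError("truncated uImage header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     _os, _arch, _type, comp, name) = struct.unpack(UIMAGE_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic")
    # ih_hcrc is the CRC-32 of the header computed with the hcrc field zeroed.
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:
        raise ValueError("uImage header CRC mismatch")
    payload = image[offset + UIMAGE_LEN:offset + UIMAGE_LEN + size]
    if len(payload) != size or zlib.crc32(payload) != dcrc:
        raise ValueError("uImage payload truncated or data CRC mismatch")
    return {"size": size, "load": load, "entry": ep, "comp": comp,
            "name": name.rstrip(b"\0").decode("ascii", "replace"), "payload": payload}

def build_uimage(payload, name=b"constructed", load=0x80060000, comp=3):
    """Constructed uImage with valid CRCs; os=5/arch=5/type=2/comp=3 are U-Boot's
    Linux/MIPS/kernel/LZMA enum values."""
    hdr = struct.pack(UIMAGE_FMT, UIMAGE_MAGIC, 0, 0, len(payload), load, load,
                      zlib.crc32(payload), 5, 5, 2, comp, name)
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:] + payload

# Constructed sample, not a real firmware: a TRX-sized header (magic only), a
# uImage wrapping gzip-looking bytes, a SquashFS magic and a JFFS2 marker.
SAMPLE = (b"HDR0" + b"\0" * 24
          + build_uimage(b"\x1f\x8b\x08" + b"kernel-ish" * 3)
          + b"hsqs" + b"\0" * 12 + b"\xde\xad\xc0\xde")
```

Running scan_signatures over a real image also shows why binwalk reports false positives: a four-byte magic occurs by chance roughly once every 4 GiB of random data, so a header should be accepted only after its length and CRC fields check out, as parse_uimage does.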
$ binwalk

• We can use binwalk to scan for known signatures

• Custom signatures can easily be incorporated

• Wide variety of analysis options available
  • https://github.com/ReFirmLabs/binwalk

$ binwalk

• Regions that contain compressed or encrypted data tend to have high values of entropy

• Useful for the inspection of regions that contain data in an unknown format

$ binvis

• We can use binvis to generate a visualization of the firmware image with space-filling curves in order to identify regions with non-random data

• Coloring scheme:
  • 0x00: [0,0,0]
  • 0xff: [255,255,255]
  • Printable character: [55,126,184]
  • Everything else: [228,26,28]

• https://github.com/cortesi/scurve

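Added example, not from the lecture, that combines the two ideas on the binwalk entropy and binvis slides: Shannon entropy per block, as binwalk's entropy scan computes it, next to the dominant binvis colour class, so each block of a constructed image is labelled as erased flash, text, or a compressed/encrypted candidate. The 1 KiB block size, the 7.5-bit threshold and the sample data are my assumptions.

```python
import hashlib
import math
from collections import Counter

def byte_class(b):
    """The four binvis colour classes from the lecture, by byte value."""
    if b == 0x00:
        return "zero"       # [0,0,0]
    if b == 0xff:
        return "ff"         # [255,255,255]: typically erased or unused flash
    if 0x20 <= b <= 0x7e:
        return "printable"  # [55,126,184]: strings, scripts, config text
    return "other"          # [228,26,28]: code, compressed or encrypted data

def shannon_entropy(block):
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def profile(image, block_size=1024):
    """One (offset, entropy, dominant class) row per block: binwalk's entropy scan
    and the binvis colouring read side by side."""
    rows = []
    for off in range(0, len(image), block_size):
        block = image[off:off + block_size]
        dominant = Counter(map(byte_class, block)).most_common(1)[0][0]
        rows.append((off, round(shannon_entropy(block), 2), dominant))
    return rows

def high_entropy_regions(rows, block_size=1024, threshold=7.5):
    """Merge runs of adjacent blocks above `threshold` into (start, end) regions: the
    compressed/encrypted candidates where file, strings and hexdump reveal little."""
    regions = []
    for off, entropy, _ in rows:
        if entropy < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + block_size)
        else:
            regions.append((off, off + block_size))
    return regions

# Constructed sample image, not a real firmware: 1 KiB of erased flash (0xff),
# 1 KiB of passwd-like text, then 2 KiB of pseudo-random bytes standing in for an
# LZMA-compressed kernel (SHA-256 digests give deterministic "random" data).
TEXT = b"root:x:0:0:root:/root:/bin/ash\nnobody:*:65534:65534:nobody:/var:/bin/false\n"
SAMPLE = (b"\xff" * 1024
          + (TEXT * 20)[:1024]
          + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)))
```

Entropy alone cannot distinguish compressed from encrypted data; the usual follow-up is to check whether a high-entropy region begins with a known compression magic (gzip, LZMA, SquashFS) and, if not, to treat it as possibly encrypted.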
$ dd

• We can duplicate regions of the firmware image with the dd command:
  • if option: Input file
  • bs option: Number of bytes in a block (in decimal notation)
  • skip option: Number of blocks to skip (in decimal notation)
  • count option: Number of blocks to copy (in decimal notation)
  • of option: Output file

Data extraction tools

• We can extract gzip compressed data with gunzip and SquashFS filesystems with unsquashfs

• Vendors often use non-standard SquashFS filesystems that unsquashfs is unable to extract:
  • https://github.com/devttys0/sasquatch

• With the --extract option, binwalk uses common tools to extract the files that it identified

Inspecting the kernel image

Decompressing the kernel

• We can extract LZMA compressed data with the unlzma command

• For recursive scanning and extraction of known files, we can use binwalk with the --extract and --matryoshka options, or simply -eM

Inspecting the kernel

Inspecting the filesystem

• What to look for in the filesystem?
  • Password files
  • Encryption keys
  • Public key certificates
  • Executable files
  • Configuration files
  • Interesting keywords

• We can use firmwalker to search for some common files and keywords in the filesystem:
  • https://github.com/craigz28/firmwalker

Password files

• Usually, the system’s accounts can be found in the /etc/passwd file and their hashed passwords are stored in the /etc/shadow file

• For more information regarding the format of those files:
  • $ man 5 passwd
  • $ man 5 shadow
  • $ man 3 crypt

• Traditional DES-based password hashes can be easily cracked with john:
  • http://www.openwall.com/john/

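Once /etc/shadow has been extracted from the filesystem, the finding a reviewer wants is which accounts have no password at all and which still use the legacy crypt(3) schemes mentioned above. This added example, not part of the lecture, classifies each password field by its crypt(3) prefix (the unprefixed 13-character form is traditional DES); the shadow file is constructed and its hash strings are made up.

```python
import re

# crypt(3) scheme prefixes; the unprefixed 13-character form is traditional DES.
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
# Legacy schemes that john recovers far faster than sha512crypt or yescrypt
# (DES also truncates passwords to 8 characters and uses a 12-bit salt).
WEAK = {"descrypt", "md5crypt"}

def classify_hash(field):
    """Map the password field of one /etc/shadow (or /etc/passwd) entry to a label."""
    if field == "":
        return "empty"          # account can log in with no password at all
    if field == "*" or field.startswith("!"):
        return "locked"         # no usable hash; password login disabled
    if field == "x":
        return "in-shadow"      # passwd placeholder, the hash lives in /etc/shadow
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"       # traditional DES-based crypt
    return "unknown"

def audit_shadow(text):
    """Return (user, label) for every account with an empty password or a weak scheme."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                    # malformed entry, skip
        label = classify_hash(fields[1])
        if label == "empty" or label in WEAK:
            findings.append((fields[0], label))
    return findings

# Constructed shadow file covering one case per line; the hash strings are made up.
SAMPLE_SHADOW = """\
root:$6$aBcD1234$madeUpSha512ValueNotReal:17800:0:99999:7:::
admin:ab/cdEFGH1234:17800:0:99999:7:::
support::17800:0:99999:7:::
nobody:*:17800:0:99999:7:::
daemon:$1$salt$madeUpMd5ValueNotReal:17800:0:99999:7:::
"""
```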
Encryption keys

• Many devices contain hard-coded private keys in their firmware in order to support HTTPS:
  • http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/

• Multiple devices may be using the same encryption keys, sometimes even devices of different vendors:
  • https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/costin
  • https://www.sec-consult.com/en/blog/2016/09/house-of-keys-9-months-later-40-worse/index.html

• Datasets of private keys that were found in embedded systems:
  • https://github.com/devttys0/littleblackbox
  • https://github.com/sec-consult/houseofkeys

Public key certificates

• We can process private keys, public keys, and X.509 certificates with the openssl program

• For example, we can view the contents of an X.509 certificate in PEM format with the following command:
  • $ openssl x509 -in certificate.pem -text -noout

• We can estimate the number of Internet-connected devices that use the same public key certificate by searching for its fingerprint on computer search engines:
  • https://www.shodan.io/
  • https://censys.io/

Executable files

• We can examine executable files in ELF format with the readelf command

• For example, with the -h option, readelf displays the information that is contained in the header of the ELF file

• We can disassemble ELF files with tools like radare2:
  • https://github.com/radare/radare2

QEMU user mode emulation

• We can use QEMU in user mode to execute binary files that were compiled for a different computer architecture than that of our host system:
  • https://www.qemu.org/

• We use the chroot command to execute the ELF file with the extracted SquashFS filesystem as root directory

QEMU full system emulation

• QEMU also supports full system emulation using prebuilt images:
  • https://people.debian.org/~aurel32/qemu/

• We can copy the extracted filesystem into the hard disk image and then initiate a command interpreter (shell) with chroot

General security concerns

• Is there any information leakage from the device?

• Does the device accept unauthenticated commands?

• Is the device susceptible to replay attacks?

• Is the firmware image digitally signed?

• Is the device running any unnecessary services?

• Are there any backdoors in the firmware?

• Is the device using outdated software with known vulnerabilities?