-
Firmware
-
Encrypted
-
Possible XOR?
Identify by Hexdump and look for repetitive strings
- Use XOR decryption script to get the decrypted firmware
- Non-XOR?
Manual Analysis using a disassembler
- Dump from the flash memory while the firmware is in decrypted state
-
Non-Encrypted
-
Extract file system using Binwalk
(binwalk -e firmware.bin)
- Analyze configuration files and hardcoded sensitive values and certificates (manually + automated tool - Firmwalker)
-
Disassemble individual binaries using Hopper/Binary Ninja/IDA Pro
- Identify vulnerabilities such as command injection and backdoors in the disassemblers
- Analyze strings present in the binary
- Analyze the function list
- Look for Xrefs to system()
-
Emulate individual binaries using qemu
(sudo chroot . ./qemu-arch -L optional-lib-path -g gdb-port binary-to-emulate)
- Attach GDB-Multiarch (or IDA Pro) to the emulated binary
- Set breakpoints at functions like strcmp and analyze the context (registers, stack and disassembly) at that point.
- Identify overflow based vulnerabilities (pass a large string and see if the program crashes)
- Exploit the overflow by forming a ROP chain (use ROPGadget to find useful gadgets)
-
Modify firmware image using FMK (Firmware-Mod-Kit)
-
./extract-firmware.sh to extract the firmware
- Add backdoor or bindshell to the extracted firmware and ensure that it starts at bootup.
Build the firmware using build-firmware.sh with the flags -nopad -min
-
Upload the modified version of the firmware to the target device
- If the DUT accepts the new firmware, it is missing firmware integrity verification
- If it does not accept, look for code sample in the firmware (or other components) where it's checking for signature verification.
-
Obtaining the firmware
- Vendor website and support forums
- Sniffing the package during OTA update
- Reversing mobile application
- Dumping from the device using H/W Exploitation tactics
-
Hardware
-
Recon
-
FCC-ID database : Look up the FCC ID of the DUT on fccid.io
- Identify the chipsets being used
- What frequency does the device operates on
- Internal/External pictures
-
Public searching of previous accessible resources of the device
- Look for research done on previous versions of the device if that's available to get an idea of the process
-
Teardown
-
Identify the kind of enclosure holding the packaging together and use appropriate tools to open it
- Look for screws beneath the rubber pads
- Pry open the device
- Apply heat (make sure to not damage the device)
- Cut/Remove the enclosure (as the last option)
- XRays/Focused Ion Beam Workstation
-
Exploitation
-
What does the PCB Reveal
-
Identify different chips and part numbers
- Look for datasheet to figure out more information about a given chip
- What protocol does it work on
- Data storage size
- Support for communication interfaces
-
Can you see any possible interfaces?
- UART - usually in pair of 3 or 4 with one of the pins being GND
- Identify GND using continuity test
- Identify Tx and Rx with voltage fluctuations (Tx will have more fluctuations during bootup due to device bootup messages)
- Connect to Attify Badge once pinouts are identified
Run "sudo python baudrate.py"
Hit Ctrl+C once you see readable characters
Save conf
Hit enter to get shell
- SPI - presence of a flash chip
- Once pinout is identified from the datasheet, connect the pins to Attify Badge either using Mini Test Probes or pulling out the chip and putting on an adapter
- You can use tools like spiflash.py or flashrom to dump the entire flash image / firmware
(sudo python spiflash.py -r firmware.bin -s size-to-dump)
- JTAG - set of 6,12,13,20 pin headers (or could also be scattered across the board)
- Use JTAGulator to identify the pinouts
- Connect to all possible JTAG pins
Run "sudo screen /dev/ttyUSBx 115200"
Set target voltage (using "V")
Hit "B" to start the scan
- Use Attify Badge once pinouts are known
- TDI => TDI
TDO => TDO
TCK => TCK
TMS => TMS
- Run openocd with the configuration file obtained from openocd github repo (or on your local system)
sudo openocd -f badge.cfg -f target-device-chip.cfg
- Run GDB and connect to :3333 to gain debugging access to the target device
- hbreak strcmp
or break interesting-function
You can even use memory manipulation commands to change the contents of memory at any given address (this could be used to change boot args)
- Unfamiliar protocol
- Research the chip to identify the possible communication protocols
- Use a logic sniffer to see what data is being communicated (can use different analyzers and see which one shows something meaningful)
- External interfaces like USB (can plug in a keyboard and brute force with special key combinations)
-
Backdooring
- Upload malicious firmware to the device using Flash re-write or using JTAG
- Add your own new component for persistent hardware backdooring on the device
-
Conventional
-
Mobile
- Find out information such as how the firmware is downloaded from the remote endpoint and flashed to the device
- Protocol and encryption (key could be found here or by dumping the flash contents in h/w) used for communication
- Reverse the API communication
- What kind of data is being stored on the mobile device
- Use Frida to perform runtime manipulation and analysis
- Automated mobile application security tools
- Replay based attacks
- Insufficient authentication and authorization checks when communication with the device
-
Web
- IDOR (Insecure Direct Object Reference)
- Check for permission level bugs (admin, user, superadmin)
- Typical bugs - XSS, SQLi, XXE, XSRF etc.
-
Network
- Check for running services on the device
- Outdated services
- Password brute-forcing and cracking
- Unfamiliar port open?
- Sniff the network communication
-
Thick Clients
- RE the Thick Client to find vulnerabilities such as Command Injection and Overflows
- Communication to the remote endpoint
- Reversing the APIs
- Exploiting Trust components of the Thick Client
-
Radio
-
Raw Radio Communication protocol
-
Identify the frequency using HackRF / RTL-SDR (Notice the spikes in GQRX when device sends bursts of data)
- Capture the data being transmitted at that frequency and process it in GNURadio to obtain meaningful information
- Use hackrf_transfer to replay the captured data
-
BLE
-
Identify the BLE devices around you and their addresses (using a BLE dongle)
- Identify characteristics and services of the target device
-
Capture the BLE traffic while interacting with the target device using Ubertooth One (Or with 2 BLE dongles with projects like BTLEJuice)
- Clear-text traffic
- Relay based attacks
- Write data to the target devices's BLE Characteristics using Gatttool
- Capture the initial pairing packets and use crackle to decrypt traffic (if encrypted)
-
ZigBee
-
Find the ZigBee channel on which the DUT is operating on
- Capture communication using zb_dump and analyze in wireshark
- Perform replay based attacks using zb_replay
- Identify keys in the captured communication