»ARM IoT Firmware Emulation«
2018-10-16, 09:30–11:30, Hollenfels

Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.

In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.

The methodology discussed in this workshop is put together from the author's own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.


PART 1
- A look inside a typical IoT device
- Discovering UART interfaces on IoT devices
- Extracting firmware via Serial Console exposed via UART
- Extracting firmware via binwalking downloaded updates
- Tour of IoT firmware
  - MTD partitions
  - Read Only compressed file system
  - Configuration settings in NVRAM
  - Boot Arguments

PART 2
- QEMU configuration
- Uncompressing the firmware file system
- Preparing a chroot'ed environment with the extracted file system
- Discovering the initial startup script
- Attempting to start up the userspace processes

PART 3
- Changing the device's default configuration
  - Discovering default configuration files
  - Dumping configuration entries from NVRAM
- Overcoming difficulties with missing hardware
  - Faking the missing hardware
  - Emulating the missing hardware
- Second attempt to start up userspace processes
- Writing your own NVRAM interception routines
  - Wrapping the "nvram" command line utility
  - custom_nvram.so - injecting a shared library to intercept NVRAM calls
  - universal approach by hooking libnvram.so calls
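The custom_nvram.so approach from Part 3, as an added example that is not the workshop's own code: a small LD_PRELOAD shim exporting Broadcom-style nvram_get()/nvram_set() (assumed to match the symbols the target's libnvram.so exports) that answers from a key=value dump at an assumed path, /tmp/nvram.txt, and falls back to constructed defaults when no dump is present.

```c
#define _POSIX_C_SOURCE 200809L          /* strdup, strtok_r */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ENTRIES 256
#define NVRAM_DUMP "/tmp/nvram.txt"      /* assumed path of the key=value dump */
/* Constructed defaults, used only when no dump file is present. */
static const char *SAMPLE_DUMP = "lan_ipaddr=192.168.1.1\nwan_proto=dhcp\nboardflags=0x110\n";
static char *keys[MAX_ENTRIES], *vals[MAX_ENTRIES]; static int nentries;

static int find(const char *name) {
    for (int i = 0; i < nentries; i++)
        if (strcmp(keys[i], name) == 0) return i;
    return -1;
}
/* Same signature as Broadcom-style nvram_get(): value, or NULL if unset. */
char *nvram_get(const char *name) {
    int i = find(name);
    return i < 0 ? NULL : vals[i];
}
/* Update an existing entry or append a new one; 0 on success, -1 when full. */
int nvram_set(const char *name, const char *value) {
    int i = find(name);
    if (i >= 0) { free(vals[i]); vals[i] = strdup(value); return 0; }
    if (nentries >= MAX_ENTRIES) return -1;
    keys[nentries] = strdup(name);
    vals[nentries++] = strdup(value);
    return 0;
}
/* Parse "key=value" lines; returns how many entries were stored. */
int nvram_load_from_text(const char *text) {
    char *copy = strdup(text), *save = NULL, *line;
    int loaded = 0;
    for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        char *eq = strchr(line, '=');
        if (!eq || eq == line) continue;        /* skip malformed lines */
        *eq = '\0';
        if (nvram_set(line, eq + 1) == 0) loaded++;
    }
    free(copy);
    return loaded;
}
/* Runs when the .so is loaded: read the dump, or fall back to the sample. */
__attribute__((constructor)) static void nvram_init(void) {
    char buf[4096];
    FILE *f = fopen(NVRAM_DUMP, "r");
    if (!f) { nvram_load_from_text(SAMPLE_DUMP); return; }
    while (fgets(buf, sizeof buf, f)) nvram_load_from_text(buf);
    fclose(f);
}
```

Build it with `gcc -shared -fPIC -o custom_nvram.so custom_nvram.c` (using the ARM cross toolchain when it is to run inside the emulated root filesystem) and start the firmware's init with `LD_PRELOAD=/custom_nvram.so` so these symbols take precedence over the vendor's libnvram.so.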

Participant Requirements:
- Laptop with 10GB free disk space
- VMware Workstation/Fusion/Player (VMware, not VirtualBox)
- Again, I said NOT VirtualBox, I don't care how free or OSS it is.
- Working WiFi
- USB ports enabled (workshop VMs will be distributed via USB thumb drives, most likely)