Firmware Dumping Update

pull/23/head
Swissky 2023-07-02 14:26:27 +02:00
parent c6f7c2f5bd
commit 474eef06c9
1 changed files with 83 additions and 60 deletions


@ -1,73 +1,90 @@
# Firmware Dumping # Firmware Dumping
### Summary ## Summary
* Send a new firmware into the microcontroller using serial port * [Send a new firmware into the microcontroller](#send-a-new-firmware-into-the-microcontroller)
* Dump firmware using debug port * [Dump firmware using debug port](#dump-firmware-using-debug-port)
* Convert ihex to elf * [Convert ihex to elf](#convert-ihex-to-elf)
* Over-the-air updates * [Over-the-air updates](#over-the-air-updates)
* Explore firmware * [Explore firmware](#explore-firmware)
* Type of firmware * [Type of firmware](#type-of-firmware)
* Check entropy * [Check entropy](#check-entropy)
* Unsquashfs * [Unsquashfs](#unsquashfs)
* Encrypted firmware * [Encrypted firmware](#encrypted-firmware)
### Send a new firmware into the microcontroller using serial port
- avrdude ## Send a new firmware into the microcontroller
```powershell * Using [avrdudes/avrdude](https://github.com/avrdudes/avrdude)
# send raw data firmware ```powershell
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:w:flash_raw.bin # send raw data firmware
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:w:flash_raw.bin
# send ihex firmware # send ihex firmware
$ avrdude -c usbasp -p m328p -F -U flash:r:dump.hex:i $ avrdude -c usbasp -p m328p -F -U flash:r:dump.hex:i
# default # default
$ avrdude -c usbasp -p m328p -C /etc/avrdude.conf -U flash:w:hardcodedPassword.ino.arduino_standard.hex $ avrdude -c usbasp -p m328p -C /etc/avrdude.conf -U flash:w:hardcodedPassword.ino.arduino_standard.hex
``` ```
* Using [raspberrypi/picotool](https://github.com/raspberrypi/picotool)
```ps1
# extension indicates the type (bin, uf2)
picotool load firmware.bin
```
- picotool
```bash ## Dump firmware using debug port
# extention indicates the type (bin, uf2)
picotool load firmware.bin
```
### Dump firmware using debug port * Using [avrdudes/avrdude](https://github.com/avrdudes/avrdude)
```powershell
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:r:flash_raw.bin:r
$ avrdude -p m328p -c arduino -P /dev/ttyACM0 -b 115200 -U flash:r:flash_raw.bin:r
$ avrdude -p atmega328p -c arduino -P/dev/ttyACM0 -b 115200 -D -U flash:r:program.bin:r -F -v
```
* avrdude * Using [openocd-org/openocd](https://github.com/openocd-org/openocd)
* Determine code space in the microcontroller (for example nRF51822 - Micro:bit), save as `dump_img.cfg`:
```powershell
init
reset init
halt
dump_image image.bin 0x00000000 0x00040000
exit
```
* Dump with openocd
```powershell
sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg
```
* Using [raspberrypi/picotool](https://github.com/raspberrypi/picotool)
* Build PicoTool, you will need the pico-sdk
```ps1
# PicoSDK
git clone https://github.com/raspberrypi/pico-sdk.git
cd pico-sdk
git submodule update --init
```powershell # Picotool
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:r:flash_raw.bin:r cd ..
$ avrdude -p m328p -c arduino -P /dev/ttyACM0 -b 115200 -U flash:r:flash_raw.bin:r git clone https://github.com/raspberrypi/picotool.git
$ avrdude -p atmega328p -c arduino -P/dev/ttyACM0 -b 115200 -D -U flash:r:program.bin:r -F -v cd picotool
``` mkdir build
cd build
cmake -DPICO_SDK_PATH=../pico-sdk ..
make
```
* Dump the program or the whole flash memory
```ps1
sudo ./picotool save -F /tmp/out.bin
Saving file: [==============================] 100%
Wrote 73312 bytes to /tmp/out.bin
* openocd sudo ./picotool save --all -F /tmp/out2.bin
Saving file: [==============================] 100%
Wrote 2097152 bytes to /tmp/out2.bin
```
Determine code space in the microcontroller (for example nRF51822 - Micro:bit), save as `dump_img.cfg`:
```powershell ## Convert ihex to elf
init
reset init
halt
dump_image image.bin 0x00000000 0x00040000
exit
```
```powershell
sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg
```
- picotool
```bash
# extention indicates the type (bin, uf2)
picotool save firmware.bin
```
### Convert ihex to elf
> The Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEXs can be converted to binary files and programmed into a configuration device. > The Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEXs can be converted to binary files and programmed into a configuration device.
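Review bot: the command under `# send ihex firmware` reads flash instead of writing it: `$ avrdude -c usbasp -p m328p -F -U flash:r:dump.hex:i` dumps the chip to `dump.hex`, so under the "Send a new firmware into the microcontroller" heading it should use `-U flash:w:<file>.hex:i` (or the line belongs in the dump section). Two smaller points in the same hunk: the OpenOCD script is saved as `dump_img.cfg` but invoked with `-f dump_fw.cfg`, so one of the two names should change; and `sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg ...` hard-codes a personal checkout path, where the `interface/stlink-v2-1.cfg` and `target/nrf51.cfg` script names relative to the installed OpenOCD script directory would be portable. The fences also alternate between `powershell` and `ps1` for what are Linux shell commands with `$` prompts; `bash` would be the accurate tag throughout.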
@ -107,11 +124,13 @@ cat defaultPassword.ino.arduino_standard.hex | tr -d ":" | tr -d "\n" | xxd -r -
Inspect the assembly with `avr-objdump -m avr -D chest.hex`.\ Inspect the assembly with `avr-objdump -m avr -D chest.hex`.\
Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin` Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin`
### Over-the-air updates
## Over-the-air updates
TODO TODO
### Explore firmware
## Explore firmware
```powershell ```powershell
$ binwalk -Me file.bin $ binwalk -Me file.bin
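Review bot: the `## Over-the-air updates` section still holds only `TODO` after the heading change, while the new summary links to it with an anchor; either add the content or leave the entry out of the summary until it exists. Minor: `Emulate : ` carries a stray space before the colon, inconsistent with `Inspect the assembly with ...` on the line above.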
@ -133,14 +152,16 @@ DECIMAL HEXADECIMAL DESCRIPTION
3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions 3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions
``` ```
### Type of firmware
## Type of firmware
* SREC - Motorola S-Record : All S-record file lines start with a capital S. * SREC - Motorola S-Record : All S-record file lines start with a capital S.
* Intel HEX lines all start with a colon. * Intel HEX lines all start with a colon.
* TI-TXT is a Texas Instruments format, usually for the MSP430 series. Memory addresses are prepended with an **@**, and data is represented in hex. * TI-TXT is a Texas Instruments format, usually for the MSP430 series. Memory addresses are prepended with an **@**, and data is represented in hex.
* Raw NAND dumps * Raw NAND dumps
### Check entropy
## Check entropy
High entropy = probably encrypted (or compressed). Low entropy = probably not High entropy = probably encrypted (or compressed). Low entropy = probably not
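Review bot: the `* Raw NAND dumps` entry in the type list gives no recognition hint, whereas the SREC, Intel HEX and TI-TXT entries each say how to identify the format (leading `S`, leading colon, `@`-prefixed addresses); a matching hint would keep the list usable as a lookup. Minor: `Low entropy = probably not` is missing its end of sentence and reads more clearly as "probably not encrypted".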
@ -148,13 +169,15 @@ High entropy = probably encrypted (or compressed). Low entropy = probably not
$ binwalk -E fw $ binwalk -E fw
``` ```
### Unsquashfs
## Unsquashfs
```powershell ```powershell
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
``` ```
### Encrypted firmware
## Encrypted firmware
![](https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1581004558438-UJV08PX8O5NVAQ6Z8HXI/ke17ZwdGBToddI8pDm48kHSRIhhjdVQ3NosuzDMrTulZw-zPPgdn4jUwVcJE1ZvWQUxwkmyExglNqGp0IvTJZamWLI2zvYWH8K3-s\_4yszcp2ryTI0HqTOaaUohrI8PIYASqlw8FVQsXpiBs096GedrrOfpwzeSClfgzB41Jweo/Picture2.png?format=1000w) ![](https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1581004558438-UJV08PX8O5NVAQ6Z8HXI/ke17ZwdGBToddI8pDm48kHSRIhhjdVQ3NosuzDMrTulZw-zPPgdn4jUwVcJE1ZvWQUxwkmyExglNqGp0IvTJZamWLI2zvYWH8K3-s\_4yszcp2ryTI0HqTOaaUohrI8PIYASqlw8FVQsXpiBs096GedrrOfpwzeSClfgzB41Jweo/Picture2.png?format=1000w)
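Review bot: the `## Encrypted firmware` section consists solely of an image hotlinked from an external squarespace CDN URL with empty alt text; it needs at least one sentence saying what the picture shows and where it comes from, plus alt text, and ideally a local copy with attribution, since an externally hosted image can disappear and the section then becomes empty. Minor: `sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs` hard-codes a personal mount point as the destination; a neutral output directory such as a subdirectory of the working directory would read as a general example.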