<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Hardware/IOT Pentesting Wiki">
<link rel="canonical" href="https://swisskyrepo.github.io/HardwareAllTheThings/firmware/firmware-reverse-engineering/">
<link rel="prev" href="../firmware-dumping/">
<link rel="next" href="../../gadgets/arduino/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.44">
<title>Firmware Reverse Engineering - Hardware All The Things</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.0253249f.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.06af60db.min.css">
<style>
.social-container {
float: right;
}
</style>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<!-- NOTE(review): third-party stylesheet loaded without Subresource Integrity.
     Google Fonts serves UA-specific CSS, so a fixed integrity hash is not
     practical here; the available controls are a CSP style-src/font-src
     allow-list, or self-hosting the fonts (e.g. mkdocs-material's `font: false`
     theme option plus a local @font-face), which also stops reader IPs from
     being sent to a third party on every page load. -->
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../custom.css">
<script>
  // Storage helpers shared by the theme scripts (palette, tabs, ...).
  // Keys are prefixed with the site's base path so several MkDocs sites served
  // from one origin do not overwrite each other's localStorage entries.
  __md_scope = new URL("../..", location);

  // Cheap string hash: (acc << 5) - acc is acc * 31, i.e. a Java-style
  // String.hashCode. Used as a change marker only, never for integrity.
  __md_hash = str => [...str].reduce((acc, ch) => (acc << 5) - acc + ch.charCodeAt(0), 0);

  // Read and JSON-decode a scoped key (null when absent).
  // NOTE(review): the stored value is trusted as-is. Web storage is same-origin,
  // so only code already running on this origin can tamper with it; callers
  // should still treat the decoded object as untrusted shape-wise.
  __md_get = (key, storage = localStorage, scope = __md_scope) =>
    JSON.parse(storage.getItem(scope.pathname + "." + key));

  // JSON-encode and store a scoped key. Storage failures (quota exceeded,
  // storage disabled or blocked) are deliberately swallowed so the theme keeps
  // working without persistence.
  __md_set = (key, value, storage = localStorage, scope = __md_scope) => {
    try {
      storage.setItem(scope.pathname + "." + key, JSON.stringify(value));
    } catch (err) {
      // best-effort: persistence is optional
    }
  };
</script>
<meta property="og:type" content="website" >
<meta property="og:title" content="Firmware Reverse Engineering - Hardware All The Things" >
<meta property="og:description" content="Hardware/IOT Pentesting Wiki" >
<meta property="og:image" content="https://swisskyrepo.github.io/HardwareAllTheThings/assets/images/social/firmware/firmware-reverse-engineering.png" >
<meta property="og:image:type" content="image/png" >
<meta property="og:image:width" content="1200" >
<meta property="og:image:height" content="630" >
<meta property="og:url" content="https://swisskyrepo.github.io/HardwareAllTheThings/firmware/firmware-reverse-engineering/" >
<meta name="twitter:card" content="summary_large_image" >
<meta name="twitter:title" content="Firmware Reverse Engineering - Hardware All The Things" >
<meta name="twitter:description" content="Hardware/IOT Pentesting Wiki" >
<meta name="twitter:image" content="https://swisskyrepo.github.io/HardwareAllTheThings/assets/images/social/firmware/firmware-reverse-engineering.png" >
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#firmware-reverse-engineering" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="Hardware All The Things" class="md-header__button md-logo" aria-label="Hardware All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Hardware All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Firmware Reverse Engineering
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<script>
  // Re-apply the persisted colour palette synchronously, before first paint,
  // so the page does not flash the default scheme on load.
  var palette = __md_get("__palette");
  if (palette && palette.color) {
    // A media value of "(prefers-color-scheme)" means "follow the OS"; resolve
    // it to the concrete palette input that matches the current OS preference.
    if (palette.color.media === "(prefers-color-scheme)") {
      var media = matchMedia("(prefers-color-scheme: light)");
      var input = document.querySelector(
        media.matches
          ? "[data-md-color-media='(prefers-color-scheme: light)']"
          : "[data-md-color-media='(prefers-color-scheme: dark)']"
      );
      palette.color.media = input.getAttribute("data-md-color-media");
      palette.color.scheme = input.getAttribute("data-md-color-scheme");
      palette.color.primary = input.getAttribute("data-md-color-primary");
      palette.color.accent = input.getAttribute("data-md-color-accent");
    }
    // NOTE(review): both the attribute suffix and the value come straight from
    // localStorage and are written to <body> without validation. Storage is
    // same-origin, so this is not reachable from other sites, but any script
    // already running on this origin can set arbitrary data-md-color-* attrs;
    // an unexpected key only changes which CSS palette rules match.
    for (var [key, value] of Object.entries(palette.color)) {
      document.body.setAttribute("data-md-color-" + key, value);
    }
  }
</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/HardwareAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="Hardware All The Things" class="md-nav__button md-logo" aria-label="Hardware All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Hardware All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/HardwareAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
<span class="md-ellipsis">
🔌 Hardware All The Things
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Debug interfaces
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Debug interfaces
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../debug-interfaces/jtag/" class="md-nav__link">
<span class="md-ellipsis">
JTAG
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../debug-interfaces/swd/" class="md-nav__link">
<span class="md-ellipsis">
SWD
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../debug-interfaces/uart/" class="md-nav__link">
<span class="md-ellipsis">
UART
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
Enumeration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Enumeration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../enumeration/chip-identification/" class="md-nav__link">
<span class="md-ellipsis">
Chip identification
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../enumeration/fcc-id/" class="md-nav__link">
<span class="md-ellipsis">
FCC ID
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../enumeration/jtag/" class="md-nav__link">
<span class="md-ellipsis">
JTAG
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Firmware
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Firmware
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../firmware-dumping/" class="md-nav__link">
<span class="md-ellipsis">
Firmware Dumping
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Firmware Reverse Engineering
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Firmware Reverse Engineering
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#loading-bare-metal-binaries-into-ida" class="md-nav__link">
<span class="md-ellipsis">
Loading bare-metal binaries into IDA
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#loading-bare-metal-binaries-into-radare2" class="md-nav__link">
<span class="md-ellipsis">
Loading bare-metal binaries into Radare2
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#loading-bare-metal-binaries-into-ghidra" class="md-nav__link">
<span class="md-ellipsis">
Loading bare-metal binaries into Ghidra
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#esptool" class="md-nav__link">
<span class="md-ellipsis">
ESPTool
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#nrf5x-firmware-disassembly-tools" class="md-nav__link">
<span class="md-ellipsis">
nRF5x Firmware disassembly tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#pure-disassemblers" class="md-nav__link">
<span class="md-ellipsis">
Pure disassemblers
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#simulating-avr" class="md-nav__link">
<span class="md-ellipsis">
Simulating AVR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#uefi-firmware" class="md-nav__link">
<span class="md-ellipsis">
UEFI Firmware
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Gadgets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Gadgets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../gadgets/arduino/" class="md-nav__link">
<span class="md-ellipsis">
Arduino
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/bruschetta-board/" class="md-nav__link">
<span class="md-ellipsis">
Bruschetta
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/bus-pirate/" class="md-nav__link">
<span class="md-ellipsis">
Bus Pirate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/ch341a/" class="md-nav__link">
<span class="md-ellipsis">
CH341A
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/esp32/" class="md-nav__link">
<span class="md-ellipsis">
ESP32
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/flipper-zero/" class="md-nav__link">
<span class="md-ellipsis">
Flipper Zero
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/goodfet/" class="md-nav__link">
<span class="md-ellipsis">
GoodFET
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/hydrabus/" class="md-nav__link">
<span class="md-ellipsis">
HydraBus
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/hydraflash/" class="md-nav__link">
<span class="md-ellipsis">
HydraFlash
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/hydranfc/" class="md-nav__link">
<span class="md-ellipsis">
HydraNFC
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/hydrausb3/" class="md-nav__link">
<span class="md-ellipsis">
HydraUSB3
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/icopy-x/" class="md-nav__link">
<span class="md-ellipsis">
iCopy-X
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/logic-analyzer/" class="md-nav__link">
<span class="md-ellipsis">
Logic Analyzer
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/m5stack/" class="md-nav__link">
<span class="md-ellipsis">
Evil M5Core2
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/memory-programmer/" class="md-nav__link">
<span class="md-ellipsis">
Memory Programmer
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/micro-bit/" class="md-nav__link">
<span class="md-ellipsis">
Micro::bit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/proxmark/" class="md-nav__link">
<span class="md-ellipsis">
Proxmark
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/pwnagotchi/" class="md-nav__link">
<span class="md-ellipsis">
Pwnagotchi
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../gadgets/raspberry-pi/" class="md-nav__link">
<span class="md-ellipsis">
Raspberry Pi
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Other
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Other
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../other/default-iot-passwords/" class="md-nav__link">
<span class="md-ellipsis">
Default IoT Passwords
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../other/electronic-components/" class="md-nav__link">
<span class="md-ellipsis">
Electronic Components
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../other/links-and-hardware-kits/" class="md-nav__link">
<span class="md-ellipsis">
Links &amp; Hardware Kits
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Protocols
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Protocols
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../protocols/bluetooth/" class="md-nav__link">
<span class="md-ellipsis">
Bluetooth
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/can/" class="md-nav__link">
<span class="md-ellipsis">
CAN Bus
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/dnp3/" class="md-nav__link">
<span class="md-ellipsis">
DNP3
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/gps/" class="md-nav__link">
<span class="md-ellipsis">
GPS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/http/" class="md-nav__link">
<span class="md-ellipsis">
HTTP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/i2c/" class="md-nav__link">
<span class="md-ellipsis">
I2C
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/lora/" class="md-nav__link">
<span class="md-ellipsis">
LoRa
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/mms/" class="md-nav__link">
<span class="md-ellipsis">
MMS (IEC 61850)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/modbus/" class="md-nav__link">
<span class="md-ellipsis">
Modbus
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/mqtt/" class="md-nav__link">
<span class="md-ellipsis">
MQTT
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/ntag215-amiibo/" class="md-nav__link">
<span class="md-ellipsis">
NFC - Amiibo
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/signaling-system-7/" class="md-nav__link">
<span class="md-ellipsis">
SS7 - Signaling System No. 7
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/spi/" class="md-nav__link">
<span class="md-ellipsis">
SPI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/upnp/" class="md-nav__link">
<span class="md-ellipsis">
UPnP
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/usb/" class="md-nav__link">
<span class="md-ellipsis">
USB
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/zigbee/" class="md-nav__link">
<span class="md-ellipsis">
ZigBee
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7_17" >
<label class="md-nav__link" for="__nav_7_17" id="__nav_7_17_label" tabindex="0">
<span class="md-ellipsis">
Rfid nfc
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_7_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7_17">
<span class="md-nav__icon md-icon"></span>
Rfid nfc
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/hf-mifare-classic/" class="md-nav__link">
<span class="md-ellipsis">
HF - Mifare Classic
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/hf-mifare-desfire/" class="md-nav__link">
<span class="md-ellipsis">
HF - Mifare DESFire
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/hf-mifare-ultralight/" class="md-nav__link">
<span class="md-ellipsis">
HF - Mifare UltraLight
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/hf-vigik/" class="md-nav__link">
<span class="md-ellipsis">
HF - Vigik
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/lf-hid-indala/" class="md-nav__link">
<span class="md-ellipsis">
LF - HID &amp; Indala
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/rfid-nfc/readme/" class="md-nav__link">
<span class="md-ellipsis">
NFC - RFID
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7_18" >
<label class="md-nav__link" for="__nav_7_18" id="__nav_7_18_label" tabindex="0">
<span class="md-ellipsis">
Wifi
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_7_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7_18">
<span class="md-nav__icon md-icon"></span>
Wifi
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-basics/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - Basics
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-corporate/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - Enterprise Network
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-other/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - Additional Tricks and Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-wep/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - WEP Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../protocols/wifi/wifi-wpa/" class="md-nav__link">
<span class="md-ellipsis">
Wifi - WPA Cracking
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
Radio frequency
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Radio frequency
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../radio-frequency/limesdr-bts/" class="md-nav__link">
<span class="md-ellipsis">
GSM Network: LimeSDR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../radio-frequency/sdr/" class="md-nav__link">
<span class="md-ellipsis">
SDR
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
Secure boot
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Secure boot
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../secure-boot/" class="md-nav__link">
<span class="md-ellipsis">
Secure Boot
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
Side channel
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Side channel
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../side-channel/fault-injection/" class="md-nav__link">
<span class="md-ellipsis">
Fault Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="firmware-reverse-engineering">Firmware Reverse Engineering</h1>
<h2 id="loading-bare-metal-binaries-into-ida">Loading bare-metal binaries into IDA</h2>
<p>Requirements:</p>
<ul>
<li>The <strong>load address</strong> is the address in memory from which the binary is executed.</li>
<li>The <strong>entry point</strong> is the location within the binary where the processor starts executing.</li>
</ul>
<p>⚠️ For ARM Arduino firmware the entry point is located at the <strong>_RESET</strong> interrupt.</p>
<blockquote>
<p>To load it properly in IDA, open the file, select ATMEL AVR and then select ATmega323_L.</p>
</blockquote>
<ul>
<li>ESP8266 : <a href="https://github.com/themadinventor/ida-xtensa">https://github.com/themadinventor/ida-xtensa</a></li>
</ul>
<h2 id="loading-bare-metal-binaries-into-radare2">Loading bare-metal binaries into Radare2</h2>
<p>Radare2 can natively disassemble <code>avr</code> and <code>arduino</code> binaries.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="p">$</span> <span class="n">radare2</span> <span class="n">-A</span> <span class="n">-a</span> <span class="n">arm</span> <span class="n">-b</span> <span class="n">32</span> <span class="n">ihex</span><span class="p">://</span><span class="n">Challenge_v3</span><span class="p">.</span><span class="n">hex</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="no">[x]</span> <span class="n">Analyze</span> <span class="n">all</span> <span class="n">flags</span> <span class="n">starting</span> <span class="n">with</span> <span class="n">sym</span><span class="p">.</span> <span class="n">and</span> <span class="n">entry0</span> <span class="p">(</span><span class="n">aa</span><span class="p">)</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="no">[x]</span> <span class="n">Analyze</span> <span class="k">function</span> <span class="n">calls</span> <span class="p">(</span><span class="n">aac</span><span class="p">)</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="no">[x]</span> <span class="n">find</span> <span class="n">and</span> <span class="n">analyze</span> <span class="k">function</span> <span class="n">preludes</span> <span class="p">(</span><span class="n">aap</span><span class="p">)</span>
<a id="__codelineno-0-5" name="__codelineno-0-5" href="#__codelineno-0-5"></a><span class="no">[x]</span> <span class="n">Analyze</span> <span class="n">len</span> <span class="n">bytes</span> <span class="n">of</span> <span class="n">instructions</span> <span class="k">for</span> <span class="n">references</span> <span class="p">(</span><span class="n">aar</span><span class="p">)</span>
<a id="__codelineno-0-6" name="__codelineno-0-6" href="#__codelineno-0-6"></a><span class="no">[x]</span> <span class="n">Check</span> <span class="k">for</span> <span class="n">objc</span> <span class="n">references</span>
<a id="__codelineno-0-7" name="__codelineno-0-7" href="#__codelineno-0-7"></a><span class="no">[x]</span> <span class="n">Check</span> <span class="k">for</span> <span class="n">vtables</span>
<a id="__codelineno-0-8" name="__codelineno-0-8" href="#__codelineno-0-8"></a><span class="no">[x]</span> <span class="n">Finding</span> <span class="n">xrefs</span> <span class="k">in</span> <span class="n">noncode</span> <span class="n">section</span> <span class="n">with</span> <span class="n">anal</span><span class="p">.</span><span class="k">in</span><span class="p">=</span><span class="n">io</span><span class="p">.</span><span class="n">maps</span>
<a id="__codelineno-0-9" name="__codelineno-0-9" href="#__codelineno-0-9"></a><span class="no">[x]</span> <span class="n">Analyze</span> <span class="n">value</span> <span class="n">pointers</span> <span class="p">(</span><span class="n">aav</span><span class="p">)</span>
<a id="__codelineno-0-10" name="__codelineno-0-10" href="#__codelineno-0-10"></a><span class="no">[x]</span> <span class="n">Value</span> <span class="n">from</span> <span class="n">0x00000000</span> <span class="n">to</span> <span class="n">0x10001018</span> <span class="p">(</span><span class="n">aav</span><span class="p">)</span>
<a id="__codelineno-0-11" name="__codelineno-0-11" href="#__codelineno-0-11"></a><span class="no">[x]</span> <span class="n">0x00000000</span><span class="p">-</span><span class="n">0x10001018</span> <span class="k">in</span> <span class="n">0x0</span><span class="p">-</span><span class="n">0x10001018</span> <span class="p">(</span><span class="n">aav</span><span class="p">)</span>
<a id="__codelineno-0-12" name="__codelineno-0-12" href="#__codelineno-0-12"></a><span class="no">[x]</span> <span class="n">Emulate</span> <span class="n">code</span> <span class="n">to</span> <span class="n">find</span> <span class="n">computed</span> <span class="n">references</span> <span class="p">(</span><span class="n">aae</span><span class="p">)</span>
<a id="__codelineno-0-13" name="__codelineno-0-13" href="#__codelineno-0-13"></a><span class="no">[x]</span> <span class="nb">Type </span><span class="n">matching</span> <span class="n">analysis</span> <span class="k">for</span> <span class="n">all</span> <span class="n">functions</span> <span class="p">(</span><span class="n">aaft</span><span class="p">)</span>
<a id="__codelineno-0-14" name="__codelineno-0-14" href="#__codelineno-0-14"></a><span class="no">[x]</span> <span class="n">Propagate</span> <span class="n">noreturn</span> <span class="n">information</span>
<a id="__codelineno-0-15" name="__codelineno-0-15" href="#__codelineno-0-15"></a><span class="no">[x]</span> <span class="n">Use</span> <span class="n">-AA</span> <span class="n">or</span> <span class="n">aaaa</span> <span class="n">to</span> <span class="n">perform</span> <span class="n">additional</span> <span class="n">experimental</span> <span class="n">analysis</span><span class="p">.</span>
<a id="__codelineno-0-16" name="__codelineno-0-16" href="#__codelineno-0-16"></a>
<a id="__codelineno-0-17" name="__codelineno-0-17" href="#__codelineno-0-17"></a><span class="p">[</span><span class="n">0x565e8640</span><span class="p">]&gt;</span> <span class="n">aaaa</span>
<a id="__codelineno-0-18" name="__codelineno-0-18" href="#__codelineno-0-18"></a><span class="p">[</span><span class="n">0xf7723a20</span><span class="p">]&gt;</span> <span class="n">afl</span>
<a id="__codelineno-0-19" name="__codelineno-0-19" href="#__codelineno-0-19"></a><span class="p">[</span><span class="n">0xf7723a20</span><span class="p">]&gt;</span> <span class="n">e</span> <span class="n">asm</span><span class="p">.</span><span class="n">describe</span> <span class="p">=</span> <span class="n">true</span>
<a id="__codelineno-0-20" name="__codelineno-0-20" href="#__codelineno-0-20"></a><span class="p">[</span><span class="n">0xf7723a20</span><span class="p">]&gt;</span> <span class="n">s</span> <span class="n">main</span>
<a id="__codelineno-0-21" name="__codelineno-0-21" href="#__codelineno-0-21"></a><span class="p">[</span><span class="n">0x0804873b</span><span class="p">]&gt;</span> <span class="n">pdf</span>
<a id="__codelineno-0-22" name="__codelineno-0-22" href="#__codelineno-0-22"></a>
<a id="__codelineno-0-23" name="__codelineno-0-23" href="#__codelineno-0-23"></a><span class="n">To</span> <span class="n">perform</span> <span class="n">a</span> <span class="n">case-insensitive</span> <span class="n">search</span> <span class="k">for</span> <span class="n">strings</span> <span class="n">use</span> <span class="p">/</span><span class="n">i</span><span class="p">:</span>
<a id="__codelineno-0-24" name="__codelineno-0-24" href="#__codelineno-0-24"></a><span class="p">[</span><span class="n">0x0001d62c</span><span class="p">]&gt;</span> <span class="p">/</span><span class="n">i</span> <span class="n">Exploding</span>
<a id="__codelineno-0-25" name="__codelineno-0-25" href="#__codelineno-0-25"></a><span class="n">Searching</span> <span class="n">9</span> <span class="n">bytes</span> <span class="k">in</span> <span class="p">[</span><span class="n">0x0</span><span class="p">-</span><span class="n">0x10001018</span><span class="p">]</span>
<a id="__codelineno-0-26" name="__codelineno-0-26" href="#__codelineno-0-26"></a><span class="n">hits</span><span class="p">:</span> <span class="n">1</span>
<a id="__codelineno-0-27" name="__codelineno-0-27" href="#__codelineno-0-27"></a><span class="n">0x0003819e</span> <span class="n">hit1_0</span> <span class="p">..</span> <span class="n">N</span><span class="c"># NExploding Firmware ! N.</span>
<a id="__codelineno-0-28" name="__codelineno-0-28" href="#__codelineno-0-28"></a>
<a id="__codelineno-0-29" name="__codelineno-0-29" href="#__codelineno-0-29"></a><span class="p">$</span> <span class="n">r2</span> <span class="n">-a</span> <span class="n">avr</span> <span class="p">/</span><span class="n">tmp</span><span class="p">/</span><span class="n">flash</span>
<a id="__codelineno-0-30" name="__codelineno-0-30" href="#__codelineno-0-30"></a><span class="p">[</span><span class="n">0x000000c4</span><span class="p">]&gt;</span> <span class="n">afr</span>
<a id="__codelineno-0-31" name="__codelineno-0-31" href="#__codelineno-0-31"></a><span class="p">[</span><span class="n">0x000000c4</span><span class="p">]&gt;</span> <span class="n">pd</span> <span class="n">17</span>
<a id="__codelineno-0-32" name="__codelineno-0-32" href="#__codelineno-0-32"></a>
<a id="__codelineno-0-33" name="__codelineno-0-33" href="#__codelineno-0-33"></a><span class="p">$</span> <span class="n">rasm2</span> <span class="n">-a</span> <span class="n">avr</span> <span class="n">-d</span> <span class="s2">&quot;0c94 751b 0c94 9d1b 0c94 d72c&quot;</span>
<a id="__codelineno-0-34" name="__codelineno-0-34" href="#__codelineno-0-34"></a><span class="n">jmp</span> <span class="n">0x36ea</span>
<a id="__codelineno-0-35" name="__codelineno-0-35" href="#__codelineno-0-35"></a><span class="n">jmp</span> <span class="n">0x373a</span>
<a id="__codelineno-0-36" name="__codelineno-0-36" href="#__codelineno-0-36"></a><span class="n">jmp</span> <span class="n">0x59ae</span>
</code></pre></div>
<h2 id="loading-bare-metal-binaries-into-ghidra">Loading bare-metal binaries into Ghidra</h2>
<p>SVD-Loader for Ghidra automates the entire generation of peripheral structs and memory maps for over 650 different microcontrollers.</p>
<ul>
<li>SVD-Loader for Ghidra: Simplifying bare-metal ARM reverse engineering - <a href="https://leveldown.de/blog/svd-loader/">svd-loader/</a></li>
</ul>
<p><strong>Usage</strong></p>
<ul>
<li>Load a binary file</li>
<li>Open it in the CodeBrowser, but do not analyze it yet</li>
<li>Run the SVD-Loader Script</li>
<li>Select an SVD file</li>
<li>Analyze the file</li>
</ul>
<h2 id="esptool">ESPTool</h2>
<p>ESP8266 and ESP32 serial bootloader utility: <a href="https://github.com/espressif/esptool">espressif/esptool</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="n">josh</span><span class="nv">@ioteeth</span><span class="p">:/</span><span class="n">tmp</span><span class="p">/</span><span class="n">reversing</span><span class="p">$</span> <span class="p">~/</span><span class="n">esptool</span><span class="p">/</span><span class="n">esptool</span><span class="p">.</span><span class="n">py</span> <span class="n">image_info</span> <span class="n">recovered_file</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="n">esptool</span><span class="p">.</span><span class="n">py</span> <span class="n">v2</span><span class="p">.</span><span class="n">4</span><span class="p">.</span><span class="n">0-dev</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="n">Image</span> <span class="n">version</span><span class="p">:</span> <span class="n">1</span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a><span class="n">Entry</span> <span class="n">point</span><span class="p">:</span> <span class="n">4010f29c</span>
<a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a><span class="n">1</span> <span class="n">segments</span>
<a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a><span class="n">Segment</span> <span class="n">1</span><span class="p">:</span> <span class="n">len</span> <span class="n">0x00568</span> <span class="n">load</span> <span class="n">0x4010f000</span> <span class="n">file_offs</span> <span class="n">0x00000008</span>
</code></pre></div>
<h2 id="nrf5x-firmware-disassembly-tools">nRF5x Firmware disassembly tools</h2>
<ul>
<li><a href="https://github.com/DigitalSecurity/nrf5x-tools">DigitalSecurity/nrf5x-tools</a></li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="p">$</span> <span class="n">python3</span> <span class="n">nrfident</span><span class="p">.</span><span class="n">py</span> <span class="n">bin</span> <span class="n">firmwares</span><span class="p">/</span><span class="n">s132</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="n">Binary</span> <span class="n">file</span> <span class="n">provided</span> <span class="n">firmwares</span><span class="p">/</span><span class="n">s132</span><span class="p">.</span><span class="n">bin</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="n">Computing</span> <span class="n">signature</span> <span class="n">from</span> <span class="n">binary</span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a><span class="n">Signature</span><span class="p">:</span> <span class="n">d082a85351ee18ecfdc9dcb01352f5df3d938a2270bcadec2ec083e9ceeb3b1e</span>
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a><span class="p">=========================</span>
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a><span class="n">SDK</span> <span class="n">version</span><span class="p">:</span> <span class="n">14</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">0</span>
<a id="__codelineno-2-7" name="__codelineno-2-7" href="#__codelineno-2-7"></a><span class="n">SoftDevice</span> <span class="n">version</span><span class="p">:</span> <span class="n">s132</span>
<a id="__codelineno-2-8" name="__codelineno-2-8" href="#__codelineno-2-8"></a><span class="n">NRF</span><span class="p">:</span> <span class="n">nrf52832</span>
<a id="__codelineno-2-9" name="__codelineno-2-9" href="#__codelineno-2-9"></a><span class="p">=========================</span>
<a id="__codelineno-2-10" name="__codelineno-2-10" href="#__codelineno-2-10"></a><span class="n">SDK</span> <span class="n">version</span><span class="p">:</span> <span class="n">14</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">0</span>
<a id="__codelineno-2-11" name="__codelineno-2-11" href="#__codelineno-2-11"></a><span class="n">SoftDevice</span> <span class="n">version</span><span class="p">:</span> <span class="n">s132</span>
<a id="__codelineno-2-12" name="__codelineno-2-12" href="#__codelineno-2-12"></a><span class="n">NRF</span><span class="p">:</span> <span class="n">nrf52832</span>
<a id="__codelineno-2-13" name="__codelineno-2-13" href="#__codelineno-2-13"></a><span class="n">SoftDevice</span> <span class="p">:</span> <span class="n">s132</span>
<a id="__codelineno-2-14" name="__codelineno-2-14" href="#__codelineno-2-14"></a><span class="n">Card</span> <span class="n">version</span> <span class="p">:</span> <span class="n">xxaa</span>
<a id="__codelineno-2-15" name="__codelineno-2-15" href="#__codelineno-2-15"></a> <span class="p">*****</span>
<a id="__codelineno-2-16" name="__codelineno-2-16" href="#__codelineno-2-16"></a><span class="n">RAM</span> <span class="n">address</span> <span class="p">:</span> <span class="n">0x20001368</span>
<a id="__codelineno-2-17" name="__codelineno-2-17" href="#__codelineno-2-17"></a><span class="n">RAM</span> <span class="n">length</span> <span class="p">:</span> <span class="n">0xec98</span>
<a id="__codelineno-2-18" name="__codelineno-2-18" href="#__codelineno-2-18"></a><span class="n">ROM</span> <span class="n">address</span> <span class="p">:</span> <span class="n">0x23000</span>
<a id="__codelineno-2-19" name="__codelineno-2-19" href="#__codelineno-2-19"></a><span class="n">ROM</span> <span class="n">length</span> <span class="p">:</span> <span class="n">0x5d000</span>
</code></pre></div>
<h2 id="pure-disassemblers">Pure disassemblers</h2>
<ul>
<li>vAVRdisasm — auto-recognizes Atmel Generic, Intel HEX8, and Motorola S-Record files - <a href="https://github.com/vsergeev/vavrdisasm">vsergeev/vavrdisasm</a></li>
<li><a href="https://www.onlinedisassembler.com/odaweb/">ODA - The Online Disassembler</a></li>
<li>
<p>avr-objdump, the standard disassembler shipped with the avr-gcc toolchain</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="p">$</span> <span class="n">avr-objdump</span> <span class="n">-l</span> <span class="n">-t</span> <span class="n">-D</span> <span class="n">-S</span> <span class="n">main</span><span class="p">.</span><span class="n">bin</span> <span class="p">&gt;</span> <span class="n">main</span><span class="p">.</span><span class="n">bin</span><span class="p">.</span><span class="n">dis</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="p">$</span> <span class="n">avr-objdump</span> <span class="n">-m</span> <span class="n">avr</span> <span class="n">-D</span> <span class="n">main</span><span class="p">.</span><span class="n">hex</span> <span class="p">&gt;</span> <span class="n">main</span><span class="p">.</span><span class="n">hex</span><span class="p">.</span><span class="n">dis</span>
</code></pre></div>
</li>
</ul>
<h2 id="simulating-avr">Simulating AVR</h2>
<blockquote>
<p>Programs compiled for Arduino can be simulated using AVR Studio or the newer Atmel Studio. I have used the former along with hapsim. Hapsim works by hooking into AVR Studio and can simulate peripherals like the UART, LCD etc.</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="p">$</span> <span class="n">simulavr</span> <span class="n">-P</span> <span class="n">atmega128</span> <span class="o">-F</span> <span class="n">16000000</span> <span class="n">-f</span> <span class="n">build-crumbuino128</span><span class="p">/</span><span class="n">ex1</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">elf</span>
</code></pre></div>
<h2 id="uefi-firmware">UEFI Firmware</h2>
<p>Parse BIOS, Intel ME and UEFI firmware-related structures (volumes, filesystems, files, etc.) - <a href="https://github.com/theopolis/uefi-firmware-parser">theopolis/uefi-firmware-parser</a></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="n">sudo</span> <span class="n">pip</span> <span class="n">install</span> <span class="n">uefi_firmware</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="p">$</span> <span class="n">uefi-firmware-parser</span> <span class="p">-</span><span class="n">-test</span> <span class="p">~/</span><span class="n">firmware</span><span class="p">/*</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a><span class="p">~/</span><span class="n">firmware</span><span class="p">/</span><span class="n">970E32_1</span><span class="p">.</span><span class="n">40</span><span class="p">:</span> <span class="n">UEFIFirmwareVolume</span>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="p">~/</span><span class="n">firmware</span><span class="p">/</span><span class="n">CO5975P</span><span class="p">.</span><span class="n">BIO</span><span class="p">:</span> <span class="n">EFICapsule</span>
<a id="__codelineno-5-5" name="__codelineno-5-5" href="#__codelineno-5-5"></a><span class="p">~/</span><span class="n">firmware</span><span class="p">/</span><span class="n">me</span><span class="p">-</span><span class="n">03</span><span class="p">.</span><span class="n">obj</span><span class="p">:</span> <span class="n">IntelME</span>
<a id="__codelineno-5-6" name="__codelineno-5-6" href="#__codelineno-5-6"></a><span class="p">~/</span><span class="n">firmware</span><span class="p">/</span><span class="n">O990-A03</span><span class="p">.</span><span class="n">exe</span><span class="p">:</span> <span class="n">None</span>
<a id="__codelineno-5-7" name="__codelineno-5-7" href="#__codelineno-5-7"></a><span class="p">~/</span><span class="n">firmware</span><span class="p">/</span><span class="n">O990-A03</span><span class="p">.</span><span class="n">exe</span><span class="p">.</span><span class="n">hdr</span><span class="p">:</span> <span class="n">DellPFS</span>
</code></pre></div>
<h2 id="references">References</h2>
<ul>
<li><a href="https://github.com/chrisrdlg/gh22_SecureDuo">GreHack22 - SecureDUO - chrisrdlg</a></li>
<li><a href="https://thanat0s.trollprod.org/2014/01/loader-un-binaire-arduino-dans-ida/">Loader un binaire Arduino dans IDA - Posted on January 26, 2014 by thanatos</a></li>
<li><a href="https://youtu.be/nTPfKT61730">REcon 2014 - Reverse Engineering Flash Memory For Fun and Benefit - Matt Oh</a></li>
<li><a href="https://www.blackhat.com/docs/us-14/materials/us-14-Oh-Reverse-Engineering-Flash-Memory-For-Fun-And-Benefit-WP.pdf">Reverse Engineering Flash Memory for Fun and Benefit - Jeong Wook (Matt) Oh</a></li>
</ul>
</article>
</div>
</div>
</main>
</div>
</body>
</html>