4.5 KiB
4.5 KiB
Firmware Dumping
Summary
- Send a new firmware into the microcontroller using serial port
- Dump firmware using debug port
- Convert ihex to elf
- Over-the-air updates
- Explore firmware
- Type of firmware
- Check entropy
- Unsquashfs
- Encrypted firmware
Send a new firmware into the microcontroller using serial port
# send raw data firmware
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:w:flash_raw.bin
# send ihex firmware
$ avrdude -c usbasp -p m328p -F -U flash:r:dump.hex:i
# default
$ avrdude -c usbasp -p m328p -C /etc/avrdude.conf -U flash:w:hardcodedPassword.ino.arduino_standard.hex
Dump firmware using debug port
- avrdude
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:r:flash_raw.bin:r
$ avrdude -p m328p -c arduino -P /dev/ttyACM0 -b 115200 -U flash:r:flash_raw.bin:r
$ avrdude -p atmega328p -c arduino -P/dev/ttyACM0 -b 115200 -D -U flash:r:program.bin:r -F -v
- openocd
Determine code space in the microcontroller (for example nRF51822 - Micro:bit), save as dump_img.cfg:
init
reset init
halt
dump_image image.bin 0x00000000 0x00040000
exit
sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg
Convert ihex to elf
The Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEXs can be converted to binary files and programmed into a configuration device.
Each line in the ihex file starts with :
- a colon :
- followed by ONE BYTE = record length
- followed by TWO BYTES = offset to load
- followed by ONE BYTE = Record Type
- Last BYTE in the line = Checksum
Convert .hex(ihex format) to .elf file with avr-objcopy or with an online tool http://matrixstorm.com
$ avr-objcopy -I ihex -O elf32-avr dump.hex dump.elf
# or
$ objcopy -I ihex chest.hex -O binary chest.bin ; xxd chest.bin
Alternative with Python bincopy
import bincopy
import sys
f = bincopy.BinFile()
f.add_ihex_file(sys.argv[1])
print(f.as_binary())
Quick strings on .hex
cat defaultPassword.ino.arduino_standard.hex | tr -d ":" | tr -d "\n" | xxd -r -p | strings
Inspect the assembly with avr-objdump -m avr -D chest.hex.
Emulate : qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin
Over-the-air updates
TODO
Explore firmware
$ binwalk -Me file.bin
$ strings file.bin
$ strings -e l file.bin
The strings -e flag specifies the encoding of the characters. -el specifies little-endian characters 16-bits wide (e.g. UTF-16)
$ strings -tx file.bin
The -t flag will return the offset of the string within the file. -tx will return it in hex format, T-to in octal and -td in decimal.
$ dd if=firmware.bin of=firmware.chunk bs=1 skip=$((0x200)) count=$((0x400-0x200))
If we wanted to run it a little faster, we could increase the block size:
$ dd if=firmware.bin of=firmware.chunk bs=$((0x100)) skip=$((0x200/0x100)) count=$(((0x400-0x200)/0x100))
$ binwalk -Y dump.elf
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions
Type of firmware
- SREC - Motorola S-Record : All S-record file lines start with a capital S.
- Intel HEX lines all start with a colon.
- TI-TXT is a Texas Instruments format, usually for the MSP430 series. Memory addresses are prepended with an @, and data is represented in hex.
- Raw NAND dumps
Check entropy
High entropy = probably encrypted (or compressed). Low entropy = probably not
$ binwalk -E fw
Unsquashfs
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
Encrypted firmware
