Several breakthrough points in smart device vulnerability mining (there are ten firmware extraction methods and uboot firmware extraction methods)


This article covers the following four aspects.

1) Basic knowledge of smart devices

2) Ten ideas for extracting firmware

3) Ideas for discovering vulnerabilities from firmware

4) Reinforcement suggestions for smart devices


I. Basic knowledge of smart devices

This is the composition of a smart device, which is divided into several parts. Some things are always present: a CPU, memory, flash (the equivalent of a hard disk), a network port and a serial port. Some devices also have an SD card socket or other storage devices, and some have display interfaces.

CPUs come in many architectures, such as X86, MIPS and ARM; memory is divided into several types. There are also various kinds of storage, such as flash, TF card, MMC card and hard disk. Circuit boards generally have serial ports, used especially for debugging. Manufacturers face a maintenance problem: if something goes wrong with a smart device in use, the customer wants it solved immediately, and without a maintenance interface the developer may not be able to solve the problem on site. So these interfaces are necessary; sometimes it is a serial port, sometimes a network port, and sometimes a USB port. The software running in a smart device is also called firmware. Part of the firmware boots the system; Uboot is commonly used for this and has a large market share. The Linux operating system is used in many cases because it supports networking very well.

Next, what a serial port is. Serial ports are generally divided into two types, RS232 and TTL; TTL is 5V or 3.3V, which is equivalent to the voltage of the CPU. The lower left corner shows the definition of the serial port. The serial port really refers to three lines, namely RXD, TXD, and DCD. With these three wires, data is transmitted according to a certain timing. This timing has a certain period, and the period is generated asynchronously. Asynchronous transmission has the concept of a baud rate: for example, a baud rate of 9600 converts to about 1000 bytes per second. The higher the baud rate, the faster the transmission.

Flash is an important part of a smart device. There are two types. One is NOR flash, which is relatively expensive and small in capacity, with separate address lines and data lines. Its advantage is that the CPU can address it directly, because on the circuit diagram each address line is connected individually and the data lines are connected separately as well. It is commonly used for code storage. The larger the storage capacity, the more address lines there are.

Calculate the addressing range of the NOR flash address lines in the above figure:

8MB = 0x800000 (hexadecimal)
Converted to binary: 100000000000000000000000
The address line happens to be from addr0-addr22. The maximum address is 22 ones.

There is also NAND flash, which is cheap and has a large capacity. It is mainly used for data storage, but it generally cannot be addressed directly and requires a driver.

Now for Uboot and busybox on the software side. Uboot is an embedded boot program with two functions: one is booting the system at startup, the other is updating. It supports many types of CPU, such as ARM, MIPS and PowerPC, supports Linux, and provides simple network commands and the like. Busybox integrates more than 300 commonly used Linux commands and tools. It is very compact, about 1-2 megabytes after compilation, yet it supports a lot of commands and can be cut down as needed. For example, some busybox commands such as nc, dd and tar are cut out.

This is the cooperative relationship between the software and hardware of the smart device. Taking the Linux operating system as an example, the upper part is the memory, the lower part is the flash storage, and the middle is the firmware. The Uboot in the firmware is used for booting at startup. It then starts the kernel, followed by the file system, which includes RAMFS and FLASH FS.
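The layout described above (Uboot, then the kernel, then the file system) can be located inside a raw flash image by searching for each part's format magic and validating the header that follows. The Python sketch below is an added example, not code from the original article; it assumes a legacy uImage kernel header and a SquashFS file system, and the 4 KiB sample image is constructed.

```python
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"      # legacy U-Boot image header, big-endian
SQUASHFS_MAGIC = b"hsqs"                # SquashFS 4.x superblock, little-endian
UIMAGE_HDR = struct.Struct(">7I4B32s")  # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
SQFS_SB = struct.Struct("<12xI6xH16xQ") # block_size @12, block_log @22, bytes_used @40

def parse_uimage(blob, off):
    """Return header fields if a uImage header whose CRC32 verifies starts at off."""
    raw = blob[off:off + UIMAGE_HDR.size]
    if len(raw) < UIMAGE_HDR.size:
        return None
    f = UIMAGE_HDR.unpack(raw)
    if zlib.crc32(raw[:4] + b"\0" * 4 + raw[8:]) != f[1]:  # hcrc covers the header with its own field zeroed
        return None
    return {"kind": "uImage", "offset": off, "size": f[3], "load": f[4],
            "name": f[11].rstrip(b"\0").decode("ascii", "replace")}

def parse_squashfs(blob, off):
    """Return superblock fields if block_size and block_log agree, else None."""
    if len(blob) - off < SQFS_SB.size:
        return None
    block_size, block_log, bytes_used = SQFS_SB.unpack_from(blob, off)
    if block_log > 20 or block_size != 1 << block_log:
        return None
    return {"kind": "squashfs", "offset": off, "size": bytes_used}

def scan(blob):
    """List validated uImage headers and SquashFS superblocks, sorted by offset."""
    hits = []
    for magic, parser in ((UIMAGE_MAGIC, parse_uimage), (SQUASHFS_MAGIC, parse_squashfs)):
        pos = blob.find(magic)
        while pos != -1:
            hits.append(parser(blob, pos))
            pos = blob.find(magic, pos + 1)
    return sorted((h for h in hits if h), key=lambda h: h["offset"])

def build_sample():
    """Constructed 4 KiB image: erased flash, a corrupted header, a uImage, a SquashFS."""
    img = bytearray(b"\xff" * 0x1000)
    hdr = bytearray(UIMAGE_HDR.pack(0x27051956, 0, 0, 0x200, 0x80008000, 0x80008000,
                                    0, 5, 2, 2, 0, b"Linux-sample"))
    hdr[4:8] = struct.pack(">I", zlib.crc32(bytes(hdr)))
    img[0x100:0x140] = hdr
    hdr[40] ^= 0x01                     # one flipped bit: header CRC no longer matches
    img[0x80:0xC0] = hdr
    img[0x800:0x830] = SQUASHFS_MAGIC + SQFS_SB.pack(0x20000, 17, 0x600)[4:]
    return bytes(img)
```

Calling `scan(build_sample())` reports the uImage at 0x100 and the SquashFS at 0x800, while the corrupted header copy at 0x80 is rejected by the CRC check even though its magic matches.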

Maintenance interfaces for smart devices

Upgrade interface:
1) Download firmware interface (hardware interface: JTAG/SWD port; network protocol: TFTP/FTP; custom protocol)
2) BootLoader upgrade interface
3) SD/TF card upgrade interface
4) USB upgrade interface

Debug interface:
1) Network/USB log interface
2) Debug interface (usually a TTL serial port; there are also telnet/ssh network protocols, etc.)

The above are the maintenance interfaces. We must have a certain understanding of them. Why? Because these interfaces are very important: one kind is used for upgrading the firmware, the other for debugging. The debugging interface basically has these functions.

That was a general introduction to the basics. For example, if I want to extract the firmware, and the firmware is stored in flash, I must have some understanding of flash. Serial ports and interfaces must be studied as well. In addition, since the firmware contains these programs, you need a certain understanding of the file system and the basic small commands. This knowledge and these skills can be used to great effect.


II. Ten ideas for extracting firmware

These ten ideas are the ten methods I often use; that does not mean other methods do not exist. Firmware extraction methods are simply divided into two types: hardware and software.

Ten ideas for extracting firmware from smart devices:

Here are nine firmware extraction methods, and the last method will give you a surprise!


1. Ask for an upgrade package on the official website or contact after-sales. Not much to say about this.

Official website or contact after-sales service to get the upgrade package:

>Applicable when the official website provides smart device firmware for download

>Some manufacturers provide firmware only through agents and official after-sales

Risk points:

>The official website may not provide firmware, or may provide old firmware

>For industrial control equipment, firmware is rarely provided, or it is encrypted


2. Extract the firmware through online upgrade. If there is a mobile phone application or a computer application, you can click “Upgrade”. While the firmware is being upgraded, you can obtain it by capturing packets. If the download addresses of the old and new firmware versions follow a certain naming rule, then once the new version is captured, the address of the old version can also be guessed.

Extract the firmware by online upgrade:

>Tool: HUB

>Software: Wireshark

>Upgrade online, capture packets, analyze the firmware address, download the firmware

>To get both new and old firmware:

>Record the firmware version and name before upgrading

>After upgrading, splice together the old firmware address according to the naming rules.


3. Reverse engineer the upgrade software, which has the unpacking and communication algorithms built in. If the firmware is designed to be decrypted on the lower computer (the device), it is slightly safer; if it is decrypted on the upper computer (the host), it can be cracked by reverse engineering.

Reverse engineer the upgrade software; the software has built-in unpacking and communication algorithms:

>The manufacturer provides upgrade software for the upper computer. Before upgrading, the software first decrypts the firmware on the upper computer, and then transfers the unencrypted firmware to the device for the upgrade

>Reverse the part that decrypts the upgrade firmware; capture the data packets


4. From the debugging interface: Obtain the firmware by JTAG/SWD and other methods.

From the debug interface: get firmware from hardware interfaces such as JTAG/SWD

>If there is a ready-made JTAG interface on the circuit board, use JAC to establish a connection and read out the burned firmware.

>Commercial solutions: Ilink, Xitag

>Open source solutions: GDBs, OpenOCD

>Prerequisite: a JTAG interface is required on the circuit board. Disadvantage: there are not many circuit boards with JTAG

>Exception: the firmware is stored in the FLASH inside the CPU, and encryption is not enabled


5. Remove the flash, SD/TF card, hard disk, etc., and use a programmer/card reader to obtain the firmware.

The common approach is to remove the flash chip, read the firmware with a programmer, and then solder the chip back after reading.

Remove the flash, SD/TF card, hard disk, etc., and use a programmer to get the firmware

Only three steps are required:

>Remove the flash chip

>Use the programmer to extract the firmware content

>Solder the flash chip back onto the circuit board

Note that the chip has an orientation. There is a dot at the first pin. When soldering or reading with a programmer, determine the orientation of the chip first.


6. Obtain the firmware from the serial port (UART) debug port.

>Prerequisite: there is a serial port debugging connection on the development board; we need to find the hidden serial port
>The serial port has two standards according to voltage: the RS232 standard and the TTL standard
RS232 standard: Voltage range: -12V, +12V (negative logic)
TTL standard: Voltage range: 0, 5V
Serial port pin identification method: a serial port generally has 4 pins
>VCC: The power supply voltage is 3.3V or 5V
>GND: Power supply ground
>RXD: data receiving pin; the voltage measured by the multimeter is low (it may be high if the hardware is pulled up)
>TXD: data sending pin; the voltage measured by the multimeter is generally high

I summarized this method while helping customers test products in security testing.

During the security test, I found a loophole for extracting firmware through uboot, and summed up a series of firmware extraction methods.

What I do most often is research on the security of industrial control equipment vulnerabilities. Basically, I can’t get the firmware. The firmware I do get is also encrypted, which troubled me for a long time. After a period of exploration, there are about 10 successful cases of extracting firmware. This year, with ordinary IoT routers, cameras and other similar devices, after practical research and 20 or 30 successful cases, I found that extracting firmware through the serial port is the safest and most reliable method. Why do I say that? When I went to do a test for a customer, the customer said that it doesn’t matter if you break it, but there is only one sample! I wanted to remove the flash to extract the firmware, but this was the only device. If soldering the chip broke the device, the vulnerability could not be verified later. The key point is that an industrial control device costs thousands or tens of thousands of dollars. Once the equipment is broken, it becomes even more embarrassing. So I slowly figured out some methods, which I share with you here.

Serial port identification: There are two standards for serial port identification. The serial port is usually identified after the device is disassembled. The serial port generally has four pins. The first step is to find the ground (GND), which is easy to find: the one connected to the power supply is the ground, or the chip is connected to the ground. After the ground is confirmed, we connect it to the USB interface. I first connect the receiving pin; both pins may be high-voltage. I then connect the receiving pin to the ground, and then connect a pin at random. Once the device is started, if there is output at this time, it is connected; then I connect the other pin, and the three pins are connected. I usually find the serial port based on the above idea.
