Establishing the goals for doing firmware analysis is important. Ask yourself the following:
- Are you looking to modify functionality?
- Are you looking for vulns?
- Are you looking for sensitive info?
- Are you looking for protocols?
- Do you just want to understand how it works?
Here is a good set of basic questions to try and answer throughout analysis.
Basic Questions
- What is the target device used for?
- What is the underlying processor architecture?
- What features does it support?
- What type of operating system runs on the device?
- Is it embedded Linux/Windows?
- Is it an RTOS?
- Is it some bare bones application code?
- What other chips are onboard?
- What type of programs run on it?
Getting a hold of firmware
- Vendor Websites
- OSINT
- Analyzing fw updater apps
- PCAPS
- Directly interfacing with hardware
Firmware File
- How is firmware updated?
- What is the file format of the firmware?
- Is it encrypted?
- Is the firmware a full image, or just a sort of patch?
Interaction
- How do you interact with the device as a user?
- How would you interact with the device as a developer?
- What inputs and outputs might this device have?
- How does the device firmware interact with hardware devices and non-volatile memory?
Vulns and Prior Research
- Are there known vulnerabilities for this device or any of the technologies used?
- Are there any write-ups / blog posts / data sheets about this device?
Techniques
Binary Information and RE
File Carving
- binwalk + all the filesystem unpackers
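As an added example (not from the talk or from binwalk itself), a small Python triage script that performs two of the checks above on a constructed sample image: scanning for well-known magic bytes, which is the basic idea behind binwalk's file carving, and measuring per-block entropy to help answer "is it encrypted or compressed?". The sample image, its layout and the 7.0 bits/byte threshold are constructed assumptions, not a real firmware dump.

```python
import math
from collections import Counter
from random import Random

# Well-known, publicly documented magic values commonly found in firmware images.
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"\x7fELF": "ELF binary",
    b"\x1f\x8b\x08": "gzip stream",
    b"\xfd7zXZ\x00": "xz stream",
    b"hsqs": "SquashFS filesystem (little-endian)",
    b"sqsh": "SquashFS filesystem (big-endian)",
    b"UBI#": "UBI volume",
}

def carve_signatures(blob: bytes) -> list[tuple[int, str]]:
    """Return every (offset, description) at which a known magic value occurs."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_blocks(blob: bytes, block: int = 512, threshold: float = 7.0) -> list[int]:
    """Offsets of blocks whose entropy suggests compressed or encrypted data.
    Plain code and filesystem metadata normally sit well below the threshold."""
    return [off for off in range(0, len(blob), block)
            if shannon_entropy(blob[off:off + block]) > threshold]

def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware dump: a uImage-style header, zero
    padding, then a SquashFS magic followed by pseudo-random (opaque) bytes."""
    rng = Random(1234)  # fixed seed so the constructed sample is reproducible
    header = b"\x27\x05\x19\x56" + b"\x00" * 508
    opaque = bytes(rng.randrange(256) for _ in range(2044))
    return header + b"hsqs" + opaque

if __name__ == "__main__":
    image = build_sample_image()
    for off, name in carve_signatures(image):
        print(f"0x{off:08x}  {name}")
    print("high-entropy blocks at:", [hex(o) for o in high_entropy_blocks(image)])
```

A signature hit followed immediately by high-entropy blocks (as at offset 512 here) is the typical sign of a compressed filesystem to hand to the matching unpacker; high entropy with no recognisable header at all is the pattern that points toward encryption.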
Emulation
Binary Diffing
Firmware used in this talk:
Further Resources
- Introduction to Firmware Reversing
- Backdooring a smart camera by creating a malicious firmware upgrade
- Sheila Ayelen Berta - Backdooring Hardware by Injecting Malicious Payloads
- Dennis Giese - How to modify ARM Cortex M based firmware
- Using Static Binary Analysis To Find Vulnerabilities And Backdoors In Firmware
Inspiration