Exploring Firmwares: Tools and Techniques for (New) Cartographers
2024-10-25 , Schengen 1 & 2

This workshop will introduce attendees to the world of firmware analysis. It will discuss only structured firmwares---i.e. firmware containing a file system---by opposition to monolithic firmwares also known as baremetal firmwares. Students will discover two major steps of this analysis workflow which are also the most firmware specific ones: extraction of the filesystem and its cartography. Various open-source tools will be introduced, including two developed by Quarkslab: Pyrrha, a mapper collection for firmware analysis, and its underlying API Numbat. Based on this latter, attendees will be able to develop their own cartography tools with a nice UI. All along this workshop, a strong focus will be made on the tasks that could be automated by some existing or future tools but also on the limits of this automatization.


Each section will start by a quick theoretical introduction, then attendees will practice a lot through guided
examples or real hands-on. The number of exercises done will depend of the workshop duration.

Extraction is the acquisition of the filesystem contained in the firmware. Classically, two types of
techniques could be employed, either using hardware access to dump its content or directly having the
firmware accessible as an archive file. This workshop will only discuss the second one. Firmware files
could have various formats, from the most classical ones which can be easily mount or extracted to the
undocumented handmade ones. In this case, a format reverse-engineering should be done to create the
appropriated unpacker.

Labs:
Using Binwalk[3]/Unblob[4] to extract a firmware.
- Extraction of a router firmware using binwalk or unblob, discussion of the limits of these tools.
- Create your own extractor using Kaitai Struct[4].

Cartography consists in gathering any information about the firmware and to identify points of interest
which will require deeper analysis to potentially find a vulnerability or assess the correct security of it.
First, we will introduce what we are usually looking for in a firmware:
- boot process and initialization system;
- attack surface;
- classic weaknesses like SSL NO_VERIFY_PEER option;
- deprecated OpenSSL options;
- strcpy calls;
- etc.

Lab:
- Navigation into the firmware executables and their imports with Pyrrha. Manipulation of the different views proposed by the UI to identify potential entrypoints that will lead to a given binary (identified as the "vulnerable" one). The router firmware extracted at the previous step will be used as an example.

Develop your own tools As seen in the previous sections, some steps of the analysis could be supported by some tools/scripts. This last part of the workshop tends to offer attendees tools to help this development. Two main ideas will be introduced: first, integrate a new mapper in Pyrrha based on a new heuristic or to handle a specific need. The second relies on Numbat, the API used by Pyrrha to create a
graph that could be rendered and looked in, in a user-friendly UI. The idea is to quickly develop a UI for
already existing tools


[1] Quarkslab. Pyrrha. 2023. url: https://github.com/quarkslab/pyrrha.
[2] Quarkslab. Numbat. 2024. url: https://github.com/quarkslab/numbat.
[3] ReFirm Labs. Binwalk. 2010. url: https://github.com/ReFirmLabs/binwalk.
[4] Onekey. Unblob. 2021. url: https://github.com/onekey-sec/unblob.
[5] Katai Struct. 2015. url: https://github.com/kaitai-io/kaitai_struct.

See also: Custom Format Lab: Student Material (115.0 KB)

Eloïse Brocas is a security researcher and reverse engineer at Quarkslab She has a strong interest in creating tooling that support security analysts in their day-to-day tasks, some of these tools have been open-sourced like Pyrrha.