Intro To Hardware Firmware Hacking

This document provides an overview of hardware firmware hacking. It discusses embedded devices and MIPS processors. It then demonstrates analyzing the firmware of an embedded device by disassembling MIPS binaries, exploring the function stack, and triggering a stack buffer overflow to execute shellcode and obtain a root shell. The document emphasizes analyzing firmware statically and dynamically using tools like IDA, online disassemblers, debuggers and Python scripts.

Intro to Hardware Firmware Hacking

Andrew Freeborn

1
Agenda
• The Wild West
• What’s MIPS
• Let’s break it
• Pictures!

2
Embedded Devices

3
Embedded Devices Are Awesome
• Cheap and everywhere
• Lots of options for home routers, modems, etc
• New models every year with new features
• No real regulation of the safety and strength of the security of the device (CyberUL to help?)
• Krebs attack / Ukraine power grid
4
We get it, they’re bad

5
TLC?

6
They’re not bad, they just need TLC
• Easy to get into surprisingly
• Easier if you stick to the rivers and lakes.... Software
• Like many problems, issues can be fixed when there is attention on them
7
Embedded Device Solutions
• All software updated
• Kernel updates
• Kernel hardening
• Compiler protections
• Make updating easy and secure with little effort
• Scanned for vulnerabilities
8
When do we get to see dat MIPS
• DVRF
• MIPS CPU
• MIPS assembly >>
• ???
• Profit
• MIPS binaries
What the MIPS?
• hello.c
• MIPS disassembly
https://www.onlinedisassembler.com/odaweb/GzjLonX7
What about security?
• Anybody can do this search and find this information
• Source: https://www.shodan.io/search?query=netgear
Show me that MIPS again
• Prologue
• Middle-logue?
• Epilogue
What’s a stack buffer overflow?
• Why do we care?
• Are there other buffer overflows?
• Source: https://en.wikipedia.org/wiki/Call_stack

13
Stack buffer overflows in DVRF
• Why start here?
• How many challenges are there?
• Intro: stack_bof_01, heap_overflow_01, uaf_01
• ShellCode_Required: stack_bof_02, socket_bof, socket_cmd
14
stack_bof_01
• Let’s run it!

15
stack_bof_01
• Hulk smash!
Smashed the stack, now what
• Static analysis with floss (the new strings!)
Graph me like one of your French binaries
• Lots of ways to do this

• IDA
• Online Disassembler >> www.onlinedisassembler.com/odaweb/OXabeNP7
What’s on the menu?
• Functions
• main
• dat_shell
• other things we don’t care about
Dynamic analysis
• Debugger like GDB
• Plain GDB is not pretty
• pwndbg makes it nice >>
• Use gdb-multiarch
• This really is helpful >>
Python to the rescue
• You just need the right amount of “As”
• Provide the memory address of dat_shell
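The bug class behind stack_bof_01, shown as the unchecked strcpy() pattern beside a bounds-checked version. This is an added C example, not DVRF's source; the buffer size and function names are assumed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64   /* assumed size for illustration, not DVRF's */

/* Vulnerable pattern: strcpy() copies until the NUL and never consults
 * sizeof(buf). On MIPS the saved return address ($ra) sits above the
 * locals in the frame, so an argument longer than the buffer overwrites
 * it and the epilogue's "jr $ra" jumps wherever the overflow put it.
 * Kept for reading only; it is never called below. */
int vulnerable_copy(const char *arg) {
    char buf[BUF_LEN];
    strcpy(buf, arg);            /* no bound check: the bug */
    return (int)strlen(buf);
}

/* Hardened copy: reject input that does not fit, NUL included, instead
 * of truncating silently or writing past the end. Returns 0 or -1. */
int bounded_copy(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same handler with the check in place: returns the copied length,
 * or -1 when the input would have smashed the stack. */
int hardened_copy(const char *arg) {
    char buf[BUF_LEN];
    if (bounded_copy(buf, sizeof buf, arg) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Bytes that strcpy() would write past a buf_len buffer for an input of
 * input_len characters (the trailing NUL counts). 0 means it fits. */
size_t overflow_bytes(size_t buf_len, size_t input_len) {
    size_t written = input_len + 1;
    return written > buf_len ? written - buf_len : 0;
}

/* Constructed input of n 'A's (capped at 255) fed to the hardened copy. */
int try_all_As(size_t n) {
    char input[256];
    if (n >= sizeof input) n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return hardened_copy(input);
}
```

With BUF_LEN 64, 63 "A"s is the last input the hardened copy accepts; 64 or more is rejected where the unchecked version would already be writing over the saved frame.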

21
Thanks!
[email protected]
• https://vivirytech.blogspot.com
• Twitter: @vivirytech

22