The first step in finding vulnerabilities in some kind of IoT device is getting its firmware. 5–10 years ago, it was extremely easy: firmware of every device was available on the manufacturer’s website. And while it’s still true in some cases, now there’s no more a one-size-fits-all solution. Now we have several ways of getting firmware, ranging from very easy to very hard.
在某种物联网设备中查找漏洞的第一步是获取其固件。5-10 年前,这非常简单:每台设备的固件都可以在制造商的网站上找到。虽然在某些情况下仍然如此,但现在不再有一刀切的解决方案。现在我们有几种获取固件的方法,从非常容易到非常困难。
Download: Very Easy 下载: Very Easy
Maybe the manufacturer still offers firmware for download to everyone in need. Even if that’s not the case, sometimes firmware or some parts of it could be leaked or available somewhere else. So it’s worth searching (I recommend specifically searching Github alongside your usual search engines/Google dorks) and, if it doesn’t break your local laws, downloading.
也许制造商仍然向所有有需要的人提供固件下载。即使情况并非如此,有时固件或其某些部分也可能泄漏或在其他地方可用。因此,值得搜索(我建议专门搜索 Github 和您通常的搜索引擎/Google 傻瓜),如果它不违反您当地的法律,请下载。
MITMing Update Process: Easy to Moderate
MITMing 更新过程:易于审核
If the previous option didn’t work and your device has just one shiny button labeled “Install update,” it’s worth pressing it, but not before you’ve started a proper MITM with traffic capture. There are a variety of tool choices, from Bettercap to Mitm-proxy.
如果上一个选项不起作用,并且您的设备只有一个标有“安装更新”的闪亮按钮,则值得按下它,但在您开始使用流量捕获进行适当的 MITM 之前不要按下它。有多种工具选择,从 Bettercap 到 Mitm-proxy。
The idea here is that despite the widespread adoption of HTTPS, some developers may still use plain HTTP CDNs for distributing updates. Then, the update package can be easily extracted from the traffic, or you can capture the URL and follow it.
这里的想法是,尽管 HTTPS 被广泛采用,但一些开发人员可能仍然使用普通的 HTTP CDN 来分发更新。然后,可以很容易地从流量中提取更新包,或者您可以捕获 URL 并跟踪它。
But let’s say your target uses HTTPS. Then we have 2 different scenarios:
但是,假设您的目标使用 HTTPS。然后我们有 2 种不同的场景:
1. Standalone Target 1. 独立目标
If the target is self-sufficient and doesn’t have any mobile apps or desktop clients for control, you can still try to make it use your self-signed HTTPS certificate, with decent chances of success.
如果目标是自给自足的,并且没有任何用于控制的移动应用或桌面客户端,您仍然可以尝试使其使用自签名 HTTPS 证书,成功的机会很大。
2. Target with Mobile App
2. 使用移动应用程序定位
Many smart devices don’t have their own UI and require a smartphone app for control. In some cases, the firmware download may be implemented in the app itself. You can then install your own self-signed root certificate on the smartphone or emulator you’re using. If internet connectivity features in the app stop working, it indicates the use of SSL pinning. Of course, there are various techniques to bypass this, such as using Frida.
许多智能设备没有自己的用户界面,需要智能手机应用程序进行控制。在某些情况下,固件下载可以在应用程序本身中实现。然后,您可以在正在使用的智能手机或模拟器上安装自己的自签名根证书。如果应用程序中的 Internet 连接功能停止工作,则表示使用了 SSL 固定。当然,有多种技术可以绕过这一点,例如使用 Frida。
Here’s something to read on that topic:
以下是有关该主题的内容:
Hail Frida!! The Universal SSL pinning bypass for Android.
弗里达万岁!!适用于 Android 的通用 SSL 固定绕过。
In this article, I’ll explain how to bypass SSL pinning of any android application using frida framework.
在本文中,我将解释如何使用 frida 框架绕过任何 android 应用程序的 SSL 固定。
infosecwriteups.com
https://redfoxsec.com/blog/ssl-pinning-bypass-android-frida/
https://infosecwriteups.com/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29
If those aren’t enough, you’re in for some reverse engineering, my friend. Try to find and understand how they implement SSL pinning, or even better — how they download the update itself (sometimes dumping strings can go a long way).
如果这些还不够,你还需要进行一些逆向工程,我的朋友。尝试查找并了解他们如何实现 SSL 固定,或者更好的是 – 他们如何下载更新本身(有时转储字符串可能会有很长的路要走)。
Dumping Firmware through a Vulnerability: Moderate — ???
通过漏洞转储固件:中 — ???
Some targets can be very special: either in-development devices, devices with no software update feature, or devices that require a highly paid technician certified by the manufacturer using special tools to update them. In either case, playtime is over.
有些目标可能非常特殊:开发中的设备、没有软件更新功能的设备,或者需要制造商认证的高薪技术人员使用特殊工具进行更新的设备。无论哪种情况,游戏时间都结束了。
If you’re in luck, your device might have an unpatched older vulnerability that allows you to get a root shell (or any other kind of code execution) and dump the damn thing. If there’s also a public exploit for the bug, I’d tell you to go buy a lottery ticket. Otherwise, you have to develop an exploit yourself, but that’s already much easier when you have even a basic vulnerability description.
如果幸运的话,您的设备可能有一个未修补的旧漏洞,允许您获取 root shell(或任何其他类型的代码执行)并转储该死的东西。如果这个漏洞也被公开利用,我会告诉你去买彩票。否则,您必须自己开发漏洞利用,但是当您拥有基本的漏洞描述时,这已经容易得多。
New, but Low Hanging Fruit
新的,但唾手可得的果实
In most cases, you’ll have to find a vulnerability yourself. You might be thinking now: “What are you talking about? We need the firmware to search for vulnerabilities in the first place.” Well, I’m gonna tell you that they haven’t canceled black box testing so far. Of course, it’s harder without the firmware, so we’re gonna make things a bit easier for us.
在大多数情况下,您必须自己找到漏洞。你现在可能在想:“你在说什么?我们首先需要固件来搜索漏洞。好吧,我要告诉你,到目前为止,他们还没有取消黑匣子测试。当然,没有固件会更难,所以我们要让事情变得更容易一些。
The most dangerous, feared, and valuable vulnerabilities are those that can be exploited without authentication. The majority of security researchers look for these, and the majority of manufacturers focus on securing their devices against them. But then we have vulnerabilities that can be exploited after authentication, let’s say even with admin rights. In that case, we have a wider attack surface paired with softer targets. It gives us an opportunity to find a lower hanging code execution, dump the firmware, and then use it to find something more interesting.
最危险、最可怕和最有价值的漏洞是那些无需身份验证即可被利用的漏洞。大多数安全研究人员都在寻找这些,而大多数制造商则专注于保护他们的设备免受它们的侵害。但是,我们有一些漏洞可以在身份验证后被利用,比如说即使具有管理员权限。在这种情况下,我们有更宽的攻击面和更软的目标配对。它让我们有机会找到一个较低的代码执行,转储固件,然后用它来找到更有趣的东西。
The Hardware Way: Moderate — Very Hard
硬件方式:中等 – 非常困难
The hardware way is generally harder but still could be easier than the previous option, in some cases.
硬件方式通常更难,但在某些情况下仍然可能比以前的选项更容易。
It falls into two categories: trying to find and exploit hardware vulnerabilities and reading firmware directly from flash storage.
它分为两类:尝试查找和利用硬件漏洞以及直接从闪存中读取固件。
Hardware Vulnerabilities 硬件漏洞
There are various types of hardware vulnerabilities out there, but here we’re mostly interested in exposed debug interfaces like UART shells or JTAG/SWD.
市面上有各种类型的硬件漏洞,但在这里,我们最感兴趣的是暴露的调试接口,如UART shell或JTAG/SWD。
UART Shells UART 外壳
UART interfaces are a common sight in IoT devices, often left accessible for diagnostics. By tapping into these UART ports, you can sometimes gain console access (and I’m talking about root/bootloader shell). The key lies in identifying the TX, RX, and GND pins, and then using a serial-to-USB converter and a terminal emulator to communicate with the device. This method can be a straightforward and effective way to start unraveling the inner workings of an IoT device.
UART接口在物联网设备中很常见,通常可用于诊断。通过利用这些 UART 端口,您有时可以获得控制台访问权限(我说的是 root/bootloader shell)。关键在于识别 TX、RX 和 GND 引脚,然后使用串口转 USB 转换器和终端仿真器与器件通信。这种方法可以成为开始解开物联网设备内部工作原理的一种直接有效的方法。
Some links on the topic:
有关该主题的一些链接:
https://voidstarsec.com/blog/uart-uboot-and-usb
JTAG/SWD Interfaces JTAG/SWD接口
Designed for testing and debugging at the chip level, these interfaces offer low-level access to a device’s CPU. Pinpointing the JTAG or SWD pins on a packed PCB is the first step (assuming those are exposed at all, hehe), followed by interfacing with a debugger like J-Link or ST-Link. Once connected, these interfaces allow for stopping firmware execution, inspecting memory, and so on. Some manufacturers know about this and try to disable or hide these interfaces, protect them with passwords, etc. But, of course, some don’t. And we wouldn’t be hackers if we didn’t try, right?
这些接口专为芯片级测试和调试而设计,提供对设备 CPU 的低级访问。第一步是精确定位封装PCB上的JTAG或SWD引脚(假设这些引脚完全暴露,呵呵),然后与J-Link或ST-Link等调试器连接。连接后,这些接口允许停止固件执行、检查内存等。一些制造商知道这一点,并试图禁用或隐藏这些接口,用密码保护它们等。但是,当然,有些人没有。如果我们不尝试,我们就不会成为黑客,对吧?
Those post may help you to figure out JTAG:
这些帖子可能会帮助您了解 JTAG:
https://sergioprado.blog/2020-02-20-extracting-firmware-from-devices-using-jtag/
https://wrongbaud.github.io/posts/jtag-hdd/
Fun with Flash Chips 闪存芯片的乐趣
This sweet-sweet firmware we’re looking for has to be stored somewhere. For the majority of smart devices out there, this somewhere will be a flash chip. If it’s stored there, it can be read from there. In fact, this is what the CPU of your target is doing when it boots up! But we don’t have access to the CPU, so we have to find another way, which is interfacing with the chip directly or desoldering the flash chip from the PCB and reading it out using a special device.
我们正在寻找的这种甜蜜的固件必须存储在某个地方。对于大多数智能设备来说,这将是一个闪存芯片。如果它存储在那里,则可以从那里读取它。事实上,这就是目标的 CPU 在启动时所做的事情!但是我们无法访问CPU,因此我们必须找到另一种方法,即直接与芯片连接或从PCB上拆焊闪存芯片并使用特殊设备将其读取出来。
Flash Sniffing/Controlling Through SPI/I2C/etc.
通过SPI/I2C等进行闪存嗅探/控制
Flash chips communicate with CPUs, MCUs, and SoCs using protocols like SPI. These protocols are standard, so we can use them too. When a device powers up, its CPU reads the flash memory, the perfect time for sniffing data using a logical analyzer. But here’s the catch: depending on your device, it can read just a portion of the firmware. So you might need to get a full control of the chip to read it out.
闪存芯片使用 SPI 等协议与 CPU、MCU 和 SoC 进行通信。这些协议是标准的,所以我们也可以使用它们。当设备通电时,其 CPU 会读取闪存,这是使用逻辑分析器嗅探数据的最佳时机。但这里有一个问题:根据您的设备,它只能读取固件的一部分。因此,您可能需要完全控制芯片才能将其读出。
Here’s a selection of posts going into a deep dive in that:
以下是一些深入探讨的帖子:
https://ivanorsolic.github.io/post/hardwarehacking1/
https://securityboulevard.com/2023/02/exploiting-embedded-apis-by-dumping-firmware/
https://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
https://www.nsideattacklogic.de/en/dumping-spi-flash-memory-of-embedded-devices-2/
Of source, a flash chip needs power to function. Without desoldering it and giving power to one leg of the chip, it might wake up the entire PCB, leading to a tug-of-war over the flash between you and the CPU. A workaround? Desolder the VCC leg — less work, but more potential to damage the chip. Another approach is to desolder the whole chip; it will also make it more comfortable to use it in a flash programmer.
当然,闪存芯片需要电源才能运行。如果不拆焊并为芯片的一条腿供电,它可能会唤醒整个 PCB,导致您和 CPU 之间的闪存拉锯战。解决方法?拆焊 VCC 支路 — 工作量更少,但损坏芯片的可能性更大。另一种方法是对整个芯片进行拆焊;它还将使在 Flash 编程器中使用它更加舒适。
Flash Chips in QFP, TSOP and Other Non-BGA Packages
采用QFP、TSOP和其他非BGA封装的闪存芯片
For a flash in a QFP (Quad Flat Package), the process involves carefully heating the solder to remove the chip without damaging the PCB or the chip itself. Once the chip is removed, you can read its contents using a flash programmer.
对于 QFP(四方扁平封装)中的闪存,该过程涉及小心加热焊料以移除芯片,而不会损坏 PCB 或芯片本身。取出芯片后,您可以使用闪存编程器读取其内容。
One of the tricks is to use an alloy with a low melting point. This technique involves applying a special alloy to the chip’s legs. This alloy mixes with the standard solder, reducing its overall melting point. It allows you to lift the chip off the board without turning the whole area into a miniature inferno.
诀窍之一是使用熔点低的合金。该技术涉及在芯片的支腿上涂上特殊合金。这种合金与标准焊料混合,降低其整体熔点。它允许您将芯片从电路板上抬起,而不会将整个区域变成微型地狱。
Some reading on dumping firmware with desoldering:
一些关于使用拆焊转储固件的阅读:
https://astrid.tech/2022/07/13/0/blink-mini-dumping/
https://fastcall.medium.com/dumping-firmware-from-a-router-5d7e819199fd
eMMC/SPI Flash in BGA Package
采用BGA封装的eMMC/SPI闪存
eMMC flash in BGA (Ball Grid Array) packages presents its own set of challenges. Desoldering a BGA package requires precision and skill, as the solder balls are underneath the chip, making it difficult to heat them evenly without damaging the chip or the board. After removal, a BGA socket adapter or a direct solder method on a flash reader is used to interface with the chip. This approach requires specialized equipment and a steady hand, but it’s a reliable way to access the firmware directly.
采用BGA(球栅阵列)封装的eMMC闪存面临着一系列挑战。拆焊 BGA 封装需要精度和技巧,因为焊球位于芯片下方,因此很难在不损坏芯片或电路板的情况下均匀加热它们。移除后,使用闪存读卡器上的BGA插座适配器或直接焊接方法与芯片连接。这种方法需要专门的设备和稳定的手,但它是直接访问固件的可靠方式。
Further reading if you’re brave enough to tackle BGA:
如果您有足够的勇气解决 BGA,请进一步阅读:
https://blog.quarkslab.com/flash-dumping-part-i.html
https://riverloopsecurity.com/blog/2020/03/hw-101-emmc/
UFS Flash in BGA Package
采用 BGA 封装的 UFS 闪存
This is even harder than the previous one. But if the previous case was hard for your hands, this will also be hard for your wallet. Thing is, UFS is a new, much faster protocol for flash memory. And that makes UFS flash programmers much more rare and much more expensive. I wouldn’t be surprised if somebody DIYs some crazy low-cost UFS programmer in their garage, but for now, we have what we have. Or maybe there’s a way to repurpose a USB stick with UFS flash chip on board into a makeshift flash reader?
这比前一个更难。但是,如果之前的情况对你的手来说很难,这对你的钱包来说也很难。问题是,UFS是一种新的、更快的闪存协议。这使得 UFS 闪存程序器更加稀有和昂贵。如果有人在他们的车库里DIY一些疯狂的低成本UFS程序员,我不会感到惊讶,但就目前而言,我们拥有我们所拥有的。或者,也许有一种方法可以将带有 UFS 闪存芯片的 U 盘重新用作临时闪存读卡器?
I don’t have personal experience with dumping UFS nor was I able to find a decent source for it, but here’s a link to a flash programmer that claims it supports UFS:
我没有转储 UFS 的个人经验,也无法找到像样的来源,但这里有一个指向声称它支持 UFS 的 Flash 程序员的链接:
https://evision-webshop.eu/dediprog/nuprog-e2-engineering-universal-programmer
Edge Cases 边缘案例
In some scenarios, manufacturers implement additional security measures like read-out protection, encryption of firmware at rest, or unique protection mechanisms. These measures require a more nuanced approach. Each of these edge cases requires a unique approach, often involving a combination of hardware and software reverse engineering skills to bypass these protections. But that’s the fun of it, right?
在某些情况下,制造商会实施额外的安全措施,例如读出保护、静态固件加密或独特的保护机制。这些措施需要采取更细致入微的方法。这些边缘情况中的每一个都需要一种独特的方法,通常涉及硬件和软件逆向工程技能的组合,以绕过这些保护。但这就是它的乐趣,对吧?
Image sources: 图片来源:
https://ethicalhacs.com/dvwa-command-injection/
https://www.darknet.org.uk/2016/03/bettercap-modular-portable-mitm-framework/
https://mcuoneclipse.com/2014/07/21/terminal-connection-to-the-riot-board/
https://hackaday.com/2016/12/15/the-many-faces-of-jtag/
https://jcjc-dev.com/2016/05/23/reversing-huawei-3-sniffing/
https://www.tarlogic.com/blog/hardware-hacking-chip-off-for-beginners/
https://www.eetimes.com/jedec-adds-ufs-card-spec/
原文始发于Path Cybersec [Slava Moskvin]:Extracting Firmware: Every Method Explained
相关文章
