I was recently working on some uClinux-based devices and needed to disassemble some of the binaries in the firmware. Unfortunately, IDA doesn’t have a loader for the bFLT file format used by uClinux:
No bFLT Loader
Fortunately, I was able to find a bFLT loader over at rockbox.org. Unfortunately, this bFLT loader doesn’t process the relocation or global offset tables, which means that string and data cross-references aren’t properly resolved in the disassembled code:
Rockbox bFLT Loader
Fortunately, writing our own IDA loader (especially for a simple file format like bFLT) is pretty easy. Let’s start by taking a look at the layout of a bFLT file.
As some of you are aware, we’ve been working on creating an embedded systems hacking course. We’ve been busy lately putting together a few invitation-only classes and have gotten some great feedback from our students.
The two day beginner’s course is designed to introduce students to hardware and firmware analysis, reverse engineering tools, and embedded vulnerability discovery and exploitation. It all culminates with students finding 0-days in an actual embedded system and popping some remote root shells!
The classes have been a blast, and will be open to public registration once we find a proper venue. Until then, here are a few pictures from our first ever class. Thanks to all the guinea pigs students that attended!
Discussing Hardware and Chip Identification
Demonstrating correct soldering technique while waving the soldering iron dangerously close to my face
Students soldering on UART headers
Students finding 0-days and popping shells
The open, unattended ATM machine at the coffee shop across the street
Being able to emulate embedded applications in Qemu is incredibly useful, but not without pitfalls. Probably the most common issue that I’ve run into is binaries that try to read configuration data from NVRAM; since the binary is running in Qemu and not on the target device, there is obviously no NVRAM to read from.
Embedded applications typically interface with NVRAM through a shared library. The library in turn interfaces with the MTD partition that contains the device’s current configuration settings. Many programs will fail to run properly without the NVRAM configuration data, requiring us to intercept the NVRAM library calls and return valid data in order to properly execute the application in Qemu.
Here’s a Web server extracted from a firmware update image that refuses to start under Qemu:
It looks like httpd can’t start because it doesn’t know what IP address to bind to. The IP can’t be set via a command line argument, so it must be getting this data from somewhere else. Let’s fire up IDA and get cracking!
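One way to supply the missing configuration data, as an added example that is not from the original post: a small shared library that stands in for the device’s NVRAM library, returning values from a hard-coded table and logging every lookup so you learn which keys the binary actually wants. It is built for the target architecture and loaded ahead of the real library (for example via LD_PRELOAD under qemu user-mode); the function names `nvram_get`/`nvram_set` and the keys are assumptions, since each vendor’s library exports its own names.

```c
/* nvram_shim.c: stand-in for the device's NVRAM library when running under Qemu.
 * Build for the target, e.g.: mips-linux-gnu-gcc -shared -fPIC -o nvram_shim.so nvram_shim.c
 * The names nvram_get()/nvram_set() and the keys below are assumptions for this example. */
#include <stdio.h>
#include <string.h>

struct nvram_entry {
    const char *key;
    const char *value;
};

/* Constructed configuration table: the kind of values an httpd needs to bind. */
static const struct nvram_entry nvram_table[] = {
    { "lan_ipaddr",  "192.168.1.1" },
    { "lan_netmask", "255.255.255.0" },
    { "http_port",   "80" },
    { NULL, NULL }   /* terminator */
};

/* Return the value for key, or "" if we have no entry for it.
 * Each query is logged to stderr so missing keys can be added to the table. */
const char *nvram_get(const char *key)
{
    if (key == NULL)
        return NULL;

    for (const struct nvram_entry *e = nvram_table; e->key != NULL; e++) {
        if (strcmp(e->key, key) == 0) {
            fprintf(stderr, "[nvram_shim] get %s = \"%s\"\n", key, e->value);
            return e->value;
        }
    }

    /* Unknown key: return an empty string rather than NULL, since many
     * callers strcpy()/strlen() the result without checking it. */
    fprintf(stderr, "[nvram_shim] get %s = <unknown>\n", key);
    return "";
}

/* Writes are logged and discarded; nothing is persisted under emulation. */
int nvram_set(const char *key, const char *value)
{
    fprintf(stderr, "[nvram_shim] set %s = \"%s\" (ignored)\n",
            key ? key : "(null)", value ? value : "(null)");
    return 0;
}
```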