Writing a bFLT Loader for IDA

I was recently working on some uClinux-based devices and needed to disassemble some of the binaries in the firmware. Unfortunately, IDA doesn’t have a loader for the bFLT file format used by uClinux:

No bFLT Loader

Fortunately, I was able to find a bFLT loader over at rockbox.org. Unfortunately, this bFLT loader doesn't process the relocation or global offset tables, which means that string and data cross-references aren't properly resolved in the disassembled code:

Rockbox bFLT Loader

Fortunately, writing our own IDA loader (especially for a simple file format like bFLT) is pretty easy. Let’s start by taking a look at the layout of a bFLT file.
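The two things the rockbox loader skips, the relocation table and the GOT, are the part of the bFLT layout that matters most for cross-references, so here is the parse-and-fix-up work a loader has to do, as an added example that is not the rockbox loader, IDA code, or code from this post. It assumes the uClinux rev-4 flat format from flat.h (64-byte big-endian header, text immediately after it, then data, then a table of big-endian 32-bit relocation offsets), a big-endian target for the in-image words, and runs on a constructed 104-byte sample image rather than any real firmware; the load base 0x10000000 is an arbitrary choice.

```c
/* Added example (not the rockbox loader, not IDA's or the blog's code): the
 * parsing and fix-up work a bFLT loader has to do, run on a constructed
 * sample image. Assumes the uClinux rev-4 flat format (flat.h): 64-byte
 * big-endian header, text right after it, then data, then reloc_count
 * big-endian 32-bit relocation offsets. Each offset names a word, relative to
 * the start of text, whose value is itself text-relative and needs the load
 * base added. With FLAT_FLAG_GOTPIC the words at the start of data, up to a
 * 0xffffffff terminator, get the same treatment. In-image words are in the
 * target's byte order; a big-endian target is assumed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BFLT_HDR_SIZE    64
#define FLAT_FLAG_GOTPIC 0x2

struct bflt_hdr {
    uint32_t rev, entry, data_start, data_end, bss_end, stack_size;
    uint32_t reloc_start, reloc_count, flags, build_date;   /* filler[5] ignored */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Fill h from the header; -1 on short input, bad magic or unsupported revision. */
int bflt_parse_header(const uint8_t *buf, size_t len, struct bflt_hdr *h) {
    if (len < BFLT_HDR_SIZE || memcmp(buf, "bFLT", 4) != 0) return -1;
    h->rev         = be32(buf + 4);
    h->entry       = be32(buf + 8);    /* file offset of first instruction, normally 0x40 */
    h->data_start  = be32(buf + 12);   /* file offset where data begins (text ends) */
    h->data_end    = be32(buf + 16);
    h->bss_end     = be32(buf + 20);
    h->stack_size  = be32(buf + 24);
    h->reloc_start = be32(buf + 28);
    h->reloc_count = be32(buf + 32);
    h->flags       = be32(buf + 36);
    h->build_date  = be32(buf + 40);
    return h->rev == 4 ? 0 : -1;
}

/* Copy text+data into image and apply the relocation table and GOT as if the
 * file were loaded contiguously at base (one way an IDA loader can map it).
 * Returns the number of words patched, or -1 on an out-of-range offset. */
int bflt_relocate(const uint8_t *file, size_t len, const struct bflt_hdr *h,
                  uint32_t base, uint8_t *image, size_t image_cap) {
    if (h->data_start < BFLT_HDR_SIZE || h->data_end < h->data_start || h->data_end > len) return -1;
    size_t text_len  = h->data_start - BFLT_HDR_SIZE;
    size_t image_len = h->data_end - BFLT_HDR_SIZE;
    if (image_len > image_cap) return -1;
    if ((uint64_t)h->reloc_start + (uint64_t)h->reloc_count * 4 > len) return -1;
    memcpy(image, file + BFLT_HDR_SIZE, image_len);
    int patched = 0;
    for (uint32_t i = 0; i < h->reloc_count; i++) {
        uint32_t r = be32(file + h->reloc_start + 4 * i);   /* text-relative offset of the word to fix */
        if ((uint64_t)r + 4 > image_len) return -1;          /* reject a record pointing outside text+data */
        put_be32(image + r, base + be32(image + r));
        patched++;
    }
    if (h->flags & FLAT_FLAG_GOTPIC) {
        for (size_t off = text_len; off + 4 <= image_len; off += 4) {
            uint32_t v = be32(image + off);
            if (v == 0xffffffffu) break;                                /* GOT terminator */
            if (v) { put_be32(image + off, base + v); patched++; }     /* zero entries stay zero */
        }
    }
    return patched;
}

/* Constructed sample: 16 bytes of text, 16 bytes of data (a 3-word GOT plus
 * one data pointer) and two relocation records. Not from any real firmware. */
#define BE(x) (uint8_t)((x) >> 24), (uint8_t)((x) >> 16), (uint8_t)((x) >> 8), (uint8_t)(x)
const uint8_t sample_bflt[] = {
    'b', 'F', 'L', 'T', BE(4), BE(0x40), BE(0x50), BE(0x60), BE(0x70), BE(0x1000),
    BE(0x60), BE(2), BE(FLAT_FLAG_GOTPIC), BE(0), BE(0), BE(0), BE(0), BE(0), BE(0),
    BE(0), BE(0x14), BE(0), BE(0),              /* text: word at +4 holds text-relative 0x14 (data +4) */
    BE(0x8), BE(0), BE(0xffffffffu), BE(0x4),   /* data: GOT {text+8, 0, end}, then a pointer to text+4 */
    BE(0x4), BE(0x1c),                          /* reloc table: fix the words at text+4 and text+0x1c */
};
const size_t sample_bflt_len = sizeof sample_bflt;

int main(void) {
    struct bflt_hdr h;
    uint8_t image[64];
    if (bflt_parse_header(sample_bflt, sample_bflt_len, &h) < 0) return 1;
    int n = bflt_relocate(sample_bflt, sample_bflt_len, &h, 0x10000000u, image, sizeof image);
    printf("entry=0x%x text=%u data=%u relocs=%u patched=%d\n", h.entry,
           h.data_start - BFLT_HDR_SIZE, h.data_end - h.data_start, h.reloc_count, n);
    return n < 0;
}
```

Every word the table names ends up holding base plus its original text-relative value, which is exactly what turns the dangling constants in a disassembly into string and data cross-references; for a little-endian target the two in-image accessors would read and write native byte order while the header and relocation table stay big-endian.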

Continue reading

School is in Session!

As some of you are aware, we’ve been working on creating an embedded systems hacking course. We’ve been busy lately putting together a few invitation-only classes and have gotten some great feedback from our students.

The two day beginner’s course is designed to introduce students to hardware and firmware analysis, reverse engineering tools, and embedded vulnerability discovery and exploitation. It all culminates with students finding 0-days in an actual embedded system and popping some remote root shells!

The classes have been a blast, and will be open to public registration once we find a proper venue. Until then, here are a few pictures from our first ever class. Thanks to all the guinea pig students that attended!

Discussing Hardware and Chip Identification

Demonstrating correct soldering technique while waving the soldering iron dangerously close to my face

Students soldering on UART headers

Students finding 0-days and popping shells

The aftermath

The open, unattended ATM machine at the coffee shop across the street

Emulating NVRAM in Qemu

Being able to emulate embedded applications in Qemu is incredibly useful, but not without pitfalls. Probably the most common issue that I've run into is binaries that try to read configuration data from NVRAM; since the binary is running in Qemu and not on the target device, there is obviously no NVRAM to read from.

Embedded applications typically interface with NVRAM through a shared library. The library in turn interfaces with the MTD partition that contains the device’s current configuration settings. Many programs will fail to run properly without the NVRAM configuration data, requiring us to intercept the NVRAM library calls and return valid data in order to properly execute the application in Qemu.

Here’s a Web server extracted from a firmware update image that refuses to start under Qemu:

It looks like httpd can’t start because it doesn’t know what IP address to bind to. The IP can’t be set via a command line argument, so it must be getting this data from somewhere else. Let’s fire up IDA and get cracking!
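The interception described above, as an added example that is not the blog's or any vendor's code: a stand-in NVRAM library that answers the application's queries from a plain key=value file instead of the MTD partition, and logs every lookup so the settings the binary actually needs (for httpd, presumably the address it binds to) show up on stderr. The exported names nvram_get/nvram_set/nvram_unset/nvram_commit, the NVRAM_FILE environment variable and the key lan_ipaddr are assumptions about the target library, and the embedded config is a constructed sample.

```c
/* Added example (not the blog's or any vendor's code): an in-memory stand-in
 * for an embedded NVRAM library. Built as a shared object and loaded with
 * LD_PRELOAD under qemu-user, it serves nvram_get()/nvram_set() from a
 * key=value text file rather than an MTD partition, and logs each lookup so
 * the settings a binary depends on can be discovered and filled in.
 * Function names, the NVRAM_FILE variable and the keys are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NVRAM_MAX_ENTRIES 256
#define NVRAM_MAX_LINE    512

struct nvram_entry { char *key; char *value; };
static struct nvram_entry nv_table[NVRAM_MAX_ENTRIES];
static size_t nv_count;
static int nv_loaded;

/* Constructed sample config; a real one would be dumped from the device. */
static const char sample_config[] =
    "# constructed sample, not a real device dump\n"
    "lan_ipaddr=192.168.1.1\n"
    "http_port=80\n";

static char *nv_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

static int nv_find(const char *key) {
    for (size_t i = 0; i < nv_count; i++)
        if (strcmp(nv_table[i].key, key) == 0) return (int)i;
    return -1;
}

/* Store or overwrite one entry. 0 on success, -1 if the table is full. */
int nvram_set(const char *key, const char *value) {
    int i = nv_find(key);
    if (i >= 0) { free(nv_table[i].value); nv_table[i].value = nv_strdup(value); return 0; }
    if (nv_count >= NVRAM_MAX_ENTRIES) return -1;
    nv_table[nv_count].key = nv_strdup(key);
    nv_table[nv_count].value = nv_strdup(value);
    nv_count++;
    return 0;
}

/* Parse "key=value" lines; blank lines and '#' comments are skipped.
 * Returns the number of entries stored, or -1 on a malformed line. */
int nvram_load_text(const char *text) {
    char line[NVRAM_MAX_LINE];
    int stored = 0;
    nv_loaded = 1;
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n >= sizeof line) return -1;
        memcpy(line, text, n); line[n] = '\0';
        text += n + (text[n] == '\n');
        if (line[0] == '\0' || line[0] == '#') continue;
        char *eq = strchr(line, '=');
        if (!eq || eq == line) return -1;   /* no '=' or empty key */
        *eq = '\0';
        if (nvram_set(line, eq + 1) < 0) return -1;
        stored++;
    }
    return stored;
}

/* Lazy init on first lookup: read $NVRAM_FILE if set and readable, else fall
 * back to the built-in sample so the shim still works without any setup. */
static void nv_init(void) {
    static char buf[NVRAM_MAX_ENTRIES * NVRAM_MAX_LINE];
    if (nv_loaded) return;
    nv_loaded = 1;
    const char *path = getenv("NVRAM_FILE");
    FILE *f = path ? fopen(path, "r") : NULL;
    if (!f) { nvram_load_text(sample_config); return; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    nvram_load_text(buf);
}

/* Vendor-style getter: pointer into the table, or NULL when unknown.
 * Every lookup is logged; "(unset)" lines tell you what to add to the file. */
char *nvram_get(const char *key) {
    nv_init();
    int i = nv_find(key);
    if (i < 0) { fprintf(stderr, "[nvram-shim] get(%s) -> (unset)\n", key); return NULL; }
    fprintf(stderr, "[nvram-shim] get(%s) -> %s\n", key, nv_table[i].value);
    return nv_table[i].value;
}

int nvram_unset(const char *key) {
    nv_init();
    int i = nv_find(key);
    if (i < 0) return -1;
    free(nv_table[i].key); free(nv_table[i].value);
    nv_table[i] = nv_table[--nv_count];   /* order is not significant; swap in the last entry */
    return 0;
}

/* There is no flash to write back to; just report the call. */
int nvram_commit(void) { fprintf(stderr, "[nvram-shim] commit (no-op)\n"); return 0; }

int main(void) {
    const char *ip = nvram_get("lan_ipaddr");
    printf("lan_ipaddr=%s\n", ip ? ip : "(unset)");
    return 0;
}
```

The shim has to be built with the target's cross toolchain (for an ARM device something like `arm-linux-gnueabi-gcc -shared -fPIC -o libnvram-shim.so nvram_shim.c`) and dropped into the extracted root filesystem, then run as, for example, `qemu-arm -L <rootfs> -E LD_PRELOAD=/libnvram-shim.so -E NVRAM_FILE=/nvram.txt <rootfs>/usr/sbin/httpd`; because the preloaded object is searched first, its symbols win over the firmware's own libnvram. Check the binary's dynamic symbol table first (`readelf --dyn-syms` on the target ELF) so the shim exports the names the program actually imports, and treat the "(unset)" log lines as the to-do list for the config file.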

Continue reading