Our next Embedded Device Exploitation class will be held on December 12th and 13th. Registration is open now!
Binwalk 0.4.5 is now available. This release includes a couple of bug fixes, including a (small) memory leak, and a signature parsing bug which prevented certain signatures from loading properly.
A new command line option has been added as well: --dd. This option tells Binwalk to automatically extract the embedded files it finds. For example, to extract all 'gzip' files and save them with the extension 'gz':
$ binwalk firmware.bin --dd=gzip:gz
To extract all gzip files but only the first JFFS2 entry:
$ binwalk firmware.bin --dd=gzip:gz --dd=jffs2:jffs2:1
To extract every file that Binwalk identifies, use the ‘all’ keyword:
$ binwalk firmware.bin --dd=all:dat
All string matches are case insensitive. Extracted files are named by their respective hexadecimal offsets in the original file, and each one contains all data from the offset where the signature was found to EOF; nothing trims the trailing data, so the extracted files will be larger than the embedded file itself (gzip, for instance, will warn about trailing garbage but still decompress the member).
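To make the --dd semantics concrete, here is a small carver, added for this post and not code from Binwalk itself, that implements the rule syntax described above (name:ext[:count], case-insensitive name, 'all' keyword) over a constructed 80-byte image. The signature table and the sample image are assumptions for the example, not Binwalk's signature database, and the lowercase hex file names are an assumption as well.

```python
import re

# Signature table for this example: constructed here, keyed by the lower-case
# name a --dd rule refers to. It is not binwalk's real signature database.
SIGNATURES = {
    "gzip": b"\x1f\x8b\x08",    # gzip member header (deflate method)
    "jffs2": b"\x85\x19",       # JFFS2 little-endian node magic (0x1985)
}

# Constructed 80-byte "firmware image": two gzip members and two JFFS2 nodes,
# each at a 16-byte aligned offset so the resulting file names are easy to check.
SAMPLE = (b"HDR" + b"\0" * 13                   # 0x00: filler header
          + b"\x1f\x8b\x08\x00" + b"A" * 12     # 0x10: gzip
          + b"\x85\x19\x20\x03" + b"B" * 12     # 0x20: jffs2
          + b"\x85\x19\x20\x03" + b"C" * 12     # 0x30: jffs2
          + b"\x1f\x8b\x08\x00" + b"D" * 12)    # 0x40: gzip


def parse_dd_rule(rule):
    """Parse 'name:ext[:count]'. Name is case-insensitive; a count of 0 (the
    default) means every match. Returns (name, ext, count)."""
    parts = rule.split(":")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError("expected name:ext[:count], got %r" % rule)
    count = int(parts[2]) if len(parts) == 3 else 0
    if count < 0:
        raise ValueError("count must not be negative")
    return parts[0].lower(), parts[1], count


def scan(blob):
    """Return (offset, name) for every signature hit, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES.items():
        hits += [(m.start(), name) for m in re.finditer(re.escape(magic), blob)]
    return sorted(hits)


def carve(blob, rules):
    """Apply --dd rules to blob. Returns {filename: bytes}, where the file name is
    the hit's hexadecimal offset plus the rule's extension and the contents run
    from that offset to EOF (no length is recovered from the format itself)."""
    parsed = [parse_dd_rule(r) for r in rules]
    written = [0] * len(parsed)          # files extracted so far, per rule
    out = {}
    for offset, name in scan(blob):
        for i, (rname, ext, count) in enumerate(parsed):
            if rname not in ("all", name):
                continue
            if count and written[i] >= count:
                continue
            written[i] += 1
            out["%x.%s" % (offset, ext)] = blob[offset:]
            break                        # first matching rule wins
    return out


if __name__ == "__main__":
    for fname, data in sorted(carve(SAMPLE, ["gzip:gz", "jffs2:jffs2:1"]).items()):
        print("%-10s %d bytes" % (fname, len(data)))
```

Running it with the rules from the second example above yields 10.gz, 20.jffs2 and 40.gz; the second JFFS2 node at 0x30 is skipped because of the :1 count, and every file runs to the end of the image.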
Get Binwalk 0.4.5 here.
If you’re going to be in Vegas for BlackHat/Defcon, be sure to check out Zach’s talk.
WNDR3700 Amazon Review
Working with embedded devices, I end up using TFTP quite a bit. While most operating systems offer TFTP clients, they tend to be a bit archaic and lack simple features that we hacker types might find useful. So of course, I rolled my own.
Tfcp is a TFTP client utility written in Python using the excellent tftpy module. Usage is simple and mimics that of scp:
Uploading the local file 'foo.txt' to '/tmp/bar' on the device:
$ tfcp ./foo.txt 192.168.1.1:/tmp/bar
Downloading ‘/tmp/bar’ to your current working directory:
$ tfcp 192.168.1.1:/tmp/bar .
There are two key features that I like about tfcp:
- It is non-interactive, which means it’s easily scriptable and all tfcp commands get stored in your command history
- It allows you to specify both the local and remote file names
Although these are simple, seemingly innocuous features, they are severely lacking in most TFTP client utilities, and as we’ll soon see, they can be key features when analyzing/exploiting embedded systems.
You can grab tfcp from the Google Code page; you’ll need to install tftpy first, either from source, or through apt-get (python-tftpy).
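What tfcp does under the hood is plain RFC 1350 TFTP: a read or write request, then 512-byte DATA blocks each answered by an ACK, with a short (or empty) final block ending the transfer. The following is an added example, not tfcp's or tftpy's code, that parses the scp-style arguments shown above and runs both sides of a transfer against an in-memory stand-in for the device's TFTP daemon, so it works offline. The FakeServer class, the file names and the returned tuple shapes are assumptions made for this example.

```python
import struct

# TFTP opcodes and block size from RFC 1350
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512

def parse_spec(spec):
    """Split a tfcp-style argument into (host, path); no colon means local."""
    if ":" in spec:
        host, path = spec.split(":", 1)
        return host, path
    return None, spec

def plan(src, dst):
    """Work out direction and both names from scp-like arguments.
    Returns (direction, host, remote_path, local_path)."""
    shost, spath = parse_spec(src)
    dhost, dpath = parse_spec(dst)
    if shost and not dhost:
        if dpath in (".", "./"):              # '.' keeps the remote basename
            dpath = spath.rstrip("/").rsplit("/", 1)[-1]
        return "get", shost, spath, dpath
    if dhost and not shost:
        return "put", dhost, dpath, spath
    raise ValueError("exactly one side must be host:path")

def request(op, filename, mode="octet"):
    return struct.pack("!H", op) + filename.encode() + b"\0" + mode.encode() + b"\0"

def data_pkt(block, payload):
    return struct.pack("!HH", DATA, block) + payload

def ack_pkt(block):
    return struct.pack("!HH", ACK, block)

def error_pkt(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"

def decode(pkt):
    """Decode one TFTP packet into a tuple starting with its opcode."""
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (RRQ, WRQ):
        name, mode = pkt[2:].split(b"\0")[:2]
        return op, name.decode(), mode.decode()
    if op in (DATA, ACK, ERROR):
        n = struct.unpack("!H", pkt[2:4])[0]
        if op == DATA:
            return op, n, pkt[4:]
        if op == ERROR:
            return op, n, pkt[4:].split(b"\0")[0].decode()
        return op, n
    raise ValueError("unknown opcode %d" % op)

class FakeServer:
    """In-memory stand-in for the device's TFTP daemon (constructed for this
    example). Like real TFTP it has no authentication: anyone who can reach
    the port can read or overwrite these files."""
    def __init__(self, files):
        self.files = files
        self.cur = None                       # file currently being transferred
    def handle(self, pkt):
        d = decode(pkt)
        if d[0] == RRQ:
            if d[1] not in self.files:
                return error_pkt(1, "File not found")
            self.cur = d[1]
            return data_pkt(1, self.files[d[1]][:BLOCK])
        if d[0] == WRQ:
            self.cur = d[1]
            self.files[d[1]] = b""
            return ack_pkt(0)
        if d[0] == DATA:                      # client is writing to us
            self.files[self.cur] += d[2]
            return ack_pkt(d[1])
        if d[0] == ACK:                       # client wants the next block
            start = d[1] * BLOCK
            if start > len(self.files[self.cur]):
                return None                   # ACK of the final block; done
            return data_pkt(d[1] + 1, self.files[self.cur][start:start + BLOCK])

def get(server, remote):
    """Read a remote file: RRQ, then DATA/ACK until a block shorter than 512."""
    out = b""
    pkt = server.handle(request(RRQ, remote))
    while True:
        d = decode(pkt)
        if d[0] == ERROR:
            raise IOError("TFTP error %d: %s" % (d[1], d[2]))
        _, block, payload = d
        out += payload
        pkt = server.handle(ack_pkt(block))   # final ACK gets no reply
        if len(payload) < BLOCK:
            return out

def put(server, remote, contents):
    """Write a remote file: WRQ, wait for ACK 0, then one DATA per ACK.
    A file that is a multiple of 512 bytes ends with an empty block."""
    d = decode(server.handle(request(WRQ, remote)))
    if d[0] == ERROR:
        raise IOError("TFTP error %d: %s" % (d[1], d[2]))
    block = 0
    while True:
        chunk = contents[block * BLOCK:(block + 1) * BLOCK]
        block += 1
        d = decode(server.handle(data_pkt(block, chunk)))
        if d != (ACK, block):
            raise IOError("unexpected reply %r" % (d,))
        if len(chunk) < BLOCK:
            return block                      # number of DATA blocks sent
```

The plan() function is what gives you the scp-like feel: both the local and the remote name come straight from the arguments, so a transfer is one line in your shell history. The rest shows why TFTP is so useful on embedded targets and so dangerous to leave listening: the whole protocol is a request followed by acknowledged 512-byte blocks, with no credentials anywhere in the exchange.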
New Embedded Device Exploitation class dates have just been announced: August 14th and 15th, 2012. Sign up now!
We’ve just added a forums section to the devttyS0 site! Feel free to post your questions, ideas, projects, or anything else related to hardware, firmware, or embedded systems in general.
In preparation for our Embedded Device Exploitation classes, I’ve just released my latest project, the Gumbi board:
New Gumbi boards, fresh off the press
The Gumbi board provides a flexible USB interface to the real world in the form of 64 digital I/O pins – all controllable from the comfort of your Python shell, allowing you to rapidly prototype and create new tools for interfacing with external devices.
Take flashbin for example, an open source flash programmer I’ve written for working with external parallel flash chips.
Although popular for firmware storage, parallel NOR flash chips are particularly difficult for hobbyists/hackers to work with because their interface typically requires 30 to 40 I/O pins (or more!). This tends to result in error-prone wiring that has to be re-wired whenever you need to interface with a different chip:
Using the Gumbi board however, everything can be defined (and re-defined) in software. Just plug the chip in, create a flashbin config file that defines the pin configuration for your target chip, and you’re ready to go:
A 4MB NOR flash chip connected to the Gumbi board via a ZIF socket adapter
Dumping firmware from the 4MB flash chip with flashbin
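To show what "defining the pin configuration in software" buys you, here is an added example, not flashbin's or the Gumbi board's own code, that performs the asynchronous read cycle of a parallel NOR chip (address lines out, CE# and OE# low, sample the data lines) against a simulated chip standing in for the board's I/O pins. The pin map format, pin numbers, the SimNorFlash model and the sample image are all assumptions for this example; flashbin's real config format may differ.

```python
# Pin map for a hypothetical 8-bit parallel NOR flash with 22 address lines
# (2^22 = 4MB). Values are I/O pin indices chosen for this example; this is
# not flashbin's real config format.
PINMAP = {
    "address": list(range(0, 22)),    # A0..A21 on I/O pins 0..21
    "data": list(range(22, 30)),      # D0..D7 on I/O pins 22..29
    "ce": 30,                         # chip enable, active low
    "oe": 31,                         # output enable, active low
    "we": 32,                         # write enable, active low (high for reads)
}

# Same chip with its data bus wired to the board in reverse order (D7 on pin 22):
# the fix is a new map, not new wiring.
ALT_PINMAP = dict(PINMAP, data=list(range(29, 21, -1)))

# Constructed 64-byte image; unprogrammed NOR cells read back as 0xFF.
SAMPLE_IMAGE = bytes([0xCA, 0xFE, 0xBA, 0xBE]) + bytes(range(60))


class SimNorFlash:
    """Bus-level model of a parallel NOR chip standing in for the board's I/O
    pins (constructed for this example). It drives the data pins only while
    CE# and OE# are low and WE# is high, returning the byte at the address
    currently on the address pins."""

    def __init__(self, contents, wiring):
        self.mem = contents
        self.wiring = wiring            # how the chip is physically wired
        self.levels = {}                # pin index -> logic level

    def set_pin(self, pin, level):
        self.levels[pin] = level

    def get_pin(self, pin):
        w = self.wiring
        if pin not in w["data"]:
            return self.levels.get(pin, 0)
        enabled = (self.levels.get(w["ce"], 1) == 0 and self.levels.get(w["oe"], 1) == 0
                   and self.levels.get(w["we"], 1) == 1)
        if not enabled:
            return 0                    # bus not driven (floating in hardware)
        addr = sum(self.levels.get(p, 0) << i for i, p in enumerate(w["address"]))
        byte = self.mem[addr] if addr < len(self.mem) else 0xFF
        return (byte >> w["data"].index(pin)) & 1


def read_byte(bus, pm, addr):
    """One asynchronous read cycle: address out, CE#/OE# low, sample D0..D7."""
    for i, pin in enumerate(pm["address"]):
        bus.set_pin(pin, (addr >> i) & 1)
    bus.set_pin(pm["we"], 1)
    bus.set_pin(pm["ce"], 0)
    bus.set_pin(pm["oe"], 0)
    value = sum(bus.get_pin(pin) << i for i, pin in enumerate(pm["data"]))
    bus.set_pin(pm["oe"], 1)
    bus.set_pin(pm["ce"], 1)
    return value


def dump(bus, pm, size):
    """Read `size` bytes starting at address 0 using pin map `pm`."""
    return bytes(read_byte(bus, pm, a) for a in range(size))


if __name__ == "__main__":
    chip = SimNorFlash(SAMPLE_IMAGE, PINMAP)
    print(dump(chip, PINMAP, 16).hex())
```

The same dump() routine reads a chip wired as ALT_PINMAP correctly as soon as it is handed that map, while reading it with the original map returns bit-reversed bytes; that mismatch is exactly the kind of silent corruption a mis-wired breadboard produces, and with a software pin map it is a one-line fix.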
Reaver Pro is now available in Hak5’s HakShop! Get ’em while they’re hot!
We just opened registration for our first embedded exploitation class on June 7th & 8th, 2012!
In addition to training, attendees will receive plenty of goodies to take home, including a customized virtual machine, hardware hacking tools, and more.
More details are available on the registration page. See you there!
As some of you are aware, we’ve been working on creating an embedded systems hacking course. We’ve been busy lately putting together a few invitation-only classes and have gotten some great feedback from our students.
The two day beginner’s course is designed to introduce students to hardware and firmware analysis, reverse engineering tools, and embedded vulnerability discovery and exploitation. It all culminates with students finding 0-days in an actual embedded system and popping some remote root shells!
The classes have been a blast, and will be open to public registration once we find a proper venue. Until then, here are a few pictures from our first ever class. Thanks to all the guinea pigs (students) that attended!
Discussing Hardware and Chip Identification
Demonstrating correct soldering technique while waving the soldering iron dangerously close to my face
Students soldering on UART headers
Students finding 0-days and popping shells
The open, unattended ATM machine at the coffee shop across the street