Binwalk 0.4.5 Release

Binwalk 0.4.5 is now available. This release includes a couple of bug fixes, including a (small) memory leak, and a signature parsing bug which prevented certain signatures from loading properly.

A new command line option has been added as well: –dd. This feature instructs Binwalk to extract embedded files that it finds automatically. For example, to extract all ‘gzip’ files and save them with the extension ‘gz’:

$ binwalk firmware.bin --dd=gzip:gz

To extract all gzip files but only the first JFFS2 entry:

$ binwalk firmware.bin --dd=gzip:gz --dd=jffs2:jffs2:1

To extract every file that Binwalk identifies, use the ‘all’ keyword:

$ binwalk firmware.bin --dd=all:dat

All string matches are case insensitive. Extracted files are named by their respective hexadecimal offsets in the original file. The extracted files will contain all data from the offset where the signature was found to EOF.

Get Binwalk 0.4.5 here.

A Better Way to TFTP

Working with embedded devices, I end up using TFTP quite a bit. While most operating systems offer TFTP clients, they tend to be a bit archaic and lack simple features that we hacker types might find useful. So of course, I rolled my own.

Tfcp is a TFTP client utility written in Python using the excellent tftpy module. Usage is simple and mimics that of scp:

Uploading file ‘foo’ to ‘/tmp/bar’:

$ tfcp ./foo.txt

Downloading ‘/tmp/bar’ to your current working directory:

$ tfcp .

There are two key features that I like about tfcp:

  1. It is non-interactive, which means it’s easily scriptable and all tfcp commands get stored in your command history
  2. It allows you to specify both the local and remote file names

Although these are simple, seemingly innocuous features, they are severely lacking in most TFTP client utilities, and as we’ll soon see, they can be key features when analyzing/exploiting embedded systems.

You can grab tfcp from the Google Code page; you’ll need to install tftpy first, either from source, or through apt-get (python-tftpy).

Hardware Hacking With Python

In preparation for our Embedded Device Exploitation classes, I’ve just released my latest project, the Gumbi board:

New Gumbi boards, fresh off the press

The Gumbi board provides a flexible USB interface to the real world in the form of 64 digital I/O pins – all controllable from the comfort of your Python shell, allowing you to rapidly prototype and create new tools for interfacing with external devices.

Take flashbin for example, an open source flash programmer I’ve written for working with external parallel flash chips.

Although popular for firmware storage, parallel NOR flash chips are particularly difficult for hobbyists/hackers to work with because their interface typically requires 30 to 40 I/O pins (or more!). This tends to result in error-prone wiring that has to be re-wired whenever you need to interface with a different chip:

Using the Gumbi board however, everything can be defined (and re-defined) in software. Just plug the chip in, create a flashbin config file that defines the pin configuration for your target chip, and you’re ready to go:

A 4MB NOR flash chip connected to the Gumbi board via a ZIF socket adapter

Dumping firmware from the 4MB flash chip with flashbin

Continue reading

School is in Session!

As some of you are aware, we’ve been working on creating an embedded systems hacking course. We’ve been busy lately putting together a few invitation-only classes and have gotten some great feedback from our students.

The two day beginner’s course is designed to introduce students to hardware and firmware analysis, reverse engineering tools, and embedded vulnerability discovery and exploitation. It all culminates with students finding 0-days in an actual embedded system and popping some remote root shells!

The classes have been a blast, and will be open to public registration once we find a proper venue. Until then, here’s a few pictures from our first ever class. Thanks to all the guinea pigs students that attended!

Discussing Hardware and Chip Identification

Demonstrating correct soldering technique while waving the soldering iron dangerously close to my face

Students soldering on UART headers

Students finding 0-days and popping shells

The aftermath

The open, unattended ATM machine at the coffee shop across the street