IoT Reverse Engineering Workshop: Attaching a GNU Debugger to a Live IoT System
The workshop will describe several ways to attach the GNU Debugger (GDB), using gdbserver, to a live IoT system in order to reverse engineer interesting processes.
It will start with an introduction to the steps needed to hack the device and gain access to a root shell, and will then focus on how to attach a GNU Debugger to a live system.
- Information gathering on hardware and software: identify the main device components, locate the UART and JTAG interfaces, get access to a system shell and download the firmware file or the EPROM content and the root file system
- Building a debugging-friendly emulation environment, able to compile gdbserver for the target IoT device and able to run IoT binaries, using QEMU with a root file system built with Buildroot
- Loading the gdbserver binary onto the IoT device using the easiest available approach (USB file system, temporary file system, NFS, firmware modification)
- Overcoming the issues related to possibly incompatible libraries between the live environment and the emulation environment used to build the gdbserver binary
- How to use gdb to reverse interesting processes and how to select interesting breakpoints
This workshop proposal has been inspired by my YouTube channel about Hardware Hacking (youtube.com/makemehack), where this topic has not been discussed yet. In the workshop I will use some parts of the router reverse engineering project documented in my GitHub repo https://github.com/digiampietro/hacking-gemtek.
The process described is based on:
- Fast introduction to how to access a root shell in the device:
  - Identify the main device components (CPU, Flash, SDRAM, other main components)
  - Locate the UART and JTAG interfaces with the help of hardware like JTAGulator and Bus Pirate and software like OpenOCD
  - Get the OS image file or firmware file, identify the system and extract the root file system using Linux commands and tools like strings, file, binwalk, dd, jefferson etc.
  - Identify the CPU, Flash, RAM, kernel version, C library, toolchain used etc.
  - Identify the Original Manufacturer and the Original Firmware Manufacturer
- Emulation environment using QEMU:
  - Select a QEMU board and CPU reasonably similar to the IoT device (same CPU, able to run the IoT binaries, similar kernel version, similar modules and libraries)
  - Select a tool to build a kernel and root file system reasonably similar to the IoT device: Buildroot
  - Buildroot and kernel configuration; generation of a root file system with binaries and libraries carrying debugging information
  - Discuss the two available approaches:
    - build a system with the same library versions as the IoT device, able to run unmodified IoT binaries
    - build a simplified system with different library versions but able to compile the gdbserver binary for the target IoT device
  - How to deal with issues related to possibly incompatible libraries between the live environment and the emulation environment used to build the gdbserver binary
- Analyze how the device works:
  - The firmware upgrade process
  - Discuss possibilities to “install” gdbserver on the target IoT device
  - Use gdb to reverse engineer the most interesting binaries on the IoT device itself
  - How to use gdb effectively (where to put breakpoints, how to automate)
  - CLI and web interface analysis
  - Main processes analysis
  - Finding vulnerabilities
  - Hack the firmware upgrade process
  - Replace the original firmware
  - Create a Firmware Modification Kit to simplify the firmware modification process, overcoming obstacles created by the firmware manufacturer
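As an added example, not part of the workshop material or of the hacking-gemtek repository, the following Python script shows two of the steps outlined above in working code: the identification step from the information-gathering list (CPU architecture, word size, byte order, MIPS ABI and C library, read from the ELF header and the PT_INTERP program header of a binary taken from the device) and the library-compatibility check from the emulation-environment list (comparing that binary with a gdbserver built in the emulation environment). The sample ELF bytes are constructed inside the script so it runs offline; the function names inspect_elf, check_compatibility and build_sample_elf are my own.

```python
import struct

ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
PT_INTERP = 3

# e_machine values from the ELF specification; enough for the usual IoT SoCs
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64",
            183: "AArch64", 243: "RISC-V"}

# MIPS-specific e_flags bits (MIPS ELF ABI supplement)
EF_MIPS_ABI_O32 = 0x00001000
EF_MIPS_ABI2 = 0x00000020            # n32
EF_MIPS_ARCH_MASK = 0xF0000000
MIPS_ARCH_NAMES = {0x10000000: "mips32", 0x70000000: "mips32r2",
                   0x60000000: "mips64", 0x80000000: "mips64r2"}


def guess_libc(interp):
    """Infer the C library family from the dynamic loader path in PT_INTERP."""
    if interp is None:
        return "static (no PT_INTERP)"
    if "uClibc" in interp:
        return "uClibc"
    if "musl" in interp:
        return "musl"
    if "ld-linux" in interp or interp.endswith("/ld.so.1"):
        return "glibc"
    return "unknown"


def inspect_elf(data):
    """Parse the ELF header and program headers of `data` (raw file bytes)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS32:
        ehdr_fmt, phdr_fmt = "16sHHIIIIIHHHHHH", "IIIIIIII"   # Elf32_Ehdr, Elf32_Phdr
    else:
        ehdr_fmt, phdr_fmt = "16sHHIQQQIHHHHHH", "IIQQQQQQ"   # Elf64_Ehdr, Elf64_Phdr
    (_, e_type, e_machine, _, _, e_phoff, _, e_flags,
     _, e_phentsize, e_phnum, _, _, _) = struct.unpack_from(end + ehdr_fmt, data, 0)

    interp = None
    for i in range(e_phnum):
        ph = struct.unpack_from(end + phdr_fmt, data, e_phoff + i * e_phentsize)
        # Elf32_Phdr: type, offset, vaddr, paddr, filesz, ...
        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
        p_type, p_offset, p_filesz = (ph[0], ph[1], ph[4]) if ei_class == ELFCLASS32 else (ph[0], ph[2], ph[5])
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].split(b"\x00", 1)[0].decode()

    info = {
        "class": 32 if ei_class == ELFCLASS32 else 64,
        "endian": "little" if ei_data == ELFDATA2LSB else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, "other(%d)" % e_type),
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "interp": interp,
        "libc": guess_libc(interp),
    }
    if e_machine == 8:   # MIPS: the ABI also decides whether a foreign binary can run
        info["mips_arch"] = MIPS_ARCH_NAMES.get(e_flags & EF_MIPS_ARCH_MASK, "other")
        if e_flags & EF_MIPS_ABI_O32:
            info["mips_abi"] = "o32"
        elif e_flags & EF_MIPS_ABI2:
            info["mips_abi"] = "n32"
        else:
            info["mips_abi"] = "n64/other"
    return info


def check_compatibility(device, gdbserver):
    """Return the properties on which a gdbserver build differs from a binary
    taken from the device; an empty list means it should load there."""
    keys = ("class", "endian", "machine", "mips_arch", "mips_abi", "libc")
    return ["%s: device=%s gdbserver=%s" % (k, device.get(k), gdbserver.get(k))
            for k in keys if device.get(k) != gdbserver.get(k)]


def build_sample_elf(interp=b"/lib/ld-uClibc.so.0", big_endian=True):
    """Constructed sample (not a real firmware file): a 32-bit MIPS32r2 o32
    executable whose only program header is PT_INTERP, just enough of an ELF
    for inspect_elf() to work on offline."""
    end = ">" if big_endian else "<"
    interp += b"\x00"
    phoff = 52                       # program header table right after Elf32_Ehdr
    interp_off = phoff + 32          # interp string right after the single Elf32_Phdr
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2MSB if big_endian else ELFDATA2LSB, 1, 0, 0]) + b"\x00" * 7
    e_flags = 0x70000000 | EF_MIPS_ABI_O32 | 0x5    # mips32r2, o32, NOREORDER|CPIC
    ehdr = struct.pack(end + "16sHHIIIIIHHHHHH", e_ident, 2, 8, 1, 0x400000, phoff, 0,
                       e_flags, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack(end + "IIIIIIII", PT_INTERP, interp_off, 0x400000 + interp_off,
                       0x400000 + interp_off, len(interp), len(interp), 4, 1)
    return ehdr + phdr + interp


if __name__ == "__main__":
    device_bin = inspect_elf(build_sample_elf())                           # as found on the router
    gdbserver_bin = inspect_elf(build_sample_elf(interp=b"/lib/ld.so.1"))  # glibc build from the emulator
    for k, v in device_bin.items():
        print("%-10s %s" % (k, v))
    for problem in check_compatibility(device_bin, gdbserver_bin):
        print("MISMATCH", problem)
```

On real files, call inspect_elf(open(path, "rb").read()) on a binary pulled from the device and on the gdbserver produced by the Buildroot toolchain. A reported libc mismatch (for instance a uClibc device and a glibc gdbserver) is the usual reason the freshly built gdbserver refuses to start on the device, and it points at the choice between the two Buildroot approaches listed above; an assumption of mine that goes beyond the outline is that linking gdbserver statically is the quickest way around it when the exact library versions cannot be reproduced.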
About the Speaker
Valerio Di Giampietro is a distinguished IT Infrastructure Manager and Cloud Solution Architect renowned for his extensive technical expertise and experience across diverse domains within IT infrastructures, with a profound proficiency spanning Cloud Infrastructures, Kubernetes, Linux, VMware, Open Source technologies, Oracle, MySQL, LAN/WAN networking, Storage Area Networking, IoT, and embedded systems. Valerio’s fervor for Linux ignited from its inception, his initiation being the installation of Linux on his modest 486 PC, equipped with a mere 4 MB of RAM, back in 1993. Just a year later, in 1994, he managed a Linux-based Fidonet BBS, and by 1999 he was pioneering the introduction of Linux within his workplace. An inquisitive mind at heart, Valerio’s fascination with understanding the inner workings of devices.