Bare-metal ARM firmware reverse engineering with Ghidra and SVD-Loader
Vložit
- čas přidán 26. 02. 2020
- In this video we look at reverse engineering a bare metal ARM firmware using Ghidra and SVD-Loader!
- SVD-Loader: github.com/leveldown-security...
- Crackmes from the video: github.com/ghidraninja/arm-ba...
- SVD Files: github.com/posborne/cmsis-svd...
Chip details:
- STM32F446RE: www.st.com/en/microcontroller...
- Datasheet: www.st.com/resource/en/datash...
- Reference manual: www.st.com/content/ccc/resour...
- Nucleo-F446RE: www.st.com/en/evaluation-tool...
More resources:
- Pull-Ups & Pull-Downs: • Electronics 201: Pull-...
- STM32 GPIOs: • HAL: #1 How to - GPIO - Věda a technologie
The signal-to-noise ratio of your channel is off the charts! Congrats - keep it up.
As a mostly embedded programmer this is great, much easier to follow when there's no complicated OS to worry about.
also an embedded programmer here just wanted to say c is unreplaceable
@@asafcohen3562 i have no idea and 0 experience in C nor embedded programming however I am interested as to why C is irreplaceable when it comes to embedded programming
As a beginner in coding this really helps me understand what I’m learning so much better.
@@BRUHItsABunny c is basically the only option if you want to do effective embedded programming
@@asafcohen3562 Id say rust is another great rising option too right now.
I've legit been looking for so long for content creators who just explain such things in detail without all the bs
Thanks :)
@@stacksmashing though it did take off very fast at the middle ahaha
Great video! Would love to see some more embedded FW reverse engineering like this :D
One thing I'd suggest with regards to memory mapping is to clear the write flag in the flash regions. That way Ghidra automatically dereferences constants and show strings as quoted strings rather than a pointer to a string. Do keep in mind it also removes what it considers to be extraneous reads and writes and unreachable code based on constants, so if there's some configurable options in the firmware, it may remove code from the decompilation for other options that it sees as unreachable.
great editing its cool that you dont pass on the technical aspects and not just the theoretical concepts
Excellent upload timing, my STM32 blue pill arrived but a couple days ago. Keep up the good work!
I am really impressed and grateful. This was the most useful jump start I've gotten.
Excellent thanks for writing the SVD loader script. This video popped into my feed and ironically I am just waiting on some details of cortex M3 project which may require some reversing (although hopefully not from a work POV).
I just started to reverse some code for STM32F2 and you just make my life easier, ty
Thank you sir. As a beginner in reverse engineering that's starting with a bare metal firmware, this video is very helpful. Please do more
Would just like to say, your videos inspired me to have a go at reverse engineering something, so I grabbed a Cisco 2501 router off ebay (because its got a Motorola 68030 in it), and used Ghidra to explore the boot ROMs (was amazed that it supported the m68k architecture!), figured out the memory map, and managed to get FreeRTOS running on it after creating a m68k port for it. :-)
Love your channel!
That’s awesome to hear! And sounds like a super interesting project - you should do a write up! :)
@@stacksmashing Ive put notes of what I have found so far up on github, including my FreeRTOS port. I dont know if I can post links here (sometimes works, sometimes doesnt), but you can find it by searching users for my name as one word (the one that doesnt end in sn).
Theres more I would like to find out about it, including a couple more registers within two proprietary chips, but its a monumental task!
Now I ask myself why I didn't know this channel before. Great work!
These videos are an absolute goldmine. Incredible work
Outstanding! Thanks for continuing to share your dedicated work
Thank you mate your videos are the greatest in this field.
Very good information. This is the exact microcontroller we used in our embedded systems courses in university!
IOT reversing from Ghidra Ninja? I absolutely love it!! 😍
Please do more of this, it's fantastic!
I watched a video and subscribed right away! Amazing content 😊
Great Channel man. You explain so well.
Good Job.
I don't have this device nor do RE for a living. But damn this is getting me close to trying this out. Always found integrated boards and chipsets fascinating
16 Bucks, Amazon or else where. Search for "NUCLEO stm32f446re". Use Ghidra Ninja's links in the description to ST-Microelectronics to get an overview for this bugger or discover many more different types. These are great to begin with. What are you waiting for? :))
Great video, keep them coming, thnx!
Quality content, as always.
it's 2023 and again im coming back to this video! epic!
some advice for memory map:
Set 'flash' and 'flash_mirror' sections as non-writable (only read 'R' and executable 'X'). This may fix a lot of decompiler wierdness.
Very impressive and educational, thanks!
interesting topic and really well made video!
Great thanks for creating the video
Top quality explanation and skills
Love this explanation vid!
Bless the day i discovered this channel
This is an absolute amazing video!!!!
super video.. danke dir
I swear. You give better lectures than all my CA teachers together!
Thank you for sharing this❤
Excellent tutorial
GREAT JOB!!!
Please keep sharing RE videos
Ill be back for this stuff..
thank you!
Nice Video, thanks:)
Be careful with the 5V. Not all pins are tolerant. See "FT" specification in data-sheet, Table 9 for this MCU (Depends on the series). To avoid this: There is 3.3V right next to the 5V supply pin on the NUCLEO. Up to 112 5 V-tolerant I/Os on max 114 I/O for the LQFP144 part. So the chances are good to not release the magic smoke:)
Yours is a LQFP64, so better look that up folks. At all, don't rely on chance. It's a 3.3V part and best practice is to treat it like one. While experimenting, only use the 5V-tolerance functionality if absolutely necessary. This protects against nasty surprises
If you watch closely you'll see that I used the pin NEXT to the 5V pin, which is 3.3V 😉
@@stacksmashing Good boy;)
Thank you :)
Nice info, thanks :)
I can't wait for next wannacry inverse engineering
Omg this video brings up memories, I used ARM to build a robot. And oh boy, it's mind consuming to read the datasheet -.-
but you are a better programer for it.
This is the best tutorial of reverse engineering embedded systems with ghidra I've seen so far. Some days ago I wanted to RE an STM board but didn't know how to proceed. Could you please do something like this with the nRF51 or nRF52 processors?
Unfortunately, most Nordic nRF-series micros are built on top of their Softdevice middleware, which, while technically not an OS, is pretty close to being one. It's also notoriously bad and can obfuscate alot of behaviours. The whole experience can be summarized as one colleague put it: "you don't own the chip, you rent it". I think it would be a huge challenge to reverse-engineer. I've done 15 years of bare metal development and that chip was one of the biggest pain-in-the-ass I ever experienced.
@@Kotesu Yeah I somewhat got it to work and managed to seperate the parts of the firmware (softdevice, app, etc.), but ghidra still has some control flow detection issues on arm, which makes everything complicated. It really is a PITA
Hi thanks for this awesome video, do you know any other device on which we can improve our knowledges, like a device where you need to extract the firmware with jtag ?
Really enjoy your videos :D
Thank you for this very informative video. Would it also be possible with Ghidra to sniff out the binary that has already been loaded into the flash? We only know the MCU part number and are hooked into the JTAG/SWD port and nothing else. If you get time could you also please make a video on it. Thank you.
Incredible!
Reverse engineering bare-metal code sounds difficult, but it's actually easier since you can find pretty much every address and function you need in the datasheet for the processor!
omg man.. please do tutorial series and teach us how to use Ghidra :)
top quality. i was wondering about custom ARM ASIC without datasheet. how to guess base adress ? Now days they are everywhere they enable to reduce PCB size & cost & make reverse-engenring harder. ARM ASIC includes custom IP modules inside the SOC.
nice. good talk.
Nice explanation, I'm surprised at how fast you were able to go through that in Ghidra, it still takes me quite a while to create names and clean up decompiled output. Seems like a good goal.
Great video really very helpful and short. Can you please tell me why did you set RAM memory block with start addr at 20000000 (one additional 0) and end at 2007FFFF if in the datasheet it starts from 2000000 and ends at 2001FFFF (128kB of sram).
Im subscribed to this channel cz the dragon looks cool
Thanks for the video! Curious, but how did you get the baremetal firmware (example.bin)?
I wrote the firmware in C
The fact that STM calls their mode register MODER in their docs which loosely translates to mold in german, always cracks me up.
I'm sorry but how did you figure out the SRAM lenght to that you put in the memory map? The SRAM blocks on the MCU I'm trying go from 0x20000000 to 0x40000000, also at the start of the Memory section in the datasheet says the chip has 256 kB RAM, so do I just put 0x40000 or could that be a different length since there are separate RAM and SRAM blocks and I see you are putting the SRAM's starting address
how did you get the display out that prints the crackme messages? the cable connected is a usb cable to power the microcontroller, right?
It's a serial terminal, the USB cable provides power and also a virtual serial port (and also access to the integrated ST-Link programmer)
Hey, in 5:22 you mentioned a video about determining whether an binary image is big/little endian... Can you link it? Couldn't find it on your channel..
Good video! Is there a way to identify the microcontroller without opening a device? I have a device with an ARM v7 but I would like to know the exact version
I actually wrote a script to identify microcontrollers: github.com/nezza/chipfinder :)
@@stacksmashing I get three errors when running it against my .bin file: line 87, in
for line in f.readlines(): second error: line 23, in decode
return codecs.charmap_decode(input,self.errors,decoding_table)[0] and third: UnicodeDecodeError: 'charmap' codec can't decode byte 0x8f in position 13: character maps to Any suggestions?
Would a reasonable way to be able to tell the endianness just be trial and error?
as a beginner in RE, where should I start if I want to learn? I have a cyber security background, just not an RE background
is it possible to flash a customized board firmware?
I've always thought that a computer was defined by both hardware AND an operating system. For a bare metal, does the application assume the role of operating system, how does the hardware "communicate" with the app ? Thanks
The app has to do everything an OS does, just that you don't write code for what you don't need. The app can do everything an os does, if you write it, but most bare metal code tends to be simpler.
Hi, sorry for my English, isn't my first language. This video is a tutorial about STM32. The same process could be abblied for a bin file writed for GD32F305 chip?
Your english is great!
A similar process can be applied to the GD32F305! You can find a GD32F3x0.svd file online
@@stacksmashing Thank you for quickly answer, and obivesly for your kindness
@@stacksmashing Hello we are working together with Riccardo in trying to make some custom stm32 firmware to work with gd32, but it's a GD32F3xx and not GD32F3x0, do you think it's ok ? thanks in advance
@@stacksmashingI understand it's a bit of a risky question....but wouldn't you be kind enough to give us a hand if we pass you the.bin file?
Please on your previous video on creating back door to a camera. I am having issue using the mkimage. It is not working for me. Is it not part of tools in Kali? Do I need to install it. I am not getting direct link on how to go about it. Can you help please?
I don't know if it's part of Kali, but on Ubuntu it's part of the "u-boot-tools" package
Just use firmware mod toolkit. It's easier that way. Btw. @GhidraNinja, you might wanna try firmware-mod-toolkit too. It's got sources for all versions of squash fs (even industrial versions).
Edit: I mean squash fs tools.
@resync cyberwatch. Thank you
I will search for it and try it. Many thanks
Coming from the Bare-Metal world, I often wonder how OSes actually do their thing on microcontrollers, and how to develop for them.
And how do you get the binary from a flashed device?
Pls show how to include SVD scripts in ghidra environment I tried hard but can't find SVD scripts in script manager pls help
When I do it with a firmware I'm trying to RE, the disassemble of the reset vector says "/* WARNING: Control flow encountered bad instruction data */" and calls the function "void UndefinedFunction_08032ad6(undefined4 param_1,undefined4 param_2,undefined2 param_3)"... Any pointers?
What's happen between 6:59 and 7:00? The disassembled has been changed but dont understand how...
Thanks! Any hints from you how to reverse engineer BOSH BHI160 sensor firmware? www.bosch-sensortec.com/products/smart-sensors/bhi160-firmware/ I believe they may use Zephyr. In any case `binwalk` kept silent, Ghidra doesn't help much seems...
Tip: leave the address on the end of an unknown name. Eg usart_fn08000752. Then you don't have to worry about having a dozen different functions named usart_fn3 scattered around.
Good idea, I should try that
Can someone give me a list of prior knowledge do i need to do these things, roughly
Much more comfortable watching this at 0.75 speed lol
Not sure where to find the ghidra python module ? Python reports that I am missing this. Any idea where to find that ?
You need to run the script from within Ghidra, then it should be fine
Thank you ! I didn't understand how it all went together at first. Found Ghidra at ghidra-sre.org and also downloaded the SDK from aws.amazon.com/corretto/ and things are up and running ! The biggie for me was understanding what ghidra itself was. I am using this same STM32F446 except for it being 100 pin so may be helpful to me ! Also fun to play with the other processors. Now if there is a .elf import too, I might be able to include source code comments ? Not sure if it does that or not
I'm having trouble finding the link to download example.bin. Can anyone help me out?
Hi, pic18f series code protect Hack?
The flash memory region is " 0x08000000 - 0x081FFFFF". The length of flash while loading the binary is specified as "0x2e0". Can you specify how the length is calculated?
The loaded binary is that small, as it's just the compiled object, not the entire flash-region.
Brilliant I have a challenge I know some brilliant mind like you Will solve it I need help with a Korean nintendo wii Locked on error 003 after update there is way to fix it but it's a painful and I can't find a modchip if there any way through software please and a lot of thanks to you for your time and work
Which DevOps Engineers also thought this would be a bare metal tutorial for Kubernetes 😆
Bro which IDE is that
yeet
yes i have refreshed but dont work
I didn't find decompiler for stm32f103c4 elf file to c code error
With ghidra tool
Not sure what you mean?
@@stacksmashing I used elf file of microcontroller STM 32f103c4 and I installed ghidra on Ubuntu 18 running of Jetson nano Nvidia board (GPU micro pc) and iam getting error as "decompiler missing__could not find decompiler excutable decompile"
When I try to do analysis and c code is not generated 😭I tryed on virtual box with Ubuntu 20 now I got c code generated 😀👍✌️👌
The main reason why I clicked on this video was that I was hoping to learn how to export binary from mcu :(
Notification squad. Lol, I'm a nerd.
brain.exe has stopped working
Hmm. Just made something in messing with a bit easier.
Please, do a similar video but now with the most popular MCU: atmega328 (Arduino UNO)
LiveOverflow did a couple on them: czcams.com/video/D0VKuZuuvW8/video.html
So... Yikes... Looks like I'm too 👂ly here.
Add script folder to script directories in script manager but dont show scripts in script list
Have you clicked the refresh button? Otherwise something else is wrong, the SVD-Loader.py script will get detected by Ghidra once it's in the search path.
Pls reply fast because I have a project to complete
You have to add the script folder to the paths Ghidra searches for scripts in
Add folder script folder to script directories in script manager but no effect and don't show in script list
Sorry, but way too much base and I can hardy make out what you are saying.
I'm sorry - I cannot get past you referring to 0x20000000 as hex two thousand etc. A hard pass on what could potentially have been an interesting video.
Okay :)