Firmware dumping via SPI
I tried firmware dumping via SPI with Attify badge and Attify OS.
The target camera is this one.
After the preview, I extracted the board.
This time, I'd like to focus on the flash memory.
It looks like a Macronix (MXIC) MX25L12835F. From the model number we can find the datasheet (MX25L12835F).
Now, let's connect the flash memory pins to the Attify Badge.
The Attify Badge pin layout is:
D0 : SCK
D1 : MISO
D2 : MOSI
D3 : CS
I connected the flash memory and the Attify Badge like this:
D0 - SCLK(6)
D1 - SI(5)
D2 - SO(2)
D3 - CS(1)
GND - GND(4)
3.3V - VCC(8)
3.3V - RESET(7)
3.3V - WP(3)
We don't need to connect the power plug to the camera; power is supplied via the badge.
For testing, try spiflash.py with the -i parameter.
According to the Python code, it returns the chip ID.
This command can be used for connectivity testing.
"00 00 00" or "FF FF FF" seem to mean failure, but I'm not sure.
➜ sudo python /home/oit/tools/libmpsse/src/examples/spiflash.py -i
FT232H Future Technology Devices International, Ltd initialized at 15000000 hertz
C2 20 18
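Added example, not code from the original post: a Python helper that decodes the three bytes spiflash.py -i prints as a JEDEC RDID response (manufacturer 0xC2 = Macronix, memory type 0x20, capacity code 0x18 = 2^24 bytes = 16 MiB, matching the 128 Mbit MX25L12835F) and checks a requested -s size against that capacity. The sample output string is copied from the command above; the vendor table and the "all 00 / all FF means no response" rule are assumptions of this example, not something spiflash.py itself reports.

```python
import re

# Manufacturer IDs (first RDID byte) from the JEDEC JEP106 list; a partial table
# kept here as an assumption of this example, not data reported by spiflash.py.
JEDEC_VENDORS = {0xC2: "Macronix", 0xEF: "Winbond", 0x20: "Micron/ST",
                 0x1F: "Adesto/Atmel", 0xBF: "Microchip/SST", 0x01: "Spansion/Cypress"}

# Output of "spiflash.py -i" as shown above; the chip ID is the last three bytes.
SAMPLE_ID_OUTPUT = ("FT232H Future Technology Devices International, Ltd "
                    "initialized at 15000000 hertz C2 20 18")


def parse_chip_id(output):
    """Return the three trailing ID bytes of spiflash.py -i output as ints."""
    m = re.search(r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$", output)
    if not m:
        raise ValueError("no 3-byte chip ID at the end of the output")
    return tuple(int(b, 16) for b in m.groups())


def decode_chip_id(chip_id):
    """Decode JEDEC RDID bytes: (manufacturer, memory type, capacity code)."""
    mfr, mtype, cap = chip_id
    if chip_id in ((0x00, 0x00, 0x00), (0xFF, 0xFF, 0xFF)):
        # MISO stuck low or high: the chip never drove the bus, so check
        # wiring, power and chip select before trusting any dump (assumption).
        return {"ok": False, "reason": "no response on SPI bus"}
    # For most SPI NOR parts the capacity byte is log2 of the size in bytes
    # (0x18 -> 16 MiB); outside the plausible range we report it as unknown.
    capacity = (1 << cap) if 0x10 <= cap <= 0x20 else None
    return {"ok": True, "vendor": JEDEC_VENDORS.get(mfr, "unknown (0x%02X)" % mfr),
            "memory_type": mtype, "capacity_bytes": capacity}


def check_dump_size(requested, capacity):
    """Compare the -s size with the chip size; reads past the end wrap to address 0."""
    if capacity is None:
        return "capacity unknown; cannot check"
    if requested > capacity:
        return ("requested %d bytes > %d-byte chip: data past 0x%X repeats the start"
                % (requested, capacity, capacity))
    return "ok"
```

The 20480000-byte read used below exceeds the 16 MiB chip, which is consistent with binwalk later reporting the identical uImage header at 0x80000 and again exactly 0x1000000 bytes later at 0x1080000: the read wrapped around to address 0.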
Then, try dumping the flash memory.
➜ sudo python /home/oit/tools/libmpsse/src/examples/spiflash.py -s 20480000 -r firmware.bin
[sudo] password for oit:
FT232H Future Technology Devices International, Ltd initialized at 15000000 hertz
Reading 20480000 bytes starting at address 0x0...saved to firmware.bin.
It contains some readable strings, but...
➜ strings firmware.bin |less
GM8136 U-BOOT KERNEL ROOTFS (8D<' 9A8# (8M@ (8@<(8 8Hx" (q*h& (qz pB A Et O P(qw P(qw (qx I(`O p| ^ 9<34 H#p6PO PEp. pGp" "0Dr !*8 qDpF u&8J Bpx ^ u&(Ir Ep#3 ((qc ((qZ ((qR ((qK ((q6 u-`F u,8F ((qc q.`n Y(Hp BpY 0Cq9
the dumped firmware looks weird.
➜ binwalk firmware.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
6695891       0x662BD3        MySQL ISAM compressed data file Version 2
8372566       0x7FC156        MySQL MISAM index file Version 1
8520120       0x8201B8        MySQL MISAM compressed data file Version 1
8618026       0x83802A        MySQL MISAM index file Version 9
That seems to be a common thing in IoT hacking.
Then try dumping again.
Actually, this is the 3rd time.
➜ strings firmware3.bin |less
GM8136
U-BOOT
KERNEL
ROOTFS
@
#!
0123456789
0123456789abcdef
0123456789ABCDEF
go...
GM8135S mode 4
Version 1.0.2A
SPI init fail!
### ERROR ### Please RESET the board ###
SPI jump setting is %d bytes mode
SF: Failed to send command %02x: %d
SF: Failed to read data (%zu bytes): %d
SF: Failed to write data (%zu bytes): %d
SF: Failed to read response (%zu bytes): %d
SF: Failed to read response due to the mismatch of len and response (%zu bytes): %d
spi_xfer: command 0x%x is not supported!
Failed to check status!
flash_set_quad_enable fail 1
flash_set_quad_enable fail 2
flash_set_quad_enable fail 3
flash_set_quad_enable fail 4
MSG: spi_pgrd fail
spi wait rxfifo time out
Not implement write
Not valid divider value %d
GM8136
SS_SIGNATURE not correct <0x x="">
check 55AA fail
Boot image offset: 0x%x. size: 0x%x.
Load Image and Booting .....
MSG: Load body fail
SS_SIGNATURE not correct: <%x>
0x55AA not correct 0x>
This one looks fine.
➜ binwalk firmware3.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
218040        0x353B8         CRC32 polynomial table, little endian
524288        0x80000         uImage header, header size: 64 bytes, header CRC: 0x4687D1AC, created: 2007-06-15 10:36:26, image size: 2217656 bytes, Data Address: 0x2000000, Entry Point: 0x2000040, data CRC: 0xA54D09E1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "gm8136"
524352        0x80040         Linux kernel ARM boot executable zImage (little-endian)
542452        0x846F4         gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
3670016       0x380000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6969972 bytes, 185 inodes, blocksize: 131072 bytes, created: 2007-06-30 03:29:34
11534336      0xB00000        JFFS2 filesystem, little endian
12452044      0xBE00CC        Zlib compressed data, compressed
12459440      0xBE1DB0        Zlib compressed data, compressed
12461496      0xBE25B8        Zlib compressed data, compressed
12463220      0xBE2C74        Zlib compressed data, compressed
12465716      0xBE3634        JFFS2 filesystem, little endian
12466256      0xBE3850        Zlib compressed data, compressed
12466424      0xBE38F8        Zlib compressed data, compressed
12466788      0xBE3A64        Zlib compressed data, compressed
12466956      0xBE3B0C        Zlib compressed data, compressed
12467124      0xBE3BB4        Zlib compressed data, compressed
12521304      0xBF0F58        Zlib compressed data, compressed
12521484      0xBF100C        Zlib compressed data, compressed
12521664      0xBF10C0        Zlib compressed data, compressed
12521844      0xBF1174        Zlib compressed data, compressed
12522024      0xBF1228        Zlib compressed data, compressed
12522204      0xBF12DC        Zlib compressed data, compressed
12522384      0xBF1390        Zlib compressed data, compressed
12522564      0xBF1444        Zlib compressed data, compressed
12522744      0xBF14F8        Zlib compressed data, compressed
12522924      0xBF15AC        Zlib compressed data, compressed
12523036      0xBF161C        JFFS2 filesystem, little endian
16995256      0x10353B8       CRC32 polynomial table, little endian
17301504      0x1080000       uImage header, header size: 64 bytes, header CRC: 0x4687D1AC, created: 2007-06-15 10:36:26, image size: 2217656 bytes, Data Address: 0x2000000, Entry Point: 0x2000040, data CRC: 0xA54D09E1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "gm8136"
17301568      0x1080040       Linux kernel ARM boot executable zImage (little-endian)
17319668      0x10846F4       gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
20447328      0x1380060       xz compressed data
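Added example, not from the original post: a Python parser for the 64-byte legacy uImage header that binwalk found at 0x80000, which recomputes the header CRC and data CRC (the 0x4687D1AC and 0xA54D09E1 values above) so a dump's integrity can be checked directly instead of judged from strings output. The build_uimage helper constructs a synthetic image for offline testing; the gm8136 name, OS/CPU/type fields and the load/entry addresses are taken from the binwalk output above, while the payload bytes are constructed.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy U-Boot image header, big-endian: magic, hcrc, time, size, load, ep,
# dcrc, os, arch, type, comp, name[32]; 64 bytes in total.
HEADER_FMT = ">IIIIIIIBBBB32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64


def parse_uimage_header(blob, offset):
    """Parse the uImage header at `offset` and verify header and data CRCs."""
    raw = blob[offset:offset + HEADER_LEN]
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated header at 0x%X" % offset)
    fields = struct.unpack(HEADER_FMT, raw)
    magic, hcrc, _time, size, load, ep, dcrc = fields[:7]
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at 0x%X" % offset)
    # The header CRC is computed over the header with its own CRC field zeroed.
    header_ok = (zlib.crc32(raw[:4] + b"\0\0\0\0" + raw[8:]) & 0xFFFFFFFF) == hcrc
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    data_ok = len(data) == size and (zlib.crc32(data) & 0xFFFFFFFF) == dcrc
    return {"name": fields[11].rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "load": load, "entry": ep,
            "header_crc_ok": header_ok, "data_crc_ok": data_ok}


def build_uimage(payload, name=b"gm8136", load=0x2000000, ep=0x2000040):
    """Construct a valid uImage (header + payload) for offline testing."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    # os=5 (Linux), arch=2 (ARM), type=2 (OS kernel image), comp=0 (none),
    # matching the fields binwalk printed for the header at 0x80000.
    hdr = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, 0, len(payload), load, ep, dcrc,
                      5, 2, 2, 0, name.ljust(32, b"\0"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def find_uimages(blob):
    """Offsets of every uImage magic on a 4-byte boundary (0x80000 and 0x1080000 above)."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    return [off for off in range(0, len(blob) - HEADER_LEN + 1, 4)
            if blob[off:off + 4] == magic]
```

A dump whose header CRC verifies but whose data CRC does not points at a bad read somewhere inside the kernel image, which is the kind of corruption the first dump above showed.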
Then extract the contents.
➜ binwalk -e firmware3.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
218040        0x353B8         CRC32 polynomial table, little endian
524288        0x80000         uImage header, header size: 64 bytes, header CRC: 0x4687D1AC, created: 2007-06-15 10:36:26, image size: 2217656 bytes, Data Address: 0x2000000, Entry Point: 0x2000040, data CRC: 0xA54D09E1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "gm8136"
524352        0x80040         Linux kernel ARM boot executable zImage (little-endian)
542452        0x846F4         gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
3670016       0x380000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6969972 bytes, 185 inodes, blocksize: 131072 bytes, created: 2007-06-30 03:29:34
11534336      0xB00000        JFFS2 filesystem, little endian
12452044      0xBE00CC        Zlib compressed data, compressed
...
➜ ls _firmware3.bin.extracted
10846F4 BE6070.zlib BE8FB8.zlib BECED8.zlib BEED28.zlib BF0418.zlib 1380060 BE617C BE906C BECF8C BEEDDC BF04CC 1380060.xz BE617C.zlib BE906C.zlib BECF8C.zlib BEEDDC.zlib BF04CC.zlib 380000.squashfs BE67E0 BE9150 BED040 BEEE90 BF0580 846F4 BE67E0.zlib BE9150.zlib BED040.zlib BEEE90.zlib BF0580.zlib B00000.jffs2 BE6EFC BE925C BED0F4 BEEF44 BF0634 BE00CC BE6EFC.zlib BE925C.zlib BED0F4.zlib BEEF44.zlib BF0634.zlib BE556C BE8B80 BEBDBC.jffs2 BEE8F0 BEFF70 BF161C.jffs2 BE556C.zlib BE8B80.zlib BEBE74 BEE8F0.zlib BEFF70.zlib jffs2-root BE56A4 BE8C34 BEBE74.zlib BEE9A4 BF0094 jffs2-root-0 BE56A4.zlib BE8C34.zlib BEBEA0.jffs2 BEE9A4.zlib BF0094.zlib jffs2-root-1 BE5770 BE8CE8 BEC524 BEEA58 BF0148 jffs2-root-2 BE5770.zlib BE8CE8.zlib BEC524.zlib BEEA58.zlib BF0148.zlib jffs2-root-3 BE5854 BE8D9C BEC630 BEEB0C BF01FC jffs2-root-4 BE5854.zlib BE8D9C.zlib BEC630.zlib BEEB0C.zlib BF01FC.zlib jffs2-root-5 BE5960 BE8E50 BEC770 BEEBC0 BF02B0 jffs2-root-6 BE5960.zlib BE8E50.zlib BEC770.zlib BEEBC0.zlib BF02B0.zlib jffs2-root-7 BE5F8C BE8F04 BEC854 BEEC74 BF0364 squashfs-root BE5F8C.zlib BE8F04.zlib BEC854.zlib BEEC74.zlib BF0364.zlib BE6070 BE8FB8 BECED8 BEED28 BF0418
➜ _firmware3.bin.extracted ls jffs2-root/fs_1
Certificate.bin        img             OnvifFile      version.txt
custom_setting_gm.ini  language        OnvifFileTemp  wpa_supplicant0.conf
dhcp.script            mac.ini         patch          wpa_supplicant1.conf
FileSetting.bin        minihttpd.conf  readme.txt     wpa_supplicant2.conf
ftp_config.ini         mtd             sound          wpa_supplicant3.conf
gwellipc               npc             upgfile_ok
➜ _firmware3.bin.extracted ls jffs2-root/fs_2
1080p                                    GetVideoSourceConfiguration.xml
960p                                     GetVideoSources.xml
alarm_1.amr                              gmlib.cfg
alarm_2.amr                              gpioi2c1.ko
alarm_3.amr                              gpioi2c2.ko
alarm_4.amr                              init.sh
alarm_5.amr                              isp328_ov9715.cfg
alarm_6.amr                              isp328_sc1035.cfg
alarm.amr                                isp328_sc1037.cfg
Authentication.xml                       isp328_sc1045.cfg
cf                                       isp328_sc1135.cfg
ch                                       isp328_sc1135_fisheye.cfg
clear.amr                                isp328_sc1145.cfg
cvbs                                     isp328_sc2035.cfg
Device.xml                               isp328_sc2045.cfg
di.amr                                   isp328_sc2135.cfg
di.pcm                                   isp328_soih42.cfg
en                                       key_press.amr
Fault.xml                                motor_drv.ko
fisheye                                  NetworkVideo.xml
fisp328.ko                               numbers_ch
fisp_algorithm.ko                        OnvifGetAttributes.xml
fisp_lens_ms41929.ko                     OnvifSetTimeTempFile.xml
fisp_lens_ms41929_small.ko               Reset_ch.amr
fisp_sc1035.ko                           Reset_en.amr
fisp_sc1037.ko                           s
fisp_sc1045.ko                           sar_adc.ko
fisp_sc1135.ko                           set.amr
fisp_sc2035.ko                           set_fail.amr
fisp_sc2045.ko                           set_ok.amr
fisp_sc2135.ko                           SetSystemDateAndTime.xml
fisp_soih42.ko                           SetTimeTempFile.xml
GetAudioEncoderConfigurationOptions.xml  SetVideoEncoderConfiguration.xml
GetAudioEncoderConfiguration.xml         ss
GetCapabilities.xml                      tempget.xml
GetDeviceInformation.xml                 tptz_ContinuousMove.xml
GetNetworkInterfaces.xml                 tptz_GetConfigurationOptions.xml
GetProfiles.xml                          Unlock.amr
GetServices.xml                          vg_boot_autofocus.sh
GetSnapshotUri.xml                       vg_boot_cvbs.sh
GetStreamUri.xml                         vg_boot.sh
GetSystemDateAndTime.xml                 WifiLink_ch
GetVideoEncoderConfigurationOptions.xml  WifiLink_en
GetVideoEncoderConfiguration.xml
There are many interesting files.
➜ _firmware3.bin.extracted file jffs2-root/fs_1/*
jffs2-root/fs_1/Certificate.bin:       data
jffs2-root/fs_1/custom_setting_gm.ini: ASCII text, with CRLF line terminators
jffs2-root/fs_1/dhcp.script:           POSIX shell script, ASCII text executable
jffs2-root/fs_1/FileSetting.bin:       data
jffs2-root/fs_1/ftp_config.ini:        ASCII text
jffs2-root/fs_1/gwellipc:              ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
jffs2-root/fs_1/img:                   directory
jffs2-root/fs_1/language:              directory
jffs2-root/fs_1/mac.ini:               data
jffs2-root/fs_1/minihttpd.conf:        C source, ASCII text
jffs2-root/fs_1/mtd:                   directory
jffs2-root/fs_1/npc:                   ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
jffs2-root/fs_1/OnvifFile:             directory
jffs2-root/fs_1/OnvifFileTemp:         directory
jffs2-root/fs_1/patch:                 directory
jffs2-root/fs_1/readme.txt:            empty
jffs2-root/fs_1/sound:                 directory
jffs2-root/fs_1/upgfile_ok:            empty
jffs2-root/fs_1/version.txt:           ASCII text, with CRLF line terminators
jffs2-root/fs_1/wpa_supplicant0.conf:  ASCII text
jffs2-root/fs_1/wpa_supplicant1.conf:  ASCII text
jffs2-root/fs_1/wpa_supplicant2.conf:  ASCII text
jffs2-root/fs_1/wpa_supplicant3.conf:  ASCII text
If you are interested in IoT hacking, have fun!!! :-)