During my time with Cisco Portcullis, I wanted to learn more about reverse engineering embedded device firmware.
This six-part series was written both during my time with Cisco Portcullis, as well in my spare time (if the tagline of this blog didn’t give that away). This series intends to detail my analysis of an embedded device’s firmware, in this case, the ESP8266’s, present a methodology for analysing firmware more generally and of course, solve the challenge presented. It will be one of many series with a focus on firmware reverse engineering and security assessment of ‘smart’ devices.
We will cover the initial analysis, writing an IDA loader and recovering function symbols (names) via IDA’s FLAIR tools. Finally, we’ll reverse engineer the functionality required to solve the challenge, for extra points, without reliance upon string references.
I chose an ESP8266 firmware image supplied by a colleague as a contrived reversing challenge. Mainly because this target made a good starting point due to the simplicity of the firmware format.
The challenge was described as follows:
We managed to obtain the firmware of an unknown device connected to our wireless access point. We’ve been told it’s connecting to a service and retrieving secrets, but we can’t reach the service. Can you?
Update: You can find the a slightly modified version of the supplied binary here (within the zip archive).
This series has been broken down into the following parts:
- Part 1:
- Introduction (you’re here now)
- Part 2:
- Initial analysis
- Questions we need to answer
- Part 3:
- What is it?
- Understanding the firmware format
- Understanding the boot process
- Understanding the physical memory layout
- Part 4:
- Writing an IDA loader
- Performing library recognition
- Fixing IDB2PAT
- Generating our pattern file
- Part 5:
- Recognising VTABLE’s
- Finding the port knock sequence
- Understanding the Xtensa instruction set
- Understanding the Xtensa calling convention
- Part 6:
- Reversing the loop function
- Getting the secrets!