Binbloom reloaded
memory, be it from an internal Flash of a SoC, an external NAND or SPI flash chip. Extracting memory content is part of the job, but once done we still need to analyze it and face the inevitable truth: we may be in front of an unknown memory dump, or simply have no idea of how information is stored in it, or even how it is loaded into the SoC or MCU memory.
In this talk we will introduce Binbloom version 2, a tool able to identify the base address of any firmware image, as well as some specific structures such as UDS databases (often encountered in ECUs), regardless of the architecture (32- or 64-bit).
Detailed outline
I. Introduction (5 minutes)
I.1. Quick introduction and demo of the tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will start the talk by introducing the main reason why this new version of Binbloom has been developed, and will demonstrate it live on various 32-bit and 64-bit firmware images. I will also stress that this tool implements a new method, detailed later in the talk, and that other tools exist too.
I.3. How existing tools work
~~~~~~~~~~~~~~~~~~~~~
I will then explain how I came to improve Binbloom and the fact that other tools able to guess a firmware base address do exist (rbasefind, for instance), and detail their internals: basically, they try every possible base address and compute a score for each based on some heuristics.
I.4. Current limitations (64-bit architectures)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will then discuss the current limitation of these existing tools: their lack of support for 64-bit architectures.
II. Bruteforce vs. Inference (7 minutes)
In this part of the talk, I will detail the algorithm implemented in Binbloom v2, which does not rely on brute force but tries to infer the base address from data found in the firmware.
II.1. Entropy
~~~~~~~~~
I present the first interesting metric that other tools lack: entropy. Firmware entropy can be useful to tell code and data apart, based on thresholds that have to be determined.
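An added example (not code from the talk or from Binbloom) of the entropy-based split between code and data mentioned above: a sliding-window Shannon entropy over a constructed image. The window size and the two thresholds are assumptions for this example; as the talk notes, real thresholds have to be determined empirically.

```python
import math
import random
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for constant data, 8.0 max)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def classify_regions(image: bytes, window: int = 512,
                     low: float = 1.0, high: float = 6.5) -> list:
    """Slide a fixed window over the image and label each window by its entropy.
    Window size and thresholds are assumptions for this example; as the talk notes,
    real thresholds have to be determined on actual firmware."""
    regions = []
    for off in range(0, len(image), window):
        h = shannon_entropy(image[off:off + window])
        if h < low:
            kind = "padding"      # erased flash (0xFF) or zero-filled areas
        elif h > high:
            kind = "compressed"   # compressed or encrypted blob, indistinguishable from noise
        else:
            kind = "code/data"    # machine code and tables sit in between
        regions.append((off, round(h, 2), kind))
    return regions

# Constructed sample image (not a real firmware), deterministic so results are reproducible:
# 512 bytes of erased-flash padding, 512 bytes drawn from a small "instruction" alphabet,
# then 512 pseudo-random bytes standing in for a compressed section.
_rng = random.Random(1234)
_OPCODES = bytes(range(0x20, 0x38))  # 24 distinct byte values, entropy near log2(24)
SAMPLE_IMAGE = (
    b"\xff" * 512
    + bytes(_rng.choice(_OPCODES) for _ in range(512))
    + bytes(_rng.getrandbits(8) for _ in range(512))
)

if __name__ == "__main__":
    for off, h, kind in classify_regions(SAMPLE_IMAGE):
        print(f"0x{off:05x}  entropy={h:.2f}  {kind}")
```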
II.2. Introducing Binbloom v2 internals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is time to go into the details, with a focus on the inference mechanism implemented in Binbloom v2. This mechanism allows Binbloom to deduce a set of potential base addresses rather than brute-forcing every possible value, which is more efficient on 64-bit firmware files while remaining backward-compatible with 32-bit architectures.
II.3. Implementation constraints (memory usage, performance and firmware file size)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will then talk about some technical constraints I faced during the development of Binbloom, especially memory usage issues and how I had to deal with a huge number of candidate addresses. I will also talk about performance issues and code optimization.
II.4. 32-bit and 64-bit architectures support
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Again, I will stress in this part of the talk that this method is generic and may be used on 32-bit and 64-bit firmware files with the same efficiency.
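The brute-force approach of part I.3 and the inference idea of part II, side by side, as an added example that is neither the talk's nor Binbloom's code: a toy rbasefind-style search that scores every aligned base of the whole address space, next to a simple inference scheme in which each (word, string) pair votes for a candidate base. The pointer-to-string heuristic, the 64 KiB alignment, little-endian words and the constructed image are assumptions for this example, not Binbloom's actual algorithm.

```python
import re
import struct
from collections import Counter
PAGE = 0x10000  # assumed base alignment (64 KiB); finer alignment multiplies the brute-force cost
FMT = {4: "<I", 8: "<Q"}  # struct format per pointer width (little-endian assumed)

def string_offsets(image: bytes, min_len: int = 4) -> set:
    """Offsets of NUL-terminated printable strings: the in-image data the inference uses."""
    return {m.start() for m in re.finditer(rb"[\x20-\x7e]{%d,}\x00" % min_len, image)}

def words(image: bytes, width: int) -> list:
    """Every aligned little-endian word of pointer width; each one is a pointer candidate."""
    return [struct.unpack_from(FMT[width], image, o)[0] for o in range(0, len(image) - width + 1, width)]

def brute_force(image: bytes, width: int, bits: int) -> tuple:
    """rbasefind-style: score every aligned base of a 2**bits space by pointers hitting strings."""
    strs, ptrs, best = string_offsets(image), words(image, width), (0, 0)
    for base in range(0, 1 << bits, PAGE):  # 2**16 candidates for 32-bit, 2**48 for 64-bit
        score = sum(1 for p in ptrs if (p - base) in strs)
        if score > best[1]:
            best = (base, score)
    return best

def infer(image: bytes, width: int) -> list:
    """Inference: each (word, string) pair votes for base = word - offset; only aligned,
    non-negative bases are kept. Work is O(words * strings) whatever the address width."""
    strs, votes = string_offsets(image), Counter()
    for p in words(image, width):
        for s in strs:
            base = p - s
            if base >= 0 and base % PAGE == 0:
                votes[base] += 1
    return votes.most_common(3)  # [(base, votes), ...], best first

def build_image(base: int, width: int) -> bytes:
    """Constructed sample image (not real firmware): string table, then a pointer table
    holding base + offset for each string, then a few words that are not pointers."""
    strings = [b"Binbloom\x00", b"UDS session\x00", b"ECU reset\x00", b"firmware v2\x00"]
    offs = [sum(map(len, strings[:i])) for i in range(len(strings))]
    table = b"".join(strings)
    table += b"\x00" * (-len(table) % width)  # pad so the pointer table is aligned
    ptrs = b"".join(struct.pack(FMT[width], base + o) for o in offs)
    noise = b"".join(struct.pack(FMT[width], v) for v in (0xDEADBEEF, 0x12345678, 0x0BADF00D))
    return table + ptrs + noise

if __name__ == "__main__":
    img32, img64 = build_image(0x08000000, 4), build_image(0x1_0000_0000, 8)
    print("32-bit brute force:", brute_force(img32, 4, 32), "inference:", infer(img32, 4))
    print("64-bit inference:  ", infer(img64, 8))  # brute force here would try 2**48 bases
```

On the 64-bit image the brute-force loop is never run: the point is that its cost scales with the address space, while the inference runs the same on both images.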
III. Binbloom v2 (3 minutes)
III.1. Comparison between Binbloom v2, rbasefind and Binbloom v1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will present in this section the results of a comparative analysis of Binbloom v1, Binbloom v2 and rbasefind, aiming at evaluating the efficiency of these three tools on a set of firmware files gathered on the Internet (thanks, Twitter!) and internally at Quarkslab.
III.2. Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will then present some improvements (on our to-do list) for Binbloom v2, and what they may bring to the tool. It is also a good time to ask the audience to contribute to this project! I will give the repository URL and invite attendees to give it a try (and report issues as well) =)
Damien Cauquil is a Security Researcher at Quarkslab who loves reverse-engineering hardware devices, firmware and protocols.