RTFC.org.uk

Read The Fucking Code


Embedded Tool Kit

With the proliferation of the Internet of Things, there is a need to properly test the security of devices that you create or buy. On the one hand, embedded penetration testing presents a sizeable challenge, due to the lack of user interfaces, the extensive use of bespoke code, and the small filesystem footprint. On the other hand, embedded devices often represent an outdated perspective of security and often many of the modern defences found on production servers are not present on embedded devices.

This website presents the beginnings of an embedded tool kit that details, and in some cases provides, tools that may be useful when attempting a penetration test of an embedded device.

Tools for download

Jackal

SSL certificate cloner - jackal
Jackal clones SSL certificates for use in man-in-the-middle testing.

Cliapi

Command Line Interface / Application Programming Interface - cliapi
Cliapi lets you run functions in executables and libraries from the command line.

BPS

Breakpoint Shenanigans - bps
Bps is a non-interactive debugger that prints out useful information on breakpoints.

Useful hardware

Bus Pirate

The Bus Pirate is an open source hacker multi-tool that talks to electronic stuff. With embedded hacking it is often used to interface with 5 V or 3.3 V serial connections, such as UART. Finding and connecting to a serial port on an embedded device often gives you root without needing to do anything else.

Logic Analysers

Logic analysers are like digital oscilloscopes with multiple channels. Simply connect the leads to an interesting looking bus and examine the signals; this could be useful to find serial protocols.

Useful software

Minicom / cutecom

Minicom and cutecom are terminal emulators that are useful in communicating with serial consoles. Minicom is very much like a standard TTY of old, whereas cutecom is a GUI app that separates the input from the output and allows either to be independently set to ASCII or hex.

Firmware unpacking

Firmware images are packed in a variety of formats, but often they are either squashfs or cpio, often they are compressed, and often they are packed into a container. Use binwalk to find sections within the containers, dd to extract, xz/gzip/bzip2 to decompress, and unsquashfs/cpio to unpack. With the final step, you may get some joy out of using 7zip as it seems to support a variety of squashfs formats.
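The find/extract/decompress/unpack chain above, as an added example that is not part of this site's tools: a Python script that scans a constructed firmware blob for the magic bytes a binwalk-style carver reports, carves the gzip member at the offset found (the dd step), inflates it, and parses the cpio "newc" archive inside. The signature table, the helper that builds the sample archive, and the image contents are all constructed here for the demonstration.

```python
import gzip, zlib
# Magic bytes a binwalk-style carver looks for (constructed subset, not binwalk's own table)
SIGNATURES = {b"\x1f\x8b\x08": "gzip", b"\xfd7zXZ\x00": "xz", b"BZh": "bzip2",
              b"hsqs": "squashfs", b"070701": "cpio-newc"}

def scan(blob):
    """Every (offset, format) at which a known magic occurs, lowest offset first."""
    hits = []
    for magic, fmt in SIGNATURES.items():
        i = blob.find(magic)
        while i != -1:
            hits.append((i, fmt))
            i = blob.find(magic, i + 1)
    return sorted(hits)

def carve_gzip(blob, offset):
    # The 'dd skip=OFFSET | gunzip' step: inflate the gzip member that starts at offset
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(blob[offset:])

def cpio_newc_entries(data):  # parse a 'newc' (magic 070701) cpio archive into {path: contents}
    entries, pos = {}, 0
    while True:
        hdr = data[pos:pos + 110]                  # 6-byte magic + 13 ASCII-hex fields of 8
        if hdr[:6] != b"070701":
            raise ValueError("bad cpio magic at offset %d" % pos)
        filesize, namesize = int(hdr[54:62], 16), int(hdr[94:102], 16)
        name = data[pos + 110:pos + 110 + namesize - 1].decode()  # namesize counts the NUL
        pos = (pos + 110 + namesize + 3) & ~3      # header + name padded to 4 bytes
        body, pos = data[pos:pos + filesize], (pos + filesize + 3) & ~3  # data padded too
        if name == "TRAILER!!!":
            return entries
        entries[name] = body

def make_newc(files):  # builds a minimal newc archive; used only to construct the sample image
    out = b""
    for name, body in list(files.items()) + [("TRAILER!!!", b"")]:
        nm = name.encode() + b"\0"
        fields = [0, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nm), 0]
        out += b"070701" + b"".join(b"%08x" % f for f in fields) + nm
        out += b"\0" * (-len(out) % 4) + body
        out += b"\0" * (-len(out) % 4)
    return out

ROOTFS = {"etc/passwd": b"root::0:0:root:/:/bin/sh\n", "etc/version": b"1.0\n"}  # constructed
FIRMWARE = b"VENDORHDR" + b"\0" * 55 + gzip.compress(make_newc(ROOTFS))  # fake 64-byte header + gzip'd cpio

def unpack_firmware(blob):  # scan -> carve -> decompress -> unpack, for the first gzip member
    first_gzip = next(off for off, fmt in scan(blob) if fmt == "gzip")
    return cpio_newc_entries(carve_gzip(blob, first_gzip))
```

On a real image you would feed scan() the whole file and carve each reported offset in turn; a squashfs hit would go to unsquashfs rather than to a Python parser.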

Dynamic analysis

gdb is the de facto interactive debugger, but see bps above.

Static analysis

objdump and IDA Pro are both disassemblers. There is a reason why IDA is commercial; it is very very good.

Cantor Dust

I have only seen a talk and a demo so far, but this approach/concept looks very useful for analysing binary files.

Crypto tools

The OpenSSL command line provides some functionality, but there is a lack of decent crypto-hacking tools available.
