Read The Fucking Code
Embedded Tool Kit
With the proliferation of the Internet of Things, there is a need to properly test the security of devices
that you create or buy. On the one hand, embedded penetration testing presents a sizeable challenge: there is
usually no user interface, much of the code is bespoke, and the filesystem footprint is small. On the other
hand, embedded devices often reflect an outdated view of security, and many of the modern defences found on
production servers (address-space randomisation, stack protection, non-executable memory) are simply absent.
This website presents the beginnings of an embedded tool kit: it describes, and in some cases provides, tools
that may be useful when penetration testing an embedded device.
Tools for download
SSL certificate cloner - jackal
Jackal clones SSL certificates for use in man-in-the-middle testing; a cloned certificate is the quickest way to check whether a device actually validates the server's certificate chain or merely looks at the name.
Command Line Interface / Application Programming Interface - cliapi
Cliapi lets you run functions in executables and libraries from the command line.
Breakpoint Shenanigans - bps
Bps is a non-interactive debugger that prints out useful information (registers, arguments, stack) each time a breakpoint is hit, without you driving a debugger session by hand.
Bus Pirate
The Bus Pirate is an open source hacker multi-tool that talks to electronic stuff. In embedded hacking it is
often used to interface with 3.3 V or 5 V serial connections, such as UART. Check the target's logic level
before wiring it up: driving a 3.3 V part at 5 V can damage it. Finding and connecting to a serial port on an
embedded device often drops you into a root shell (or an unlocked bootloader prompt) with no authentication at all.
Logic analyser
Logic analysers are like digital oscilloscopes with multiple channels. Simply connect the leads to an
interesting-looking bus and examine the signals; this is useful for finding serial protocols, and most
analyser software includes protocol decoders (UART, SPI, I2C) that will turn the waveform into bytes once
you have identified the bit rate.
Minicom / cutecom
Minicom and cutecom are terminal emulators that are useful for communicating with serial consoles. Minicom is
very much like a standard TTY of old, whereas cutecom is a GUI app that separates the input from the output and
allows either to be independently set to ASCII or hex. Both need the correct baud rate (115200 8N1 is a common
default on embedded consoles; 9600 and 57600 are also seen): with the wrong rate you see only garbage characters.
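The serial-console and logic-analyser entries above describe probing an unknown UART: find the line, work out the baud rate, then decode it. The following is an added example (not code from this page or from the Bus Pirate project) that does the decoding side in software: it estimates the bit period from the narrowest pulse in a capture, derives the baud rate from the analyser's sample rate, and decodes 8N1 frames. The capture is constructed in memory so it runs without hardware, and all function names are this example's own.

```python
"""Decode 8N1 serial traffic from a logic-analyser capture.

Added example, not code from this page. Conventions assumed: the line idles
high, a start bit pulls it low, 8 data bits follow LSB first, then one high
stop bit (8N1). The capture is constructed by encode_8n1(), not recorded.
"""
from typing import List

SAMPLES_PER_BIT = 8  # analyser sample rate / baud rate for the constructed capture


def encode_8n1(data: bytes, samples_per_bit: int) -> List[int]:
    """Build a constructed capture of `data` as 8N1 frames with idle gaps."""
    samples = [1] * (samples_per_bit * 4)  # leading idle
    for byte in data:
        frame = [0] + [(byte >> i) & 1 for i in range(8)] + [1]  # start, data LSB first, stop
        for bit in frame:
            samples.extend([bit] * samples_per_bit)
        samples.extend([1] * (samples_per_bit * 2))  # inter-byte idle
    return samples


def estimate_bit_period(samples: List[int]) -> int:
    """Shortest run of identical samples = one bit time.

    This is the trick for an unknown baud rate: measure the narrowest pulse
    on the line and divide the analyser's sample rate by it.
    """
    shortest = len(samples)
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            shortest = min(shortest, run)
            run = 1
    return shortest


def baud_rate(samples: List[int], sample_rate_hz: int) -> int:
    """Baud rate implied by the capture; round to the nearest standard rate by hand."""
    return sample_rate_hz // estimate_bit_period(samples)


def decode_8n1(samples: List[int], samples_per_bit: int) -> bytes:
    """Recover bytes: find each falling edge, sample bit centres, check the stop bit."""
    out = bytearray()
    n = len(samples)
    i = 1
    while i < n:
        if not (samples[i - 1] == 1 and samples[i] == 0):  # not a falling edge
            i += 1
            continue
        centre = i + samples_per_bit // 2
        if centre >= n or samples[centre] != 0:  # glitch, not a real start bit
            i += 1
            continue
        value = 0
        for bit in range(8):
            pos = centre + (bit + 1) * samples_per_bit
            if pos >= n:
                return bytes(out)  # capture ends mid-frame
            value |= samples[pos] << bit
        stop = centre + 9 * samples_per_bit
        if stop < n and samples[stop] == 1:
            out.append(value)  # good frame; a low stop bit is a framing error and is dropped
        i = stop + 1  # resume the edge search after this frame
    return bytes(out)


if __name__ == "__main__":
    capture = encode_8n1(b"root@target:~# ", SAMPLES_PER_BIT)  # constructed, not a real capture
    period = estimate_bit_period(capture)
    print("bit period:", period, "samples -> baud", baud_rate(capture, 921_600))
    print("decoded:", decode_8n1(capture, period))
```

On a real capture the estimated rate will be slightly off the nominal one (115200 comes out as, say, 114900); pick the nearest standard rate and feed it to minicom or cutecom. A stream of framing errors usually means the wrong rate, an inverted line, or a different frame format than 8N1.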
Firmware unpacking
Firmware images are packed in a variety of formats, but the filesystem is usually squashfs or cpio, it is
usually compressed, and it is usually wrapped in a vendor container. Use binwalk to find the sections within
the container, dd (with bs=1 and skip=<offset>) to carve them out, xz/gzip/bzip2 to decompress, and
unsquashfs/cpio to unpack. For the final step you may get some joy out of 7zip, as it supports a variety of
squashfs variants; vendors also ship squashfs with non-standard compressors (typically LZMA), for which the
stock unsquashfs may need patching.
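The binwalk, dd and decompress steps above can be shown in miniature. The following is an added example, not binwalk and not code from this page: it scans an image for magic bytes, carves from one hit to the next (what the dd step does), and decompresses a carve with a streaming decompressor so that the padding or next section dragged in by the carve does not break decompression. The "firmware image" is constructed in memory (a fake header, a gzip'd kernel banner, an xz'd passwd line and a bare squashfs magic) so it runs offline; the section kinds and helper names are this example's own.

```python
"""Find and carve compressed sections inside a firmware image.

Added example, not code from this page. build_sample_image() constructs a
stand-in image; nothing here is a real vendor format.
"""
import gzip
import lzma
import zlib
from typing import List, Tuple

# Magic bytes to scan for. binwalk's signature set is far larger and also
# validates the header that follows, which cuts false positives on short magics.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bzip2",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"070701": "cpio newc",
}


def build_sample_image() -> bytes:
    """Constructed stand-in for a vendor firmware blob (not a real image)."""
    header = b"FWHDR\x00\x01\x00" + b"\x00" * 56             # fake 64-byte container header
    kernel = gzip.compress(b"Linux version 2.6.x (constructed kernel banner)\n", mtime=0)
    passwd = lzma.compress(b"root:x:0:0:root:/root:/bin/sh\n")
    squash = b"hsqs" + b"\x00" * 28                           # magic only, to show detection
    pad = b"\xff" * 16                                        # erased-flash padding between parts
    return header + kernel + pad + passwd + pad + squash


def find_sections(image: bytes) -> List[Tuple[int, str]]:
    """binwalk-style scan: every (offset, kind) hit, sorted by offset."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while True:
            pos = image.find(magic, start)
            if pos == -1:
                break
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)


def carve(image: bytes, hits: List[Tuple[int, str]], index: int) -> bytes:
    """Equivalent of `dd if=image bs=1 skip=<offset> count=<next offset - offset>`."""
    start = hits[index][0]
    end = hits[index + 1][0] if index + 1 < len(hits) else len(image)
    return image[start:end]


def inflate(section: bytes, kind: str) -> Tuple[bytes, int]:
    """Decompress one carve and report how many bytes really belonged to the stream.

    A carve always drags in padding or the next section, so gzip.decompress()
    would raise on the trailing bytes (gunzip warns "trailing garbage ignored").
    Streaming decompressors stop at end of stream and return the rest in unused_data.
    """
    if kind == "gzip":
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: expect a gzip wrapper
    elif kind == "xz":
        d = lzma.LZMADecompressor()
    else:
        raise ValueError(f"{kind}: hand this carve to unsquashfs, cpio or bzip2")
    data = d.decompress(section)
    if not d.eof:
        raise ValueError(f"truncated {kind} stream")
    return data, len(section) - len(d.unused_data)


if __name__ == "__main__":
    image = build_sample_image()
    hits = find_sections(image)
    for n, (offset, kind) in enumerate(hits):
        line = f"{offset:>8}  0x{offset:<8X} {kind}"
        if kind in ("gzip", "xz"):
            payload, used = inflate(carve(image, hits, n), kind)
            line += f"  ({used} bytes, inflates to {payload!r})"
        print(line)
```

The consumed-length value is the one to keep: it tells you where the section really ends, which is what you need to check that nothing (a signature block, a second filesystem) is hiding between the end of the stream and the next magic.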
gdb
gdb is the de facto interactive debugger, but see bps above. On an embedded target you will usually run gdbserver on the device (over the network or the serial console) and drive it from a cross-built gdb on your workstation.
objdump / IDA Pro
objdump and IDA Pro are both disassemblers. There is a reason IDA is commercial: it is very, very good.
I have only seen a talk and a demo so far, but this approach/concept looks very useful for analysing binary files.
openssl
The openssl command line provides the basic primitives (certificate and key handling, symmetric encryption, digests), but decent crypto-hacking tools are otherwise scarce.
Support the project by buying me beer.
Contact: rtfcode@gmail.com (the address appears on the original page as an ASCII-art banner)