Flash Memory Dump Lab
mongii@grayhash
Overview
- The operating system and application code that an embedded device runs is mostly stored in flash memory.
- By building a flash memory dumper, understand how flash works and develop the ability to drive the ICs around the CPU freely.
- Learn how to read and use an IC datasheet.
Contents
- Disassembling the target device (an IPTIME router)
- Flash memory basics
- Flash memory desoldering lab
- Reading the flash memory ID code lab
- Dumping flash memory data lab
- Analyzing the dumped firmware
IPTIME N104p hardware structure
- CPU: Realtek RTL8196E (MIPS, 400 MHz)
- Flash memory: Winbond S02157, 2 MB
- Wireless chip: Realtek RTL8188ER wireless LAN (WLAN) network interface
What is flash memory?
- Non-volatile memory whose data can be erased and written electrically
- Storage that can be erased (or read/written) "in a flash"
- Invented in 1984 by Dr. Fujio Masuoka of Toshiba
- First commercial product released by Intel in 1988
- Evolution of small storage devices: ROM (Read Only Memory) -> PROM (Programmable ROM) -> EPROM (Erasable PROM) -> EEPROM (Electrically Erasable Programmable Read-Only Memory) -> Flash Memory (Flash EEPROM)
Flash memory speed
- Much slower than DRAM and SRAM
- Slower even than an ordinary magnetic hard disk
- Why is an SSD fast? Many flash chips are connected in parallel; in theory, connecting N chips gives N times the speed
Writing and reading data on flash memory
- ROM writer: dedicated firmware-writing equipment
- JTAG: hardware debugging equipment
Flash memory dump procedure
1. Desolder the flash memory chip
2. Obtain and study the datasheet
3. Build the flash memory dumper
4. Extract the flash memory data
5. Convert the data (hex) to binary
6. Analyze the firmware code
Flash memory desoldering
- Method 1: hot air gun. https://www.youtube.com/watch?v=dbzqwnlp_yk
- Method 2: soldering iron. https://www.youtube.com/watch?v=ogd3kffe0cg
Identifying the flash model name
Identifying the manufacturer by its logo
Desoldering lab
Finding the datasheet
Winbond W25Q16BV Serial Flash Memory
Spec summary
- Interface: SPI (Serial Peripheral Interface); data is sent and received in step with the clock
- Capacity: 16 Mbit (2 MB)
- Package: SOIC
- Operating voltage: 3.3 V
- Cell storage type: NAND
NAND vs NOR
- NAND: memory cells are connected in series; reads are slow, writes/erases are fast; suited to data areas (e.g. data partitions, removable storage)
- NOR: memory cells are connected in parallel; reads are fast, writes/erases are slow; suited to code areas (e.g. OS partitions); more expensive than NAND
8 pins in total. Pin list:
- VCC, GND: power supply
- /CS: selects the target flash memory (chip select)
- DO: Data Out (data output from the chip)
- DI: Data In (data input to the chip)
- CLK: clock
- WP#: write protect
- HOLD#: pause function
Connecting a cable to each pin. Flash-to-Arduino pin connections:
- Flash pin 1 (/CS) -> Arduino pin 2: driven HIGH -> LOW to select the chip
- Flash pin 2 (DO) -> Arduino pin 3: Data Out
- Flash pin 3 (/WP) -> Arduino pin 4: always HIGH
- Flash pin 4 (GND) -> Arduino pin 5: always LOW
- Flash pin 5 (DI) -> Arduino pin 6: Data In
- Flash pin 6 (CLK) -> Arduino pin 7: clock
- Flash pin 7 (/HOLD) -> Arduino pin 8: always HIGH
- Flash pin 8 (VCC) -> 3.3 V
Basic rule for controlling the W25Q16BV: COMMAND + ADDRESS + DATA
Reading the ID code
- The manufacturer's ID can be read. If this value reads back correctly, there is no problem with the circuit.
- The 0x90 instruction is "read ID code". It is followed by 24 bits of 0, after which the ID is shifted out on the DO pin.
Rising/falling edge
- When the MCU sends data (DI): rising edge
- When the MCU receives data (DO): falling edge
Lab: read the ID code and print it over UART.
Manufacturer ID, device ID: 11101111 (HHHLHHHH), 00010100 (LLHLHLL)
Reading flash memory data
Read command: the lab uses the basic Read Data instruction. Maximum address: 3 bytes == 0xFFFFFF == 16,777,215
Read command timing chart
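As an added example (not code from the slides), the Python below plays the W25Q16BV on a simulated SPI bus so the 0x90 ID read and the 0x03 Read Data exchange (COMMAND + ADDRESS + DATA) can be stepped through bit by bit before wiring the Arduino. The chip model, the edge rules it applies (DI latched on the rising edge, DO updated on the falling edge, the master sampling DO while CLK is high) and the image contents are assumptions of this example; only these two instructions are implemented.

```python
MFR_ID, DEV_ID = 0xEF, 0x14   # IDs the lab expects: EF = Winbond, 14 = W25Q16 device ID
class FlashModel:
    """Simulated W25Q16BV: DI is latched on the rising edge of CLK, DO is shifted on the falling edge."""
    def __init__(self, image):
        self.image = image                                  # constructed flash contents
        self.cs, self.clk, self.di, self.do = 1, 0, 0, 0    # /CS idles HIGH
        self.in_bits, self.out_bits = [], []
    def set_cs(self, level):
        self.cs = level
        if level == 0:                                      # a transaction begins when /CS goes LOW
            self.in_bits, self.out_bits = [], []
    def set_clk(self, level):
        if self.cs:                                         # the bus is ignored while deselected
            return
        if level == 1 and self.clk == 0:                    # rising edge: latch DI
            self.in_bits.append(self.di)
            if len(self.in_bits) == 32:                     # 8-bit COMMAND + 24-bit ADDRESS complete
                self._decode()
        elif level == 0 and self.clk == 1:                  # falling edge: put the next bit on DO
            self.do = self.out_bits.pop(0) if self.out_bits else 0
        self.clk = level
    def _decode(self):
        cmd = int("".join(map(str, self.in_bits[:8])), 2)
        addr = int("".join(map(str, self.in_bits[8:])), 2)
        payload = b""                                       # instructions other than the two below are not modelled
        if cmd == 0x90:                                     # Manufacturer/Device ID, repeats while selected
            payload = bytes([MFR_ID, DEV_ID]) * 2
        elif cmd == 0x03:                                   # Read Data: stream from addr until /CS rises
            payload = self.image[addr:]
        self.out_bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]

def transfer(chip, byte_out):
    """Bit-bang one byte MSB-first: drive DI, raise CLK, sample DO while CLK is HIGH, lower CLK."""
    byte_in = 0
    for i in range(7, -1, -1):
        chip.di = (byte_out >> i) & 1
        chip.set_clk(1)
        byte_in = (byte_in << 1) | chip.do                  # DO was set on the previous falling edge
        chip.set_clk(0)
    return byte_in

def command(chip, cmd, addr, nbytes):
    """COMMAND + ADDRESS + DATA: 8-bit instruction, 24-bit address, then nbytes clocked out."""
    chip.set_cs(0)
    for b in (cmd, (addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF):
        transfer(chip, b)
    data = bytes(transfer(chip, 0x00) for _ in range(nbytes))
    chip.set_cs(1)
    return data

def read_id(chip):
    return tuple(command(chip, 0x90, 0x000000, 2))          # (manufacturer ID, device ID)
def read_data(chip, addr, length):
    return command(chip, 0x03, addr, length)                # addr is at most 0xFFFFFF (3 bytes)
```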
Lab: obtain the IPTIME firmware!
Flash memory dump screen
Write and erase commands: proceed as "enable writing, then write": Write Enable + Page Program
Write Enable timing chart: a Write Enable is required before every write/erase command.
Page Program timing chart
Full erase: erases all data in the flash memory.
Initial data in flash memory
- A freshly purchased flash chip is filled with 1s
- Programming data is an AND operation: 1 & 1 = 1, 1 & 0 = 0
- Therefore, to write a new value, the block must first be reset (erased) to 1s
- Data can be erased only in units of at least one block
- The number of erase cycles is limited (e.g. 100,000)
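As an added example (not from the slides), this Python model of the flash array shows why a Write Enable must precede every Page Program or erase, why programming can only clear bits (AND), and why a cell goes back to 1 only when its whole block is erased. The 256-byte page, the 64 KB block and the instruction numbers in the comments follow the W25Q16BV datasheet; the erase limit is the slides' figure, and the array contents and the erase-cycle bookkeeping are constructed for illustration.

```python
PAGE_SIZE = 256          # a single Page Program covers at most one 256-byte page
BLOCK_SIZE = 64 * 1024   # unit cleared by the 64 KB Block Erase; smaller erases are not modelled
ERASE_LIMIT = 100_000    # the "e.g. 100,000 cycles" figure from the slides

class FlashArray:
    """Byte-level model of the array: no SPI framing, just what each instruction does to the cells."""
    def __init__(self, size):
        self.mem = bytearray(b"\xff" * size)   # a new chip is all 1s
        self.wel = False                       # Write Enable Latch
        self.erase_count = {}                  # erase cycles per block (constructed bookkeeping)

    def write_enable(self):                    # instruction 0x06
        self.wel = True

    def page_program(self, addr, data):        # instruction 0x02
        if not self.wel:
            raise PermissionError("Page Program ignored: Write Enable was not sent first")
        if addr % PAGE_SIZE + len(data) > PAGE_SIZE:
            raise ValueError("data must stay inside one page")   # the real chip wraps; simplified here
        for i, b in enumerate(data):
            self.mem[addr + i] &= b            # programming is an AND: bits only go 1 -> 0
        self.wel = False                       # WEL clears after every program/erase

    def block_erase(self, addr):               # instruction 0xD8
        if not self.wel:
            raise PermissionError("Block Erase ignored: Write Enable was not sent first")
        block = addr // BLOCK_SIZE
        if self.erase_count.get(block, 0) >= ERASE_LIMIT:
            raise RuntimeError(f"block {block} has used up its erase cycles")
        start = block * BLOCK_SIZE
        self.mem[start:start + BLOCK_SIZE] = b"\xff" * BLOCK_SIZE   # back to all 1s
        self.erase_count[block] = self.erase_count.get(block, 0) + 1
        self.wel = False

    def read(self, addr, length):              # instruction 0x03
        return bytes(self.mem[addr:addr + length])

def overwrite(flash, addr, data):
    """Store data regardless of current contents: erase the whole block, then program the page."""
    flash.write_enable()
    flash.block_erase(addr)
    flash.write_enable()
    flash.page_program(addr, data)
    return flash.read(addr, len(data))
```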
ITEM 1: hook cable (test hook clip)
ITEM 2: SOIC test clip
Hex -> binary conversion
    # hex2bin.py
    # Turn the hex text captured from the dumper's UART output (firm_dump.log) into a raw image (firmware.bin).
    import sys

    def hex2bin(src="firm_dump.log", dst="firmware.bin"):
        with open(src) as fp:
            hexdata = "".join(fp.read().split())   # drop line breaks and spaces between the hex digits
        with open(dst, "wb") as fp2:
            fp2.write(bytes.fromhex(hexdata))      # raises ValueError on an odd length or a non-hex character

    if __name__ == "__main__":
        hex2bin(*sys.argv[1:3])
Analyzing the router firmware
Structure of embedded Linux: bootloader, OS kernel, root file system
Automated firmware analysis tools
- Binwalk (Firmware Analysis Tool): analyzes the composition of a firmware file. The principle of firmware analysis is a signature search, e.g. squashfs == "hsqs". http://binwalk.org/ (apt-get install binwalk)
- FMK (Firmware Mod Kit): extracts the files inside a firmware image, or builds a new firmware image from modified files. https://code.google.com/p/firmware-mod-kit/
binwalk
    root@ip-172-31-4-170:~/mongii/iptime# binwalk g104_kr_7_60.bin
    DECIMAL     HEX        DESCRIPTION
    ---------------------------------------------------------------------------------------------------------
    65592       0x10038    gzip compressed data, was "i.tmp", from Unix, last modified: Tue Apr 12 07:55:31 2011
    720896      0xB0000    Squashfs filesystem, little endian, version 3.0, size: 1201395 bytes, 243 inodes, blocksize: 65536 bytes, created: Tue Apr 12 07:55:31 2011
    root@ip-172-31-4-170:~/mongii/iptime#
Bootloader analysis
Re-checking the binwalk result (same output as above): the gzip data starting at offset 65592 means that something else sits in front of it.
The start of the firmware
Bootloader analysis
    root@ip-172-31-4-170:~/mongii/iptime# dd if=./g104_kr_7_60.bin of=./bootloader count=65592 bs=1
    65592+0 records in
    65592+0 records out
    65592 bytes (66 kB) copied, 0.07132 s, 920 kB/s
    root@ip-172-31-4-170:~/mongii/iptime#
    root@ip-172-31-4-170:~/mongii/iptime# xxd bootloader
    0000000: d7f0 29e3 01d4 a0e3 dbf0 29e3 dcd1 9fe5  ..).......).....
    0000010: d2f0 29e3 d8d1 9fe5 d841 9fe5 0159 a0e3  ..)......A...Y..
    0000020: 0450 85e0 d081 9fe5 0080 85e5 cc51 9fe5  .P...........Q..
    0000030: 0450 85e0 c881 9fe5 0080 85e5 c451 9fe5  .P...........Q..
    000fff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0010000: 6731 3034 0000 0000 372e 3630 0000 0000  g104....7.60....
    0010010: 5475 6520 4170 7220 3132 2031 363a 3535  Tue Apr 12 16:55
    0010020: 3a33 3120 3230 3131 0a00 0000 0000 0b00  :31 2011........
    0010030: c85f 1c00 b1f0 860e                      ._......
    root@ip-172-31-4-170:~/mongii/iptime#
Bootloader analysis: checking the bootloader in IDA
Kernel analysis
Structure of the kernel. Source: http://bmfrog.tistory.com/m/post/view/id/101
Re-checking the binwalk result: gzip compressed data at 65592 (0x10038), Squashfs filesystem at 720896 (0xB0000).
Extraction
    root@ip-172-31-4-170:~/mongii/iptime# dd skip=65592 if=./g104_kr_7_60.bin of=./i.tmp.gz bs=1
    1859720+0 records in
    1859720+0 records out
    1859720 bytes (1.9 MB) copied, 2.05117 s, 907 kB/s
    root@ip-172-31-4-170:~/mongii/iptime#
    root@ip-172-31-4-170:~/mongii/iptime# file i.tmp.gz
    i.tmp.gz: gzip compressed data, was "i.tmp", from Unix, last modified: Tue Apr 12 07:55:31 2011
    root@ip-172-31-4-170:~/mongii/iptime#
    root@ip-172-31-4-170:~/mongii/iptime# ls -al
    total 3780
    drwxr-xr-x  2 root root    4096 Jun 25 15:11 .
    drwxr-xr-x 26 root root    4096 Jun 25 14:52 ..
    -rw-r--r--  1 root root   65592 Jun 25 15:09 bootloader
    -rw-r--r--  1 root root 1925312 Jun 25 14:47 g104_kr_7_60.bin
    -rw-r--r--  1 root root 1859720 Jun 25 15:11 i.tmp.gz
    root@ip-172-31-4-170:~/mongii/iptime#
-e: extraction
    root@ubuntu:~/iptime_firmware# binwalk --help
    Binwalk v1.0
    Craig Heffner, http://www.devttys0.com

    Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

        -o, --offset=<int>            Start scan at this file offset
        -l, --length=<int>            Number of bytes to scan
        -b, --align=<int>             Set byte alignment [default: 1]
        -m, --magic=<file>            Specify an alternate magic file to use
        -i, --include=<filter>        Include matches that are normally excluded and that have <filter> in their description
        -x, --exclude=<filter>        Exclude matches that have <filter> in their description
        -y, --search=<filter>         Only search for matches that have <filter> in their description
        -g, --grep=<text>             Grep results for the specified text
        -R, --raw-bytes=<string>      Search for a sequence of raw bytes instead of using the default magic signatures
        -f, --file=<file>             Log results to file
        -D, --dd=<type:ext[:cmd]>     Extract entries whose descriptions match <type>, give them file extension <ext>, and execute <cmd>
        -e, --extract=[file]          Automatically extract known file types. Load rules from file, if specified.
        -r, --rm                      Cleanup extracted files and zero-size files
        -d, --delay                   Delay file extraction for files with known footers
        -a, --all                     Include all short signatures
        -I, --show-invalid            Show results marked as invalid
        -A, --opcodes                 Scan for executable code
        -C, --cast                    Cast file contents as various data types
        -k, --keep-going              Show all matching results at a given offset, not just the first one
        -q, --quiet                   Supress output to stdout
        -v, --verbose                 Be verbose (specify twice for very verbose)
        -u, --update                  Update magic signature files
        -h, --help                    Show help output
    root@ubuntu:~/iptime_firmware#
Analyzing i.tmp.gz. Reference for the gzip file format: http://andromedarabbit.net/project/zip/gzipfileformat.html
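As an added example (not from the slides, and not binwalk's own code), the Python below reproduces the signature-search principle on a constructed image laid out like g104_kr_7_60.bin: it finds the gzip and Squashfs magic bytes, parses the gzip header fields that yield the was "i.tmp" name and timestamp seen in the binwalk and file output, and carves the regions that the dd skip=/count= commands cut by hand. The sample image, its 64-byte bootloader stub and the embedded mtime are constructed for this example.

```python
import gzip, io, struct, time

SIGNATURES = [                                  # magic bytes of the two types binwalk reported
    (b"\x1f\x8b\x08", "gzip compressed data"),
    (b"hsqs", "Squashfs filesystem, little endian"),
    (b"sqsh", "Squashfs filesystem, big endian"),
]

def gzip_header_info(buf):
    """Parse the RFC 1952 header (ID1 ID2 CM FLG MTIME XFL OS) plus the optional FNAME field."""
    if buf[:3] != b"\x1f\x8b\x08":
        return None
    flg, mtime = buf[3], struct.unpack("<I", buf[4:8])[0]
    pos, name = 10, None
    if flg & 0x04:                              # FEXTRA: 2-byte length followed by the payload
        pos += 2 + struct.unpack("<H", buf[pos:pos + 2])[0]
    if flg & 0x08:                              # FNAME: original file name, zero-terminated
        end = buf.index(b"\x00", pos)
        name = buf[pos:end].decode("latin-1")
    return {"name": name, "mtime": mtime}

def scan(image):
    """Return sorted (offset, description) hits: the DECIMAL and DESCRIPTION columns of binwalk."""
    hits = []
    for magic, desc in SIGNATURES:
        off = image.find(magic)
        while off != -1:
            text = desc
            if magic[0] == 0x1F:                # enrich gzip hits from their header, as binwalk does
                info = gzip_header_info(image[off:off + 512])
                stamp = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(info["mtime"]))
                text = f'{desc}, was "{info["name"]}", last modified: {stamp}'
            hits.append((off, text))
            off = image.find(magic, off + 1)
    return sorted(hits)

def carve(image, hits):
    """Split the image at every signature offset, which is what the dd skip=/count= commands do."""
    bounds = [0] + [off for off, _ in hits] + [len(image)]
    return [image[a:b] for a, b in zip(bounds, bounds[1:])]

def build_sample_image():
    """Constructed stand-in for g104_kr_7_60.bin: bootloader stub, gzip member named i.tmp, Squashfs magic."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="i.tmp", mode="wb", fileobj=buf, mtime=1302594931) as gz:
        gz.write(b"zImage+initrd placeholder " * 8)      # 1302594931 = Tue Apr 12 07:55:31 2011 UTC
    bootloader = b"\xd7\xf0\x29\xe3" + b"\x00" * 60     # 64 bytes; not real bootloader code
    rootfs = b"hsqs" + b"\x00" * 60                      # superblock magic only, no real file system
    return bootloader + buf.getvalue() + rootfs
```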
gzip -d i.tmp.gz, then analyze i.tmp
Checking strings: we can see that gzip decompression code is included (misc.c)
Removing the values presumed to be a header
Checking in IDA: the piggy.gz decompression code
Structure of i.tmp
    root@ip-172-31-4-170:~/mongii/iptime# binwalk i.tmp
    DECIMAL     HEX        DESCRIPTION
    ---------------------------------------------------------------------------------------------------------
    11936       0x2EA0     gzip compressed data, from Unix, last modified: Thu Apr 15 01:49:36 2010, max compression
    655664      0xA0130    gzip compressed data, was "initrd", from Unix, last modified: Tue Apr 12 07:55:27 2011, max compression
    root@ip-172-31-4-170:~/mongii/iptime#
Structure of i.tmp: the image file used by IPTIME's bootloader; it contains the kernel and the initrd.
Extracting the root file system files
Initrd extraction
    binwalk -e i.tmp
    # file initrd
    initrd: Linux rev 1.0 ext2 filesystem data (mounted or unclean), UUID=fbc0cc35-5c72-4ef0-bc05-5d6b9bdc8e50
    mkdir FILE_SYSTEM
    mount initrd ./file_system
Initrd extraction
    root@ip-172-31-4-170:~/mongii/iptime# cd FILE_SYSTEM/
    root@ip-172-31-4-170:~/mongii/iptime/file_system# ls -al
    total 26
    drwxr-xr-x 12 root root  1024 Apr 12  2011 .
    drwxr-xr-x  3 root root  4096 Jun 25 15:22 ..
    lrwxrwxrwx  1 root root    11 Apr 12  2011 bin -> /cramfs/bin
    drwxr-xr-x  2  510  504  1024 Apr 12  2011 cramfs
    drwxr-xr-x  3  510  504  1024 Apr 12  2011 dev
    drwxr-xr-x  5  510  504  1024 Apr 12  2011 etc
    drwxr-xr-x  3  510  504  1024 Apr 12  2011 home
    lrwxrwxrwx  1 root root    11 Apr 12  2011 lib -> /cramfs/lib
    drwx------  2 root root 12288 Apr 12  2011 lost+found
    lrwxrwxrwx  1 root root    13 Apr 12  2011 ndbin -> /cramfs/ndbin
    drwxr-xr-x  2  510  504  1024 Apr 12  2011 proc
    drwxr-xr-x  2  510  504  1024 Apr 12  2011 save
    lrwxrwxrwx  1 root root    12 Apr 12  2011 sbin -> /cramfs/sbin
    drwxr-xr-x  2  510  504  1024 Apr 12  2011 tmp
    drwxr-xr-x  2  510  504  1024 Apr 12  2011 upgrade-bin
    lrwxrwxrwx  1 root root    11 Apr 12  2011 usr -> /cramfs/usr
    drwxr-xr-x  5  510  504  1024 Apr 12  2011 var
    root@ip-172-31-4-170:~/mongii/iptime/file_system#
Re-checking the binwalk result: gzip compressed data at 65592 (0x10038), Squashfs filesystem at 720896 (0xB0000).
Extraction
    root@ip-172-31-4-170:~/mongii/iptime# dd skip=720896 if=./g104_kr_7_60.bin of=./rfs.bin bs=1
    1204416+0 records in
    1204416+0 records out
    1204416 bytes (1.2 MB) copied, 1.33462 s, 902 kB/s
    root@ip-172-31-4-170:~/mongii/iptime#
    root@ubuntu:~/iptime_firmware# file RFS.bin
    RFS.bin: Squashfs filesystem, little endian, version 3.0, 1201395 bytes, 243 inodes, blocksize: 65536 bytes, created: Tue Apr 12 07:55:31 2011
    root@ubuntu:~/iptime_firmware#
    root@ubuntu:~/iptime_firmware# ls -al RFS.bin
    -rw-r--r-- 1 root root 1204416 Jun 25 15:24 RFS.bin
    root@ubuntu:~/iptime_firmware#
Firmware-mod-kit: https://storage.googleapis.com/google-code-archivedownloads/v2/code.google.com/firmware-mod-kit/fmk_099.tar.gz
FMK installation
    # apt-get install git build-essential zlib1g-dev liblzma-dev python-magic
    tar xvfz fmk_099.tar.gz
    cd fmk/src
    ./configure
    make
    cd ..
Squashfs extraction (RFS.bin is the B0000.squashfs region carved above)
    root@ip-172-31-4-170:~/mongii/fmk/fmk# ./unsquashfs_all.sh RFS.bin
    Attempting to extract SquashFS.X file system...
    Trying ./src/squashfs-2.1-r2/unsquashfs-lzma...
    Trying ./src/squashfs-2.1-r2/unsquashfs...
    Trying ./src/squashfs-3.0/unsquashfs-lzma...
    created 173 files
    created 17 directories
    created 53 symlinks
    created 0 devices
    created 0 fifos
    File system sucessfully extracted!
    MKFS="./src/squashfs-3.0/mksquashfs-lzma"
    root@ip-172-31-4-170:~/mongii/fmk/fmk#
File system extraction result
    root@ip-172-31-4-170:~/mongii/fmk/fmk# cd squashfs-root/
    root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root# ls -al
    total 40
    drwxr-xr-x 10 root   root   4096 Apr 12  2011 .
    drwxrwxr-x  5 ubuntu ubuntu 4096 Jun 25 15:28 ..
    drwxr-xr-x  3  510    504   4096 Apr 12  2011 bin
    drwxr-xr-x  2  510    504   4096 Apr 12  2011 help
    drwxr-xr-x  2 root   root   4096 Apr 12  2011 images2
    drwxr-xr-x  2  510    504   4096 Apr 12  2011 js
    drwxr-xr-x  3  510    504   4096 Apr 12  2011 lib
    drwxr-xr-x  2  510    504   4096 Apr 12  2011 ndbin
    drwxr-xr-x  2  510    504   4096 Apr 12  2011 sbin
    drwxr-xr-x  4  510    504   4096 Apr 12  2011 usr
    root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root#
Structure of the IPTIME firmware
- Boot loader: decompresses and references the boot image
- i.tmp.gz: kernel (zImage) + initrd (ext2)
- Squashfs: mounted at /cramfs/
- The initrd plus the Squashfs mounted at /cramfs/ form the root file system
File system restoration
- Mount the initrd: mount initrd FILE_SYSTEM
- Extract the Squashfs files: unsquashfs_all.sh B0000.squashfs
- Merge the two:
    mkdir ALL_FILE_SYSTEM
    cd ALL_FILE_SYSTEM
    cp XXX/FILE_SYSTEM/* . -Rfpd
    cp YYY/squashfs-root/* ./cramfs/ -Rfpd
Running with QEMU
    root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root/bin# qemu-arm -L ../ ./busybox
    BusyBox v0.60.4 (2011.04.12-07:54+0000) multi-call binary

    Usage: busybox [function] [arguments]...
       or: [function] [arguments]...

    BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use, and BusyBox will act like whatever it was invoked as.

    Currently defined functions:
    busybox, cat, chmod, cp, df, echo, gunzip, gzip, ifconfig, insmod, kill, lash, ln, ls, lsmod, mkdir, mknod, mount, mv, ps, reboot, rm, rmmod, route, sh, sync, umount, zcat
    root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root/bin#
Running with QEMU
    root@ubuntu:~/iptime_firmware/squashfs-root/bin# qemu-arm -L ../ ./busybox ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:9A:54:2E
              inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:469580 errors:0 dropped:0 overruns:0 frame:0
              TX packets:529023 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:82662221 (78.8 MiB)  TX bytes:170072676 (162.1 MiB)
              Interrupt:19 Base address:0x2000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    root@ubuntu:~/iptime_firmware/squashfs-root/bin#
Running with QEMU
    root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root/bin# qemu-arm -L ../ ./timepro.cgi
    Content-type: text/html; charset=euc-kr

    <html>
    <script>
    if( ipstr == '151.35583.255.199') { return document.getelementsbyname(ip+4)[0]; } return 0; }
    </script>
    <head><title> </title> <style></style></head>
    </html>
    root@ip-172-31-4-170:~/mongii/fmk/fmk/squashfs-root/bin#
Virtual IPTIME system
    cd <path of the assembled IPTIME file system>
    # find . | cpio -o --format=newc > ../rootfs.img
    gzip -c ../rootfs.img > rootfs.img.gz
zimage: the zImage file built in the earlier lab (the zImage extracted from the IPTIME firmware is not board-compatible)
    qemu-system-arm -M versatilepb -m 128M -kernel zimage -initrd rootfs.img.gz -append "root=/dev/ram rdinit=/bin/sh console=ttyama0,115200" -nographic
    mount -t proc /proc /proc
    ps -aux
Virtual IPTIME system
    Uncompressing Linux... done, booting the kernel.
    Booting Linux on physical CPU 0x0
    Linux version 4.1.6 (root@ubuntu) (gcc version 4.4.1 (Sourcery G++ Lite 2009q3-67) ) #1 Thu Aug 20 17:46:08 KST 2015
    CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00093177
    CPU: VIVT data cache, VIVT instruction cache
    Machine: ARM-Versatile PB
    Memory policy: Data cache writeback
    sched_clock: 32 bits at 24MHz, resolution 41ns, wraps every 89478484971ns
    Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
    Kernel command line: root=/dev/ram rdinit=/bin/sh console=ttyama0,115200
    PID hash table entries: 512 (order: -1, 2048 bytes)
    Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
    Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
    Memory: 121596K/131072K available (3209K kernel code, 139K rwdata, 796K rodata, 120K init, 119K bss, 9476K reserved, 0K cma-reserved)
    Virtual kernel memory layout:
        vector  : 0xffff0000 - 0xffff1000   (   4 kB)
        fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
        vmalloc : 0xc8800000 - 0xff000000   ( 872 MB)
        lowmem  : 0xc0000000 - 0xc8000000   ( 128 MB)
        modules : 0xbf000000 - 0xc0000000   (  16 MB)
          .text : 0xc0008000 - 0xc03f1944   (4007 kB)
          .init : 0xc03f2000 - 0xc0410000   ( 120 kB)
          .data : 0xc0410000 - 0xc0432e00   ( 140 kB)
           .bss : 0xc0432e00 - 0xc0450d04   ( 120 kB)
    NR_IRQS:224 ...
    BusyBox v0.60.4 (2015.08.11-09:18+0000) Built-in shell (lash)
    Enter 'help' for a list of built-in commands.

    input: AT Raw Set 2 keyboard as /devices/fpga:06/serio0/input/input0
    / # input: ImExPS/2 Generic Explorer Mouse as /devices/fpga:07/serio1/input/input2
    / #
Enabling the network
    root@grayhash:~/all_file_system# qemu-system-arm -M versatilepb -m 128M -kernel zimage -initrd rootfs.img.gz -append "root=/dev/ram rdinit=/bin/sh console=ttyama0,115200" -nographic -redir tcp:8080::80
    / #
    / # busybox ifconfig eth0 10.0.2.15 netmask 255.255.255.0
    smc91x smc91x.0 eth0: link up
    / # busybox route add default gw 10.0.2.2
    / #
    / # cd /sbin
    /cramfs/sbin # ./httpd
    /cramfs/sbin #
Accessing the admin page
Conclusion
- Through a flash memory dump we can extract the firmware inside an embedded device and analyze its binaries for vulnerabilities.
- Flash memory is, in the end, just one of the peripherals a developer works with, so we can handle it however we like.
Thank you.