I.MX MEMORY MADNESS
HOW TO DUMP, PARSE, AND ANALYZE I.MX FLASH MEMORY CHIPS
Damien Cauquil | HITB Amsterdam 2019 (🎂🎉)

WHO AM I ?
Head of R&D @ Econocom Digital.Security
Senior security researcher
Hardware hacker (or at least pretending)

AGENDA
Firmware extraction 101
Meet the i.MX architecture
i.MX flash memory layout
imx-nand-tools FTW
Best practices

FIRMWARE EXTRACTION 101

WHY DO WE WANT TO EXTRACT A DEVICE'S FIRMWARE ?
Contains filesystems, applications, binary files
May also contain VERY interesting data: encryption/decryption keys, certificates, passwords
We need to understand everything about a device:
How it has been designed
How it (really) works
Where and how every bit of data is stored

METHOD #1: CLIPPING & READING

METHOD #2: CHIP-OFF

PROFESSIONAL FLASH PROGRAMMER

NAND DUMP SIZE
Dump file is greater than 1 GB !
    $ ls -alh camera.bin
    -rwx------ 1 virtualabs virtualabs 1,1G camera.bin

PAGES, BYTES AND OOB
Bytes are stored, erased, and modified in pages
NAND flash chips are not 100% reliable and errors when storing bits may occur
To avoid this, vendors usually provide more space to store Error Correction Codes (ECC) in spare-byte area (OOB)
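
REMOVING THE OOB DATA
    import sys

    PAGE, OOB = 4096, 224   # page data size and spare (OOB) size, in bytes
    BLOCK = PAGE + OOB      # raw size of one page as stored in the dump

    # Read the raw dump, in which page data and OOB bytes are interleaved
    with open(sys.argv[1], 'rb') as f:
        orig_dump = f.read()

    nblocks = len(orig_dump) // BLOCK
    with open(sys.argv[2], 'wb') as out_dump:
        for i in range(nblocks):
            # Keep the PAGE data bytes of each raw page and drop its OOB bytes
            out_dump.write(orig_dump[i*BLOCK:i*BLOCK + PAGE])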

CHECKING OUR DUMP WITH BINWALK
    $ binwalk ipcam.fw.bin
    DECIMAL       HEXADECIMAL     DESCRIPTION
    -----------------------------------------------------------
    96188         0x177BC         CRC32 polynomial table, [...]
    [...]
    2490368       0x260000        Squashfs filesystem, [...]
    4456448       0x440000        Squashfs filesystem, [...]
    5505024       0x540000        Squashfs filesystem, [...]
    6684672       0x660000        Squashfs filesystem, [...]
    7208960       0x6E0000        JFFS2 filesystem, little endian
    7643512       0x74A178        JFFS2 filesystem, little endian

EXTRACTING FILES FROM VARIOUS FILESYSTEMS
SquashFS: compressed filesystem, one partition/image
YAFFS2: Yet Another Flash FS
JFFS2: Journalized Flash FS version 2, one partition/image
UBI: Unsorted Block Image, multiple partitions with various FS

IT'S A DOCUMENTED PROCESS
PenTestPartners just published a blog entry:
http://bit.ly/HITB-PTPFW

AND WE STUMBLED UPON AN I.MX6 SYSTEM

HEX ANALYSIS REVEALED WEIRD BYTES

A CRAPPY BYTE BEFORE UBI SIGNATURE

SAME 1-BYTE OFFSET IN BINWALK OUTPUT
UBI header is not aligned on page size (0x1000)

THAT'S WEIRD 😕
Quick investigation revealed anomalies
Our dump seems OK, but we still cannot extract data from it
It must be related to i.MX: maybe a custom storage mechanism

I.MX ARCHITECTURE AND MEMORY LAYOUT

I.MX ARCHITECTURE
Integrated Multimedia Application processors
Popular in automotive and home automation industries
Provides a lot of features including:
Secure/non-secure RAM
SATA II support
Secure Boot
...
Can boot on various storage devices:
NAND Flash
Parallel NOR Flash
SD card
MMC
SATA HDD
It also embeds a boot ROM (Freescale Inc.)

GENERAL-PURPOSE MULTIMEDIA INTERFACE
controls how data is read/stored on NAND flash chips
supports multiple NAND flash chips
uses BCH to perform error control and correction

NAND FLASH STRUCTURE
(image extracted from i.MX28 reference manual)

HOW IS DATA STORED ?
Data is split in 512-byte chunks
ECC bits are added at the end of each chunk
Chunks are then grouped and stored in a page preceded by one metadata block
Bad block marker byte is swapped with first metadata byte !

WEIRD BYTE EXPLAINED !

FIRMWARE CONFIGURATION BLOCK (FCB)
This structure contains all the required information about how data is stored
It must be present in the first 1MB
Second field of this structure contains "FCB " in ASCII

FCB SIGNATURE IN HEXDUMP

FIRMWARE CONFIGURATION BLOCK (FCB)
NAND page data size
Block N ECC type
Block N size
Block 0 ECC type
Block 0 size
Number of bytes in metadata of a page
...

FCB SIGNATURE IN HEXDUMP
Offset +0x3C: number of bytes of metadata block

1-BYTE OFFSET EXPLAINED !

DISCOVERED BAD BLOCK TABLE (DBBT)
Provides custom NAND bad block management
Its headers provide information about the number of bad blocks and impacted pages

ECC
(image extracted from i.MX28 reference manual)
Provides a way to dynamically fix errors, if possible
Uses BCH (Bose, Ray-Chaudhuri and Hocquenghem) error-correcting code
Data bytes may be shifted by a number of bits due to BCH bits

SO, WHAT'S NEXT ?

FROM NAND FLASH DUMP TO FILESYSTEMS

RECOVER AND REMAP ALL THE BYTES
We first find an FCB structure and parse it to recover all the critical parameters
Then we remove all metadata and ECC bits according to this FCB
We use ECC bits to fix errors and save each block in an output file
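The procedure above, applied to one raw page, as an added example (not from the slides and not imx-nand-tools code): locate the FCB by its "FCB " signature, read the layout fields, swap the bad block marker back, and pull the data chunks out at their bit offsets, without BCH error correction. Only the +0x3C offset comes from the slides; the other field offsets, the ECC-bit formula (2 x ECC type x 13), the LSB-first bit order and the helper names are assumptions based on the mx28 FCB in U-Boot's mxsboot.c, and the sample dump is constructed.

```python
import struct

FCB_SIGNATURE = b"FCB "
SEARCH_LIMIT = 1024 * 1024  # the FCB must be present in the first 1 MB
# Offsets from the start of the FCB. +0x3C is the one on the slides; the
# rest are ASSUMED from struct mx28_nand_fcb in U-Boot's tools/mxsboot.c.
FCB_FIELDS = {
    "page_data_size": 0x14, "total_page_size": 0x18,
    "ecc_block_n_ecc_type": 0x2C, "ecc_block_0_size": 0x30,
    "ecc_block_n_size": 0x34, "ecc_block_0_ecc_type": 0x38,
    "metadata_bytes": 0x3C, "num_ecc_blocks_per_page": 0x40,
}
GF_LEN = 13  # ASSUMPTION: 13 parity bits per bit of BCH strength


def find_fcb(dump):
    """Offset of the first FCB in the first 1 MB of the dump, or None."""
    pos = dump.find(FCB_SIGNATURE, 4, SEARCH_LIMIT)
    # "FCB " is the second field; ASSUMED: a 4-byte first field precedes it.
    return None if pos < 0 else pos - 4


def parse_fcb(dump, off):
    """Read the little-endian 32-bit layout fields of the FCB at `off`."""
    return {name: struct.unpack_from("<I", dump, off + rel)[0]
            for name, rel in FCB_FIELDS.items()}


def extract_bits(buf, bit_off, nbytes):
    """Return nbytes taken bit_off bits into buf (ASSUMED LSB-first order)."""
    if bit_off + 8 * nbytes > 8 * len(buf):
        raise ValueError("raw page is shorter than the FCB layout requires")
    first, shift = divmod(bit_off, 8)
    window = int.from_bytes(buf[first:first + nbytes + 1], "little") >> shift
    return (window & ((1 << (8 * nbytes)) - 1)).to_bytes(nbytes, "little")


def strip_page(raw_page, fcb):
    """Undo the GPMI layout of one raw page (data + OOB). No BCH correction."""
    page, marker = bytearray(raw_page), fcb["page_data_size"]
    n = fcb["num_ecc_blocks_per_page"]  # ASSUMED not to count block 0
    size0, size_n = fcb["ecc_block_0_size"], fcb["ecc_block_n_size"]
    # Reject a corrupt FCB or truncated page before trusting its geometry.
    if size_n == 0 or size0 + n * size_n != marker or len(page) <= marker:
        raise ValueError("FCB geometry does not fit this page")
    # The bad block marker (first OOB byte) was swapped with metadata byte 0.
    page[0], page[marker] = page[marker], page[0]
    blocks = [(size0, fcb["ecc_block_0_ecc_type"])]
    blocks += [(size_n, fcb["ecc_block_n_ecc_type"])] * n
    bit_off = fcb["metadata_bytes"] * 8  # data starts after the metadata
    out = bytearray()
    for size, ecc_type in blocks:
        out += extract_bits(page, bit_off, size)
        # Skip the chunk and its ECC bits (ASSUMED strength = 2 * ecc_type).
        bit_off += size * 8 + 2 * ecc_type * GF_LEN
    return bytes(out)


def recover_page(dump, page_index):
    """Find and parse the FCB, then return the clean data of one raw page."""
    off = find_fcb(dump)
    if off is None:
        raise ValueError("no FCB signature in the first 1 MB")
    fcb = parse_fcb(dump, off)
    start = page_index * fcb["total_page_size"]
    return strip_page(dump[start:start + fcb["total_page_size"]], fcb)


def build_sample(payload):
    """CONSTRUCTED input: one FCB page followed by one GPMI-laid-out page."""
    values = dict(zip(FCB_FIELDS, (2048, 2112, 3, 512, 512, 3, 10, 3)))
    fcb_page = bytearray(2112)
    fcb_page[16:20] = FCB_SIGNATURE  # the sample FCB starts at offset 12
    for name, rel in FCB_FIELDS.items():
        struct.pack_into("<I", fcb_page, 12 + rel, values[name])
    bits, nbits = (1 << 80) - 1, 80  # 10 metadata bytes, all 0xFF
    for i in range(4):
        chunk = payload[i * 512:(i + 1) * 512]
        bits |= int.from_bytes(chunk, "little") << nbits
        bits |= ((1 << 78) - 1) << (nbits + 4096)  # 78 dummy ECC bits
        nbits += 4096 + 78
    page = bytearray(bits.to_bytes(2112, "little"))
    page[0], page[2048] = page[2048], page[0]  # bad block marker swap
    return bytes(fcb_page) + bytes(page)


if __name__ == "__main__":
    payload = (b"UBI#" + bytes(range(256)) * 8)[:2048]  # constructed data
    dump = build_sample(payload)
    print(parse_fcb(dump, find_fcb(dump)), recover_page(dump, 1) == payload)
```

In the constructed page only the first chunk is byte-aligned; every later chunk starts 78 bits further along, which is why cutting a fixed number of OOB bytes off each page does not give usable data.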

IMX NAND TOOLS
$ sudo pip install imx-nand-tools
https://github.com/DigitalSecurity/imx-nand-tools/

FCB PARSING

CONVERTING IMAGE TO USEABLE DUMP

ANALYZING THIS NEW DUMP

UBI OVERVIEW

UBIREADER
Provides a set of tools to parse, analyze and extract volumes and files from a UBI container
Open-source and available on Github
Written in Python
Does not support fastboot mode

ACCESSING FILES STORED IN VARIOUS IMAGES
    $ ubireader_extract_files -iw img-xx_vol-iio_0633_0.ubifs
    [...]
    $ ls ubifs-root/ -al
    total 76
    drwxr-xr-x 19 virtualabs virtualabs 4096 mai 9 09:40 .
    drwxr-xr-x 3 virtualabs virtualabs 4096 mai 9 09:40 ..
    drwxr-xr-x 2 virtualabs virtualabs 4096 mai 9 09:40 bin
    drwxr-xr-x 2 virtualabs virtualabs 4096 mai 9 09:40 boot
    drwxr-xr-x 5 virtualabs virtualabs 4096 mai 9 09:40 Data
    [...]
    drwxr-xr-x 2 virtualabs virtualabs 4096 mai 9 09:40 tmp
    drwxr-xr-x 7 virtualabs virtualabs 4096 mai 9 09:40 usr
    drwxr-xr-x 2 virtualabs virtualabs 4096 mai 9 09:40 var

THAT'S A WIN

SECURITY THROUGH OBSCURITY
(Image: XKCD #257)

NOT SO OBSCURE AFTER ALL
Reference manuals describe how i.MX GPMI works and how data is read/stored on NAND flash memory
Publicly available code on Github provides a better understanding of critical structures and how things are implemented

IMX KNOBS GITHUB REPOSITORY

IMX UBOOT GITHUB REPOSITORY

Y U NO ENCRYPT ?
i.MX systems support NAND flash encryption
Most of the systems we have tested so far do not use encryption (what did you expect ?)

KNOWN VARIANTS
Some i.MX dumps we made seemed to use a different ECC mechanism
Various GPMI drivers mention different versions of Freescale ROM and variants of FCB structure
The current version of imx-nand-tools worked for all of our dumps but may fail with yours, so ...

INSTALL, TEST, AND CONTRIBUTE !

CONCLUSION
i.MX system uses a custom NAND flash layout
This layout is documented in various documents and publicly available code
imx-nand-tools provides a set of tools to handle this layout and convert dumps into useable images
i.MX systems should use NAND flash encryption feature to avoid key/password/IP leaks

THANKS FOR ATTENDING, ANY QUESTION ?
Contact: @virtualabs

RELATED LINKS
PTP firmware extraction tips & tricks: https://www.pentestpartners.com/security-blog/howfirmware-analysis-tools-tips-and-tricks/
IMX28 Reference manual: https://bootlin.com/~maxime/pub/datasheet/MCIMX2
UBOOT NAND utility: https://github.com/u-boot/u-boot/blob/master/tools/mxsboot.c
Freescale Linux driver: https://github.com/Freescale/ fslc/tree/4.1-2.0.x-imx/drivers/mtd/nand/gpmi-nand