Hardware Security Series | ARM Cortex-M4 Firmware Reverse Engineering

Hello everyone, I am KEVIN2600 from the Silver Base Tiger-Team. Today I want to share an interesting case of how to use Ghidra for reverse engineering ARM firmware. I hope this article can provide you with more understanding of embedded system firmware reverse engineering.
Ghidra is a powerful and open-source reverse engineering tool released by the NSA. Users can analyze compiled code on various platforms. Its features include disassembly, assembly, decompilation, graphing, and scripting. Ghidra supports multiple processor instruction sets and executable formats, and can run in both interactive and automated modes. Users can also develop their own Ghidra plugins and scripts using the public API.
Let’s warm up with a simple CTF question: just enter the correct password to get the flag.
Using the file command, we can see it’s in ELF format and not stripped, which is very beneficial for our reverse engineering work.
We can import it into Ghidra and use Ghidra’s decompilation feature to convert it into more understandable code.
Of course, we can also optimize the decompiled code slightly for better readability.
By analyzing the code, we can easily find that the correct password is a string of length 10 whose 5th character is “@”. Entering such a password verifies the analysis and yields the flag.
After warming up, we step into the main goal of this session, Bare-Metal firmware analysis. First, we need to understand what Bare-Metal is. In simple terms, it refers to embedded products that run directly on hardware without an OS. This type of product covers various aspects of our lives, especially prominent in the field of IoT smart devices, such as smart wristbands or hardware wallets.
Currently, there are dozens of mainstream microprocessor architectures, among which the ARM series is one of the most common. In fact, 90% of mobile phone processors use the ARM architecture. The ARM family has many sub-architectures and, based on different application scenarios, is divided into three profiles: Cortex A, Cortex M, and Cortex R.
The A in Cortex A stands for Application; these are the high-performance flagship products, and almost all mobile phones and tablets use this architecture. The R in Cortex R stands for RTOS (real-time operating system); these parts are commonly found in automotive applications such as airbags and engine systems. Finally, the M in Cortex M stands for MCU; this is a 32-bit processor characterized by high performance and low power consumption. The representative product of this series is ST’s STM32 series.
To reverse engineer the firmware of a certain chip, one needs to understand its architectural characteristics. Although the FLASH, RAM, and pin definitions of each chip vary, the overall architecture is the same. Typically, we can find the Datasheet on the manufacturer’s official website, for example, the STM32F446 chip series, which is also an ARM architecture.
In the Datasheet, we can find the pin definition diagram of the STM32F446, which helps us understand the position and function of each pin. In hardware CTF competitions, this is extremely important information.
Similarly, the memory mapping diagram can provide the firmware loading position and the memory address range of each peripheral.
First, the FLASH memory range is 0x08000000-0x081FFFFF, which tells us the correct load address for the firmware. Next, SRAM starts at 0x20000000; this is where the parts of the program that change at run time will reside. Finally, the peripheral registers start at 0x40000000.
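A quick way to confirm a load address before importing a raw image is to read its Cortex-M vector table: word 0 is the initial stack pointer and must point into SRAM, and every handler must be a Thumb address inside the loaded image. The following is an added example, not code from the original article; it goes slightly beyond the text by checking the first 16 ARMv7-M vectors, and the sample image and function names are constructed for illustration.

```python
import struct

FLASH_BASE, FLASH_END = 0x08000000, 0x081FFFFF  # flash range from the memory map above
SRAM_BASE, SRAM_END = 0x20000000, 0x3FFFFFFF    # ARMv7-M SRAM region (assumed upper bound)

# First 16 vector-table slots on ARMv7-M; None marks reserved words.
NAMES = ["initial_sp", "Reset", "NMI", "HardFault", "MemManage", "BusFault",
         "UsageFault", None, None, None, None, "SVCall", "DebugMon", None,
         "PendSV", "SysTick"]

def check_load_address(image, base=FLASH_BASE):
    """Return (vectors, problems) for a raw image assumed to be loaded at `base`."""
    if len(image) < 4 * len(NAMES):
        raise ValueError("image too short to hold a vector table")
    words = struct.unpack_from("<16I", image, 0)
    vectors = {n: w for n, w in zip(NAMES, words) if n}
    problems = []
    sp = vectors["initial_sp"]
    if not (SRAM_BASE <= sp <= SRAM_END) or sp % 4:
        problems.append("initial_sp 0x%08x is not a word-aligned SRAM address" % sp)
    for name, value in vectors.items():
        if name == "initial_sp" or value == 0:   # unused handlers may be 0
            continue
        if not value & 1:
            problems.append("%s 0x%08x lacks the Thumb bit" % (name, value))
        target = value & ~1
        if not (base <= target < base + len(image)):
            problems.append("%s 0x%08x points outside the loaded image" % (name, value))
    return vectors, problems

def make_sample(base):
    """Constructed 1 KiB image: SP in SRAM, all handlers inside the image."""
    table = [SRAM_BASE + 0x20000, base + 0x1C1] + [base + 0x201] * 5 + [0] * 4
    table += [base + 0x201, base + 0x201, 0, base + 0x201, base + 0x201]
    return struct.pack("<16I", *table).ljust(1024, b"\xff")

if __name__ == "__main__":
    img = make_sample(FLASH_BASE)
    for guess in (FLASH_BASE, 0x00000000):
        print(hex(guess), check_load_address(img, guess)[1] or "consistent")
```

A wrong base shows up immediately as handlers that point outside the image, which is the same symptom Ghidra exhibits as unresolved references after a bad import.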
We can also learn the addresses and functions of various registers from the datasheet.
When reverse engineering Bare-Metal firmware, we need to spend a lot of time annotating the memory-mapped peripherals to understand how the code interacts with the chip’s functions, but manually creating these peripheral mapping tables is a daunting task. Reading the datasheet and creating all the different memory region structures and memory registers takes a long time. To address this, major chip manufacturers provide a CMSIS System View Description (CMSIS-SVD), which describes the system contained in a microcontroller, in particular the memory-mapped register tables of its peripherals.
German hacker Thomas Roth released an automated Ghidra script called SVD-Loader, which parses SVD files to automatically generate complete peripheral structures and memory mapping tables for over 650 different microcontrollers. SVD-Loader can automatically annotate all peripherals of the controller, greatly simplifying the reverse engineering of ARM firmware. As shown in the figure below, after running SVD-Loader, a raw reference such as _DAT_40000200 automatically becomes a structure that is easy to read and write.
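To make the idea concrete, here is an added example (not SVD-Loader's own code and not from the original article) that parses a CMSIS-SVD document and resolves a raw address, of the kind Ghidra shows as `_DAT_xxxxxxxx`, to a `PERIPHERAL.REGISTER` name. The SVD fragment is constructed and heavily trimmed, the function names are hypothetical, and `derivedFrom` peripherals are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed SVD fragment for illustration (not a vendor file).
SAMPLE_SVD = """<device>
  <name>EXAMPLE_MCU</name>
  <peripherals>
    <peripheral>
      <name>GPIOC</name>
      <baseAddress>0x40020800</baseAddress>
      <addressBlock><offset>0x0</offset><size>0x400</size><usage>registers</usage></addressBlock>
      <registers>
        <register><name>MODER</name><addressOffset>0x0</addressOffset><size>0x20</size></register>
        <register><name>IDR</name><addressOffset>0x10</addressOffset><size>0x20</size></register>
        <register><name>ODR</name><addressOffset>0x14</addressOffset><size>0x20</size></register>
      </registers>
    </peripheral>
  </peripherals>
</device>"""

def load_peripherals(svd_text):
    """Return [(name, start, end, {abs_addr: (reg_name, size_bytes)})] from SVD XML."""
    out = []
    for p in ET.fromstring(svd_text).iter("peripheral"):
        block = p.find("addressBlock")
        if block is None:          # e.g. derivedFrom peripherals; skipped in this sketch
            continue
        base = int(p.findtext("baseAddress"), 0)
        start = base + int(block.findtext("offset"), 0)
        end = start + int(block.findtext("size"), 0) - 1
        regs = {}
        for r in p.iter("register"):
            size = int(r.findtext("size", "32"), 0) // 8   # SVD sizes are in bits
            regs[base + int(r.findtext("addressOffset"), 0)] = (r.findtext("name"), size)
        out.append((p.findtext("name"), start, end, regs))
    return out

def annotate(addr, peripherals):
    """Map a raw address to PERIPHERAL.REGISTER, or PERIPHERAL+offset if unnamed."""
    for name, start, end, regs in peripherals:
        if start <= addr <= end:
            for reg_addr, (reg, size) in regs.items():
                if reg_addr <= addr < reg_addr + size:
                    return "%s.%s" % (name, reg)
            return "%s+0x%x" % (name, addr - start)
    return None   # not a memory-mapped peripheral known to this SVD

if __name__ == "__main__":
    table = load_peripherals(SAMPLE_SVD)
    for a in (0x40020810, 0x40020804, 0x20000000):
        print("0x%08x -> %s" % (a, annotate(a, table)))
```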
Here we use ST’s Nucleo-64 development board to solve a hardware CTF question provided by Thomas Roth, to experience the power of the SVD-Loader script. This development board uses the ARM Cortex M4 Core, with 512Kb of Flash memory and 128Kb of SRAM.
This hardware CTF question indicates that we need to press the button while entering the correct electronic signal to get the flag. Therefore, the correct signal input method can only be learned from reverse engineering the firmware.
First, we import the target firmware into Ghidra and input the Flash and RAM addresses according to the datasheet.
After a successful import, we can confirm in the Memory Map that the address information is correct.
Once everything is ready, we can click to analyze the firmware. After the analysis is complete, we can find the decompiled target code segment based on defined strings.
Of course, at this point we still have to refer to the Datasheet to understand what the code actually does.
So we run the SVD-Loader script and select the SVD file for the correct chip model.
After running, we check the memory map table again and find that the memory mapping addresses have been automatically added.
The GPIO peripherals are also automatically annotated, greatly reducing our time searching through the chip manual. After further optimization and converting values to binary format, we obtain the final highly readable code.
After analyzing the code, we can easily determine that in order to exit the loop, we need to press the button while having GPIOC’s PIN 3 and PIN 1 set to HIGH. Here we can connect PIN3, PIN1, and the VDD pin using a breadboard to achieve this.
Finally, we obtain the flag: Kevin2600 Love You
The ARM architecture has a long history and is favored by the embedded industry. With the rise of IoT and vehicle networking devices in recent years, embedded system security has become an area that security researchers must pay attention to.
This article serves as a starting point to provide some ideas for those who want to learn hardware reverse engineering. Finally, I would like to thank Thomas Roth for his assistance during the research process. You can follow his hardware training courses and videos (links in the references). I also recommend the course “Introduction and Application of Reverse Tool Ghidra” by Zhu Wenzhe from Ping An Galaxy Laboratory, which includes hardcore content such as using Ghidra to analyze VxWorks firmware. Interested friends can check it out themselves.
Let’s learn from and pay tribute to these pioneers in the industry.

https://leveldown.de/blog/svd-loader

https://www.youtube.com/watch?v=q4CxE5P6RUE

https://www.ghidra-sre.org/releaseNotes_9.1.2.html

https://github.com/leveldown-security/SVD-Loader-Ghidra

https://advancedsecurity.training/training/live-hardware-intro

www.st.com/en/microcontrollers-microprocessors/stm32f446re.html
