
1. Introduction

VxWorks is an embedded real-time operating system (RTOS) designed and developed by the US company Wind River in 1983, and it is a key component of embedded development environments.

2. Firmware Analysis

The common way to extract firmware is to analyze and unpack it with the binwalk tool.
2.1 Extraction
binwalk analysis shows that the firmware contains binary data compressed with LZMA.
2.2 Decompression
Either the lzma command or the binwalk command can decompress it:
- lzma
- binwalk
The resulting file is the VxWorks image we need to analyze.
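As an added illustration of what the binwalk signature scan and extraction step does (this is example code written for this page, not part of the original write-up and not binwalk's code), the following Python scans a blob for candidate .lzma headers, checks that the header fields are plausible, and keeps only candidates that decode through to an end-of-stream marker. The firmware blob is constructed inline (a fake boot header, an LZMA stream produced by Python's lzma module, and trailing padding); the 64 MiB dictionary limit is a sanity threshold chosen here, not a value from the page.

```python
import lzma
import struct

# Constructed sample: a fake boot header followed by an LZMA "alone" stream
# (the .lzma container that the lzma command and binwalk recognise) and some
# trailing padding. Not bytes from a real firmware image.
PAYLOAD = b"VxWorks sample image " * 50
PREFIX = b"BOOTHDR\x00" + bytes(range(1, 33))      # contains no 0x5D byte
SAMPLE_BLOB = PREFIX + lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE) + b"\x00" * 16

MAX_DICT = 64 * 1024 * 1024   # reject absurd dictionary sizes before decoding (our threshold)


def parse_lzma_header(blob, off):
    """Decode the 13-byte .lzma header at `off`: properties byte, dictionary size,
    uncompressed size. Returns None when the fields are not plausible."""
    if off + 13 > len(blob):
        return None
    props, dict_size, usize = struct.unpack_from("<BIQ", blob, off)
    if props >= 9 * 5 * 5:                      # props = pb*45 + lp*9 + lc
        return None
    lc, lp, pb = props % 9, (props // 9) % 5, props // 45
    if dict_size == 0 or dict_size > MAX_DICT:
        return None
    unknown = usize == 0xFFFFFFFFFFFFFFFF          # streams written with an end marker
    return {"offset": off, "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            "uncompressed_size": None if unknown else usize}


def carve_lzma_streams(blob):
    """Scan for candidate .lzma headers and return those that decode cleanly.
    Each result carries the header fields, the decompressed bytes and the number
    of bytes left after the end-of-stream marker (data that follows the stream)."""
    found = []
    pos = 0
    while True:
        # 0x5D is the usual properties byte (lc=3, lp=0, pb=2); the two zero bytes
        # are the low bytes of a typical dictionary size.
        pos = blob.find(b"\x5d\x00\x00", pos)
        if pos < 0:
            break
        hdr = parse_lzma_header(blob, pos)
        if hdr is not None:
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
            try:
                data = dec.decompress(blob[pos:])
            except lzma.LZMAError:               # false positive: not a real stream
                data = None
            if data is not None and dec.eof:     # truncated streams never reach eof
                hdr["data"] = data
                hdr["trailing_bytes"] = len(dec.unused_data)
                found.append(hdr)
        pos += 1
    return found


if __name__ == "__main__":
    for s in carve_lzma_streams(SAMPLE_BLOB):
        print(f"lzma stream at 0x{s['offset']:x}: dict={s['dict_size']} "
              f"lc/lp/pb={s['lc']}/{s['lp']}/{s['pb']} -> {len(s['data'])} bytes, "
              f"{s['trailing_bytes']} trailing bytes")
```

Requiring `dec.eof` is what separates a real embedded stream from a chance match on the three signature bytes; a candidate that merely produces some output before running out of data is discarded.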

3. Firmware Load Address

First, it is necessary to find the VxWorks system firmware load address; otherwise, the system will not run. The load address will affect some subsequent absolute address references, such as function tables and string references.
3.1 Check Device Architecture
- ARM
3.2 IDA Analysis
- Select ARM / little-endian
- Base address is 0
VxWorks uses usrInit for stack initialization; it is the first function that runs after the VxWorks system boots.
    LDR R0, =0x40205000
    BIC R0, R0, #3
    SUB R0, R0, #4
    MOV SP, R0        ; stack initialization: SP = R0
The loaded base address is therefore 0x40205000.
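To show how the value IDA prints as `LDR R0, =0x40205000` is actually recovered from raw bytes, here is an added Python example (written for this page, not code from the write-up): it decodes the `LDR Rd, [PC, #imm]` literal-pool form, matches the BIC/SUB/MOV SP sequence quoted above, reads the pool word, and reports the literal as the load-base guess, following the write-up's reasoning that the initial stack sits at the image's load address. The instruction bytes are constructed here by hand-assembling the four instructions; the pattern matcher assumes the same register is used throughout, as in the quoted listing.

```python
import struct

# Constructed sample: the four instructions quoted above, hand-assembled as
# little-endian ARM words, followed by the literal-pool word the LDR reads.
# Not bytes taken from a real image.
SAMPLE_CODE = struct.pack("<5I",
    0xE59F0008,   # LDR R0, [PC, #8]  -> pool word at offset 0 + 8 + 8 = 16
    0xE3C00003,   # BIC R0, R0, #3
    0xE2400004,   # SUB R0, R0, #4
    0xE1A0D000,   # MOV SP, R0
    0x40205000,   # literal pool: the value IDA shows as =0x40205000
)


def decode_ldr_pc_literal(word, insn_off):
    """If `word` is LDR Rd, [PC, #imm] (add form, the encoding IDA displays as
    LDR Rd, =value), return (rd, offset of the literal); otherwise None.
    In ARM state PC reads as the instruction address + 8."""
    # bits 27..16 must be 0101 1001 1111: 01 | I=0 P=1 U=1 B=0 W=0 L=1 | Rn=PC
    if (word & 0x0FFF0000) != 0x059F0000:
        return None
    rd = (word >> 12) & 0xF
    return rd, insn_off + 8 + (word & 0xFFF)


def find_stack_init(code, start=0):
    """Scan 4-byte-aligned ARM words for
    LDR Rd,=lit / BIC Rd,Rd,#3 / SUB Rd,Rd,#4 / MOV SP,Rd
    and return the literal, the resulting initial SP and the load-base guess."""
    for off in range(start, len(code) - 15, 4):
        w0, w1, w2, w3 = struct.unpack_from("<4I", code, off)
        hit = decode_ldr_pc_literal(w0, off)
        if hit is None:
            continue
        rd, pool = hit
        bic = 0xE3C00003 | (rd << 16) | (rd << 12)    # BIC Rd, Rd, #3
        sub = 0xE2400004 | (rd << 16) | (rd << 12)    # SUB Rd, Rd, #4
        mov_sp = 0xE1A0D000 | rd                      # MOV SP, Rd
        if (w1, w2, w3) != (bic, sub, mov_sp) or pool + 4 > len(code):
            continue
        literal = struct.unpack_from("<I", code, pool)[0]
        initial_sp = ((literal & ~3) - 4) & 0xFFFFFFFF  # what BIC/SUB leave in SP
        return {"insn_offset": off, "rd": rd, "literal": literal,
                "initial_sp": initial_sp, "load_base": literal}
    return None


if __name__ == "__main__":
    r = find_stack_init(SAMPLE_CODE)
    print(f"stack init at +0x{r['insn_offset']:x}: literal 0x{r['literal']:08x}, "
          f"initial SP 0x{r['initial_sp']:08x}, load base 0x{r['load_base']:08x}")
```

Running it on a real image means pointing `find_stack_init` at the start of the file (the entry code is the first thing in the image) and then rebasing the IDA database to the returned `load_base` so that absolute references to function tables and strings resolve.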
3.3 Using Symbol Table to Fix Function Names
bzero is a VxWorks function that clears the .bss section during system startup, and its name is present as a string in the firmware, so "grep -r bzero" can be used to locate it.
$ grep -r bzero
- memset
3.3.1 Manual Location
Symbol table header:
    00 05 1B 29 00 00 34 E4
The first 4 bytes are the file size and the next 4 bytes are the symbol table size; the symbol table starts 8 bytes in.
    00 00 34 E4 => 13540 (decimal)
    8 + 8 * 13540 = 108328 (symbol table offset) -> symbol table location
Function symbol entry:
    54 00 00 00 40 37 36 84
- Type (function): 54
- Symbol table offset: 00 00 00 -> 0
- Memory offset: 40 37 36 84
- Function name: AES_CMAC
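The following Python is an added worked example of the manual symbol-table walk described above; it is not code from the write-up. The layout it assumes is my reading of the description: a big-endian 8-byte header (file size, entry count), 8-byte entries from offset 8 (type byte, 3-byte name offset, 4-byte address), and NUL-terminated names starting at 8 + 8 * count, indexed by each entry's 3-byte field. The sample file is constructed inline; its first entry is the AES_CMAC example above. `file_offset` ties the result back to the load address from section 3.2, and `idapython_rename_script` renders the renames as IDAPython `idc.set_name` calls (assumed IDA 7+ API) for pasting into IDA after the image has been rebased.

```python
import struct
from collections import namedtuple

Symbol = namedtuple("Symbol", "type name_off addr name")

# Layout assumed here (my reading of the description, not confirmed by the write-up):
#   header  : 4-byte file size, 4-byte entry count, big-endian
#   entries : 8 bytes each from offset 8 -> type(1) | name offset(3) | address(4)
#   names   : NUL-terminated strings at 8 + 8*count, indexed by the 3-byte field
FUNC_TYPE = 0x54


def build_sample():
    """Constructed two-entry symbol file; the first entry is the AES_CMAC example."""
    names = [b"AES_CMAC", b"bzero"]
    addrs = [0x40373684, 0x40210000]          # second address is made up
    entries, strtab, off = b"", b"", 0
    for name, addr in zip(names, addrs):
        entries += bytes([FUNC_TYPE]) + off.to_bytes(3, "big") + struct.pack(">I", addr)
        strtab += name + b"\0"
        off += len(name) + 1
    body = entries + strtab
    return struct.pack(">II", 8 + len(body), len(names)) + body


SAMPLE_SYMFILE = build_sample()


def parse_symfile(data):
    """Walk the header, the fixed-size entries and the name strings."""
    file_size, count = struct.unpack_from(">II", data, 0)
    if file_size != len(data):
        raise ValueError(f"header says {file_size} bytes, file has {len(data)}")
    strtab_off = 8 + 8 * count       # 8 + 8*13540 = 108328 in the write-up's file
    if strtab_off > len(data):
        raise ValueError("entry count runs past end of file")
    syms = []
    for i in range(count):
        ent = data[8 + 8 * i: 16 + 8 * i]
        typ = ent[0]
        name_off = int.from_bytes(ent[1:4], "big")
        addr = struct.unpack(">I", ent[4:8])[0]
        start = strtab_off + name_off
        end = data.index(b"\0", start)   # names are NUL-terminated
        syms.append(Symbol(typ, name_off, addr, data[start:end].decode("ascii", "replace")))
    return syms


def file_offset(addr, load_base):
    """Translate a symbol's memory address into an offset inside the raw image."""
    if addr < load_base:
        raise ValueError(f"0x{addr:x} lies below the load base 0x{load_base:x}")
    return addr - load_base


def idapython_rename_script(syms):
    """Render one idc.set_name call per function symbol (assumes IDA 7+ IDAPython
    and that the image was loaded at its real base)."""
    return "\n".join(f'idc.set_name(0x{s.addr:08X}, "{s.name}")'
                     for s in syms if s.type == FUNC_TYPE)


if __name__ == "__main__":
    for s in parse_symfile(SAMPLE_SYMFILE):
        print(f"type 0x{s.type:02x} name_off {s.name_off:6d} addr 0x{s.addr:08x} "
              f"file +0x{file_offset(s.addr, 0x40205000):x}  {s.name}")
    print(idapython_rename_script(parse_symfile(SAMPLE_SYMFILE)))
```

The file-size check in `parse_symfile` is the cheap sanity test to run first: if the header's first field does not match the file length, the symbol file has been truncated or the field layout assumed here does not apply to that device.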
3.4 Repairing with the VxHunter Tool
3.4.1 Automatic Function Name Repair
VxHunter automatically identifies function symbols and applies their names.
Project address: https://github.com/PAGalaxyLab/vxhunter.git

4. Conclusion

The analysis of VxWorks firmware mainly focuses on the memory load address and the symbol table. Repairing function names from the symbol table and determining the memory load address play a crucial role in subsequent vulnerability exploitation.