SMEG+I_5.43.A.R2
Víðarr Óðinsson edited this page Sep 15, 2020 · 3 revisions
- Several of the files named `*.out` are ELF files for PowerPC, so that is our target architecture. Map files for the symbols exist in various places.
- A number of the `*.bin` files are actually `.tar.gz` archives.
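A quick way to confirm both of those observations over a whole extracted tree is to classify files by content rather than by name. The following is an added example, not code from the original wiki: it checks the ELF identification bytes and `e_machine` field for 32-bit big-endian PowerPC and tests whether a gzip stream wraps a tar archive. The sample inputs are constructed in memory; `classify` takes a `{name: bytes}` dict that a caller would fill from the firmware directory.

```python
import gzip
import io
import struct
import tarfile

ELFCLASS32, ELFDATA2MSB, EM_PPC = 1, 2, 20  # ELF ident / e_machine values (System V ABI)


def identify(data: bytes) -> str:
    """Classify a firmware blob by its magic bytes, ignoring the file extension."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        if data[4] != ELFCLASS32 or data[5] != ELFDATA2MSB:
            return "elf-other"
        e_machine = struct.unpack(">H", data[18:20])[0]  # big-endian u16 at offset 18
        return "elf-ppc32-be" if e_machine == EM_PPC else "elf-be32-other-machine"
    if data[:2] == b"\x1f\x8b":
        try:
            with tarfile.open(fileobj=io.BytesIO(gzip.decompress(data)), mode="r:"):
                return "tar.gz"
        except (OSError, EOFError, tarfile.TarError):
            return "gzip"  # valid gzip stream, but not a tar archive
    return "unknown"


def classify(files: dict) -> dict:
    """{name: bytes} -> {name: detected kind}, so mislabelled files stand out."""
    return {name: identify(blob) for name, blob in files.items()}


# Constructed sample inputs (not real firmware): a minimal PPC32 big-endian ELF
# header (ET_EXEC, EM_PPC) and an in-memory .tar.gz with one dummy member.
def _fake_ppc_elf() -> bytes:
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2MSB, 1]) + b"\x00" * 9
    return e_ident + struct.pack(">HH", 2, EM_PPC) + b"\x00" * 32


def _fake_targz() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("dummy.bin")
        info.size = 8
        tar.addfile(info, io.BytesIO(b"payload!"))
    return buf.getvalue()


SAMPLES = {
    "app.out": _fake_ppc_elf(),          # named .out, really ELF PPC32 BE
    "package.bin": _fake_targz(),        # named .bin, really a .tar.gz
    "plain.bin": gzip.compress(b"raw"),  # gzip, but not a tar archive
    "blob.bin": b"\x00" * 64,            # neither
}
```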
```text
.
├── AUDIO_BT
│   └── AppBin
├── AUDIO_BT_256
│   └── AppBin
├── BSP
│   ├── SMEG_PLUS_256
│   └── SMEG_PLUS_512
├── HARMONY
│   ├── BigHarmony_1
│   ├── BigHarmony_2
│   ├── BigHarmony_3
│   ├── BigHarmony_4
│   └── BigHarmony_5
├── NAV
│   ├── AppBin
│   └── DB_DWNL
├── RENESAS
└── USERGUIDE
    ├── AUDIO_BT
    │   ├── B78
    │   ├── E3
    │   └── T9
    └── NAV
        ├── A9
        ├── B78
        ├── E3
        └── T9
```
Here is an overview of the firmware upgrade contents (inside `SMEG_PLUS_UPG`), courtesy of `dust`:
```text
 12M ┌── BSP                                 │ █ │ 1%
 13M │ ┌── f_BigQuick.bin                    │ ░█ │ 1%
 13M │ ┌─┴ AppBin                            │ ░█ │ 1%
 21M ├─┴ AUDIO_BT_256                        │ ██ │ 2%
 13M │ ┌── f_BigQuick.bin                    │ ░█ │ 1%
 13M │ ┌─┴ AppBin                            │ ░█ │ 1%
 23M │ ├── system.bin                        │ ██ │ 2%
 36M ├─┴ AUDIO_BT                            │ ██ │ 3%
 25M │ ┌── BIG_HARMONY.bin                   │ ░░░██ │ 2%
 25M │ ┌─┴ BigHarmony_1                      │ ░░░██ │ 2%
 25M │ │ ┌── BIG_HARMONY.bin                 │ ░░░██ │ 2%
 26M │ ├─┴ BigHarmony_3                      │ ░░░██ │ 2%
 26M │ │ ┌── BIG_HARMONY.bin                 │ ░░░██ │ 2%
 26M │ ├─┴ BigHarmony_2                      │ ░░░██ │ 2%
 90M ├─┴ HARMONY                             │ █████ │ 8%
 12M │ ┌── UserGuide_AudioBT_E3.rcc          │ ░░░▒▒█ │ 1%
 12M │ ┌─┴ E3                                │ ░░░▒▒█ │ 1%
 16M │ │ ┌── UserGuide_AudioBT_B78.rcc       │ ░░░▒▒█ │ 1%
 16M │ ├─┴ B78                               │ ░░░▒▒█ │ 1%
 40M │ ┌─┴ AUDIO_BT                          │ ░░░███ │ 4%
 11M │ │ ┌── UserGuide_NAV_T9.rcc            │ ░░▒▒▒█ │ 1%
 11M │ │ ┌─┴ T9                              │ ░░▒▒▒█ │ 1%
 12M │ │ │ ┌── UserGuide_NAV_E3.rcc          │ ░░▒▒▒█ │ 1%
 12M │ │ ├─┴ E3                              │ ░░▒▒▒█ │ 1%
 16M │ │ │ ┌── UserGuide_NAV_B78.rcc         │ ░░▒▒▒█ │ 1%
 16M │ │ ├─┴ B78                             │ ░░▒▒▒█ │ 1%
 21M │ │ ├── A9                              │ ░░▒▒██ │ 2%
 61M │ ├─┴ NAV                               │ ░░████ │ 6%
101M ├─┴ USERGUIDE                           │ ██████ │ 9%
 15M │ ┌── f_BigQuick.bin                    │ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░█ │ 1%
 15M │ ┌─┴ AppBin                            │ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░█ │ 1%
 23M │ ├── system.bin                        │ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ │ 2%
809M │ ├── SD_DIR_TTS.bin                    │ ░░███████████████████████████████████████████ │ 72%
854M ├─┴ NAV                                 │ █████████████████████████████████████████████ │ 76%
1.1G ┌─┴ .                                   │███████████████████████████████████████████████████████████ │ 100%
```
Ghidra is the binary analysis tool/framework developed by the NSA and open-sourced recently. It also features a decompiler and, unlike IDA Pro, with which we're more familiar, it allows us to share the work since anyone else can grab a copy of Ghidra. Another potential tool would be Cutter, based on r2.
This is our primary target.
- Our target processor is a PowerPC, 32-bit and Big Endian
- There is no closer match among the processor definitions provided in Ghidra
- `symbols_bsp.txt` (actually `symbols_bsp.txt.gz`) contains the addresses of a number of the symbols (see `AUDIO_BT/system.bin` -> `Application/PKG/`)
  - Use the `c++filt` program to demangle the decorated C++ symbol names for uses outside Ghidra (Ghidra does know how to demangle them as well)
- The main VxWorks file, i.e. the kernel, is named `vxWorks.bin` underneath `BSP/SMEG_PLUS_512` (or `BSP/SMEG_PLUS_256` for the 256 MB hardware version)
  - At this point analysis will focus on the 512 MB firmware as that matches the firmware used by the two SMEG+ units available in hardware
- To use the `nm`-output-like map files, we can use `ImportSymbolsScript.py` via the Script Manager in Ghidra
  - Preprocess the files with

    ```sh
    for i in *symbols*.txt; do fromdos "$i"; cut -d ' ' -f 3,1 "$i" | awk '{gsub(/ /, "", $2); printf "%s 0x%s\n", $2, $1}' | tee "${i%.txt}.map"; done
    ```

    i.e.:
    - Convert from CRLF to LF line endings (`fromdos` rewrites the file in place)
    - Extract fields 1 and 3 (address and symbol name), using a blank space as field separator; `cut` emits them in input order regardless of the order given to `-f`
    - Switch the position of the two fields and prefix the address with `0x`
    - Pipe all of that into a file named `.map` instead of `.txt`
- OpenSSL 0.9.8l 5 Nov 2009
  - CVE list #1
  - CVE list #2
  - We built the shared object on Ubuntu 14.04 with GCC 4.8.4 to get the symbol names and where they'd end up (obviously neither the addresses nor the opcodes would help for the VxWorks image):

    ```sh
    cd; rm -rf openssl-0.9.8l; tar -xf openssl-0.9.8l.tar.gz; cd ~/openssl-0.9.8l
    env CFLAGS=-m64 ./config no-asm shared --prefix=/usr/local --openssldir=/usr/local/openssl
    make
    make test
    make install
    strip --strip-unneeded lib*.so
    nm --defined-only -D lib*.so
    ```
- Zlib 1.2.3:
  - No CVEs of value to us seem to exist
  - `deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly`
  - `inflate 1.2.3 Copyright 1995-2005 Mark Adler`
- Likely some version of the Dinkumware C/C++ runtime library
  - This may actually be the default in VxWorks and we probably don't care either way
The contents of this Wiki are dedicated to the public domain. For jurisdictions which do not allow public domain dedications or don't know public domain, content can be assumed to be licensed under CC0.
Note: for this (Wiki) repository I will also use forced pushes. Use `git reset` if you encounter inconsistencies.