
SMEG+I_5.43.A.R2

Víðarr Óðinsson edited this page Sep 15, 2020 · 3 revisions

Preliminary notes

  • Several of the files named *.out are ELF files for PowerPC, so that is our target architecture
  • Map files for the symbols exist in various places
  • A number of the *.bin files are actually .tar.gz archives, so go by the magic bytes (file(1)) rather than by the extension
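Checking the three observations above by magic bytes instead of by extension, as an added example that is not part of the original page: the probes below recognise an ELF header and report its class, byte order and e_machine (20 is EM_PPC, the big-endian 32-bit PowerPC we expect), and look inside gzip data for the ustar header of a tar stream. The sample inputs are constructed inside the block, not taken from the firmware; pass real paths on the command line to classify files.

```python
import gzip
import io
import struct
import sys
import tarfile
import zlib

ELF_MAGIC = b"\x7fELF"
GZIP_MAGIC = b"\x1f\x8b"
# e_machine values from the ELF specification; 20 is EM_PPC, the one we expect here
EM_NAMES = {3: "x86", 20: "PowerPC", 21: "PowerPC64", 40: "ARM", 62: "x86-64"}


def describe_elf(data):
    """Return 'ELF<bits> <endian>-endian <machine>' for an ELF header, else None."""
    if len(data) < 20 or not data.startswith(ELF_MAGIC):
        return None
    bits = {1: 32, 2: 64}.get(data[4], "?")          # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])     # EI_DATA
    if endian is None:
        return "ELF (unknown data encoding)"
    # e_machine is a 16-bit field at offset 18, stored in the file's own byte order
    (e_machine,) = struct.unpack_from(">H" if endian == "big" else "<H", data, 18)
    machine = EM_NAMES.get(e_machine, "e_machine=%d" % e_machine)
    return "ELF%s %s-endian %s" % (bits, endian, machine)


def describe_gzip(data):
    """Return a description of gzip data, looking for a tar stream inside, else None."""
    if not data.startswith(GZIP_MAGIC):
        return None
    try:
        payload = gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return "gzip (corrupt or truncated)"
    # POSIX tar headers carry the magic 'ustar' at offset 257 of the 512-byte header block
    if payload[257:262] == b"ustar":
        return "gzip-compressed tar archive"
    return "gzip-compressed data (%d bytes uncompressed)" % len(payload)


def classify(data):
    """Identify data by its magic bytes, ignoring whatever extension the file carries."""
    for probe in (describe_elf, describe_gzip):
        verdict = probe(data)
        if verdict:
            return verdict
    return "unknown"


def classify_file(path):
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed samples so the block runs offline; they are not files from the firmware.
def sample_ppc_elf_header():
    # e_ident: magic, ELFCLASS32, ELFDATA2MSB, EV_CURRENT, then OS/ABI and padding
    e_ident = ELF_MAGIC + bytes([1, 2, 1]) + b"\x00" * 9
    # e_type=ET_EXEC, e_machine=EM_PPC, e_version=1; the remaining 28 header bytes zeroed
    return e_ident + struct.pack(">HHI", 2, 20, 1) + b"\x00" * 28


def sample_targz():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = b"not a real kernel"
        info = tarfile.TarInfo("vxWorks.bin")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python classify.py BSP/SMEG_PLUS_512/*.bin *.out
    for name in sys.argv[1:]:
        print("%s: %s" % (name, classify_file(name)))
    if len(sys.argv) == 1:
        print("sample ELF   :", classify(sample_ppc_elf_header()))
        print("sample tar.gz:", classify(sample_targz()))
```

A full image that is neither ELF nor gzip comes back as "unknown"; that is the case for the raw VxWorks kernel, which has no container format of its own and is loaded into Ghidra as a raw binary.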

Directory structure

.
├── AUDIO_BT
│   └── AppBin
├── AUDIO_BT_256
│   └── AppBin
├── BSP
│   ├── SMEG_PLUS_256
│   └── SMEG_PLUS_512
├── HARMONY
│   ├── BigHarmony_1
│   ├── BigHarmony_2
│   ├── BigHarmony_3
│   ├── BigHarmony_4
│   └── BigHarmony_5
├── NAV
│   ├── AppBin
│   └── DB_DWNL
├── RENESAS
└── USERGUIDE
    ├── AUDIO_BT
    │   ├── B78
    │   ├── E3
    │   └── T9
    └── NAV
        ├── A9
        ├── B78
        ├── E3
        └── T9

Overview by size

Here is an overview of the firmware upgrade contents (inside SMEG_PLUS_UPG), courtesy of dust:

  12M   ┌── BSP                            │                                                          █ │   1%
  13M   │   ┌── f_BigQuick.bin             │                                                         ░█ │   1%
  13M   │ ┌─┴ AppBin                       │                                                         ░█ │   1%
  21M   ├─┴ AUDIO_BT_256                   │                                                         ██ │   2%
  13M   │   ┌── f_BigQuick.bin             │                                                         ░█ │   1%
  13M   │ ┌─┴ AppBin                       │                                                         ░█ │   1%
  23M   │ ├── system.bin                   │                                                         ██ │   2%
  36M   ├─┴ AUDIO_BT                       │                                                         ██ │   3%
  25M   │   ┌── BIG_HARMONY.bin            │                                                      ░░░██ │   2%
  25M   │ ┌─┴ BigHarmony_1                 │                                                      ░░░██ │   2%
  25M   │ │ ┌── BIG_HARMONY.bin            │                                                      ░░░██ │   2%
  26M   │ ├─┴ BigHarmony_3                 │                                                      ░░░██ │   2%
  26M   │ │ ┌── BIG_HARMONY.bin            │                                                      ░░░██ │   2%
  26M   │ ├─┴ BigHarmony_2                 │                                                      ░░░██ │   2%
  90M   ├─┴ HARMONY                        │                                                      █████ │   8%
  12M   │     ┌── UserGuide_AudioBT_E3.rcc │                                                     ░░░▒▒█ │   1%
  12M   │   ┌─┴ E3                         │                                                     ░░░▒▒█ │   1%
  16M   │   │ ┌── UserGuide_AudioBT_B78.rcc│                                                     ░░░▒▒█ │   1%
  16M   │   ├─┴ B78                        │                                                     ░░░▒▒█ │   1%
  40M   │ ┌─┴ AUDIO_BT                     │                                                     ░░░███ │   4%
  11M   │ │   ┌── UserGuide_NAV_T9.rcc     │                                                     ░░▒▒▒█ │   1%
  11M   │ │ ┌─┴ T9                         │                                                     ░░▒▒▒█ │   1%
  12M   │ │ │ ┌── UserGuide_NAV_E3.rcc     │                                                     ░░▒▒▒█ │   1%
  12M   │ │ ├─┴ E3                         │                                                     ░░▒▒▒█ │   1%
  16M   │ │ │ ┌── UserGuide_NAV_B78.rcc    │                                                     ░░▒▒▒█ │   1%
  16M   │ │ ├─┴ B78                        │                                                     ░░▒▒▒█ │   1%
  21M   │ │ ├── A9                         │                                                     ░░▒▒██ │   2%
  61M   │ ├─┴ NAV                          │                                                     ░░████ │   6%
 101M   ├─┴ USERGUIDE                      │                                                     ██████ │   9%
  15M   │   ┌── f_BigQuick.bin             │              ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░█ │   1%
  15M   │ ┌─┴ AppBin                       │              ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░█ │   1%
  23M   │ ├── system.bin                   │              ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░██ │   2%
 809M   │ ├── SD_DIR_TTS.bin               │              ░░███████████████████████████████████████████ │  72%
 854M   ├─┴ NAV                            │              █████████████████████████████████████████████ │  76%
 1.1G ┌─┴ .                                │███████████████████████████████████████████████████████████ │ 100%

Ghidra, the disassembler/decompiler

Ghidra is the binary analysis framework developed by the NSA and open-sourced in 2019. It features a decompiler and, unlike IDA Pro, which we know better, it lets us share the work, since anyone else can grab a copy of Ghidra. Another option would be Cutter, the GUI built on radare2.

vxWorks.bin

This is our primary target.

  • Our target processor is a PowerPC, 32-bit and big-endian
    • None of the more specific PowerPC variants Ghidra offers is a closer match, so the generic PowerPC:BE:32:default language is the one to pick
  • symbols_bsp.txt (actually symbols_bsp.txt.gz) contains the addresses of a number of the symbols (see AUDIO_BT/system.bin -> Application/PKG/)
    • Use the c++filt program to demangle the decorated C++ symbol names for use outside Ghidra (Ghidra knows how to demangle them as well)
  • The main VxWorks file, i.e. the kernel, is named vxWorks.bin underneath BSP/SMEG_PLUS_512 (or BSP/SMEG_PLUS_256 for the 256 MB hardware version)
    • For now the analysis focuses on the 512 MB firmware, as that matches the firmware on the two SMEG+ units we have in hardware
  • To load the nm-output-like map files, use ImportSymbolsScript.py from the Script Manager in Ghidra; it expects one "name address" pair per line, so the files need preprocessing first:
      for i in *symbols*.txt; do fromdos $i; cut -d ' ' -f 3,1 $i | awk '{gsub(/ /, "", $2); printf "%s 0x%s\n", $2, $1}' | tee ${i%.txt}.map; done
    i.e.:
      • Convert from CRLF to LF line endings (fromdos edits the file in place)
      • Extract fields 1 (address) and 3 (symbol name), using a blank space as field separator; cut emits them in input order whatever order is given to -f
      • Swap the two fields and prefix the address with 0x, which is what the awk step does
      • Write the result to a file named .map instead of .txt
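The same conversion with the checks the shell one-liner skips, as an added example that is not part of the original page: undefined symbols (nm prints them as "U name" with no address) and non-symbol lines are dropped instead of producing a bogus "0x" entry, CRLF input is accepted as-is, and a .gz input such as symbols_bsp.txt.gz is read without unpacking it first. The sample lines are constructed, not taken from the firmware's symbol files.

```python
import gzip
import sys


def nm_to_ghidra_map(lines):
    """Turn nm-style 'address type name' lines into the 'name 0xaddress' lines
    that Ghidra's ImportSymbolsScript.py reads (name first, address second)."""
    out = []
    for raw in lines:
        fields = raw.rstrip("\r\n").split()     # rstrip handles CRLF, the fromdos step
        if len(fields) < 3:
            continue                             # 'U name' lines have no address
        addr, sym_type, name = fields[0], fields[1], fields[2]
        if sym_type == "U":
            continue
        try:
            int(addr, 16)                        # skip anything whose first field is not hex
        except ValueError:
            continue
        out.append("%s 0x%s" % (name, addr))
    return out


def convert_file(src, dst):
    """Convert one map file and return the number of symbols written."""
    opener = gzip.open if src.endswith(".gz") else open
    with opener(src, "rt") as fh:
        converted = nm_to_ghidra_map(fh)
    with open(dst, "w") as out:
        out.write("\n".join(converted) + "\n")
    return len(converted)


# Constructed sample in nm's format, not taken from the firmware's symbol files
SAMPLE_NM = [
    "00100000 T sysInit\r\n",
    "00100040 T _ZN3Foo3barEv\r\n",   # decorated C++ name, left for Ghidra to demangle
    "         U printf\r\n",           # undefined symbol: no address, must be dropped
    "0010a000 d ansi_foo\r\n",
    "not a symbol line\r\n",           # e.g. a header line in the map file
]

if __name__ == "__main__":
    # Usage: python nm2map.py symbols_bsp.txt.gz symbols_bsp.map
    if len(sys.argv) == 3:
        count = convert_file(sys.argv[1], sys.argv[2])
        print("%d symbols written to %s" % (count, sys.argv[2]))
    else:
        print("\n".join(nm_to_ghidra_map(SAMPLE_NM)))
```

The output keeps the mangled names; run the Demangler analyzer in Ghidra after the import, or pipe the names through c++filt when you need them readable elsewhere.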

Components identified in VxWorks image

  • OpenSSL 0.9.8l 5 Nov 2009 (the version banner string as it appears in the image)
    • CVE list #1
    • CVE list #2
    • We built the shared objects on Ubuntu 14.04 with GCC 4.8.4 to get the exported symbol names (obviously neither the addresses nor the opcodes carry over to the VxWorks image); the export lists in the source tree, util/libeay.num and util/ssleay.num, give the same names without a build:
      # fresh extraction of the 0.9.8l source tree
      cd; rm -rf openssl-0.9.8l; tar -xf openssl-0.9.8l.tar.gz; cd ~/openssl-0.9.8l
      # no-asm: skip the assembler implementations; shared: build .so files we can list with nm
      env CFLAGS=-m64 ./config no-asm shared --prefix=/usr/local --openssldir=/usr/local/openssl
      make
      make test
      # needs root for /usr/local; not required just to list the symbols
      make install
      # drop everything but the dynamic symbol table, then list the defined exports
      strip --strip-unneeded lib*.so
      nm --defined-only -D lib*.so
      
  • zlib 1.2.3:
    • zlib 1.2.3 is formally affected by the undefined-behaviour fixes that went into 1.2.9 (CVE-2016-9840 through CVE-2016-9843), but those are pointer-arithmetic and shift issues rather than practical memory corruption, so no CVEs of value to us seem to exist
    • deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
    • inflate 1.2.3 Copyright 1995-2005 Mark Adler
  • Likely some version of the Dinkumware C/C++ runtime library
    • Dinkumware supplies the standard C++ library shipped with VxWorks, so this is expected rather than surprising, and we probably don't care either way
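The banners listed above are how these components announce themselves inside the image; the scanner below finds them with their file offsets, as an added example that is not part of the original page. It works on a constructed sample image embedded in the block, not on the real vxWorks.bin, and the chunked reader (with an overlap so a banner straddling two chunks is still matched once) is how you would run it over the 1.1 GB tree without loading whole files into memory.

```python
import io
import re

# Version banners that commonly survive in statically linked images; group 1 is the version.
# The OpenSSL pattern matches "OpenSSL 0.9.8l 5 Nov 2009", the zlib ones the deflate/inflate
# copyright strings (the match stops at the year range, so the author name is not part of it).
BANNER_PATTERNS = {
    "OpenSSL": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) \d{1,2} [A-Z][a-z]{2} \d{4}"),
    "zlib deflate": re.compile(rb"deflate (\d+\.\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4}"),
    "zlib inflate": re.compile(rb"inflate (\d+\.\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4}"),
}


def find_banners(blob):
    """Return {library: [(offset, version), ...]} for each banner present in blob."""
    hits = {}
    for lib, pattern in BANNER_PATTERNS.items():
        found = [(m.start(), m.group(1).decode("ascii")) for m in pattern.finditer(blob)]
        if found:
            hits[lib] = found
    return hits


def scan_stream(fh, chunk=8 << 20, overlap=256):
    """Scan a large image in chunks; the previous `overlap` bytes are kept in front of each
    chunk so a banner split across a boundary is still seen, and duplicates are dropped."""
    hits = {}
    base = 0        # absolute offset of the first byte of the current chunk
    tail = b""      # last `overlap` bytes of the previous window
    while True:
        data = fh.read(chunk)
        if not data:
            break
        window = tail + data
        for lib, found in find_banners(window).items():
            for offset, version in found:
                abs_offset = base - len(tail) + offset
                if (abs_offset, version) not in hits.setdefault(lib, []):
                    hits[lib].append((abs_offset, version))
        tail = window[-overlap:]
        base += len(data)
    return hits


def scan_file(path, **kw):
    with open(path, "rb") as fh:
        return scan_stream(fh, **kw)


# Constructed sample image, not bytes from the firmware
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"OpenSSL 0.9.8l 5 Nov 2009\x00"
    + b"\x7f" * 8
    + b"deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
    + b"inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00"
)


def scan_sample_in_chunks():
    """Run the chunked scanner over the sample with a tiny chunk to exercise the overlap."""
    return scan_stream(io.BytesIO(SAMPLE_IMAGE), chunk=20, overlap=40)


if __name__ == "__main__":
    # Usage: python banners.py BSP/SMEG_PLUS_512/vxWorks.bin
    import sys
    target = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_banners(SAMPLE_IMAGE)
    for lib, found in target.items():
        for offset, version in found:
            print("%-13s %-8s at 0x%08x" % (lib, version, offset))
```

The offsets are file offsets; add the load address chosen when the kernel is imported into Ghidra to land on the same string there, which is a convenient anchor for locating the library's code by cross-reference.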