DVID Writeup 02 - Firmware - Hardcoded password

3-minute read
writeup
dvid firmware iot
Table of contents :

If you’re not yet familiar with the Damn Vulnerable Iot Device (DVID) project, I encourage you to read the project presentation page.

Goal of this challenge

A confidential message is stored on the firmware but protected by a password.

Flashing the board

First things first, we are going to flash the firmware for this challenge onto the DVID board. In order to do this, we will use avrdude and an USB AVR programmer. If you’re not familiar with avrdude options I encourage you to read the flashing the board section of the first DVID writeup of this series. We will flash the board using this nice flash.sh script :

#!/bin/bash

if [[ ! -d "./DVID/" ]]; then
    git clone https://github.com/vulcainreo/DVID
fi

pushd ./DVID/trainings/firmware/hardcodedPassword/
avrdude -F -v -p atmega328p -P /dev/ttyUSB0 -c usbasp -u -U flash:w:hardcodedPassword.ino.with_bootloader.arduino_standard.hex
popd

Now, we will connect the DVID board to our computer using the USB AVR programmer, and start the script. When the AVR programming has completed, the board should restart and you should see this :

Boot screen

Solving the challenge : dumping the firmware

Now that we have flashed the firmware, we can start the challenge. The first step of an attacker wanting to analyze the firmware would be to try and extract it. Therefore, let’s learn how to extract it !

As we have seen in a previous article DVID Writeup 01 - Hardware - Find the Datasheet, the avrdude utility can do multiple things ! For extracting the firmware, the command differs only a little from the command to flash the firmware. We will only change the Memory operation mode in the -U option.

  • We used -U flash:w:findTheDatasheet.ino.arduino_standard.hex to install the firmware on the board.

  • We will use -U flash:r:firmware.bin to dump the firmware from the board. (We could have also dumped it in hex format with -U flash:r:firmware.hex)

The command becomes :

avrdude -F -v -p atmega328p -P /dev/ttyUSB0 -c usbasp -u -U flash:r:firmware.bin

Now that we have our extracted firmware in binary format, let’s try something simple. The strings command can be used to extract ASCII strings from the raw binary file, which is a pretty useful first step in reversing something.

strings -a firmware.bin

And in the extracted strings, we find some interesting informations :

Extracted strings

Now that we have the password, we can send it to the DVID board using the UART USB reader and this python script :

#!/usr/bin/env python3

import serial

s = serial.Serial("/dev/ttyUSB0", 9600)
s.write(b'sup3rp4ssw0rd\r\n')

We now check the screen on the DVID board :

Win

And we won !

We also could have solved the challenge by analyzing the firmware source code.

Solving the challenge : analyzing the firmware source code

We also could have solved the challenge another way if we consider we can access the firmware source code. In this case, we can look for hardcoded variables in the code of the file hardcodedPassword.ino :

Firmware source code

We easily find the hardcoded password on line 18 of the file hardcodedPassword.ino. Of course, the idea here is to learn about realistic attacks, you might not always have the source code of the firmware !

Additional references