项目作者: guedou

项目描述 :
Tools to reverse the Toshiba FlashAir SD cards
高级语言: Python
项目地址: git://github.com/guedou/flashre.git
创建时间: 2018-07-24T15:57:50Z
项目社区:https://github.com/guedou/flashre

开源协议:GNU Lesser General Public License v3.0

下载


FlashRE tools

GitHub tag
Docker Automated buil
Twitter Follow

This repository contains a set of tools that ease reversing the Toshiba FlashAir
cards:

  • telnet: interact with the card
  • dump: get text dumps and convert them to binary
  • hints: identify functions that manipulates specific strings
  • naming: auto-name functions using error format strings
  • xref: explore functions call-graph
  • update: display firmware update, and build fake ones
  • demo: build a simple payload for demonstrations

The radare2 IO plugin located in tools/ ease interacting with the card:

  1. export R2M2_ARCH=mepl
  2. r2 -i io_flashair.py -qc 'e asm.arch=r2m2 ; o flashair:// ; px 16 ; pd 2' --
  3. - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
  4. 0x00000000 08d8 0100 18df 0800 0000 0000 0000 0000 ................
  5. ,=< 0x00000000 08d80100 JMP 0x100
  6. ,==< 0x00000004 18df0800 JMP 0x8E2

Some real usages are presented in the BlackHat USA 2018 briefing named
Reversing a Japanese Wireless SD Card - From Zero to Code
Execution
.

Installing flashre

flashre can easily be installed using the following commands. It is however
recommended to use a virtualenv.

  1. pip install -r requirements.txt
  2. python setup.py install

Docker

A Docker image is provided to ease using flashre. It
is based on the guedou/r2m2 image and contains
useful tools such as radare2, miasm2, binutils with MeP support, and Sibyl.

This image is built on Docker Hub and can easily be
pulled as follows:

  1. flashre$ docker pull guedou/flashre
  2. flashre$ $ docker run --rm -it -v $PWD:/data guedou/flashre flashre hints --offset 0xc00000 /data/dump_w03.bin update
  3. 0xc20580 0xc20c82 update -f %s
  4. ====
  5. 0xc3335a 0xc33478 propertyupdate
  6. ====
  7. 0xc96870 0xc969c6 FwUpdate error f_open(%s) ret=%d\n
  8. 0xc96870 0xc96a36 \nUpdate fail. Unexpected target name.\n
  9. 0xc96870 0xc96b3e \nUpdate reserved.\n
  10. ====
  11. 0xc9b502 0xc9b51a USAGE: sd update filename
  12. 0xc9b502 0xc9b65a \nUpdate fail. Unexpected target name.\n
  13. 0xc9b502 0xc9b722 \nUpdate success.\n
  14. 0xc9b502 0xc9b780 Update error.(checksum)\n
  15. ====
  16. 0xcfac98 0xcfacb4 dp_UpdateWinStart_O

Commands Examples

telnet

Open a Telnet session:

  1. flashre telnet
  2. Welcome to FlashAir
  3. ESC R4539 built 15:37:44, Aug 28 2015
  4. > dump -l 0x80
  5. dump -l 0x80
  6. address=0x00000000 length=0x80
  7. 0001d808 0008df18 00000000 00000000
  8. 00000000 00000000 00000000 00000000
  9. 00000000 00000000 00000000 00000000
  10. 00000000 00000000 00000000 00000000
  11. 00000000 00000000 00000000 00000000
  12. 00000000 00000000 00000000 00000000
  13. 00000000 00000000 00000000 00000000
  14. 00000000 00000000 00000000 00000000
  15. address=0x00000080

Send a single command:

  1. flashre telnet -c version
  2. version
  3. FA9CAW3AW3.00.01
  4. >

dump

Dump 2MB at address 0:

  1. flashre dump dump.log

The —begin and —end arguments can be used to adjust the dump size.

Convert a text dump to a binary

  1. flashre dump --convert dump.log > dump.bin

hints

The goal is to understand functions purposes based on the strings that they
manipulate. Somehow, it is a generic version of the auto-naming strategies.

  1. flashre hints dump.bin --offset 0xC00000 telnet
  2. 0xc15f4e 0xc16c04 TELNET
  3. ====
  4. 0xc6784c 0xc67852 TELNET start\n
  5. ====
  6. 0xc67936 0xc6794c telnet terminate\n
  7. ====
  8. 0xc7fa92 0xc7fb18 TELNET_CreateResHistory
  9. ====

The —reverse argument outputs strings manipulated by functions:

  1. flashre hints dump.bin --offset 0xc00000 --reverse <(echo 0xc67c4a)
  2. 0xc67c4a 0xccf586 ESC R4161 built 16:20:27, Oct 6 2014
  3. 0xc67c4a 0xce4fec Welcome to FlashAir\x0d
  4. 0xc67c4a 0xce5172 [TEL] (error) %s:%d
  5. 0xc67c4a 0xce5161 SendLoginMessage
  6. 0xc67c4a 0xce5187 cannot get memory(%d)
  7. 0xc67c4a 0xce519e %s%s%s
  8. 0xc67c4a 0xce4fec Welcome to FlashAir\x0d
  9. 0xc67c4a 0xccf586 ESC R4161 built 16:20:27, Oct 6 2014
  10. 0xc67c4a 0xce51a5 [TEL] (error) %s:%d
  11. 0xc67c4a 0xce5161 SendLoginMessage
  12. 0xc67c4a 0xce51ba send(%d)

naming

Two auto-naming strategies are implemented. In practice, the “error” strategy
find most of the functions. The “CamelCase” one only finds few more functions,
and some false positives.

  1. $ flashre naming --offset 0xc00000 dump.bin
  2. [..]
  3. af DP.dp_UpdateWinStart_O 0xcfac98
  4. af TEL.SendLoginMessage 0xc67c4a
  5. af WPS.WPS_SetSecInfo 0xc3959e
  6. af SDH.SD_HOST_TEST_Read 0xc9a78c
  7. af FAT.fat_remove_file 0xc2eac8
  1. $ flashre naming --offset 0xc00000 dump.bin --strategy camelcase
  2. [..]
  3. af SendDeauthMessageToAP 0xc393d4
  4. af InitializeWPS 0xc80624
  5. af WaitForTermination 0xc8019e
  6. af CntMeasure_Timeout_Frmblk 0xc97848
  7. af WlanWpsPin 0xc31242

xref

This commands helps exploring functions by printing their call-graph:

  1. $ flashre xref --offset 0xC00000 dump.bin 0xc67c4a
  2. 0xc67c4a,0xc7fb84,0xc12a8e,0xc7512e,0xc67bfa,0xc7517a,0xc12abe
  3. 0xc7fb84
  4. 0xc12a8e,0xc35960
  5. 0xc7512e,0xc12a8e
  6. 0xc67bfa,0xc7517a,0xc12a8e,0xc7512e
  7. 0xc7517a,0xc12a8e
  8. 0xc12abe,0xc35960
  9. 0xc35960,0xc47700,0xc36344,0xc79cc8,0xc362aa,0xc7fb84,0xc8083c
  10. 0xc7517a,0xc12a8e
  11. [..]

The —reverse argument return the functions that are calling the function given
as a parameter:

  1. $ flashre xref --offset 0xC00000 dump.bin --reverse 0xc67c4a
  2. 0xc6786a

update

Verify an update checksum:

  1. $ flashre update fwupdate.fbn
  2. ###[ FlashAir Update Header ]###
  3. card = 'FLASHAIR'
  4. type = 'MAIN2'
  5. unk0 = '\x01\x02\x03\x04'
  6. unk1 = 0x1c7e
  7. unk2 = 0x1f00250f
  8. checksum = 0xc2
  9. unk3 = 0x0
  10. length = 1047568

Build a fake update and verify the checksum:

  1. $ flashre update fake_update.bin --fake <(echo -n ABC) --type RF
  2. ###[ FlashAir Update Header ]###
  3. card = 'FLASHAIR'
  4. type = 'RF'
  5. unk0 = '\x01\x02\x03\x04'
  6. unk1 = 0x0
  7. unk2 = 0x0
  8. checksum = 0xc6
  9. unk3 = 0x0
  10. length = 3

demo

The fwupdate.fbn is used to automatically extract the address of the printf()
function:

  1. flashre demo fwupdate.fbn > calc.bin