Reverse Engineering Bare Metal Firmware Images — Part 2

Ragnar Security
7 min read · May 23, 2021

Dissecting Firmware Images Only Knowing The Target Device

Hardware Reversing Raspberry Pi (not done in this article)

If you have not read part 1, you can view it here: https://medium.com/codex/reverse-engineering-bare-metal-low-level-kernel-images-with-qemu-getting-started-c705b7b14d35

Now that we have our environment set up, we are ready to reverse the binary! For this, I will demonstrate how to do a basic ret2text exploit using a CTF challenge I wrote for UMDCTF, Furor. You can download a copy of it here: https://github.com/UMD-CSEC/UMDCTF-2021-Public-Challenges/tree/master/Pwnables/furor

Since there are a lot of concepts to cover just with solving this CTF challenge, we are going to break this into two articles: one focused on initial high-level reversing and another focused on in-depth reversing of ARM and exploitation.

More specifically, what we will demonstrate in this challenge is:

  • Figuring out how to find crucial information about bare-metal firmware images
  • Understanding how to find information about the target device
  • How to configure Ghidra so that it can make sense of the image (e.g., so that it is easier to locate our target functions).
