Tuesday, October 9, 2012

Emulating USB DFU to Capture Firmware

by Travis Goodspeed <travis at radiantmachines.com>,
to be presented at Breakpoint Melbourne 2012,
continuing Emulating USB Devices with Python,
with thanks to Sergey Bratus and the Dartmouth Scooby Crew.

Ever since breaking the MSP430's UART BSL back in '07, I've loved attacking bootloaders, particularly those in Masked ROM. A good bootloader exploit exposes the firmware of anything using that chip, drastically reducing the amount of work I need to do on a given target. As an alternative when a bootloader exploit isn't available, I've found it handy to reverse engineer firmware updater applications to get firmware images.

Toward that end, I'm happy to announce that USB Device Firmware Update emulation is working on the Facedancer Board, so you can emulate DFU devices in order to catch firmware updates as they are sent from a USB host. In many cases, this will require a bit of patching for your specific target, but it's damned handy when you haven't got the time to reverse engineer a firmware updater.

Facedancer is an Ubertooth

In this brief article, I will explain how the Device Firmware Update (DFU) protocol works under the hood, by walking you through the one that I wrote for the Facedancer hardware. As an example target, we will be catching the firmware update for one of Mike Ossmann's Project Ubertooth boards by emulating one well enough to fool the ubertooth-dfu tool that Jared Boone has contributed to that project.

A Child's Guide to USB Device Firmware Updates, Suitable for Adults

USB DFU is a protocol for reflashing devices. By recording and replaying such an update, it is possible to port a firmware update utility to a second operating system, to patch a device's firmware, or to extract a copy of firmware for reverse engineering. If none of these things interest you, feel free to stop reading.

First and foremost, you should understand that the DFU mode is usually a secondary function of a USB device. In emulating such a device, you might need to emulate enough of its legitimate protocol that the host believes that (1) the device is the device that it intends to reprogram and that (2) the device's firmware is out of date and needs to be replaced. Exceptions include devices with a DFU recovery mode.

Second, you should know that the host might attempt to read back from the device, such as to verify that an erasure was successful. As every dialect of DFU seems to do this slightly differently, you might need to patch your implementation to support such features.

Facedancing as USB DFU

The Facedancer acts as a minimal USB Device Firmware Update emulator with the goodfet.maxusbdfu client. Typically, the command needs to be told which style of chip to emulate, where to save the output, and, optionally, what to use as the prior firmware for read attempts.

To emulate a typical victim with your Facedancer, just run 'goodfet.maxusbdfu foo bar' where foo is the hexadecimal Vendor ID and bar is the Product ID. Then plug the Victim end of your Facedancer into the target machine and order a firmware update, the blocks of which will be printed as hex to stdout.

First, we need to know the Vendor ID and Product ID of our target. These are given for the default firmware by 'lsusb' as FFFF:0004. If you are lucky, most commonly with low-volume devices, you'll find a VID/PID pair that comes from the chip manufacturer, such as 0483:DF11 for an STM32. Sometimes the device enumerates differently for DFU than for general use, so expect surprises here.

The default USB listing for the Ubertooth is below. Note that by default it doesn't show any DFU support. Support only appears when the device is put into flashing mode with 'ubertooth-util -f'.

Ubertooth lsusb

When switched into DFU mode, the device changes its USB device descriptor to indicate DFU support. Be sure to remember this when reverse engineering your own devices, as they might support DFU but not advertise it.

Ubertooth in DFU Mode

A Tourist's Phrasebook for DFU

In order to read the goodfet.maxusbdfu source code, it's handy to know at least the basics of the protocol. In this section, I'll give you an informal description of it.

DFU consists of SETUP queries, which have a standard set of header parameters. Some chips implement extra commands, particularly when they have too large an address space for the limited offsets allowed by the UPLOAD (2) and DNLOAD (1) commands. Generally, the bmRequestType will be 0xA1 and the bRequest will be one of the following.

bRequest  Name       wValue    wIndex  wLength
0x00      DETACH
0x01      DNLOAD     blocknum          blocklen
0x02      UPLOAD
0x03      GETSTATUS                    0x0006
0x04      CLRSTATUS
0x05      GETSTATE                     0x0001
0x06      ABORT

The GETSTATE (0x05) command will often come first. The states, as enumerated in the Ubertooth's DFU client, are as follows, but you can often get by with always returning the dfuIDLE (0x02) response. GETSTATE always wants a single byte as its reply, and as with the other DFU commands, all of this runs over the Setup endpoint as a Class request.

# From the ubertooth-dfu source code.
# (The dictionary name is chosen here; the original listing shows only the entries.)
DFU_STATES = {
    0: 'appIDLE',
    1: 'appDETACH',
    2: 'dfuIDLE',
    3: 'dfuDNLOAD_SYNC',
    4: 'dfuDNBUSY',
    5: 'dfuDNLOAD_IDLE',
    6: 'dfuMANIFEST_SYNC',
    7: 'dfuMANIFEST',
    8: 'dfuMANIFEST_WAIT_RESET',
    9: 'dfuUPLOAD_IDLE',
    10: 'dfuERROR',
}

Additionally, you'll need to support GETSTATUS (0x03) to let the host know the UPLOAD and DNLOAD requests have completed successfully. This one is really easy: just return six bytes of zeroes in response to any request.

The DNLOAD (0x01), like all others, is over Endpoint 0. Its data payload consists of the data to be written, but the address gets to be a bit complicated. Rather than give an absolute address, DFU clients merely provide a 16-bit block number in the wValue field of the Setup request. On the Ubertooth's NXP LPC1756 chip, the address is simply the base address of flash memory plus 256 times the block number. Other chips, such as the STM32, have an extra command that specifies the base address, but these commands are non-standard and will need to be implemented specific to the device.
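To make the phrasebook concrete, here is an added example of the request handling this section describes: a small DFU responder that answers GETSTATE, GETSTATUS, DNLOAD, UPLOAD, ABORT and CLRSTATUS over Endpoint 0 and records every DNLOAD block in the same 'BLOCK nnnn : xx xx' form the tool prints. It is my own sketch, not code from goodfet.maxusbdfu or the Facedancer firmware. It assumes the LPC1756's flash begins at address 0 (pass another base for other chips), takes the DNLOAD data stage as an argument instead of reading it from the MAX3420, and, as a bonus, treats the Ubertooth's vendor request 19 (discussed later in the article) as an order to re-enumerate as ffff:0004; the bmRequestType bits used to tell class from vendor requests are the standard USB ones.

```python
# Added example: a minimal DFU request handler in the spirit of goodfet.maxusbdfu.
# This is my own sketch, not the GoodFET/Facedancer code; it handles the SETUP
# request fields directly and takes the DNLOAD data stage as an argument.

# bRequest values from the DFU phrasebook table.
DFU_DETACH, DFU_DNLOAD, DFU_UPLOAD, DFU_GETSTATUS, DFU_CLRSTATUS, DFU_GETSTATE, DFU_ABORT = range(7)

# DFU states, numbered as in the ubertooth-dfu listing.
dfuIDLE, dfuDNLOAD_IDLE, dfuUPLOAD_IDLE, dfuERROR = 2, 5, 9, 10

BLOCK_SIZE = 256          # LPC1756: address = flash base + 256 * block number
UBERTOOTH_ENTER_DFU = 19  # vendor request that makes a real Ubertooth reboot into DFU


class DfuEmulator:
    """Answers Endpoint-0 SETUP requests like a DFU device and records each DNLOAD block."""

    def __init__(self, flash_base=0x00000000, prior_firmware=b""):
        # Assumption: LPC1756 flash starts at 0.  Pass the right base for other chips.
        self.flash_base = flash_base
        self.prior = prior_firmware   # served back to the host on UPLOAD (read-back) requests
        self.state = dfuIDLE
        self.blocks = {}              # absolute address -> bytes the host wrote there
        self.log = []                 # 'BLOCK nnnn : xx xx ...' lines, like the tool prints
        self.reconnect_as = None      # (VID, PID) once a vendor request asks us to re-enumerate

    def block_address(self, blocknum):
        return self.flash_base + BLOCK_SIZE * blocknum

    def handle_setup(self, bmRequestType, bRequest, wValue, wIndex, wLength, data=b""):
        """Return the IN data stage to send back (b'' for OUT requests or when nothing is due)."""
        req_type = (bmRequestType >> 5) & 0x3   # 0 = standard, 1 = class, 2 = vendor
        if req_type == 2:
            return self.handle_vendor(bRequest)
        if req_type != 1:
            return b""                           # standard enumeration requests are not DFU

        if bRequest == DFU_GETSTATE:
            return bytes([self.state])           # exactly one byte
        if bRequest == DFU_GETSTATUS:
            # bStatus OK, 3-byte bwPollTimeout of 0, bState, iString 0.  The all-zero reply
            # the article suggests also works for clients that ignore bState.
            return bytes([0, 0, 0, 0, self.state, 0])
        if bRequest == DFU_DNLOAD:
            if wLength == 0:                     # zero-length DNLOAD closes the transfer
                self.state = dfuIDLE
                return b""
            payload = bytes(data[:wLength])
            self.blocks[self.block_address(wValue)] = payload
            self.log.append("BLOCK %04x : %s" % (wValue, " ".join("%02x" % b for b in payload)))
            self.state = dfuDNLOAD_IDLE
            return b""
        if bRequest == DFU_UPLOAD:
            off = BLOCK_SIZE * wValue
            chunk = self.prior[off:off + wLength]
            # A short reply tells the host the image is finished.
            self.state = dfuUPLOAD_IDLE if len(chunk) == wLength else dfuIDLE
            return chunk
        if bRequest in (DFU_ABORT, DFU_CLRSTATUS, DFU_DETACH):
            self.state = dfuIDLE
            return b""
        self.state = dfuERROR                    # anything else: let the host see dfuERROR
        return b""

    def handle_vendor(self, bRequest):
        # On the Ubertooth, command 19 makes the board reconnect as ffff:0004 in DFU mode;
        # an emulator needs to mimic that re-enumeration rather than silently accept it.
        if bRequest == UBERTOOTH_ENTER_DFU:
            self.reconnect_as = (0xFFFF, 0x0004)
        return b""

    def image(self, fill=0xFF):
        """Assemble the captured blocks into one image, padding gaps with erased-flash 0xFF."""
        if not self.blocks:
            return b""
        lo = min(self.blocks)
        hi = max(addr + len(d) for addr, d in self.blocks.items())
        buf = bytearray([fill]) * (hi - lo)
        for addr, d in self.blocks.items():
            buf[addr - lo:addr - lo + len(d)] = d
        return bytes(buf)


if __name__ == "__main__":
    # Constructed sample session, not a real capture.
    emu = DfuEmulator()
    emu.handle_setup(0xA1, DFU_GETSTATE, 0, 0, 1)
    for n, chunk in enumerate([b"\x00\x10\x00\x10\x21\x01\x00\x00", b"\xaa\xbb\xcc\xdd"]):
        emu.handle_setup(0x21, DFU_DNLOAD, n, 0, len(chunk), chunk)
    print("\n".join(emu.log))
```

In a real emulator the data stage of a DNLOAD arrives after the SETUP packet, so the driver would buffer it and call handle_setup once it is complete; image() is what you would write to disk once the host sends the closing zero-length DNLOAD.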

Recap and Basic Usage

If you've followed along so far, don't worry about being a little lost. Let's step back a bit and actually capture a firmware image, using the default script. In the next section, we'll get back to the nuts and bolts in order to capture a slightly trickier update.

In one window, start the DFU emulator on your Facedancer with 'board=facedancer11 goodfet.maxusbdfu ffff 0004'. You'll see the device warm up and then appear on lsusb listings of the victim machine.

Finally, send a DFU update to our fake Ubertooth board by running 'sudo ./ubertooth-dfu --write bluetooth_rxtx.dfu'. You should see packets scroll across the screen that look like the ones below. Pipe them to a file and you'll have a record of everything that would've been written into the device, enough to make a patch or begin reverse engineering with IDA.

Facedancer DFU Emulator

Complications of Entering DFU Mode

Thus far, we've been emulating a device that is *already* in DFU mode, but in the real world, few devices ship that way.

For example, the following is an error message caused by using the naive DFU emulator script presented earlier with a VID:PID of 1d50:6000. The update script is failing because it orders the USB device to enter DFU mode, but the Facedancer doesn't know how to respond. When emulating closed-source devices, you'll run into the same issue.

Failure Entering DFU

In order to patch this issue, I looked at the emulator's log to see that it blindly accepted a vendor request without knowing what to do.

Unhandled Vendor Request in USB

On a real Ubertooth device which appears as 1d50:6002, command 19 causes the board to disconnect and launch the DFU application, after which it reappears as ffff:0004. On more complicated devices, you might need to reply with a version number less than the one you wish to receive.

On many devices, such as those newfangled iPods and iPhones, a DFU recovery mode can be entered by holding a particular key combination. To emulate those devices, just hold the key combo and use lsusb to find the right settings for your Facedancer.

Complications of Non-Standard Extensions

If you've dealt with bootloaders before, you'll notice that quite a bit is missing from the DFU protocol as I've described it here. There's been no mention of any way to write to an address except by its block number, nor any mention of commands to erase the device or to enable protective modes. That's because these features are not standard; they are implemented differently for every host.

The STM32, for example, implements special features as writes to block 0000. If you see 'BLOCK 0000 : 41' in your log, that means that the host has ordered the device to erase all of Flash memory, leaving only the bootloader that is in masked ROM. A write of 'BLOCK 0000 : 21 ef be ad de' orders the device to execute code at 0xdeadbeef.
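Because the block-0 commands are interleaved with ordinary data blocks, a raw capture of an STM32 update is not yet an image. The following added example (my own code, not part of GoodFET) post-processes 'BLOCK nnnn : xx xx ...' log lines of the kind goodfet.maxusbdfu prints, decodes the two block-0 commands the text names (0x41 erase, 0x21 with a little-endian address, exactly as in '21 ef be ad de'), and places data blocks at addresses. The placement rule is an assumption taken from ST's DfuSe documentation rather than from this article: 0x21 sets an address pointer that subsequent data blocks (wBlockNum 2 and up) are written relative to, at pointer + (block - 2) * transfer size, and the pointer is also where the device jumps when the download is closed. The transfer size is a parameter for the same reason, and the sample log is constructed.

```python
# Added example: rebuild an STM32 DfuSe download from captured 'BLOCK nnnn : ...' lines.
# My own code, not GoodFET's.  Command bytes 0x41 (erase) and 0x21 (address) are the ones
# named in the article; the data-block placement rule and the default transfer size are
# assumptions taken from ST's DfuSe documentation.
import re
import struct

LINE_RE = re.compile(r"^BLOCK\s+([0-9a-fA-F]{4})\s*:\s*((?:[0-9a-fA-F]{2}\s*)*)$")

# Constructed sample log in the tool's output format; not a real capture.
SAMPLE_LOG = """\
BLOCK 0000 : 41
BLOCK 0000 : 21 00 00 00 08
BLOCK 0002 : de ad be ef 00 01 02 03
BLOCK 0003 : 04 05 06 07
BLOCK 0000 : 21 00 10 00 08
BLOCK 0002 : aa bb
"""


def parse_line(line):
    """Turn one 'BLOCK 0000 : 21 ef be ad de' line into (blocknum, payload), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))


def reconstruct(log_text, transfer_size=1024):
    """Return ({address: bytes}, [event strings]) for a DfuSe-style capture."""
    segments, events = {}, []
    pointer = None                        # address set by the most recent 0x21 command
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        blocknum, payload = parsed
        if blocknum == 0:                 # block 0 carries commands, not firmware data
            cmd = payload[0] if payload else None
            if cmd == 0x41 and len(payload) == 1:
                segments.clear()          # mass erase: everything captured so far is gone
                events.append("mass erase")
            elif cmd == 0x41 and len(payload) == 5:
                events.append("erase page 0x%08x" % struct.unpack("<I", payload[1:])[0])
            elif cmd == 0x21 and len(payload) == 5:
                pointer = struct.unpack("<I", payload[1:])[0]   # little-endian address
                events.append("set address 0x%08x" % pointer)
            else:
                events.append("unknown command %s" % payload.hex())
            continue
        if blocknum < 2 or pointer is None:
            events.append("unexpected data block %d (pointer=%r)" % (blocknum, pointer))
            continue
        segments[pointer + (blocknum - 2) * transfer_size] = payload
    return segments, events


def contiguous(segments):
    """Merge adjacent segments so each returned region is one uninterrupted run of bytes."""
    regions, start = {}, None
    for addr in sorted(segments):
        if start is not None and addr == start + len(regions[start]):
            regions[start] += segments[addr]
        else:
            start = addr
            regions[start] = segments[addr]
    return regions


if __name__ == "__main__":
    segs, events = reconstruct(SAMPLE_LOG, transfer_size=8)
    for ev in events:
        print(ev)
    for addr, data in sorted(contiguous(segs).items()):
        print("0x%08x  %s" % (addr, data.hex()))
```

Pipe the emulator's output through this and the events list tells you which erase and address commands the updater issued, while contiguous() gives you the regions to load into a disassembler at their real addresses.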

Finally, you'll run into trouble with the DFU states, as some clients demand particular states at particular times. You can recognize this condition when goodfet.maxusbdfu repeatedly logs "Returning state of XX." Just patch the relevant code to provide the expected status, and all should be well.

Conclusion

In conclusion, I'd like to share a Cease and Desist letter that I recently received from Michael Ossmann at Great Scott Gadgets, the good neighbor who makes the Ubertooth One.

C&D from Great Scott Gadgets

In keeping with Mr. Ossmann's strongly-worded request, I humbly ask you to solder up a Facedancer and join me in emulating all sorts of nifty devices.

Fake iPhone

As usual, patches should be sent to myself or the goodfet-devel mailing list. PCBs are available free or at cost, as described on the Ordering Page of the GoodFET Project. Assembly instructions can be found on the Facedancer11 Page.

55 comments:

Tormod said...

Thanks for a good read on DFU. It could maybe be made clearer that the "real" USB DFU is an open, well-documented standard and there is ideally no need for reverse engineering and hacking. Also the STM32 devices usually follow the documented DfuSe standard from ST. Finally I would like to throw in a bit of "advertisement" for the GPL-licensed dfu-util which can be used to upload and download firmware from DFU 1.0 and 1.1 and DfuSe compliant devices: http://dfu-util.gnumonks.org/


Abolfazl kami said...

Hi friend,
I am a student. I am working with my friend on an Ethernet project. Our processor unit is a microcontroller, the pic18f97j60 from Microchip. This microcontroller has a built-in Ethernet module.
I am building the PCB but the program doesn't create.
My compiler is MPLAB C18 from Microchip, but in programming we are facing errors. Any error solved, another error occurs.
We're confused. Can you help us?
my email :

Abolfazl kami said...

my email : abolfazlk873@yahoo.com
