πŸ”§ FIRMWARE REVERSE ENGINEERING β€” Deep Dive: Dari Dump Flash Sampai Remote Code Execution

Firmware adalah lapisan kepercayaan paling dalam β€” berjalan sebelum OS, kontrol hardware langsung, sering luput dari perhatian. Satu backdoor di firmware memberikan persist melewati factory reset. Dokumen ini membedah setiap aspek firmware RE: ekstraksi firmware mentah dari chip fisik, filesystem extraction, reversing ARM/MIPS/RISC-V, vulnerability discovery, emulation, sampai exploit untuk sistem embedded.

Hubungan ke Vault

Firmware RE menghubungkan Hardware Hacking (akuisisi fisik), Embedded Systems (arsitektur target), Web Hacking (exploit chain dari firmware), Military SIGINT (CNA implant), dan Threat Directory (APT penarget firmware).


Daftar Isi


Mengapa Firmware RE

STACK: Aplikasi β†’ OS β†’ Hypervisor β†’ Firmware β†’ Hardware
Setiap lapisan bawah bisa mengkompromi lapisan di atas

Mengapa firmware target empuk:

FaktorDampak
Update jarangVulnerability bertahun-tahun tidak ditambal
Hardcoded secretRoot creds, API key, token di binary
Legacy codeFork codebase 10-20 tahun β€” pola tidak aman
Debug interface terbukaUART, JTAG tidak dilindungi di produksi
Boot rentanBootROM bug (silicon), verified boot bisa dilewati
Supply chain opaqueBlob pihak ketiga tanpa audit
Memory protection minimStack canary, ASLR, NX jarang diaktifkan

Siapa yang menarget firmware:

  • APT groups β€” Vault 7 (CIA), Equation Group, LiGhT β€” implant persisten
  • Peneliti IoT β€” CVE massal di router, kamera, smart home
  • Hardware hackers β€” custom firmware (OpenWRT, DD-WRT)
  • Bug bounty hunters β€” Synacktiv, Atredis Partners
  • Forensic analysts β€” recovery data dari device rusak

Tipe-Tipe Firmware

Setiap tipe punya karakteristik, toolchain, dan attack surface berbeda.

1. UEFI / BIOS Modern

AtributDetail
FormatFirmware Volume (FV), FFS, PEI/DXE/SMM modules
CPUx86-64 utama, ARM untuk server
ToolsCHIPSEC, UEFITool, Ghidra UEFI plugin
StorageSPI flash 8-32 MB
BootSEC β†’ PEI β†’ DXE β†’ BDS β†’ TSL β†’ RT
AttackSMM injection, NVRAM exploit, BootGuard bypass

2. BMC (Baseboard Management Controller)

AtributDetail
ContohASpeed AST2500/AST2600, AMI MegaRAC, HPE iLO
OSOpenBMC atau proprietary Linux
CPUARM Cortex-A, kadang x86
StorageSPI NOR 32-64 MB
AttackWeb RCE, IPMI RMCP+, serial-over-LAN, default creds

3. Embedded RTOS Firmware

AtributDetail
ContohFreeRTOS, VxWorks, ThreadX, Zephyr, ΞΌC/OS
StrukturSingle binary, linked statis, tanpa filesystem
CPUARM Cortex-M, RISC-V, Xtensa, ColdFire, SuperH
StorageFlash internal MCU (256KB-2MB), readout protection
AttackOverflow dari input sensor, UART shell, debug interface

4. SoC Boot ROM

AtributDetail
Ukuran4-64 KB, mask ROM β€” tidak bisa diubah (silicon bug)
PeranInisialisasi hardware, load bootloader dari flash/NAND
AttackUSB download mode overflow, header parsing bug
KasusBroadcom BCM2835, Qualcomm Sahara, Mediatek preloader

5. WiFi NIC Firmware

AtributDetail
ContohBroadcom BCM43xx, Atheros AR9xxx, Intel AXxxx
CPUXtensa, MIPS, ARC β€” independent processor di chip WiFi
Host interfacePCIe/SDIO/USB + DMA ke host memory
AttackFirmware load intercept, ioctl overflow, DMA host compromise

Arsitektur CPU Embedded

ARM: R0-R15 (32-bit), X0-X30 (64-bit). Little-endian. Thumb/Thumb-2 campuran 16/32-bit. Calling conv R0-R3 arg, R0 ret. IT block di Thumb-2. Link register (LR) untuk return address β€” kritis untuk ROP.

; ARM ROP β€” pop {r0, r3, pc}
0x0001234:   ldmia.w sp!, {r0, r1, pc}
; ARM64 gadget
0x0045678:   ldp x0, x19, [sp], #0x20
0x004567c:   ret

MIPS: 31 + HI/LO. Big/little endian. Delay slot β€” instruksi setelah branch/jump tetap dieksekusi. ra`. ROP lebih sulit tanpa pop-multiple.

; MIPS gadget
00401234:   lw   $ra, 0x1c($sp)      ; load return addr
00401238:   lw   $s0, 0x18($sp)
0040123c:   jr   $ra                  ; jump ke gadget
00401240:   addiu $sp, $sp, 0x20     ; delay slot tetap dieksekusi

RISC-V: RV32I/RV64I. x0=zero (seperti MIPS). Tidak ada delay slot. C extension = compressed 16-bit. Calling conv: x10-x17 (a0-a7), x10 return. Linker relaxation bisa ubah encoding instruksi. Penggunaan: ESP32-C3, Bouffalo Lab BL602.

; RISC-V function
func:
    addi    sp, sp, -16
    sw      ra, 12(sp)
    sw      a0, 8(sp)
    call    process
    lw      ra, 12(sp)
    addi    sp, sp, 16
    ret

Xtensa: Semi-custom β€” vendor konfigurasi instruksi sendiri. ESP8266 (LX106), ESP32 (LX6). Ghidra plugin. Set instruksi bervariasi antar implementasi.

ColdFire: Varisi M68k CISC. Register D0-D7, A0-A7, SR, PC. Printer, industrial, legacy aerospace.


Akuisisi Firmware β€” SPI, JTAG, Chip-Off

Level 0 β€” Software Dump

# Dari shell device
cat /dev/mtd0 > /tmp/fw.bin; cat /proc/mtd
# U-Boot: sf probe; sf read 0x82000000 0x0 0x100000
# flashrom: flashrom -p internal -r backup.bin

Level 1 β€” SPI Flash SOIC-8 Clip

Tools: CH341A (15-25), Bus Pirate (100-200)

Pinout SOIC-8:

PinSignalKe Programmer
1CS#CS
2DO (MISO)MISO
5DI (MOSI)MOSI
6CLKSCK
7VCC3.3V (JANGAN 5V)
8VCC (opsional)3.3V
4GNDGND
3/7WP#/HOLD#Pull-up 3.3V
flashrom -p ch341a_spi -r fw.bin
md5sum fw.bin; flashrom -p ch341a_spi -r fw2.bin; md5sum fw2.bin

Level 2 β€” JTAG / SWD

InterfacePinsMax Freq
JTAGTMS, TCK, TDI, TDO10-100 MHz
SWDSWDIO, SWCLK100 MHz+

Tools: OpenOCD (free), Segger J-Link (50)

openocd -f interface/ftdi/ft2232h.cfg -f target/stm32f4x.cfg \
  -c "init" -c "flash read_bank 0 dump.bin 0x08000000 0x100000" -c "shutdown"

Level 3 β€” Chip-Off (BGA)

Destructive β€” langkah terakhir. Hot air reflow (Quick 861DW) β†’ reball β†’ reader.

Readout Protection Bypass:

ProteksiBypass
STM32 RDP1Debugger read β€” mass erase enable = data hilang
STM32 RDP2Permanent lock β€” chip-off + voltage glitch
ATECC508A/608AVoltage/clock glitching
i.MX HABKnown vuln per versi (e.g. HAB 4.1.0)

Identifikasi Format & Entropy

Magic Bytes Kunci

1F 8F          β†’ gzip          42 5A 68       β†’ bzip2
5D 00 00 40    β†’ LZMA          7F 45 4C 46    β†’ ELF
48 53 51 53    β†’ SquashFS LE   73 71 71 73    β†’ SquashFS BE
59 41 46 46 53 β†’ YAFFS         55 42 49 2E 23 β†’ UBI# (UBIFS)
52 53 44 53... β†’ UEFI FV       1F 9D / 1F A0  β†’ LZSS (Broadcom)
EB 48 90       β†’ FAT16/32      55 2D 42 6F 6F 74 β†’ U-Boot legacy

Analisis Awal

# 1. Strings
strings fw.bin | head -100
# 2. Entropy
binwalk -E fw.bin
# 3. Signature scan
binwalk fw.bin
# 4. Extract
binwalk -Me fw.bin
# 5. Cek hasil
ls _fw.bin.extracted/
file _fw.bin.extracted/* | grep -v ASCII | grep -v empty

Entropy (0-8 bits/byte): 0-3 = uncomp/strings/padding, 3-6 = mixed/base64, 6-8 = compressed/encrypted. Pola khas firmware: low (header) β†’ high (kernel LZMA) β†’ low (SquashFS magic) β†’ high (filesystem data).


Filesystem Extraction

SquashFS β€” paling umum untuk router Linux:

unsquashfs rootfs.squashfs       # standard
sasquashfs firmware-squashfs.bin # vendor-variant (Broadcom, Huawei)

Superblock: magic hsqs (LE) / qsqs (BE), ukuran blok (default 131072), kompresi: 1=gzip, 2=lzma, 3=lzo, 4=xz, 5=lz4, 6=zstd.

JFFS2:

jefferson rootfs.jffs2
# Alternatif via kernel module: modprobe jffs2; mount -t jffs2 /dev/mtdblock0 /mnt

YAFFS: unyaffs firmware.yaffs2 atau python3 yaffshiv.py.

UBI/UBIFS:

ubireader_extract_images firmware.ubi
ubireader_dump_info firmware.ubi
# Via mtd-utils: ubiformat β†’ ubiattach β†’ mount -t ubifs ubi0:rootfs /mnt

CPIO (initramfs): dd if=fw.bin bs=1 skip=OFFSET | zcat | cpio -idmv (magic β€œ070701”/β€œ070702”).


Static Analysis & String Hunting

Approach

1. Identifikasi arsitektur β€” readelf -h, entry point
2. Strings recon β€” path, IP, keyword security
3. Function scanning β€” system, execve, memcpy, sprintf, gets
4. Cross-reference β€” dari string "password" β†’ XREF ke fungsi pembanding

String Hunting

# Hardcoded credentials
strings fw.bin | grep -iE '(password|passwd|pwd|secret|key|token|auth)' | grep -v '%s'
# Hardcoded IP/URL (C2, update server)
strings fw.bin | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]+'
strings fw.bin | grep -E 'https?://'
# Path interesting
strings fw.bin | grep -E '(/etc/|/var/|/tmp/|/dev/|/proc/|/factory/)'
# Default credentials
strings fw.bin | grep -iE '(admin|root|default|debug|backdoor|guest|support)'
# Format string vuln
strings fw.bin | grep -E '%.*[sdnx]' | grep -v '"%'

Vulnerability Pattern

Pattern di BinaryPotensi CVE
sprintf(buf, user_input)Stack buffer overflow
gets(buf)Classic stack overflow
system(β€œcmd %s”, input)Command injection
memcpy(buf, src, user_len)Heap overflow
strcmp(password, β€œbackdoor”)Backdoor account
hardcoded AES keyFirmware decryption

Ghidra Workflow

  1. Cari string β€œlogin”, β€œpassword”, β€œadmin” β†’ XREF
  2. Trace ke handler (httpd, loginHandler)
  3. Cek recv/read/gets β€” bandingkan length vs buffer size
  4. Cek format string: printf(buf) vs printf(β€œ%s”, buf)
  5. Cek stack canary (__stack_chk_fail): tidak ada β†’ exploit tanpa ROP
  6. Hitung offset via pattern cyclic β†’ ROP chain (system / mknod+telnetd)

Hardcoded Credentials & Backdoor

Backdoor Umum per Vendor:

VendorCredential
Linksysadmin:admin, root:admin
D-Linkadmin:airlive, super:super
TP-Linkadmin:admin, root:1234
Netgearadmin:password
ZTEroot:Zte521
Huaweiadmin:admin, root:admin
IPCameraadmin:123456, root:xc3511
SuperMicro BMCroot:admin
Ciscocisco:cisco, enable:cisco
ASUSadmin:admin

Auto-Scan Script

for f in $(find _extracted -type f -executable 2>/dev/null); do
  strings "$f" | grep -qiE '(system|popen|execve|fork|exec[lv]p?\()' && echo "[+] $f"
  strings "$f" | grep -qiE '(/bin/sh|bash -i|nc -e|mknod|telnetd)' && echo "[!] Backdoor: $f"
done

Hardcoded telnet credential admin:1234567890 ditemukan via strings. Remote attacker login via WAN-side telnet.

Parameter β€œexe” di ping process bisa di-inject command. Tidak ada otentikasi fungsi diagnostik. RCE tanpa auth.


Format String & Integer Overflow

Format string lebih berbahaya di embedded karena ASLR jarang:

// Vulnerable
snprintf(buf, 256, msg);  // msg dari user β†’ format string vuln
// Safe
snprintf(buf, 256, "%s", msg);
  • %n specifier β†’ write arbitrary memory (GOT overwrite)
  • %x/%p β†’ leak stack (canary, libc base, return address)

Integer overflow sering terjadi karena tipe 16/32-bit mapping ke register:

uint32_t calc_size(uint16_t w, uint16_t h, uint8_t bpp) {
    return w * h * bpp;  // overflow jika w*h > 0xFFFFFFFF
}
// w=0x10001, h=0x10001 β†’ small allocation β†’ loop copy dengan size asli β†’ overflow

Vulnerability Discovery β€” Buffer Overflow

Karakteristik embedded vs desktop:

AspekEmbedded
Stack canarySering tidak ada (-fno-stack-protector)
ASLRJarang diaktifkan β€” offset tetap
NXTidak selalu β€” heap/stack executable
PIEJarang β€” base address fixed
RelROSering tidak ada β€” GOT overwrite feasible
MemoryHeap kecil (4KB-1MB), malloc rawan

Contoh decompile dari Ghidra:

void login_handler(int sock) {
    char username[64];
    char password[64];
    char response[256];
    recv(sock, username, 0x100, 0);  // BUG: 256 byte β†’ 64 byte buffer
    recv(sock, password, 0x100, 0);  // BUG: sama
    sprintf(response, "Login: %s", username); // Format string vuln juga
    send(sock, response, strlen(response), 0);
}

Menghitung Offset:

pattern create 2000 > /tmp/pattern.txt
# Kirim ke proses β†’ crash β†’ GDB: info registers pc
pattern offset 0x6161616c  # β†’ "pattern found at offset 140"
# β†’ 140 bytes padding + 4 byte ra + ROP chain

Format String di Embedded

// Vulnerable
snprintf(buf, 256, msg);  // msg dari user = format string vuln
// Safe
snprintf(buf, 256, "%s", msg);

Impact: read arbitrary memory (leak canary/libc), write via %n (GOT overwrite). Lebih berbahaya di embedded karena ASLR jarang.


Heap Exploitation Embedded

Allocator: dlmalloc (uClibc), newlib, musl, FreeRTOS heap. Ukuran 4KB-1MB. Metadata inline tidak diproteksi.

TeknikCara
Heap overflowOverflow ke metadata β†’ ubah size β†’ arbitrary write
Use-after-freeFree tanpa null β†’ reuse corrupted object
Double freeFree 2Γ— β†’ corrupt freelist β†’ arbitrary alloc
Tcache poisoning(uClibc-ng 1.0.36+) β†’ arbitrary address allocation
House of ForceTop chunk overflow β†’ alokasi besar β†’ GOT overwrite
Unsorted bin attackUbah bk pointer β†’ arbitrary write global
dlmalloc chunk: [prev_size(4B)][size(4B)|flags(3b)][data...]
flags: PREV_INUSE=0x1, IS_MMAPPED=0x2, NON_MAIN_ARENA=0x4
 
Overflow A→B: ubah size B, set PREV_INUSE=0 → free(B) backward consolidation
β†’ Fake prev_size β†’ consolidate dengan chunk palsu β†’ overlap β†’ arbitrary write

Emulation β€” QEMU, Firmadyne, Fuzzware

QEMU User Mode

# Ekstrak filesystem dulu
binwalk -Me fw.bin; cd _fw.bin.extracted/squashfs-root
qemu-arm -L . ./bin/sh          # ARM LE
qemu-mips -L . ./bin/sh         # MIPS BE
qemu-mipsel -L . ./bin/sh       # MIPS LE
qemu-arm -g 1234 -L . ./bin/httpd  # debug via GDB

QEMU System Mode

qemu-system-arm -M virt \
  -kernel vmlinuz -initrd rootfs.squashfs \
  -append "console=ttyAMA0 root=/dev/ram rdinit=/sbin/init" -nographic

FirmAE

git clone https://github.com/pr0v3rbs/FirmAE
./run.sh -c <brand> firmware.bin   # infer + boot
./run.sh -r <brand> firmware.bin   # debug shell

Limitasi: Hanya Linux kernel, sering gagal (kernel modules proprietary), tidak support RTOS.

Fuzzware

pip install fuzzware
fuzzware init firmware.bin    # analisis + generate konfigurasi
fuzzware run                  # coverage-guided fuzzing

User-mode QEMU + symbolic execution + peripheral MMIO modeling. Hasil di crashes/.


Secure Boot Chain & Bypass

Boot Flow

BootROM (mask ROM) β†’ signed bootloader (RSA/ECDSA) β†’ verified kernel β†’ dm-verity fs

BootROM bug β€” tidak bisa di-patch (silicon):

CVEDeviceBug
CVE-2021-27886MediaTek MT7622USB header buffer overflow
CVE-2018-3639Qualcomm SnapdragonUSB download mode bypass
BCM2835Raspberry PiGPIO boot mode β†’ boot tanpa signature
CVE-2019-14192Qualcomm WLANBootROM NVRAM parsing overflow

TrustZone (ARM)

Normal World (Linux/Android) ──SMC──→ Secure World (OPTEE/Trusty)
  Secure boot, DRM (Widevine L1), key management, secure storage (RPMB)

Attack surface: SMC handler overflow, key leakage (side-channel power/EM), TZASC misconfig (secure DRAM accessible), OPTEE kernel CVEs.

Verified Boot Bypass

MetodeSyaratDetail
BootHole (CVE-2020-10713)GRUB2 menuOverflow di shim
BlackLotus (CVE-2023-24932)Physical/adminUEFI bootkit persist di NVRAM
Golden key leakSBK leakedSign arbitrary bootloader
Setup modePhysicalImport custom key
CMOS clearPhysicalReset Secure Boot state

Encrypted Firmware β€” Key Extraction

Sumber AES Key

1. HARDCODED DI BINARY β€” strings atau hex search di bootloader/SPL/driver
2. EFUSE/OTP β€” glitching saat boot untuk bypass read protection
3. DERIVED DARI CHIP UID β€” SHA256(chip_id || vendor_salt)
4. KEY FILE β€” /etc/key, /factory/enc_key, /mfg/keys
5. ON-THE-FLY β€” AES key di eFuse, decrypt saat boot
# Cari key
strings fw.bin | grep -E '^[0-9a-fA-F]{32}$'   # 128-bit hex
strings fw.bin | grep -E '^[0-9a-fA-F]{64}$'   # 256-bit hex
 
# Decrypt
openssl enc -d -aes-128-cbc -K "$KEY" -iv "$IV" -in enc.bin -out dec.bin
openssl enc -d -aes-256-cbc -K "$KEY" -iv "$IV" -in enc.bin -out dec.bin

RSA Key Recovery

  • Private key leak dari GitHub/source dump
  • Side-channel (timing analysis RSA)
  • Fault injection (glitching β†’ skip signature check β†’ logic error output)
  • 512-bit key factoring (CADO-NFS)
  • Shared key antar produk vendor
  • Extract dari ATECC608A via I2C probing

OTA Update β€” Attack Surface

Flow: Device β†’ check version β†’ download β†’ verify signature β†’ write flash β†’ reboot.

Attack Vectors:

VectorDetailContoh
DowngradeServer tidak enforce min versionRollback ke FW dengan CVE lama
MITMUpdate via HTTP β€” intercept + ganti binaryCVE-2019-12512 (Netgear)
Signature bypassTidak ada signature check atau public key hardcodedBerbagai IoT
Malicious serverDNS spoofing β†’ serve FW attackerVPNFilter
Partial updateUpdate hanya sebagian flashInject backdoor ke bootloader
Unsigned failsafeRecovery mode tanpa signature checkXiaomi IoT
# Sniff OTA
tcpdump -i eth0 host update-server.com -w ota.pcap
tshark -r ota.pcap -Y "http.response" -T fields -e http.file_data
 
# Cek header OTA: X-Firmware-Version, X-Signature, Content-MD5
hexdump -C downloaded_fw.bin | head -40

WiFi NIC Firmware β€” Reversing

Arsitektur:

Host (Linux) ──PCIe/SDIO──→ WiFi CPU (Xtensa/MIPS/ARC) β†’ MAC/BB β†’ RF

WiFi chip punya CPU independent + DMA ke host memory via bus mastering.

Attack Surface:

VectorMekanismeDampak
Host→firmware RCEOverflow di ioctl parsingCode exec di chip WiFi
DMA via PCIeWiFi chip baca/tulis host memoryFull host compromise
Frame injectionNo source MAC validationKernel exploit via wireless
Firmware load interceptGanti FW binary saat host transferBackdoor permanen
Spectre-likeBranch prediction leak di chip WiFiCross-process data leak

Nexmon: Open-source Broadcom firmware patching (BCM43xx). Monitor mode, frame injection, custom patches untuk chip yang tidak support.


UEFI Firmware Analysis

Boot phases: SEC β†’ PEI β†’ DXE β†’ BDS β†’ TSL β†’ RT.

ToolFungsi
UEFITool / UEFIExtractParse FV, extract FFS/PEI/DXE/SMM modules
CHIPSECScan UEFI config, SMM handlers, SPI flash
IFRExtractorExtract BIOS region dari Intel Flash Descriptor
VarCheckAnalisis NVRAM variable + Secure Boot policy
BinarlyAI-based UEFI vuln scanning (commercial)
UEFIExtract BIOS.bin output_dir/
chipsec_main -m common.bios_wp     # BIOS write protect?
chipsec_main -m common.spi_desc    # SPI descriptor locked?
chipsec_main -m common.uefi_s3     # S3 boot script vuln?

Common UEFI CVEs: SMM callout (buffer dari OS tanpa validasi β†’ overwrite SMRAM), NVRAM corruption, PEI injection, S3 boot script overflow.


BMC β€” Baseboard Management Controller

BMC = second computer: ARM Cortex-A, 256MB-2GB RAM, 32-64MB SPI flash, dedicated NIC. Connections: PCIe (DMA), LPC (flash access), I2C, serial (KVM), USB (virtual media), GPIO.

Attack Vectors:

VectorDetailContoh
IPMI RMCP+Auth bypass/weak cipherCVE-2013-4786
Web UI RCECGI buffer overflowCVE-2019-6260
Default credsroot:admin β€” massal di ShodanSuperMicro
DMA to hostBaca/tulis host memory via PCIe-
KVM injectionVirtual keyboard β†’ keystroke ke host-
Virtual mediaMount ISO β†’ boot OS attacker-
PixieFailRCE via PXE boot pathCVE-2024-0146

BMC Firmware Extraction:

binwalk -Me bmc_firmware.bin
unsquashfs _extracted/*rootfs*
ls squashfs-root/www/; ls squashfs-root/etc/; ls squashfs-root/usr/local/bin/

Real-World Case Studies

Jeep Cherokee 2014 (CVE-2015-6622, CVE-2015-6577)

WiFi→D-Bus→infotainment→CAN bus→ECU: Remote control brake/steering/transmission.
KEY: Firmware OTA tanpa signature proper, CAN bus no auth, no network segmentation.
Source: Miller & Valasek, Black Hat 2015.

VPNFilter (2018, APT28/GRU)

Stage 1: Backdoor firmware router (Linksys, Netgear, MikroTik, TP-Link, ASUS)
Stage 2: C2 via Tor+SSL, packet sniffer, traffic redirection
Stage 3: Self-destruct β€” overwrite flash partition β†’ device brick
KEY: Persist despite reboot dan factory reset. Deteksi via hash integrity check.

Mirai Botnet (2016)

Scan port 23/2323 β†’ brute force 60 default credentials β†’ download loader per arch
600K devices, 1.2 Tbps DDoS ke Dyn DNS β€” internet parsial down.
KEY: Bukan zero-day β€” semua dari credential default firmware.
Supported: ARM, ARM64, MIPS, MIPS64, x86, PowerPC, SPARC, m68k.

Stuxnet (2010)

PLC firmware reflash β†’ display status normal ke HMI, real: destroy centrifuges.
KEY: Firmware-level rootkit pertama. OS dan HMI lihat operasi normal.
PLC tanpa integrity check untuk firmware yang di-load (2007).

AMI MegaRAC β€” PixieFail (CVE-2024-0146)

Multiple BMC vuln via PXE boot path β€” RCE tanpa auth.
100K+ server exposed via BMC management interface di Shodan.
BMC compromise = full host compromise (DMA access).

IoT Botnets β€” Dari Mirai Sampai Downfall

Botnet Evolution

Mirai (2016) membuka pintu dengan menunjukkan betapa massalnya perangkat IoT yang vulnerable karena default credentials. Source code dirilis publik β€” varian bermunculan: MiraiOk, Satori, OMG, MaskedBot.

Perubahan signifikan per generasi:

  • 2016 (Mirai): Hanya brute force telnet dengan 60 credential
  • 2017-2019 (Satori, Mukashi): Fork Mirai + exploit CVE spesifik
  • 2022+ (RapperBot): Hybrid botnet β€” IoT + cloud server untuk DDoS resilience
  • 2024 (Downfall): Target firmware OTA mechanism, bukan credential
TahunBotnetMetode Masuk
2016MiraiDefault credential telnet
2017HajimeP2P DHT decentralized
2018VPNFilterFirmware implant + CVE
2022RapperBotSSH brute force
2023LuCI Lua BotRCE via Lua script injection
2024DownfallFirmware OTA abuse

Defense: No default credentials, disable telnet, signed firmware + anti-rollback, IoT VLAN restricted egress, bug bounty program.


Firmware Hardening & Defense

Build-Time

MitigasiFlag
Stack canary-fstack-protector-strong
PIE-fpie -pie
RELRO-Wl,-z,relro -Wl,-z,now
NX-Wl,-z,noexecstack
Fortify-D_FORTIFY_SOURCE=2
ASLRrandomize_va_space=2
CFI-fsanitize=cfi (Clang)

Runtime

  • Read-only SquashFS rootfs + dm-verity hash tree
  • Separate encrypted data partition (UBIFS + dm-crypt)
  • SELinux/AppArmor + seccomp syscall filter
  • JTAG/SWD/UART disabled di production (efuse)
  • /tmp with noexec,nosuid

TPM Remote Attestation

BootROM β†’ measure boot β†’ PCR[0]
Bootloader β†’ measure kernel β†’ PCR[1]
Kernel β†’ measure rootfs β†’ PCR[2]
Server: challenge signed PCR values via TPM
If mismatch β†’ quarantine from network

Toolkit Checklist

Hardware

AlatHargaPrioritas
CH341A + SOIC clip$5-15⭐ Wajib (SPI flash)
FTDI FT2232H$15-25⭐ Wajib (JTAG)
USB UART 3.3V$5-10⭐ Wajib (console)
Bus Pirate v3.6$30-50⭐⭐ Protocol debug
Logic Analyzer$10-400⭐⭐ I2C/SPI/UART
Hot Air Rework$100-300⭐⭐⭐ Chip-off
Oscilloscope$150-400⭐⭐ Signal analysis
Power supply var$50-150⭐⭐ Power injection

Software

Wajib: Ghidra, binwalk+unblob, QEMU, flashrom, OpenOCD, tcpdump/Wireshark, Python3 + FirmAE/angr.

Nice-to-have: IDA Pro, Saleae LA, ChipWhisperer, HackRF, JTAGulator.


Koneksi ke Vault

SkillHubungan
Hardware HackingAkuisisi fisik β€” SPI, JTAG, chip-off, oscilloscope
Embedded SystemsArsitektur target, RTOS, MMIO, peripheral
Web HackingExploit chain firmware β†’ web interface
Military SIGINTTLE/CNA, firmware implant, supply chain interdiction
Threat DirectoryAPT28 (VPNFilter), Equation (Stuxnet), CIA (Vault 7)
Underground KnowledgeIoT botnet economy, firmware dumping services

Dokumen ini adalah living note β€” diperbarui seiring muncul teknik baru, CVE signifikan, dan perubahan landscape ancaman firmware.