Exploiting DFU mode to snag a copy of firmware upgrades

[Travis Goodspeed] continues his work of educating the masses on how to reverse engineer closed hardware devices. This time around he's showing us how to exploit the USB Device Firmware Upgrade (DFU) protocol in order to get your hands on firmware images. It's a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it's being used to emulate your victim hardware's DFU mode. This is done by supplying the vendor ID and product ID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn't even require you to have the victim hardware on hand.
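The two things the emulated DFU device actually sees are class-specific control transfers (DFU_DNLOAD blocks numbered by wValue, interleaved with DFU_GETSTATUS polls, ending in a zero-length DFU_DNLOAD) and, if the vendor followed the spec, a 16-byte DFU suffix at the end of the image. The following is an added example, not code from the article or from the Facedancer project: it reassembles an image from a list of control transfers such as an emulator log or a usbmon/Wireshark trace would yield, reports missing blocks instead of silently zero-filling them, and validates the DFU 1.1 suffix (signature plus CRC-32 without final inversion, the way dfu-util's dfu-suffix writes it). Request codes and the suffix layout come from the USB DFU 1.1 spec; the sample transfers, the 0x1234/0x5678 vendor/product IDs and the 1024-byte transfer size are constructed placeholders.

```python
"""Reassemble and validate a firmware image from DFU_DNLOAD control transfers.

Added example, not code from the Hackaday article or the Facedancer project.
The transfers below are constructed inline; in practice they come from a
USB bus trace or from an emulated device's request log.
"""
import struct
import zlib
from collections import namedtuple

# DFU class-specific request codes (USB DFU 1.1, table 3.2)
DFU_DETACH, DFU_DNLOAD, DFU_UPLOAD, DFU_GETSTATUS = 0, 1, 2, 3
DFU_OUT = 0x21   # bmRequestType: host-to-device, class, interface
DFU_IN = 0xA1    # bmRequestType: device-to-host, class, interface
DFU_SUFFIX_LEN = 16

# One USB control transfer as it appears in a trace or emulator log
ControlXfer = namedtuple("ControlXfer", "bmRequestType bRequest wValue wIndex data")


def reassemble_dfu_download(transfers):
    """Return (image, missing_block_numbers, completed).

    Only host-to-device DFU_DNLOAD requests carry firmware; wValue is
    wBlockNum, starting at 0. A zero-length DFU_DNLOAD ends the image.
    Blocks are keyed by number so reordering or duplicate captures do not
    corrupt the output, and gaps are reported rather than zero-filled.
    """
    blocks = {}
    completed = False
    for x in transfers:
        if x.bmRequestType != DFU_OUT or x.bRequest != DFU_DNLOAD:
            continue  # status polls and device-to-host traffic carry no image data
        if len(x.data) == 0:
            completed = True  # zero-length DNLOAD: host says "that was the last block"
            break
        blocks.setdefault(x.wValue, bytes(x.data))
    if not blocks:
        return b"", [], completed
    expected = range(0, max(blocks) + 1)
    missing = [n for n in expected if n not in blocks]
    image = b"".join(blocks[n] for n in expected if n in blocks)
    return image, missing, completed


def parse_dfu_suffix(image):
    """Return the DFU 1.1 suffix fields if `image` ends with a valid one, else None.

    Suffix (little-endian): bcdDevice, idProduct, idVendor, bcdDFU,
    ucDfuSignature ('U','F','D'), bLength, dwCRC. dwCRC covers everything
    before it and is CRC-32 without the final inversion (zlib.crc32 ^ 0xFFFFFFFF).
    """
    if len(image) < DFU_SUFFIX_LEN:
        return None
    s = image[-DFU_SUFFIX_LEN:]
    bcd_device, id_product, id_vendor, bcd_dfu, sig, blen, crc = struct.unpack("<HHHH3sBI", s)
    if sig != b"UFD" or blen != DFU_SUFFIX_LEN:
        return None
    if (zlib.crc32(image[:-4]) ^ 0xFFFFFFFF) != crc:
        return None  # suffix present but image truncated or altered
    return {"idVendor": id_vendor, "idProduct": id_product,
            "bcdDevice": bcd_device, "bcdDFU": bcd_dfu}


def add_dfu_suffix(payload, id_vendor, id_product, bcd_device=0x0100):
    """Append a spec-conformant DFU suffix (used here only to build sample input)."""
    head = struct.pack("<HHHH3sB", bcd_device, id_product, id_vendor, 0x0100, b"UFD", DFU_SUFFIX_LEN)
    crc = zlib.crc32(payload + head) ^ 0xFFFFFFFF
    return payload + head + struct.pack("<I", crc)


def split_into_dnload_transfers(image, transfer_size=1024, interface=0):
    """Model what a host-side updater sends: numbered DFU_DNLOAD blocks, each
    followed by a DFU_GETSTATUS poll, then a zero-length DFU_DNLOAD."""
    xfers = []
    offsets = list(range(0, len(image), transfer_size))
    for n, off in enumerate(offsets):
        xfers.append(ControlXfer(DFU_OUT, DFU_DNLOAD, n, interface, image[off:off + transfer_size]))
        xfers.append(ControlXfer(DFU_IN, DFU_GETSTATUS, 0, interface, b""))
    xfers.append(ControlXfer(DFU_OUT, DFU_DNLOAD, len(offsets), interface, b""))
    return xfers


if __name__ == "__main__":
    # Constructed sample: 2560 bytes of payload plus suffix with placeholder IDs
    fw = add_dfu_suffix(bytes(range(256)) * 10, id_vendor=0x1234, id_product=0x5678)
    image, missing, done = reassemble_dfu_download(split_into_dnload_transfers(fw))
    print(len(image), missing, done, parse_dfu_suffix(image))
```

Whether a captured image passes `parse_dfu_suffix` is a quick integrity check, not proof of plaintext: an encrypted payload can still carry a valid suffix, so a byte-entropy look at the reassembled image is the next step before reaching for a disassembler.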

Comments

  1. Anne Nonymous says:

    Why not use the Linux USB debug options?

    Similar to capturing packets using wireshark, the USB debug interface allows one to capture all the packets on the USB bus, with handy decoding built in.

    For “Windows Only” peripherals, fire up your favourite VM [VirtualBox, VMWARE, etc], export the USB peripheral, and you are good to go.

    • Ratix says:

      Cuts out most of the software hassle, and gives you a dedicated hardware device that’s MUCH more flexible.
      Not to mention when you’re dealing with devices where the software for them is only available/executable on windows platforms (example)

      All this is mentioned in the article one or two times.

      • chango says:

        I don’t think you get what this is good for. The Facedancer is only useful if the target uses a known DFU protocol. It’s not a general purpose USB snooper. For supported devices Facedancer makes snagging firmware stupid easy.

        Anne Nonymous said to run Windows in a VM on Linux… This is the canonical way of snooping Windows USB IO for free.

  2. rasz says:

    Why build hardware for something software could do?

  3. ejonesss says:

    Will this mean you can get the updates for iOS devices from Apple?

  4. TechByTom says:

    Why is there an ubertooth in the picture?

  5. AC says:

    When I saw DFU, the first thing I thought of was it standing for “Don’t F**K UP!”. HA!

  6. doragasu says:

    Lots of times firmware images sent through USB are encrypted. So sniffing them is not a very good deal.

    • Whatnot says:

      Any encryption is removed before it's transferred to the device, and that's why this is a man-in-the-middle attack: it grabs the image after the decryption, when the firmware updater thinks it's OK since it's out of the box. That's the point of this setup, else you would not need to do this at all and you'd just use the firmware package.

      Normal hardware doesn’t have decryption on the hardware itself, that’s highly unusual I would think since it adds cost to it and increases complexity.
      Although I guess they could do some very simple low cost bit flipper of some sort.
