Exploiting DFU mode to snag a copy of firmware upgrades

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Upgrade (DFU) protocol in order to get your hands on firmware images. It’s a relatively easy technique: instead of attacking the device itself, you present a fake device to the manufacturer’s own updater, which obligingly pushes the firmware image to it, and the image is dumped directly to a terminal window. This way you can get down to the nitty-gritty of disassembling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, letting a script on the host answer USB requests in software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendor ID and product ID of the victim, then running the manufacturer’s updater, which pushes the firmware image to what it believes is the real device. In most cases this shouldn’t even require you to have the victim hardware on hand, provided you know the IDs the device presents while in DFU mode, which can differ from the ones it uses at runtime.
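What the emulated side actually has to do is answer the handful of DFU class requests the updater sends (DFU_DNLOAD blocks interleaved with DFU_GETSTATUS polls, then a zero-length DFU_DNLOAD to end the image) and keep every block. The following is an added example, not Facedancer’s or [Travis Goodspeed]’s code: a device-side DFU 1.1 state machine in Python that captures the image, driven by a constructed in-process stand-in for the vendor’s updater (`run_updater`) rather than by SETUP packets off a real USB bus. The firmware bytes are constructed for the example and are not any product’s update.

```python
import struct

# Class-specific bRequest values (USB DFU 1.1, Table 3.2)
DFU_DETACH, DFU_DNLOAD, DFU_UPLOAD, DFU_GETSTATUS, DFU_CLRSTATUS, DFU_GETSTATE, DFU_ABORT = range(7)
# bmRequestType for class requests addressed to the DFU interface (OUT / IN)
REQ_OUT, REQ_IN = 0x21, 0xA1
# Device states (Table A.2); appIDLE/appDETACH are skipped because this
# emulated device enumerates straight into DFU mode, like a bare bootloader
DFU_IDLE, DNLOAD_SYNC, DNBUSY, DNLOAD_IDLE, MANIFEST_SYNC, MANIFEST, MANIFEST_WAIT_RESET, UPLOAD_IDLE, DFU_ERROR = range(2, 11)
STATUS_OK, ERR_STALLEDPKT = 0x00, 0x0F
STALL = None  # return value meaning "STALL the control pipe"


class DfuFirmwareCapture:
    """Answers DFU control requests like a compliant device and keeps the image."""

    def __init__(self):
        self.state = DFU_IDLE
        self.status = STATUS_OK
        self.blocks = {}   # wBlockNum -> payload bytes
        self.image = None  # assembled once the host ends the download

    def handle(self, bmRequestType, bRequest, wValue, wIndex, data=b""):
        """One SETUP packet plus OUT data; returns IN data (b"" = plain ACK) or STALL."""
        if bmRequestType == REQ_OUT and bRequest == DFU_DNLOAD:
            return self._dnload(wValue, data)
        if bmRequestType == REQ_IN and bRequest == DFU_GETSTATUS:
            return self._getstatus()
        if bmRequestType == REQ_IN and bRequest == DFU_GETSTATE:
            return bytes([self.state])
        if bmRequestType == REQ_OUT and bRequest == DFU_CLRSTATUS and self.state == DFU_ERROR:
            self.state, self.status = DFU_IDLE, STATUS_OK
            return b""
        if bmRequestType == REQ_OUT and bRequest == DFU_ABORT and self.state in (DFU_IDLE, DNLOAD_IDLE, UPLOAD_IDLE):
            self.state = DFU_IDLE
            return b""
        return self._error()  # anything else is invalid in the current state

    def _error(self):
        self.state, self.status = DFU_ERROR, ERR_STALLEDPKT
        return STALL

    def _dnload(self, block_num, data):
        if self.state == DFU_IDLE and not data:
            return self._error()  # zero-length DNLOAD before any data is an error
        if self.state not in (DFU_IDLE, DNLOAD_IDLE):
            return self._error()
        if data:
            self.blocks[block_num] = bytes(data)
            self.state = DNLOAD_SYNC
        else:
            self.state = MANIFEST_SYNC  # host says the image is complete
        return b""

    def _getstatus(self):
        # Nothing is really flashed, so each block "programs" instantly and
        # manifestation is already complete by the time the host asks.
        if self.state == DNLOAD_SYNC:
            self.state = DNLOAD_IDLE
        elif self.state == MANIFEST_SYNC:
            self.state = DFU_IDLE
            self.image = self._assemble()
        # bStatus, bwPollTimeout (24-bit LE), bState, iString; bState is the
        # state the device is in once this reply has gone out
        return struct.pack("<B", self.status) + (0).to_bytes(3, "little") + struct.pack("<BB", self.state, 0)

    def _assemble(self):
        nums = sorted(self.blocks)
        if nums != list(range(nums[0], nums[0] + len(nums))):
            raise ValueError("block numbers are not contiguous: %r" % nums)
        return b"".join(self.blocks[n] for n in nums)


def run_updater(device, firmware, transfer_size=64):
    """Constructed stand-in for the vendor's updater: a minimal DFU host that
    downloads `firmware` in wTransferSize chunks and returns the final bState."""
    def wait_idle():
        while True:
            reply = device.handle(REQ_IN, DFU_GETSTATUS, 0, 0)
            status, state = reply[0], reply[4]
            if status != STATUS_OK:
                raise RuntimeError("device reported DFU status 0x%02x" % status)
            if state not in (DNBUSY, MANIFEST):
                return state
    for block_num, off in enumerate(range(0, len(firmware), transfer_size)):
        if device.handle(REQ_OUT, DFU_DNLOAD, block_num, 0, firmware[off:off + transfer_size]) is STALL:
            raise RuntimeError("DNLOAD block %d stalled" % block_num)
        wait_idle()
    device.handle(REQ_OUT, DFU_DNLOAD, block_num + 1, 0, b"")  # zero-length: end of image
    return wait_idle()


# Constructed sample image for a stand-alone run (785 bytes -> 13 blocks of 64)
SAMPLE_FIRMWARE = bytes(range(256)) * 3 + b"\xff" * 17

if __name__ == "__main__":
    dev = DfuFirmwareCapture()
    run_updater(dev, SAMPLE_FIRMWARE)
    print("captured %d bytes in %d blocks" % (len(dev.image), len(dev.blocks)))
```

On real hardware the `handle` method is what a Facedancer-style emulator would call for each class request arriving on endpoint 0, with the vendor’s updater on the other end instead of `run_updater`; once `image` is populated you write it to disk and start disassembling. The block-number check matters in practice: some updaters send blocks out of order or restart from zero after an error, and silently concatenating them gives you a corrupt image.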

AVR programmer made without a programmer

[blueHash] uses this cheap development board as an AVR programmer. What’s interesting to us is that it solves the chicken-or-egg problem that is usually encountered when bootstrapping a programmer. We’ve written about this issue before. Most programmers are built around microcontrollers, which first need to be flashed using a programmer. But it turns out the chip on this dev board ships with a DFU bootloader, which gets around that conundrum: the firmware goes in over USB, with no programmer involved.

He grabbed a uSD dev board for about $6. It’s got a crystal, an ATmega32u4 chip, and on the other side there’s a MicroSD card slot. We looked around and found an Atmel Datasheet (PDF) which describes the Device Firmware Upgrade mechanism. The AVR devices which support DFU come from the factory with the DFU bootloader already in flash and the fuses set to run it, so a blank-from-the-store chip can be programmed over USB right away. This dev board is designed to use DFU, so all [blueHash] needed to do was find and configure an ISP firmware that worked with this chip.
