Exploiting DFU Mode To Snag A Copy Of Firmware Upgrades

[Travis Goodspeed] continues his work at educating the masses on how to reverse engineer closed hardware devices. This time around he’s showing us how to exploit the Device Firmware Updates protocol in order to get your hands on firmware images. It’s a relatively easy technique that uses a man-in-the-middle attack to dump the firmware image directly to a terminal window. This way you can get down to the nitty-gritty of decompiling and hex editing as quickly as possible.

For this hack he used his Facedancer board. We first saw the hardware used to emulate a USB device, allowing the user to send USB commands via software. Now it’s being used to emulate your victim hardware’s DFU mode. This is done by supplying the vendorID and productID of the victim, then pushing the firmware update as supplied by the manufacturer. In most cases this shouldn’t even require you to have the victim hardware on hand.

11 thoughts on “Exploiting DFU Mode To Snag A Copy Of Firmware Upgrades

  1. Why not use the Linux USB debug options?

    Similar to capturing packets using wireshark, the USB debug interface allows one to capture all the packets on the USB bus, with handy decoding built in.

    For “Windows Only” peripherals, fire up your favourite VM [VirtualBox, VMWARE, etc], export the USB peripheral, and you are good to go.

    1. Cuts out most of the software hassle, and gives you a dedicated hardware device that’s MUCH more flexible.
      Not to mention when you’re dealing with devices where the software for them is only available/executable on windows platforms (example)

      All this is mentioned in the article one or two times.

      1. I don’t think you get what this is good for. The Facedancer is only useful if the target uses a known DFU protocol. It’s not a general purpose USB snooper. For supported devices Facedancer makes snagging firmware stupid easy.

        Anne Nonymous said to run Windows in a VM on Linux… This is the canonical way of snooping Windows USB IO for free.

    1. Any encryption is removed before it’s transferring to the device, and that’s why this is a man-in-the-middle attack, it grabs after the decryption when the firmware updater think it’s OK since it’s out of the box. That’s the point of this setup, else you would not need to do this at all and you’d just use the firmware package.

      Normal hardware doesn’t have decryption on the hardware itself, that’s highly unusual I would think since it adds cost to it and increases complexity.
      Although I guess they could do some very simple low cost bit flipper of some sort.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.