44CON

The UK's Best Cybersecurity Event Series

44CON
Saumil Shah

The ARM IoT Firmware Laboratory 2020 Preview

Extract, Emulate and Exploit ARM IoT in this exclusive 2020 Preview

The world of ARM IoT devices is growing rapidly. Routers, IP cameras, Network video recorders, VoIP systems and several other “smart” appliances are now running on ARM SoCs. While the hardware is the latest and greatest, the software running on it is a different story.

The ARM IoT Firmware Laboratory is a brand new class, beginning where the ARM IoT Exploit Laboratory left off. This class takes a closer look at the hardware and the firmware running on it. Learn how to extract firmware from IoT hardware, accurately emulate it with the Saumil’s latest unreleased ARM-X framework and cover new hardware targets including Network video recorders, IP cameras, routers and more.

This 4-day course takes place at the Novotel London West, Hammersmith from the 2nd – 5th of December, 2019.


Book Now

Saumil Shah

Who Should Take This Course

  • Students wanting to learn ARM exploitation.
  • Technical staff responsible for IoT security.
  • Penetration testers wanting to learn how to exploit IoT.

“Extract, Emulate and Exploit IoT at scale with this course”

Going Beyond The ARM IoT Exploit Lab With An Exclusive 2020 Preview

This class takes a closer look at the hardware and the firmware running on IoT. Students shall learn how to analyse, emulate and exploit the firmware on a variety of ARM IoT devices. The class starts with extracting the firmware directly from the devices, moves on to creating an emulated test environment for fuzzing and debugging, and writing end to end exploits for the devices. The class shall feature an array of hardware targets of varying complexity. Students shall have ample time for hands on exercises to sharpen their exploitation skills. Students will be provided with all the lab images used in the class. The ARM IoT Exploit Laboratory uses a “Live Notes” system that provides a running transcript of the instructor’s system to all the students. Our lab environment, plus about 800MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends. New For 2020:

  • Hardware level firmware extraction from IoT devices.
  • ARM-X: A new firmware emulation framework for accurate emulation of IoT devices, including nvram.
  • New hardware targets: Network video recorders, multiple IP cameras, multiple routers, and more.

Pre-requisites:

  • A conceptual understanding of how functions work in C programming
  • Knowledge of how a stack works, basic stack operations
  • Familiarity with debuggers (gdb, WinDBG, OllyDBG or equivalent)
  • Not be allergic to command line tools.
  • Have a working knowledge of shell scripts, cmd scripts or Perl.
  • If none of the above apply, then enough patience to go through the pre-class tutorials.
  • Skill Level: Intermediate (leaning towards advanced)

What You’ll Learn

  • Understanding what’s under the hood – circuit boards, pins, interfaces and flash chips
  • Hardware-level firmware extraction over UART and flash memory
  • Emulating IoT Hardware, including nvram and library patching
  • Emulation workarounds for missing components
  • Real-world practical ARM exploitation tools and techniques
  • ARM ROP Exploit mastery
  • Bypassing ARM exploitation restrictions and constraints


Book Now

Course Outline

Day 1 – Reversing ARM-based IoT

  • ARM architecture and assembly language intro.
  • Learn ARM assembly by compiling and reverse engineering binaries.
  • Using GDB for debugging ARM ELF binaries.
  • An introduction to ARM IoT devices.
  • Lunch
  • Under the hood – a tour of the circuit boards, pins, interfaces and flash chips.
  • Obtaining the firmware via UART console.
  • Obtaining the firmware using an EEPROM programmer device, directly from the memory.
  • Unpacking the firmware and static analysis.
  • Bug hunting via static reverse engineering and decompilation.

Day 2 – Emulating IoT Devices

  • Introducting the ARM-X Firmware Emulation Framework.
  • How to emulate an IoT device in ARM-X.
  • Matching the device – choosing the right CPU to emulate.
  • Matching the device – compiling a custom kernel.
  • Emulating a home router in ARM-X.
  • Lunch
  • Filling in the blanks – dealing with missing hardware in the emulator.
  • Working with nvram.
  • Emulate an IP camera in ARM-X.
  • Complexities in emulation – hotpatching and hooking functions.
  • Emulate a compilcated IoT device.

Day 3 – Attacking and Exploiting IoT

  • Debugging the emulated IoT device.
  • Dynamic tracing of the emulated IoT device.
  • Bug hunting by fuzzing.
  • Bug hunting by reverse engineering.
  • Writing exploits for the bugs discovered.
  • Writing customised ARM shellcode.
  • Lunch
  • Bypassing exploit mitigation technologies – DEP and ASLR.
  • Practical ARM ROP chains.
  • Attacking the actual hardware.
  • Overcoming cache coherency issues.

Day 4 – Advanced Exploitation

  • Overcoming limitations in the exploit payloads – size, bad characters and encodings.
  • Three hardware targets to emulate and exploit.
  • Lunch
  • Bonus challenges for those hungry for more.

What To Bring

  • A Laptop with 8GB of RAM, i3, wifi, appropriate dongles and 40GB of Free hard disk space
  • Administrator access to aforementioned laptop
  • VMWare Player/Workstation/Fusion – not Virtualbox

What Students Are Provided With

  • Copies of all lab images used in class
  • Running Live Notes training transcription
  • 800MB of Curated reading material to continue learning

4 Days of Training at a Premium London Venue.
Book Now at only £2600 Inc. VAT!


Book Now!

4 Reasons Why You’ll Want To Train With 44CON

Classrooms

Venue

Focus on learning with our spacious, air-conditioned rooms. The comfort doesn’t stop there, with incredible food at lunch and in breaks.

Serious Savings

Save over 50% with us compared to the same courses at other events in London. Get the Vegas experience without the cost.

44CONnect

44CONnect

Get exclusive invites to 44CONnect – our quarterly event with talks and more. Invites run for 12 months after your last course.

44CON

44CON Discounts

You’ll receive an exclusive £50 discount code for standard tickets to the next main 44CON event: the UK’s best security conference.

Meet The Trainer: Saumil Shah

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at awesome conferences like Deepsec, Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.


Book Now For December!

Saumil Shah

44CON December Bonus: Hootenanny Tickets Included!

Hootenanny

The 44CONnect Hootenanny is an end-of-year one day event on the 6th of December.

The Hootenanny has a single talk track, a workshop track and an escape room track. We’ll have workshops from our trainers so you can get a taste of their courses, and a bunch of invited talks at the level of quality you’ve come to expect from a full 44CON. The event is fully catered, of course.

All December training attendees automatically receive a Hootenanny ticket as part of their booking. Those who’ve attended training at any time in 2019 can join our wait list. Tickets will be issued to the wait list two weeks before the Hootenanny event.


Book Now

Watch Saumil Talk

ARM Assembly and Shellcode Basics – 2 Hour 44CON Workshop

A two hour workshop on writing ARM Shellcode from scratch. The workshop covers simple ARM assembly, and then two shellcode examples: A simple execve() shell and a fully working Reverse Shell. The shellcode will be tested in an ARM QEMU Emulator as well as on actual ARM hardware.

https://www.youtube.com/watch?v=BhjJBuX0YCUhttps://www.youtube.com/watch?v=zyLxYfGlGZE

Stegosploit – Drive by Browser Exploits using only Images

“A good exploit is one that is delivered with style”. Saumil creates a new method to encode “drive-by” browser exploits and deliver them through image files using steganography and polyglots.

Stay In Touch

Like the NSA, our newsletter will be in your inbox every Tuesday. Unlike the NSA, you can unsubscribe at any time.