Ladies and gentlemen, start your engines
If you have ever been in a playground, you know there are different levels of difficulty in the equipment you can use. Our book is designed to help you figure out which is the best combination of exercises and tools to get your hands dirty with, without getting lost. In our case, the equipment will be different devices, made by different vendors, with different software. Given that we are working with embedded devices, we have had to carefully choose which hardware and software to play with so that you can have the most fun and get the most out of this book.
QEMU basic instrumentation
Instrumentation in computer science is a term that signals that some extra code has been added to an application to analyze or observe a particular behavior or a class of several behaviors. We will explain how it is possible to introduce a new CPU in QEMU and start to execute the first bits of firmware. The code will be almost entirely written in Python. Here, you will see how far this horizon can go, but immediately, you’ll understand the difficulties of running software that expects to interact with sensors, actuators, radio signals, and so on.
OpenWrt full system emulation
OpenWrt (https://openwrt.org/) is a Linux operating system dedicated to baseband routers. It’s a very powerful mod of the world’s favorite penguin software. It is quite easy to install on many old and recent routers and it brings them back to life with a smooth web UI and support for many features of the network. It also includes a package manager. For example, OpenWrt could be instrumented to eavesdrop on HTTPS and save it locally through USB storage if your router has such hardware. At the time of writing, OpenWrt supports almost 2,000 devices. This means that a vulnerability in this system can potentially expose millions of users. Since this firmware embeds an entire operating system, we will be able to perform full system emulation and plug in our harness to hunt for some vulnerabilities. We will show this harness for x86 and ARM32 architectures.
Samsung Exynos baseband
Shannon is the software that’s running within the Exynos chips of Samsung. In this book, we will use it to fuzz into the protocol stack to rediscover some nasty vulnerabilities. This research has been foundational to exploiting GSM and gaining root privileges within cellular phones’ radio chips and eventually escalating to the application processor through the kernel driver. In Android, this interface driver is called RILD (https://hernan.de/research/papers/firmwire-ndss22-hernandez.pdf).
iOS and Android
We will embark on a difficult journey and show how mobile operating systems and their libraries can be executed and fuzzed on your PC. Standing on the shoulders of many giants, we have taken the chance to explain the nuts and bolts of these gems, to empower everyone that has the will to access these precious resources. The final chapter will include a syscall fuzzer for iOS and a library fuzzer for Android.