Streamlining Firmware Analysis with Inter-Image Call Graphs and Decompilation

This talk addresses challenges related to cartography and executable interdependencies often encountered in firmware analysis or in structured formats like the MacOS/iOS dylib shared cache. We introduce the term "inter-image" call graph, representing the calls relationship across an entire filesystem as a single graph. Instead of relying on the import/export relationships in dynamically linked binaries, we use the call graph obtain by disassembly, mapping precisely which functions call others. This graph, enables more efficient testing and resolution of graph-reachability queries across binaries. We show how to compute this graph using several open-source libraries we've developed such as Quokka for exporting disassembly data in an easy-to-process structure and Numbat, which interfaces with Sourcetrail's graph database. Originally developed for source code navigation, Sourcetrail's database can be adapted to accommodate various graph structures. We further illustrate how to integrate decompiled code for enhanced navigation. However, adding the entire decompiled code from each firmware executable into a single database is not scalable due to Sourcetrail's underlying SQLite limitations. To address this, we present a "fractal firmware analysis" methodology. This approach allows for traversal of the inter-image call graph, then zooming into a specific executable to explore decompiled code (still represented as a graph), and finally, accessing more detailed information through preferred disassemblers for data structure and everything that can't fit in a graph database. Finally, we provide a glimpse into bridging the gap between binary/assembly and source code tools by assembling open-source libraries. We conclude with an open discussion showing that there are rooms for more advanced analyses and data representations that could ease reverser's life.

Making sense of your car: Reverse engineering AUTOSAR Classic firmware

Have you ever wondered how the firmware running in the ECUs (Electronic Control Units) of your car works? Have you ever dared to investigate one of these firmware files? Were you scared by the sheer number of functions for a seemingly simply device? Welcome in the AUTOSAR world, a “standard“ for building software that runs in your car. A software that you trust to protect your life every day. This talk will guide you through a process of reverse engineering a firmware file that was built using the AUTOSAR Classic standard. The talk will start by explaining what the AUTOSAR platform is, and it will leverage live demonstrations performed on a real-life example file to demonstrate techniques that can be used to identify points of interest inside the firmware running in every car that you can meet on the street. You will learn about some purely manual techniques as well as points that can be fully automated (plugin for Binary Ninja will be released as part of this talk so you don’t have to bother automating these yourself). At the end of this session, you should be equipped with a tools and techniques that will lower the pain and suffering that you may have felt while diving into the secrets of the automotive industry.

Advent Of Radare2