Note: To ensure that all training kits are delivered to the attendees before the start of the training, we encourage everyone to register for the Reverse Engineering Firmware with Ghidra Training before Friday, 1 April 2021. After this day, we cannot ensure that all kits are delivered in time.
This hands-on course teaches the concepts, tools, and techniques required to reverse engineer firmware and assess embedded devices. To ensure the tools taught are available to all, we will make use of Ghidra, a powerful open-source reverse engineering tool developed by the National Security Agency. This free, capable tool eliminates the high cost of entry of expensive commercial tools that are currently used for these tasks.
Labs attacking an embedded Linux system and a bare-metal Bluetooth Low Energy device will be used to deliver a hands-on experience. You can expect to leave this course with the skills to reverse firmware for a variety of embedded targets. You'll also take home a target board to continue building your skills after the course.
The global embedded system market is predicted to be worth over $200 billion by 2020. An embedded system is a combination of software (called firmware) and hardware which together facilitate the accurate functioning of a target device. These increasingly popular devices are not only found in the home, but automotive, telecommunications, healthcare, industrial, and military & aerospace.
Working with firmware requires skills beyond ordinary binary reversing. This course begins with an introduction to reverse engineering ARM binaries, then moves into skills for various types of firmware. We will use Ghidra, the NSA's open-source reverse engineering tool, throughout the course. This highly extensible tool supports many different processor architectures, making it well suited for firmware reversing. Ghidra's featureset is comparable to costly tools such as IDA Pro.
Two targets will be explored in the course: an embedded Linux device and a bare-metal ARM device with Bluetooth Low Energy. These types of devices represent what's inside many products in the wild.
This course is divided into four half-day modules. Each course module adopts a Mission Essential Task List (METL) approach where students are taught a list of tasks required in order to successfully implement the skills in the hands on section. We will follow this agenda:
Day 1 - Introduction to Embedded Reverse Engineering & Hello Ghidra
Day 2 - Embedded Linux Device
Day 3 - Bare-Metal Device 1: Device Peripherals and Interrupts
Day 4 - Bare-Metal Device 2: RTOS, System Calls, Bluetooth Low Energy
This course is aimed at students who have some experience with software development and/or binary reverse engineering, but want to learn more about binary reverse engineering, attacking embedded systems, and Ghidra.
If you are comfortable reading and writing writing C, you should have the background knowledge required for this course.
To help students before the course, we will provide recommended pre-course materials. This will help less experienced students get up to speed before the course.
Eric EVENCHICK has worked in development and reverse engineering roles for hardware and software companies. He now specializes in embedded device security, automotive security, and bespoke tool development. Eric's work with embedded systems began with development of research vehicles at the University of Waterloo, in partnership with General Motors and the US Environmental Protection Agency. This experience lead to roles in developing automotive firmware and reverse engineering vehicle systems at companies including Tesla Motors and Faraday Future. Eric is currently a Technical Director at NCC Group where he performs security testing on a wide variety of targets. In 2014, Eric founded Linklayer Labs, which provided consulting services and develops open source hardware tools for the information security community. Since 2012, he has been a contributor to Hackaday, a blog covering hardware and software "hacks." Eric holds a Bachelor of Applied Science in Electrical Engineering from the University of Waterloo. He has presented at numerous software and security conferences including Black Hat events in USA, Asia, and Europe, SecTor, ToorCon, and PyCon USA. His work has been featured by several publications, including Wired and Forbes.