Embedded Firmware Exfiltration - The Easy Way
SSH EXFIL
Recently, I’ve been obsessed with hacking on embedded QNX systems - inspired by my own car’s head unit!
As part of this, I’ve been looking to dump the device’s firmware for future static analysis. On other car head units, I’ve achieved this by simply plugging in a USB drive - mount it, dd over a disk image, and huzzah! You’re done! But this time, this system doesn’t have any USB ports… It does, however, have an Ethernet interface!
It’s not often you look to extract an embedded device’s firmware over the network. Lucky for me, the device has an SSH daemon to support remote access. While it’s a bit hacky, you can actually use an SSH connection to extract a disk image from an embedded system!
Copying Disk Images over SSH
To do this, we’re going to need a few things. On the host computer, we need sshpass (for non-interactive login), ssh (our client), and dd (to write the bytes to a file). On the target device, we’ll need sshd (to accept the SSH connection) and dd. (Note: if your target lacks dd, you can simply cat the raw block device with this same technique!)
Effectively, what we’re going to do is use dd to read raw data from /dev/sda0, and pipe it directly back to an output file on our host system!
The command is as follows:
sshpass -p"password" ssh root@target "dd if=/dev/sda0" | dd of=target_sda0.img
How does it work?
With this command, we’re using sshpass to automatically log into the device. Next, we use dd to pipe out bytes from the target device’s sda0 storage. This output comes out of our ssh client’s stdout and is piped directly into our local dd, which writes it to target_sda0.img!
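The same pipeline written as a host-side script that also verifies the image. This is an added example, not code from the post: it assumes Python 3, sshpass and ssh on the host, sshd plus dd (or cat) on the target, and, for the optional check only, a sha256sum binary on the target; root@target and /dev/sda0 are the post’s placeholders. It uses sshpass -e, which reads the password from the SSHPASS environment variable rather than from -p"password", so the password does not appear in the host’s process list, and it hashes the bytes as they stream so a truncated or corrupted transfer is caught rather than discovered later during analysis.

```python
"""Dump a block device over SSH and verify the copy (added example, not from the post).

Host: Python 3, sshpass, ssh. Target: sshd plus dd (or cat); sha256sum is assumed
only for the verification step. Export SSHPASS before running for real.
"""
import hashlib
import shlex
import subprocess
from typing import Dict, List

CHUNK = 1 << 20  # 1 MiB: read size on the pipe, and the bs= handed to the remote dd


def ssh_runner(user_host: str) -> List[str]:
    """Command prefix that executes one remote command string via sshpass + ssh.

    'sshpass -e' takes the password from the SSHPASS environment variable, so it
    is not visible to other local users in the process list the way -p"..." is.
    """
    return ["sshpass", "-e", "ssh", user_host]


def dump_device(runner: List[str], device: str, out_path: str,
                use_dd: bool = True) -> Dict[str, object]:
    """Stream the raw bytes of `device` from the target into `out_path`.

    `runner` is the prefix that runs a remote command: ssh_runner("root@target")
    for real use, or ["sh", "-c"] to exercise the same pipeline on a local file.
    use_dd=False falls back to cat for targets that ship without dd.
    Returns the byte count written and the SHA-256 computed while streaming.
    """
    dev = shlex.quote(device)
    remote_cmd = f"dd if={dev} bs={CHUNK}" if use_dd else f"cat {dev}"
    digest = hashlib.sha256()
    size = 0
    # dd's record-count chatter goes to stderr; only stdout carries image bytes.
    proc = subprocess.Popen(runner + [remote_cmd], stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    with open(out_path, "wb") as out:
        while True:
            chunk = proc.stdout.read(CHUNK)
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
            size += len(chunk)
    if proc.wait() != 0:
        raise RuntimeError(f"remote read of {device} failed, exit status {proc.returncode}")
    return {"bytes": size, "sha256": digest.hexdigest()}


def remote_sha256(runner: List[str], device: str) -> str:
    """Hash the device on the target so the local image can be checked against it.

    Assumes a sha256sum binary on the target (an assumption, not something the
    post states); substitute whatever checksum tool your device actually ships.
    """
    out = subprocess.check_output(runner + [f"sha256sum {shlex.quote(device)}"],
                                  stderr=subprocess.DEVNULL)
    return out.decode().split()[0]


def dump_and_verify(runner: List[str], device: str, out_path: str,
                    use_dd: bool = True) -> bool:
    """Dump the device, then confirm the local image hashes the same as the remote device."""
    local = dump_device(runner, device, out_path, use_dd)
    return local["sha256"] == remote_sha256(runner, device)


if __name__ == "__main__":
    # Real use against the post's placeholder target: export SSHPASS=... first.
    ok = dump_and_verify(ssh_runner("root@target"), "/dev/sda0", "target_sda0.img")
    print("image verified" if ok else "checksum mismatch: transfer error or a changing filesystem")
```

Two practical points: dd’s default 512-byte block size makes the transfer slow over SSH, so the script passes a larger bs= to the remote dd; and if the device’s filesystem is mounted read-write, it can change between the dump and the remote hash, so a mismatch there does not by itself mean the transfer was bad.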
While it’s a silly workaround and an odd problem to have, I’ve found it to be a lifesaver when you’re having a hard time extracting an embedded filesystem or disk image for analysis. I wanted to share it in the hope that others might find it useful!
If you don’t have SSH access…
If your system doesn’t have SSH, it’s time to get creative! Use your imagination! If you can cat a block device, the next step is just getting the bytes out - netcat, UART, telnet, there are tons of ways to facilitate this kind of disk image dumping.
On stripped-down embedded systems, it’s common to not have access to handy utilities that make it easy to transfer files off of the device. In situations where you’re truly out of tools but have UART or some form of shell access to the device, I highly recommend learning some scripting-fu to extract device firmware over UART or similar screen-type connections. After all - if you can type a command onto the device and see the output on any form of terminal or screen, you already have everything you need to extract the firmware! The rest is just making it less of a pain…
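One concrete form of that scripting-fu for a terminal-only link, as an added example that is not from the post: on the target, run od -Ax -v -tx1 /dev/sda0 (od is assumed to exist on the device; -Ax prints hex offsets, -v disables od’s "*" repeat marker), log the whole session with screen or minicom, then rebuild the bytes on the host with the decoder below. It ignores prompts and echoed commands, expands a "*" run if -v was forgotten, and uses the offsets to report any ranges the serial link dropped, so you can re-dump just those. SAMPLE_LOG is a constructed capture, not output from a real device.

```python
"""Rebuild a disk image from an od hex dump captured over UART / a terminal session
(added example, not from the post). Assumes the target has POSIX od and that the
session was logged verbatim. SAMPLE_LOG is constructed, not real device output."""
import re
from typing import List, Tuple

# A data row: hex offset, then one or more hex byte pairs (od -Ax -tx1 layout).
_ROW = re.compile(r"^([0-9A-Fa-f]{4,})((?:\s+[0-9A-Fa-f]{2})+)\s*$")
# od's final line: the end offset on its own.
_END = re.compile(r"^([0-9A-Fa-f]{4,})\s*$")

# Constructed sample: echoed command, a '*' repeat run (as when -v was forgotten),
# a row lost on the serial link (offset 000060 never arrives), and a trailing prompt.
SAMPLE_LOG = """\
# od -Ax -tx1 /dev/sda0
000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
000010 03 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
000050 de ad be ef de ad be ef de ad be ef de ad be ef
000070 ca fe ba be ca fe ba be ca fe ba be ca fe ba be
000080
#
"""


def decode_od_log(log: str) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Turn an 'od -Ax -tx1' session capture back into raw bytes.

    Returns (image, gaps). Offsets drive the reconstruction: a '*' line means the
    previous row repeats up to the next offset; an offset beyond what has been
    rebuilt so far means rows were lost in transit, and that [start, end) range
    is zero-filled and reported in gaps. Lines that are not od rows (prompts,
    echoed commands, line noise) are ignored.
    """
    image = bytearray()
    gaps: List[Tuple[int, int]] = []
    last_row = b""
    repeat_pending = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "*":
            repeat_pending = True
            continue
        row = _ROW.match(line)
        end = None if row else _END.match(line)
        if not row and not end:
            continue
        offset = int((row or end).group(1), 16)
        if repeat_pending and last_row:
            # Fill the suppressed run with copies of the last row up to this offset.
            while len(image) < offset:
                image += last_row[: offset - len(image)]
            repeat_pending = False
        if offset > len(image):
            gaps.append((len(image), offset))
            image += bytes(offset - len(image))
        elif offset < len(image):
            continue  # re-echoed or duplicated row: keep the first copy
        if end:
            break
        last_row = bytes(int(tok, 16) for tok in row.group(2).split())
        image += last_row
    return bytes(image), gaps


if __name__ == "__main__":
    image, gaps = decode_od_log(SAMPLE_LOG)
    print(f"rebuilt {len(image)} bytes; unrecovered ranges: "
          f"{[(hex(a), hex(b)) for a, b in gaps]}")
```

Because every row carries its offset, the decoder can tell a lost row from a genuinely empty one, which is the check you want on a noisy serial link before trusting the rebuilt image for analysis.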
Heck, you could probably write a small script to play the disk image’s bytes as audio to transfer a disk image (albeit, very slowly) over a TRRS jack, lol. Or if you only have access to something like an infotainment screen that is displaying the bytes, maybe you can use a webcam + an OCR python script to read the device’s firmware out optically? So many possibilities…
Happy hacking!
(P.S. - please email me if you dump your device’s firmware over TRRS - I want to read that blog post lol)