# Reversing FreeRTOS on embedded devices

Vitor Ventura & Vladan Nikolic IBM X-Force Red EMEA Team

27<sup>th</sup> January 2017



### Vitor Ventura

Senior Managing Security Consultant IBM X-Force Red EMEA

Malware reverse Engineer Penetration Tester Blah Blah blah Blah blah

Twiter: @\_\_\_VVentura



### About us - Vladan



- Senior Managing Security Consultant in IBM EMEA • XFR team
- 20+ years of experience with electronics and IT •
- Embedded development, reverse engineering and • ethical hacking





Information Systems Security Professional









### Disclamer

- This presentation represents our own views on the topics discussed and doesn't represent IBM position.
- All trademarks and copyrights are acknowledged.

### Why?

- Recent project challenges
- Interesting findings
- We believe it will be useful for community to share

### From the desktop...

- Desktop Intel based platform is around for a very long time
- A lot of skills, tools and techniques developed for it
- 2 major flavors x86 and x64 with some extensions(MMX, SSE, AVS...)
- Hardware is abstracted by OS and drivers



### ...To Embedded

- Usually around some micro CPU
- There are a lot of choices(PIC, AVR, Intel, MIPS, ESP...)
- Very common cores are ARM Cortex M0, M3 and M4 based
- Those devices comes with a lot of peripherals to support virtually any need
- Need to develop both hardware and software side



### Everywhere

- IoT devices are massively deployed
- Previously isolated devices becomes connected
- With expanded capabilities
- Like SCADA systems
- Even cars

### Tools of choice

- IDA Pro
- Capstone
- Hex editors



### IDA Pro for embedded

- Excellent tool... but with some quirks •
- Firmware loading custom loader or manual •
- Incomplete disassembly •
- Problem with modes and instructions •

| 👚 Load a new file            |                    |                    | 👚 IBM PC specific an                       | alyzer options    |                    | ×     |
|------------------------------|--------------------|--------------------|--------------------------------------------|-------------------|--------------------|-------|
| Load fileoads\FreeRTOSv9.0.( | 0\FreeRTOS\Demo\CC | RTEX_M0_STM        |                                            |                   |                    |       |
| Binary file                  |                    |                    | Convert immediate                          | operand of "pus   | h" to offset       |       |
|                              |                    |                    | Convert db 90h aft                         | er "jmp" to "nop' |                    |       |
|                              |                    |                    | Convert immediate                          | operand of "mov   | reg," to offset    |       |
| Processor type               |                    | _                  | Convert immediate                          |                   |                    | et    |
| ARM Little-endian [ARM]      |                    |                    | Disassemble zero o                         | pcode instructior | IS                 |       |
| Ann Little-Gradar [Arth]     | Analy              | cic                | Advanced analysis                          |                   |                    |       |
| Loading segment 0x00000000   |                    | _                  | Check 'unknown_libname' for Borland's RTTI |                   |                    |       |
|                              |                    | nabled             | Advanced analysis                          |                   |                    |       |
| Loading offset 0x00000000    |                    | ndicator enable(   | Allow references w                         |                   |                    |       |
| Options                      |                    |                    | Don't display redun                        |                   | prefixes           |       |
| Loading options              |                    | Load reso          | ✓ Interpret int 20 as                      |                   |                    |       |
| I Fill segment gaps          |                    | Enable FPU emulati |                                            |                   |                    |       |
| Create segments              |                    | 🔄 Manual Io        | Explicit RIP-addres                        | sing              |                    |       |
| 🗌 Create FLAT group  🕅       | Disassembly mer    | nory organiz       | ation                                      | ×                 |                    |       |
| RAN                          | 4                  |                    |                                            |                   |                    |       |
|                              |                    |                    |                                            |                   |                    |       |
|                              | 🗹 Create RAM sec   | ction              |                                            |                   |                    |       |
|                              |                    |                    |                                            |                   |                    |       |
| R+                           | AM start address   | 0×2000000          | U                                          |                   |                    |       |
| RA                           | AM size            | 0×1fff             |                                            | ~                 |                    |       |
|                              |                    |                    |                                            | 👷 Segmen          | : Default Register | Value |
| ROM                          | м                  |                    |                                            |                   |                    |       |
|                              |                    |                    |                                            | 🖲 т               |                    |       |
|                              | 🗹 Create ROM se    | ction              |                                            | 🔿 ds              |                    |       |
| RC                           | OM start address   | 0×0800000          | n                                          |                   |                    |       |
|                              |                    |                    |                                            | Value 0x0         | 01l ~              |       |
| RC                           | OM size            | 0×FFFF             |                                            | _                 |                    |       |
|                              |                    |                    |                                            |                   |                    |       |
| Inpu                         | ut file            |                    |                                            | Apply to          | ) all segments     |       |
| Lo                           | ading address      | 0×08000000         |                                            |                   |                    |       |
| Fil                          | e offset           | 0x0                |                                            | ~                 |                    |       |
|                              |                    |                    |                                            | -                 |                    |       |
|                              | ading size         | 0x1F15             |                                            |                   |                    |       |

### Main constraints

- Limited amount of memory and resources
- Power consumption awareness
- Real time responses
- Self sustainable and resilient



### Common hardware issues

- JTAG & UART ports available
- Exposed busses (I<sup>2</sup>C, IIS, Serial)
- Unprotected external storages (FLASH, sdcard...)
- Unprotected radio interfaces (WiFi, Bluetooth, microwaves...)
- Debugging consoles left active
- Unprotected bootloader and fw updates
- Fuses not set to make internal flash unreadable

### Software Requirements

- Needs to be tailored to fit the hardware
- CPU speed, memory constrains, available storage
- Power consumption
- Error handling and bugs resilience
- Software developer needs to be versatile with the platform hardware developers designed.
- Common solution choose some of numerous existing frameworks and RTOS which enables some level of hardware abstraction.

### Introducing Free RTOS

- Small and very lean RTOS developed by Real Time Engineers Ltd
- Free and open source environment (there is a commercial version)
- Runs on almost everything (30+ platform supported oob)
- Yes, even Arduino
- Easy to customize for new platforms
  - port.c, portasm.s and portmacro.h needs to be ported for a new platform
- Widely supported by open source community
- Preemptive and cooperative multitasking
- Tickles mode of operation supported
- Tiny footprint
- More details: www.freertos.org

### Supported high level functionalities

- Custom developed TCP and UDP IP stack
- FAT FS
- CLI
- I/O support including GPIO



# User Code

# FreeRTOS core

# HW dependent code

## Hardware

16 RECON 2017 Brussels

### FreeRTOS main components

- Task Scheduler
- Tasks
  - independent piece of code which runs in its own context and with a separate stack under the Task Scheduler
- Co-routines
  - Not commonly used. All co-routines share the same stack with prioritized cooperative multitasking
- Data queues
- Semaphores & Mutexes
- Timers

### Internals

- Heavily relies on double linked circular lists
- pxTaskReadyList contains a list of tasks that needs to be executed
- Every task has its own Task Control Block. TCB has a pointer to the stack allocated for the task.
- Queue is a list with additional pointers indicating where is the next read or write address.
- Semaphore is a specific instance of queue which doesn't track the data but the number of used elements in uxMessageWaiting field.
- Mutex is similar to semaphore, but head pointer is always 0 indicating it is a mutex and pointer to the task owning it is in the tail pointer.

```
typedef struct tskTaskControlBlock
        volatile StackType t
                                 *pxTopOfStack; /*< Points to the location of</pre>
        #if ( portUSING MPU WRAPPERS == 1 )
                xMPU SETTINGS
                                xMPUSettings;
                                                          /*< The MPU settings a
        #endif
        ListItem t
                                         xStateListItem: /*< The list that the
        ListItem t
                                         xEventListItem;
                                                                  /*< Used to re
        UBaseType t
                                         uxPriority;
                                                                          /*< Th
                                                                          /*< Po
        StackType t
                                         *pxStack;
                                         pcTaskName[ configMAX_TASK_NAME_LEN ];
        char
        #if ( portSTACK_GROWTH > 0 )
                StackType t
                                                                  /*< Points to
                                         *pxEndOfStack;
        #endif
        #if ( portCRITICAL NESTING IN TCB == 1 )
                UBaseType t
                                         uxCriticalNesting;
                                                                  /*< Holds the
        #endif
        #if ( configUSE TRACE FACILITY == 1 )
                                                                  /*< Stores a n
                UBaseType t
                                         uxTCBNumber;
                UBaseType_t
                                         uxTaskNumber;
                                                                  / < Stores a n
        #endif
```

### Security Features overview

- By design, not much of them
- Since it is not designed as multitenant environment it lacks security controls we're used to on the desktop
- It supports:
  - Tasks with different privilege levels (only on ARM Cortex M3 with MPU enabled)
  - Stack overflow protection
  - SSL library as an add-on

### Security issues

- These are not real bugs in FreeRTOS, this is just observation from the point of adversary who wants to do some exploitation!
  - TCP/IP stack is not very resilient
  - Stack overflow protection is rudimentary
  - MPU usage is not very common (supported only on ARM M3 platforms anyway)
    - Unprivileged task can spawn privileged task, if MPU is used; or
    - Everything runs in the same context otherwise
  - It is developed in C inheriting all possible security problems as any other C programs (buffer overflows, heap corruptions...)

### Sample application

- Sample => simple
- Goals
  - Get the button state
  - Toggle the LED if button is pushed
- Idea is to create a simple firmware for a device which will have MCU, a button and a LED.
- When button is pressed, LED will change its state.

### **Basic architecture**



### Application architecture



### Initialize

int main( void ){

```
/* Setup hardware */
STM_EVAL_LEDInit( LED1 );
STM_EVAL_PBInit( BUTTON_KEY, BUTTON_MODE_EXTI );
```

```
/* Create Semaphore */
vSemaphoreCreateBinary( xLedSemaphore );
```

```
/* Create Tasks */
xTaskCreate(xLedSemaphoreHandler, "LedSemaphoreHandlerTask",
configMINIMAL_STACK_SIZE, NULL, 3, NULL );
```

```
/* Start Scheduler */
vTaskStartScheduler();
```

```
return 1;
```

### Run

```
// LED connected to GPIO port PC10
static void xLedSemaphoreHandler(void *pvParameters){
  for (;; ) {
     xSemaphoreTake( xLedSemaphore, portMAX DELAY );
     STM_EVAL_LEDToggle( LED1 );
     //GPIOWriteBit(GPIOC,GPIOPin10,Bit SET); // turn on LED
// Button connected to GPIO port PB8
static void EXTI4 15 IRQHandler(void ){
if( EXTI GetITStatus( KEY BUTTON EXTI LINE ) != RESET ) {
  long IHigherPriorityTaskWoken;
  IHigherPriorityTaskWoken = pdFALSE;
  xSemaphoreGiveFromISR (xLedSemaphore,&IHigherPriorityTaskWoken);
  portEND_SWITCHING_ISR( lHigherPriorityTaskWoken );
  EXTI_ClearITPendingBit( KEY_BUTTON_EXTI_LINE );
```

### From source to hardware

- Wire up the platform button and led must be where expected
- Compile for the specific platform
- Upload resulting image to the target MCU
- On reset, led should remain off
- Push the button, led should lit
- Push the button again and led should shut
- With minor changes in imports and ensuring button and led are on known positions as defined we can compile for any other platform

### What is next?

- Now we have created our first embedded device
- ...
- Profit 🙂



### Bad stuff will happen

- Somewhere in the world, dark forces are at works...
- Some people are trying to do some bad stuff to our valued product
- Since we made a hardware mistake, it was possible to dump the firmware from our device...



### Reverse engineering on embedded systems

The good thing about embedded systems firmware:

It is that it's deeply tied to the MCU

The bad thing about embedded systems firmware:

It is that it's deeply tied to the MCU

### Reverse engineering on Embedded

- String analysis does not help
- There are no syscalls on FreeRTOS
- There is no memory protection
- IDA by default will not detect the Entry point.

## ..... can we find the Entry point ?



# The entry point

- STM32 has some default interrupts which are controlled by handlers.
- In order to know where is each handler there is table called Interrupt Vector Table, which holds the address for each interrupt.
- One of these interrupts is the reset.
- What is boot rather then a reset interrupt?!

### The entry point - Interrupt Vector Table (IVT)

This table contains the addresses of the routines that will handle some of the interrupts.

This table is located at offset 0x00.



http://www.st.com/content/ccc/resource/technical/document/programming\_manual/fc/90/c7/17/a1/44/43/89/DM00051352.pdf/files/DM00051352.pdf/icr:content/translations/en\_DM00051352.pdf

# The entry point – IVT raw

#### • Contents of the 0x00 offset of a FreeRTOS image

```
ROM:08000000 ; Segment type: Pure code
ROM:08000000
                             AREA ROM, CODE, READWRITE, ALIGN=0
ROM:0800000
                             : ORG 0x8000000
ROM:0800000
                             CODE32
                             DCD 0x20000438, 0x8002085, 0x8001C5F, 0x8001DC3, 0, 0
ROM:08000000
ROM:0800000
                             DCD 0, 0, 0, 0, 0
ROM:0800002C
                             DCD locret 8001238+1
ROM: 08000030
                             DCD 0, 0
ROM:08000038
                             DCD 0x80011FB, 0x8000D01, 0x800216F, 0x800217B, 0x8002235
ROM:08000038
                             DCD 0x8002237, 0x8002239, 0x800223B, 0x800223D, 0x8001131
ROM:08000038
                             DCD 0x800223F, 0x8002241, 0x8002243, 0x8002245, 0x8002247
ROM:08000038
                             DCD 0x8002249, 0x800224B, 0x800224D, 0x800224F, 0x8002251
ROM:08000038
                             DCD 0
ROM:0800008C
                             DCD 0x8002253, 0x8002255, 0x8002257, 0x8002259, 0x800225B
                             DCD 0x800225D, 0x800225F, 0x8002261, 0x8002263, 0x8002265
ROM:0800008C
ROM:0800008C
                             DCD 0
ROM:080000B8
                             DCD 0x8002267, 0
ROM: 080000C0
                             CODE16
DOM - 00 00000 0
```

# The entry point – IVT decoded

- The plugin packs the data into a table format
- And adds the comment for what is reserved

|   | KUM: 08 000000                      | DOD | 0       |
|---|-------------------------------------|-----|---------|
|   | ROM: 08 00 00 00                    | DCD |         |
| • | ROM: 08 00 0004<br>ROM: 08 00 00 08 | DCD |         |
| • | ROM: 0800000C                       | DCD | 0x8001C |
|   | ROM: 08000010                       | DCD | 0280010 |
|   | ROM: 08000014                       | DCD | 0       |
|   | ROM: 08 00 0018                     | DCD | 0       |
| • | ROM: 0800001C                       | DCD | 0       |
| • | ROM: 08 00 002 0                    | DCD | 0       |
|   | ROM: 08 00 002 4                    | DCD | 0       |
|   | ROM: 08 000028                      | DCD | 0       |
| • | ROM: 08 00 002C                     | DCD | 0x80012 |
| • | ROM: 08 00 003 0                    | DCD | 0.00012 |
| • | ROM: 08 00 0034                     | DCD | 0       |
| • | ROM: 08 00 0038                     | DCD | 0x80011 |
|   | ROM: 08 00 003C                     | DCD | 0x8000D |
|   | ROM: 08 00 004 0                    | DCD | 0x80021 |
|   | ROM: 08 00 0044                     | DCD | 0x80021 |
|   | ROM: 08 000048                      | DCD | 0x80022 |
|   | ROM: 08 00 004C                     | DCD | 0x80022 |
|   | ROM: 08 00 005 0                    | DCD | 0x80022 |
|   | ROM: 08 00 0054                     | DCD | 0x80022 |
|   | ROM: 08000058                       | DCD | 0x80022 |
| ٠ | ROM: 0800005C                       | DCD | 0x80011 |
|   | ROM: 08000060                       | DCD | 0x80022 |
| • | ROM: 08000064                       | DCD | 0x80022 |
| • | ROM: 08000068                       | DCD | 0x80022 |
|   | ROM: 0800006C                       | DCD | 0x80022 |
|   | ROM: 08000070                       | DCD | 0x80022 |
| ٠ | ROM:08000074                        | DCD | 0x80022 |
| • | ROM: 08000078                       | DCD | 0x80022 |
| • | ROM: 0800007C                       | DCD | 0x80022 |
| • | ROM:08000080                        | DCD | 0x80022 |
| • | ROM: 08000084                       | DCD | 0x80022 |
|   | ROM:08000088                        | DCD | 0       |
|   | ROM: 0800008C                       | DCD | 0x80022 |
|   | ROM: 0800090                        | DCD | 0x80022 |
|   | ROM: 08000094                       | DCD | 0x80022 |
| 1 | ROM: 08000098                       | DCD | 0x80022 |
| 1 | ROM:0800009C                        | DCD | 0x80022 |
| 1 | ROM:080000A0                        | DCD | 0x80022 |
| 1 | ROM:080000A4                        | DCD | 0x80022 |
| 1 | ROM:080000A8                        | DCD | 0x80022 |
| • | ROM:080000AC                        | DCD | 0x80022 |
|   |                                     |     |         |

| 00438        | ; Initial SP value                                           |
|--------------|--------------------------------------------------------------|
| 2085         | ; Reset Interrupt handler                                    |
| 1651         | ; Non maskaple incerrupt nanuler                             |
| 1DC3         | ; Hard Fault handler                                         |
|              | ; Reserved                                                   |
|              | ; Reserved<br>: Reserved                                     |
| 1239         |                                                              |
| 1239         | ; SVC_Handler<br>; Reserved                                  |
|              | ; Reserved                                                   |
| 11FB         | ; PendSV_Handler                                             |
| 0D 01        | ; SysTick_Handler                                            |
| 216F         | ; Reserved                                                   |
| 217B         | ; al Interrupts                                              |
| 2235         | ; WWDG_IRQHandler                                            |
| 2237         | ; PVD_IRQHandler                                             |
| 2239         | ; RTC_IRQHandler                                             |
| 2238<br>2238 | ; FLASH_IRQHandler                                           |
| 223D         | ; RCC_IRQHandler                                             |
| 1131         | ; EXTIReserved_1_IRQHandler                                  |
| 223F         | ; EXTI2_3_IRQHandler                                         |
| 2241         | ; EXTI4_15_IRQHandler                                        |
| 2243         | ; TS_IRQHandler                                              |
| 2245         | ; DMA1_Channel1_IRQHandler                                   |
| 2247         | ; DMA1_Channel2_3_IRQHandler                                 |
| 2249         | ; DMA1_Channel2_3_IRQHandler<br>; DMA1_Channel4_5_IRQHandler |
| 224B         | ; ADC1_COMP_IRQHandler                                       |
| 224D         | ; TIM1_BRK_UP_TRG_COM_IRQHandler                             |
| 224F         | ; TIM1_CC_IRQHandler                                         |
| 2251         | ; TIM2_IRQHandler                                            |
|              | ; TIM3 IRQHandler                                            |
| 2253         | ; TIM3_IRQHandler<br>; TIM6_DAC_IRQHandler                   |
| 2255         | ; Reserved                                                   |
| 2257         | ; TIM14_IRQHandler                                           |
| 2259         | ; TIM15_IRQHandler                                           |
| 225B         | ; TIM16_IRQHandler                                           |
| 225D         | ; TIM16_IRQHandler<br>; TIM17_IRQHandler                     |
| 225F         | ; I2C1_IRQHandler                                            |
| 2261         | ; I2C2_IRQHandler                                            |
| 2263         | ; SPI1_IRQHandler                                            |
|              | ·                                                            |

# The entry point – Reset Handler

| 2011 00 00 7001          |       | e de la companya de l |
|--------------------------|-------|-----------------------------------------------------------------------------------------------------------------|
| ROM:080273C4 ;           |       |                                                                                                                 |
| ROM:080273C4             | LDR   | R0, = <mark>0x200007B0</mark>                                                                                   |
| ROM: 08 0273C6           | MSR.W | MSP, RO                                                                                                         |
| ROM: 080273CA            | 1010  |                                                                                                                 |
| R0M:080273CC             | LDR   | R1, [R0]                                                                                                        |
| R0M:080273CE             | LSRS  | R1, Ř1, #0x18                                                                                                   |
| R0M:080273D0             | MOUS  | R2, #0x1F                                                                                                       |
| R0M:080273D2             | CMP   | R1, R2                                                                                                          |
| R0M:080273D4             | BNE   | 1oc 80273E2                                                                                                     |
| R0M:080273D6             | LDR   | R0, = <mark>0x40021018</mark>                                                                                   |
| ROM: 08 0273D8           | MOUS  | R1, #1                                                                                                          |
| ROM: 08 0273DA           | STR   | R1, [R0]                                                                                                        |
| ROM: 08 0273DC           | LDR   | R0, = <mark>0x40010000</mark>                                                                                   |
| ROM: 08 0273DE           | MOUS  | R1, #0                                                                                                          |
| ROM: 08 0273E 0          | STR   | R1, [R0]                                                                                                        |
| ROM: 08 0273E2           |       |                                                                                                                 |
| ROM:080273E2 loc_80273E2 |       | ; CODE XREF: ROM:080273D4†j                                                                                     |
| ROM: 08 0273E2           | LDR   | R0, =(sub_8024ED8+1)                                                                                            |
| ROM:080273E4             | BLX   | R0 ; sub_8024ED8                                                                                                |
| ROM:080273E6             | LDR   | R0, =(loc_802C1E8+1)                                                                                            |
| ROM:080273E8             | BX    | R0 ; loc_802C1E8                                                                                                |
| ROM:080273E8 ;           |       |                                                                                                                 |

### Now we have an entry point

### Reverse engineering on Embedded

- Now we have an entry point.
- all peripheral access is done by reading and writing into specific memory addresses.
  - Address ranges and offsets are mapped to the MCU buses.

# ..... so can these ranges and offsets be useful?



Reverse engineering on STM32F0

- The MCU documentation will contain the registers addresses and their functions.
- How does the plugin help?
- It:
  - Lists the registers manipulated
  - Lists functions that manipulate each register
  - Adds comments to the code with description of each register

### **IDA Plugin - Registers descriptions**

001DC4 08001DC4: SUD\_8001DC4

```
Registers and peripheral ranges in use from the MCU
0x40010008 [SYSCFG EXTICR1] External interrupt configuration register 1
0x40022000 [FLASH ACR] Flash access control register
0x40010414 [EXTI PR] Pending register
0x4002102C address is not known
0x40021014 [RCC AHBENR] AHB peripheral clock enable register
0x40021030 address is not known
0x40021034 address is not known
0x40021018 [RCC APB2ENR] APB peripheral clock enable register 2
0x4001040C [EXTI FTSR] Falling trigger selection register
0x40010408 [EXTI RTSR] Rising trigger selection register
0x40010400 [EXTI IMR] Interrupt mask register
0x40010404 [EXTI EMR] Event mask register
AutoAccic is a
0x40021000 [RCC CR] Clock control register
0x40021004 [RCC CFGR] Clock configuration register
ARM/CPU Internal peripherals used by this firmware
0xE000ED04 [SCB:RW] Interrupt Control and State Register
0xE000E180 [NVI:RW] NVIC Interrupt Clear-Enable register
AVEAGAFIAG INUL-RUI NUIC Interrunt Set-Enable register
OxE000E010 [SYT:RW] SysTick Control and Status Register
0xE000E014 [SYT:RW] SysTick reload value register
UXEUUUE4UU [NVI.NW] INCERTUPE FRIDELUS REQISCERS
0xE000ED20 [SCB:RW] System handler priority register 3
```

### IDA Plugin – Functions manipulating registers

#### 

Functions that call CPU Internal peripherals

Function: sub\_8000D20

-> Register: 0xE000E014 [SYT:RW] SysTick reload value register

-> Register: 0xE000E010 [SYT:RW] SysTick Control and Status Register Function: sub 8001E20

-> Register: 0xE000E400 [NVI:RW] Interrupt Priority Registers

-> Register: 0xE000E400 [NVI:RW] Interrupt Priority Registers

-> Register: 0xE000E100 [NVI:RW] NVIC Interrupt Set-Enable register

-> Register: 0xE000E180 [NVI:RW] NVIC Interrupt Clear-Enable register Function: sub\_80001E4

-> Register: 0xE000ED04 [SCB:RW] Interrupt Control and State Register Function: sub\_8000C7E

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

Functions changing SYSCONF + COMP registers

Function: sub\_8001DC4

-> Register: 0x40010008 [SYSCFG\_EXTICR1] External interrupt configuration register 1

Functions accessing flash interface registers

Function: sub\_8001F06
 -> Register: 0x40022000 [FLASH\_ACR] Flash access control register

### IDA Plugin – Comments on the code

| <pre>f sub_80013E4 f sub_800140C f sub_800155C f sub_800160C f sub_80016A0 f sub_8001810 f sub_80018AE f sub_80018DE</pre> | ROM<br>ROM<br>ROM<br>ROM<br>ROM<br>ROM<br>ROM<br>ROM | ROM: 08 001DE4<br>ROM: 08 001DE4<br>ROM: 08 001DE6<br>ROM: 08 001DE8<br>ROM: 08 001DEA<br>ROM: 08 001DEC<br>ROM: 08 001DEE<br>ROM: 08 001DF 0<br>ROM: 08 001DF 2<br>ROM: 08 001DF 4 |
|----------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ine 75 of 89 Output window                                                                                                 | 4                                                    | 00001DF4 08001DF                                                                                                                                                                    |

#### 

unctions that call CPU Internal peripherals

#### unction: sub\_8000D20

-> Register: 0xE000E014 [SYT:RW] SysTick reload value register

-> Register: 0xE000E010 [SYT:RW] SysTick Control and Status Register unction: sub\_8001E20

-> Register: 0xE000E400 [NVI:RW] Interrupt Priority Registers

-> Register: 0xE000E400 [NVI:RW] Interrupt Priority Registers

-> Register: 0xE000E100 [NVI:RW] NVIC Interrupt Set-Enable register

-> Register: 0xE000E180 [NVI:RW] NVIC Interrupt Clear-Enable register unction: sub\_80001E4

-> Register: 0xE000ED04 [SCB:RW] Interrupt Control and State Register unction: sub\_8000C7E

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

| 🗾 🚄 🖳  |                                                                                   |
|--------|-----------------------------------------------------------------------------------|
|        |                                                                                   |
|        |                                                                                   |
| sub 80 | 00D20                                                                             |
| PUSH   | {LR}                                                                              |
| LDR    | R0, =dword_20000034                                                               |
| LDR    | R0, [R0]                                                                          |
| MOUS   | R1, #0x3E8                                                                        |
| BL     | sub_8001270                                                                       |
| SUBS   | R0, R0, #1                                                                        |
| LDR    | R1, = <mark>0xE000E014</mark> ; 0xE000E014 [SYT:RW] SysTick reload value register |
| STR    | R0, [R1]                                                                          |
| MOVS   | R0, #7                                                                            |
| LDR    | R1, =0xE000E010 ; 0xE000E010 [SYT:RW] SysTick Control and Status Regist           |
| STR    | R0, [R1]                                                                          |
| POP    | {PC}                                                                              |
| : End  | of function sub 8000D20                                                           |

100.00% (-489,-61) (578,3) 00000D20 08000D20: sub\_8000D20

### Reverse engineering on STM32F0

- Generically RTOS need to define critical code areas where the interrupts cannot break the execution flow.
- This is done by using the ARM CPSID and CPSIE instructions.
- So a good place to start looking in your code is before CPSIE instruction.

### Critical code decoding and listing



-> sub 80006A0

### Critical code decoding and listing



### Interesting registers

- External interrupts where activated using SYSCFGEXT register.
- External interrupts are manipulated using EXTI registers
- Clock source and reload values configured using the SysTick registers
  - Used on all kind of timers if the clock is given by the CPU
- Nested Vector Interrupt control can be clear or set using the NVI registers
- Real Clock Controller can be manipulated with the RCC registers
  - crucial for input/output operations on peripherals

### Interesting registers

#### 

Functions that call CPU Internal peripherals

#### Function: sub\_8000D20

-> Register: 0xE000E014 [SYT:RW] SysTick reload value register

-> Register: 0xE000E010 [SYT:RW] SysTick Control and Status Register Function: sub\_8001E20

- -> Register: 0xE000E400 [NVI:RW] Interrupt Priority Registers
- -> Register: 0xE000E400 [NVI:RW] Interrupt Priority Registers

-> Register: 0xE000E100 [NVI:RW] NVIC Interrupt Set-Enable register

-> Register: 0xE000E180 [NVI:RW] NVIC Interrupt Clear-Enable register Function: sub\_80001E4

-> Register: 0xE000ED04 [SCB:RW] Interrupt Control and State Register Function: sub\_8000C7E

-> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

- -> Register: 0xE000ED20 [SCB:RW] System handler priority register 3
- -> Register: 0xE000ED20 [SCB:RW] System handler priority register 3
- -> Register: 0xE000ED20 [SCB:RW] System handler priority register 3

#### 

Functions changing SYSCONF + COMP registers

Function: sub\_8001DC4

-> Register: 0x40010008 [SYSCFG\_EXTICR1] External interrupt configuration register 1

#### 

Functions accessing flash interface registers

Function: sub\_8001F06

-> Register: 0x40022000 [FLASH\_ACR] Flash access control register

#### 

Functions accessing exti registers

Function: sub\_8001ACA

-> Register: 0x40010414 [EXTI\_PR] Pending register

Function: sub\_8001A14

- -> Register: 0x4001040C [EXTI\_FTSR] Falling trigger selection register
- -> Register: 0x40010400 [EXTI\_IMR] Interrupt mask register
- -> Register: 0x40010408 [EXTI\_RTSR] Rising trigger selection register
- -> Register: 0x40010404 [EXTI\_EMR] Event mask register

Function: sub\_8001A9E

- -> Register: 0x40010414 [EXTI\_PR] Pending register
- -> Register: 0x40010400 [EXTI\_IMR] Interrupt mask register

#### 

Functions accessing rcc registers

Function: sub\_8001E98

- -> Register address not known: 0x40021030
- -> Register address not known: 0x40021034
- -> Register address not known: 0x4002102C
- -> Register address not known: 0x40021008
- -> Register: 0x40021000 [RCC\_CR] Clock control register
- -> Register: 0x40021004 [RCC\_CFGR] Clock configuration register

Function: sub\_8001CDC

-> Register: 0x40021018 [RCC\_APB2ENR] APB peripheral clock enable register 2 Function: sub\_8001CBC

-> Register: 0x40021014 [RCC\_AHBENR] AHB peripheral clock enable register Function: sub\_8001F06

- -> Register: 0x40021000 [RCC\_CR] Clock control register
- -> Register: 0x40021004 [RCC\_CFGR] Clock configuration register

### Future work

- Implement heuristics to find registers dynamically addressed
- Automatically re-analyse the interrupt handlers based on the decoded IVT
- Comment calls that will ReEnable Interrupts
- Improve analysis on registers manipulation and identification
- Identification of the Realtime operating system

# THANK YOU