Comments (9)
Hello, thanks for your interest! It would be great to extend the work to other versions of iLO.
For the offsets, I extracted the task `ConAppCLI` from a firmware update, which included a segment named `libc.so.text` (`ConAppCLI` is responsible for handling an interactive SSH session). The analysis of the code of `ConAppCLI` led me to recover the names of several functions of `libc.so`, including `malloc`, `free`, `opendir`, etc.
from ilo4_toolbox.
Thanks for the reply! Could you post the re-assembled ConAppCLI.elf file or your idb file for ConAppCLI? I don't have IDA pro and ida free doesn't seem to support the necessary loading functions.
Alternatively, do you know how to get the offsets using Ghidra? I'm not sure how to do the necessary loading of ConAppCLI.elf from the various segments like is done for IDA.
Hi,
Sorry for the delay. In fact, I am not familiar with the unpacker/extractor which is present in this repository, as I wrote mine before this repository was open-sourced. It would take too much time for me to merge it properly, so instead I published it in https://github.com/fishilico/ilo4_toolbox/tree/ioonag_unpacker/scripts/iLO4/ioonag_unpacker if you want to give it a try. In order to extract ConAppCLI, here are the steps:
- Download a firmware update (I mainly tested ilo4_250.bin.scexe)
- Clone my repository, change to the `ioonag_unpacker` branch (for example with `git checkout ioonag_unpacker`) and go into `scripts/iLO4/ioonag_unpacker`
- Unpack the firmware with `./unpack_firmware.py ilo4_250.bin.scexe`. If successful, this should print:

```
[INFO ] Found 'ilo4_250.bin' in ilo4_250.bin.scexe
[INFO ] ELF 23389.18 kB, kernel 769.26 kB, boot code 64.00 kB
[INFO ] Successfully loaded a big ELF file
[INFO ] Dumping process 'dvi' into ./iLO4-2.50.67/proc_dvi_4-2.50.67.elf
[INFO ] Dumping process 'tcpip_stack' into ./iLO4-2.50.67/proc_tcpip_stack_4-2.50.67.elf
[INFO ] Dumping process 'DHCPv6_client' into ./iLO4-2.50.67/proc_DHCPv6_client_4-2.50.67.elf
[INFO ] Dumping process 'rtc' into ./iLO4-2.50.67/proc_rtc_4-2.50.67.elf
[INFO ] Dumping process 'vrd' into ./iLO4-2.50.67/proc_vrd_4-2.50.67.elf
[INFO ] Dumping process 'spi' into ./iLO4-2.50.67/proc_spi_4-2.50.67.elf
[INFO ] Dumping process 'embmedia' into ./iLO4-2.50.67/proc_embmedia_4-2.50.67.elf
[INFO ] Dumping process 'health' into ./iLO4-2.50.67/proc_health_4-2.50.67.elf
[INFO ] Dumping process 'i2c' into ./iLO4-2.50.67/proc_i2c_4-2.50.67.elf
[INFO ] Dumping process 'chif' into ./iLO4-2.50.67/proc_chif_4-2.50.67.elf
[INFO ] Dumping process 'pjfs' into ./iLO4-2.50.67/proc_pjfs_4-2.50.67.elf
[INFO ] Dumping process 'fss' into ./iLO4-2.50.67/proc_fss_4-2.50.67.elf
[INFO ] Dumping process 'gpio' into ./iLO4-2.50.67/proc_gpio_4-2.50.67.elf
[INFO ] Dumping process 'usb.elf' into ./iLO4-2.50.67/proc_usb.elf_4-2.50.67.elf
[INFO ] Dumping process 'vsp.elf' into ./iLO4-2.50.67/proc_vsp.elf_4-2.50.67.elf
[INFO ] Dumping process 'svcsHost' into ./iLO4-2.50.67/proc_svcsHost_4-2.50.67.elf
[INFO ] Dumping process 'rbsu' into ./iLO4-2.50.67/proc_rbsu_4-2.50.67.elf
[INFO ] Dumping process 'secmgr' into ./iLO4-2.50.67/proc_secmgr_4-2.50.67.elf
[INFO ] Dumping process 'pwrmgr' into ./iLO4-2.50.67/proc_pwrmgr_4-2.50.67.elf
[INFO ] Dumping process 'ribcl' into ./iLO4-2.50.67/proc_ribcl_4-2.50.67.elf
[INFO ] Dumping process 'romchf' into ./iLO4-2.50.67/proc_romchf_4-2.50.67.elf
[INFO ] Dumping process 'fum' into ./iLO4-2.50.67/proc_fum_4-2.50.67.elf
[INFO ] Dumping process 'bmc' into ./iLO4-2.50.67/proc_bmc_4-2.50.67.elf
[INFO ] Dumping process 'svcsILO' into ./iLO4-2.50.67/proc_svcsILO_4-2.50.67.elf
[INFO ] Dumping process 'network' into ./iLO4-2.50.67/proc_network_4-2.50.67.elf
[INFO ] Dumping process 'ConAppCLI' into ./iLO4-2.50.67/proc_ConAppCLI_4-2.50.67.elf
[INFO ] Dumping process 'rdp' into ./iLO4-2.50.67/proc_rdp_4-2.50.67.elf
[INFO ] Dumping process 'snmp' into ./iLO4-2.50.67/proc_snmp_4-2.50.67.elf
[INFO ] Dumping process 'rckmgmt' into ./iLO4-2.50.67/proc_rckmgmt_4-2.50.67.elf
[INFO ] Dumping process 'sntp' into ./iLO4-2.50.67/proc_sntp_4-2.50.67.elf
[INFO ] Dumping process 'wol' into ./iLO4-2.50.67/proc_wol_4-2.50.67.elf
[INFO ] Dumping process 'beacon' into ./iLO4-2.50.67/proc_beacon_4-2.50.67.elf
[INFO ] Dumping process 'blackbox' into ./iLO4-2.50.67/proc_blackbox_4-2.50.67.elf
[INFO ] Dumping process 'ers' into ./iLO4-2.50.67/proc_ers_4-2.50.67.elf
[INFO ] Dumping process 'alertMail' into ./iLO4-2.50.67/proc_alertMail_4-2.50.67.elf
[INFO ] Dumping process 'rsyslog' into ./iLO4-2.50.67/proc_rsyslog_4-2.50.67.elf
[INFO ] Dumping process 'discovery_svcs' into ./iLO4-2.50.67/proc_discovery_svcs_4-2.50.67.elf
[INFO ] Dumping process 'drvsec' into ./iLO4-2.50.67/proc_drvsec_4-2.50.67.elf
[INFO ] Dumping process 'webserv' into ./iLO4-2.50.67/proc_webserv_4-2.50.67.elf
[INFO ] Dumping process 'restserver' into ./iLO4-2.50.67/proc_restserver_4-2.50.67.elf
[INFO ] Dumping process 'restevents' into ./iLO4-2.50.67/proc_restevents_4-2.50.67.elf
[INFO ] Dumping process 'restdirectory' into ./iLO4-2.50.67/proc_restdirectory_4-2.50.67.elf
[INFO ] Dumping process 'ssh' into ./iLO4-2.50.67/proc_ssh_4-2.50.67.elf
[INFO ] Dumping process 'json_dsp' into ./iLO4-2.50.67/proc_json_dsp_4-2.50.67.elf
[INFO ] Dumping process 'uefi' into ./iLO4-2.50.67/proc_uefi_4-2.50.67.elf
[INFO ] Dumping process 'nvdimm' into ./iLO4-2.50.67/proc_nvdimm_4-2.50.67.elf
[INFO ] Dumping process 'auxvideo' into ./iLO4-2.50.67/proc_auxvideo_4-2.50.67.elf
[INFO ] Dumping process 'pmci' into ./iLO4-2.50.67/proc_pmci_4-2.50.67.elf
[INFO ] Dumping process 'gpu' into ./iLO4-2.50.67/proc_gpu_4-2.50.67.elf
```

- Every file in `iLO4-2.50.67/` is an ELF file with symbols that were written from JSON files that are saved in `fw_symbols/`. This way, it should be possible to load them into any tool that supports ELF files using the ARM architecture.
- For information, in my workflow, I open a file with IDA, rename some functions, export a `.map` file and use a command like `./symbols.py -v 4-2.50 -p ConAppCli addmap proc_ConAppCli.map` to sync the file into my JSON database. This is how I saved the offsets that are used in `hp_ilo_4_250.h`.

In case someone is interested in porting the feature of "producing an ELF file with symbols from an iLO update" into the unpacker in this repository (which supports more iLO versions), feel free to reuse my code.
Thank you Nicolas for sharing your own extractor. Can't promise anything, but we'll look, when we have some time, at how to merge one way or the other to unpack most of the fw.
@fishilico hi, do I need to import the JSON files in `fw_symbols` manually after `./unpack_firmware.py ilo4_250.bin.scexe`? The .idb file doesn't have all the symbols which were written in the JSON.
Thanks.
Hello, it has been a long time since I last studied HP iLO's firmware. From what I remember, my extractor tried to apply the known symbols from JSON files by creating ELF files with symbols, which could then be loaded in IDA/Ghidra/Binary Ninja/... If some symbols are missing from the .idb, it is probably because of a bug in the extractor to extract the symbols (for example IIRC it does not define any "symbol size", which could be something that IDA expects).
So to answer your question, normally you would not "need" to import the JSON files, but if there are some bugs, this could help define missing symbols already "known" in the JSON files.
Thanks for your reply. I found the JSON files have a lot of common symbols, so when IDA renames, errors will be reported. I attempted to modify the duplicate symbols.
Thank you again ^_^
@fishilico Hello, how do you recover the standard library function symbol table or all the other symbols? IDA can't recognize symbols such as `strcmp`, `printf`...
Thanks.
@anotherpk I did this manually by recognizing the code in the functions. Other more automated approaches (such as using function databases from https://github.com/threatrack/ghidra-fidb-repo) could be more efficient.
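The two practical problems raised in this thread, IDA reporting errors when a recovered symbol name already exists at another address, and the need to push "known" names into a tool that could not read them from the generated ELF, can both be handled by a small pre-processing step. The script below is an added example written for this page; it is not part of ilo4_toolbox or of fishilico's ioonag_unpacker, and it does not read the toolbox's own `fw_symbols/` JSON layout. The input format (a JSON list of `{"addr": "0x...", "name": "..."}` records) and the sample records are constructed here; the constructed addresses are not real iLO offsets. It drops exact duplicates, suffixes repeated names so renames cannot collide, sanitises labels into valid identifiers, and emits either IDAPython `idc.set_name` calls (with `SN_NOWARN | SN_NOCHECK`, so a remaining collision is skipped instead of aborting the script) or the `name 0xADDRESS` lines that Ghidra's bundled `ImportSymbolsScript.py` reads (assumption: check the header of that script in your Ghidra release).

```python
"""Deduplicate recovered symbols and emit IDAPython / Ghidra import lines.

Added example for this page; not code from ilo4_toolbox or ioonag_unpacker.
Assumed input layout (not the toolbox's fw_symbols/ format): a JSON list of
records {"addr": "0x<hex>", "name": "<label>"}.
"""
import json
import re
from collections import OrderedDict

# Constructed sample input (not real iLO offsets): two distinct functions
# both recovered as "malloc", one exact duplicate record, and a label
# that is not a valid identifier for IDA or Ghidra.
SAMPLE_RECORDS = [
    {"addr": "0x00401000", "name": "malloc"},
    {"addr": "0x00401080", "name": "free"},
    {"addr": "0x00402000", "name": "malloc"},           # same name, other address
    {"addr": "0x00401000", "name": "malloc"},           # exact duplicate
    {"addr": "0x00403000", "name": "libc.so:opendir"},  # needs sanitising
]

_IDENT_RE = re.compile(r"[^A-Za-z0-9_]")


def sanitize(name):
    """Turn an arbitrary label into an identifier IDA/Ghidra accept as a name."""
    clean = _IDENT_RE.sub("_", name)
    if not clean or clean[0].isdigit():
        clean = "_" + clean
    return clean


def load_records(text):
    """Parse the JSON records into a sorted list of (addr, name) pairs,
    dropping records that are exact duplicates (same address and name)."""
    seen = set()
    pairs = []
    for rec in json.loads(text):
        key = (int(rec["addr"], 16), rec["name"])
        if key in seen:
            continue
        seen.add(key)
        pairs.append(key)
    pairs.sort()
    return pairs


def dedupe(pairs):
    """Return an OrderedDict addr -> unique, sanitised name.

    The lowest address keeps the bare name; later occurrences of the same
    name get a _<n> suffix, so a later set_name() never hits an existing
    name. If several names were recorded for one address, the first wins.
    """
    used = set()
    result = OrderedDict()
    for addr, raw in pairs:
        if addr in result:
            continue
        base = sanitize(raw)
        name, n = base, 0
        while name in used:
            n += 1
            name = f"{base}_{n}"
        used.add(name)
        result[addr] = name
    return result


def emit_idapython(symbols):
    """IDAPython script text: one idc.set_name() per symbol."""
    lines = ["import idc"]
    for addr, name in symbols.items():
        lines.append(
            f"idc.set_name(0x{addr:08x}, {name!r}, idc.SN_NOWARN | idc.SN_NOCHECK)"
        )
    return "\n".join(lines)


def emit_ghidra(symbols):
    """'name 0xADDRESS' lines for Ghidra's ImportSymbolsScript.py (assumed format)."""
    return "\n".join(f"{name} 0x{addr:x}" for addr, name in symbols.items())


def run_sample():
    """Process the constructed sample and return the deduplicated table."""
    return dedupe(load_records(json.dumps(SAMPLE_RECORDS)))


if __name__ == "__main__":
    table = run_sample()
    print(emit_idapython(table))
    print()
    print(emit_ghidra(table))
```

Run it as-is to see both outputs for the sample; to use it on real data, replace `SAMPLE_RECORDS` with records converted from whatever symbol source you have, and keep the generated `_<n>` suffixes in mind when you later export a `.map` back into a symbol database, since they are artifacts of the collision, not recovered names.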