Offsets in libc.so
I'd like to extend the functionality. How did you come up with the offsets in hp_ilo_4_250.h for libc.so?
/* libc.so */ static void *(*malloc)(size_t size) = (const void *)0x017B85E8;
etc...
@fishilico
Hello, thanks for your interest! It would be great to extend the work to other versions of iLO.
For the offsets, I extracted the task ConAppCLI from a firmware update, which included a segment named libc.so.text (ConAppCLI is responsible for handling an interactive SSH session). The analysis of the code of ConAppCLI led me to recover the names of several functions of libc.so, including malloc, free, opendir, etc.
Thanks for the reply! Could you post the re-assembled ConAppCLI.elf file or your idb file for ConAppCLI? I don't have IDA Pro and IDA Free doesn't seem to support the necessary loading functions.
Alternatively, do you know how to get the offsets using Ghidra? I'm not sure how to do the necessary loading of ConAppCLI.elf from the various segments like is done for IDA.
Hi, sorry for the delay. In fact, I am not familiar with the unpacker/extractor which is present in this repository, as I wrote mine before this repository was open-sourced. It would take too much time for me to merge it properly, so instead I published it in https://github.com/fishilico/ilo4_toolbox/tree/ioonag_unpacker/scripts/iLO4/ioonag_unpacker if you want to give it a try. In order to extract ConAppCLI, here are the steps:
- Download a firmware update (I mainly tested ilo4_250.bin.scexe)
- Clone my repository, change to the `ioonag_unpacker` branch (for example with `git checkout ioonag_unpacker`) and go into `scripts/iLO4/ioonag_unpacker`
- Unpack the firmware with `./unpack_firmware.py ilo4_250.bin.scexe`. If successful, this should print:
[INFO ] Found 'ilo4_250.bin' in ilo4_250.bin.scexe
[INFO ] ELF 23389.18 kB, kernel 769.26 kB, boot code 64.00 kB
[INFO ] Successfully loaded a big ELF file
[INFO ] Dumping process 'dvi' into ./iLO4-2.50.67/proc_dvi_4-2.50.67.elf
[INFO ] Dumping process 'tcpip_stack' into ./iLO4-2.50.67/proc_tcpip_stack_4-2.50.67.elf
[INFO ] Dumping process 'DHCPv6_client' into ./iLO4-2.50.67/proc_DHCPv6_client_4-2.50.67.elf
[INFO ] Dumping process 'rtc' into ./iLO4-2.50.67/proc_rtc_4-2.50.67.elf
[INFO ] Dumping process 'vrd' into ./iLO4-2.50.67/proc_vrd_4-2.50.67.elf
[INFO ] Dumping process 'spi' into ./iLO4-2.50.67/proc_spi_4-2.50.67.elf
[INFO ] Dumping process 'embmedia' into ./iLO4-2.50.67/proc_embmedia_4-2.50.67.elf
[INFO ] Dumping process 'health' into ./iLO4-2.50.67/proc_health_4-2.50.67.elf
[INFO ] Dumping process 'i2c' into ./iLO4-2.50.67/proc_i2c_4-2.50.67.elf
[INFO ] Dumping process 'chif' into ./iLO4-2.50.67/proc_chif_4-2.50.67.elf
[INFO ] Dumping process 'pjfs' into ./iLO4-2.50.67/proc_pjfs_4-2.50.67.elf
[INFO ] Dumping process 'fss' into ./iLO4-2.50.67/proc_fss_4-2.50.67.elf
[INFO ] Dumping process 'gpio' into ./iLO4-2.50.67/proc_gpio_4-2.50.67.elf
[INFO ] Dumping process 'usb.elf' into ./iLO4-2.50.67/proc_usb.elf_4-2.50.67.elf
[INFO ] Dumping process 'vsp.elf' into ./iLO4-2.50.67/proc_vsp.elf_4-2.50.67.elf
[INFO ] Dumping process 'svcsHost' into ./iLO4-2.50.67/proc_svcsHost_4-2.50.67.elf
[INFO ] Dumping process 'rbsu' into ./iLO4-2.50.67/proc_rbsu_4-2.50.67.elf
[INFO ] Dumping process 'secmgr' into ./iLO4-2.50.67/proc_secmgr_4-2.50.67.elf
[INFO ] Dumping process 'pwrmgr' into ./iLO4-2.50.67/proc_pwrmgr_4-2.50.67.elf
[INFO ] Dumping process 'ribcl' into ./iLO4-2.50.67/proc_ribcl_4-2.50.67.elf
[INFO ] Dumping process 'romchf' into ./iLO4-2.50.67/proc_romchf_4-2.50.67.elf
[INFO ] Dumping process 'fum' into ./iLO4-2.50.67/proc_fum_4-2.50.67.elf
[INFO ] Dumping process 'bmc' into ./iLO4-2.50.67/proc_bmc_4-2.50.67.elf
[INFO ] Dumping process 'svcsILO' into ./iLO4-2.50.67/proc_svcsILO_4-2.50.67.elf
[INFO ] Dumping process 'network' into ./iLO4-2.50.67/proc_network_4-2.50.67.elf
[INFO ] Dumping process 'ConAppCLI' into ./iLO4-2.50.67/proc_ConAppCLI_4-2.50.67.elf
[INFO ] Dumping process 'rdp' into ./iLO4-2.50.67/proc_rdp_4-2.50.67.elf
[INFO ] Dumping process 'snmp' into ./iLO4-2.50.67/proc_snmp_4-2.50.67.elf
[INFO ] Dumping process 'rckmgmt' into ./iLO4-2.50.67/proc_rckmgmt_4-2.50.67.elf
[INFO ] Dumping process 'sntp' into ./iLO4-2.50.67/proc_sntp_4-2.50.67.elf
[INFO ] Dumping process 'wol' into ./iLO4-2.50.67/proc_wol_4-2.50.67.elf
[INFO ] Dumping process 'beacon' into ./iLO4-2.50.67/proc_beacon_4-2.50.67.elf
[INFO ] Dumping process 'blackbox' into ./iLO4-2.50.67/proc_blackbox_4-2.50.67.elf
[INFO ] Dumping process 'ers' into ./iLO4-2.50.67/proc_ers_4-2.50.67.elf
[INFO ] Dumping process 'alertMail' into ./iLO4-2.50.67/proc_alertMail_4-2.50.67.elf
[INFO ] Dumping process 'rsyslog' into ./iLO4-2.50.67/proc_rsyslog_4-2.50.67.elf
[INFO ] Dumping process 'discovery_svcs' into ./iLO4-2.50.67/proc_discovery_svcs_4-2.50.67.elf
[INFO ] Dumping process 'drvsec' into ./iLO4-2.50.67/proc_drvsec_4-2.50.67.elf
[INFO ] Dumping process 'webserv' into ./iLO4-2.50.67/proc_webserv_4-2.50.67.elf
[INFO ] Dumping process 'restserver' into ./iLO4-2.50.67/proc_restserver_4-2.50.67.elf
[INFO ] Dumping process 'restevents' into ./iLO4-2.50.67/proc_restevents_4-2.50.67.elf
[INFO ] Dumping process 'restdirectory' into ./iLO4-2.50.67/proc_restdirectory_4-2.50.67.elf
[INFO ] Dumping process 'ssh' into ./iLO4-2.50.67/proc_ssh_4-2.50.67.elf
[INFO ] Dumping process 'json_dsp' into ./iLO4-2.50.67/proc_json_dsp_4-2.50.67.elf
[INFO ] Dumping process 'uefi' into ./iLO4-2.50.67/proc_uefi_4-2.50.67.elf
[INFO ] Dumping process 'nvdimm' into ./iLO4-2.50.67/proc_nvdimm_4-2.50.67.elf
[INFO ] Dumping process 'auxvideo' into ./iLO4-2.50.67/proc_auxvideo_4-2.50.67.elf
[INFO ] Dumping process 'pmci' into ./iLO4-2.50.67/proc_pmci_4-2.50.67.elf
[INFO ] Dumping process 'gpu' into ./iLO4-2.50.67/proc_gpu_4-2.50.67.elf
- Every file in `iLO4-2.50.67/` is an ELF file with symbols that were written from JSON files that are saved in `fw_symbols/`. This way, it should be possible to load them into any tool that supports ELF files using the ARM architecture.
- For information, in my workflow, I open a file with IDA, rename some functions, export a `.map` file and use a command like `./symbols.py -v 4-2.50 -p ConAppCli addmap proc_ConAppCli.map` to sync the file into my JSON database. This is how I saved the offsets that are used in `hp_ilo_4_250.h`.
In case someone is interested in porting the feature of "producing an ELF file with symbols from an iLO update" into the unpacker in this repository (which supports more iLO versions), feel free to reuse my code.
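Added example (not code from this issue thread, nor from ilo4_toolbox or the ioonag_unpacker branch): a pure-Python reader for the symbol table of a 32-bit ARM ELF such as the files the unpacker writes, which then regenerates the `hp_ilo_4_250.h`-style declarations without needing IDA. The ELF it parses is constructed inline as test input; the C prototypes and every address except malloc's (quoted in the first message) are assumptions.

```python
import struct
# ELF32 little-endian layouts (Elf32_Ehdr, Elf32_Shdr, Elf32_Sym) and the constants used below
EHDR, SHDR, SYM = "<16sHHIIIIIHHHHHH", "<10I", "<IIIBBH"
SHT_SYMTAB, SHT_STRTAB, STT_FUNC, SHN_ABS = 2, 3, 2, 0xFFF1
# Assumed C prototypes for the libc functions to export, in the style of hp_ilo_4_250.h
PROTOTYPES = {"malloc": ("void *", "size_t size"), "free": ("void ", "void *ptr"),
              "opendir": ("void *", "const char *name")}

def build_elf32(symbols):
    """Constructed test input: a minimal ELF32 LE (EM_ARM) file holding only a symbol table."""
    strtab, symtab, name_off = b"\0", b"\0" * 16, 1
    for name, addr in symbols:  # one STB_GLOBAL, STT_FUNC absolute symbol per entry
        symtab += struct.pack(SYM, name_off, addr, 0, (1 << 4) | STT_FUNC, 0, SHN_ABS)
        strtab += name.encode() + b"\0"
        name_off += len(name) + 1
    shstr = b"\0.symtab\0.strtab\0.shstrtab\0"
    sym_off, str_off = 52, 52 + len(symtab)
    shs_off, shoff = str_off + len(strtab), str_off + len(strtab) + len(shstr)
    shdrs = struct.pack(SHDR, *([0] * 10))  # mandatory null section header
    shdrs += struct.pack(SHDR, 1, SHT_SYMTAB, 0, 0, sym_off, len(symtab), 2, 1, 4, 16)
    shdrs += struct.pack(SHDR, 9, SHT_STRTAB, 0, 0, str_off, len(strtab), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR, 17, SHT_STRTAB, 0, 0, shs_off, len(shstr), 0, 0, 1, 0)
    ehdr = struct.pack(EHDR, b"\x7fELF\x01\x01\x01" + b"\0" * 9,  # ELFCLASS32, ELFDATA2LSB
                       1, 40, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 4, 3)  # ET_REL, EM_ARM
    return ehdr + symtab + strtab + shstr + shdrs

def read_func_symbols(data):
    """Return {name: address} for every STT_FUNC symbol in a 32-bit little-endian ELF."""
    hdr = struct.unpack_from(EHDR, data, 0)
    if hdr[0][:4] != b"\x7fELF" or hdr[0][4:6] != b"\x01\x01":
        raise ValueError("not a 32-bit little-endian ELF")
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    funcs = {}
    for sh in (s for s in sections if s[1] == SHT_SYMTAB):
        strtab = sections[sh[6]]  # sh_link is the index of the matching string table
        names = data[strtab[4]:strtab[4] + strtab[5]]
        for pos in range(sh[4], sh[4] + sh[5], sh[9] or 16):
            st_name, st_value, _, st_info, _, _ = struct.unpack_from(SYM, data, pos)
            if st_info & 0xF == STT_FUNC:
                funcs[names[st_name:names.index(b"\0", st_name)].decode()] = st_value
    return funcs

def c_header_lines(funcs, lib="libc.so"):
    """Render the known libc functions as function-pointer declarations with their addresses."""
    return [f"/* {lib} */ static {ret}(*{name})({args}) = (const void *)0x{funcs[name]:08X};"
            for name, (ret, args) in PROTOTYPES.items() if name in funcs]

# Constructed sample: malloc reuses the address quoted in the issue, the other two are made up
SAMPLE_ELF = build_elf32([("malloc", 0x017B85E8), ("free", 0x017B8A10), ("opendir", 0x017BC0F4)])
print("\n".join(c_header_lines(read_func_symbols(SAMPLE_ELF))))
```

Pointing `read_func_symbols` at one of the `proc_*.elf` files from the unpacker gives the same mapping the IDA `.map` export provides, so missing or duplicated symbols can be spotted before loading the file into a disassembler.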
Thank you Nicolas for sharing your own extractor. Can't promise anything, but we'll look when we have some time at how to merge one way or the other to unpack most of the fw.
@fishilico hi, do I need to import the JSON files in fw_symbols manually after `./unpack_firmware.py ilo4_250.bin.scexe`? The .idb file doesn't have all the symbols which were written in the JSON.
Thanks.
Hello, it has been a long time since I last studied HP iLO's firmware. From what I remember, my extractor tried to apply the known symbols from JSON files by creating ELF files with symbols, which could then be loaded in IDA/Ghidra/Binary Ninja/... If some symbols are missing from the .idb, it is probably because of a bug in the extractor to extract the symbols (for example IIRC it does not define any "symbol size", which could be something that IDA expects).
So to answer your question, normally you would not "need" to import the JSON files, but if there are some bugs, this could help define missing symbols already "known" in the JSON files.
Thanks for your reply. I found the JSON files have a lot of common symbols, so when IDA renames, errors will be reported. I had attempted to modify duplicate symbols. Thank you again ^_^
@fishilico Hello, how do you recover the standard library function symbol table or all other symbols?
IDA can't recognize symbols such as strcmp, printf, ...
Thanks.
@anotherpk I did this manually by recognizing the code in the functions. Other more automated approaches (such as using function databases from https://github.com/threatrack/ghidra-fidb-repo) could be more efficient.