The firmware is compressed and encoded in the following high-level layers: It also allows us to compress parts of the data and code on disk. This stage is essential because it enables us to load different sections into memory for reverse engineering. The flash image gets loaded to memory on every printer boot.Unpacking and decoding of the update package (with extension.The firmware update consists of the following main stages: When in doubt, sniff the update process of the printer using Wireshark to find the correct download link and firmware version.
The update files are available on the HP FTP server. HP firmware comes packaged in the remote firmware update (RFU) format. We used an HP OfficeJet Pro 8720 with the firmware update file ojpro_8720_1919B_05102019.rfu.
The second takes a flash image and loads it correctly into Ghidra.ĭisclaimer All of this information is correct for the printer that we used and the firmware version that we used. The first tool unpacks the firmware update package to the stage where we have a flash image. We wrote two main tools to reverse engineer printer updates. One can see, in the colors and shapes of the stones, the opposing political factions that dominated the printer corporate empire over time. We are not sure whether this is some form of security-by-obscurity or a heap of legacy implementations built on top of each other like an ancient ruin. When reading through this document, it becomes evident that the highly layered firmware encoding/packaging is quite convoluted and random. We ended up writing in-house tooling, and documenting the essential structures and encodings. We also did not find any tooling to unpack and load the contents of an update package into a memory map for reverse engineering.
In our research, we encountered a lack of up-to-date and correct information. The firmware file format has been partially documented in numerous places by different researchers and companies at different times, including a thorough analysis by Check Point research and basic official documentation for the outer layer of encoding. rfu format all the way to a firmware mapped correctly in a Ghidra project. We wrote tools and documentation that can take us from a printer update file in the. We needed to be able to reverse engineer an HP firmware and chose to do so by looking at an update file. This is part of a larger security research project to be released in the following months. That time came for a few of us at JSOF these past few months. There comes a time when every person will need to reverse engineer an HP firmware update. Part 4 – memory map leads us to our destination.Part 3 – From NAND to RAM through sliding windows.The next parts of the series will be uploaded week by week as we write them. This post is the first of a four-part blog series documenting the different structures and stages of the firmware update.
0 kommentar(er)
