Okay, I truncated the name a little bit, so it's now "Practical firmware reverse engineering using Python". It's easier to say, and it's a very fast tutorial, because there's a lot of stuff to say. Today we'll talk about the reverse engineering of the firmware of this device. It's a Uniden Bearcat BCD396T. It came out in 2006, and it's still cutting edge today. It's a multi-band frequency scanner, supports digital APCO 25 at 9600 baud, which is pretty well in place now. It supports trunking. It can be enhanced with an FM discriminator tap, so you can have only the FM output of the device without all the decoding. And it even has a light, if you hold it. That's pretty useful. Wow. Yeah, it's a killer feature. Why reverse this device in particular? The machine locks some bands, so if you look at what you can scan with it, there are limitations. Do we like them? Nope. APCO 25 is getting very popular. In Quebec, we have a new network which is called RENIR. It's a digital radio network that's used by public services. Expect the SPVM to go on it pretty soon. It's kind of old, since it's from 2006, so there's a lot of data available. It helps a lot. And on October 9, 2006, there's a guy that says: "It will take a concerted effort by a large group of individuals cognizant in embedded systems and assembly language to figure out how the entire firmware works. I don't think we will ever see this." It's 600 kilobytes of assembly, that's not that much, including the data part. That's a good incentive. So, reversing. Technically, how do we start to reverse this kind of device? Since we have firmware updates, the first easy step is to download the firmware file and look at it. So, this is what you get when you open the firmware file. It's pretty interesting. You say, oh, it makes sense. It's not random data. It's pretty much hex. Looks like you've got something that you can read. It's not in binary format.
This is human... So, it's something human-readable. So, I did some kind of Googling and I figured out that this is Motorola S-Records. It's used to burn EPROMs. It's a format developed by Motorola in the 68K days. It's validated by a checksum, so each S-record should have a valid checksum. And it should be human-readable for the ASCII part: if you take the bytes in there and turn them to ASCII, you should see text, as simple as that. So, if you boot up the machine, it says "Uniden Bearcat". We should be able to see this if we simply turn that to text. So, I developed a little library which is called PySREC. It's a general-purpose S-record library, plus a tool to use it. It parses the file, validates the checksums, and you can perform some forensics on that: adding offsets, moving data, extracting, calculating and validating checksums. It's GPL. It's on GitHub and it's in testing. Here's what it looks like. So, this is the library. Kudos to the Montreal CSSP groupies who come in masses looking for a presentation. It takes the data from a website where you can have the specs of the format. It's just kind of a lib that mangles the stuff. So, have a look at it if you really wish. I put some cute comments so you can use the help function. I find it useful. There's also a little tool called SRecParser that comes with it. So, you can output the file as human-readable, wrap around characters, disable checksums, useful stuff to do when you're handling those kinds of files. Okay. Back to work. Back to our S-Rec file. This is my laptop. So, technically, as they say, it should be human-readable. So, let's do a little test. Let's take our file, BCD. Let's say I want to output the data only, because there's address, type, and checksum; I just want to see the data, and human-readable. Let's go. And the file. So, we agree, it's kind of exciting. Okay. So, as we see, it's clearly human-readable.
Depending on the format I used, we should be able to search for something like u.n.i.d.e.n. Oh, no. You cannot find it. So, it's weird, because it's not readable as it should be. So, I think the first thing you need to try is to validate the checksums, because all the lines should be validated by the last byte. That's right. If it works... it was already on. So, yeah, they're bad. So, it's not human-readable. So, what we're going to do is escape again, and we're going to add a little offset to all the bytes, just for fun. Let's say... no, usually I go from 0 to 255 and I read them all. It's fun. But today I will use something more conservative, like 86, just for fun. So, fail again. Maybe. Can you do Control-plus to make it bigger? Maybe? Well, now it's bigger than my string. I'm really good. Okay. So, it still looks weird. I think it is. It's still... technically, I've taken the other file so it can work if it doesn't work. Okay. It's still a bad offset. No, it will work, because I should see the version number. Let's just try this. No, it's not the right offset. Maybe it's 87. That's right. Just to be sure. There's something around that. Anyway, I have the converted file. It still failed. Okay. Let's forget about it. Usually, when you find the offset, it's there. You've got to escape your periods to search. No, no, that's all right for that. Say 86, but it's just not the right one. Technically, if we punch in the right offset, the one I forgot, we will really find "Uniden", the revision, everything that is data, but other junk too. So, usually, when I did that, I just went from 0 to 255, and at another offset I found some more text. So, basically, it's like a rot13, but different. Yeah, it is. It's a rot-something, at different places, for different block sizes. So, we need a better way to find this. So, introducing BCVUP, the Uniden-provided update software. It's pretty cool. So, try to update the firmware. Just start the software. Try to... We don't have it.
When I started this, I didn't have it. And anyway, you can flash it more than once. So, it's not really feasible to work on that. So, programming error: we didn't even have the device to make sense of it. So, screw it. Let's reverse BCVUP.exe. I don't think so. Using IDA, I've been able to prove that the program that's used to write a text file to a serial port is five times more complex than 7-Zip. There are around 200 routines like that. It's four megs of compiled C++, thousands of routines of compiled C++. It's a total logical mess. Never leave an electrical engineer with C++. And all this just writes a file to the serial port and applies a rotation to the bytes. It's complex. It supports all their scanners, but I'm sure there are good software patterns that have been forgotten. So, what's the strategy? Write a Python tool to mock the scanner. Reverse the update procedure using the live debugger of IDA, which is easier because we know what to expect, so we're going to be able to at least put breakpoints in that function. Save the output to a file. This is a totally decoded file that should go directly to this machine. Diff the files to discover the different offsets. We'll skip this part today because it's so long. And that's if everything works. It seems easy. So, Birmak. I wrote another tool which is called Birmak. It's basically a Python tool that mocks a scanner. It supports almost all Uniden scanners. You need to use it with a COM port loopback, like com0com under Windows, or a symlink on Linux. So, basically, it opens two COM ports, 11 and 12, and you can listen to one and write to the other, and you can just mock. The computer is going to believe it is talking to a device. So, the code looks like this. This one is a lot less professional. It goes fast, it's a quick hack, it works well. So, basically, it emulates the protocol. Oh, I did it. It's pretty easy. I think this is the next slide. No one did touch it. Yeah, exactly.
So, it looks like this when it works. I need Windows, so we won't see it working. But basically, you see what we receive. By putting breakpoints in the tool, I figured out how to send the right stuff until the thing uploads the firmware and decodes the firmware. So, back to the console. Thank you for the soundtrack. Okay, so, now it just ran and it gives us the file, which is decoded.x90. So, this is how it looks when it's decoded. It looks a little better, doesn't it? Yeah, it looks a little better. Basically, the S stuff is the same, the addresses are the same, but the checksum changed. So, the data changed also, and the checksum is still valid. If you test it... that's not a problem. So, you see, it doesn't crash. So, the checksums are valid. So, we're sure that the software applies some kind of transformation and puts back a new checksum. So, it's just there to fool you. Now, let's have a look at it. Human-readable. Oh, version 3.60. If we go to normal strings. Yeah, Uniden, Bearcat, BCD. So, basically, this file is totally decoded. It's usable and we can cycle through it. There's a fun part at this point. When you go through it and you go to line, let's see... This one is good in the presentation. We're... No, we don't remember that. You know, offsets, it's lost. Right instead? 8518. Okay, that's fine. You have this little string, m16c62p. What is this? This is the MCU that runs the device. So, it's pretty useful for the next step. This is basically the CPU in the machine. So, what we're looking at is the part of the code that handles the firmware upload. So, you don't mess with that part. So, remember this. Okay. This is an MCU by Renesas. The cool thing is that they gladly offer an emulator and a workbench for it, and it supports S-record files. This is a cute screenshot of the workbench. It runs. If you load the S-record file through their workbench, the proof is that it works.
I can have it running so we can get it through. There's a sad part. IDA doesn't support this MCU, so I need somebody who's willing to add support for it in IDA. I need to release the tool, because I have a tool in the works that will take a decoded file and make an encoded file, so you can break your scanner like a pro. And now we're actually able to mod the firmware and put in your own. So, that's it. Hope you liked it. Questions? It's on GitHub, so if you really like this kind of stuff, you can download the source code. Any questions? Thank you. Thank you guys.
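Worked example, added to these notes and not the speaker's PySREC or Birmak code: a minimal Motorola S-record parser that validates the checksum the way the talk describes, then brute-forces the per-byte rotation by trying all 256 offsets for each record and looking for a string you expect to be there, such as "Uniden" or "Version". The two sample records, their addresses (0x8000 and 0x8020) and the offsets 0x86 and 0x13 are constructed for the demonstration, not taken from a real firmware file. It also shows the caveat the speaker ran into when eyeballing offsets: requiring "every byte printable" leaves a run of consecutive candidate offsets, so a known string is what actually settles it, and it has to be searched per record because different blocks can use different rotations.

```python
"""Minimal S-record parser, checksum check and rotation-offset search.
Added example for these notes; not PySREC. Sample records are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Address width in bytes per record type (S4 and S6 are not defined).
ADDR_LEN = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "7": 4, "8": 3, "9": 2}


@dataclass
class SRecord:
    rtype: str      # record type digit, e.g. "1" for an S1 data record
    address: int
    data: bytes
    checksum: int   # checksum byte exactly as found on the line

    def checksum_ok(self) -> bool:
        return self.checksum == srec_checksum(self.rtype, self.address, self.data)


def srec_checksum(rtype: str, address: int, data: bytes) -> int:
    """Ones' complement of the low byte of (count + address bytes + data bytes)."""
    alen = ADDR_LEN[rtype]
    count = alen + len(data) + 1      # bytes following the count field
    total = count + sum(address.to_bytes(alen, "big")) + sum(data)
    return (~total) & 0xFF


def parse_srec(line: str) -> SRecord:
    """Parse one 'S<type><count><address><data><checksum>' line."""
    line = line.strip()
    if len(line) < 4 or line[0] != "S" or line[1] not in ADDR_LEN:
        raise ValueError(f"not an S-record: {line!r}")
    rtype = line[1]
    raw = bytes.fromhex(line[2:])     # raises ValueError on bad hex
    alen = ADDR_LEN[rtype]
    if raw[0] != len(raw) - 1 or raw[0] < alen + 1:
        raise ValueError(f"bad count field in {line!r}")
    address = int.from_bytes(raw[1:1 + alen], "big")
    return SRecord(rtype, address, raw[1 + alen:-1], raw[-1])


def format_srec(rtype: str, address: int, data: bytes) -> str:
    """Emit a record with a freshly computed checksum."""
    alen = ADDR_LEN[rtype]
    body = bytes([alen + len(data) + 1]) + address.to_bytes(alen, "big") + data
    return f"S{rtype}{body.hex().upper()}{srec_checksum(rtype, address, data):02X}"


def rotate(data: bytes, offset: int) -> bytes:
    """Add a constant to every byte mod 256: the 'rot-something' from the talk."""
    return bytes((b + offset) & 0xFF for b in data)


def printable_offsets(data: bytes) -> List[int]:
    """Offsets under which every byte is printable ASCII. Usually a run of
    several consecutive values, so this narrows the search but cannot decide."""
    return [k for k in range(256)
            if all(0x20 <= b <= 0x7E for b in rotate(data, k))]


def needle_offsets(data: bytes, needles: List[bytes]) -> List[int]:
    """Offsets under which one of the expected strings appears in the data."""
    return [k for k in range(256) if any(n in rotate(data, k) for n in needles)]


def recover(records: List[SRecord], needles: List[bytes]) -> Dict[int, int]:
    """Per-record offset (blocks may use different rotations). Records with
    no unique hit are left out rather than guessed."""
    found = {}
    for i, r in enumerate(records):
        hits = needle_offsets(r.data, needles)
        if len(hits) == 1:
            found[i] = hits[0]
    return found


def decode(records: List[SRecord], offsets: Dict[int, int]) -> List[str]:
    """Re-emit records with rotated data and a recomputed checksum, which is
    what the updater itself does, so valid checksums prove nothing."""
    return [format_srec(r.rtype, r.address, rotate(r.data, offsets.get(i, 0)))
            for i, r in enumerate(records)]


# Constructed sample: two S1 records obfuscated with different offsets.
# Encoding subtracts the offset, so decoding means adding it back.
PLAIN = [b"Uniden Bearcat BCD396T", b"Version 3.60 (demo)"]
OFFSETS = [0x86, 0x13]
SAMPLE = [format_srec("1", 0x8000 + 0x20 * i, rotate(p, (-k) & 0xFF))
          for i, (p, k) in enumerate(zip(PLAIN, OFFSETS))]


def demo() -> Dict[int, int]:
    recs = [parse_srec(line) for line in SAMPLE]
    assert all(r.checksum_ok() for r in recs)            # valid, yet unreadable
    assert not any(b"Uniden" in r.data for r in recs)
    offs = recover(recs, [b"Uniden", b"Version"])
    for line in decode(recs, offs):                      # S1 + count + 16-bit addr = 8 chars
        print(line, bytes.fromhex(line[8:-2]).decode("ascii"))
    return offs


if __name__ == "__main__":
    demo()
```

Running `demo()` prints the two re-encoded records next to their recovered text and returns the offset found for each record. The checksum check is kept separate from the offset search on purpose: a file whose checksums all validate is only evidence that whoever transformed the data also regenerated the checksums, which is exactly the situation the talk ends up in.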