Bare-metal ARM firmware reverse engineering with Ghidra and SVD-Loader

The signal-to-noise ratio of your channel is off the charts! Congrats - keep it up.

Great video! Would love to see some more embedded FW reverse engineering like this :D

As a mostly embedded programmer this is great, much easier to follow when there's no complicated OS to worry about.

great editing its cool that you dont pass on the technical aspects and not just the theoretical concepts

Thank you sir. As a beginner in reverse engineering that's starting with a bare metal firmware, this video is very helpful. Please do more

Coming from the Bare-Metal world, I often wonder how OSes actually do their thing on microcontrollers, and how to develop for them.

I don't have this device nor do RE for a living. But damn this is getting me close to trying this out. Always found integrated boards and chipsets fascinating

One thing I'd suggest with regards to memory mapping is to clear the write flag in the flash regions. That way Ghidra automatically dereferences constants and show strings as quoted strings rather than a pointer to a string. Do keep in mind it also removes what it considers to be extraneous reads and writes and unreachable code based on constants, so if there's some configurable options in the firmware, it may remove code from the decompilation for other options that it sees as unreachable.

These videos are an absolute goldmine. Incredible work

Outstanding! Thanks for continuing to share your dedicated work

I am really impressed and grateful. This was the most useful jump start I've gotten.

I've legit been looking for so long for content creators who just explain such things in detail without all the bs

Excellent thanks for writing the SVD loader script. This video popped into my feed and ironically I am just waiting on some details of cortex M3 project which may require some reversing (although hopefully not from a work POV).

Very good information. This is the exact microcontroller we used in our embedded systems courses in university!

Please do more of this, it's fantastic!

Would just like to say, your videos inspired me to have a go at reverse engineering something, so I grabbed a Cisco 2501 router off ebay (because its got a Motorola 68030 in it), and used Ghidra to explore the boot ROMs (was amazed that it supported the m68k architecture!), figured out the memory map, and managed to get FreeRTOS running on it after creating a m68k port for it. :-)

Love your channel!

Very impressive and educational, thanks!

Hi thanks for this awesome video, do you know any other device on which we can improve our knowledges, like a device where you need to extract the firmware with jtag ?
Really enjoy your videos :D

Nice explanation, I'm surprised at how fast you were able to go through that in Ghidra, it still takes me quite a while to create names and clean up decompiled output. Seems like a good goal.

This is the best tutorial of reverse engineering embedded systems with ghidra I've seen so far. Some days ago I wanted to RE an STM board but didn't know how to proceed. Could you please do something like this with the nRF51 or nRF52 processors?

Quality content, as always.

Love this channel - thanks for you all your vids. Bare metal/Embedded/IOT/Soc adventures are like "crack" for coders - I need help :P

Now I ask myself why I didn't know this channel before. Great work!

Nice Video, thanks:)
Be careful with the 5V. Not all pins are tolerant. See "FT" specification in data-sheet, Table 9 for this MCU (Depends on the series). To avoid this: There is 3.3V right next to the 5V supply pin on the NUCLEO. Up to 112 5 V-tolerant I/Os on max 114 I/O for the LQFP144 part. So the chances are good to not release the magic smoke:)
Yours is a LQFP64, so better look that up folks. At all, don't rely on chance. It's a 3.3V part and best practice is to treat it like one. While experimenting, only use the 5V-tolerance functionality if absolutely necessary. This protects against nasty surprises

Thank you mate your videos are the greatest in this field.

IOT reversing from Ghidra Ninja? I absolutely love it!! 😍

Great Channel man. You explain so well.
Good Job.

I swear. You give better lectures than all my CA teachers together!

Thanks for the video! Curious, but how did you get the baremetal firmware (example.bin)?

I just started to reverse some code for STM32F2 and you just make my life easier, ty <3

Excellent upload timing, my STM32 blue pill arrived but a couple days ago. Keep up the good work!

top quality. i was wondering about custom ARM ASIC without datasheet. how to guess base adress ? Now days they are everywhere they enable to reduce PCB size & cost & make reverse-engenring harder. ARM ASIC includes custom IP modules inside the SOC.

i tried rev engg with atmega2560 last year, ghidra has support for it, I just had to import the bin/hex file, the thing is i already knew every reg, therefore it was easier for me to rev engg the source code when I look at ghidra's conversion

This is an absolute amazing video!!!!

interesting topic and really well made video!

Top quality explanation and skills

I watched a video and subscribed right away! Amazing content 😊

The fact that STM calls their mode register MODER in their docs which loosely translates to mold in german, always cracks me up.

I've always thought that a computer was defined by both hardware AND an operating system. For a bare metal, does the application assume the role of operating system, how does the hardware "communicate" with the app ? Thanks

Great video, keep them coming, thnx!

as a beginner in RE, where should I start if I want to learn? I have a cyber security background, just not an RE background

Nice info, thanks :)

Love this explanation vid!

Which DevOps Engineers also thought this would be a bare metal tutorial for Kubernetes 😆

Omg this video brings up memories, I used ARM to build a robot. And oh boy, it's mind consuming to read the datasheet -.-

omg man.. please do tutorial series and teach us how to use Ghidra :)

Great thanks for creating the video

GREAT JOB!!!

Thanks! Any hints from you how to reverse engineer BOSH BHI160 sensor firmware? https://www.bosch-sensortec.com/products/smart-sensors/bhi160-firmware/ I believe they may use Zephyr. In any case `binwalk` kept silent, Ghidra doesn't help much seems...

And how do you get the binary from a flashed device?

Pls show how to include SVD scripts in ghidra environment I tried hard but can't find SVD scripts in script manager pls help

is it possible to flash a customized board firmware?

Please keep sharing RE videos
Ill be back for this stuff..

Nice, I can't wait till chips are purpose built for this accessibility to clock cycles - C'mon people WORK ON YOUR AI BABY MODELS!

super video.. danke dir

Incredible!

Can someone give me a list of prior knowledge do i need to do these things, roughly

Brilliant I have a challenge I know some brilliant mind like you Will solve it I need help with a Korean nintendo wii Locked on error 003 after update there is way to fix it but it's a painful and I can't find a modchip if there any way through software please and a lot of thanks to you for your time and work

Much more comfortable watching this at 0.75 speed lol

how did you get the display out that prints the crackme messages? the cable connected is a usb cable to power the microcontroller, right?

I'm having trouble finding the link to download example.bin. Can anyone help me out?

Thank you :)

thank you!

Tip: leave the address on the end of an unknown name. Eg usart_fn08000752. Then you don't have to worry about having a dozen different functions named usart_fn3 scattered around.

The main reason why I clicked on this video was that I was hoping to learn how to export binary from mcu :(

Would a reasonable way to be able to tell the endianness just be trial and error?

Please on your previous video on creating back door to a camera. I am having issue using the mkimage. It is not working for me. Is it not part of tools in Kali? Do I need to install it. I am not getting direct link on how to go about it. Can you help please?

I can't wait for next wannacry inverse engineering

I'm sorry but how did you figure out the SRAM lenght to that you put in the memory map? The SRAM blocks on the MCU I'm trying go from 0x20000000 to 0x40000000, also at the start of the Memory section in the datasheet says the chip has 256 kB RAM, so do I just put 0x40000 or could that be a different length since there are separate RAM and SRAM blocks and I see you are putting the SRAM's starting address

Bro which IDE is that

yes i have refreshed but dont work

So... Yikes... Looks like I'm too 👂ly here.

Not sure where to find the ghidra python module ? Python reports that I am missing this. Any idea where to find that ?

nice. good talk.

Im subscribed to this channel cz the dragon looks cool

brain.exe has stopped working

I didn't find decompiler for stm32f103c4 elf file to c code error

<3

Please, do a similar video but now with the most popular MCU: atmega328 (Arduino UNO)

Notification squad. Lol, I'm a nerd.

yeet

I'm sorry - I cannot get past you referring to 0x20000000 as hex two thousand etc. A hard pass on what could potentially have been an interesting video.

Pls reply fast because I have a project to complete

Add script folder to script directories in script manager but dont show scripts in script list

Sorry, but way too much base and I can hardy make out what you are saying.