Firmware Reverse Engineering with Ghidra
Learn how to reverse engineer firmware efficiently with Ghidra, from ARM over MIPS to x86.
The release of Ghidra changed the reverse engineering landscape: A free and open-source reverse engineering suite with a state-of-the art decompiler with support for a ton of architectures. In this training you will learn how to use Ghidra efficiently to reverse engineer firmware and other binaries from ARM to x86. At the end of the training you will be proficient enough in Ghidra to use it as your main, day-to-day reverse engineering tool.
What you will learn
- Introduction to Ghidra
- Reversing (x86 & ARM) ELF binaries using Ghidra
- Introduction to the ARM architecture & instructions
- Reversing ARM binaries using Ghidra
- Thumb & ARM32 in Ghidra
- Optimizing the decompiler output
- Working with types and structures
- Decompiling C++ using OOAnalyzer
- Loading bare-metal code using SVD-Loader
- Identifying chips using chipfinder
- Using the graph view
- Using different scripts supplied with Ghidra
- Writing basic scripts in Python
- Using advanced Ghidra functionality
Day 1
Day 1 is all about getting started with Ghidra: A general introduction into the user-interface, focusing on the project manager and the code browser. We will look at the different automated analysis options, and start with reverse engineering some ELF binaries for different architectures.
Aftwarewards, we start exploring how we can optimize the decompiler output: Creating custom types, loading C headers, overriding function signatures, and so on.
We also look at how to make our life in Ghidra much easier by using Function ID: Generating function signatures for different standard libraries, and also for different embedded libraries.
At the end of day 1 you will be able to do basic reverse engineering in Ghidra.
Day 2
On day 2 we will start looking at the more advanced features of Ghidra and its plugins & scripts: Creating custom memory maps, working with some of the built-in scripts, and writing our own scripts in Python.
A big focus is also on learning how to work with flat binaries: Especially bare metal firmware often lacks any structured format, making reverse engineering a bit more challening.
We will start looking at datasheets of processors and how to use them during reverse engineering, and how to identify different ARM chips using chipfinder. Afterwards we look at loading the firmware of different devices and how to annotate all the different peripherals etc.
We will also look at using Yara signatures in Ghidra, a tool for pattern matching that makes finding cryptographic functions & co very easy.
At the end of day 2 you will be able to efficiently reverse a wide range of binaries using Ghidra, for most of the supported architectures.
Class requirements
- Good understanding of the C language, especially pointers
- Basic assembly skills (No matter which architecture)
Hardware Requirements
A computer with running Ghidra 9.1.2, alternatively you can also download our VM that has everything pre-installed.