Firmware reverse engineering with Ghidra

Learn how to reverse engineer firmware efficiently with Ghidra, from ARM over MIPS to x86.

The release of Ghidra changed the reverse engineering landscape: a free and open-source reverse engineering suite with a state-of-the-art decompiler and support for a wide range of architectures. In this training you will learn how to use Ghidra efficiently to reverse engineer firmware and other binaries, from ARM to x86. At the end of the training you will be proficient enough in Ghidra to use it as your main, day-to-day reverse engineering tool.

What you will learn

  • Introduction to Ghidra
  • Reversing (x86 & ARM) ELF binaries using Ghidra
  • Introduction to the ARM architecture & instructions
  • Reversing ARM binaries using Ghidra
  • Thumb & ARM32 in Ghidra
  • Optimizing the decompiler output
  • Working with types and structures
  • Decompiling C++ using OOAnalyzer
  • Loading bare-metal code using SVD-Loader
  • Identifying chips using chipfinder
  • Using the graph view
  • Using different scripts supplied with Ghidra
  • Writing basic scripts in Python
  • Using advanced Ghidra functionality

Schedule

Day 1

Day 1 is all about getting started with Ghidra: a general introduction to the user interface, focusing on the project manager and the code browser. We will look at the different automated analysis options, and start by reverse engineering some ELF binaries for different architectures.

Afterwards, we start exploring how to optimize the decompiler output: creating custom types, loading C headers, overriding function signatures, and so on.

We also look at how to make life in Ghidra much easier by using Function ID: generating function signatures for different standard libraries, and also for different embedded libraries.

At the end of day 1 you will be able to do basic reverse engineering in Ghidra.

Day 2

On day 2 we will start looking at the more advanced features of Ghidra and its plugins and scripts: creating custom memory maps, working with some of the built-in scripts, and writing our own scripts in Python.

A big focus is also on learning how to work with flat binaries: bare-metal firmware in particular often lacks any structured format, which makes reverse engineering a bit more challenging.

We will start by looking at processor datasheets and how to use them during reverse engineering, and at how to identify different ARM chips using chipfinder. Afterwards we look at loading the firmware of different devices and how to annotate the various peripherals and memory regions.

We will also look at using Yara signatures in Ghidra; Yara is a pattern-matching tool that makes finding cryptographic functions and similar well-known code very easy.

At the end of day 2 you will be able to efficiently reverse a wide range of binaries using Ghidra, for most of the supported architectures.

Class requirements

  • Good understanding of the C language, especially pointers
  • Basic assembly skills (any architecture)

What you need to bring

A computer running Ghidra 9.1.2; alternatively, you can download our VM, which has everything pre-installed.

Training by Thomas Roth

Thomas is best known for his attacks on embedded devices. His research focuses on mobile and embedded systems with published research on TrustZone, payment terminals, and embedded security.

Feedback by

Steven

07 May 2020

I tried to learn reverse engineering a few times on my own and didn't get very far. During this course I was actually able to start reading binaries and even understand the "framework" for reverse engineering (SVD loader, Function IDs, etc). Very easy recommend.

Feedback by

Anonymous

07 May 2020

Thomas does a great job of taking you from a Ghidra zero to a Ghidra hero in this training. Seriously. You'll learn just about everything you need to know to get started reverse engineering firmware.

Feedback by

Marius

06 May 2020

The course was great to get an insight into reverse engineering of firmware. The trainer also showed us many procedures and tools that can significantly reduce the workload for such tasks.

Feedback by @azflagbestflag

07 May 2020

Absolutely fantastic crash course on embedded RE, I enjoyed every minute.

Feedback by @Sam_Vido

07 May 2020

It was incredible to watch High Priest Roth absolutely slam dunk firmwares onto the floor. I learned an absolute TON over the span of two days, I hope I get to come back for more.

Can't attend? All of our trainings are also available as private classes for your company.
