eCos Offensive Security Research Logbook

Offered By: BruCON Security Conference via YouTube

Tags

BruCON Courses, Exploit Development Courses, Firmware Analysis Courses, Firmware Extraction Courses

Course Description

Overview

Explore the world of eCos RTOS offensive security research in this comprehensive conference talk from BruCON 0x0D. Delve into the inner workings of eCos-based devices, from cable modems to ICS components, and learn techniques for firmware analysis, exploitation, and long-term persistence. Follow along as the speaker demonstrates how to extract and analyze eCos firmware, write exploits for memory corruption vulnerabilities, and develop firmware implants. Gain insights into Broadcom's eCos internals, including interrupts, exception handling, memory layout, and heap management. Discover tools and methodologies for security professionals interested in eCos platform security, covering topics such as function identification, vtable analysis, and memory mapping. Witness practical demonstrations of exploiting vulnerabilities and achieving persistence on eCos devices. Conclude with recommendations for improving eCos security and explore future research directions in this underexplored area of embedded systems security.

Syllabus

Introduction
Disclaimers
About me
Battle plan
Extracting Firmware
Shell
Device Profile
Device Content
Cleanup
Load in Ghidra
R2 Pipe
Function Offsets
Broadcom
Firmware dump
Header format
Program store
Plan
Signature Libraries
Function ID databases
Functions signatures
Function tracing
Function naming
Vtable
Rename Vtables
Address of vectors
Data segment identification
Firmware Offset
Stack Location
Stack Base Address
Memory Map
Memory Map offsets
Bugs
Memory Corruption
Store Copy
Parental Control Page
Storycuts
Heap Overflow
Device Crash
Drop Chain
Recap
Netgear
Exploit
Shellcode
Linker
Persistence
Implant
Bootkit
Persistence Demonstration
Recommendations
IP Manager
Future work
Open source
References


Taught by

BruCON Security Conference
