Dfuexplorer

USB DFU Client for Reverse Engineers

DFU Explorer

by Travis Goodspeed

Howdy y'all,

USB's Device Firmware Upgrade protocol is a semi-standard protocol for reading and writing firmware. Most clients for this protocol are designed for safely writing the firmware to specific devices. DFU Explorer is the opposite, designed to explore unknown DFU devices with an aim toward reading their firmware.

Like any low-level tool, this one can brick a device by accident if you are unlucky. For this reason, there is absolutely no warranty.

If you find this tool handy, please buy my book Microcontroller Exploits wherever fine books are sold.

--Travis

Status

This tool is reasonably good at dumping firmware and exploring unknown DFU devices. It is not yet very good at programming devices, but that will come sooner or later.

Usage

The -s or -d switch specifies the USB device to be used, and -L lists the available devices.

-U uploads data from the device and -D downloads data to the device. -S lists all of the device's strings, which sometimes include clues about the firmware.

% dfuexplorer --help
Usage: dfuexplorer [options]
DFU Explorer by Travis Goodspeed

Options:
  -h, --help                  Displays help on commandline options.
  --help-all                  Displays help, including generic Qt options.
  -v, --version               Displays version information.
  -V, --verbose               Verbose Mode
  -l, --shortlist             List DFU Devices
  -L, --list                  List All Devices
  -S, --strings               Dump All Strings
  -A, --auto                  Autoconnect
  -d, --vidpid <vid:pid>      Open VID:PID
  -s, --busdev <bus:dev>      Open Bus:Device
  -i, --interface <0>         Interface Number
  --progress                  Visualize Progress
  -E, --exclude <0x1fffc000>  Exclude an address from dumping.
  -U, --upload <foo.bin>      Upload from Device to File
  -H, --hex                   Upload from Device to Hex
  -D, --download <foo.bin>    Download to Device from File
  --md380-codeplug            MD380 Codeplug Mode
  --md380-firmware            MD380 Firmware Mode
  --md380-reboot              MD380 Reboot
  -a, --address <0>           Address
  --address-scan              Scans for valid addresses.
  --address-scan-upload       Uploads all regions found in address scan.
  -c, --size <16384>          Total Upload Size
  -b, --blocksize <1024>      Block Size
  --stepsize <0x10000>        Step Size for Searching
% 

Examples

Neewer Z160 Hot Shoe Flash

Neewer's Z160 has a DFU bootloader that can be enabled by holding the button on the scroll wheel as you power on the flash. This is best performed with a nearly dead battery; if you crash the flash, you'll have to wait days for the battery to die before it resets.

This runs an STM32 DFU example from STMicro. The block size is fixed at 1024 bytes; other values do not match the block alignment the device specifies. Flash is 64kB, holding first the DFU bootloader and then the application.

forum% dfuexplorer -d 0483:df11 -S
"STMicroelectronics"
"STM32 DownLoad Firmware Update"
"207732654231"
"DFU Config"
"DFU Interface"
"@Z160 /0x08000000/12*002Ka,104*001Kg"
""
forum% dfuexplorer -d 0483:df11 -c 65536 -b 1024 -U firmware.bin
...
forum% hd firmware.bin|head
00000000  a0 20 00 20 a9 81 00 08  a1 c6 00 08 f1 b7 00 08  |. . ............|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 71 d0 00 08  |............q...|
00000030  00 00 00 00 00 00 00 00  2d c9 00 08 15 d4 00 08  |........-.......|
00000040  bb 81 00 08 bb 81 00 08  bb 81 00 08 bb 81 00 08  |................|
00000050  bb 81 00 08 f9 94 00 08  bb 81 00 08 03 95 00 08  |................|
00000060  bb 81 00 08 d5 92 00 08  bb 81 00 08 bb 81 00 08  |................|
00000070  bb 81 00 08 bb 81 00 08  bb 81 00 08 01 d6 00 08  |................|
00000080  bb 81 00 08 11 d6 00 08  bb 81 00 08 bb 81 00 08  |................|
00000090  bb 81 00 08 bb 81 00 08  bb 81 00 08 bb 81 00 08  |................|
forum% 

MD380 Bootloader Dump

The Tytera MD380 two-way radio has a DFU recovery bootloader, accessible by holding PTT and the button above it while turning the radio on. This bootloader expects firmware updates to be encrypted with an XOR key, but you can dump the bootloader itself by doing a DFU upload without sending the command to choose a memory. See PoC||GTFO 10:8 or Chapter 3 of Microcontroller Exploits.

One complication is that this exploits a null pointer dereference, so libusb's maximum transaction size is an issue: every packet is pulled from address zero, so the entire read has to happen in a single transfer. On Linux, that limit is usually 4096 bytes. On macOS, we can pull all 48kB of the bootloader in a single transaction.

air% uname
Darwin
air% dfuexplorer -l
Bus 000 Device 002: ID 0483:df11 Digital Radio in USB mode
air% dfuexplorer -d 0483:df11 -b 49152 -c 49152 -U bootloader.bin
Uploaded 49152 bytes of "bootloader.bin"
air% hd bootloader.bin | head
00000000  30 1a 00 20 15 56 00 08  29 54 00 08 2b 54 00 08  |0.. .V..)T..+T..|
00000010  2d 54 00 08 2f 54 00 08  31 54 00 08 00 00 00 00  |-T../T..1T......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 33 54 00 08  |............3T..|
00000030  35 54 00 08 00 00 00 00  83 30 00 08 37 54 00 08  |5T.......0..7T..|
00000040  61 56 00 08 65 56 00 08  69 56 00 08 5b 54 00 08  |aV..eV..iV..[T..|
00000050  71 56 00 08 75 56 00 08  4f 54 00 08 4d 54 00 08  |qV..uV..OT..MT..|
00000060  4b 54 00 08 49 54 00 08  89 56 00 08 8d 56 00 08  |KT..IT...V...V..|
00000070  91 56 00 08 95 56 00 08  99 56 00 08 9d 56 00 08  |.V...V...V...V..|
00000080  a1 56 00 08 a5 56 00 08  a9 56 00 08 ad 56 00 08  |.V...V...V...V..|
00000090  b1 56 00 08 b5 56 00 08  b9 56 00 08 bd 56 00 08  |.V...V...V...V..|
air%
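Both hexdumps above begin with a Cortex-M vector table: the first word is the initial stack pointer (0x200020a0 for the Z160, 0x20001a30 for the MD380 bootloader) and the words after it are Thumb handler addresses in flash, with the low bit set. Checking those properties is a quick way to tell a real image from erased flash or a silently failed upload. The following is an added example of my own, not code from DFU Explorer; the byte strings are copied from the two hexdumps on this page, and the flash and SRAM address windows, together with the helper names, are my assumptions:

```python
import struct
from collections import Counter

# Assumed Cortex-M address windows, wide enough for the STM32-style parts
# in this README (code at 0x0800_0000, SRAM at 0x2000_0000).
FLASH_BASE, FLASH_LIMIT = 0x08000000, 0x08100000
SRAM_BASE, SRAM_LIMIT = 0x20000000, 0x20100000
# Word index -> architectural exception; entries 7-10 and 13 are reserved.
CORE_VECTORS = {1: "Reset", 2: "NMI", 3: "HardFault", 4: "MemManage",
                5: "BusFault", 6: "UsageFault", 11: "SVCall",
                12: "DebugMonitor", 14: "PendSV", 15: "SysTick"}


def in_flash(addr):
    return FLASH_BASE <= addr < FLASH_LIMIT


def in_sram(addr):
    return SRAM_BASE <= addr < SRAM_LIMIT


def check_vector_table(blob):
    """Decode the Cortex-M vector table at the start of a dump.

    Word 0 is the initial stack pointer and must land in SRAM; every non-zero
    entry after it is a Thumb code address, so it must be odd and in flash.
    Returns the decoded fields plus a verdict on whether the dump looks like
    a real image rather than erased flash or bus noise."""
    n = len(blob) // 4
    words = struct.unpack("<%dI" % n, blob[:n * 4])
    sp = words[0] if words else 0
    handlers = [w for w in words[1:] if w != 0]
    bad = [h for h in handlers if not (h & 1 and in_flash(h))]
    # Unused IRQ slots usually share one default handler; the most common
    # IRQ entry (word 16 onwards) is a good candidate for it.
    irq_counts = Counter(w for w in words[16:] if w != 0)
    default = irq_counts.most_common(1)[0][0] if irq_counts else None
    return {
        "sp": sp,
        "reset": words[1] if len(words) > 1 else 0,
        "core": {name: words[i] for i, name in CORE_VECTORS.items() if i < n},
        "default_handler": default,
        "bad_entries": bad,
        "looks_valid": in_sram(sp) and bool(handlers) and not bad,
    }


# First 0xa0 bytes of firmware.bin, copied from the Z160 hexdump above.
Z160_HEAD = bytes.fromhex(
    "a0200020a9810008a1c60008f1b70008"
    "00000000000000000000000000000000"
    "00000000000000000000000071d00008"
    "00000000000000002dc9000815d40008"
    "bb810008bb810008bb810008bb810008"
    "bb810008f9940008bb81000803950008"
    "bb810008d5920008bb810008bb810008"
    "bb810008bb810008bb81000801d60008"
    "bb81000811d60008bb810008bb810008"
    "bb810008bb810008bb810008bb810008")
# First 16 bytes of bootloader.bin, copied from the MD380 hexdump above.
MD380_HEAD = bytes.fromhex("301a002015560008295400082b540008")

if __name__ == "__main__":
    for label, blob in (("Z160", Z160_HEAD), ("MD380 bootloader", MD380_HEAD)):
        r = check_vector_table(blob)
        print("%s: SP=0x%08x Reset=0x%08x valid=%s default=%s" % (
            label, r["sp"], r["reset"], r["looks_valid"],
            "0x%08x" % r["default_handler"] if r["default_handler"] else "n/a"))
```

On the Z160 dump the most common IRQ entry is 0x080081bb, which is the default handler the unused interrupt slots share; 0x0800d071, 0x0800c92d and 0x0800d415 decode as SVCall, PendSV and SysTick. A dump of all 0xff bytes fails the check because neither the stack pointer nor the entries fall in the expected windows.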

MD380 Codeplugs

TODO

Geehy APM32 ISP DFU mode

ID 314b:0106

This was found in a counterfeit chip, labelled as if it were an STM32F407. I shorted BOOT0 to 3V3 to enable DFU mode.

This implementation crashes if you read illegal string indices or if you read the option bytes inappropriately.

air% dfuexplorer -l
Bus 001 Device 001: ID 314b:0106 APM32 ISP DFU mode
air% dfuexplorer -d 314b:0106 -S
"Geehy"
"APM32 ISP DFU mode"
"416231525384"
"@Internal Flash   /0x08000000/03*016Kg,01*016Kg,01*064Kg,07*128Kg"
"@Option Bytes   /0x1FFFC000/01*016 e"
"@OTP Memory   /0x1FFF7800/01*512 e,01*016 e"
"@Device Feature  /0xFFFF0000/01*04 e"
""
Timeout when entering DFU mode at 0

You can dump most regions automatically, so long as you avoid the option bytes. The first 8kB of RAM are inaccessible, so the SRAM dump will begin at 0x20002000.

air% dfuexplorer -d 314b:0106 \
                --address-scan-upload \
                --exclude 0x1fffc000
Scanning the usual suspects.
8000000 valid until 8100000
1fff0000 valid until 1fff8000
1fffc000 valid until 1fffc800
20000000 valid until 20020000
Scanning the rest.

Option bytes can be read from 0x1fffc000, but only as a single 256-byte block.

air% dfuexplorer -d 314b:0106 \
                -H -a 0x1fffc000 -b 256
ee 00 00 55 ee ee ee ee   ee ee ee ee ee ee ee ee 
ee ee ee ee ee ee ee ee   ee ee ee ee ee ee ee ee 
ee ee ee ee ee ee ee ee   ee ee ee ee ee ee ee ee 
ee ee ee ee ee ee ee ee   ee ee ee ee ee ee ee ee 
ee ee ee ee ee ee ee ee   ee ee ee ee ee ee ee ee 
ee ee ee ee ee ee ee ee   ee ee ee ee ee ee ee ee 
ee ee ee ee ee ee ee ee   ee ee ee ee ee ee ee ee 
ee ee ee ee ee ee ee ee   ee ee ee ee ee ee ee ee 
air% 
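The "@Name/0xBASE/segments" strings printed by -S (both the Z160's and the Geehy chip's) are DfuSe memory-layout descriptors: each segment is count*size, a unit (K, M, or a space for bytes) and a type letter a..g that is a bitmask of readable (1), erasable (2) and writable (4). Parsing them gives the address and size for each -a/-c upload and, compared against the --address-scan output, shows where a descriptor understates or overstates what the bootloader really serves. The following is an added example of my own, not code from DFU Explorer; the strings and scan lines are copied from the Geehy transcript above, the segment grammar follows the DfuSe convention, and the helper names are my assumptions:

```python
import re
from dataclasses import dataclass

# DfuSe segment: <count>*<size><unit><type>, e.g. "03*016Kg" or "01*016 e".
SEGMENT_RE = re.compile(r"(\d+)\*(\d+)([KM ])([a-g])")
UNITS = {" ": 1, "K": 1024, "M": 1024 * 1024}
SCAN_RE = re.compile(r"^([0-9a-f]+) valid until ([0-9a-f]+)$")


@dataclass
class Sector:
    address: int
    size: int
    readable: bool
    erasable: bool
    writable: bool


def parse_dfuse_layout(descriptor):
    """Return (name, [Sector, ...]) for one DfuSe memory-layout string."""
    if not descriptor.startswith("@"):
        raise ValueError("not a DfuSe layout string: %r" % descriptor)
    parts = descriptor[1:].split("/")
    name = parts[0].strip()
    sectors = []
    # After the name the string alternates "<hex base>" and "<segment list>".
    for base_text, seg_text in zip(parts[1::2], parts[2::2]):
        address = int(base_text, 16)
        for count, size, unit, kind in SEGMENT_RE.findall(seg_text):
            sector_size = int(size) * UNITS[unit]
            flags = ord(kind) - ord("a") + 1  # 'a' -> 1 ... 'g' -> 7
            for _ in range(int(count)):
                sectors.append(Sector(address, sector_size, bool(flags & 1),
                                      bool(flags & 2), bool(flags & 4)))
                address += sector_size
    return name, sectors


def region_end(sectors):
    return sectors[-1].address + sectors[-1].size


def plan_uploads(descriptors, exclude=()):
    """(name, address, size) per readable region, skipping bases listed in
    exclude, the way --exclude keeps --address-scan-upload off the option bytes."""
    plan = []
    for descriptor in descriptors:
        name, sectors = parse_dfuse_layout(descriptor)
        readable = [s for s in sectors if s.readable]
        if not readable or readable[0].address in exclude:
            continue
        plan.append((name, readable[0].address,
                     region_end(readable) - readable[0].address))
    return plan


def parse_address_scan(output):
    """'8000000 valid until 8100000' lines from --address-scan -> [(start, end)]."""
    ranges = []
    for line in output.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def compare_with_scan(descriptors, scan_output):
    """(name, advertised_end, scanned_end) per region; scanned_end is None when
    no scanned range contains the region's base address."""
    ranges = parse_address_scan(scan_output)
    report = []
    for descriptor in descriptors:
        name, sectors = parse_dfuse_layout(descriptor)
        base = sectors[0].address
        scanned = next((end for start, end in ranges if start <= base < end), None)
        report.append((name, region_end(sectors), scanned))
    return report


# Copied from the Geehy transcript above.
GEEHY_STRINGS = [
    "@Internal Flash   /0x08000000/03*016Kg,01*016Kg,01*064Kg,07*128Kg",
    "@Option Bytes   /0x1FFFC000/01*016 e",
    "@OTP Memory   /0x1FFF7800/01*512 e,01*016 e",
    "@Device Feature  /0xFFFF0000/01*04 e",
]
GEEHY_SCAN = """Scanning the usual suspects.
8000000 valid until 8100000
1fff0000 valid until 1fff8000
1fffc000 valid until 1fffc800
20000000 valid until 20020000
"""

if __name__ == "__main__":
    for name, addr, size in plan_uploads(GEEHY_STRINGS, exclude=(0x1FFFC000,)):
        print("%-16s -a 0x%08x -c %d" % (name, addr, size))
    for name, adv_end, scan_end in compare_with_scan(GEEHY_STRINGS, GEEHY_SCAN):
        print("%-16s descriptor ends 0x%08x, scan ends %s" % (
            name, adv_end, "0x%08x" % scan_end if scan_end else "(not found)"))
```

The Geehy flash descriptor sums to exactly 1MB, ending at 0x08100000 where the address scan also stops, while the option-byte descriptor claims 16 bytes and the scan finds 0x800 readable, which matches the 256-byte-block behaviour noted above. The Z160 descriptor parses to twelve read-only 2K sectors followed by 104 writable 1K sectors, 128kB in all, more than the 64kB the flash actually holds; the descriptor is a hint to be cross-checked, not a ground truth.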
