Reverse Engineering MicroPython Frozen Modules: Data Structures, Reconstruction, and Reading Bytecode

Presented at DEF CON 32 (2024), Aug. 10, 2024, 10 a.m. (45 minutes).

MicroPython is a firmware environment for quickly developing and deploying software onto microcontroller systems. It is used in a variety of industrial and scientific applications, as well as (most importantly) in some DEF CON #badgelife projects. It's easy to learn and use for rapid prototyping. For hackers interested in reverse engineering compiled or obfuscated MicroPython code, there are some obstacles. MicroPython is an implementation of CPython, not a port, so it has its own compiled bytecode language that existing reverse engineering tools aren't designed to parse. Also, modules can be "frozen", compiled directly into the microcontroller firmware, and may be difficult to locate and parse when microcontroller firmware is extracted and analyzed.

In this talk, Wesley will walk the audience through the process of identifying "frozen"/compiled modules in a firmware image without debug symbols using the Ghidra disassembler. The relevant module, string, object, and raw code data structures will be detailed, so that everything required to rebuild a non-frozen module can be recovered. Once a compiled module is reconstructed, Wesley will present a detailed example of reading and understanding MicroPython compiled bytecode, in order to reverse engineer the purpose and implementation of the module.

- MicroPython source code
- Official documentation, including:
  - .mpy files: [link](https://docs.micropython.org/en/latest/reference/mpyfiles.html)
  - MicroPython internals: [link](https://docs.micropython.org/en/latest/develop/index.html)
- "Securing a MicroPython System" [link](https://github.com/micropython/micropython/wiki/Securing-a-MicroPython-system)
- The collected Raspberry Pi Pico documentation for my test environment [link](https://www.raspberrypi.com/documentation/microcontrollers/raspberry-pi-pico.html#documentation)
- Andrew Leech - "Profiling Pathogens with (micro) Python" [link](https://www.youtube.com/watch?v=YovngSLXoxw)
- Kevin McAleer - "Securing Passwords with MicroPython" [link](https://www.youtube.com/watch?v=fl3UNaUoYzc)
- C. Spindler - "MicroPython used in industrial applications" [link](https://www.youtube.com/watch?v=xDPdvjNxyWs)
- "MicroPython and the European Space Agency" [link](https://forum.micropython.org/viewtopic.php?f=8&t=744)

Presenters:

  • Wesley McGrew - Senior Cybersecurity Fellow at MartinFederal
    Dr. Wesley McGrew directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and taught a self-designed course on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.
