PERCH: Adding a peripheral layer to Ghidra

Presented at ToorCon San Diego TwentyOne (2019), Nov. 9, 2019, 3:30 p.m. (25 minutes).

PERCH is a tool that adds a new peripheral layer to Ghidra. By parsing Trace32's .per files, it augments Ghidra projects with labeled MMIO mappings from thousands of different processors.

Ghidra, the recently released NSA reverse engineering tool, supports numerous processor cores, allowing for the analysis of the vast majority of firmware images. However, a pain point in embedded firmware reverse engineering is identifying and reverse engineering peripheral interactions. Ghidra, and its commercial twin IDA, support registers in the processor core; however, they do not map all of the processor’s peripheral registers. This is because each processor has hundreds, if not thousands, of variants with different peripheral layouts. Fortunately, Lauterbach, a debugging/emulation tool vendor, has gone through the painstaking effort of documenting nearly every processor’s peripheral layout in a well-defined “Peripheral file”. Our contribution, PERCH (Peripheral Conversion Helper), is a utility that parses these files and allows for their integration into other tools. Its companion extension adds a peripheral register database to Ghidra. Extension features include the labeling of all peripheral registers and their accesses, enumeration of utilized peripherals, and a framework for scripting around the peripheral database. This framework allows new scripts, e.g. a script for identifying peripheral setup functions through a reference count heuristic, to be built around the peripheral register database. In short, PERCH and its companion extension vastly improve the embedded firmware reverse engineering experience in Ghidra.
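
The reference count heuristic mentioned above, sketched as an added example that is not PERCH's code or the extension's API: it assumes a setup function is one that writes several distinct registers of the same peripheral. The peripheral map, function names and cross-references are constructed, and `peripheral_for` and `setup_candidates` are hypothetical names.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed peripheral map (base, size, name); not taken from any real .per file.
PERIPHERALS = sorted([
    (0x40000000, 0x400, "UART0"),
    (0x40001000, 0x400, "SPI0"),
    (0x40002000, 0x400, "GPIOA"),
])
BASES = [base for base, _, _ in PERIPHERALS]

# Constructed cross-references: (function, access type, target address).
XREFS = [
    ("FUN_08000120", "W", 0x40000000),
    ("FUN_08000120", "W", 0x40000004),
    ("FUN_08000120", "W", 0x40000008),
    ("FUN_08000120", "W", 0x4000000C),
    ("FUN_08000120", "R", 0x40000018),
    ("FUN_08000300", "W", 0x40000000),  # driver loop: same data register twice
    ("FUN_08000300", "W", 0x40000000),
    ("FUN_08000300", "R", 0x40000018),
    ("FUN_08000480", "W", 0x40002000),
    ("FUN_08000480", "W", 0x40002004),
    ("FUN_08000480", "W", 0x40002008),
    ("FUN_08000480", "W", 0x20000100),  # SRAM, outside every peripheral
]

def peripheral_for(addr):
    """Return the name of the peripheral owning addr, or None if not MMIO."""
    i = bisect_right(BASES, addr) - 1
    if i < 0:
        return None
    base, size, name = PERIPHERALS[i]
    return name if addr < base + size else None

def setup_candidates(xrefs, min_regs=3):
    """Rank (function, peripheral) pairs by distinct registers written."""
    written = defaultdict(set)
    for func, kind, addr in xrefs:
        name = peripheral_for(addr)
        if kind == "W" and name is not None:
            written[(func, name)].add(addr)
    hits = [(f, p, len(a)) for (f, p), a in written.items() if len(a) >= min_regs]
    return sorted(hits, key=lambda h: (-h[2], h[0]))

if __name__ == "__main__":
    for func, periph, count in setup_candidates(XREFS):
        print(f"{func}: writes {count} distinct {periph} registers")
```

Counting distinct registers rather than raw references keeps a driver routine that hammers one data register from outranking a function that configures the whole block.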


Presenters:

  • Rick Housley
    Rick Housley is a Principal Engineer at United Technologies Corp., where he works as part of UTC’s Cyber Security Center of Expertise. Prior to his time at UTC, he worked as a Research Scientist at Red Balloon Security. His research has been showcased at numerous industry and academic conferences including Blackhat, Defcon, REcon, and WOOT. His most recent disclosure “Thrangrycat” was awarded a Pwnie for “Most Underhyped Research” earlier this year. When not designing secure-boot defeating EMPs and interposers, he is building axe handles and baby rattles in his woodshop.
