An easy way to reconstruct an ESP32 app image to ELF

Three years ago, in a CTF, I ran into a challenge built on the ESP32 architecture. In a CTF time is key, and this blog post is my notes on how to quickly reconstruct the ESP32 app image from such a challenge into an ELF binary.

Reconstructing an ESP32 app image into an ELF is almost trivial thanks to the research of @lynerc and @nickmiles. They wrote a tool (esp32_image_parser) for working with full flash dumps of ESP32-based IoT devices: you hand it the dump and tell it which partition to reconstruct, and it writes out an ELF. The whole technical explanation is in their talk.

The tool does not reconstruct a bare app image out of the box: a full flash dump contains the bootloader, the partition table and the app partitions, and the tool only understands that dump format, where it first locates the partition and then parses the app image inside it. A bare app image (what a CTF usually hands you) is just the content of one app partition, starting with the 0xE9 magic byte. Still, with only a few lines we can call the tool's own image-to-ELF routine directly on such a file.

#!/usr/bin/env python3
# Wrapper around esp32_image_parser's image2elf(): feed it a bare app image
# (the content of a single app partition) instead of a full flash dump.
import sys
from esp32_image_parser import *

if len(sys.argv) != 3:
    sys.exit("usage: {} <app_image.bin> <output.elf>".format(sys.argv[0]))

input_file = sys.argv[1]
output_file = sys.argv[2]
print("{} -> {}".format(input_file, output_file))

# the third argument turns on verbose output
image2elf(input_file, output_file, True)
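If you want to see what image2elf is actually doing, or you do not want to depend on the tool at all, the conversion is small enough to write by hand. The following is an added example, not code from the post or from esp32_image_parser: it parses the 24-byte app image header and the segment headers, checks the XOR checksum (seed 0xEF) in the 16-byte padding block after the last segment and the optional trailing SHA-256, and writes an ELF32 with one PT_LOAD program header per segment so that Ghidra maps every segment at its real address and uses the real entry point. The ESP32 address ranges used to pick segment flags are assumed from the public ESP32 memory map (they differ on other chips), and segments with load address 0 are treated as flash-alignment padding and dropped. The sample image at the bottom is constructed inline so the script runs offline.

```python
"""ESP32 app image -> ELF32 converter (added example; not the esp32_image_parser code)."""
import hashlib
import struct
import sys

IMAGE_MAGIC = 0xE9
HEADER_FMT = "<BBBBIB3sHB8sB"   # esp_image_header_t, 24 bytes, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)
SEG_HDR_FMT = "<II"              # segment header: load_addr, data_len
CHECKSUM_SEED = 0xEF             # esptool XOR checksum seed
EM_XTENSA = 94                   # ELF e_machine value for Xtensa
PF_X, PF_W, PF_R = 1, 2, 4

# ESP32 (classic) address map, used only to choose ELF p_flags.
# Assumed from the public ESP32 memory layout; other chips differ.
REGIONS = [
    ("IRAM",     0x40080000, 0x400A0000, PF_R | PF_X),
    ("IROM",     0x400D0000, 0x40400000, PF_R | PF_X),
    ("RTC_IRAM", 0x400C0000, 0x400C2000, PF_R | PF_X),
    ("DRAM",     0x3FFAE000, 0x3FFE0000, PF_R | PF_W),
    ("DROM",     0x3F400000, 0x3F800000, PF_R),
]

def region_for(addr):
    """Region name and ELF p_flags for a load address; unknown addresses get RW."""
    for name, lo, hi, flags in REGIONS:
        if lo <= addr < hi:
            return name, flags
    return "UNKNOWN", PF_R | PF_W

def parse_app_image(blob):
    """Parse a bare app image (content of a factory/ota_N partition)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for an image header")
    magic, seg_count, _mode, _cfg, entry, *_rest, hash_appended = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("bad magic 0x%02X, not an ESP32 app image" % magic)
    off, segments, checksum = HEADER_LEN, [], CHECKSUM_SEED
    for _ in range(seg_count):
        addr, size = struct.unpack_from(SEG_HDR_FMT, blob, off)
        data = blob[off + 8:off + 8 + size]
        if len(data) != size:
            raise ValueError("segment at 0x%08X is truncated" % addr)
        for b in data:
            checksum ^= b
        segments.append((addr, data))
        off += 8 + size
    # Segments are padded to a 16-byte boundary; the checksum is the last byte of that block.
    end = -(-(off + 1) // 16) * 16
    checksum_ok = end <= len(blob) and blob[end - 1] == checksum
    sha_ok = None
    if hash_appended:  # SHA-256 of everything up to and including the checksum block
        sha_ok = blob[end:end + 32] == hashlib.sha256(blob[:end]).digest()
    return {"entry": entry, "segments": segments, "checksum_ok": checksum_ok, "sha256_ok": sha_ok}

def image_to_elf(image, skip_padding=True):
    """Emit an ELF32 (ET_EXEC, EM_XTENSA) with one PT_LOAD per segment."""
    segs = [(a, d) for a, d in image["segments"] if a != 0 or not skip_padding]
    ehdr_len, phdr_len = 52, 32
    phdrs, body = bytearray(), bytearray()
    for addr, data in segs:
        offset = ehdr_len + phdr_len * len(segs) + len(body)
        _, flags = region_for(addr)
        phdrs += struct.pack("<8I", 1, offset, addr, addr, len(data), len(data), flags, 4)
        body += data
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7   # ELFCLASS32, LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, EM_XTENSA, 1, image["entry"],
                               ehdr_len, 0, 0, ehdr_len, phdr_len, len(segs), 0, 0, 0)
    return bytes(ehdr + phdrs + body)

def elf_load_headers(elf):
    """Read back (e_machine, e_entry, [(vaddr, flags, data)]) to verify the output."""
    e_machine = struct.unpack_from("<H", elf, 18)[0]
    e_entry, e_phoff = struct.unpack_from("<II", elf, 24)
    e_phnum = struct.unpack_from("<H", elf, 44)[0]
    loads = []
    for i in range(e_phnum):
        p_type, p_off, vaddr, _p, filesz, _m, flags, _a = struct.unpack_from("<8I", elf, e_phoff + 32 * i)
        if p_type == 1:
            loads.append((vaddr, flags, elf[p_off:p_off + filesz]))
    return e_machine, e_entry, loads

def build_sample_image(segments, entry, append_hash=True):
    """Build a constructed app image (test data only) with valid checksum and hash."""
    body = bytearray(struct.pack(HEADER_FMT, IMAGE_MAGIC, len(segments), 0, 0x20, entry,
                                 0xEE, b"\0\0\0", 0, 0, b"\0" * 8, 1 if append_hash else 0))
    checksum = CHECKSUM_SEED
    for addr, data in segments:
        body += struct.pack(SEG_HDR_FMT, addr, len(data)) + data
        for b in data:
            checksum ^= b
    end = -(-(len(body) + 1) // 16) * 16
    body += b"\0" * (end - 1 - len(body)) + bytes([checksum])
    if append_hash:
        body += hashlib.sha256(body).digest()
    return bytes(body)

# Constructed sample: DROM rodata, DRAM data, a padding segment, IRAM code (entry).
SAMPLE_ENTRY = 0x40080400
SAMPLE_SEGMENTS = [
    (0x3F400020, b"\x01\x02\x03\x04" * 8),
    (0x3FFB0000, b"\xAA" * 12),
    (0x00000000, b"\x00" * 20),
    (0x40080400, b"\x36\x41\x00\x1d\xf0\x00\x00\x00"),
]

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample_image(SAMPLE_SEGMENTS, SAMPLE_ENTRY)
    img = parse_app_image(blob)
    print("entry 0x%08X checksum_ok=%s sha256_ok=%s" % (img["entry"], img["checksum_ok"], img["sha256_ok"]))
    for addr, data in img["segments"]:
        print("  0x%08X %6d bytes %s" % (addr, len(data), region_for(addr)[0] if addr else "PADDING"))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(image_to_elf(img))
```

Run it as `python3 app2elf.py app.bin app.elf`; with no arguments it converts the constructed sample and prints the segment table. A failing checksum or SHA-256 on a CTF image usually means the file is a full flash dump or a truncated partition rather than a bare app image, which is exactly the case where the wrapper above also fails.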

After that we can decompile the ELF in Ghidra, which has no Xtensa support out of the box, using an external Ghidra processor module (Ebiroll/ghidra-xtensa). Once built, register the module with your Ghidra installation as described in the repository's README and pick the Xtensa little-endian language when importing the ELF; because the file is an ELF, Ghidra's loader honours the program headers and maps each segment at its real address with the real entry point.

$ sudo apt-get install openjdk-11-jdk
$ git clone https://github.com/Ebiroll/ghidra-xtensa xtensa
$ cd xtensa/
$ make

And that’s it!

Written by Nox

Follow us on our Twitter account @rop-la, our public GitHub repositories RoP-LA and our YouTube channel.