How to start analysing a firmware? Ricoh GR I and III - Non-CANON cameras development - CHDK Forum

  • 6 Replies
  • 6503 Views
How to start analysing a firmware? Ricoh GR I and III
« on: 27 / November / 2019, 12:41:46 »
Hi all, I have the Ricoh GR I and Ricoh GR III. When I open the firmware file for the Ricoh GR III with a text editor I can see that there is Linux and kernel mentioned. But it's still a lot of gibberish. How would I go about manipulating it? The file is .bin. If it's Linux, Ricoh should provide source code, isn't that right?

When I open the firmware file for the Ricoh GR it's almost all gibberish. How would I investigate there? The file is .frm. In the beginning there is this: UNITY FILE V1.10 / RICOH COMPANY, but Google doesn't help.


Offline reyalp

Re: How to start analysing a firmware? Ricoh GR I and III
« Reply #1 on: 27 / November / 2019, 16:06:22 »
Quote
Hi all, I have the Ricoh GR I and Ricoh GR III. When I open the firmware file for the Ricoh GR III with a text editor I can see that there is Linux and kernel mentioned. But it's still a lot of gibberish. How would I go about manipulating it? The file is .bin. If it's Linux, Ricoh should provide source code, isn't that right?
If you want to reverse engineer executable code, you should use a disassembler. Ghidra is a good one if it supports the architecture. To make much use of any tool like this you need some knowledge of assembly language and related low level concepts.

If it uses linux, the source code should be available somewhere. Googling "ricoh open source" leads to http://www.ricoh-imaging.co.jp/english/products/oss/ however releases like this are often just the linux source and not actually something you can build and load onto the camera.

Quote
When I open the firmware file for the Ricoh GR it's almost all gibberish. How would I investigate there? The file is .frm. In the beginning there is this: UNITY FILE V1.10 / RICOH COMPANY, but Google doesn't help.
It could be an executable for whatever system the camera runs. Firmware files are also often encoded in various ways. A tool like https://github.com/airbus-seclab/cpu_rec could help if it's not encoded. If it is encoded, then you need to analyze it.
Don't forget what the H stands for.

Re: How to start analysing a firmware? Ricoh GR I and III
« Reply #2 on: 28 / November / 2019, 06:25:40 »
Wow, thank you. So it should be possible to hack the Ricoh GR 3.

Re: How to start analysing a firmware? Ricoh GR I and III
« Reply #3 on: 28 / November / 2019, 08:00:59 »
http://www.ricoh-imaging.co.jp/english/products/oss/ I crawled the source code for a little bit. I think there are ways to get control over the camera through the SD card. For anyone interested: if you download the source code, there is a package called stubby, which is a bootloader and which seems to provide a way to read from the SD card...

Offline reyalp

Re: How to start analysing a firmware? Ricoh GR I and III
« Reply #4 on: 28 / November / 2019, 16:47:24 »
Quote
http://www.ricoh-imaging.co.jp/english/products/oss/ I crawled the source code for a little bit. I think there are ways to get control over the camera through the SD card. For anyone interested: if you download the source code, there is a package called stubby, which is a bootloader and which seems to provide a way to read from the SD card...
Typically these things are locked down and require signed / encrypted binaries. See README.crypto in the stubby package.

If one could just build something and run it, someone almost certainly would have done so by now. Here's a discussion from 2017 on dpreview: https://www.dpreview.com/forums/thread/4217301

Knowing the versions of the packages involved might point to known vulnerabilities i.e. search CVEs for busybox 1.24.1, but note some have been fixed with patches in the patches directory. If you have a camera with the older firmware or Ricoh allows downgrading, you might be able to get to a vulnerable version of something. Of course, many vulnerabilities may not be exposed in a way that you can access them on the camera.

Ricoh also offers a remote control SDK which might provide an avenue for exploitation, but it appears to be for Pentax SLR and medium format cameras. It's possible other models use similar protocols. It no doubt uses PTP, which could easily have vulnerabilities (Canon's implementation did: https://chdk.setepontos.com/index.php?topic=4338.msg140923#msg140923).

If the camera has a UART or JTAG, that could be another avenue.

This story https://alexhude.github.io/2019/01/24/hacking-leica-m240.html has some nice examples of the kind of analysis involved (for Leica, so not directly applicable).
Don't forget what the H stands for.
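
The two triage steps reyalp describes in Reply #1 and Reply #4, checking whether a blob is plain code/data or high-entropy (encoded, compressed or encrypted) before pointing cpu_rec or a disassembler at it, and pulling component version strings out of it so they can be checked against published advisories and the vendor's patches directory, can be scripted. The following is an added example written for this thread; it is not code from Ricoh, CHDK or any poster. The sample image it analyses is constructed inline: the only values taken from the thread are the "UNITY FILE V1.10 / RICOH COMPANY" header text and the BusyBox 1.24.1 version; the Linux version string and the entropy thresholds are assumptions.

```python
"""First-pass triage of an unknown firmware image (added example, not
vendor or CHDK code): header magic, per-block entropy, printable strings
and component versions. The sample image is constructed in make_sample_image().
"""
import hashlib
import math
import re
from collections import Counter

BLOCK = 4096  # entropy window; firmware sections are usually page-aligned


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Rule-of-thumb labels (assumed thresholds). Entropy alone cannot tell
    compression from encryption, so both land in one bucket for follow-up."""
    if entropy < 2.0:
        return "padding/sparse"
    if entropy < 6.5:
        return "code or plain data"
    return "compressed or encrypted"


def entropy_map(image: bytes, block: int = BLOCK) -> list:
    """(offset, entropy, label) for every block of the image."""
    out = []
    for off in range(0, len(image), block):
        e = shannon_entropy(image[off:off + block])
        out.append((off, round(e, 2), classify(e)))
    return out


def header_text(image: bytes, length: int = 64) -> str:
    """Printable text at offset 0 up to the first NUL (e.g. the .frm magic)."""
    return image[:length].split(b"\x00", 1)[0].decode("ascii", errors="replace")


def printable_strings(image: bytes, min_len: int = 8) -> list:
    """Equivalent of `strings -n 8`, restricted to printable ASCII."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, image)]


# component name -> regex whose first group captures the version string
VERSION_PATTERNS = {
    "busybox": re.compile(r"BusyBox v(\d+\.\d+(?:\.\d+)?)"),
    "linux": re.compile(r"Linux version (\d+\.\d+\.\d+)"),
}


def component_versions(strings: list) -> dict:
    """Map component -> sorted list of distinct version strings seen."""
    found = {}
    for s in strings:
        for name, pat in VERSION_PATTERNS.items():
            m = pat.search(s)
            if m:
                found.setdefault(name, set()).add(m.group(1))
    return {k: sorted(v) for k, v in found.items()}


def make_sample_image() -> bytes:
    """Constructed four-block image: header, 0xFF padding, text, pseudo-random."""
    header = b"UNITY FILE V1.10 / RICOH COMPANY".ljust(BLOCK, b"\x00")
    padding = b"\xff" * BLOCK
    text = (b"BusyBox v1.24.1 (constructed sample) multi-call binary\x00"
            b"Linux version 0.0.0 (constructed sample)\x00/dev/ttyS0\x00")
    code_like = (text * (BLOCK // len(text) + 1))[:BLOCK]
    # deterministic stand-in for an encrypted payload: chained SHA-256 output
    rnd, chunk = b"", b"seed"
    while len(rnd) < BLOCK:
        chunk = hashlib.sha256(chunk).digest()
        rnd += chunk
    return header + padding + code_like + rnd[:BLOCK]


def triage(image: bytes) -> dict:
    """Run all three checks and return a report dict."""
    return {"header": header_text(image),
            "blocks": entropy_map(image),
            "versions": component_versions(printable_strings(image))}


if __name__ == "__main__":
    report = triage(make_sample_image())
    print("header:", report["header"])
    for off, e, label in report["blocks"]:
        print(f"0x{off:06x}  {e:5.2f}  {label}")
    print("versions:", report["versions"])
```

Run it against a real image by replacing `make_sample_image()` with `open(path, "rb").read()`. Blocks that come out as "compressed or encrypted" across the whole file mean cpu_rec and a disassembler will not find anything until the container format is understood; a sparse header block followed by a long "code or plain data" run is the case where identifying the architecture is worth trying. The version inventory is the defender's side of the CVE remark above: it tells you which advisories apply and which of the vendor's patches to diff against.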

Re: How to start analysing a firmware? Ricoh GR I and III
« Reply #5 on: 28 / November / 2019, 17:09:34 »
As you can see, the source implies that systemd is providing a serial tty. This is all way over my head. I tried getting a serial connection over USB but of course without luck. So either there is a way to activate usbtty or connect over a port on the board. The source contains many hints on the Linux system inside.

Offline reyalp

Re: How to start analysing a firmware? Ricoh GR I and III
« Reply #6 on: 28 / November / 2019, 17:19:46 »
Quote
As you can see, the source implies that systemd is providing a serial tty. This is all way over my head. I tried getting a serial connection over USB but of course without luck. So either there is a way to activate usbtty or connect over a port on the board. The source contains many hints on the Linux system inside.
Typically the serial connector is just some pads on the board in production devices, see https://chdk.fandom.com/wiki/UART for how Canon does it. Note Ricoh may do things differently, that's just an example of how it's often done.

Reverse engineering something like this is a big project that takes quite a bit of technical knowledge. You can teach yourself, there are tons of resources on the internet, but it's not just going to be a few afternoons' work.
Don't forget what the H stands for.
