HN
Today

Dumping Lego NXT firmware off of an existing brick

This post chronicles a hacker's quest to archive a rare Lego NXT firmware, inadvertently discovering an arbitrary code execution vulnerability along the way. By dissecting the NXT's communication protocol and leveraging a writable function pointer in its IO-Map, the author demonstrates how to gain native ARM code execution. It's a fascinating look at embedded system exploitation, offering valuable lessons in retro-tech reverse engineering and showcasing how vulnerabilities can persist in older hardware.

Score: 34
Comments: 0
Highest Rank: #2
Time on Front Page: 3h
First Seen: Mar 7, 8:00 PM
Last Seen: Mar 7, 10:00 PM

The Lowdown

The author embarked on a mission to archive a specific, early version (1.01) of the Lego NXT firmware that they discovered on a used brick. This seemingly straightforward task quickly evolved into a deep dive into embedded systems exploitation, revealing an arbitrary code execution vulnerability that allowed them to successfully dump the firmware. The process serves as an excellent educational example of reverse engineering and security auditing for older hardware.

  • Initial research indicated that the 1.01 firmware was not publicly archived, and digital bitrot was eroding other historical resources, necessitating a self-dumping solution.
  • Standard approaches like the firmware updater (which would overwrite data) and JTAG (requiring hardware modification) were ruled out in favor of a software-only method.
  • Analysis of the NXT's bytecode VM and communication protocols revealed that user programs were sandboxed, preventing direct memory access without an exploit.
  • The breakthrough came from examining the firmware source code and the NXT's 'IO-Maps,' which exposed a critical weakness: a writable function pointer (pRCHandler) within the VM's IO-Map, the pointer the firmware calls to handle direct commands.
  • The author explained why control of a function pointer is enough to hijack execution and detailed how overwriting pRCHandler with the address of attacker-supplied code redirects the direct-command handler to that code.
  • Using Python with PyUSB, a proof-of-concept was developed to upload ARM assembly code (preceded by a NOP slide) into the NXT's MemoryPool and then redirect the pRCHandler to this custom code, achieving native ARM code execution.
  • With arbitrary code execution secured, a new direct command handler was implemented in assembly to read data from any memory address, including the internal flash memory where the firmware resides.
  • The entire 256 KiB firmware, including user data from the previous owner, was successfully dumped.
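The bug class behind the pRCHandler overwrite, shown as an added C model (not code from the post or from the NXT firmware): a simulated IO-Map with a data area and a handler pointer, the unchecked write routine that lets a write reach the pointer, and a hardened routine that confines writes to the data area. The struct layout, field names and filler bytes are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an IO-Map: a small data area that user programs may
 * legitimately write, followed by the handler pointer the firmware calls to
 * service direct commands (named after the pRCHandler field from the post). */
typedef int (*rc_handler_t)(const uint8_t *cmd, size_t len);

typedef struct {
    uint8_t      data[16];     /* writable from user code by design */
    rc_handler_t pRCHandler;   /* must never be reachable from user code */
} iomap_t;

static int default_handler(const uint8_t *cmd, size_t len) { (void)cmd; return (int)len; }

/* Vulnerable: the only check is "stays inside the struct", so an offset past
 * data[] lands the write directly on the function pointer. */
bool iomap_write_unchecked(iomap_t *m, size_t off, const uint8_t *src, size_t n) {
    if (off > sizeof *m || n > sizeof *m - off) return false;  /* overflow-safe bounds */
    memcpy((uint8_t *)m + off, src, n);
    return true;
}

/* Hardened: the write window is the data[] region only; the pointer field is
 * unreachable regardless of how offset and length are combined. */
bool iomap_write_checked(iomap_t *m, size_t off, const uint8_t *src, size_t n) {
    if (off > sizeof m->data || n > sizeof m->data - off) return false;
    memcpy(m->data + off, src, n);
    return true;
}

/* Applies one write through the given routine to a fresh IO-Map and reports
 * whether the handler pointer still points at the legitimate handler. */
bool handler_intact_after(bool (*write_fn)(iomap_t *, size_t, const uint8_t *, size_t),
                          size_t off, size_t n) {
    iomap_t m;
    memset(&m, 0, sizeof m);
    m.pRCHandler = default_handler;
    uint8_t filler[sizeof(iomap_t)];
    memset(filler, 0x41, sizeof filler);   /* constructed filler, not a real address */
    write_fn(&m, off, filler, n);
    return m.pRCHandler == default_handler;
}
```

A write at the pointer's offset passes the unchecked routine and replaces the handler; the checked routine rejects it and the handler is unchanged.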

This exploit, leveraging the lack of modern security mitigations in the NXT's AT91SAM7S256 microcontroller, is believed to work across all stock-derived NXT firmwares. The author highlights the potential for running bare-metal code and even conceptualizes an NXT worm capable of spreading via Bluetooth, while urging skilled archivists to preserve other firmware versions before they are lost to time.