Extracting an ELF From an ESP32

ShmooCon XVI - 2020

Presented by: Chris Lyne, Nick Miles
Date: Saturday February 01, 2020
Time: 10:00 - 10:50
Location: Build It!

The Espressif ESP32 is a system on a chip (SoC) “engineered for mobile devices, wearable electronics, and IoT applications.” It provides Wi-Fi and Bluetooth LE, which makes it a popular choice for products needing wireless capabilities. While researching a consumer product, we discovered an ESP32 being used to provide Wi-Fi connectivity to the device. We found that there was limited tooling available to facilitate reverse engineering of ESP32 firmware images, so we decided to create tooling of our own.

We will talk about how we went about creating our tooling to extract an ELF file from an ESP32 flash dump. In excruciating detail, we will discuss the binary format of ESP32 firmware images as well as the process of converting such an image to an ELF file. By the end of the talk, you will know how to go from a flash dump all the way to a control flow graph in IDA.

Nick Miles

Nick Miles (@_NickMiles_) joined Tenable as a Research Manager in 2011. He has written hundreds of Nessus plugins and developed several core libraries used in the Nessus engine. He now leads the company’s Zero Day Research team. In his free time, Nick likes model aircraft, metalworking and breaking out his telescope on clear nights.

Chris Lyne

Chris Lyne (@lynerc) enjoys dissecting complex applications and lives for the hunt. Despite having deep roots in software development, his true passion is security. An avid learner, Chris is continuously evolving his skills, capabilities, and methodologies. Chris believes any problem can be solved with knowledge, intelligent decisions, and sheer grit.
