Tutorials/Reverse engineering embedded software using Radare2

From LCA2015 Delegate wiki
Jump to: navigation, search

This page describes preparation for Reverse engineering embedded software using Radare2

The instructions here are require if you intend to come to the tutorial and do the any of examples yourself as we go through. Observers are welcome of course :-)


We will try and get through all the following:

  • Introduction to Radare2 reverse engineering tool
  • The Radare2 utilities
  • Basics of using the Radare to examine a binary you probably have on your laptop
  • Looking at an arduino binary
  • Introduction to MIPS architecture and disassembly
  • Extracting firmware images

You might like to bring your own binary to play with as well!

Important - please make an rc file

Radare2 was created by other, many people. Radare2 will by default print fortune cookies. Please, turn this feature off, by making the following file, in case there is a possibility of NSFW output. Remember that people sit behind in tutorial rooms.

Instructions for Linux/Unix systems:

   echo 'e cfg.fortunes=false' > ~/.radare2rc

Feel free to remove this file and peruse the fortune cookies _after_ the event (in your own time/space)


If during the tutorial you are planning to follow the examples and/or try your own ideas, you really want to get this sorted before the event.

Absolute minimum requirements:

  • a C compiler and standard libraries needed to build radare2 - the "apt-gettable" version is out of date

Used for one or two examples:

  • xdot for viewing callgraphs
  • nasm is required by radare2 for 16-bit x86
  • binwalk is used for firmware unpacking
  • srecord is required if you wish to complete the arduino 'homework' challenge

Various other tools may be helpful, and indeed needed (e.g. an editor) to complete some of the examples

If you are using a Debian-derived distro, for example:

   sudo apt-get install build-essential git xdot eog ghex binwalk vim gedit srecord nasm

It should be possible to build radare2 on Linux, FreeBSD/NetBSD etc, Max OS/X and Windows and possibly on Android if you try hard enough (using a Debian root, for example)

However, the tutorial examples have only been tested using Debian Wheezy.

Clone & build radare2

Note, changing to the lca2015_tutorial branch is important, because the software is under active development there could be breakage in master upstream

   git clone http://github.com/pastcompute/radare2
   cd radare2
   git checkout tutorial_branch
   make -j
   sudo make symstall

Note, you can install as a normal user if you need to:

   ./configure --prefix=$HOME/path/to/wherever
   make -j
   sudo make symstall
   export PATH=$HOME/path/to/wherever:$PATH

Clone the examples repository, ready for use during the tutorial

   git clone http://github.com/pastcompute/lca2015-radare2-tutorial

I have already added prebuilt examples to git but there are instructions for building them in git, you will need the arduino IDE or an openwrt buildroot.

To replicate _all_ of the firmware unpacking example requires unsquashfs4, the easiest way to get this is download a recent OpenWRT SDK or compile the OpenWRT firmware from scratch. I hope to demoing use of it but have left it up to the viewer if they want to try it themselves later, so a OpenWRT buildroot is not required for full tutorial participation.

To recompile to example binaries from source requires an OpenWRT buildroot and the arduino ide.

To run the DOS example needs DOSBOX or a FreeDOS machine :-)


The tutorial is not until Thursday afternoon. If you need help with the above ping me on Twitter, preferably before the day! @pastcompute