Gadget Reverse Engineering Environment

I had been relying on a friendly neighbour to help me capture USB traffic for a sport's watch [1] I had bought a while back. While that sort of works, it is inconvenient and didn't feel quite right. I mean, why make someone else use non-free software on your behalf if your not prepared to do so yourself?

About 11.5 minutes into his TEDx presentation, Richard Stallman himself mentioned that bringing non-free software to school is okay for a "reverse engineering exercise". That finally made me have a go at putting together a setup where I could do my own USB captures. For the record, all of the below is done on Debian GNU/Linux' jessie.

Getting A Usable Windows Environment

Okay, okay, get back on your chair you ROTFL folks. "Usable Windows" may be an oxymoron for you but I'm talking about an environment that lets me use the vendor provided application software for my watch. Turns out that there are several Windows virtual machine images that meet these needs just fine.

I downloaded Windows 7 with IE 10 with

$ wget https://az412801.vo.msecnd.net/vhd/VMBuild_20131127/VirtualBox/IE10_Win7/Linux/IE10.Win7.For.LinuxVirtualBox.txt
$ wget -c -i IE10.Win7.For.LinuxVirtualBox.txt
$ ls IE10.Win7.For.LinuxVirtualBox.part*
IE10.Win7.For.LinuxVirtualBox.part1.sfx
IE10.Win7.For.LinuxVirtualBox.part2.rar
IE10.Win7.For.LinuxVirtualBox.part3.rar
IE10.Win7.For.LinuxVirtualBox.part4.rar

Depending on your network connection that may take a while, a long while. It downloads four parts of an archive totalling about 4GB. BTW, the second command can be used to pick up where your previous download stopped in case of network trouble. Make sure you check the md5 checksums [2].

The first part, the *.sfx file, is a self-extracting rar file, on i386 systems at least. Now I wouldn't blindly run that, even if I were to be using such a system, so I suggest you get the unrar utility [3] to do that job. While not exactly free, at least the unrar source code can be audited.

$ sudoedit /etc/apt/sources.list                      # enable non-free
$ sudo apt-get update
$ sudo apt-get install unrar
$ unrar e IE10.Win7.For.LinuxVirtualBox.part1.sfx     # empty lines removed
UNRAR 5.00 beta 8 freeware      Copyright (c) 1993-2013 Alexander Roshal
Extracting from IE10.Win7.For.LinuxVirtualBox.part1.sfx
Extracting  IE10 - Win7.ova                                           29%
Extracting from IE10.Win7.For.LinuxVirtualBox.part2.rar
...         IE10 - Win7.ova                                           58%
Extracting from IE10.Win7.For.LinuxVirtualBox.part3.rar
...         IE10 - Win7.ova                                           88%
Extracting from IE10.Win7.For.LinuxVirtualBox.part4.rar
...         IE10 - Win7.ova                                           OK
All OK
$ sudo apt-get purge unrar
$ sudoedit /etc/apt/sources.list                      # disable non-free

So now you have an IE10 - Win7.ova file for use with VirtualBox. Just out of curiosity, I checked what kind of file that was.

$ file "IE10 - Win7.ova"
IE10 - Win7.ova: POSIX tar archive (GNU)
$ tar tf "IE10 - Win7.ova"
IE10 - Win7.ovf
IE10 - Win7-disk1.vmdk

As Qemu can handle *.vmdk files, you should be able to use that instead of VirtualBox. We'll get to Running Windows Under Qemu after the following VirtualBox excursion.

Running Windows Under VirtualBox

Debian has moved its virtualbox package to the contrib area. You now need a non-free compiler to build the BIOS :-(. More bad news, to use USB you need a closed-source extension :-((, available from the VirtualBox download page. First, let's install virtualbox [4].

$ sudoedit /etc/apt/sources.list              # to activate contrib
$ sudo apt-get update
$ sudo apt-get install virtualbox virtualbox-dkms
$ sudoedit /etc/apt/sources.list              # to deactivate contrib

Next, the extension pack. Adjust version numbers for your version of virtualbox and what's available for download. Also, make sure to verify the checksum.

$ wget http://download.virtualbox.org/virtualbox/4.3.18/Oracle_VM_VirtualBox_Extension_Pack-4.3.18-96516.vbox-extpack
$ sha256sum Oracle_VM_VirtualBox_Extension_Pack-4.3.18-96516.vbox-extpack
b965c3565e7933bc61019d2992f4da084944cfd9e809fbeaff330f4743d47537  Oracle_VM_VirtualBox_Extension_Pack-4.3.18-96516.vbox-extpack
$ sudo vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.3.18-96516.vbox-extpack
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Successfully installed "Oracle VM VirtualBox Extension Pack".

With that out of the way, we are ready to import the appliance.

$ vboxmanage import "IE10 - Win7.ova"
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Interpreting /absolute/path/to/IE10 - Win7.ova...
OK.
Disks:  vmdisk1       136365211648    -1      http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized       IE10 - Win7-disk1.vmdk  -1      -1
Virtual system 0:
 0: Suggested OS type: "Windows7"
    (change with "--vsys 0 --ostype <type>"; use "list ostypes" to list all possible values)
 1: Suggested VM name "IE10 - Win7"
    (change with "--vsys 0 --vmname <name>")
 2: Number of CPUs: 1
    (change with "--vsys 0 --cpus <n>")
 3: Guest memory: 512 MB
    (change with "--vsys 0 --memory <MB>")
 4: Sound card (appliance expects "", can change on import)
    (disable with "--vsys 0 --unit 4 --ignore")
 5: USB controller
    (disable with "--vsys 0 --unit 5 --ignore")
 6: Network adapter: orig NAT, config 3, extra slot=0;type=NAT
 7: CD-ROM
    (disable with "--vsys 0 --unit 7 --ignore")
 8: IDE controller, type PIIX4
    (disable with "--vsys 0 --unit 8 --ignore")
 9: IDE controller, type PIIX4
    (disable with "--vsys 0 --unit 9 --ignore")
10: SATA controller, type AHCI
    (disable with "--vsys 0 --unit 10 --ignore")
11: Hard disk image: source image=IE10 - Win7-disk1.vmdk, target path=/absolute/path/to/IE10 - Win7/IE10 - Win7-disk1.vmdk, controller=8;channel=0
    (change target path with "--vsys 0 --unit 11 --disk path";
    disable with "--vsys 0 --unit 11 --ignore")
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Successfully imported the appliance.

Now we have a IE10 - Win7 virtual machine located in a directory of the same name. You can start it with:

$ vboxmanage startvm "IE10 - Win7" --type sdl

The --type sld is needed because I didn't install the VirtualBox GUI client (virtualbox-qt). So that started Windows7 without a hitch but does not give you access to any USB devices yet. First, make sure you have been added to the vboxusers group [5]. Next, add a usbfilter for your virtual machine. For my sport's watch the following will do the trick. Adjust the vendor ID, add a product ID or even a serial number to suit your needs.

$ vboxmanage usbfilter add 0 --target "IE10 - Win7" \
    --name Suunto --action hold --vendorid 1493

You should now be able to find matching USB devices via the Devices and Printers entry on the start menu after a restart.

Running Windows Under Qemu

I'm not particularly happy about using a closed source extension pack for VirtualBox. Moreover, I'm also not too thrilled about using any software not in Debian's main area, like VirtualBox. Having seen that the IE10 - Win7.ova is just a simple tar archive with a *.vmdk file that should be usable with qemu, I decided to give that a spin.

First, extract the *.vmdk file with

$ tar xvf "IE10 - Win7.ova"
IE10 - Win7.ovf
IE10 - Win7-disk1.vmdk

We don't care for the *.ovf file so feel free to trash that. Next, create a regular qcow2 image with the *.vmdk file as a backing file. This will keep the *.vmdk file pristine so you can reuse it to create additional images. It also works around a read-only issue for *.vmdk files when starting the VM.

$ qemu-img create -f qcow2 -o backing_file="IE10 - Win7-disk1.vmdk" \
    ie10win7.qcow2
Formatting 'ie10win7.qcow2', fmt=qcow2 size=136365211648 backing_file='IE10 - Win7-disk1.vmdk' encryption=off cluster_size=65536 lazy_refcounts=off

Now, we can start the Windows VM using the ie10win7.qcow2 file. To make the same sport's watch as before available to the VM, the -usbdevice option is used. Adjust to needs and taste.

$ qemu-system-x86_64 -enable-kvm -m 512 ie10win7.qcow2 \
    -usbdevice "host:1493:*"

The above assumes you have qemu installed, of course. If you also install qemu-kvm and your hardware supports it, you can use the following shorter command-line instead.

$ kvm -m 512 ie10win7.qcow2 -usbdevice "host:1493:*"

Getting Rid Of Virtualbox

Choosing to sacrifice as little freedom as possible, I decided to go with qemu for my reverse engineering needs. Hence, I no longer have any use for VirtualBox. Time to clean up then. To undo the steps from Running Windows Under VirtualBox

$ vboxmanage usbfilter remove 0 --target "IE10 - Win7"
$ vboxmanage unregistervm "IE10 - Win7" --delete
$ sudo vboxmanage extpack uninstall "Oracle VM VirtualBox Extension Pack"
$ rm Oracle_VM_VirtualBox_Extension_Pack-4.3.18-96516.vbox-extpack
$ sudo apt-get purge virtualbox virtualbox-dkms

I'm off now, capturing and exploring the communication between my sport's watch and the vendor's non-free application software. That software is also intricately linked with a website that very much wants to get a hold of my data.

Footnotes

[1] The watch is only supported on Windows and MacOS and its maker's commitment to Linux support so far consists of empty promises. There is a reverse engineering effort for this and related watches but mine came with a firmware version that was considered "obsolete" already at the time of purchase.
[2] I have suggested they add text files with checksums for all the parts of each VM. That would make checking these checksums a much simpler chore.
[3] The Debian unrar-free package does not support *.sfx files. You need the unrar package from the non-free area. You can remove it after you extracted the archive ;-)
[4] I have my APT set up so it does not install recommended packages. Meaning that in this case the virtualbox-qt GUI will not be pulled in and we can stick to the VirtualBox command-line interface.
[5] If you add yourself to the vboxusers group at this point, you can make it effective immediately with the sg command. That way you don't have to logout and back in again.