Binary-Level Code Injection for Automated Tool Support on the ESP32 Platform

Authors

Benjamin Plach, Matthias Börsig, Maximilian Müller, Roland Gröll, Martin Dukek, and Ingmar Baumgart

Abstract

The analysis and testing of proprietary ESP32 firmware by independent security experts is often hampered by the lack of specialized tools that provide the necessary capabilities and ease of use to effectively support these tasks.
This paper presents a novel binary rewriting framework that addresses this challenge by allowing additional instructions to be inserted into ESP32 firmware without altering its original functionality. The framework builds on two existing tools, Esptool and ESP32-Image-Parser, to extract firmware from ESP32 devices and convert it to ELF format, simplifying both the implementation of the framework and the development of subsequent tools.
In addition, an assembler has been developed to encode Xtensa assembly instructions without the need for linking the code afterward, facilitating the development of patch code. The framework includes a new patching methodology adapted from x86 patching tactics to the Xtensa architecture. These tactics have been implemented in a binary rewriting framework capable of inserting code at almost arbitrary locations without affecting the original firmware functionality.
A proof-of-concept tool that inserts fuzzing instrumentation was implemented to demonstrate the utility of the framework. This tool successfully integrates functional coverage information into ESP32 binaries. The framework represents a significant advancement in the tools available for firmware analysis and security testing of ESP32 devices.

Keywords

Static Binary Rewriting, Internet of Things, Embedded Systems, ESP32, Xtensa, Microcontroller Security, Fuzzing

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2025
L. Horn Iwaya et al. (Eds.): NordSec 2024, LNCS 15396, pp. 1--18, 2025.
https://doi.org/10.1007/978-3-031-79007-2_7

This version of the contribution has been accepted for publication, after peer review but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: https://dx.doi.org/10.1007/978-3-031-79007-2_7. Use of this Accepted Version is subject to the publisher's Accepted Manuscript terms of use https://www.springernature.com/gp/open-science/policies/accepted-manuscript-terms

Publication

Secure IT Systems: 29th Nordic Conference, NordSec 2024, Karlstad, Sweden, November 6–7, 2024, Proceedings

DOI: 10.1007/978-3-031-79007-2_7

@inproceedings{Plach2025,
   author    = {Benjamin Plach and Matthias Börsig and Maximilian Müller and Roland Gröll and Martin Dukek and Ingmar Baumgart},
   title     = {{Binary-Level Code Injection for Automated Tool Support on the ESP32 Platform}},
   booktitle = {Secure IT Systems: 29th Nordic Conference, NordSec 2024, Karlstad, Sweden, November 6–7, 2024, Proceedings},
   month     = {1},
   year      = {2025},
   isbn      = {978-3-031-79006-5},
   editor    = {Leonardo Horn Iwaya and Liina Kamm and Leonardo Martucci and Tobias Pulls},
   publisher = {Springer-Verlag},
   address   = {Berlin, Heidelberg},
   pages     = {121–138},
   location  = {Karlstad, Sweden},
   series    = {Lecture Notes in Computer Science},
   volume    = {15396},
   doi       = {10.1007/978-3-031-79007-2_7},
   url       = {https://dx.doi.org/10.1007/978-3-031-79007-2_7}
}