This repository was archived by the owner on Jan 16, 2025. It is now read-only.

exploit_check_flash.py does not work with firmware versions other than 2.50 #7

Closed
stevengeroux opened this issue Aug 9, 2018 · 4 comments


@stevengeroux

Bonjour!

ilo4_toolbox/scripts/iLO4/exploits/exploit_check_flash.py does not work with firmware versions other than 2.50 because ilo4_toolbox/scripts/iLO4/exploits/exploit_offsets.py is missing their respective 'VComClientSync_Call' definitions.
I did try to simply copy 2.50's definition of 'VComClientSync_Call' for version 1.53 without success.

Cheers!

@alexgzt
Contributor

alexgzt commented Aug 9, 2018

That's correct, we've not built the full database for all versions. Copying a definition from one version to another will most probably fail, as it is a function address and thus subject to change. Still, you can get it quickly if you load the module in a disassembler (see the loader scripts).

@stevengeroux
Author

Thanks for your reply.
I've run dissection.rb on elf.bin which generated a whole lot of loaders, scripts and mods. I've then run loaders/webserv.elf.bat (modified as I am on Linux), but IDA is now asking for an entry point to start disassembly and I am once again out of my depth.
Am I at least looking in the right place?

@alexgzt
Contributor

alexgzt commented Aug 20, 2018

Yes the approach is correct.

There is a .bat loader script (just a cmdline wrapper) for each module. I'm not sure why IDA is asking you for an entry point. However, just in case, the entry point for all modules is the same as their loading address: 0x10000

Once a module is loaded, what I usually do is trigger a complete auto-analysis (this behaviour has changed recently) using: AnalyzeArea(0, BADADDR). Then you can recover the symbols you need.

alex.

@alexgzt
Contributor

alexgzt commented Nov 23, 2018

Closing it as inactive and approach is correct.

@alexgzt alexgzt closed this as completed Nov 23, 2018