I've recently been contributing to the Pybricks project, a community-run port of MicroPython to Lego Mindstorms hardware. As part of that, I obtained a used Lego NXT which just so happened to still be running the original version 1.01 firmware from when it launched in 2006. I wanted to archive a copy of this firmware, and doing so happened to involve the discovery of arbitrary code execution.
The NXT is a relatively simple exploitation target and can serve as a good introduction to ARM and embedded exploit development.
Preliminary research
Or, in the words of a much more innocent era, "Google is your friend" (lol, not anymore, which makes research skills even more critical than they have ever been).
"Surely somebody must've already archived a copy of this firmware, right?" I thought to myself. Unfortunately, this does not appear to have been the case. I searched but never came across a copy of this particular firmware version despite the extensive NXT enthusiast community.
I did come across a mention of a 1.03 firmware which appears to have been released on or very close to launch day. I suspect that enthusiasts and advanced users likely eagerly switched to newer and/or community-modified firmwares when they wanted newer features.
The NXT is also old enough that, despite being part of "the Internet era", resources are starting to bitrot.
Looks like I'm going to have to figure out how to retrieve a copy myself!
Use the firmware updater?
The first idea which came to mind for backing up firmware is "does the tool which is used to download new firmware to the NXT also allow retrieving the preexisting firmware?"