Firmware Analysis Part-1 | Prabhankar Tripathi | Lucideus


What is a Firmware 

Firmware is a set of programs which are stored on a hardware device to perform several tasks which a manufacturer wants that device to perform. 

For example, suppose you are using your smartphone and want to take a picture. You just tap the capture icon on the touch screen, and the camera (which is actually hardware) takes your beautiful picture. But in the complex world of the back end, there is a superhero at work making it possible to pass such information to the hardware. That hero is your firmware. Let's dive into another example. You power on your desktop and it takes time to boot. That whole booting procedure, placing your crucial files where they belong and making your device operational, is done by your firmware.

Firmware has spread its roots into many fields: networking devices such as routers and switches use firmware, your smartphones (Android/iOS) have firmware installed, and your laptops, desktops, smartwatches and cameras all use firmware.

Advantages of doing Firmware analysis

As we have seen, firmware has huge applicability. It also comes with vulnerabilities, which can lead to:
Sensitive data exposures like passwords, API keys, private certificates etc.
Compromising devices and tampering with data.
Replicating the firmware image with malicious backdoor embedded.
Understanding the working of the firmware.

In this blog we will extract a firmware image and simulate it, so that further pentesting can be performed without actually buying the device.

Environment used :

1. An IoT pentesting OS named AttifyOS. It has all the tools needed to perform analysis on any firmware.


Let's begin: in this blog we will be analysing a router firmware; you can take up any other device for analysis.

Step 1: Download the firmware which you want to analyse and simulate.
Various manufacturers provide their firmware online so you can download them from there like:
Dlink : http://dlink.co.in/firmware/ftp.aspx
Netgear : https://www.netgear.com/support/download/
Tp-Link : https://www.tp-link.com/in/support/download/
or Google it.

The firmware which I am going to use in this blog is Dlink-DIR645.

Once you have downloaded the firmware, rename it to something simple like DLINK645.bin.

     DIR645.bin file in firmadyne folder 

Step 2: Analyse the firmware with a tool like binwalk to learn the addresses of the various segments in the firmware. Most important is identifying the file system type, because it will help us later during extraction.

Firmware segments

In the above diagram our major focus needs to be on the lower segment, i.e. the root file system, because it is the one which contains the major files and data of the device. Let's first fetch information about the firmware using binwalk.

Binwalk result of Firmware

From the above result we can see that this firmware uses LZMA compression and that the file system is SquashFS, which starts at address 1441936 (in decimal).

Things to know:
The common file systems which we typically encounter in IoT devices are: SquashFS, CramFS, JFFS2, YAFFS2, EXT2. On top of the different file systems, there are also varying types of compression in use.
Some of the common compression types which we see in IoT devices are: LZMA, GZIP, normal ZIP, Zlib, ARJ.


Step 3: Now that we have an ample amount of information about our firmware, we can start extracting it. There are many ways to extract firmware; here we describe two.


  WAY 1: First separate the file system from the firmware, then extract it.

We simply use dd to carve the specific file system out of the firmware and then use tools to extract it.

      dd if=<firmware_name>.bin skip=<offset in decimal> bs=1 of=<output_filename>

where if denotes the input file; of denotes the output file; bs denotes the block size (in kb by default);
skip denotes the offset from which it should start extracting.

  Output after running dd command


Check the output file you will notice only the file system has been extracted.



Now simply extract it using unsquashfs_all.sh present in /tools/firmware-mod-kit



After running the command ./unsquashfs_all.sh DLink.bin we get a folder named squashfs-root




As you move inside it you will see a folder which seems similar to that of the root directory as in Linux systems.
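What binwalk reports for the file system (offset, compression) can be read directly from the SquashFS superblock, and the superblock also gives the exact length to carve, which the dd command above lacks because it copies through to the end of the image. This is an added example, not code from the original post; it assumes a standard little-endian SquashFS 4.0 superblock (vendor-modified variants will not match), and the sample image is constructed.

```python
import struct

SQUASHFS_MAGIC = b"hsqs"            # little-endian SquashFS signature
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SB = struct.Struct("<5I6H2Q")       # first 48 bytes of a v4 superblock

def find_squashfs(image: bytes):
    """Return (offset, size, compression) for each plausible v4 superblock."""
    hits, pos = [], image.find(SQUASHFS_MAGIC)
    while pos != -1:
        if pos + SB.size <= len(image):
            (_, _, _, block_size, _, comp, block_log, _, _,
             major, _, _, bytes_used) = SB.unpack_from(image, pos)
            # Reject stray "hsqs" byte runs: the fields must be self-consistent.
            if (major == 4 and 12 <= block_log <= 20 and block_size == 1 << block_log
                    and 0 < bytes_used <= len(image) - pos):
                hits.append((pos, bytes_used, COMPRESSORS.get(comp, f"unknown({comp})")))
        pos = image.find(SQUASHFS_MAGIC, pos + 1)
    return hits

def carve(image: bytes, offset: int, size: int) -> bytes:
    """Same bytes as dd skip=<offset> bs=1 count=<size>."""
    return image[offset:offset + size]

def build_sample() -> bytes:
    """Constructed image: padding, a decoy magic, a fake superblock, a trailer."""
    sb = SB.pack(0x73717368, 10, 0, 131072, 1, 2, 17, 0, 1, 4, 0, 0, 4096)
    fs = sb + b"\x00" * (4096 - len(sb))
    return b"\xff" * 100 + b"hsqs" + b"\xff" * 408 + fs + b"TRAILER-SIGNATURE"

if __name__ == "__main__":
    img = build_sample()
    for off, size, comp in find_squashfs(img):
        print(off, size, comp, len(carve(img, off, size)))
```

The decoy magic at offset 100 is rejected by the consistency checks, and the carved file stops before the trailer that a plain dd to end-of-file would have included.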


NOTE :
For CPIO archive files
$ cpio -ivd --no-absolute-filenames -F <bin>

For jffs2 filesystems
$ jefferson rootfsfile.jffs2

For ubifs filesystems with NAND flash
$ ubireader_extract_images -u UBI -s <start_offset> <bin>
$ ubidump.py <bin>


WAY 2: Another way of extracting a firmware is very simple: run binwalk -e <firmware name>.bin. The extracted folder will contain a squashfs-root folder; inside it you will find the extracted file system.



Now that we have extracted the file system, let's search for some sensitive files:
look at etc/shadow and etc/passwd, list out the etc/ssl directory, search for SSL-related files such as .pem, .crt, etc., search for configuration files, look for script files, search for other .bin files, or look for keywords such as admin, password, remote, AWS keys, etc.

Let's try searching for anything related to telnet. For that we can use a grep command like
grep -iRn "telnet"

In that search result we got something like
telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign ---> etc/init0.d/S80telnetd.sh

On opening the file we got the following result:

From the file contents we can see that the Telnet username is Alphanetworks and the password is held in a variable named image_sign, which is read from a file named image_sign.
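The manual search above can be scripted as an audit pass over the extracted tree. The following is an added example, not code from the original post: it flags account databases under etc/, certificate and key files, and init scripts that start telnetd with a fixed login, reporting whether the password is a literal or a variable without printing it. The sample tree, including the line that reads image_sign, is constructed for illustration.

```python
import os, re, tempfile

SENSITIVE_NAMES = {"shadow", "passwd"}            # checked only under etc/
SENSITIVE_EXTS = {".pem", ".crt", ".key"}
# telnetd started with a fixed login: "telnetd ... -u user:secret"
TELNETD_CRED = re.compile(r"telnetd\b.*?-u\s+([^\s:]+):(\S+)")

def triage(root):
    """Return sorted (category, location, detail) findings for an extracted rootfs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks (may point outside the tree) and device nodes/FIFOs.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith("etc/") and name in SENSITIVE_NAMES:
                findings.append(("account-db", rel, ""))
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXTS:
                findings.append(("key-material", rel, ""))
            with open(path, "r", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = TELNETD_CRED.search(line)
                    if m:   # report whether the password is a literal or read at boot
                        kind = "variable" if m.group(2).startswith("$") else "literal"
                        findings.append(("telnet-login", f"{rel}:{lineno}",
                                         f"user={m.group(1)} password={kind}"))
    return sorted(findings)

def build_sample_rootfs():
    """Constructed tree (not real firmware) shaped like the files named in the post."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/shadow": "root:*:0:0:99999:7:::\n",
        "etc/ssl/server.pem": "constructed placeholder, not a real key\n",
        "etc/init0.d/S80telnetd.sh": "#!/bin/sh\nimage_sign=`cat ./image_sign`\n"
            "telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign &\n",
        "www/index.html": "<html></html>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for finding in triage(build_sample_rootfs()):
        print(finding)
```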


There are many other things which an analyst can look into after extracting a firmware.

Article Link: https://blog.lucideus.com/2020/04/firmware-analysis-part-1-prabhankar.html