Firmware Analysis

This is the quick-hit version of the firmware analysis training I gave.  As with all of the formal training, you can use the below for a quick reference, or view the full presentation here.

Downloads

You can use any firmware files you’d like, but this training and these exercises were designed around the following two files:

Extracting ZIP Files

hermit@system:~$ file Firmware.zip
Firmware.zip: Zip archive data, at least v1.0 to extract

ZIP Files With Offsets

hermit@system:~$ file Firmware.zip
Firmware.zip: data
hermit@system:~$ unzip Firmware.zip
Archive:   Firmware.zip
warning [Firmware.zip]: 64 extra bytes at beginning or within zipfile
[CTRL+C]
hermit@system:~$ dd if=Firmware.zip of=NewFirmware.zip bs=64 skip=1
993106+1 records in
993106+1 records out
63558829 bytes (64 MB, 61 MiB) copied, 1.16206 s, 54.7 MB/s

Extracting ZIP Files with Passwords

hermit@system:~$ fcrackzip -m 2 -v -b fw-dwr-932-2.03.zip
found file ‘FILENAME.EXT’, (size cp/uc      12/      0, flags 9, chk 7a64)
{etc}
8 file maximum reached, skipping further lines
possible pw found: beUT9Z ()
[CTRL+C]

Extracting Binary Files

hermit@system:~$ binwalk -e -C /path/to/extract/to -M -d 2 -v ./Firmware.bin

Extracting YAFFS Files

hermit@system:~$ unyaffs Firmware.yaffs2

Extracting squashfs Files

hermit@system:~$ unsquashfs Firmware.squashfs

Things To Try
Crack the system passwords:

hermit@system:~/FWDemo/yaffs_extract/etc$ john --incremental shadow

MD5 all files on the system:

hermit@system:~/FWDemo/yaffs_extract$ find . -type f -exec md5sum '{}’ \;

Look for webserver files , common places are:

/var/www
/var/html
/WEBSERVER

Look for all executables:

hermit@system:~/FWDemo/yaffs_extract$ find ./etc -type f -executable –print

Look for configurations:

hermit@system:~/FWDemo/yaffs_extract$ find ./etc -name *conf* -print
hermit@system:~/FWDemo/yaffs_extract$ find ./etc -name *cfg* -print

Look at what starts at boot:

hermit@system:~/FWDemo/yaffs_extract$ ls –la ./etc/rc*

Look for mount points:

hermit@system:~/FWDemo/yaffs_extract$ cat ./etc/fstab

Look for ISOs:

hermit@system:~/FWDemo/yaffs_extract$ find . -name *.iso* -print

Mount ISOs:

hermit@system:~/FWDemo/yaffs_extract$ mount -o loop,ro ./iso/path /path/to/mount
hermit@system:~/FWDemo/yaffs_extract$ pushd /path/to/mount
hermit@system:~/FWDemo/yaffs_extract$ popd

Scavenger Hunt
From least difficult to most difficult

  1. DD-WRT54G Firmware
    Find code being used in production that explicitly says it’s not for production use!
  2. DWR-932B Firmware
    Find the root password
  3. DWR-932B Firmware
    Find the default DynDNS username and password
  4. DWR-932B Firmware
    Find the Setup.exe file
  5. DD-WRT54G Firmware
    Find where the ”get_single_ip” function originates

Good hunting!