killchain-compendium/Reverse Engineering/Firmware.md

# Reversing Firmware

## Tools

#### Extraction

* binwalk
* unlzma
* tar

* [fat](https://github.com/attify/firmware-analysis-toolkit.git)
    * Create usable environment and start firmware inside it
    ```sh
    ./fat.py <firmware>
    ```
* [Firmware-Mod-Kit](https://github.com/rampageX/firmware-mod-kit.git) contains `extract-firmware.sh`
* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
* [squashfs-tools](https://github.com/plougher/squashfs-tools)
* [squashfs-tools-ng](https://github.com/AgentD/squashfs-tools-ng.git)


### Dynamic Analysis

gdb (remote debugging feature) and qemu.

### Enumeration

* [Firmwalker](https://github.com/craigz28/firmwalker.git)
* An image may contain files like
    * Usernames and Passwords
    * __Keys__ and __Paraphrase__ for gpg keys. Import them
    ```sh
    grep -ir -E "key|paraphrase"
    ```
    * URLS
    * Email Addresses


* Check image via `strings`
* Check CRC via `cksum -a crc <image>`

### Binwalk

Use the following for file entropy check. If the image is encrypted it will be stated as "rising entropy edge".
```sh
binwalk -E -N <firmware>
```

* Use `binwalk` to extract. There are to methods
    * `-e` extract by offset
    * `--dd=".*"` by file extension

### Mount Squashfs

Extract the filesystem of a firmware image

* Use `squashfs-tools`
* Extract via binwalk and
```sh
unsquashfs <SquashFS image>
mksquashfs squashfs-root filesystem.squashfs
mount filesystem.squashfs /mtn/squash
```

### Mount JFFS2 File

* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
```sh
rm -rf /dev/mtdblock0
mknod /dev/mtdblock0 b 31 0
mkdir /mnt/jffs2
modprobe jffs2
modprobe mtdram
modprobe mtdblock
dd if=<jffs2File> of=/dev/mtdblock0
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
```

## Tips & Tricks

* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)