killchain-compendium/reverse_engineering/docs/firmware.md

36 lines
922 B
Markdown

# Reversing Firmware
## Tools
* binwalk
* unlzma
* tar
* [fat](https://github.com/attify/firmware-analysis-toolkit.git)
* Create usable environment and start firmware inside it
```sh
./fat.py <firmware>
```
* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
## Usage
* Check image via `strings`
* Check CRC via `cksum -a crc <image>`
* Use `binwalk` to extract. There are to methods
* `-e` extract by offset
* `--dd=".*"` by file extension
### Mount JFFS2 File
* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
```sh
rm -rf /dev/mtdblock0
mknod /dev/mtdblock0 b 31 0
mkdir /mnt/jffs2
modprobe jffs2
modprobe mtdram
modprobe mtdblock
dd if=<jffs2File> of=/dev/mtdblock0
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
```
## Tips & Tricks
* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)