82 lines
1.9 KiB
Markdown
82 lines
1.9 KiB
Markdown
# Reversing Firmware
|
|
|
|
## Tools
|
|
|
|
#### Extraction
|
|
|
|
* binwalk
|
|
* unlzma
|
|
* tar
|
|
|
|
* [fat](https://github.com/attify/firmware-analysis-toolkit.git)
|
|
* Create usable environment and start firmware inside it
|
|
```sh
|
|
./fat.py <firmware>
|
|
```
|
|
* [Firmware-Mod-Kit](https://github.com/rampageX/firmware-mod-kit.git) contains `extract-firmware.sh`
|
|
* [Jefferson](https://github.com/sviehb/jefferson) or AUR package `jefferson-git`
|
|
* [squashfs-tools](https://github.com/plougher/squashfs-tools)
|
|
* [squashfs-tools-ng](https://github.com/AgentD/squashfs-tools-ng.git)
|
|
|
|
|
|
### Dynamic Analysis
|
|
|
|
gdb (remote debugging feature) and qemu.
|
|
|
|
### Enumeration
|
|
|
|
* [Firmwalker](https://github.com/craigz28/firmwalker.git)
|
|
* An image may contain files like
|
|
* Usernames and Passwords
|
|
* __Keys__ and __Paraphrase__ for gpg keys. Import them
|
|
```sh
|
|
grep -ir -E "key|paraphrase"
|
|
```
|
|
* URLS
|
|
* Email Addresses
|
|
|
|
|
|
* Check image via `strings`
|
|
* Check CRC via `cksum -a crc <image>`
|
|
|
|
### Binwalk
|
|
|
|
Use the following for file entropy check. If the image is encrypted it will be stated as "rising entropy edge".
|
|
```sh
|
|
binwalk -E -N <firmware>
|
|
```
|
|
|
|
* Use `binwalk` to extract. There are to methods
|
|
* `-e` extract by offset
|
|
* `--dd=".*"` by file extension
|
|
|
|
### Mount Squashfs
|
|
|
|
Extract the filesystem of a firmware image
|
|
|
|
* Use `squashfs-tools`
|
|
* Extract via binwalk and
|
|
```sh
|
|
unsquashfs <SquashFS image>
|
|
mksquashfs squashfs-root filesystem.squashfs
|
|
mount filesystem.squashfs /mtn/squash
|
|
```
|
|
|
|
### Mount JFFS2 File
|
|
|
|
* Use kernel where `CONFIG_MTD_RAM` is set. Using Arch this is any kernel before `5.10`
|
|
```sh
|
|
rm -rf /dev/mtdblock0
|
|
mknod /dev/mtdblock0 b 31 0
|
|
mkdir /mnt/jffs2
|
|
modprobe jffs2
|
|
modprobe mtdram
|
|
modprobe mtdblock
|
|
dd if=<jffs2File> of=/dev/mtdblock0
|
|
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/
|
|
```
|
|
|
|
## Tips & Tricks
|
|
|
|
* Watch out for `HNAP` and `JNAP` as [an attack vector](https://routersecurity.org/hnap.php)
|