killchain-compendium/Reverse Engineering/Firmware.md

Reversing Firmware

Tools

Extraction

Dynamic Analysis

gdb (remote debugging feature) and qemu.

Enumeration

  • Firmwalker

  • An image may contain files like

    • Usernames and Passwords
    • Keys and passphrases for GPG keys. Import them.
    grep -ir -E "key|passphrase"
    
    • URLs
    • Email Addresses
  • Check image via strings

  • Check CRC via cksum -a crc <image>
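The enumeration checklist above is what Firmwalker automates. As an added example (not from the compendium and not Firmwalker's code), the script below walks an extracted root filesystem and reports the same classes of findings: private-key material, password hashes in `etc/passwd` and `etc/shadow` (including the empty-password case that `grep` for `key|passphrase` would miss), key-named files, URLs and e-mail addresses. The sample tree is constructed in a temporary directory purely for demonstration; point `scan_rootfs()` at a real `squashfs-root` directory instead.

```python
"""Added example: a small Firmwalker-style pass over an extracted rootfs.
Not part of the compendium; the sample tree is constructed here."""
import os
import re
import tempfile

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")
URL_RE = re.compile(rb"https?://[\w.\-]+(?:[:/][^\s\"'<>]*)?")
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")
# Same idea as the page's `grep -ir -E "key|passphrase"`, applied to file names.
KEY_NAME_RE = re.compile(r"(key|passphrase|\.pem$|\.gpg$)", re.IGNORECASE)


def password_hashes(text: str):
    """Return (user, secret) for passwd/shadow lines whose second field is usable.
    'x' in passwd points to shadow; '*' or '!' prefixes mean the account is locked.
    An empty field means login with no password at all, so it is reported too."""
    found = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, secret = fields[0], fields[1]
        locked = secret == "x" or secret.startswith(("*", "!"))
        if not locked:
            found.append((user, secret))
    return found


def scan_rootfs(root: str) -> dict:
    """Walk an extracted filesystem and collect the findings the page lists."""
    report = {"private_keys": [], "password_hashes": [], "key_named_files": [],
              "urls": set(), "emails": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if KEY_NAME_RE.search(name):
                report["key_named_files"].append(rel)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # cap per file; rootfs files are small
            except OSError:
                continue
            if PRIVATE_KEY_RE.search(data):
                report["private_keys"].append(rel)
            if rel in ("etc/passwd", "etc/shadow"):
                for user, secret in password_hashes(data.decode("utf-8", "replace")):
                    report["password_hashes"].append((rel, user, secret))
            report["urls"].update(m.decode() for m in URL_RE.findall(data))
            report["emails"].update(m.decode() for m in EMAIL_RE.findall(data))
    return report


def build_sample_rootfs() -> str:
    """Constructed sample tree (all values are made up); returns its path."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"
                      "admin:$1$abcdefgh$ijklmnopqrstuvwxyz01:0:0::/:/bin/sh\n",
        "etc/shadow": "root:$6$saltsalt$constructedhash:19000:0:99999:7:::\n"
                      "daemon:*:19000:0:99999:7:::\n"
                      "guest::19000:0:99999:7:::\n",
        "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n"
                              "-----END RSA PRIVATE KEY-----\n",
        "usr/bin/updater.sh": "#!/bin/sh\ncurl -s https://fw.example.com/v2/check "
                              "-H 'X-Owner: ops@example.com'\n",
        "lib/libc.so": "\x7fELF" + "\x00" * 64,
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content.encode())
    return root


if __name__ == "__main__":
    for key, value in scan_rootfs(build_sample_rootfs()).items():
        print(f"{key}: {sorted(value)}")
```

Unlike a plain `grep`, the `password_hashes()` check reports the `guest::` line, which is an account with no password, and skips locked accounts, so the output is a short list of things worth acting on rather than every line containing the word "key".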

Binwalk

Use the following to check the entropy of the file. If the image is encrypted, binwalk reports a "rising entropy edge".

binwalk -E -N <firmware>
  • Use binwalk to extract. There are two methods
    • -e extract by offset using the matched signatures
    • --dd=".*" extract by signature type; the regular expression selects which types (".*" means all), and --dd="<type>:<ext>" sets the output file extension
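To make the two binwalk checks above concrete, here is an added example (written for this page, not binwalk's code and not from the compendium) that does on a constructed blob what `binwalk -E` and the signature scan do: it computes Shannon entropy per 1 KiB block and reports the offsets where entropy rises above 7 bits/byte, scans for the SquashFS and JFFS2 magic values the later sections mount, and parses the SquashFS superblock so you know the compression (xz, lzma, gzip, ...) before calling `unsquashfs`, which must have been built with that compressor. One caveat worth keeping in mind: compressed data has the same flat, near-8-bit entropy as encrypted data, so a rising edge alone tells you only that the region is not plaintext. The blob, offsets and field values below are constructed; the magic numbers and superblock layout are those of the real formats.

```python
"""Added example: per-block entropy profile plus SquashFS/JFFS2 signature scan.
Not part of the compendium; the sample blob is constructed here."""
import hashlib
import math
import struct

SQUASHFS_MAGIC_LE = b"hsqs"                 # little-endian SquashFS superblock
SQUASHFS_MAGIC_BE = b"sqsh"                 # big-endian SquashFS superblock
JFFS2_MAGIC = struct.pack("<H", 0x1985)     # JFFS2 node header magic
# Common valid JFFS2 node types (bit 0x2000 = node accurate); used to cut false hits.
JFFS2_NODETYPES = {0xE001, 0xE002, 0x2003, 0x2004}
SQUASHFS_COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SQUASHFS_SB_FMT = "<4sIIIIHHHHHHQQ"         # first 48 bytes of a v4 superblock


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) .. 8.0 (uniform)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, block: int = 1024):
    """(offset, entropy) for every block, like the data behind `binwalk -E`."""
    return [(off, shannon_entropy(data[off:off + block])) for off in range(0, len(data), block)]


def rising_entropy_edges(profile, threshold: float = 7.0):
    """Offsets where entropy crosses from below to at/above the threshold."""
    edges, prev_high = [], False
    for off, ent in profile:
        high = ent >= threshold
        if high and not prev_high:
            edges.append(off)
        prev_high = high
    return edges


def find_signatures(data: bytes):
    """Sorted (offset, name) for every SquashFS or plausible JFFS2 header found."""
    hits = []
    for name, magic in (("squashfs-le", SQUASHFS_MAGIC_LE), ("squashfs-be", SQUASHFS_MAGIC_BE),
                        ("jffs2", JFFS2_MAGIC)):
        start = 0
        while (idx := data.find(magic, start)) != -1:
            if name == "jffs2":
                # JFFS2 node header: magic u16, nodetype u16, totlen u32, hdr_crc u32
                nodetype = struct.unpack_from("<H", data, idx + 2)[0] if idx + 4 <= len(data) else 0
                if nodetype in JFFS2_NODETYPES:
                    hits.append((idx, name))
            else:
                hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def parse_squashfs_superblock(data: bytes, offset: int) -> dict:
    """Decode the fields a reverser needs before unsquashfs: version, compressor, size."""
    (magic, inodes, _mkfs_time, block_size, _fragments, compression, block_log,
     _flags, _no_ids, major, minor, _root_inode, bytes_used) = struct.unpack_from(SQUASHFS_SB_FMT, data, offset)
    if magic != SQUASHFS_MAGIC_LE:
        raise ValueError("not a little-endian SquashFS superblock")
    if 1 << block_log != block_size:
        raise ValueError("block_log does not match block_size; header is damaged or not v4")
    return {"version": f"{major}.{minor}", "inodes": inodes, "block_size": block_size,
            "compression": SQUASHFS_COMPRESSION.get(compression, f"unknown({compression})"),
            "bytes_used": bytes_used}   # bytes_used is the carve length: dd ... count=bytes_used


def build_sample_blob() -> bytes:
    """Constructed 8 KiB blob: zeros, a JFFS2 inode header at 1024, a SquashFS v4 xz
    superblock at 2048, then 4 KiB of SHA-256 output standing in for encrypted data."""
    jffs2_hdr = struct.pack("<HHII", 0x1985, 0xE002, 0x44, 0)   # hdr_crc left zero (constructed)
    region1 = bytes(1024) + jffs2_hdr + bytes(1024 - len(jffs2_hdr))
    sb = struct.pack(SQUASHFS_SB_FMT, b"hsqs", 10, 0, 131072, 1, 4, 17, 0, 1, 4, 0, 0, 4096)
    region2 = sb + bytes(2048 - len(sb))
    high = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    return region1 + region2 + high


if __name__ == "__main__":
    blob = build_sample_blob()
    print("rising edges:", rising_entropy_edges(entropy_profile(blob)))
    print("signatures:", find_signatures(blob))
    print("superblock:", parse_squashfs_superblock(blob, 2048))
```

On a real image, replace `build_sample_blob()` with `open(path, "rb").read()`; the rising edge at 4096 in the constructed data is exactly what the "rising entropy edge" line from `binwalk -E -N` points at, and `bytes_used` from the superblock is the length to carve with `dd` before `unsquashfs`.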

Mount Squashfs

Extract the filesystem of a firmware image

  • Use squashfs-tools
  • Extract via binwalk and
unsquashfs <SquashFS image>
mksquashfs squashfs-root filesystem.squashfs
mount filesystem.squashfs /mnt/squash

Mount JFFS2 File

  • Use kernel where CONFIG_MTD_RAM is set. Using Arch this is any kernel before 5.10
rm -rf /dev/mtdblock0
mknod /dev/mtdblock0 b 31 0
mkdir /mnt/jffs2
modprobe jffs2
modprobe mtdram
modprobe mtdblock
dd if=<jffs2File> of=/dev/mtdblock0
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/

Tips & Tricks