killchain-compendium/Reverse Engineering/Firmware.md

Reversing Firmware

Tools

• binwalk
• unlzma
• tar
• fat
  • Create usable environment and start firmware inside it

  ./fat.py <firmware>
  

• Jefferson or AUR package jefferson-git
• Squashfs

Usage

• Check image via strings
• Check CRC via cksum -a crc <image>
• Use binwalk to extract. There are to methods
  • -e extract by offset
  • --dd=".*" by file extension

Mount Squashfs

Extract the filesystem of a firmware image

• Use squashfs-tools
• Extract via binwalk and

unsquashfs <SquashFS image>
mksquashfs squashfs-root filesystem.squashfs
mount filesystem.squashfs /mtn/squash

Mount JFFS2 File

• Use kernel where CONFIG_MTD_RAM is set. Using Arch this is any kernel before 5.10

rm -rf /dev/mtdblock0
mknod /dev/mtdblock0 b 31 0
mkdir /mnt/jffs2
modprobe jffs2
modprobe mtdram
modprobe mtdblock
dd if=<jffs2File> of=/dev/mtdblock0
mount -t jffs2 /dev/mtdblock0 /mnt/jffs2/

Tips & Tricks

• Watch out for HNAP and JNAP as an attack vector