Jason Turley's Website

Firmware Analysis Notes

These are my notes for firmware analysis. I will update them over time as I learn more.

Basic questions to ask

Commands

binwalk stuff

binwalk scans a firmware image for embedded file signatures (filesystems, compressed blobs, bootloader headers) and can carve out what it finds. Extracted data lands in a `_<name>.extracted/` directory next to the image.

// scan file (a signature scan is the default action)
binwalk router.bin

// signature scan with output wrapped to the terminal width
binwalk --signature --term router.bin

// extract files (creates _firmware.bin.extracted/)
binwalk -e firmware.bin

// matryoshka mode: also scan and extract anything found inside the extracted files
binwalk -Me firmware.bin

Target survey

Survey the target to determine what software it's running, default users, credentials, startup programs, etc. Gaining situational awareness is important! The paths below are relative to the extracted root filesystem (e.g. _firmware.bin.extracted/squashfs-root), so prefix them with that directory (or chroot into it) rather than running them against your own /etc.

A lot of IoT/embedded devices use old Linux kernel versions, and the userland is often a single busybox binary with world-readable credentials next to it.

// look at startup programs (inittab runs the rcS script and any respawning daemons)
cat /etc/inittab
ls -l /etc/init.d/

// user password info (older busybox systems keep the hash in /etc/passwd itself)
cat /etc/passwd
cat /etc/shadow

// search for RSA keys (this only matches PEM RSA keys; "PRIVATE KEY" also catches EC, OpenSSH and PKCS#8 keys)
grep -irl "BEGIN RSA" .

// users
ls -latr /home

// scripts and binaries
ls -l /usr/local/bin
ls -l /bin

// -zzz: strings from the whole file, not just data sections; -I: arch, bits, endianness, stripped, NX/canary/PIC/RELRO
rabin2 -zzz somebinary
rabin2 -I somebinary

// web (also check /www, /usr/www and the httpd config for the real document root)
ls /var/www/
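The survey above, as a Python script that runs against the extracted root instead of the host and reports what matters most: which accounts have uid 0, what kind of hash (or no hash at all) each login has, every private key regardless of PEM flavour, and the startup entries. This is an added example, not code from the page; the sample tree it builds is constructed for the demo and is not a real extraction, and the directory layout and hash-prefix table are assumptions a practitioner would adjust per target.

```python
import re
import tempfile
from pathlib import Path

# Private keys come in more flavours than "BEGIN RSA": EC, DSA, OpenSSH and PKCS#8 PEM
KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")

def classify_hash(field):
    """Name the crypt(3) scheme of a passwd/shadow password field."""
    if field == "":
        return "empty"          # login with no password at all
    if field[0] in "*!":
        return "locked"
    for prefix, name in (("$1$", "md5crypt"), ("$5$", "sha256crypt"),
                         ("$6$", "sha512crypt"), ("$2", "bcrypt")):
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"       # 13-char traditional DES crypt, trivially crackable
    return "unknown"

def _lines(path):
    """Read a text file from the extracted tree; a missing file just yields nothing."""
    try:
        return path.read_text(errors="replace").splitlines()
    except (FileNotFoundError, IsADirectoryError, PermissionError):
        return []

def survey_rootfs(root):
    """Survey an extracted root filesystem. `root` is the directory binwalk produced
    (e.g. _firmware.bin.extracted/squashfs-root), never the host's /."""
    root = Path(root)
    report = {}
    report["inittab"] = [l for l in _lines(root / "etc/inittab")
                         if l.strip() and not l.startswith("#")]
    initd = root / "etc/init.d"
    report["init_scripts"] = sorted(p.name for p in initd.iterdir()) if initd.is_dir() else []
    users, hashes = [], {}
    for line in _lines(root / "etc/passwd"):
        f = line.split(":")
        if len(f) < 7:
            continue
        users.append({"name": f[0], "uid": f[2], "shell": f[6]})
        if f[1] != "x":                     # hash stored directly in passwd (busybox-era)
            hashes[f[0]] = classify_hash(f[1])
    for line in _lines(root / "etc/shadow"):
        f = line.split(":")
        if len(f) >= 2:
            hashes[f[0]] = classify_hash(f[1])   # shadow entry wins over passwd
    report["users"] = users
    report["uid0"] = [u["name"] for u in users if u["uid"] == "0"]
    report["hashes"] = hashes
    keys = []
    for p in root.rglob("*"):
        # skip symlinks: extracted trees often link to absolute paths that resolve on the host
        if p.is_symlink() or not p.is_file() or p.stat().st_size > 1_000_000:
            continue
        if KEY_RE.search(p.read_bytes()):
            keys.append(p.relative_to(root).as_posix())
    report["private_keys"] = sorted(keys)
    report["web_roots"] = [d for d in ("var/www", "www", "usr/www", "home/httpd")
                           if (root / d).is_dir()]
    return report

def build_sample_rootfs(root):
    """Constructed sample tree standing in for a real extraction (not real firmware)."""
    root = Path(root)
    (root / "etc/init.d").mkdir(parents=True)
    (root / "etc/inittab").write_text("# comment\n::sysinit:/etc/init.d/rcS\n::respawn:/sbin/telnetd\n")
    (root / "etc/init.d/rcS").write_text("#!/bin/sh\n")
    (root / "etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\n"
        "admin:$1$abc$deadbeefdeadbeefdeadbe:0:0::/:/bin/sh\n"   # second uid-0 login
        "nobody:*:65534:65534::/:/bin/false\n")
    (root / "etc/shadow").write_text("root::0:0:99999:7:::\n")   # root has no password
    (root / "etc/ssl").mkdir()
    (root / "etc/ssl/server.key").write_bytes(
        b"-----BEGIN EC PRIVATE KEY-----\nMHQCAQEE...\n-----END EC PRIVATE KEY-----\n")
    (root / "var/www").mkdir(parents=True)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        return survey_rootfs(tmp)

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Point it at the extracted root with `survey_rootfs("_firmware.bin.extracted/squashfs-root")`; an "empty" hash on a uid-0 account and a telnetd respawn line in inittab are the two findings that usually settle a firmware review before any binary gets opened.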

Example

Below is an example of extracting vmlinux.bin from the Netgear WNAP320 firmware.

$ binwalk vmlinux.gz.uImage

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x8B048C59, created: 2011-06-23 10:45:30, image size: 983040 bytes, Data Address: 0x80020000, Entry Point: 0x801F2000, data CRC: 0xC0C376EF, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: gzip, image name: "Linux Kernel"
64            0x40            gzip compressed data, has original file name: "vmlinux.bin", from Unix, last modified: 2011-06-23 10:45:30

The uImage header says the payload is a gzip-compressed Linux kernel for MIPS, loaded at 0x80020000 with entry point 0x801F2000. If we want the exact kernel version, we need to extract the gzip-compressed vmlinux.bin data.

It is stored at offset 64 (right after the 64-byte header), so use dd to extract it:

// save output to vmlinux.bin.gz
// bs=1 is slow on large images; adding count=983040 (the image size from the header) also drops any flash padding after the payload
$ dd if=vmlinux.gz.uImage of=vmlinux.bin.gz bs=1 skip=64

// gunzip may warn about "trailing garbage" if padding follows the gzip stream; the decompressed output is still complete
$ gunzip vmlinux.bin.gz

Find the Linux kernel version and GCC version from the kernel's boot banner:

$ strings vmlinux.bin | grep "Linux version"
Linux version 2.6.23-WNAP320_V2.0.3 (root@build) (gcc version 4.2.4) #1 Thu Jun 23 16:06:18 IST 2011

Despite this Netgear wireless access point being released in November 2015, it uses very old versions of the Linux kernel and the gcc compiler: Linux kernel 2.6.23 was released in October 2007 and gcc 4.2.4 in May 2008! The build date in the banner (June 2011) shows the kernel was already four years old when this firmware was compiled.
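The dd/gunzip/strings procedure above, done in Python so the header is actually verified rather than eyeballed. This is an added example, not code from the page: the image it builds is a constructed stand-in for vmlinux.gz.uImage (a fake "kernel" carrying only a version banner, gzipped and padded with 0xff like flash images usually are), and the OS/arch/type/compression tables are the common entries from U-Boot's include/image.h. It checks both CRCs, cuts the payload to exactly the header's image size (what `count=` on dd would do) and stops gunzip at the end of the gzip member, so padding after it cannot trip a "trailing garbage" error.

```python
import gzip
import re
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HEADER_FMT = ">IIIIIIIBBBB32s"            # legacy U-Boot header: big-endian, 64 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
# value tables from U-Boot's include/image.h (common entries only)
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM", 3: "x86", 5: "MIPS", 7: "PowerPC", 22: "AArch64"}
IH_TYPE = {2: "OS Kernel Image", 4: "Multi-File Image", 7: "Filesystem Image"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}

def parse_uimage(blob):
    """Parse the 64-byte header, check both CRCs, return the fields plus the exact payload."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, _mtime, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08x" % magic)
    # the header CRC is computed over the header with the CRC field itself zeroed
    if zlib.crc32(blob[:4] + b"\0\0\0\0" + blob[8:HEADER_LEN]) != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[HEADER_LEN:HEADER_LEN + size]   # same bytes as dd bs=1 skip=64 count=<size>
    if len(data) != size:
        raise ValueError("truncated: header says %d bytes, file has %d" % (size, len(data)))
    if zlib.crc32(data) != dcrc:
        raise ValueError("data CRC mismatch (corrupt or modified payload)")
    return {"os": IH_OS.get(os_, os_), "arch": IH_ARCH.get(arch, arch),
            "type": IH_TYPE.get(typ, typ), "comp": IH_COMP.get(comp, comp),
            "load": load, "entry": entry, "size": size,
            "name": name.rstrip(b"\0").decode("ascii", "replace"), "data": data}

def gunzip_first_member(data):
    """Inflate one gzip member and stop there: uImage payloads are often padded out to a
    flash block, and plain gunzip complains about the padding as trailing garbage."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    out = d.decompress(data)
    if not d.eof:
        raise ValueError("gzip stream ends early")
    return out, d.unused_data                            # unused_data is the padding

BANNER_RE = re.compile(rb"Linux version [^\x00\n]+")

def extract_kernel(blob):
    """Whole procedure: header -> exact payload -> gunzip -> 'Linux version' banner."""
    info = parse_uimage(blob)
    if info["comp"] != "gzip":
        raise NotImplementedError("payload is %s, decompress it accordingly" % info["comp"])
    kernel, padding = gunzip_first_member(info.pop("data"))
    m = BANNER_RE.search(kernel)                         # what strings | grep did
    info["banner"] = m.group(0).decode("ascii", "replace") if m else None
    info["padding"] = len(padding)
    info["kernel"] = kernel
    return info

def build_sample_uimage():
    """Constructed stand-in for vmlinux.gz.uImage (not the real Netgear image)."""
    kernel = (b"\0" * 64
              + b"Linux version 2.6.23-SAMPLE (root@build) (gcc version 4.2.4) #1\0"
              + b"\0" * 64)
    payload = gzip.compress(kernel, mtime=0) + b"\xff" * 200   # 200 bytes of flash padding
    hdr = struct.pack(HEADER_FMT, UIMAGE_MAGIC, 0, 0, len(payload), 0x80020000, 0x801F2000,
                      zlib.crc32(payload), 5, 5, 2, 1, b"Linux Kernel".ljust(32, b"\0"))
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:]   # fill in header CRC
    return hdr + payload

if __name__ == "__main__":
    info = extract_kernel(build_sample_uimage())
    for k in ("os", "arch", "type", "comp", "name", "size", "padding", "banner"):
        print("%-8s %s" % (k, info[k]))
```

On a real image replace `build_sample_uimage()` with `open("vmlinux.gz.uImage", "rb").read()`; a data CRC mismatch there means the dump is corrupt or has been modified, which is worth knowing before trusting any strings pulled out of it.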

Further Resources

#cheatsheets #reversing #firmware