Firmware is the software embedded in a hardware device to control it. It is typically stored in non-volatile memory and carries the instructions that let a specific device carry out its tasks.
Firmware analysis offers several advantages. It identifies vulnerabilities such as sensitive data exposure, helps prevent device compromise and data tampering, reveals malicious modifications, and gives insight into how the firmware operates. It also makes it possible to test a device's software by emulation, without the physical hardware, which keeps security assessments cost-effective. Overall, firmware analysis plays a vital role in strengthening the security of devices and systems against potential threats.
Extracting and analysing a firmware filesystem involves several steps to understand the internal components and functionality of a device's firmware. The process below is split into four steps: firmware acquisition, firmware extraction, filesystem analysis and static analysis.
By following these steps from Step 1 to Step 4, you can extract and analyse firmware filesystems to find weaknesses in a device and strengthen its overall security posture.
Step 1: Firmware Acquisition
For analysis of the firmware, I am using FW_WRT1900ACSV2_2.0.3.201002_prod image.
Clone the repository and extract the archive with 7z (provided by the p7zip package on Linux).
$ git clone https://github.com/prokunal/Dumping-Router-Firmware-Image
Extracting the firmware image from the archive.
$ 7z x FW_WRT1900ACSV2_2.0.3.201002_prod.zip
Step 2: Firmware Extraction
Analysing the firmware using the file command.
$ file FW_WRT1900ACSV2_2.0.3.201002_prod.img
The above command identifies the file as a U-Boot legacy uImage and prints the fields of its header: the image name (which carries the product name), the target OS and architecture, the compression type, the build timestamp and the entry point.
Using strings command to analyse the image.
$ strings FW_WRT1900ACSV2_2.0.3.201002_prod.img
From the above command, we can analyse the strings to find more details about the firmware.
Using the binwalk tool, we can extract additional data from the firmware image file.
Binwalk is a versatile tool for locating well-known file signatures inside a given file. Although its primary use is analysing the layout of firmware images, it is also useful for steganography, for instance to uncover files appended to or hidden inside images.
In the context of router analysis, Binwalk proves invaluable for extracting the filesystem, allowing for deeper inspection and potential modification.
$ binwalk -e FW_WRT1900ACSV2_2.0.3.201002_prod.img --run-as=root
The output of the above command also gives basic information about the firmware and its filesystem, such as the image size, OS, CPU, product name and compression type. The filesystem is JFFS2 in little-endian format.
Looking at the extraction directory, we find two files: one is a JFFS2 filesystem and the other looks like a compressed blob. Binwalk names each extracted file after the hexadecimal offset at which it was found in the image, so 600000.jffs2 starts at offset 0x600000 and 6870 at offset 0x6870.
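The signature matching that binwalk performs can be reproduced on a small scale. The script below is an added example, not binwalk's own code: it walks every byte offset of an image and reports where the public magic values of a U-Boot uImage header, gzip, SquashFS, cpio and JFFS2 nodes appear. The sample image it builds is constructed for the demonstration and is not part of the router firmware discussed above.

```shell
#!/bin/sh
# Minimal signature scanner: report where known headers occur in an image.
# Added example; the signatures are the publicly documented magic values.
scan_signatures() {
    od -An -v -t x1 "$1" | tr -d ' \n' | awk '
    BEGIN {
        sig["27051956"]     = "uImage header (U-Boot legacy image)"
        sig["1f8b08"]       = "gzip stream (deflate)"
        sig["68737173"]     = "SquashFS superblock (hsqs, little-endian)"
        sig["73717368"]     = "SquashFS superblock (sqsh, big-endian)"
        sig["303730373031"] = "cpio newc ASCII archive"
        # JFFS2 magic 0x1985 followed by the node type.  The two magic bytes
        # alone would match random data far too often to be a useful signature.
        sig["851901e0"]     = "JFFS2 dirent node (little-endian)"
        sig["851902e0"]     = "JFFS2 inode node (little-endian)"
        sig["85190320"]     = "JFFS2 cleanmarker (little-endian)"
        sig["1985e001"]     = "JFFS2 dirent node (big-endian)"
        sig["1985e002"]     = "JFFS2 inode node (big-endian)"
        sig["19852003"]     = "JFFS2 cleanmarker (big-endian)"
    }
    {
        hex = $0                  # the whole file as one lowercase hex string
        n = length(hex) / 2       # number of bytes
        for (i = 0; i < n; i++)
            for (s in sig)
                if (substr(hex, 2 * i + 1, length(s)) == s)
                    printf "%d 0x%X %s\n", i, i, sig[s]
    }'
}

# Constructed sample image (not real firmware): zero padding with magic
# values placed at known offsets so the scanner can be exercised offline.
zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }
make_sample_image() {
    {
        zeros 16; printf '\047\005\031\126'   # offset 16: uImage magic 27 05 19 56
        zeros 8;  printf '\037\213\010'       # offset 28: gzip magic 1f 8b 08
        zeros 5;  printf '\205\031\003\040'   # offset 36: JFFS2 LE cleanmarker 85 19 03 20
        printf 'hsqs'                         # offset 40: SquashFS little-endian
        printf '070701'                       # offset 44: cpio newc header
    } > "$1"
}

# Usage: sh scan.sh <image>
if [ "$#" -eq 1 ]; then
    scan_signatures "$1"
fi
```

Run against the real image, the scanner reports the offsets that binwalk uses for its extracted file names. It holds the whole file in memory as a hex string, so it is meant for small images; binwalk is the right tool for anything large.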
Next, we run strings over the compressed file 6870 to look for any readable content.
$ strings 6870
The above command gives little usable information, which is expected for compressed data.
Extracting the content of 6870 file using binwalk.
$ binwalk -e 6870 --run-as=root
The above output includes the version string 3.10.39, which has the form of a Linux kernel release number, so this part of the image appears to hold the kernel.
Looking through the files extracted from 6870, most contain little of interest, except 799E38.cpio (again named after its offset, 0x799E38), which might contain useful information.
We examine the 799E38.cpio file with the strings command.
cpio stands for "copy in, copy out". It processes archive files such as *.cpio (and, with the right options, *.tar), copying files out of an archive or into one, and can also copy a directory tree directly from one place to another. A cpio archive in a kernel image is typically an initramfs.
$ strings 799E38.cpio
Next we analyse the 600000.jffs2 file and examine its content.
Using file command to analyse file type.
$ file 600000.jffs2
The above output confirms that the file is a JFFS2 filesystem in little-endian format, which matters below: the host kernel mounts JFFS2 in its own byte order, and an x86 host is little-endian too.
Journalling Flash File System version 2 or JFFS2 is a log-structured file system for use with flash memory devices.
Mounting the JFFS2 filesystem.
1. Create the block device.
$ mknod /dev/mtdblock0 b 31 0
2. Create a directory for the JFFS2 filesystem in /mnt directory.
$ mkdir /mnt/jffs2_file
3. Load the required kernel modules. These provide JFFS2 support, a RAM-backed memory technology device (MTD) and the block-device view of it. mtdram must be loaded before mtdblock, and its total_size (in KiB) must be at least the size of the image; the default of 4 MiB is too small for most router filesystems, so size it explicitly (64 MiB here, with a 128 KiB erase block).
$ modprobe jffs2
$ modprobe mtdram total_size=65536 erase_size=128
$ modprobe mtdblock
4. Write the image to /dev/mtdblock0 using the dd tool. If dd stops with "No space left on device", the mtdram device is too small for the image.
$ dd if=600000.jffs2 of=/dev/mtdblock0
5. Mount the filesystem to /mnt/jffs2_file
$ mount -t jffs2 /dev/mtdblock0 /mnt/jffs2_file
6. Change into the mounted filesystem.
$ cd /mnt/jffs2_file
This command sequence facilitates the extraction and mounting of a JFFS2 filesystem from a router firmware image.
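The six steps above, put together as one script. This is an added example and not part of the original post: it sizes the mtdram device from the image instead of guessing, reloads the modules so a stale size from an earlier run does not get in the way, creates the block device only if it is missing, and mounts with `-t jffs2`. The 128 KiB erase block is an assumption (a common flash block size); the image's real erase size is not stated on the page.

```shell
#!/bin/sh
# Mount an extracted JFFS2 image through mtdram + mtdblock (run as root).
# Added example; mtdram's total_size and erase_size parameters are in KiB.
set -eu

# KiB needed for mtdram: the image size rounded up to whole erase blocks.
# The erase block defaults to 128 KiB (assumption; pass the real value if known).
mtdram_size_kib() {
    bytes=$(wc -c < "$1" | tr -d ' ')
    erase_kib=${2:-128}
    erase_bytes=$((erase_kib * 1024))
    blocks=$(( (bytes + erase_bytes - 1) / erase_bytes ))
    echo $(( blocks * erase_kib ))
}

mount_jffs2() {
    img=$1
    mnt=$2
    erase_kib=${3:-128}
    size_kib=$(mtdram_size_kib "$img" "$erase_kib")

    # Unload first: a previously loaded mtdram keeps its old size.
    modprobe -r mtdblock mtdram 2>/dev/null || true
    modprobe jffs2
    modprobe mtdram total_size="$size_kib" erase_size="$erase_kib"
    modprobe mtdblock

    # Major 31 is the mtdblock driver; minor 0 is the first MTD device.
    [ -b /dev/mtdblock0 ] || mknod /dev/mtdblock0 b 31 0
    mkdir -p "$mnt"

    dd if="$img" of=/dev/mtdblock0 bs=1M 2>/dev/null
    mount -t jffs2 /dev/mtdblock0 "$mnt"
    echo "mounted $img (${size_kib} KiB mtdram) on $mnt"
}

# Usage: sh mount_jffs2.sh <image.jffs2> <mountpoint> [erase_kib]
if [ "$#" -ge 2 ]; then
    mount_jffs2 "$@"
fi
```

If the image were big-endian, the host kernel would refuse it unless JFFS2 was built for that byte order; in that case, or on a host without the MTD modules, a userland extractor such as jefferson avoids the kernel entirely.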
Step 3: File System Analysis
In /mnt/jffs2_file we can list the contents of the mounted filesystem.
Looking at the bin folder, we find that the firmware is built on BusyBox: most of the binaries are symlinks to a single busybox executable. The remaining, stand-alone binaries suggest that the device runs services such as SQLite3, Samba (smb) and an HTTP server.
BusyBox combines small versions of many common UNIX utilities into a single executable.
Step 4: Static Analysis
Examine the etc folder for configuration files.
The etc folder holds many configuration files related to the router. The system_defaults file is particularly interesting: it contains the factory defaults, including the value of http_admin_password and many other settings.
$ grep -i password system_defaults
All the configuration files are worth reviewing for information about the product. Those that store notable details include buildate, version and dropbear_rsa_host_key. A Dropbear host key shipped inside the firmware image is the same on every device running that image, so anyone who extracts it can impersonate the device's SSH service.
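Rather than grepping one file at a time, the checks above can be scripted over the whole mounted tree. The script below is an added example, not part of the original post or the vendor's firmware: it reports credential-like settings under etc, PEM private keys, setuid/setgid executables and the BusyBox applets the vendor shipped. The sample root filesystem it builds, including the file names and values in it, is constructed for the demonstration and does not reflect the real router's contents.

```shell
#!/bin/sh
# Static triage of an extracted or mounted router root filesystem.
# Added example; <rootfs> is the mount point or extraction directory.

# Lines under etc/ that look like stored credentials, as "file:line",
# with commented-out lines dropped.
find_credentials() {
    grep -rIiE 'passw(or)?d|psk|secret|private_key' "$1/etc" 2>/dev/null \
        | grep -vE '^[^:]*:[[:space:]]*#' || true
}

# Files anywhere in the tree that carry PEM private-key markers.  Note that
# Dropbear host keys use Dropbear's own binary format and will not show here.
find_private_keys() {
    grep -rIl -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || true
}

# setuid/setgid executables: review any reachable from a low-privileged user.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Names of the symlinks pointing at busybox, i.e. the applets the vendor enabled.
busybox_applets() {
    find "$1/bin" "$1/sbin" "$1/usr/bin" "$1/usr/sbin" -type l 2>/dev/null \
        | while read -r l; do
            case "$(readlink "$l")" in *busybox*) basename "$l" ;; esac
          done | sort
}

# Constructed sample tree (not real vendor data) so the checks run offline.
make_sample_rootfs() {
    d=$1
    mkdir -p "$d/etc" "$d/bin" "$d/usr/sbin"
    cat > "$d/etc/system_defaults" <<'EOF'
# constructed sample, not real vendor defaults
http_admin_password=example-not-real
wifi_psk=example-not-real
#old_password=removed
hostname=router
EOF
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$d/etc/server.key"
    : > "$d/bin/busybox"; chmod 755 "$d/bin/busybox"
    ln -sf busybox "$d/bin/sh"
    ln -sf busybox "$d/bin/ls"
    : > "$d/usr/sbin/smbd"; chmod 4755 "$d/usr/sbin/smbd"
}

# Usage: sh triage.sh <rootfs>
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    echo "== credentials =="; find_credentials "$1"
    echo "== private keys =="; find_private_keys "$1"
    echo "== setuid/setgid =="; find_setuid "$1"
    echo "== busybox applets =="; busybox_applets "$1" | tr '\n' ' '; echo
fi
```

For the Dropbear host key, convert it with `dropbearconvert dropbear openssh <in> <out>` if you need to inspect it or compare its fingerprint against a live device.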
Analysing firmware and extracting its filesystem is a critical part of understanding and securing embedded systems. In this walkthrough we identified default credentials and a shipped host key in the configuration files, catalogued the services the device runs, and gained insight into the architecture and operation of the firmware. Systematically dissecting firmware in this way lets a team fix misconfigurations before an attacker finds them and keeps improving a device's security posture as new firmware versions ship.
Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.
©️2024 Redfox Cyber Security Inc. All rights reserved.