Embedded Code Reuse – /dev/ttyS0

When examining embedded devices, it is not uncommon to find that two or more of them share common code, and even common hardware. This probably comes as no surprise, as re-using code and hardware designs helps lower production costs. What might be a little more surprising is when you find two devices from two different vendors that share the same code or hardware.

It’s important to be able to identify devices that use the same code or design. If you find a bug or vulnerability in one device, it’s likely that it affects other devices as well. Likewise, if you are having trouble reversing or analyzing a particular device, work that others have done on similar products can help put you on the right track.

In reality, a lot of vendors, particularly vendors that specialize in consumer grade products, do very little technical work. They are in the marketing and sales business and they farm out the technical work to third party companies that you’ve probably never heard of. For example, if you look at the JavaScript source of some Linksys products you’ll see copyright references to “CyberTAN Inc.”, the Taiwanese company that wrote the firmware for Linksys.

Vendors will often use the same third-party company for more than one product. The firmware for the Linksys WRT160N router has references to CyberTAN, but there is also an icon file in the /etc directory called ‘wrt300n.small.ico’. If you look at the firmware for a WRT300N router you’ll find that it also has files that reference CyberTAN, indicating that the firmware for both of these devices was at least partially developed by CyberTAN and likely shares similar code.

Different vendors will often hire the same companies to develop their products, so it is not uncommon to find code shared between devices from different vendors. Some of the SSL VPNs from both Cisco and Netgear were developed by the same company, Cavium, and share very similar firmware.

Other devices are so similar that you can actually load the firmware from one vendor onto a device sold by a completely different vendor. The Trendnet TEW-632BRP and the D-Link DIR-615 revC1 routers both have the exact same hardware, and their firmware is in fact interchangeable. Further, the TEW-632 firmware has an icon image of a D-Link router, although the image is not that of a DIR-615, indicating that the company behind both these routers has re-used code for other devices as well.
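The indicators described above (third-party copyright strings, files named after a different model, and files that are byte-for-byte identical in two firmware images) can be collected automatically once the root filesystems have been extracted. The following is an added example, not code from the original post; the function names, directory layout, and sample file contents are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HOLDER_RE = re.compile(  # captures the holder in "Copyright 2008 Example Co."
    rb"copyright\s+(?:\(c\)\s*)?(?:\d{4}(?:\s*-\s*\d{4})?,?\s+)?"
    rb"([A-Za-z0-9][A-Za-z0-9 &.-]{1,40}?\s(?:Inc|Corp|Ltd|Co)\.)", re.I)

def scan_tree(root):
    """Return (copyright holders, {sha256: relative path}) for one extracted rootfs."""
    holders, hashes = set(), {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            data = path.read_bytes()
            hashes[hashlib.sha256(data).hexdigest()] = path.relative_to(root).as_posix()
            holders.update(m.decode() for m in HOLDER_RE.findall(data))
    return holders, hashes

def compare(trees):
    """trees maps model name -> rootfs path; returns reuse indicators between models."""
    scans = {model: scan_tree(root) for model, root in trees.items()}
    models = sorted(scans)
    report = {"shared_holders": {}, "foreign_model_files": [], "identical_files": []}
    for i, a in enumerate(models):
        for rel in scans[a][1].values():  # file names that mention another model
            report["foreign_model_files"] += [
                (a, b, rel) for b in models if b != a and b.lower() in rel.lower()]
        for b in models[i + 1:]:
            report["shared_holders"][(a, b)] = sorted(scans[a][0] & scans[b][0])
            report["identical_files"] += sorted(  # byte-identical files in both trees
                (a, b, scans[a][1][d]) for d in scans[a][1].keys() & scans[b][1].keys())
    return report

def demo():
    """Constructed sample data: two tiny fake rootfs trees, not real firmware contents."""
    files = {"WRT160N/www/common.js": b"/* Copyright 2008 CyberTAN Inc. */\n",
             "WRT160N/etc/wrt300n.small.ico": b"\x00\x00\x01\x00ICON",
             "WRT160N/bin/httpd": b"\x7fELF-shared-build",
             "WRT300N/www/common.js": b"/* Copyright 2007 CyberTAN Inc. */\n",
             "WRT300N/bin/httpd": b"\x7fELF-shared-build"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return compare({m: Path(tmp, m) for m in ("WRT160N", "WRT300N")})

if __name__ == "__main__":
    print(demo())
```

Hits from a comparison like this are leads to verify by hand, since common open-source components also produce identical files and shared copyright holders across unrelated firmware.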

There are other ways of identifying devices that were made by the same third-party company besides icons and copyright references. Take a look at the TEW-632BRP and DIR-615 boards:

TEW632BRP

DIR-615

Although not exactly the same, these two boards are almost identical, particularly the layout and circuitry around the CPU, flash, RAM, and network chips. Additionally, the TEW-632BRP board is labeled ‘21514632BRPA1A2’, while the DIR-615 board is labeled ‘21514DIR615C1A1’, and both boards are dated within a few months of each other. Given the similarities in hardware, board design and board markings, these two devices were almost certainly developed by the same company, which simply made some slight modifications and sold them to two different vendors.
