Binwalk v0.3.4 Released!

Version 0.3.4 of binwalk has just been released. New and improved signatures have been added to the magic file, and more importantly, an update feature has been built in that lets you update your magic file definitions to the latest SVN check in.

To update your magic signatures, just run:

# binwalk -u

New file system signatures have also been added in this release, as well as improved LZMA signatures.

Mystery File System

Last week Jim posted a comment asking about reverse engineering the firmware for some Chinese routers with the intention of extracting the Web files and translating them to English.

Although I usually work with Linux based firmware, this sounded interesting so I thought I’d investigate. Although I wasn’t able to completely recover the Web files, the process of reversing a file system format seemed like a good subject for discussion.

Continue reading

Firmware Patching: Fixing the TEW-632BRP

Customizing firmware images can be a very useful skill, allowing you to add or unlock features, fix bugs, and patch vulnerabilities when vendors can’t (or won’t) do so in a timely manner.

A while ago I found that my Trendnet TEW-632BRP and TEW-652BRP routers had a TFTP service running on both the LAN and WAN interfaces that allowed anyone to download the device’s configuration file without authentication:

embedded@ubuntu:~/TEW632$ tftp 192.168.10.1
tftp> get /tmp/etc/nvram.conf
Received 19897 bytes in 0.0 seconds
tftp> quit
embedded@ubuntu:~/TEW632$ head nvram.conf
hostname=TEW-632BRP
admin_username=admin
admin_password=admin
user_username=user
user_password=
default_html=lan.asp
lan_mac=00:14:d1:12:5e:7d
wan_mac=00:14:d1:12:5e:7e
lan_eth=eth0
wan_eth=eth1

After contacting the vendor they verified the vulnerability and issued a firmware update that disables TFTP access from the WAN. However, they insisted on leaving TFTP accessible from the LAN “for repair purposes”. I’d much rather have TFTP disabled completely, so in this tutorial we’ll be patching the Trendnet firmware in order to completely disable TFTP. The patching process for the TEW-632BRP is also pretty simple, so it makes for a good introduction to firmware patching too.

Continue reading