Emulating NVRAM in Qemu – /dev/ttyS0

Being able to emulate embedded applications in Qemu is incredibly useful, but not without pitfalls. Probably the most common issue that I’ve run into is binaries that try to read configuration data from NVRAM; since the binary is running in Qemu and not on the target device, there is obviously…
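One way to supply the configuration data the binary expects, added here as an example and not code from the post: a small shared library that implements the NVRAM calls the binary imports and is loaded ahead of the real libnvram with LD_PRELOAD. The function names (nvram_get, nvram_safe_get, nvram_set, nvram_match) follow the Broadcom libnvram API; the NVRAM_SHIM_FILE environment variable, the key=value file format and the default values are assumptions made for this example.

```c
/* nvram_shim.c: LD_PRELOAD replacement for a router's libnvram, so a binary
 * running under qemu-user reads its "NVRAM" from a key=value file instead of
 * flash. Function names follow the Broadcom libnvram API; other vendors use
 * different symbols, so check what the target actually imports first. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NVRAM_MAX_ENTRIES 256

struct nvram_entry { char *key; char *value; };

static struct nvram_entry table[NVRAM_MAX_ENTRIES];
static size_t table_len;
static int table_loaded;
static char empty_value[] = "";

static void ensure_loaded(void);

static struct nvram_entry *lookup(const char *key) {
    for (size_t i = 0; i < table_len; i++)
        if (strcmp(table[i].key, key) == 0) return &table[i];
    return NULL;
}

/* Store or overwrite one key. Returns 0 on success, -1 on allocation failure
 * or when the table is full. */
int nvram_set(const char *key, const char *value) {
    ensure_loaded();
    char *v = strdup(value);
    if (!v) return -1;
    struct nvram_entry *e = lookup(key);
    if (e) { free(e->value); e->value = v; return 0; }
    if (table_len == NVRAM_MAX_ENTRIES || !(table[table_len].key = strdup(key))) {
        free(v);
        return -1;
    }
    table[table_len++].value = v;
    return 0;
}

/* Parse "key=value" lines; blank lines, '#' comments and lines without '='
 * are ignored. Returns how many entries were stored. */
size_t nvram_load_from_string(const char *text) {
    size_t n = 0;
    char *copy = strdup(text), *save = NULL;
    if (!copy) return 0;
    for (char *line = strtok_r(copy, "\r\n", &save); line; line = strtok_r(NULL, "\r\n", &save)) {
        char *eq = strchr(line, '=');
        if (line[0] == '#' || !eq) continue;
        *eq = '\0';
        if (nvram_set(line, eq + 1) == 0) n++;
    }
    free(copy);
    return n;
}

/* Seed the table once: from the file named by NVRAM_SHIM_FILE (a name chosen
 * for this example) if it is set, otherwise from constructed defaults. */
static void ensure_loaded(void) {
    if (table_loaded) return;
    table_loaded = 1;                 /* set first: nvram_set() below calls back in here */
    const char *path = getenv("NVRAM_SHIM_FILE");
    FILE *f = path ? fopen(path, "r") : NULL;
    if (f) {
        char line[1024];
        while (fgets(line, sizeof line, f)) nvram_load_from_string(line);
        fclose(f);
        return;
    }
    nvram_load_from_string(           /* constructed sample values */
        "lan_ipaddr=192.168.1.1\n"
        "lan_netmask=255.255.255.0\n"
        "wan_proto=dhcp\n"
        "http_passwd=admin\n");
}

/* Returns the stored value (the caller must not free it) or NULL. Every
 * lookup is logged to stderr so misses show which keys still need values. */
char *nvram_get(const char *key) {
    ensure_loaded();
    struct nvram_entry *e = lookup(key);
    fprintf(stderr, "[nvram_shim] %s -> %s\n", key, e ? e->value : "(miss)");
    return e ? e->value : NULL;
}

/* Broadcom convention: never returns NULL, so string handling downstream is safe. */
char *nvram_safe_get(const char *key) {
    char *v = nvram_get(key);
    return v ? v : empty_value;
}

/* 1 when the stored value equals match, 0 otherwise (including a missing key). */
int nvram_match(const char *key, const char *match) {
    char *v = nvram_get(key);
    return v != NULL && strcmp(v, match) == 0;
}
```

Build it with the cross compiler for the target architecture, for instance `mips-linux-gnu-gcc -shared -fPIC -o libnvram_shim.so nvram_shim.c` (toolchain name assumed), copy the .so and a key=value file into the extracted root file system, and run the binary as `sudo chroot . ./qemu-mips -E LD_PRELOAD=/libnvram_shim.so -E NVRAM_SHIM_FILE=/nvram.txt bin/httpd`. Two checks before relying on it: confirm with `readelf -Ws bin/httpd | grep -i nvram` which symbols the binary really imports (vendors rename them), and confirm the binary is dynamically linked at all, since LD_PRELOAD does nothing for a static binary. The `(miss)` lines on stderr tell you which keys to add to the file on the next run.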

Qemu vs sstrip

Qemu usually does a great job emulating embedded Linux applications, but as with anything you will occasionally run into bugs. While attempting to debug an embedded application in Qemu the other day, I ran into the following error:

eve@eve:~/firmware$ sudo chroot . ./qemu-mips bin/ls
bin/ls: Invalid ELF image for this…

Speaking SPI & I2C With The FT-2232

For a while now I’ve been looking for an easy way to interface with external SPI and I2C devices over USB in a manner that can be easily integrated into future projects as well as used in a simple stand-alone system. Although there are many existing SPI/I2C interface solutions, most…

Exploiting Embedded Systems – Part 4

So far in this series we’ve found that we can log in to our target TEW-654TR router by either retrieving the plain text administrator credentials via TFTP, or through SQL injection in the login page. But the administrative web interface is just too limited – we want a root shell!…

Exploiting Embedded Systems – Part 3

In part 2 of this series we found a SQL injection vulnerability using static analysis. However, it is often advantageous to debug a target application, a capability that we’ll need when working with more complex exploits later on. In this segment we won’t be discovering any new vulnerabilities, but instead…

Exploiting Embedded Systems – Part 2

In part 1 we used the TEW-654TR’s TFTP service to retrieve the administrative credentials to our target system. But what if we didn’t have access to the TFTP service? Many embedded devices don’t have a TFTP service, or there may be a firewall between us and the target that blocks…

Modifying The DD-WRT GUI

Although released under the GPL, DD-WRT is notoriously difficult to build from source. If you want to customize your DD-WRT installation, it is usually easier to extract files from the firmware image, change what you need, and then re-construct the image. One exception here is the Web GUI. The DD-WRT…

Extracting Non-Standard SquashFS Images

SquashFS is a widely used file system in embedded Linux devices; in fact, it is probably one of the most commonly used file systems among Linux based consumer products. While many devices use standard SquashFS file systems that can be extracted using the unsquashfs tools provided in the firmware mod…
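Before choosing an unsquashfs build it helps to know exactly what kind of SquashFS image you are dealing with. The following C program is an added example, not code from the post or from any unsquashfs tool: it scans a firmware blob for a superblock, derives the endianness from the magic, reads the version fields (which sit at the same offset in the 3.x and 4.0 layouts) and, for 4.0 images, the compression id, block size and size in bytes. The upstream magics are hsqs and sqsh; the swapped shsq/qshs pair is treated here as the LZMA-patched vendor variant, an assumption to check against binwalk's signature list if your image carries something else. The sample image bytes are constructed for the example, not taken from a real device.

```c
/* sqfs_ident.c: find a SquashFS superblock inside a firmware blob and report
 * version, endianness and compression, so you know whether a stock unsquashfs
 * or a vendor-patched build is needed before trying to extract. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sqfs_info {
    long offset;            /* byte offset of the superblock, -1 if none found */
    int big_endian;
    int standard_magic;     /* 1 for upstream "hsqs"/"sqsh", 0 for a vendor variant */
    unsigned major, minor;
    unsigned compression;   /* 4.0 only: 1 gzip, 2 lzma, 3 lzo, 4 xz, 5 lz4, 6 zstd */
    uint32_t block_size;    /* 4.0 only */
    uint64_t bytes_used;    /* 4.0 only */
};

/* Upstream magics plus the swapped pair used by LZMA-patched DD-WRT-style
 * builds (assumed here). Extend the table when you meet another vendor's. */
static const struct { const char *magic; int big_endian; int standard; } magics[] = {
    { "hsqs", 0, 1 }, { "sqsh", 1, 1 },
    { "shsq", 0, 0 }, { "qshs", 1, 0 },
};

static uint16_t rd16(const uint8_t *p, int be) {
    return (uint16_t)(be ? (p[0] << 8) | p[1] : (p[1] << 8) | p[0]);
}
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? ((uint32_t)rd16(p, be) << 16) | rd16(p + 2, be)
              : ((uint32_t)rd16(p + 2, be) << 16) | rd16(p, be);
}
static uint64_t rd64(const uint8_t *p, int be) {
    return be ? ((uint64_t)rd32(p, be) << 32) | rd32(p + 4, be)
              : ((uint64_t)rd32(p + 4, be) << 32) | rd32(p, be);
}

/* Decode a superblock starting at sb. Needs 48 bytes: enough for the version
 * fields (offset 28 in both the 3.x and 4.0 layouts) and the 4.0 bytes_used. */
int sqfs_parse_superblock(const uint8_t *sb, size_t len, struct sqfs_info *out) {
    if (len < 48) return 0;
    for (size_t i = 0; i < sizeof magics / sizeof magics[0]; i++) {
        if (memcmp(sb, magics[i].magic, 4) != 0) continue;
        memset(out, 0, sizeof *out);
        out->big_endian = magics[i].big_endian;
        out->standard_magic = magics[i].standard;
        out->major = rd16(sb + 28, out->big_endian);
        out->minor = rd16(sb + 30, out->big_endian);
        if (out->major == 4) {          /* 3.x lays these out differently; not decoded here */
            out->block_size = rd32(sb + 12, out->big_endian);
            out->compression = rd16(sb + 20, out->big_endian);
            out->bytes_used = rd64(sb + 40, out->big_endian);
        }
        return 1;
    }
    return 0;
}

/* Scan the whole image byte by byte (vendor headers put the file system at
 * arbitrary offsets) and accept the first hit with a plausible major version. */
long sqfs_scan(const uint8_t *buf, size_t len, struct sqfs_info *out) {
    for (size_t off = 0; off + 48 <= len; off++) {
        if (sqfs_parse_superblock(buf + off, len - off, out) && out->major >= 1 && out->major <= 4) {
            out->offset = (long)off;
            return out->offset;
        }
    }
    memset(out, 0, sizeof *out);
    out->offset = -1;
    return -1;
}

const char *sqfs_compression_name(unsigned id) {
    static const char *names[] = { "none encoded (pre-4.0)", "gzip", "lzma", "lzo", "xz", "lz4", "zstd" };
    return id < sizeof names / sizeof names[0] ? names[id] : "unknown";
}

static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64le(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Constructed sample, not a real image: 64 bytes of fake vendor header, then a
 * little-endian 4.0 superblock for an xz-compressed file system with 128 KiB blocks. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    if (cap < 64 + 96) return 0;
    memset(buf, 0x55, cap);
    uint8_t *sb = buf + 64;
    memset(sb, 0, 96);
    memcpy(sb, "hsqs", 4);
    wr32le(sb + 4, 321);             /* inode_count */
    wr32le(sb + 8, 1295000000);      /* modification_time */
    wr32le(sb + 12, 131072);         /* block_size */
    wr32le(sb + 16, 12);             /* fragment_entry_count */
    wr16le(sb + 20, 4);              /* compression_id: xz */
    wr16le(sb + 22, 17);             /* block_log = log2(block_size) */
    wr16le(sb + 24, 0x00c0);         /* flags */
    wr16le(sb + 26, 1);              /* id_count */
    wr16le(sb + 28, 4);              /* version_major */
    wr16le(sb + 30, 0);              /* version_minor */
    wr64le(sb + 32, 0x20000000ULL);  /* root_inode_ref */
    wr64le(sb + 40, 2359296);        /* bytes_used */
    return 64 + 96;
}

/* Constructed: the first 48 bytes of a big-endian 3.1 superblock with the
 * swapped "qshs" magic, the kind of image a stock unsquashfs rejects. */
const uint8_t sample_v3_be[48] = { [0] = 'q', [1] = 's', [2] = 'h', [3] = 's', [29] = 3, [31] = 1 };

int main(void) {
    uint8_t img[256];
    struct sqfs_info info;
    build_sample_image(img, sizeof img);
    if (sqfs_scan(img, sizeof img, &info) >= 0)
        printf("squashfs %u.%u at 0x%lx, %s-endian, %s magic, %s, block %u, %llu bytes\n",
               info.major, info.minor, info.offset, info.big_endian ? "big" : "little",
               info.standard_magic ? "standard" : "NON-STANDARD",
               sqfs_compression_name(info.compression), info.block_size,
               (unsigned long long)info.bytes_used);
    if (sqfs_scan(sample_v3_be, sizeof sample_v3_be, &info) >= 0)
        printf("squashfs %u.%u, %s-endian, %s magic: use the vendor's squashfs-tools\n",
               info.major, info.minor, info.big_endian ? "big" : "little",
               info.standard_magic ? "standard" : "NON-STANDARD");
    return 0;
}
```

Read the output like this: a 4.0 image with a standard magic and compression 1 or 4 extracts with current squashfs-tools; a 3.x image, a swapped magic, or a 4.0 image whose compression id is outside 1..6 means the vendor changed the format and you need their patched unsquashfs (or to patch it yourself). The byte-by-byte scan can hit the four-character magic by chance inside other data, which is why the major-version check is there; on a real image also compare bytes_used against the space left in the partition.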

Mystery File System

Last week Jim posted a comment asking about reverse engineering the firmware for some Chinese routers with the intention of extracting the Web files and translating them to English. Although I usually work with Linux based firmware, this sounded interesting so I thought I’d investigate. Although I wasn’t able to…

Firmware Patching: Fixing the TEW-632BRP

Customizing firmware images can be a very useful skill, allowing you to add or unlock features, fix bugs, and patch vulnerabilities when vendors can’t (or won’t) do so in a timely manner. A while ago I found that my Trendnet TEW-632BRP and TEW-652BRP routers had a TFTP service running on…