Last week Jim posted a comment asking about reverse engineering the firmware for some Chinese routers with the intention of extracting the Web files and translating them to English.
I usually work with Linux-based firmware, but this sounded interesting, so I decided to investigate.
I wasn’t able to completely recover the Web files, but the process of reversing an unknown file system format seemed like a good subject for discussion.
Customizing firmware images can be a very useful skill, allowing you to add or unlock features, fix bugs, and patch vulnerabilities when vendors can’t (or won’t) do so in a timely manner.
A while ago I found that my Trendnet TEW-632BRP and TEW-652BRP routers had a TFTP service running on both the LAN and WAN interfaces that allowed anyone to download the device’s configuration file without authentication:
embedded@ubuntu:~/TEW632$ tftp 192.168.10.1
tftp> get /tmp/etc/nvram.conf
Received 19897 bytes in 0.0 seconds
embedded@ubuntu:~/TEW632$ head nvram.conf
After I contacted the vendor, they confirmed the vulnerability and issued a firmware update that disables TFTP access from the WAN. However, they insisted on leaving TFTP accessible from the LAN “for repair purposes”. I’d much rather have TFTP disabled completely, so in this tutorial we’ll be patching the Trendnet firmware to disable TFTP entirely. The patching process for the TEW-632BRP is simple enough that it also makes a good introduction to firmware patching in general.
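Once the patched image is flashed, you want a repeatable check that the TFTP service really is gone, from the LAN side as well as the WAN side. The following is an added example (not code from the original post or from Trendnet) that speaks just enough of RFC 1350 to send a read request for the configuration file and classify whatever comes back. The file path is the one from the session above; the host address and timeout are assumptions you will adjust.

```python
"""Minimal TFTP (RFC 1350) read-request probe.

A DATA reply means the file is readable with no authentication at all.
An ERROR reply means a TFTP server is still listening but refused this file.
No reply at all means nothing answered, which is what a correctly patched
image should produce; a firewall in the path produces the same silence, so
run the probe from both the LAN and WAN sides before trusting it.
"""
import socket
import struct
import sys

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    # RRQ layout: | opcode 0x0001 | filename | 0 | mode | 0 |
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_reply(pkt: bytes):
    """Return (kind, number, payload) for a server reply.

    kind is "data", "error", "unexpected" or "malformed"; number is the
    block number for DATA or the error code for ERROR.
    """
    if len(pkt) < 4:
        return ("malformed", None, pkt)
    opcode, num = struct.unpack("!HH", pkt[:4])
    if opcode == OP_DATA:
        # first block of the file; fewer than 512 bytes means it was the last one
        return ("data", num, pkt[4:])
    if opcode == OP_ERROR:
        msg = pkt[4:].split(b"\x00", 1)[0].decode(errors="replace")
        return ("error", num, msg)
    return ("unexpected", opcode, pkt[2:])


def probe_tftp(host: str, filename: str = "/tmp/etc/nvram.conf",
               port: int = 69, timeout: float = 3.0):
    """Send one RRQ and report the first reply (assumed host/timeout values)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_rrq(filename), (host, port))
        # the server answers from a freshly chosen transfer-ID port, not 69
        pkt, _ = s.recvfrom(516)
    except socket.timeout:
        return ("no-response", None, None)
    finally:
        s.close()
    # we never ACK, so a live server will retransmit block 1 a few times and give up
    return parse_reply(pkt)


if __name__ == "__main__":
    # constructed packets so the parser can be exercised without a router on hand
    assert parse_reply(b"\x00\x03\x00\x01model=TEW-632BRP\n") == ("data", 1, b"model=TEW-632BRP\n")
    assert parse_reply(b"\x00\x05\x00\x01File not found\x00") == ("error", 1, "File not found")
    if len(sys.argv) > 1:
        print(probe_tftp(sys.argv[1]))  # e.g. python3 tftp_probe.py 192.168.10.1
```

Anything other than "no-response" from the LAN address after flashing means the patch did not take, or the service was restarted by something the patch did not cover.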
The ability to analyze a firmware image and extract data from it is extremely useful. It can allow you to analyze an embedded device for bugs, vulnerabilities, or GPL violations without ever having access to the device.
In this tutorial, we’ll be examining the firmware update file for the Linksys WAG120N with the intent of finding and extracting the kernel and file system from the firmware image. The firmware image used is for the WAG120N hardware version 1.0, firmware version 1.00.16 (ETSI) Annex B, released on 08/16/2010 and is currently available for download from the Linksys Web site.
So you’ve got an embedded device that’s running Linux, you’ve tapped into the board’s serial port and you have a root shell. You’re poking around and want to run netstat/netcat/grep/whatever – but it’s not installed! And what’s worse, the device doesn’t have any utilities to perform a network file transfer. How do you get the file you want to execute from your host machine up to the embedded device?
Transferring ASCII files can be done with minicom, but that method won’t work properly for binary files. ASCII-encoding the binary usually isn’t an option either, since most embedded systems won’t have utilities like base64 or uuencode to decode the transferred file, and other transfer methods (Xmodem/Ymodem/Zmodem, Kermit) require a corresponding utility to already be installed on the embedded device.
If the echo command on your serial shell supports the -n and -e options (most do), serio can help.
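The idea behind the echo trick is that every byte of the file is typed into the target shell as an escape sequence, so nothing (NULs, quotes, newlines) is ever sent as a literal character, and the shell’s own echo -ne reassembles the binary with no decoder installed. The script below is an added example built on that idea; it is not serio itself or any code from the original post. It assumes the target’s echo honours -n and -e and expands \xHH escapes (or \0NNN octal escapes with octal=True); the destination path, chunk size and the md5sum check are illustrative.

```python
"""Rebuild a binary on a serial-console target using only `echo -ne`.

Assumptions: the target shell's echo honours -n and -e and expands \\xHH
(or, with octal=True, \\0NNN) escapes. /tmp/nc and the chunk size are
illustrative; pick a chunk size your serial line discipline will buffer.
"""
import hashlib
import re


def escape_chunk(chunk: bytes, octal: bool = False) -> str:
    """Encode every byte as an escape so NULs, quotes, backslashes and
    newlines never reach the remote shell as literal characters."""
    if octal:
        return "".join(f"\\0{b:03o}" for b in chunk)
    return "".join(f"\\x{b:02x}" for b in chunk)


def echo_commands(data: bytes, dest: str, chunk_size: int = 64,
                  octal: bool = False) -> list:
    """Shell lines to send one at a time over the serial console."""
    cmds = [f": > {dest}"]  # create/truncate the file with no extra tool
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        cmds.append(f"echo -ne '{escape_chunk(chunk, octal)}' >> {dest}")
    return cmds


def transfer_script(data: bytes, dest: str, executable: bool = True, **kw) -> list:
    """Full command list: write the file, mark it executable, print its hash
    (if the target has md5sum) for comparison with expected_md5(data)."""
    cmds = echo_commands(data, dest, **kw)
    if executable:
        cmds.append(f"chmod +x {dest}")
    cmds.append(f"md5sum {dest}")
    return cmds


def expected_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


_LINE = re.compile(r"^echo -ne '([^']*)' >> \S+$")
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\0([0-7]{3})")


def simulate_target(cmds) -> bytes:
    """What a conforming echo -ne would append for each command line; lets you
    confirm the encoding round-trips before spending minutes typing it at
    115200 baud."""
    out = bytearray()
    for cmd in cmds:
        m = _LINE.match(cmd)
        if m is None:
            continue  # the ':' truncate, chmod and md5sum lines write no data
        for hx, oc in _ESC.findall(m.group(1)):
            out.append(int(hx, 16) if hx else int(oc, 8))
    return bytes(out)


if __name__ == "__main__":
    # constructed sample: every byte value, including the awkward ones
    payload = bytes(range(256))
    for line in transfer_script(payload, "/tmp/nc", chunk_size=32):
        print(line)
    assert simulate_target(transfer_script(payload, "/tmp/nc")) == payload
    print("expected md5:", expected_md5(payload))
```

Each generated line is typed (or pasted by a script driving the serial port) and you wait for the prompt before sending the next one; 64 bytes per line is a conservative choice, since a line that overruns the tty’s input buffer is silently truncated and the file ends up corrupt, which is exactly what the closing md5sum comparison catches.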