A Code Signature Plugin for IDA – /dev/ttyS0

When reversing embedded code, it is often the case that completely different devices are built around a common code base, either due to code re-use by the vendor, or through the use of third-party software; this is especially true of devices running the same Real Time Operating System. For example,… Continue reading

Mucking About With SquashFS – /dev/ttyS0

SquashFS is an incredibly popular file system for embedded Linux devices. Unfortunately, it is also notorious for being hacked up by vendors, causing the standard SquashFS tools (i.e., unsquashfs) to fail when extracting these file systems. While projects like the Firmware-Mod-Kit (FMK) have amassed many unsquashfs utilities to work with… Continue reading

WRT120N fprintf Stack Overflow – /dev/ttyS0

With a good firmware disassembly and JTAG debug access to the WRT120N, it’s time to start examining the code for more interesting bugs. As we’ve seen previously, the WRT120N runs a Real Time Operating System. For security, the RTOS’s administrative web interface employs HTTP Basic authentication: 401 Unauthorized Most of… Continue reading

Encryption vs Compression, Part 2 – /dev/ttyS0

I’ve recently been examining the feasibility of differentiating compressed data from encrypted data based on variations in the entropy of the data. Initial results showed some promise, but were tested against too small of a sample set to draw any hard conclusions. Since then, I’ve been experimenting with larger data… Continue reading

Differentiate Encryption From Compression Using Math – /dev/ttyS0

When working with binary blobs such as firmware images, you’ll eventually encounter unknown data. Particularly with regards to firmware, unknown data is usually either compressed or encrypted. Analysis of these two types of data is typically approached in very different manners, so it is useful to be able to distinguish… Continue reading

Reverse Engineering Serial Ports – /dev/ttyS0

Given the name of this blog and the number of requests that I’ve had, I think it’s high time we discussed serial ports; specifically, serial ports in embedded systems. My goal here is to describe the techniques that I’ve found effective in identifying and reverse engineering embedded serial ports through… Continue reading

Writing a bFLT Loader for IDA – /dev/ttyS0

I was recently working on some uClinux-based devices and needed to disassemble some of the binaries in the firmware. Unfortunately, IDA doesn’t have a loader for the bFLT file format used by uClinux: No bFLT Loader Fortunately, I was able to find a bFLT loader over at rockbox.org. Unfortunately this… Continue reading

Emulating NVRAM in Qemu – /dev/ttyS0

Being able to emulate embedded applications in Qemu is incredibly useful, but not without pitfalls. Probably the most common issue that I’ve run into are binaries that try to read configuration data from NVRAM; since the binary is running in Qemu and not on the target device, there is obviously… Continue reading

Exploiting Embedded Systems – Part 4 – /dev/ttyS0

So far in this series we’ve found that we can log in to our target TEW-654TR router by either retrieving the plain text administrator credentials via TFTP, or through SQL injection in the login page. But the administrative web interface is just too limited – we want a root shell!… Continue reading

Exploiting Embedded Systems – Part 3 – /dev/ttyS0

In part 2 of this series we found a SQL injection vulnerability using static analysis. However, it is often advantageous to debug a target application, a capability that we’ll need when working with more complex exploits later on. In this segment we won’t be discovering any new vulnerabilities, but instead… Continue reading