Qemu vs sstrip

Qemu usually does a great job emulating embedded Linux applications, but as with anything you will occasionally run into bugs. While attempting to debug an embedded application in Qemu the other day, I ran into the following error:

eve@eve:~/firmware$ sudo chroot . ./qemu-mips bin/ls 
bin/ls: Invalid ELF image for this architecture

This error is usually indicative of using the wrong endian emulator, but I knew that the target binary was big endian MIPS. The file utility began to shed some light on the issue:

eve@eve:~/firmware$ file bin/busybox 
bin/busybox: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size

Hmmm, a corrupted section header? Let’s take a closer look at the binary.
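The "corrupted section header size" diagnostic comes from the section-header fields of the ELF file header (e_shoff, e_shentsize, e_shnum), which tools like file and the emulator's loader read before anything else. The following added example, written for this page and not part of the original post, parses that header for 32- and 64-bit images of either endianness and reports whether the section header table is present, consistently absent (the result of a stripping tool that removes it), or internally inconsistent. The sample headers are constructed inline; they are not taken from the busybox binary in the post.

```python
import struct

# sizeof(Elf32_Shdr) and sizeof(Elf64_Shdr); a table whose e_shentsize
# differs from these is what file(1) calls a corrupted section header size.
EXPECTED_SHENTSIZE = {1: 40, 2: 64}
EM_MIPS = 8


def parse_elf_header(data):
    """Parse the ELF file header and return the fields a section-header check needs."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("unknown EI_DATA value %d" % ei_data)
    endian = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:
        fmt = endian + "HHIIIIIHHHHHH"              # Elf32_Ehdr after e_ident (36 bytes)
    elif ei_class == 2:
        fmt = endian + "HHIQQQIHHHHHH"              # Elf64_Ehdr after e_ident (48 bytes)
    else:
        raise ValueError("unknown EI_CLASS value %d" % ei_class)
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _version, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     _phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(fmt, data, 16)
    return {
        "class": ei_class, "endian": "LSB" if ei_data == 1 else "MSB",
        "type": e_type, "machine": e_machine, "entry": e_entry,
        "phoff": e_phoff, "phnum": e_phnum,
        "shoff": e_shoff, "shentsize": e_shentsize, "shnum": e_shnum, "shstrndx": e_shstrndx,
    }


def check_section_headers(data):
    """Return (header, notes). Notes describe an absent or inconsistent section header table."""
    hdr = parse_elf_header(data)
    notes = []
    expected = EXPECTED_SHENTSIZE[hdr["class"]]
    if hdr["shnum"] == 0 and hdr["shoff"] == 0:
        # Program headers, not section headers, drive loading, so a cleanly
        # removed table is reported as a note rather than a defect.
        notes.append("no section header table (section headers stripped)")
    else:
        if hdr["shentsize"] != expected:
            notes.append("corrupted section header size: e_shentsize=%d, expected %d"
                         % (hdr["shentsize"], expected))
        if hdr["shoff"] + hdr["shnum"] * hdr["shentsize"] > len(data):
            notes.append("section header table runs past end of file")
    return hdr, notes


def make_elf32_be_header(shoff, shentsize, shnum, shstrndx, padding):
    """Construct a minimal big-endian 32-bit MIPS ELF header (sample input, not a real binary)."""
    ident = b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8   # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    rest = struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x400000, 52, shoff, 0,
                       52, 32, 0, shentsize, shnum, shstrndx)
    return ident + rest + b"\x00" * padding


# Constructed samples: a normal table, a cleanly removed one, and two inconsistent ones.
GOOD = make_elf32_be_header(shoff=52, shentsize=40, shnum=3, shstrndx=2, padding=120)
STRIPPED = make_elf32_be_header(shoff=0, shentsize=0, shnum=0, shstrndx=0, padding=0)
BAD_SIZE = make_elf32_be_header(shoff=52, shentsize=0, shnum=3, shstrndx=2, padding=120)
BAD_EXTENT = make_elf32_be_header(shoff=52, shentsize=40, shnum=3, shstrndx=2, padding=0)

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("stripped", STRIPPED),
                       ("bad_size", BAD_SIZE), ("bad_extent", BAD_EXTENT)):
        hdr, notes = check_section_headers(blob)
        print("%-10s %s 32-bit, machine=%d, e_shoff=%d e_shentsize=%d e_shnum=%d -> %s"
              % (name, hdr["endian"], hdr["machine"], hdr["shoff"],
                 hdr["shentsize"], hdr["shnum"], notes or ["ok"]))
```

Running check_section_headers over the real file (open it in binary mode and pass the bytes) tells you which of the three states you are looking at before you spend time on the emulator: a table that is present and sane, one that is entirely absent, or one whose fields disagree with each other, which is the case file flags on this page.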


Adding Hyperlinks to IDA HTML Files With IDAnchor

IDA can export disassembled data in a variety of formats, including HTML. However, the HTML output is difficult to navigate as there are no hyperlinks connecting any of the code cross references. This is a bit frustrating, so I wrote IDAnchor.

IDAnchor will take an HTML file generated by IDA and attempt to locate functions and code references in the file. It then adds anchor tags to each location and hyperlinks all cross references together for easy navigation. It also adds a function navigation table for easily jumping to a desired function:

IDAnchor Example Output

IDAnchor is still very much beta code, but so far it works for me!

Modifying The DD-WRT GUI

Although released under the GPL, DD-WRT is notoriously difficult to build from source. If you want to customize your DD-WRT installation, it is usually easier to extract files from the firmware image, change what you need, and then reconstruct the image.

One exception here is the Web GUI. The DD-WRT Web pages (*.asp, *.htm, *.gif, *.css) in each firmware image are protected in order to prevent modification. Being able to customize the Web interface can be advantageous for those wishing to add compatibility with mobile/uncommon browsers, change themes, add links, etc.

And, despite claims to the contrary, that’s exactly what we’ll be doing.

DD-WRT Sporting the Hack-A-Day Logo


LittleBlackBox 0.1.2 Released!

Version 0.1.2 of LittleBlackBox was released last night. In addition to a new list of private SSL keys added to the database and some minor bug fixes, we’ve introduced a couple of new features:

  • Ability to update the SSL key database to the latest SVN check-in, keeping you up to date with the newest SSL keys.
  • Support for BSD and OS X builds. The previous Makefile didn’t build without modifications on these systems.

We add new SSL keys to the database regularly, so run --update often!

Breaking SSL on Embedded Devices

No, this is not some new SSL vulnerability. In fact, it’s a really old vulnerability, as old as cryptography itself: keep your secret keys secret.

A lot of embedded devices provide HTTPS support so that administrators can administer the devices securely over untrusted networks. Some devices, such as SSL VPNs, center their entire functionality around SSL encryption. OK, well SSL isn’t perfect, but it’s still the de facto standard for Web-based encryption. So far, so good.

Here’s where it gets fun: many of these devices use hard-coded SSL keys that are baked into the firmware. That means that if Alice and Bob are both using the same router with the same firmware version, then both of their routers have the same SSL keys. All Eve needs to do in order to decrypt their traffic is to download the firmware from the vendor’s Web site and extract the SSL private key from the firmware image.


Binwalk 0.2 Released!

We’ve just released a new version of Binwalk, our open source firmware analysis tool. This release features new firmware signatures and a huge speed increase; scan times for large firmware images went from ~12 hours to less than a minute!

Download Binwalk here.