Posts

Showing posts from May, 2022

Decrypting D-Link XOR Encrypted Firmware

Firmware DIR850LB1_FW207WWb05.bin is encrypted with an XOR cipher. The original firmware is XORed with two keys. The first key is wrgac25_dlink.2013gui_dir850l; the second key is the sequence of numbers from 1 to 251. A Python program to decrypt the firmware is given below:

    import itertools
    import sys

    # Key 1: the ASCII key string, repeated cyclically
    key1 = itertools.cycle(b'wrgac25_dlink.2013gui_dir850l')
    # Key 2: the byte values 1..251, repeated cyclically
    key2 = itertools.cycle(range(1, 252))

    # Usage: python3 decrypt.py <encrypted.bin> <decrypted.bin>
    with open(sys.argv[1], 'rb') as f:
        fw = f.read()

    # Each firmware byte is XORed with the next byte of both key streams
    with open(sys.argv[2], 'wb') as f:
        for i in range(0, len(fw)):
            f.write(bytes([fw[i] ^ next(key1) ^ next(key2)]))

Demo

Extract JFFS2 Filesystem from Ubuntu 20.04

1. Install the required packages:

    sudo apt install python3-pip git python3-lzo
    sudo pip3 install cstruct
    git clone https://github.com/sviehb/jefferson.git
    cd jefferson
    sudo python3 setup.py install

2. Extract the filesystem:

    jefferson rootfs

This will extract the filesystem contents to the directory jffs2-root.

Demo

Unauthenticated Credential Disclosure through Decompilation of D-Link Firmware (CVE-2020-29321)

Introduction

Telnet credentials can be extracted from the firmware of vulnerable D-Link devices such as:

DIR-868L Rev. C1 - FW v3.01 (CVE-2020-29321)
DIR-880L Rev. Ax - FW v1.07 (CVE-2020-29322)
DIR-885L Rev. Ax - FW v1.15b02 (CVE-2020-29323)
DIR-895L Rev. Ax - FW v1.21b05 (CVE-2020-29324)

Analysis

1. Extract the filesystem from the firmware:

    binwalk -eM DIR868LC1_FW301b08.bin

2. Obtain the username from the file squashfs-root/etc/init0.d/S80telnetd.sh. The username can be seen as Alphanetworks.

3. Get the password from the file squashfs-root/etc/config/image_sign. In the case of the DIR-868L the password is wrgac35_dlink.2013gui_dir868lc.

Demo

D-Link DVG-3104MS Hardcoded Credentials Vulnerability Analysis (CVE-2021-39613)

Introduction

D-Link DVG-3104MS versions 1.0.2.0.3, 1.0.2.0.4, and 1.0.2.0.4E contain hard-coded credentials for undocumented user accounts in the '/etc/passwd' file. The passwords can be easily recovered using john. The D-Link DVX-2000MS has a similar vulnerability (CVE-2021-39614).

Analysis

1. Extract the filesystem from the firmware using binwalk:

    binwalk -eM DVG-3104MS_010204.flash

2. Extract the etc.tgz file in the _DVG-3104MS_010204.flash.extracted/squashfs-root/etc/ directory. Two different types of hashes can be found in the passwd file.

3. Separate them and crack the hashes using john:

    john passwd_type1.txt
    john passwd_type2.txt

4. The following credentials will be obtained after a successful crack:

    root:brecis:0:0:root:/root:/bin/sh
    CLI:brecis:0:0:root:/root:/bin/sh
    demo:demo:5000:5000:Demo User:/home/demo:/bin/bash
    maintain:blip:6000:6000:maintainer:/var:/bin/sh
    cloudraker:brecis:32770:32770:Linux User,,,:/home/cloudraker:/bin/sh
    pmc:pmc123:32771:32771:Linux User,,,:/home/pmc:/bin/sh

Dem

Analysis of TP-Link Firmware with Header Version 1

Introduction

Analysis of the TP-Link firmware file wr841nv11_wr841ndv11_en_3_16_9_up_boot(150616).bin with header version 1.

Header Structure

    Offset  Size (Bytes)  Item                 Value
    0       4             Version              0x01000000
    4       24            Vendor Name          TP-Link Technologies
    0x1C    36            FW Version           Ver. 1.0
    0x40    4             HW ID                0x08410011
    0x44    4             HW Revision          0x00000001
    0x48    4             Unused               0
    0x4C    16            Image MD5SUM         0xBF...65
    0x5C    4             Unused               0
    0x60    16            MD5SUM2              0x23...F0
    0x70    4             Unused               0
    0x74    4             Kernel Load Address  0x80002000
    0x78    4             Kernel Entry Point   0x801CDB90
    0x7C    4             FW Length            0x003E0200
    0x80    4             Kernel Data Offset   0x00000200
    0x84    4             Kernel Data Length

Analysis of Asus TRX firmware

Introduction

Analysis of the file FW_RT_N53_30043763754.trx, corresponding to the firmware of the Asus RT N53.

Header Structure

    Offset  Size (Bytes)  Item                              Value (FW_RT_N53_30043763754.trx)
    0       4             Magic Bytes                       HDR0
    4       4             Length (including header)         0x00707000
    8       4             CRC32 (for data from offset 0xC)  0x512E08B5
    0xC     2             Flags                             0
    0x0E    2             Version                           0x0001
    0x10    4             Loader Offset                     0x0000001C
    0x14    4             Kernel Offset                     0x00000A8C
    0x18    4             Rootfs Offset                     0x001299EC

Analysis

If the magic bytes are HDR0, the firmware is little endian.

1. Verify that the size of the file is the same as that given in the header, i.e. 0x707000 or 7368704 bytes.

2. To calculate the CRC32, extract the data from offset 0xC:

    dd iflag=skip_bytes if=fw.trx skip=$((0xC)) of=crc_data

Calculate the CRC32:

    crc32 crc_data

Convert the result obtained, 0xaed1f74a, to a signed value an

OpenOCD Bus Pirate interface configuration

Ensure that the Bus Pirate has a firmware version which supports the JTAG protocol. Connect the pins on the device and the Bus Pirate as given below:

Edit the file /usr/local/share/openocd/scripts/interface/buspirate.cfg and uncomment the lines:

    buspirate port /dev/ttyUSB0
    transport select jtag

Start OpenOCD:

    sudo openocd -f /usr/local/share/openocd/scripts/interface/buspirate.cfg

Demo

Firmadyne Installation & Emulation of Firmware

Introduction

Firmadyne can be used to perform emulation and analysis of Linux-based firmware.

Installation

Install Ubuntu 18.04 LTS and upgrade all packages:

    sudo apt update
    sudo apt upgrade

Install and configure the other packages:

    sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic
    sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10
    git clone --recursive https://github.com/firmadyne/firmadyne.git
    git clone https://github.com/ReFirmLabs/binwalk.git
    cd binwalk
    sudo ./deps.sh
    sudo python ./setup.py install
    cd ..
    sudo apt-get install postgresql
    sudo -u postgres createuser -P firmadyne

Give firmadyne as the password.

    sudo -u postgres createdb -O firmadyne firmware
    sudo -u postgres psql -d firmware < ./firmadyne/database/schema
    cd firmadyne
    ./download.sh
    sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils
    nano firmadyne.config

Un

JTAGulator Firmware Upgrade from Ubuntu

Steps

1. Download the latest stable firmware from the JTAGulator github page. At the moment, version 1.11 is the latest.

    wget https://github.com/grandideastudio/jtagulator/archive/refs/tags/1.11.zip

2. Unzip the downloaded zip file:

    unzip 1.11.zip

JTAGulator.eeprom is the file required for upgrading the firmware.

3. Download the BST command line loader:

    wget https://www.fnarfbargle.com/bst/bstl/Latest/bstl.linux.zip

4. Unzip the BST loader zip file:

    unzip bstl.linux.zip

5. Upgrade the JTAGulator firmware:

    sudo ./bstl.linux -d /dev/ttyUSB0 -p 3 jtagulator-1.11/JTAGulator.eeprom

Demo

Extract / Create Cramfs File System from Ubuntu 20.04

Extract Cramfs

Check the endianness of the Cramfs file:

    file cramfs

This is a big endian file. Convert the cramfs file to the little endian file cramfs_le using cramfsswap:

    cramfsswap cramfs cramfs_le

Extract the little endian file cramfs_le to the folder fs using fsck.cramfs:

    sudo fsck.cramfs --extract=fs cramfs_le

Create Cramfs

Use mkfs.cramfs to create a Cramfs file system from the contents of the folder fs. To create a little endian file system:

    sudo mkfs.cramfs fs cramfs_new

For a big endian Cramfs file system:

    sudo mkfs.cramfs -N big fs cramfs_new

Demo

Dump memory to file from U-Boot console using Memory Display (md) log

Introduction

Dump firmware or other contents from the memory of a device with the U-Boot bootloader to a file by converting the output of the memory display (md) command to a binary image.

Steps

1. Connect to the U-Boot console using picocom and save all output in a log file using the command given below. Here the output is saved to a log file named 'mdb.log'.

    sudo picocom /dev/ttyUSB0 --baud 115200 --logfile mdb.log

2. Display the contents of the memory using the command:

    md.b <address> <length>

The figure below shows the command to display the memory contents from address 0x400000000 with length 0x20000 (128KB). The data in this example corresponds to a jffs2 file system.

3. Once the execution completes, edit the log file and remove everything other than the md.b output.

4. Clone the github project uboot-mdb-dump.git:

    git clone https://github.com/gmbnomis/uboot-mdb-dump.git

5. Generate the binary image file 'output.bin' from the log file 'mdb.log':

    python3 uboot-mdb-dump/uboot_mdb_to_image

Decrypting D-Link Encrypted Firmware (SHRS)

Introduction

D-Link firmware with the SHRS magic bytes contains firmware encrypted using AES-128-CBC with the key 0xC05FBF1936C99429CE2A0781F08D6AD8. The original firmware can be obtained by extracting the encrypted block from the firmware and then decrypting it using this key.

Header Structure

The header structure of the firmware, along with the corresponding values for the sample firmware DIR-867_FW1.30B07.bin, is given in the table.

    Offset  Size (Bytes)  Item                        Value (DIR-867_FW1.30B07)
    0       4             Magic Bytes                 SHRS
    4       4             Decrypted FW Size           0x9D2AF9
    8       4             Encrypted Block Size        0x9D2B00
    0xC     16            IV                          0x67C6697351FF4AEC29CDBAABF2FBE346
    0x1C    64            SHA512(Decrypted FW + Key)  0x7139.......AA94
    0x5C    64            SHA512(Decrypted FW)        0xDAC3.......5DA7
    0x9C    64            SHA512(Encrypted Block)     0x7D3F.......12D2
    0xDC    512           Unused                      00
    0x2DC   512           Decrypted Block Signature   0x0253.......F178
    0x4DC   512           Encrypted Block Signature   0x81D4.......7383

The encrypted block starts at offset 0x6DC.

1. Extract the encrypted block:

    dd iflag=skip_bytes,count_bytes if=enc_fw.bin of=enc_block.bin