Firmware Analysis
Introduction
What is a firmware?
Firmware is the software that is embedded in a piece of hardware. It provides a standard operating environment for your embedded system, and it is also where the most important pieces of data are stored. You can think of firmware simply as "software for embedded devices". Basically, the firmware is what makes your device work the way it is meant to work.
How to get your hands on a firmware?
There are many ways to get the firmware of a device:
- Extract from the device
This is probably the most obvious way of obtaining the firmware. There are many methods for extracting the firmware from the memory of the device, such as using the bootloader, JTAG, etc. The difficulty of extraction will depend on the way the device is manufactured.
- From the official site
For devices like routers, the firmware is readily available on the vendor's official website, as some of these devices require installation of external firmware for updates. The availability of a firmware depends on the device. Sometimes the whole firmware will be available, but sometimes only the parts necessary for the firmware update will be public.
How to analyse a given firmware?
Once we have a firmware, the next step is making sense of it. We need to figure out what is inside this firmware, how the device works, and so on. We can get important data from the firmware, like information about the filesystem of the embedded device. There are tools which can help us analyse that.
Binwalk is a tool for searching inside a given binary or image for embedded files and executable code. It can identify files and code embedded inside the firmware image.
To analyse a binary file using binwalk, use the command:
$ binwalk -eM filename.bin
The -e flag is used to extract any files binwalk encounters while analysing the binary.
The -M flag is used for recursive analysis of the binary (the extracted files are scanned again).
Let's try analysing a sample firmware:
$ binwalk -eM wg602v3_1_2_5ww.trx
Scan Time: 2019-09-16 18:58:02
Target File: /home/hari/Documents/bi0s/hardware/firmwares/wg602v3_1_2_5ww.trx
MD5 Checksum: 6c59f58d519ff865c8d6a793a317a88c
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 TRX firmware header, little endian, image size: 1691648 bytes, CRC32: 0x50C5FAF8, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x8A260, rootfs offset: 0x0
28 0x1C gzip compressed data, maximum compression, has original file name: "piggy", from Unix, last modified: 2007-02-14 19:21:37
565856 0x8A260 CramFS filesystem, little endian, size: 1122304, version 2, sorted_dirs, CRC 0xD6DE1CB8, edition 0, 797 blocks, 212 files
Scan Time: 2019-09-16 18:58:02
Target File: /home/hari/Documents/bi0s/hardware/firmwares/_wg602v3_1_2_5ww.trx-0.extracted/piggy
MD5 Checksum: 27ce9759a5c0837a8ddcf985d99dc103
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1044640 0xFF0A0 Linux kernel version 2.4.20
1063452 0x103A1C Unix path: /usr/lib/libc.so.1
1110975 0x10F3BF Copyright string: "Copyright 1995-1998 Mark Adler"
1303420 0x13E37C CRC32 polynomial table, little endian
We have successfully extracted the firmware, and we can see that there is a CramFS filesystem in the firmware. Binwalk also analysed the extracted file piggy, and we can see that it is a Linux kernel.
We can extract the filesystem from the firmware by using the dd command, skipping to the offset binwalk reported for the CramFS (565856 bytes).
$ dd if=wg602v3_1_2_5ww.trx skip=565856 bs=1 of=fs.cramfs
1125803+0 records in
1125803+0 records out
1125803 bytes (1.1 MB, 1.1 MiB) copied, 12.8153 s, 87.8 kB/s
$ file fs.cramfs
fs.cramfs: Linux Compressed ROM File System data, little endian size 1122304 version #2 sorted_dirs CRC 0xd6de1cb8, edition 0, 797 blocks, 212 files
If we use the dd command, we will have to mount the filesystem manually, but binwalk with -e will extract the filesystem for you automatically.
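As an added example (not part of the original page), the Python script below does by hand what binwalk's TRX signature and the dd command above do: it parses the 28-byte TRX header, checks what really sits behind each partition offset (in the image above, the slot binwalk labels "linux kernel offset" actually points at the CramFS), verifies the header CRC, and carves a partition out. The CRC convention (that of OpenWrt's trx tool, CRC-32 without the final inversion), the helper names, and the sample image built inside the script are assumptions, not data from the page.

```python
import gzip
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_HEADER = struct.Struct("<4sIIIIII")  # magic, len, crc32, flag_version, offsets[3]
KNOWN_MAGIC = {                          # what usually sits behind the offsets
    b"\x1f\x8b": "gzip",
    b"\x45\x3d\xcd\x28": "cramfs, little endian",
    b"hsqs": "squashfs, little endian",
}

def trx_crc(body: bytes) -> int:
    # Assumption: the CRC covers everything after the crc field, in the convention of
    # OpenWrt's trx tool (CRC-32 whose final inversion is omitted).
    return zlib.crc32(body) ^ 0xFFFFFFFF

def parse_trx(image: bytes) -> dict:
    """Parse a TRX header and report what each partition offset really points at."""
    if len(image) < TRX_HEADER.size or image[:4] != TRX_MAGIC:
        raise ValueError("not a TRX image")
    _, length, crc, flag_version, *offsets = TRX_HEADER.unpack_from(image)
    if length > len(image):
        raise ValueError(f"header claims {length} bytes but the file has {len(image)}")
    starts = sorted(o for o in offsets if o)  # an offset of 0 means the slot is unused
    parts = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else length
        kind = next((k for m, k in KNOWN_MAGIC.items() if image.startswith(m, start)), "unknown")
        parts.append({"start": start, "end": end, "kind": kind})
    return {"flags": flag_version & 0xFFFF, "version": flag_version >> 16,
            "crc_ok": trx_crc(image[12:length]) == crc, "partitions": parts}

def carve(image: bytes, part: dict) -> bytes:
    """Same job as the dd command above: copy one partition out of the image."""
    return image[part["start"]:part["end"]]

def build_trx(blobs: list, version: int = 1) -> bytes:
    """Constructed test data: wrap up to three blobs in a valid TRX header."""
    offsets, body = [], b""
    for blob in blobs:
        offsets.append(TRX_HEADER.size + len(body))
        body += blob
    offsets += [0] * (3 - len(offsets))
    tail = struct.pack("<IIII", version << 16, *offsets) + body
    return TRX_MAGIC + struct.pack("<II", TRX_HEADER.size + len(body), trx_crc(tail)) + tail

# Constructed sample: a gzip-compressed "kernel" followed by a fake cramfs partition.
ROOTFS_BLOB = b"\x45\x3d\xcd\x28" + b"\0" * 100
SAMPLE_IMAGE = build_trx([gzip.compress(b"kernel" * 64), ROOTFS_BLOB])
```

Run parse_trx on a real image read with open(path, "rb").read(); a crc_ok of False means the image was modified or truncated after the header was written, which is worth knowing before trusting anything carved from it.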
Now, let's have a look at the filesystem:
$ cd cramfs-root && ls
bin dev etc lib mnt proc sbin tmp usr var
Once you have access to the filesystem, you can look for hard-coded data and many other things, as the filesystem of a firmware is a simplified version of a typical Linux filesystem.
The next step is about figuring out how the device works.