IoT Firmware Analysis

Obtain Firmware

 * From vendor download site
 * Capture during device update
 * Extract directly from hardware

Analyze Firmware File

 * Run the "file" command on the *.bin file
   * We are looking for "file" to report the *.bin as "data", i.e. no container format it recognises
 * Verify the MD5 signature if you have it
   * Run the "cat" command on the *.md5 file
   * Run the "md5sum" command on the *.bin file and compare the two values
 * Run "strings" against the *.bin file
   * Running strings can give deeper insight into the file
   * ex. "strings -n 10 xyz.bin > strings.out"
   * ex. "less strings.out"
 * Run "hexdump" against the *.bin file
   * Running hexdump can help identify the type of firmware build
   * ex. "hexdump -C -n 512 xyz.bin > hexdump.out"
   * ex. "cat hexdump.out"
 * "binwalk" will be one of the primary tools used for analyzing, reverse engineering and extracting data from the firmware image
   * ex. "binwalk xyz.bin"
   * We are looking for binwalk to identify the type of file system in use, ex. a squashfs filesystem
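As an added example (not part of the original notes, and not binwalk's own code), the script below does in Python what the steps above do by hand: it checks an image against a vendor-style .md5 file and scans the image for the file-system and container magic values that "file", "hexdump" and binwalk would normally surface. SAMPLE_IMAGE is a constructed byte string, not a real firmware, and SAMPLE_MD5_TEXT is computed from it to stand in for the vendor's .md5 file. Note that a matching MD5 only tells you the download was not corrupted; a hash published next to the image proves nothing about tampering of either.

```python
import hashlib

# Known on-disk magic values and the labels binwalk would typically print for them.
# Offsets are wherever the magic appears, since firmware images bundle several parts.
SIGNATURES = [
    (b"hsqs", "squashfs (little-endian)"),
    (b"sqsh", "squashfs (big-endian)"),
    (b"shsq", "squashfs, non-standard magic (vendor-modified)"),
    (b"\x85\x19\x01\xe0", "jffs2 dirent node (little-endian)"),
    (b"\x85\x19\x02\xe0", "jffs2 inode node (little-endian)"),
    (b"070701", "cpio (newc ASCII)"),
    (b"070707", "cpio (odc ASCII)"),
    (b"UBI#", "UBI erase-block header"),
    (b"\x1f\x8b\x08", "gzip stream"),
    (b"\x7fELF", "ELF executable"),
]


def verify_md5_text(data: bytes, md5_text: str) -> bool:
    """Compare data's MD5 with the first token of an md5sum-style file ("digest  name")."""
    expected = md5_text.split()[0].strip().lower()
    return hashlib.md5(data).hexdigest() == expected


def verify_md5(bin_path: str, md5_path: str) -> bool:
    """Same check against a .bin and .md5 on disk (the cat / md5sum step above)."""
    with open(bin_path, "rb") as fh, open(md5_path, encoding="utf-8") as mh:
        return verify_md5_text(fh.read(), mh.read())


def describe(data: bytes) -> str:
    """Rough analogue of the `file` verdict: a label only when a known magic sits at
    offset 0, otherwise "data", which is what we expect for a raw firmware blob."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "data"


def scan_signatures(data: bytes):
    """Return every (offset, label) hit for the known magic values, sorted by offset."""
    hits = []
    for magic, label in SIGNATURES:
        start = 0
        while True:
            pos = data.find(magic, start)
            if pos < 0:
                break
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


# Constructed sample image: padding, an ELF stub, a squashfs superblock stub and a
# cpio header, laid out the way a vendor bundle often is.  Not a real device image.
SAMPLE_IMAGE = (
    b"\x00" * 64                   # bootloader header / padding
    + b"\x7fELF" + b"\x00" * 60    # kernel image stub at offset 64
    + b"hsqs" + b"\x00" * 92       # squashfs (little-endian) stub at offset 128
    + b"070701" + b"\x00" * 26     # cpio newc archive stub at offset 224
)
# Stand-in for the vendor's .md5 file, computed from the sample above.
SAMPLE_MD5_TEXT = hashlib.md5(SAMPLE_IMAGE).hexdigest() + "  xyz.bin\n"

if __name__ == "__main__":
    print("md5 ok:", verify_md5_text(SAMPLE_IMAGE, SAMPLE_MD5_TEXT))
    print("file says:", describe(SAMPLE_IMAGE))
    for offset, label in scan_signatures(SAMPLE_IMAGE):
        print(f"0x{offset:08x}  {label}")
```

On a real image, `scan_signatures(open("xyz.bin", "rb").read())` gives the offsets you would otherwise read off binwalk's table; the squashfs offset is the `skip` value for the dd step in the next section.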

Extracting the File System from the Firmware File

 * Run binwalk against the firmware file
   * ex. "binwalk xyz.bin"
   * Again, we are looking for binwalk to hopefully identify the file system
 * Extracting the filesystem using "dd"
   * Assuming binwalk has identified a valid file system, squashfs for example, we can use "dd" as one way to extract the file system
   * ex. "dd if=xyz.bin bs=1 skip=922460 count=2522318 of=xyz.squashfs"
   * Note: the skip and count values will vary depending on your specific bin file (skip is the offset binwalk reports for the file system, count is its size)
   * See documentation from Firmware Hacking VM for further detail
 * Following extraction of the filesystem, assuming it is squashfs, we can expand the contents by running "sasquatch"
   * ex. "sasquatch xyz.squashfs"
   * "cd" into "squash-root" and have a look around for interesting things
   * Some examples include:
     * /etc/banner
     * /etc/openwrt_version
     * /etc/openwrt_release
     * /etc/dropbear/authorized_keys
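The skip and count values in the dd step come from the squashfs superblock, so they can be computed instead of copied from binwalk's output. The script below is an added example (not from the original notes and not part of binwalk, sasquatch or the firmware-mod-kit): it finds squashfs magic in an image, parses the 48-byte head of a v4 superblock in either byte order to read block size, compressor and bytes_used, rounds the length up to the 4 KiB padding mksquashfs applies by default, and prints the matching dd command. Images whose magic is the non-standard "shsq" are reported but not parsed, since their layout is vendor-specific. SAMPLE_IMAGE is a constructed image with a fabricated superblock, not a real firmware.

```python
import struct

# On-disk magic -> struct byte-order prefix for the standard squashfs variants.
SQUASHFS_MAGIC = {b"hsqs": "<", b"sqsh": ">"}
NONSTANDARD_MAGIC = (b"shsq",)
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# v4 superblock, first 48 bytes: magic, inode_count, mod_time, block_size,
# frag_count, compression_id, block_log, flags, id_count, major, minor,
# root_inode, bytes_used.
SUPERBLOCK_FMT = "4sIIIIHHHHHHQQ"
SUPERBLOCK_LEN = struct.calcsize("<" + SUPERBLOCK_FMT)  # 48


def parse_superblock(data: bytes, offset: int):
    """Decode the superblock at offset; None if it is not a plausible v4 squashfs."""
    magic = data[offset:offset + 4]
    order = SQUASHFS_MAGIC.get(magic)
    if order is None or len(data) - offset < SUPERBLOCK_LEN:
        return None
    (_, inodes, _mtime, block_size, _frags, comp, block_log, _flags, _ids,
     major, minor, _root, bytes_used) = struct.unpack_from(order + SUPERBLOCK_FMT, data, offset)
    # A real superblock has block_size == 2**block_log; this rejects stray "hsqs" strings.
    if major != 4 or block_size != 1 << block_log:
        return None
    return {
        "endianness": "little" if order == "<" else "big",
        "version": f"{major}.{minor}",
        "inodes": inodes,
        "block_size": block_size,
        "compression": COMPRESSORS.get(comp, f"unknown({comp})"),
        "bytes_used": bytes_used,
        "truncated": offset + bytes_used > len(data),
    }


def find_squashfs(data: bytes):
    """All (offset, info) squashfs candidates in the image, standard ones parsed."""
    found = []
    for magic in list(SQUASHFS_MAGIC) + list(NONSTANDARD_MAGIC):
        start = 0
        while (pos := data.find(magic, start)) >= 0:
            if magic in NONSTANDARD_MAGIC:
                found.append((pos, {"magic": magic.decode(),
                                    "note": "non-standard magic, try the firmware-mod-kit tools"}))
            else:
                info = parse_superblock(data, pos)
                if info is not None:
                    found.append((pos, info))
            start = pos + 1
    return sorted(found, key=lambda item: item[0])


def padded_length(bytes_used: int, pad: int = 4096) -> int:
    """Round bytes_used up to the image padding; the extra bytes are only padding."""
    return -(-bytes_used // pad) * pad


def dd_command(bin_name: str, offset: int, length: int, out_name: str) -> str:
    """The dd invocation from the notes with the computed skip/count filled in."""
    return f"dd if={bin_name} bs=1 skip={offset} count={length} of={out_name}"


def carve(data: bytes, offset: int, length: int) -> bytes:
    """What dd would write: the raw squashfs region of the image."""
    return data[offset:offset + length]


def _sample_superblock(bytes_used: int) -> bytes:
    # Fabricated little-endian v4 superblock: 12 inodes, 128 KiB blocks, xz compression.
    return struct.pack("<" + SUPERBLOCK_FMT, b"hsqs", 12, 0, 131072, 0, 4, 17, 0, 1, 4, 0, 0, bytes_used)


SAMPLE_BYTES_USED = 4000
# Constructed image: 512 bytes of header, a 4 KiB padded squashfs region, a trailer.
SAMPLE_IMAGE = (b"\xaa" * 512 + _sample_superblock(SAMPLE_BYTES_USED)
                + b"\x00" * (4096 - SUPERBLOCK_LEN) + b"\xff" * 16)

if __name__ == "__main__":
    for offset, info in find_squashfs(SAMPLE_IMAGE):
        print(offset, info)
        if "bytes_used" in info:
            print(dd_command("xyz.bin", offset, padded_length(info["bytes_used"]), "xyz.squashfs"))
```

With GNU dd the same carve is faster as `dd if=xyz.bin of=xyz.squashfs iflag=skip_bytes,count_bytes skip=OFFSET count=LENGTH bs=1M`, which keeps byte-granular offsets without the one-byte block size.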

Using the Firmware Modification Kit

 * The firmware modification kit can be used to attempt extracting a file system that is not the traditional squashfs file system
 * Typically if you run hexedit on the firmware file you will see "sqsh" at the beginning of the file; however, if you see something like "shsq" it is probable that the file system has been modified.
 * After we dd the firmware file to extract the squashfs file system, we can attempt to run "unsquashfs"
   * ex. "unsquashfs xyz.squashfs"
   * If that does not work, we can try "unsquashfs_all"
   * ex. "unsquashfs_all.sh xyz.bin"
   * Assuming that works, you can view the file system at "fmk/rootfs"

Extracting and Running Binaries

 * We might want to see how identified binaries behave without running them on the device itself
 * One way to identify potentially interesting binaries is to examine the device's startup script, which we can find once the file system has been extracted
 * QEMU emulation is another way to examine binaries

Mounting jffs2 file system

 * Use the "unjffs2" script that is part of the firmware modification kit: "/opt/firmware-mod-kit/src/jffs2/unjffs2"

Extracting from a CPIO archive file

 * cpio -ivd --no-absolute-filenames -F (unknown)

Things to check for once the file system is mounted or extracted

 * "etc/passwd" and "etc/shadow"
 * "etc/ssl"
 * grep -rnw '/path/to/somewhere/' -e "pattern", where the pattern is something like password, admin, root, etc.
 * find . -name '*.conf', and likewise for other file types such as *.pem, *.crt, *.cfg, *.sh, *.bin, etc.
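The checks in this list are the same ones a reviewer runs on every extracted root, so here they are as one script. This is an added example, not from the original notes: it builds a constructed sample root file system in a temporary directory (the accounts, key, certificate and config contents are made up, not taken from any device) and then runs the passwd/shadow, authorized_keys, file-type and keyword checks against it, returning the findings instead of only printing them. The grep step skips files containing NUL bytes so binaries do not flood the output.

```python
import os
import re
import tempfile

# Constructed sample root file system, mirroring the paths the notes above call out.
SAMPLE_FILES = {
    "etc/passwd": (b"root:$1$abcdefgh$ConstructedSampleHashXXXXXXXXX:0:0:root:/root:/bin/sh\n"
                   b"admin::0:0:admin:/:/bin/sh\n"
                   b"nobody:*:65534:65534:nobody:/var:/bin/false\n"),
    "etc/shadow": b"root:$1$abcdefgh$ConstructedSampleHashXXXXXXXXX:0:0:99999:7:::\n",
    "etc/dropbear/authorized_keys": b"ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_SAMPLE_KEY vendor@build\n",
    "etc/lighttpd.conf": b"server.document-root = \"/www\"\nauth.backend.plain.userinfo = \"admin:password\"\n",
    "etc/ssl/server.pem": b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "etc/init.d/rcS": b"#!/bin/sh\n/usr/sbin/telnetd -l /bin/sh\n",
    "bin/busybox": b"\x7fELF\x00\x00root admin password",   # binary: must be skipped by grep
}
INTERESTING_SUFFIXES = (".pem", ".crt", ".key", ".conf", ".cfg", ".sh")
KEYWORDS = re.compile(r"\b(password|admin|root)\b", re.IGNORECASE)
LOCKED = {"x", "*", "!", "!!"}                     # passwd fields that carry no usable hash
KEY_FILES = ("etc/dropbear/authorized_keys", "root/.ssh/authorized_keys")


def build_sample_rootfs(base: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def _read_text(root: str, rel: str):
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read().decode("utf-8", errors="replace")


def check_accounts(root: str):
    """Accounts with an empty password field, or a hash left in world-readable passwd."""
    findings = []
    for rel, label in (("etc/passwd", "hash in world-readable passwd"), ("etc/shadow", "hash in shadow")):
        text = _read_text(root, rel)
        for line in (text or "").splitlines():
            fields = line.split(":")
            if len(fields) < 2:
                continue
            user, pw = fields[0], fields[1]
            if pw == "":
                findings.append(f"passwordless account ({rel}): {user}")
            elif pw not in LOCKED:
                findings.append(f"{label}: {user}")
    return findings


def check_ssh_keys(root: str):
    """Baked-in authorized_keys entries give anyone with the private key a login."""
    findings = []
    for rel in KEY_FILES:
        text = _read_text(root, rel)
        if text is None:
            continue
        keys = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
        if keys:
            findings.append(f"{len(keys)} ssh key(s) baked into {rel}")
    return findings


def walk_files(root: str):
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield full, os.path.relpath(full, root).replace(os.sep, "/")


def interesting_files(root: str):
    """The find step: certificates, keys, configs and scripts worth opening by hand."""
    return sorted(rel for _full, rel in walk_files(root) if rel.endswith(INTERESTING_SUFFIXES))


def grep_keywords(root: str):
    """The grep -rnw step: (path, line number) of whole-word hits in text files only."""
    hits = []
    for full, rel in walk_files(root):
        with open(full, "rb") as fh:
            raw = fh.read()
        if b"\x00" in raw[:8192]:
            continue                                # binary, not worth a line-level hit
        for lineno, line in enumerate(raw.decode("utf-8", errors="ignore").splitlines(), 1):
            if KEYWORDS.search(line):
                hits.append((rel, lineno))
    return sorted(hits)


def triage(root: str) -> dict:
    return {"accounts": check_accounts(root), "ssh_keys": check_ssh_keys(root),
            "files": interesting_files(root), "keyword_hits": grep_keywords(root)}


def run_demo() -> dict:
    """Build the constructed root in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_rootfs(base)
        return triage(base)


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section)
        for item in items:
            print("  ", item)
```

Point `triage()` at "squashfs-root" or "fmk/rootfs" after extraction; the keyword list and suffixes are plain Python tuples, so extend them with whatever the banner or OpenWrt release files suggest for that particular device.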