Firmware Reverse Engineering
Now that we have learned how to maximize our chances of finding an exploit (see previous post), let’s dive in and start with firmware.
Whatever IoT device you use, it has some kind of processing unit designed to perform certain specific tasks. The instructions for these tasks have to be stored in non-volatile memory such as ROM, flash or EEPROM, in the form of firmware, so that they survive a power outage. So by attacking the firmware, we can learn a whole bunch of things about the IoT device, which might lead us to a 0-day exploit.
Getting the Firmware
There are a variety of ways to get your hands on the firmware, depending on the popularity of the processing unit used. They include:
- Getting it from the product’s official website
- Getting it from the online community
- Reversing the mobile app
- Sniffing the OTA update mechanism
- Dumping it from the device itself
(The list is ordered by difficulty.)
Yes, you are right: getting the firmware is not as hard as you thought, and the easiest way to get it is through the product’s official website.
For this article, we will look at the firmware of an off-the-shelf WiFi router, which can be downloaded using the link below:
http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320 Firmware Version 2.0.3.zip
Once downloaded, store it in a clean directory.
Reverse Engineering
To reverse engineer the firmware, a few tools are needed regardless of your OS:
- unzip
- tar
- binwalk
Make sure to install these tools before proceeding. For demonstration purposes, Cygwin is used here, but Linux is recommended for in-depth hacking.
Steps:
- Unzip the archive
  Unzip it using the command
      unzip WNAP320\ Firmware\ Version\ 2.0.3.zip
  You will see something similar to the figure below
- Extract the tar archive
      tar -xf WNAP320_V2.0.3_firmware.tar
  You should see more files extracted into the current directory
- Reverse the firmware and extract the file system
      binwalk -e rootfs.squashfs
  You should see something like this,
Done!
Now you have successfully reversed the firmware and exposed its internal files. In the next article, we will see how to hack the firmware using the files we just obtained.
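To show what the binwalk step above looks for, here is an added example (not code from this article or from binwalk) that scans a blob for SquashFS superblocks in either byte order. It relies on the inode count sitting at offset 4 and the version at offset 28 in the superblock, decodes the block size and compression only for version 4 images, and runs on a constructed sample blob rather than the real rootfs.squashfs.

```python
import struct

# Magic as stored on disk: "hsqs" marks a little-endian image, "sqsh" a big-endian one.
MAGICS = {b"hsqs": "<", b"sqsh": ">"}
# Compression ids used by SquashFS 4.x superblocks.
COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def find_squashfs(blob):
    """Return one dict per plausible SquashFS superblock found in blob."""
    hits = []
    for magic, endian in MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            if pos + 32 <= len(blob):
                # Inode count (offset 4) and major/minor version (offset 28).
                inodes, = struct.unpack_from(endian + "I", blob, pos + 4)
                major, minor = struct.unpack_from(endian + "HH", blob, pos + 28)
                # Reject chance matches of the four magic bytes in other data.
                if inodes > 0 and 1 <= major <= 4:
                    hit = {"offset": pos, "version": (major, minor), "inodes": inodes,
                           "endian": "little" if endian == "<" else "big"}
                    if major == 4:  # v4 layout: block size at 12, compression id at 20
                        block_size, = struct.unpack_from(endian + "I", blob, pos + 12)
                        comp, = struct.unpack_from(endian + "H", blob, pos + 20)
                        hit["block_size"] = block_size
                        hit["compression"] = COMPRESSION.get(comp, "unknown(%d)" % comp)
                    hits.append(hit)
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

def build_sample():
    """Constructed blob: padding, a v4 LE header, a stray magic, a v3 BE header."""
    v4 = struct.pack("<4sIIIIHHHHHH", b"hsqs", 1200, 0, 131072, 0, 4, 17, 0, 1, 4, 0)
    v3 = struct.pack(">4sI20xHH", b"sqsh", 300, 3, 1)
    return b"\xff" * 64 + v4 + b"\x00" * 100 + b"hsqs" + b"\x00" * 60 + v3

if __name__ == "__main__":
    for hit in find_squashfs(build_sample()):
        print(hit)
```

To run it against a real image, pass the file contents, for example `find_squashfs(open("rootfs.squashfs", "rb").read())`.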