IoT Security – Firmware Reverse Engineering – #Day4 [TWT🏆]

Firmware Reverse Engineering

Now that we have learnt how to maximize our chance of finding an exploit (see the previous post), let's dive in and start with the firmware.

Whatever IoT device you use, it has some kind of processing unit designed to perform specific tasks. The code for those tasks has to be stored in non-volatile memory such as ROM, flash or EEPROM, in the form of firmware, so that it survives a power outage. By analysing the firmware we can learn a whole bunch of things about the IoT device, which might lead us to a 0-day exploit.

Getting the Firmware

There are a variety of ways to get your hands on the firmware, depending on how popular the processing unit is. They include the following:

  1. Getting it from the product's official website
  2. Getting from the online community
  3. Reversing the mobile app
  4. Sniffing the OTA update mechanism
  5. Dumping it from the device itself

(ordered from easiest to hardest)

Yes, you read that right: getting the firmware is not as hard as you might think, and the easiest way is to download it from the vendor's official website.

For this article, we will look at the firmware of an off-the-shelf WiFi router, which can be downloaded from the link below:

http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320 Firmware Version 2.0.3.zip

Once downloaded, store it in a clean directory.

Reverse Engineering

To reverse engineer the firmware, a few tools are needed regardless of your OS:

  1. unzip
  2. tar
  3. binwalk

Make sure to install these tools before proceeding. For demonstration purposes, Cygwin is used here, but Linux is recommended for in-depth hacking.

Steps:

  1. Unzip the archive

     unzip WNAP320\ Firmware\ Version\ 2.0.3.zip

     [figure: unzip output]

  2. Unpack the tar archive

     tar -xf WNAP320_V2.0.3_firmware.tar

     You should see more files extracted into the current directory.

  3. Reverse the firmware and extract the file system

     binwalk -e rootfs.squashfs

     [figure: binwalk output]
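The three steps above peel the image layer by layer: a zip, a tar inside it, and a SquashFS root filesystem inside that, which binwalk identifies by its magic bytes before carving it out. The script below is an added example, not code from the original post or from Netgear: it builds a small constructed stand-in for the vendor download (fake `rootfs.squashfs` and `kernel.img` members carrying only the magic values, not a real image), unpacks the zip and tar layers into a fresh directory while refusing tar members with `../` paths, and then runs a tiny signature scan of the kind binwalk performs with its much larger database. The file names, the `SAMPLE_` prefix and the signature table are all assumptions made for the example.

```python
import io
import os
import tarfile
import tempfile
import zipfile

# Magic values that mark common embedded filesystem and container formats.
# binwalk's signature scan performs this kind of matching against a far
# larger database; this short table (an assumption for the example) is
# enough to show the idea.
SIGNATURES = {
    b"hsqs": "SquashFS filesystem, little endian",
    b"sqsh": "SquashFS filesystem, big endian",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\x27\x05\x19\x56": "uImage header",
}


def scan_signatures(data):
    """Return sorted (offset, description) pairs for every known magic in data."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def safe_extract_tar(tar_path, dest):
    """Extract a tar archive, refusing members that would escape dest.

    A crafted update image could carry '../' member names; checking every
    member before extraction keeps the analysis directory contained.
    """
    root = os.path.realpath(dest)
    with tarfile.open(tar_path) as tf:
        for member in tf.getmembers():
            target = os.path.realpath(os.path.join(dest, member.name))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError("unsafe path in tar: " + member.name)
        tf.extractall(dest)


def unpack_firmware(zip_path, workdir):
    """Peel the layers from the article: zip -> tar -> member files.

    Returns the paths of all non-archive files found, relative to workdir.
    """
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(workdir)
    for name in os.listdir(workdir):
        path = os.path.join(workdir, name)
        if os.path.isfile(path) and tarfile.is_tarfile(path):
            safe_extract_tar(path, workdir)
    files = []
    for dirpath, _, names in os.walk(workdir):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), workdir)
            if not rel.endswith((".zip", ".tar")):
                files.append(rel)
    return sorted(files)


def analyze_firmware(zip_path):
    """Unpack into a fresh directory and report signatures per extracted file."""
    with tempfile.TemporaryDirectory() as workdir:
        report = {}
        for rel in unpack_firmware(zip_path, workdir):
            with open(os.path.join(workdir, rel), "rb") as fh:
                report[rel] = scan_signatures(fh.read())
        return report


def build_sample_firmware(zip_path):
    """Write a constructed stand-in for the vendor download (not a real image).

    The layout mirrors the article: a zip holding a tar that holds rootfs.squashfs.
    """
    tar_path = zip_path + ".inner.tar"
    with tarfile.open(tar_path, "w") as tf:
        # constructed SquashFS stand-in: magic 'hsqs' followed by zero padding
        rootfs = b"hsqs" + b"\x00" * 60
        info = tarfile.TarInfo("rootfs.squashfs")
        info.size = len(rootfs)
        tf.addfile(info, io.BytesIO(rootfs))
        # constructed kernel stand-in: uImage header magic, then gzip magic at 0x40
        kernel = b"\x27\x05\x19\x56" + b"\x00" * 60 + b"\x1f\x8b\x08" + b"\x00" * 16
        info = tarfile.TarInfo("kernel.img")
        info.size = len(kernel)
        tf.addfile(info, io.BytesIO(kernel))
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.write(tar_path, "SAMPLE_firmware.tar")
    os.remove(tar_path)


def demo():
    """Build the constructed sample, analyze it and return the report."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "SAMPLE_firmware.zip")
        build_sample_firmware(sample)
        return analyze_firmware(sample)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name)
        for offset, desc in hits:
            print("  0x%X  %s" % (offset, desc))
```

Running it prints, for each extracted file, the offset and description of every signature found, which is the same information the binwalk listing in step 3 gives you for the real `rootfs.squashfs`. The path check in `safe_extract_tar` is there because a firmware bundle you did not build yourself is untrusted input: extracting it blindly into a directory lets a hostile archive write outside that directory.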

Done!

Now you have successfully reversed the firmware and exposed its internal files. In the next article, we will see how to hack the firmware using the files we just obtained.