Task 25, Day 20, Firmware Binwalkin’ around the Christmas tree

Focusing on firmware reverse engineering from a security standpoint. It’s possible a smart watch could have firmware programmed to send all incoming messages, emails, etc. to a specific IP unbeknownst to the user. Steps to follow:

  • Obtain firmware from the vendor’s website or extract from device
  • Analyze the fire (usually a binary) to figure out its type, bare metal or OS based
  • Verify if firmware is encrypted or packed and undo. If encrypted, usually takes a tricky workaround like reversing previous non-encrypted releases or performing hardware attacks like Side Channel Attacks to fetch the encryption keys
  • once encrypted, use different techniques and tools depending on type

Types of Analyisis

Static

Essential examination of the binary file contents, performing its reverse engineering, and reading assembly instructions to understand functionality. Commonly used command line utilities and binary analysis tools include:

  • BinWalk: firmware extraction tool that extracts code snippets by searching for signatures against many standard binary file formats like zip, tar, exe, ELF, etc. Has database of binary header signatures to run a match against. Common objective is to extract a file system like Squashfs, yaffs, Cramfs, ext*fs, jffs2, etc., which is embedded in the firmware binary. File system has all the application code of device.
  • Firmware ModKit (FMK): extracts firmware using binwalk and outputs directory with the file system. Developer can then modify desired files and repack the binary with a single command.
  • FirmWalker: searches through extracted firmware file system for unique strings and directories like etc/shadow, etc/passwd, etc/ssl, special keywords like admin, root, password, etc., and vulnerable binaries like ssh, telnet, netcat, etc.

Dynamic

Involves running the firmware code on actual hardware and observing its behavior through emulation and hardware/software based debugging. Significant advantages include analyzing unintended network communication for identifying data prilfering. Common tools used:

  • Qemu: free open-source emulator that enables working on cross-platform environments. Provides various ways to emulate firmware for different architectures (ARM, Microprocessors without Interlocked Pipelined Stages [MIPS], etc.) on the host. Can help in full-system emulation, or single binary emulation of Executable and Linkable Format (ELF) files for Linux and other platforms.
  • Gnu DeBugger (GDB): dynamic debugging tool for emulating a binary and inspecting its memory and registers. Supposrts remote debugging, as when firmware is running on one host and reversing is on another host.

The Task

Find a flag and some data on the device’s firmware.

Started with binwalk -E -N Binwalk entropy analysis without plotting entropy graph. Returned sing entry with rising entropy edge. Same process on unsigned returned multiple entries alternating between falling and rising entropy edges. (Should research more to see what that means)

Next used FMK extract-firmware.sh on older unencrypted version of firmware. Follow up by using grep -ir to search extracted files for gpg keys using case insensitive and recursive flags.

Flag and info found.