
Firmware Analysis

Introduction

What is a firmware?

Firmware is the software embedded in a piece of hardware. It provides a standard operating environment for an embedded system, and it is also where the most important pieces of data get stored. You can think of firmware simply as "software for embedded devices": it is what makes a device work the way it is meant to work.

How to get your hands on a firmware?

There are many ways to get the firmware of a device:

  • Extract from the device

This is probably the most obvious way of obtaining the firmware. There are many methods for extracting the firmware from the memory of the device, such as using the bootloader, JTAG, etc. The difficulty of extraction depends on how the device is manufactured.

  • From the official site

For devices like routers, the firmware is readily available on the vendor's official website, as some of these devices require installation of external firmware for updates. What is available depends on the device: sometimes the whole firmware is published, but sometimes only the parts necessary for the firmware update are made public.

How to analyse a given firmware?

Once we have a firmware, the next step is making sense of it. We need to figure out what is inside this firmware, how the device works, and so on. We can get important data from the firmware, such as information about the filesystem of the embedded device. There are tools which can help us analyse it.

Binwalk is a tool for searching a given binary or image for embedded files and executable code. It identifies files and code embedded inside the firmware image by matching known signatures.

To analyse a binary file using binwalk, use the command:

$ binwalk -eM filename.bin

The -e flag tells binwalk to extract any files it encounters while analysing the binary. The -M flag enables recursive analysis: binwalk rescans each file it extracts, so nested images are found as well.

Let's try analysing a sample firmware:

$ binwalk -eM wg602v3_1_2_5ww.trx

Scan Time:     2019-09-16 18:58:02
Target File:   /home/hari/Documents/bi0s/hardware/firmwares/wg602v3_1_2_5ww.trx
MD5 Checksum:  6c59f58d519ff865c8d6a793a317a88c
Signatures:    391

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TRX firmware header, little endian, image size: 1691648 bytes, CRC32: 0x50C5FAF8, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x8A260, rootfs offset: 0x0
28            0x1C            gzip compressed data, maximum compression, has original file name: "piggy", from Unix, last modified: 2007-02-14 19:21:37
565856        0x8A260         CramFS filesystem, little endian, size: 1122304, version 2, sorted_dirs, CRC 0xD6DE1CB8, edition 0, 797 blocks, 212 files


Scan Time:     2019-09-16 18:58:02
Target File:   /home/hari/Documents/bi0s/hardware/firmwares/_wg602v3_1_2_5ww.trx-0.extracted/piggy
MD5 Checksum:  27ce9759a5c0837a8ddcf985d99dc103
Signatures:    391

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1044640       0xFF0A0         Linux kernel version 2.4.20
1063452       0x103A1C        Unix path: /usr/lib/libc.so.1
1110975       0x10F3BF        Copyright string: "Copyright 1995-1998 Mark Adler"
1303420       0x13E37C        CRC32 polynomial table, little endian

We have successfully extracted the firmware and can see that there is a CramFS filesystem inside it. binwalk also analysed the extracted file piggy, which turns out to contain a Linux kernel (version 2.4.20). We can also extract the filesystem from the firmware by hand, using the dd command with the offset binwalk reported.

$ dd if=wg602v3_1_2_5ww.trx skip=565856 bs=1 of=fs.cramfs
1125803+0 records in
1125803+0 records out
1125803 bytes (1.1 MB, 1.1 MiB) copied, 12.8153 s, 87.8 kB/s
$ file fs.cramfs 
fs.cramfs: Linux Compressed ROM File System data, little endian size 1122304 version #2 sorted_dirs CRC 0xd6de1cb8, edition 0, 797 blocks, 212 files

If we use the dd command, we still have to mount the filesystem manually, whereas binwalk with -e extracts the filesystem contents for us automatically.
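The dd command above carves one section at an offset copied by hand from binwalk's output. The TRX header that binwalk decoded (magic, image size, CRC32, flags, version, three section offsets; 28 bytes in total) is simple enough to parse directly, which lets a script carve every section and check the header's CRC before trusting the offsets. The following script is an added example, not part of the original page or of binwalk; it builds a constructed two-section image for its demo, and the CRC convention it uses (standard CRC-32 seeded with 0xFFFFFFFF over everything after the crc field, without the final inversion, as in the OpenWrt trx tool) is my assumption and should be confirmed against a real image. Note that binwalk's "loader/kernel/rootfs" labels are positional: in the page's image the first slot (0x1C) held the gzip'd kernel "piggy" and the second (0x8A260) held the CramFS.

```python
"""Parse a TRX firmware header and carve the sections it points at (added example)."""
import struct
import tempfile
import zlib
from pathlib import Path

TRX_MAGIC = b"HDR0"
TRX_HEADER_LEN = 28  # binwalk reported "header size: 28 bytes" for the page's image
# magic(4) | image length(4) | crc32(4) | flags(2) | version(2) | three offsets(4 each)
TRX_STRUCT = struct.Struct("<4sIIHH3I")
# binwalk's labels for the three offset slots; they are positional, not content-based
SLOT_NAMES = ("loader", "kernel", "rootfs")


def trx_crc32(image: bytes, length: int) -> int:
    """CRC-32 as the OpenWrt trx tool computes it (assumption, see lead-in):
    standard table seeded with 0xFFFFFFFF, over everything after the crc field
    up to the declared image length, without the final inversion."""
    return zlib.crc32(image[12:length]) ^ 0xFFFFFFFF


def parse_trx(image: bytes) -> dict:
    """Return the header fields plus the [start, end) byte range of each used slot."""
    if len(image) < TRX_HEADER_LEN:
        raise ValueError("file is shorter than a TRX header")
    magic, length, crc, flags, version, *offsets = TRX_STRUCT.unpack_from(image, 0)
    if magic != TRX_MAGIC:
        raise ValueError(f"bad TRX magic {magic!r}")
    if length > len(image) or length < TRX_HEADER_LEN:
        raise ValueError(f"declared image size {length} is inconsistent with file size {len(image)}")
    # An offset of 0 means the slot is unused (the page's image has "rootfs offset: 0x0").
    used = sorted((off, name) for name, off in zip(SLOT_NAMES, offsets) if off)
    sections = []
    for i, (start, name) in enumerate(used):
        if not TRX_HEADER_LEN <= start < length:
            raise ValueError(f"{name} offset {start:#x} lies outside the image")
        # A section runs up to the next used offset, or to the declared image end.
        end = used[i + 1][0] if i + 1 < len(used) else length
        sections.append({"name": name, "start": start, "end": end})
    return {
        "length": length, "crc32": crc, "flags": flags, "version": version,
        "offsets": tuple(offsets), "crc_ok": trx_crc32(image, length) == crc,
        "sections": sections,
    }


def carve(image: bytes, out_dir: Path) -> list:
    """Write each used slot to its own file, the way the page's dd command did by hand."""
    info = parse_trx(image)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for s in info["sections"]:
        path = out_dir / f"{s['start']:#x}_{s['name']}.bin"
        path.write_bytes(image[s["start"]:s["end"]])
        written.append(path.name)
    return written


def build_trx(payloads: list, version: int = 1, flags: int = 0) -> bytes:
    """Construct a TRX image from up to three payloads (used only for the demo)."""
    body, offsets = b"", []
    for p in payloads:
        offsets.append(TRX_HEADER_LEN + len(body))
        body += p
    offsets += [0] * (3 - len(offsets))
    length = TRX_HEADER_LEN + len(body)
    image = TRX_MAGIC + struct.pack("<I", length) + b"\0\0\0\0"  # crc placeholder
    image += struct.pack("<HH3I", flags, version, *offsets) + body
    return image[:8] + struct.pack("<I", trx_crc32(image, length)) + image[12:]


def demo() -> tuple:
    """Build a constructed two-slot image, parse it and carve it into a temp dir."""
    gz_like = b"\x1f\x8b" + b"A" * 100                 # gzip magic + filler (constructed)
    cramfs_like = b"\x45\x3d\xcd\x28" + b"B" * 200     # cramfs magic 0x28cd3d45 LE + filler
    image = build_trx([gz_like, cramfs_like])
    info = parse_trx(image)
    with tempfile.TemporaryDirectory() as d:
        names = carve(image, Path(d))
    return info, names


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python trx_carve.py wg602v3_1_2_5ww.trx
        img = Path(sys.argv[1]).read_bytes()
        result = parse_trx(img)
        print(f"image size: {result['length']} bytes, version {result['version']}, crc ok: {result['crc_ok']}")
        for s in result["sections"]:
            print(f"  {s['name']:7s} {s['start']:#x}-{s['end']:#x}")
        print("wrote", carve(img, Path("trx-sections")))
    else:
        print(demo())
```

Run against a real image, the loop prints the same offsets binwalk listed, and crc_ok tells you whether the image was modified after it was built (a tampered or truncated download should fail this check before you spend time on its contents).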

Now, let's have a look at the filesystem:

$ cd cramfs-root && ls
bin  dev  etc  lib  mnt  proc  sbin  tmp  usr  var

Once you have access to the filesystem you can look for hardcoded data and many other things, as the filesystem of a firmware is a simplified version of a typical Linux filesystem.
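A first pass over an extracted root filesystem is usually a scripted audit for the hardcoded data mentioned above: password hashes kept directly in /etc/passwd (or accounts with an empty password field), private key material shipped in the image, and credential-like settings in configuration files under /etc. The script below is an added example, not part of the original page; it writes a small constructed rootfs into a temporary directory for its demo, and all file contents, account names and "secrets" in it are made up.

```python
"""Audit an extracted firmware root filesystem for hardcoded credentials (added example)."""
import re
import tempfile
from pathlib import Path

PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# key=value / key: value lines whose key ends in a credential-like word
CONFIG_SECRET = re.compile(rb"(?im)^\s*\w*(?:password|passwd|secret|auth_key)\s*[=:]\s*\S+")
LOCKED = (b"x", b"*", b"!", b"!!")  # shadowed or locked accounts: nothing to report

# Constructed sample rootfs; none of these values are real.
SAMPLE_ROOTFS = {
    "etc/passwd": (b"root:$1$CONSTRUCTED$notarealhash:0:0:root:/:/bin/sh\n"
                   b"admin::0:0::/:/bin/sh\n"
                   b"nobody:*:99:99::/:/bin/false\n"),
    "etc/ssl/server.key": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                           b"CONSTRUCTED-NOT-A-REAL-KEY\n"
                           b"-----END RSA PRIVATE KEY-----\n"),
    "etc/wireless.conf": b"ssid=demo\nwpa_password=changeme-constructed\n",
    "bin/busybox": b"\x7fELF" + b"\0" * 32,
}


def audit_passwd(data: bytes, rel: str) -> list:
    """Flag accounts whose second field is a real hash (not shadowed) or empty."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), 1):
        parts = line.split(b":")
        if len(parts) < 2 or not parts[0]:
            continue
        user, field = parts[0].decode(errors="replace"), parts[1]
        if field == b"":
            findings.append((rel, f"{user}: empty password field (line {lineno})"))
        elif field not in LOCKED and not field.startswith(b"!"):
            findings.append((rel, f"{user}: password hash stored directly in file (line {lineno})"))
    return findings


def audit_rootfs(root: Path) -> list:
    """Walk the tree and return (relative path, description) findings in path order."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if rel in ("etc/passwd", "etc/shadow"):
            findings.extend(audit_passwd(data, rel))
        if PEM_KEY.search(data):
            findings.append((rel, "private key material"))
        if rel.startswith("etc/") and rel not in ("etc/passwd", "etc/shadow"):
            for m in CONFIG_SECRET.finditer(data):
                setting = m.group(0).strip().decode(errors="replace")[:60]
                findings.append((rel, f"credential-like setting: {setting}"))
    return findings


def write_sample_rootfs(root: Path) -> None:
    for rel, data in SAMPLE_ROOTFS.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> list:
    """Audit the constructed sample rootfs in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_sample_rootfs(root)
        return audit_rootfs(root)


if __name__ == "__main__":
    import sys
    # e.g. python rootfs_audit.py _wg602v3_1_2_5ww.trx-0.extracted/cramfs-root
    results = audit_rootfs(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for rel, what in results:
        print(f"{rel}: {what}")
```

Each finding is a path plus a one-line reason, so the output can be diffed between firmware versions to confirm that a fix actually removed a shipped key or default password.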

The next step is about figuring out how the device works.