IoT hacking — Reversing a router firmware
In this article I will show you how you can reverse engineer a router firmware and get in to the internal file system. This will be a very high overview of how reverse engineering is done in IoT security.
For this demonstration, I am using the TP-Link TL-WR1042NDv1 router firmware. To follow along, you can download the image file from here.
Analyzing the firmware
The main thing and the first most important step is to, analyze the binary and get an understanding of how it is made and what it contains.
For that there are multiple tools you can use. First one being “file”. This tools uses the headers(if present) within the binary to identify what type of file it is.
file wr1042nv1_en_3_15_7_up_boot\(130923\).bin
As you can see, right off the bat it tells us that this file is a firmware. Now that we know we are dealing with the right file, let’s go ahead and see what’s inside.
For that you can use a tool called “binwalk”. This will parse through the file and tell us (including the offsets) what that file contains.
binwalk wr1042nv1_en_3_15_7_up_boot\(130923\).bin
Here you can see the firmware header I mentioned earlier. Also you can see two Lzma compressed data sections and one Squashfs file system section right at the bottom.
At the left side, you can see there are some decimal and hex numbers.
These are the offsets of the file where those the specified data sections exist. For example, the Squashfs file system starts at 1180160 (in bytes)
And the lzma compressed data starts at 142344.
So in theory, if we can get just those fields, we should be able extract them right ? And that’s what we are going to do.
Carving out the data
Since we have the correct offsets where these sections start from, we can copy those sections with the help of “dd”. This stands for “Data duplication” . This tool will duplicate the data inside the firmware.
dd if=wr1042nv1_en_3_15_7_up_boot\(130923\).bin bs=1 skip=1180160 of=rootfs.sqfs
So here what I am doing is, I am saying this to get the firmware file as the input file(if ), use a block size of 1(bs), skip 1180160 number of bytes from the start of the file(skip) and put what ever after that into a output file(of) called “rootfs.sqfs”.
Now when I run “files” against it, it tells me that this is a lzma compressed Squashfs filesystem.
And also if you want, you can duplicate all the sections you found from the “binwalk” output. Since our expectation is to get in to the file system, I will just stick with this.
Extracting the file system
After all that, it’s just one commands and you will have the whole file system dumped. Before dumping the file system, it’s a good practice to see what’s inside it. To do that, I am using a tool called “unsquashfs” which you can download with APT.
apt install squashfs-tools
Once installed, you can run unsquashfs -l rootfs.sqfs to list the file system.
Surely, you can say that this is a Linux file system by looking at the binaries in the “squashfs-root/bin” directory.
Finally, you can extract the files with this command.
sudo unsquashfs rootfs.sqfs
After that a directory called “squashfs-root” should be created. Inside it is the dumped file system.
Congratulations !!! You have successfully reverse engineered the firmware. 👏
Further analysis
From here, you have lot of things you can do. For example, if you look at the “/etc/shadow” file, you can see you have some usernames including their hashes.
If you want to, you can crack these and get the real passwords. Then you can find a device of the same model by a search engine like Shodan, and try to see if you can access it with those credentials you found.
Or you can change the hashes to a hash of your choice, recompile this and flash it in to a physical router. With this you can use it as an Rouge AP and use it to do wireless attacks.
If you want to go deeper, you can try to reverse the custom binaries you find such as the “/bin/auth”(in this firmware) and see if you can find any vulnerabilities through that.
Finally, the way I’ve gotten the most use, you can look at the source code of the web interface and see if there are any hard-coded values such as passwords or API keys and things like that.
A life hack, beyond the topic
Some what like 3 months ago, I bought a new router as my old one only supported 2.4GHz. After couple of days, I had the curiosity to see if I can find the firmware it’s running. So I found the version and the model number from my router manual and did some digging. I was able to track down the firmware from my ISPs website.
I started reversing the firmware. It took some more steps than this, but finally I was able to get in to the file system. Looking at the Web interface I found something that I never thought I would. It was an API key. That was used to log the current status of my router such as the DNS servers I am using, the version of the firmware its’ running and stuff like that.
The cool thing was, that API key was common to all of the neighbouring routers. So with that I was able to get the information about not only my router, but also all the other routers that was running this firmware.
“So that’s it for now folks, if you have any questions, make sure to leave them down in the comments or contact me through social media.”
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Eat spicy, Hack wisely !!! 😉
