Tuesday, January 6, 2015

How to extract firmware with little – big endian.

I got the task of extracting as much information as possible from an unknown firmware.
The file is flash_dump.bin.
Pre-analysis with WinHex or other hex viewers shows nothing.
So I need to use Kali Linux… Some tools are missing on Kali Linux, and I have to install them first.

Tools you need to install before you start working with firmware:

! On my Kali version these tools are preinstalled and I did not need to install them. If you find that you do not have these tools, here are the steps to install them.
Binwalk:
Check whether binwalk is the latest version; in a terminal window:

apt-get install binwalk

It shows that binwalk is already the latest version. You can force the installation of a newer version with these commands:

Firmware-Mod-Kit
  • apt-get install git
  • apt-get install build-essential
  • apt-get install zlib
  • apt-get install zlib1g-dev
  • apt-get install liblzma-dev
  • apt-get install python-magic
  • apt-get install firmware-mod-kit  

If you need to find where it is installed, use the command:
  • find / -name extract-firmware.sh
In my case it is installed in /opt/firmware-mod-kit/trunk/

Now we need to transfer the firmware BIN file into a Kali directory. I found a glitch where my Kali VM could not see my USB flash drive, and I fixed it with this setting (select USB 3).

I found that the easiest way to extract the image is to copy it into the same folder where Firmware-Mod-Kit is installed.

I'm using MC (Midnight Commander) for this.


Now we need to look inside the image to understand what we can get from it.
Let's extract the readable strings with the command:

strings flash_dump.bin > strings.txt


And
binwalk -S flash_dump.bin > list.txt


After looking at these files we can see some strange strings:

The first highlighted words clearly should be "unknown" and "free".

This happens because the architecture of the processor that uses this BIN file is 16-bit while the decompiling is 32-bit.
You can search the internet to understand "little/big endian".

Basically we need to swap each byte with the adjacent one: 1<>2, 3<>4, n<>(n+1)

This can easily be done with the command:

  • dd if=flash_dump.bin of=conv.bin conv=swab

It converts the "strange" BIN file into conv.bin.

And now let's run again:

  • strings conv.bin > strings_corr.txt


And
  • binwalk -S conv.bin > list_corr.txt


Now we can read it.

Let's extract the files from the conv.bin image with the command:
  • ./extract-firmware.sh conv.bin


Now you have the extracted files, which you can analyse and modify.
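The check above is done by eye (run strings twice, see which output reads better). As an added example that is not part of the original post, the script below does the same thing automatically: it reproduces what dd conv=swab does, scores each candidate by how much printable text strings would report, and keeps the swapped copy only when that improves. The sample dump and its scores are constructed for this example.

```python
"""Detect and undo 16-bit byte swapping in a raw flash dump (added example)."""
import re
import sys


def swab(data: bytes) -> bytes:
    """Swap every pair of adjacent bytes, exactly like `dd conv=swab`.

    A trailing odd byte has nothing to pair with and is copied as-is,
    which is also what GNU dd does.
    """
    even = len(data) - (len(data) % 2)
    out = bytearray(data[:even])
    out[0::2], out[1::2] = data[1:even:2], data[0:even:2]
    return bytes(out) + data[even:]


def string_score(data: bytes, min_len: int = 4) -> int:
    """Total length of printable-ASCII runs of at least min_len bytes.

    This approximates how much text `strings -n <min_len>` would print;
    a swapped dump breaks runs at the NUL padding, so it scores lower.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return sum(len(m) for m in pattern.findall(data))


def unswab_if_needed(data: bytes, min_len: int = 4):
    """Return (fixed_data, was_swapped); swap only if it exposes more text."""
    candidate = swab(data)
    if string_score(candidate, min_len) > string_score(data, min_len):
        return candidate, True
    return data, False


# Constructed sample: a readable fragment with NUL padding, as it would
# appear in a correctly ordered dump, and the same bytes pair-swapped.
SAMPLE_OK = (b"\x00\x00\x00\x00unknown\x00\x00\x00free\x00\x00\x00"
             b"Linux version 2.6.22\x00\x00/bin/sh\x00\x00")
SAMPLE_SWAPPED = swab(SAMPLE_OK)  # "unknown" shows up as "nunkwo" here


def main(argv):
    if len(argv) != 3:
        print("usage: unswab.py flash_dump.bin conv.bin", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        fixed, swapped = unswab_if_needed(f.read())
    with open(argv[2], "wb") as f:
        f.write(fixed)
    print("byte swap applied" if swapped else "no byte swap needed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 unswab.py flash_dump.bin conv.bin` and then continue with binwalk and extract-firmware.sh on conv.bin as in the post.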

Another sample:

With a different firmware, from the ASUS router RT-AC68U, it takes just 2 simple steps, because there is no confusing "little-big endian" part.

Before extracting, let's verify that no little-big endian conversion is required.

Take the firmware, which is in a different format: RT-AC68U_3.0.0.4_374_5656-g8d0a991.trx

And run the command:

  • strings RT-AC68U_3.0.0.4_374_5656-g8d0a991.trx > strings.txt

In the file strings.txt, let's go to the end, and we can see that all text is readable:


You have to copy this firmware into the directory where firmware-mod-kit is located and run the command

  • ./extract-firmware.sh RT-AC68U_3.0.0.4_374_5656-g8d0a991.trx

The same "fmk" folder appears, with the extracted files ready for analysis.

1 comment:

  1. Massively helpful in getting FMK to work on Kali Linux. Many thanks and continue the work.
