I found some nice tools and documents which do help you analysing embedded firmware files.
Analyser tools
FIIN — Firmware Inspector
A bit outdated but still useful
uwfirmforce
Very nice file analyser which knows quite a lot of file types
draca — Crypto Analyser
Search for known cryptographic constants in a file
Documents
23C3-Fudging-with-firmware-analysis.pdf (khorben)
Reverse Engineering of Embedded Devices (dash)
Exploiting Embedded Systems, Blackhat 2006 (Barnaby Jack)
Hacking Embedded Linux Based Home Appliances (Alexander Sirotkin)
Hacking into TomTom GO (Thomas Kleffel, Christian Daniel)
Some handy dd examples
Convert firmware to ebcdic
1 | dd if=sw_t2e_6504.bin of=./sw_t2e_6504.ebcdic conv=ebcdic |
Convert firmware, switch endian-ness of whole file (16b)
1 | dd if=sw_t2e_6504.bin of=./sw_t2e_6504.swab conv=swab |
Split up the firmware (offset is 828200 bytes)
1 | dd if=sw_t2e_6504.bin of=part2 bs=1 skip=828200 |
An example, using the asus wrt 500gp firmware
Output of uwfirmforce:
1 2 3 4 | Analyzing file: ./WL500gp_1.9.7.7_TW.trx Matching TRX signature #0 at offset 0 big endian, length 7237632, flags 0, version 1, offset #0 0x0000001c, offset #1 0x000ca328, offset #2 0x00000000 Score: 100% |
1 2 3 | Matching GZIP signature #0 at offset 28 compression deflate, flags FNAME, 12/05/2008 12:59:48, OS Unix Score: 100% |
1 2 3 | Matching CRAMFS signature #0 at offset 828200 little endian, size 65536, flags NONE, 2069691273 blocks, 470036845 files, name “Compressed“ Score: 100% |
Get the initrd:
1 | dd if=WL500gp_1.9.7.7_TW.trx of=initrd.gz bs=1 skip=28 |
Get the cramfs image and mount it:
1 2 | dd if=WL500gp_1.9.7.7_TW.trx of=1.cramfs bs=1 skip=828200 mount –t cramfs –o loop ./1.cramfs /mnt/cramfs |
This is of course an easy example, there are also scrambled firmware files which are not that easy to unpack (philips tv firmware files or sonicwall firmware files to name some examples). If you manage to unpack such an firmware file, please let me know!
