%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
Reverse Engineering
%size 5
of Linux-Based Firmware Images
%center
%size 4
by Harald Welte
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Overview

	Linux has gained ground in the commercial market
		Embedded hardware is getting cheaper
		Network appliances become more popular
			802.11(abg) Access Points, Bridges, Routers
			DSL 'Routers' (in reality NAT gateways)
		Users demand more and more CPU-intensive functions
			PPPoE, PPTP
			NAT with ALGs for H.323, PPTP
			IPsec
	Many vendors seem to conclude: Why not use Linux?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Why is this worth a presentation?

	Vendors tend to forget about their GPL obligations
		They have to
			redistribute or make available the source code
			redistribute or make available the build scripts
			inform their users about their rights and obligations under the GPL
		They are not allowed to link with GPL-incompatible code
	Vendors tend to forget about security issues
		Most people don't know that their appliance runs Linux
		Thus they won't even know that they're affected by a vulnerability
		Vendors of consumer-class equipment tend to be lazy
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
How to start (from a technical point of view)

	In most cases you don't even need the device
		Firmware images are available for download from the vendors
	Reverse engineering starts by looking at that binary
	In a number of cases, you will find either
		a gzip signature for a compressed kernel
		a signature of a cramfs disk image
		a configuration file to enable/disable features
		some other (arj/lzh/zip/...) image
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
How to start from a technical point of view (cont'd)

	Useful tools for looking at that image
		'strings' (from GNU binutils)
		your favourite hex editor
		'file' (especially its 'magic' signature file)
		libmagic (library for accessing 'magic' signatures)
	Strings to look for:
		'piggy' (compressed kernel image)
		0x28cd3d45 (compressed RAM fs, i.e. the cramfs superblock magic)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Practical Example

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Thanks

The slides of this presentation are available at http://www.gnumonks.org/

Thanks to
	the BBS people, Z-Netz, FIDO, ...
		for heavily increasing my computer usage in 1992
	KNF
		for bringing me in touch with the internet as early as 1994
		for providing a playground for technical people
		for telling me about the existence of Linux!
	Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
		for implementing (one of?) the world's best TCP/IP stacks
	Paul 'Rusty' Russell
		for starting the netfilter/iptables project
		for trusting me to maintain it today
	Astaro AG
		for sponsoring parts of my netfilter work
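Added example, not part of Harald Welte's slides: a small scanner that applies the "How to start" slides to a raw firmware image, looking for the gzip header, the cramfs magic 0x28cd3d45 in both byte orders, and the 'piggy' string. Because a two-byte gzip ID or a four-byte magic alone is noisy in a multi-megabyte blob, it also checks the gzip compression-method byte and the 16-byte "Compressed ROMFS" signature that follows a real cramfs magic. The sample image and all function names are constructed for this example.

```python
import struct

# Magic values the slides say to look for in a raw firmware image.
GZIP_ID = b"\x1f\x8b"                    # gzip member header; byte 3 (CM) must be 8 = deflate
CRAMFS_MAGIC = 0x28CD3D45                # cramfs superblock magic (s_magic)
CRAMFS_SIGNATURE = b"Compressed ROMFS"   # sits at offset 16 of a real cramfs superblock
PIGGY = b"piggy"                         # name of the compressed kernel payload object


def find_all(data, needle):
    """Return every offset of `needle` in `data` (overlapping matches included)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def scan_image(data):
    """Return a sorted list of (offset, kind) for each plausible signature."""
    hits = []
    for off in find_all(data, GZIP_ID):
        # Require CM == 8 (deflate) so random 1f 8b pairs are not reported.
        if off + 3 <= len(data) and data[off + 2] == 8:
            hits.append((off, "gzip"))
    for endian, label in (("<", "cramfs-le"), (">", "cramfs-be")):
        for off in find_all(data, struct.pack(endian + "I", CRAMFS_MAGIC)):
            # Only a magic followed by the ASCII signature is a superblock;
            # the byte order that matched tells you the image's endianness.
            if data[off + 16:off + 32] == CRAMFS_SIGNATURE:
                hits.append((off, label))
    for off in find_all(data, PIGGY):
        hits.append((off, "piggy"))
    return sorted(hits)


def build_sample_image():
    """Constructed stand-in for a vendor firmware blob (not a real image)."""
    gzip_hdr = GZIP_ID + b"\x08\x00" + b"\x00" * 6   # ID1 ID2 CM FLG MTIME XFL OS
    fake_gzip = GZIP_ID + b"\x00"                     # ID bytes with CM != 8: ignored
    cramfs_sb = struct.pack("<IIII", CRAMFS_MAGIC, 4096, 0, 0) + CRAMFS_SIGNATURE
    stray_magic = struct.pack("<I", CRAMFS_MAGIC)     # magic without signature: ignored
    return (b"\x00" * 64 + b"piggy.gz" + b"\xff" * 32 + gzip_hdr + b"\x00" * 100
            + fake_gzip + b"\x00" * 27 + cramfs_sb + b"\x00" * 50 + stray_magic)


if __name__ == "__main__":
    for off, kind in scan_image(build_sample_image()):
        print(f"0x{off:08x}  {kind}")   # prints piggy@0x40, gzip@0x68, cramfs-le@0xf4
```

A hit at an offset is where to point 'dd' or your hex editor next; the two decoy entries in the sample show why the extra header checks matter on real images.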