%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 7


Reverse Engineering
%size 5
of Linux-Based Firmware Images


%center
%size 4
by

Harald Welte <laforge@gnumonks.org>


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Overview

	Linux has gained ground in the commercial market
	Embedded hardware is getting cheaper
	Network appliances become more popular
		802.11(abg) Access Points, Bridges, Routers
		DSL 'Routers' (in reality NAT gateways)
	Users demand more and more CPU-intensive functions
		PPPoE, PPTP
		NAT with ALGs for H.323, PPTP
		IPsec

	Many vendors seem to conclude:
		Why not use Linux?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Why is this worth a presentation?

	Vendors tend to forget about their GPL obligations
		They have to
			redistribute or make available the source code
			redistribute or make available the build scripts
			inform their users about their rights and obligations under the GPL
		They are not allowed to link with GPL-incompatible code

	Vendors tend to forget about security issues
		Most people don't know that their appliance runs Linux
			Thus they won't even know that they're affected by a vulnerability
		Vendors of consumer-class equipment tend to be lazy

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
How to start (from a technical point of view)

	In most cases you don't even need the device
		Firmware images are available for download from the vendors
	Reverse engineering starts by looking at that binary
	In a number of cases, you will either find
		a gzip signature for a compressed kernel
		a signature of a cramfs disk image
		a configuration file to enable/disable features
		some other (arj/lzh/zip/...) image

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
How to start from a technical point of view (cont'd)

	Useful tools for looking at that image
		'strings' (from GNU binutils)
		your favourite hex editor
		'file' (especially its 'magic' signature file)
		libmagic (library for accessing 'magic' signatures)

	Strings to look for:
		'piggy' (compressed kernel image)
		0x28cd3d45 (compressed RAM fs)
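The two "How to start" slides describe the first pass over a downloaded firmware image: look for a gzip header, the cramfs magic 0x28cd3d45 and marker strings such as 'piggy', using strings, file and a hex editor. The Python script below is an added example, not part of these slides or of any gnumonks.org tooling, that automates exactly that pass offline. The blob it scans is constructed in build_sample_image (a fake vendor header, a gzip'ed placeholder kernel and a cramfs superblock at offset 0x400, not a real vendor image); the superblock layout follows the kernel's cramfs_fs.h (magic, size, flags, future, the 16-byte "Compressed ROMFS" tag, fsid, name, root inode); all function names are mine.

```python
"""Signature scan of a firmware blob: gzip members, cramfs superblocks, 'piggy'."""
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"                 # gzip member header (RFC 1952)
CRAMFS_MAGIC = 0x28CD3D45                # cramfs superblock magic named on the slide
CRAMFS_SIGNATURE = b"Compressed ROMFS"   # 16-byte ASCII tag at superblock offset 16

SIGNATURES = {
    "gzip": GZIP_MAGIC,
    "cramfs (little-endian)": struct.pack("<I", CRAMFS_MAGIC),
    "cramfs (big-endian)": struct.pack(">I", CRAMFS_MAGIC),
}


def find_signatures(blob):
    """Return (offset, name) for every occurrence of a known magic, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES.items():
        start = blob.find(magic)
        while start >= 0:
            hits.append((start, name))
            start = blob.find(magic, start + 1)
    return sorted(hits)


def strings(blob, min_len=4):
    """Minimal 'strings': runs of at least min_len printable ASCII bytes."""
    out, run = [], bytearray()
    for b in blob + b"\0":               # NUL sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def carve_gzip(blob, offset):
    """Decompress the gzip member starting at offset, ignoring whatever follows it."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # wbits 16+15: gzip wrapper only
    try:
        payload = d.decompress(blob[offset:])
    except zlib.error:                            # not a gzip member, or corrupt
        return None
    return payload if d.eof else None             # truncated member: no result


def parse_cramfs_superblock(blob, offset):
    """Parse the fixed fields of a cramfs superblock (layout as in Linux cramfs_fs.h):
    magic, size, flags, future, signature[16], fsid[16], name[16], root inode."""
    if len(blob) < offset + 64:
        return None
    for order, label in (("<", "little"), (">", "big")):
        magic, size, flags = struct.unpack_from(order + "III", blob, offset)
        if magic == CRAMFS_MAGIC:
            break
    else:
        return None
    if blob[offset + 16:offset + 32] != CRAMFS_SIGNATURE:
        return None                               # magic collision, not a superblock
    name = blob[offset + 48:offset + 64].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"byte_order": label, "size": size, "flags": flags, "name": name}


def analyse(blob):
    """Signature hits, carved gzip payload sizes, cramfs superblocks and 'piggy' strings."""
    report = {"signatures": find_signatures(blob), "gzip": [], "cramfs": [],
              "piggy": [s for s in strings(blob) if "piggy" in s]}
    for off, name in report["signatures"]:
        if name == "gzip":
            payload = carve_gzip(blob, off)
            if payload is not None:
                report["gzip"].append((off, len(payload)))
        else:
            sb = parse_cramfs_superblock(blob, off)
            if sb is not None:
                report["cramfs"].append((off, sb))
    return report


def build_sample_image():
    """Constructed test blob, not a real vendor image: a 64-byte vendor header carrying
    a 'piggy' marker, a gzip'ed fake kernel, 0xff padding, then a cramfs superblock."""
    header = b"VENDORHDR\0piggy\0".ljust(64, b"\0")
    kernel = gzip.compress(b"fake compressed kernel payload", mtime=0)
    superblock = (struct.pack("<IIII", CRAMFS_MAGIC, 4096, 0, 0) + CRAMFS_SIGNATURE
                  + b"\0" * 16 + b"sample".ljust(16, b"\0") + b"\0" * 12)
    return (header + kernel).ljust(1024, b"\xff") + superblock.ljust(4096, b"\0")


if __name__ == "__main__":
    for key, value in analyse(build_sample_image()).items():
        print(f"{key}: {value}")
```

Run as-is it reports on the constructed image; to scan a real download, pass `open(path, "rb").read()` to analyse. A raw magic hit is only a lead: the gzip carve succeeding and the "Compressed ROMFS" tag matching are what confirm it, which is the same kind of secondary check file's magic database applies.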

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Practical Example


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Thanks

	The slides of this presentation are available at http://www.gnumonks.org/

	Thanks to
		the BBS people, Z-Netz, FIDO, ...
			for heavily increasing my computer usage in 1992
		KNF
			for bringing me in touch with the internet as early as 1994
			for providing a playground for technical people
			for telling me about the existence of Linux!
		Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
			for implementing (one of?) the world's best TCP/IP stacks
		Paul 'Rusty' Russell
			for starting the netfilter/iptables project
			for trusting me to maintain it today
		Astaro AG
			for sponsoring parts of my netfilter work