%include "default.mgp"
%default 1 bgrad
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"
%center
%size 7
Reverse Engineering
%size 5
of Linux-Based Firmware Images
%center
%size 4
by
Harald Welte <laforge@gnumonks.org>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Overview
Linux has gained ground in the commercial market
Embedded hardware is getting cheaper
Network Appliances become more popular
802.11(abg) Access Points, Bridges, Routers
DSL 'Routers' (in reality NAT-gateways)
Users demand more and more CPU-intensive functions
PPPoE, PPTP
NAT with ALGs for H.323, PPTP
IPsec
Many vendors seem to conclude:
Why not use Linux?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Why is this worth a presentation?
Vendors tend to forget about their GPL obligations
They have to
redistribute or make available the sourcecode
redistribute or make available build scripts
inform their users about their rights and obligations under the GPL
They are not allowed to link with GPL-incompatible code
Vendors tend to forget about security issues
Most people don't know that their appliance runs Linux
Thus they won't even know that they're affected by a vulnerability
Vendors of consumer-class equipment tend to be lazy
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
How to start (from a technical point of view)
In most cases you don't even need the device
Firmware images are available for download from the vendors
Reverse engineering starts by looking at that binary
In a number of cases, you will either find
a gzip signature for a compressed kernel
a signature of a cramfs disk image
a configuration file to enable/disable features
some other (arj/lzh/zip/...) image
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
How to start from a technical point of view (cont'd)
Useful tools for looking at that image
'strings' (from gnu binutils)
your favourite hex editor
'file' (especially its 'magic' signature file)
libmagic (library for accessing 'magic' signatures)
Strings to look for:
'piggy' (compressed kernel image)
0x28cd3d45 (cramfs magic, compressed ram fs)
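As an added illustration of the signature search these slides describe (not code from the talk or from its author), the following scanner walks a raw firmware blob looking for the gzip header, the cramfs magic 0x28cd3d45 and the 'piggy' marker, and reports their offsets. The sample image is constructed inline; the "Compressed ROMFS" check on the cramfs superblock is an extra sanity test that distinguishes a real superblock from a stray occurrence of the four magic bytes.

```python
import struct

# Signatures named on the slides (little-endian cramfs magic as stored on disk)
GZIP_MAGIC = b"\x1f\x8b\x08"                  # gzip member header, deflate method
CRAMFS_MAGIC = struct.pack("<I", 0x28CD3D45)   # cramfs superblock magic
CRAMFS_SIGNATURE = b"Compressed ROMFS"         # ASCII signature at superblock offset 16
PIGGY = b"piggy"                               # marker of a compressed kernel image


def find_all(blob, needle):
    """Return every offset at which needle occurs in blob (overlaps allowed)."""
    offsets, start = [], 0
    while True:
        i = blob.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_firmware(blob):
    """Return (kind, offset, note) hits sorted by offset."""
    hits = []
    for off in find_all(blob, PIGGY):
        hits.append(("piggy", off, "compressed kernel marker"))
    for off in find_all(blob, GZIP_MAGIC):
        hits.append(("gzip", off, "gzip member, try gunzip from here"))
    for off in find_all(blob, CRAMFS_MAGIC):
        # A real superblock carries magic, size, flags, future (4 x u32) and then the signature
        if blob[off + 16:off + 32] == CRAMFS_SIGNATURE:
            size = struct.unpack_from("<I", blob, off + 4)[0]
            hits.append(("cramfs", off, "size=%d" % size))
        else:
            hits.append(("cramfs-magic-only", off, "no superblock signature, likely a false positive"))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample image: padding, piggy marker, gzip header, a genuine cramfs
# superblock and a stray copy of the magic bytes without the ASCII signature
SAMPLE_IMAGE = (
    b"\x00" * 32
    + PIGGY + b"\x00"                                  # offset 32
    + GZIP_MAGIC + b"\x00" * 13                        # offset 38
    + b"\xff" * 10
    + struct.pack("<IIII", 0x28CD3D45, 4096, 0, 0)     # offset 64
    + CRAMFS_SIGNATURE + b"\x00" * 16
    + CRAMFS_MAGIC + b"\x00" * 28                      # offset 112, stray magic
)

if __name__ == "__main__":
    for kind, off, note in scan_firmware(SAMPLE_IMAGE):
        print("0x%08x  %-18s %s" % (off, kind, note))
```

On a real download, replace SAMPLE_IMAGE with the bytes of the vendor's firmware file; the offsets printed are where to point dd or a hex editor.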
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Practical Example
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Linux Firmware Reverse Engineering
Thanks
The slides of this presentation are available at http://www.gnumonks.org/
Thanks to
the BBS people, Z-Netz, FIDO, ...
for heavily increasing my computer usage in 1992
KNF
for bringing me in touch with the internet as early as 1994
for providing a playground for technical people
for telling me about the existence of Linux!
Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
for implementing (one of?) the world's best TCP/IP stacks
Paul 'Rusty' Russell
for starting the netfilter/iptables project
for trusting me to maintain it today
Astaro AG
for sponsoring parts of my netfilter work