Hack, Whack, Chop that…firmware…
I had a customer at Interop NYC yesterday ask me if I still hack stuff? Still?!?! Of course!! It’s something that’s just in your blood daddy-o! I just like to hack stuff. It doesn’t matter really what it is, I just enjoy the challenge of figuring out how stuff works and how to bypass certain controls. I am not trying to be a whank about it and post how to steal a case of Sundrop from a Dixie-Narco vending machine, I just want to know from an engineering stand point. When I see electronic firmware based stuff work I always wonder; “How did they code that one up?”
That’s all it takes to get me started. Now my wife is not a fan of guns but if I started purchasing all the stuff I hack around here weekly, my guess is that she would change her mind real quick… So I need another method…a more…low cost method of hacking a device without ever purchasing the device. Firmware baby!!! Matter of fact, it is very rare for me to get actual gear. I just go for the low hangin’ fruit! Firmware! say with me…What do we want! Firmware!! f.i.r.m.w.a.r.e!!
Many vendors out there today offer up firmware freely without authentication or with only a email address so they can gather marketing data. I just use a 10 minute emailer like Mailinator or I give them Robb’s email and then I start downloading firmware. The firmware can be like the wardroom door to Narina if you look deeply into it.
Here’s the thing. Many vendors out there today do not have firmware developers in house. They have a marketing plan, money, call centers , etc…but code jockeys are something that is normally outsourced. These code houses do not just buzz the code for one vendor but for 50 or more. Now to keep this code straight from vendor to vendor many code houses place comments in their firmware.
These can be comments about debug interfaces, HARD CODED ACCOUNTS!!!! Private keys, hidden commands and yes even backdoor passwords. (I just found two days ago in a vendor device) Basically, low rent firmware hacking is really a piece of cake to understand.Plus it can really yield huge…benefits. Remember Stuxnet? Oh Yeah… Most firmware out there today is unsigned and unencrypted which means I can read it in a simple hex editor. But before your go download firmware and opening it up in your favorite hex editor, here are a few pointers to get ya started:
Tip 00×01 I normally like to look for bootcode if I have the choice. If not, I just deal with what I have.
Tip 00×02 Firmware files are in hex and have a ton of unreadable data in them. I am interested in about 1% of the file which contains ASCII text. The first thing I do is run firmware thru the *Nix command; Strings. Strings is a command that will print out any ascii character sequences that is followed by a an unprintable character. The default character limit is 4 but you can change that. A example command would look like this:
strings -t firmwareName.bin
Simple but powerful command with few options. The -t is an option I use to tell me the offsets just in case I need to…use them later on…
Tip 00×03 Some firmware will be compressed in what is called ZLIB compressed chunks. In outsourced code larger then 3Meg this is very common. There is a great tool called DeeZee which is part of the Black Bag Tool Kit from Matasano. It is older but works really well still for binary dissection. DeeZee will search thru a binary file for ZLIB signatures then extract them and print out the results. Human behavior is such that we write and comment stuff out all the time. Look at the best practices for a simple ACL. If I run a file thru strings or view it in a hex editor and see nothing but unreadable crap, then I assume it must be ZLIB’ed or encrypted but that is very rare. I run it thru DeeZee, with the command:
DeeZee will chew on it few a while then spit out the results into the same directory I run it at. I just do a LS to see the results, then view those results in my hex editor and Kazam! it’s hammertime!
Now you have some readable ASCII extracted from firmware. Some of my results have been stuff like:
– FTP passwords
– Backdoor passwords for various ports
– Hidden SNMP community strings
– Mountable filesystems that actually allow me to mount the firmware and interact with it. Heck I have pulled off .pem files that allowed me to do a super effective bogus SSL connection!
– Internal server ip addresses of the code house
– Contact information, which is great for social engineering
– Debug interfaces with access commands
and of course some of the funniest comments you have seen. If you decode a OEM suppliers firmware you may have hit a real jackpot since most C code is modularized and reused in other devices, so this the gift that keeps on givin’!! At this point you can gather the data and test certain conditions you have mined OR you can move up to the graduate level of hacking and start looking at disassembly with IDA Pro and start installing rootkits in firmware. That is the true Holy Grail of hacking embedded systems, but we’ll cover that next blog.
What’s that? You want a how to and not just tips? Hmmm…OK, here is an excellent blog showing you the step by step details of reversing some code from a…product…. http://www.devttys0.com/2011/05/reverse-engineering-firmware-linksys-wag120n/
Jimmy Ray Purser
Trivia File Transfer Protocol
In the rockin’ age of 390B.C. Playwright Aristophanes wanted to show the world just how pretentious db whack he really was. In his play Ecclesiazusae the characters feasted on a dish called; lopadotemachoselachogaleokranioleipsanodrimupotrimmatosilphioliparomelitoaktakexhumeno-kichlepikossuphophattoperisteralektruonoptopiphallidokinklopeleioplagoosiraiobaphetragalopterugon
MMMMM…Please sir may I have another helping of…lopa, lopadotema.. just forget it. Where’s the gyro stand?