What is Firmware Reverse Engineering
Firmware Reversing Steps
- The firmware is first obtained, either downloaded from the vendor's website or extracted from the device itself (for example by dumping its flash memory), so that it can be analysed.
- The obtained/extracted firmware, usually a single binary file, is analysed to determine its type: bare metal (a monolithic image with no operating system) or OS based (typically a bootloader, a Linux kernel and a root file system).
- The image is then checked for encryption or packing. Encrypted firmware is more challenging to analyse, as it usually needs a workaround such as reversing an earlier non-encrypted release of the firmware in search of the keys, or performing hardware attacks like Side Channel Attacks (SCA) to recover the encryption keys.
- Once the firmware is decrypted, different techniques and tools are used to perform the reverse engineering depending on its type.
Types of Firmware Analysis
Firmware analysis is carried out through two techniques, Static and Dynamic. Static analysis inspects the image and its extracted file system without running any of it (binwalk, FMK and FirmWalker below), while dynamic analysis runs the firmware, or individual binaries taken from it, under emulation and observes their behaviour (Qemu and GDB below).
- BinWalk: A firmware extraction tool that locates files embedded in any binary by scanning it for the header signatures of many standard file formats (zip, tar, exe, ELF, etc.). Binwalk carries a database of binary header signatures against which each offset of the image is matched. The common objective of using this tool is to extract a file system such as SquashFS, YAFFS2, CramFS, ext*fs or JFFS2 that is embedded in the firmware binary; the file system holds all the application code that runs on the device.
- Firmware Mod Kit (FMK): FMK is widely used for firmware reverse engineering. It extracts the firmware using binwalk and outputs a directory containing the firmware's file system. Once the code is extracted, a developer can modify the desired files and repack the binary with a single command.
- FirmWalker: Searches through the extracted firmware file system for directories of interest like etc/ssl, keywords like admin, root and password, and binaries that widen the attack surface like ssh, telnet and netcat.
- Qemu: Qemu is a free and open-source emulator that enables working across platforms. It provides various ways to emulate firmware built for architectures such as Advanced RISC Machines (ARM) and Microprocessor without Interlocked Pipelined Stages (MIPS) on the host system. Qemu can perform full-system emulation of a whole firmware image, or user-mode emulation of a single Linux ELF (Executable and Linkable Format) binary, for many different platforms.
- GNU Debugger (GDB): GDB is a dynamic debugging tool for running a binary under control and inspecting its memory and registers. GDB also supports remote debugging, which is commonly used during firmware reversing when the target binary runs on a separate host (or inside an emulator such as Qemu) and the debugger is driven from a different host.
Use Santa1010 if prompted for a sudo password. The bin folder contains the firmware binary, while the firmware-mod-kit folder contains the script for extracting and modifying the firmware.
- Binwalk: For checking whether the firmware looks encrypted (entropy analysis) and for carving out the embedded file system; it does not decrypt anything itself (Usage: binwalk -E -N)
- Firmware Mod Kit (FMK): Library for firmware extraction and modification (Usage:
Now coming over to the task, we will perform reversing step by step.
Step 1: Verifying Encryption
In this step, McSkidy verifies whether the binary firmwarev2.2-encrypted.gpg is encrypted through file entropy analysis. First, change to the bin folder by entering the command cd bin. She then uses the binwalk tool to check the encryption with the command binwalk -E -N firmwarev2.2-encrypted.gpg, where -E computes the entropy of the file block by block and -N suppresses the graphical plot so that the result is printed as text.
In the above output, the rising entropy edge (entropy close to 1.0 shortly after the start of the file) means that the data from that offset onward is close to random. Encryption produces that, but so does compression, so entropy alone only says "probably encrypted or compressed"; here the .gpg extension points to GnuPG encryption.
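The same test can be reproduced without binwalk. The following Python script is an added example, not part of the original walkthrough and not binwalk's code: it computes block-wise Shannon entropy, reports rising and falling edges using binwalk's default trigger thresholds (0.95 and 0.85), and adds the check that an entropy plot cannot make, namely whether the first byte is a plausible OpenPGP packet header. The image it scans is constructed inside the script (a plain-text header, a deterministic high-entropy body standing in for ciphertext, zero padding); the block size and that layout are assumptions.

```python
"""Block-wise entropy scan in the spirit of `binwalk -E`, plus a quick
OpenPGP header check.  Added example for this page; not binwalk's code."""
import hashlib
import math
from collections import Counter

BLOCK = 4096   # bytes per entropy sample (assumption; binwalk picks its own)
HIGH = 0.95    # rising-edge trigger, binwalk's default --high
LOW = 0.85     # falling-edge trigger, binwalk's default --low


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data`, normalised so 1.0 means 8 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) / 8.0


def entropy_edges(data: bytes, block: int = BLOCK,
                  high: float = HIGH, low: float = LOW):
    """Walk the image block by block and record where the entropy crosses the
    thresholds.  Returns [(offset, 'rising' | 'falling', entropy), ...]."""
    edges, above = [], False
    for off in range(0, len(data), block):
        e = shannon_entropy(data[off:off + block])
        if not above and e >= high:
            edges.append((off, "rising", e))
            above = True
        elif above and e <= low:
            edges.append((off, "falling", e))
            above = False
    return edges


def openpgp_first_packet_tag(data: bytes):
    """Tag of the first OpenPGP packet (RFC 4880 section 4.2), or None if the
    first byte cannot be a packet header.  Tag 1 (public-key encrypted
    session key) is what a gpg -e -r <key> output starts with; tag 3 means
    symmetric (passphrase-only) encryption."""
    if not data or not (data[0] & 0x80):
        return None
    b = data[0]
    return (b & 0x3F) if (b & 0x40) else ((b >> 2) & 0x0F)


def build_sample_image() -> bytes:
    """Constructed stand-in for an encrypted firmware image: an 8 KiB plain
    text header, a 32 KiB 'ciphertext' body (a SHA-256 counter keystream used
    as a deterministic high-entropy filler) and 4 KiB of zero padding."""
    header = (b"FIRMWARE v2.2 build 1234 " * 400)[:8192]
    body = b"".join(hashlib.sha256(b"stand-in-%d" % i).digest()
                    for i in range(32768 // 32))
    return header + body + bytes(4096)


def scan_file(path: str):
    """Run the same edge detection over a real file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return entropy_edges(data), openpgp_first_packet_tag(data)


if __name__ == "__main__":
    img = build_sample_image()
    for off, kind, e in entropy_edges(img):
        print(f"{off:#010x}  {kind:7s} entropy edge ({e:.3f})")
    # High entropy alone cannot separate encrypted from compressed data; the
    # constructed image is random-looking but has no OpenPGP header at all.
    print("first OpenPGP packet tag:", openpgp_first_packet_tag(img))
```

On the constructed image the rising edge sits at 0x2000 and the falling edge at 0xa000, the boundaries of the random body, and the packet check returns None because the image is not a GnuPG message. Running scan_file on the lab file will give different edge offsets and, assuming the firmware was public-key encrypted (which the key hunt in Step 3 is consistent with), a first packet tag of 1.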
Step 2: Finding Unencrypted Older Version
Since the latest version is encrypted, McSkidy looks for an older version of the same firmware; it is located in the bin-unsigned folder. Why an older version? Because vendors frequently reuse key material between releases, so an unencrypted release may carry the keys she can use to decrypt the current firmware and reverse engineer it. McSkidy has decided to use the popular FMK tool for this purpose. To extract the firmware, change the directory by entering the command cd .. and then cd bin-unsigned. She extracted the firmware by issuing the following command.
Step 3: Finding Encryption Keys
The original firmware is GPG encrypted, which means that to decrypt it we need the private key and the passphrase that protects it; the matching public key is normally stored alongside and is imported too. We know that the unencrypted firmware was extracted successfully into the fmk folder. The easiest way to find keys is the grep command: the -i flag ignores case, while -r recursively searches the current directory and its subdirectories.
Bingo! We have the public and private keys, but what about the passphrase that is usually needed to unlock the private key before it can decrypt a gpg encrypted file?
Let's find the passphrase with the same grep approach.
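What FirmWalker automates (see the tool list above) and what the grep hunt in this step does by hand are the same sweep. The following Python script is an added example written for this page; it is not FirmWalker's, FMK's or the walkthrough's own code. It walks an extracted root directory, lists sensitive paths, flags binaries of interest, greps every regular file for key blocks, passphrase assignments and privileged account names (reporting grep -n style line numbers), and then narrows the hits to key material. The directory it scans is constructed by the script itself; the path, binary and keyword lists are assumptions drawn from the tool description.

```python
"""FirmWalker-style sweep of an extracted firmware root.  Added example for
this page; it is neither FirmWalker's nor FMK's code.  The path, binary and
keyword lists below are assumptions based on the tool description."""
import os
import re
import shutil
import tempfile

# Directories and files worth listing outright (relative to the extracted root).
INTERESTING_DIRS = ("etc/ssl/", "etc/ssh/", "etc/dropbear/", "etc/config/")
INTERESTING_FILES = ("etc/passwd", "etc/shadow", "etc/hosts")
# Binaries that widen the attack surface if they ship on the device.
INTERESTING_BINS = ("telnetd", "dropbear", "sshd", "nc", "netcat", "busybox")
# What the grep -ri in Step 3 looks for: key blocks, passphrases, account names.
KEYWORDS = [re.compile(p, re.IGNORECASE) for p in (
    rb"-----BEGIN PGP (?:PUBLIC|PRIVATE) KEY BLOCK-----",
    rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
    rb"pass(?:word|phrase)\s*[:=]",
    rb"\badmin\b",
    rb"\broot\b",
)]
MAX_FILE = 4 * 1024 * 1024   # skip anything larger than this (assumption)


def walk_firmware(root):
    """Return {'paths': [...], 'binaries': [...], 'keywords': [(file, line, hit), ...]}."""
    paths, bins, hits = set(), set(), set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in INTERESTING_FILES or rel.startswith(INTERESTING_DIRS):
                paths.add(rel)
            if name in INTERESTING_BINS:
                bins.add(rel)
            # Do not follow symlinks (they may point outside the root) or read huge blobs.
            if os.path.islink(full) or os.path.getsize(full) > MAX_FILE:
                continue
            with open(full, "rb") as fh:
                blob = fh.read()
            for rx in KEYWORDS:
                for m in rx.finditer(blob):
                    line = blob.count(b"\n", 0, m.start()) + 1   # 1-based, like grep -n
                    hits.add((rel, line, m.group(0).decode("latin-1")))
    return {"paths": sorted(paths), "binaries": sorted(bins), "keywords": sorted(hits)}


def key_material(findings):
    """Step 3's goal: only the hits that look like keys or passphrases."""
    return [h for h in findings["keywords"]
            if "KEY" in h[2].upper() or "PASS" in h[2].upper()]


def build_sample_root():
    """Constructed stand-in for an fmk/rootfs directory; returns its path."""
    root = tempfile.mkdtemp(prefix="fmk-rootfs-")
    files = {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"
                      b"admin:x:1000:1000::/home/admin:/bin/sh\n",
        "etc/ssl/update-key.asc": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
                                  b"(constructed placeholder, not a real key)\n"
                                  b"-----END PGP PRIVATE KEY BLOCK-----\n",
        "etc/config/update.sh": b"#!/bin/sh\nPASSPHRASE=constructed-sample-passphrase\n"
                                b"gpg --batch --passphrase \"$PASSPHRASE\" -d /tmp/fw.gpg\n",
        "usr/sbin/telnetd": b"\x7fELF" + bytes(60),
        "usr/lib/libc.so": b"\x7fELF" + bytes(60),
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def remove_sample_root(root):
    """Delete the constructed tree again."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_root()
    try:
        found = walk_firmware(root)
        for section in ("paths", "binaries"):
            print(f"[{section}]", *found[section], sep="\n  ")
        print("[key material]", *key_material(found), sep="\n  ")
    finally:
        remove_sample_root(root)
```

Point walk_firmware at the fmk output directory from Step 2 to get the same listing for the real file system. The passphrase pattern only catches assignments of the form password= or passphrase:, so a passphrase that appears as a bare string (or as the argument to --passphrase) still needs a manual look at the hits around any key block.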
Step 4: Decrypting the Encrypted Firmware
Now that we have the keys, let's import them with gpg --import.
While importing the private key, you will be asked for its passphrase; enter the one you found in Step 3.
Import the public key the same way, then list the secret keys with gpg --list-secret-keys to confirm the key is available.
Once the keys are imported, McSkidy decrypts the firmware using the gpg command (gpg --decrypt, with -o to write the plaintext to a file). Again change the directory by entering the command cd .. and then
Step 5: Reversing the Original Encrypted Firmware
This is the simplest step: we use FMK to extract the file system from the freshly decrypted firmware, exactly as we did for the older release in Step 2, and can then examine and modify the application code it contains.