Dissecting a firmware image

dissecting-a-firmware-image

[Leland Flynn] did a great job of picking apart the firmware image for a Westell 9100EM FiOS router. Unfortunately he didn’t actually find the information he was looking for. But he’s not quite done poking around yet either. If you have never tried to make sense of an embedded Linux firmware image this serves as a great beginner’s example of how it’s done.

He was turned on to the project after port scanning his external IP and finding a random login prompt which he certainly didn’t set up. Some searching led him to believe this is some kind of back door for Verizon to push automatic firmware updates to his router. He figured why not see if he could yank the credentials and poke around inside of the machine?

He started by downloading the latest firmware upgrade. Running ‘hexdump’ and ‘strings’ gives him confirmation that the image is based on Linux. He’s then able to pick apart the package, getting at just the filesystem portion. His persistence takes him through extracting and decompressing three different filesystems. Even though he now has access to all of those files, broken symlinks meant a dead-end on his login search.

18 thoughts on “Dissecting a firmware image

  1. Awesome! hopefully a good WRT firmware will be developed for this. the wireless compatibility with some devices is horrible and will crash this router. it has to be power cycled to get the LAN going again. i think there’s a mini-pci card in there that should be tinkered with and possibly gain the ability to replace it.

    1. When I had FiOS, one of the CDs that came with the router had the source code on it. I doubt the Verizon specific services are there, but it never hurts to look.

  2. Also once you get on x86, vendors use stuff like the award VS 2010 framework to do ROMs and use custom packers and boot-block decryption routines; I’ve seen mobo BIOS images you had to actually brute even if you dump from shadow..

  3. It is a bit more likely that the login credentials for that prompt would be stored on non-volatile memory or a section of flash that is reserved for parameters.

      1. indeed, just fire up firebug and chear the entire section.

        ontopic: really nice writeup. there are some other articles that are worth reading there too.

  4. The “open source” web page clearly states “This product was specifically designed for Verizon and all support for this product is handled directly by Verizon.” so the source on that page SHOULD match the Verizon router.

  5. If you can find the passwd or shadow file, don’t bother trying to decrypt the password. Just replace the password hash with something that you DO know. This has a nice advantage that you can close the backdoor also. :-) If the firmware has some sort of CRC check or it’s signed then you might have trouble flashing it though.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s