Dissecting A Firmware Image

dissecting-a-firmware-image

[Leland Flynn] did a great job of picking apart the firmware image for a Westell 9100EM FiOS router. Unfortunately he didn’t actually find the information he was looking for. But he’s not quite done poking around yet either. If you have never tried to make sense of an embedded Linux firmware image this serves as a great beginner’s example of how it’s done.

He was turned on to the project after port scanning his external IP and finding a random login prompt which he certainly didn’t set up. Some searching led him to believe this is some kind of back door for Verizon to push automatic firmware updates to his router. He figured why not see if he could yank the credentials and poke around inside of the machine?

He started by downloading the latest firmware upgrade. Running ‘hexdump’ and ‘strings’ gives him confirmation that the image is based on Linux. He’s then able to pick apart the package, getting at just the filesystem portion. His persistence takes him through extracting and decompressing three different filesystems. Even though he now has access to all of those files, broken symlinks meant a dead-end on his login search.

18 thoughts on “Dissecting A Firmware Image

  1. Awesome! hopefully a good WRT firmware will be developed for this. the wireless compatibility with some devices is horrible and will crash this router. it has to be power cycled to get the LAN going again. i think there’s a mini-pci card in there that should be tinkered with and possibly gain the ability to replace it.

  2. Also once you get on x86, vendors use stuff like the award VS 2010 framework to do ROMs and use custom packers and boot-block decryption routines; I’ve seen mobo BIOS images you had to actually brute even if you dump from shadow..

  3. The “open source” web page clearly states “This product was specifically designed for Verizon and all support for this product is handled directly by Verizon.” so the source on that page SHOULD match the Verizon router.

  4. If you can find the passwd or shadow file, don’t bother trying to decrypt the password. Just replace the password hash with something that you DO know. This has a nice advantage that you can close the backdoor also. :-) If the firmware has some sort of CRC check or it’s signed then you might have trouble flashing it though.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.