Hacking the Linksys WRT120N

linksyshack

[Craig Heffner] recently found himself on the case of the Linksys WRT120N router. The router’s firmware was using some previously unknown form of obfuscation, causing headaches for those wishing to run their own software. The WRT120N, being a 2009 model is somewhat out of date at this point. That didn’t stop [Craig] though, as he dove into reverse engineering the firmware obfuscation.

[Craig] started by running the firmware through his own Binwalk tool. Binwalk analyzes firmware files for known data, be it embedded filesystems, raw compression streams, or binary files. In this case Binwalk only found a small LZMA block which contained the compressed html files for the router’s web interface. The rest of the firmware was unknown data with a high level of entropy. [Craig] couldn’t do anything more with the firmware update file alone, so he ordered a router to attack from the hardware side. Inside he found typical low-end router components:  An Atheros AR7240 SoC, a 2MB SPI flash chip, 32MB of RAM. He also found serial and JTAG headers.

[Craig] connected to the serial port and was greeted with a boot menu. This allowed him to run some commands on the router, but didn’t give him any way to dump memory. He had to go straight to the source – connecting directly to the router’s SPI flash with an FTDI C232HM cable. Using libmpsse, another of his open source tools, [Craig] was able to dump the flash. He now had the un-obfuscated bootloader code, albeit in MIPS assembly. [Craig] was then able to go after the bootloader with IDA Pro. After a bit of work, the obfuscation system was exposed. The system was simple – several byte and nibble swaps had been performed between the LZMA header block and the first few bytes of data. [Craig] finished out this part of his hack by writing a simple C program to de-obfuscate and decompress the firmware.

Comments

  1. Kaspokas says:

    Reverse engineering obfuscated stuff is very cool. But forgive me for my lack of knowledge, what can you do with a hacked router?

  2. FuzzyfuzzyFungus says:

    So, is this just Cisco being Cisco, or is there some reason that I’m missing for obfuscating the router firmware like that? It’s far weaker than a cryptographic signature check in the bootloader if you, for some ghastly reason, want to forbid 3rd party firmware; but I’m hard pressed to think of anything worth hiding in the firmware for a basic plastic-box home router.

    • ataa says:

      Cisco doesn’t care about people loading their own firmware. They still push product out the door. They do care about security on their devices though. Don’t want a reputation loss when someone finds an exploit that puts millions of home networks at risk.

      • FrankTheCat says:

        Cisco didn’t care about their own firmware. Stock firmware for the WRT120N (I have one) is crash prone and bug-ridden.

        Every ‘Linksys by Cisco’ isn’t worth more than the box they come in. Reason #255 I’m still using my WRT54G v4.

  3. Adam Jackson says:

    He takes it a bit further patching the bootloader and OS to re-enable JTAG with OpenOCD.

    http://www.devttys0.com/2014/02/re-enabling-jtag-and-debugging-the-wrt120n/

  4. Telek says:

    DD-WRT has been available on this router for 3 years now, so I don’t think the initial part of this story is correct. However this was an interesting way of being able to retrieve an unobfuscated copy of the original firmware.

  5. truehybridx says:

    Whats with all these people having copies of IDA Pro?
    Rich people :P

  6. Adam Jackson says:

    The guy wrote binwalk, hes not interested in putting alt FW on it, or saying that this “hack” enables that:

    “It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look.”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 94,069 other followers