With the world being my classroom, I’ve really been into "hacking" firmware lately. No, I’m not hacking unauthorized devices or units I do not own. This is one security professional talking to another one speaking our language. Geek to geek. Phreak to phreak.
Thanks to all the vendors out there offering it up (for free!), I can learn so much about their processes—and the comments are a hoot! These can be comments about debug interfaces, hidden commands, and yes, even backdoor passwords. Dare I call it a “Technician Interface” for folks old enough to remember Q*bert and Bay Networks?
So, how do you open up this world of firmware hacking? The vast majority of firmware is unsigned and unencrypted, so Bob’s your uncle, baby! As basic methodology, here’s what Uncle Jimmy Ray does to unlock the digital secrets of the Voynich manuscript of code.
Start with bootcode. I used to run the firmware through the Linux strings command, but these days, I just go straight to the utility Binwalk.
Binwalk will reverse the crap out of firmware. Firmware has a bunch of unreadable stuff, and Binwalk helps get rid of the stuff we don’t care much about. I like to run Binwalk with the -e switch so it extracts everything.
It may get a false positive or two, but it’s not a big deal and nothing more than most reversers out there. I love it! It’s written in Python and runs very fast.
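To show what Binwalk and strings are actually doing under the hood, here is an added example (my own stand-alone script, not Binwalk’s code): a tiny signature scanner that walks a blob for well-known magic bytes, carves each hit out the way -e would, and pulls printable strings the way the strings command does. The SIGNATURES table is a small constructed subset, and SAMPLE is a made-up firmware image, not a real vendor file.

```python
import re

# Constructed subset of well-known magic bytes; Binwalk's real table is far larger.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\xfd7zXZ\x00": "XZ compressed data",
    b"hsqs": "SquashFS filesystem, little endian",
    b"sqsh": "SquashFS filesystem, big endian",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "Zip archive",
}

def scan(data: bytes) -> list:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:               # report every occurrence, not just the first
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def carve(data: bytes) -> list:
    """Crude stand-in for 'binwalk -e': slice from each hit up to the next hit."""
    hits = scan(data)
    out = []
    for i, (off, desc) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        out.append((off, desc, data[off:end]))
    return out

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """What the strings command does: runs of printable ASCII at least min_len long."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]

# Constructed stand-in for a firmware image: uImage magic, a version string,
# a gzip blob, a SquashFS blob and a debug-console banner a vendor left behind.
SAMPLE = (
    b"\x27\x05\x19\x56" + b"\x00" * 12
    + b"Linux-3.4.0 firmware v1.2\x00"
    + b"\x1f\x8b\x08\x00" + b"\xaa" * 20
    + b"hsqs" + b"\x00" * 8
    + b"Debug console enabled\x00"
)

if __name__ == "__main__":
    print(f"{'DECIMAL':>8}  {'HEX':>8}  DESCRIPTION")
    for off, desc in scan(SAMPLE):
        print(f"{off:>8}  {off:>#8x}  {desc}")
    print("strings:", extract_strings(SAMPLE))
```

Note that strings alone reports "hsqs" as just another four-character string; the signature pass is what tells you it is a SquashFS header worth carving and unpacking.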
Side note: Binwalk is also part of the Firmware Mod Kit, which has a ton of useful tools for decompression, etc. Make sure you scroll to the bottom, click forums, and read the community entries for some great examples. My honorable mention goes to ERESI.
Sometimes, files tend to have more proprietary-ness to them and may not be worth your time. That’s why I totally dig the tool Signsrch. This tool will mine the files to find compression, anti-debugging, multimedia, encryption types, etc. When I’m searching for possible malware, I pair Signsrch with Clamsrch. Signsrch handles the smaller files and then Clamsrch searches the larger file sets using the ClamAV engine.
It’s around this time I move into IDA Pro. This is a fee-based product that’s worth every penny. It’s licensed by the proc type so a 32-bit proc is around 600 bucks USD and a 64-bit proc is somewhere around 1,100 bucks USD. IDA Pro is going to really give you lots of options. For example, take 20 minutes of your time and watch this demo by Amit Malik.
Groovy right? Also check out The IDA Pro Book by Chris Eagle. It’s an excellent, excellent resource.
What’s the point of this post, Jimmy Ray?
I believe there are folks out there that are just curious. All I want to do is take a peek and see. This is the No. 1 reason we security-type folks need to apply granular segmentation to fence applications in our data centers instead of relying on complicated, layered network security and access solutions. History has proven: If folks can take a peek, they will. And so should you.
—Jimmy Ray Purser