Dumping Router Firmware - A New Room

We've launched a Dumping Router Firmware room!


Dumping Router Firmware is a room at TryHackMe and can be accessed using the link below!


We will move step by step, i.e. from downloading the sample firmware to analysing it to find the answers to the questions. So let's get started. You can follow along and answer questions here: https://tryhackme.com/room/rfirmware


The first and most important thing is to find the router firmware that is to be analysed. In this case we are provided with the target, so we will go ahead and download the firmware on our Linux machine.

We need to download the V2 firmware of the Linksys WRT1900ACS. It can be downloaded from their website.



Once downloaded you can run the 'file' command to look for the basic file details.

We can see that this is a 'u-boot legacy uImage' and is firmware for the Linksys WRT1900ACS router, based on Linux/ARM. The output also includes information about its different sections.

Now that we are done with our basic information gathering, onto the preparation phase. Let's investigate the firmware.


An important tool here is the 'strings' command. It prints all the printable, human-readable strings it can find in the file's binary data. Let's run the command and see what we can find.

There is an extremely large number of strings here, so let's save them to a text file to make them easier to analyse.

Let's use the 'less' command to look at the first few lines of the file.

The first line is noticeable: it tells us about this firmware and the router it was created for. Next we will find the OS. For that we can print the whole file and search it using the 'grep' command.

We can surely say that the operating system is Linux. We can see in the above screenshot that there are also several directories listed.

Now that we have an overview, we need to extract the firmware. To do that we will be using 'binwalk'. I call it the "Swiss Army Knife for Firmware Analysis".

We run into an error: binwalk wasn't able to extract the file system. This is because binwalk does not have support for JFFS2, so we first need to set it up. Do the following to get your binwalk working properly:

sudo pip install cstruct
git clone https://github.com/sviehb/jefferson
cd jefferson
python setup.py install

Once it has installed successfully, run binwalk again; now we can see that binwalk has identified the file system as JFFS2.

We now have plenty of information regarding the firmware: the header sizes, the image sizes, the CRC check, the creation date, the operating system details, the CPU it runs on, etc.

Binwalk creates a separate folder for the data it extracts.

We can see that one file is the JFFS2 filesystem and the other is a gzip file. Running the file outputs 6870 and no other data. This means that binwalk has misinterpreted the data; we can run binwalk again on the file to look for other possibilities and try to extract the data in the right format.

We can see that this file contains a copy of an actual Linux kernel; binwalk also shows us the version this kernel works on. Meanwhile we can also see some LZMA compressed data and some cpio archived data.

Let's move on to mounting this firmware so that we can analyse it in more depth.


First we need to create a "Block Device". It can be done by using:

mknod /dev/mtdblock0 b 31 0

Then we need to create a location to mount our filesystem at. It can be done by using:

mkdir /mnt/jffs2_file/

The firmware requires some kernel modules, so we need to load them all to make sure that our filesystem works fine. It can be done by using:

modprobe jffs2
modprobe mtdram
modprobe mtdblock

Now we need to write the image to the "Block Device" and it can be done using:

dd if=/root/Router/600000.jffs2 of=/dev/mtdblock0

Next, we need to mount our filesystem and it can be done by using:

mount -t jffs2 /dev/mtdblock0 /mnt/jffs2_file/

Finally, we will move into the mounted filesystem and it can be done using:

cd /mnt/jffs2_file/

Once that is all done, running an ls command will reveal the directories. We have just mounted this firmware on our local system!
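The mount steps above collected into one script, as an added example that is not part of the original walkthrough or the room's material. The image path, device and mount point are the ones used above; the erase-block size, the sizing of mtdram to the image, the magic-number check and the read-only mount options are assumptions added here.

```sh
#!/bin/sh
# Added example: the mount steps above as one script with pre-flight checks.
IMG="${IMG:-/root/Router/600000.jffs2}"   # image path from the walkthrough
DEV=/dev/mtdblock0
MNT=/mnt/jffs2_file
ERASE_KIB="${ERASE_KIB:-128}"             # assumed erase-block size in KiB

# True if the file starts with the JFFS2 node magic 0x1985 (either byte order).
is_jffs2() {
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "8519" ] || [ "$magic" = "1985" ]
}

# KiB that mtdram must provide for a file, rounded up to whole erase blocks.
mtdram_kib() {
    bytes=$(wc -c < "$1")
    block=$(( $2 * 1024 ))
    echo $(( (bytes + block - 1) / block * $2 ))
}

mount_image() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    is_jffs2 "$IMG" || { echo "$IMG: no JFFS2 magic at offset 0" >&2; return 1; }
    modprobe jffs2 || return 1
    # Size the RAM-backed MTD device to the image; the module's default
    # device may be smaller than the image, which would make dd stop short.
    modprobe mtdram total_size="$(mtdram_kib "$IMG" "$ERASE_KIB")" \
        erase_size="$ERASE_KIB" || return 1
    modprobe mtdblock || return 1
    [ -b "$DEV" ] || mknod "$DEV" b 31 0 || return 1
    mkdir -p "$MNT"
    dd if="$IMG" of="$DEV" bs=64k || return 1
    # The image is untrusted data: mount it read-only, with device nodes,
    # setuid bits and execution disabled.
    mount -t jffs2 -o ro,nodev,nosuid,noexec "$DEV" "$MNT"
}

# Only touch the system when explicitly asked to: ./script.sh mount
if [ "${1:-}" = "mount" ]; then
    mount_image
fi
```

If mtdram is already loaded, unload it first with modprobe -r mtdram so that the new size takes effect.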

Listing all files reveals that some are symbolically linked to other locations. In essence, some files have 'shortcuts' to others elsewhere on the file system.

Also we can see that there are three parent folders which are linked to the /tmp/ directory. We can also see a /www/ directory; this is where web application data is stored.

Let's look in the bin folder:

We can see that the database is "sqlite3".

Now let's see what's inside the etc directory.

There are many configuration files here, along with lots of build details. Let's take a look at the builddate file... I wonder what this file could be...

There are also RSA keys in here and we can see that the SSH server being used here is "dropbear".

Hmm. Interesting, there are mediaserver details shown in here too. Further inspection shows that this is from Cisco.

Let's look into the other service files to reveal as much information as we can about the protocols used and their assigned port numbers.

There is another file called "system_defaults" which contains all the default settings for the router.

There is a file containing the firmware version.

There is a folder called JNAP that has Lua scripts in it. These scripts are used to control the network.

This was a very quick rundown on analysing router firmware. I hope you followed along and enjoyed the walkthrough.