
Dumping the Firmware from the Device Using a Bus Pirate



One of the best ways to get the firmware off the hardware


While doing a penetration test there are scenarios in which we need to dump the firmware straight from the device. This is typically done when the vendor does not publish the firmware image on its site. Today we are going to show how to dump the firmware from a Binatone DT 850W wireless router.
Software and hardware requirements:

  • Bus Pirate
  • Ubuntu 16.04 or any other Linux machine
  • flashrom
  • SOIC-8 test clip (a cable that clamps onto the eight pins of the flash chip)
  • Bus Pirate probe cable



             
This is the Binatone DT 850W wireless router that will be used as the example for dumping the firmware.

Let us look inside the device. On the board you can see the flash chip, the UART header, the Ralink CPU and a few other ICs. We will focus on the flash chip, a Winbond W25Q16.

What is EEPROM:
EEPROM (also written E2PROM and pronounced "e-e-prom", "double-e-prom" or "e-squared-prom") stands for electrically erasable programmable read-only memory. It is a type of non-volatile memory used in computers and other electronic devices to store relatively small amounts of data, with the property that individual bytes can be erased and reprogrammed. The W25Q16 is commonly called an EEPROM, but strictly it is a 16 Mbit (2 MB) SPI NOR flash chip: it is erased a sector at a time rather than byte by byte. The difference does not matter for dumping, because flashrom reads both with the same SPI commands, but it matters if you ever write to it, since a whole sector must be erased first. This is the chip that holds the firmware, so it is the one we read.

To read the chip we need the Bus Pirate and the SOIC-8 clip, which connects the chip's pins to the Bus Pirate without desoldering anything.


This is how the Bus Pirate and the SOIC-8 clip look.

To wire the Bus Pirate to the flash chip you need to know which clip wire lands on which chip pin, and the wires are easiest to tell apart by colour. On the W25Q16 (SOIC-8 package) pin 1 is the pin next to the small dot on the package and the numbering runs anticlockwise from there:

  • pin 1 /CS (chip select) to the Bus Pirate CS
  • pin 2 DO (data out) to the Bus Pirate MISO
  • pin 3 /WP (write protect) to 3.3V
  • pin 4 GND to GND
  • pin 5 DI (data in) to the Bus Pirate MOSI
  • pin 6 CLK to the Bus Pirate CLK
  • pin 7 /HOLD to 3.3V
  • pin 8 VCC to 3.3V

/WP and /HOLD are normally pulled up on the board already; they only need tying to 3.3V when the chip is read out of circuit. Wire colours differ between clip and probe cables, so confirm each wire against the signal names printed on the Bus Pirate rather than trusting colour alone.

Clip the SOIC-8 cable onto the flash chip

When attaching the clip, the red wire must go to pin 1 of the chip; pin 1 is the one next to the round mark on the chip, as shown in the picture below

Connect the clip cable to the Bus Pirate pins as shown in the picture below

Use this extra header on the clip cable to break out the wires and identify the pins easily




After wiring, the Bus Pirate and the SOIC-8 clip look like this,

Before dumping the firmware, check that the clip, the Bus Pirate and the chip are connected properly. Two practical points: leave the router unplugged while reading, because the SoC sits on the same SPI bus and will fight the Bus Pirate for it if the board is powered; and if the read fails, or returns different data on two runs, reseat the clip on all eight pins and drop the SPI speed.

On the Bus Pirate the PWR LED lights as soon as it is plugged into USB, and the VREG LED lights when flashrom switches on the on-board 3.3 V regulator that powers the chip; both being lit means the connection is established, as shown below

Make sure the Bus Pirate is connected before running flashrom; the PWR LED being on confirms it.

Step 1

$ sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0

This identifies the chip: flashrom probes the SPI bus and prints the flash chip(s) it recognises. If the serial device is not /dev/ttyUSB0 on your machine, check dmesg after plugging in the Bus Pirate.

Step 2:

Dump the firmware from the chip

$ sudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c <chip name> -r <name.bin>

The programmer name is lower case (buspirate_spi), and <chip name> is the exact name flashrom printed in step 1 (it is required whenever more than one chip matches the probe). The dump of a W25Q16 is 2 MB; read it twice and compare the two files before trusting it.
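Before trusting a dump it is worth checking it, because flashrom reporting success does not prove the clip was seated on every pin. The script below is an added example, not part of the original post: it runs the read from step 2 twice (the chip name is passed on the command line because it has to be whatever flashrom printed in step 1; the 2 MB size is the W25Q16's), then checks that the image is the right size, is not mostly one byte value, starts with something that looks like a bootloader, and that the two reads agree, listing the 4 KiB sectors where they differ. The constructed_image() bytes exist only so the checks can be exercised offline.

```python
"""Sanity checks on a SPI flash dump before trusting it.

Added example, not part of the original post. A Bus Pirate read that reports
success can still be garbage: a badly seated clip tends to return all 0xFF or
all 0x00, and a board that powers up mid-read returns data that differs
between runs. The checks below catch those cases. constructed_image() is
made-up data so the checks can run offline; the flashrom command in main() is
the one from the post, with the chip name taken from the command line because
it must be the name flashrom printed in step 1.
"""
import hashlib
import math
import subprocess
import sys
from collections import Counter

W25Q16_SIZE = 2 * 1024 * 1024   # 16 Mbit = 2 MiB, the chip on this board


def entropy_bits_per_byte(data):
    """Shannon entropy of a byte string: 0.0 for a constant run, ~8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_dump(data, expected_size=W25Q16_SIZE):
    """Return (ok, problems) for a raw flash image."""
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != expected {expected_size}")
    if data:
        value, count = Counter(data).most_common(1)[0]
        frac = count / len(data)
        if frac > 0.95:   # a real image has code, strings and a file system in it
            problems.append(f"{frac:.0%} of bytes are 0x{value:02x}: "
                            "clip not seated or chip not responding")
        if entropy_bits_per_byte(data[:4096]) < 1.0:
            problems.append("first 4 KiB nearly constant: expected a bootloader at offset 0")
    return (not problems, problems)


def dumps_agree(a, b):
    """True when two reads of the same chip produced identical images."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def diff_sectors(a, b, sector=4096):
    """Offsets of the 4 KiB sectors where two reads disagree (flaky wiring shows up here)."""
    n = max(len(a), len(b))
    return [off for off in range(0, n, sector) if a[off:off + sector] != b[off:off + sector]]


def constructed_image(size=W25Q16_SIZE, seed=b"constructed sample"):
    """Deterministic pseudo-random bytes standing in for a real dump (constructed, not a real image)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def flashrom_read(out_path, chip, dev="/dev/ttyUSB0", speed="1M"):
    """Run the post's read command: flashrom -p buspirate_spi:... -c <chip> -r <file>."""
    subprocess.run(["sudo", "flashrom", "-p", f"buspirate_spi:dev={dev},spispeed={speed}",
                    "-c", chip, "-r", out_path], check=True)


def main(argv):
    if len(argv) != 2:
        sys.exit(f"usage: {argv[0]} <chip name as printed by flashrom in step 1>")
    chip = argv[1]
    images = []
    for path in ("dump1.bin", "dump2.bin"):      # read twice; one read proves nothing
        flashrom_read(path, chip)
        with open(path, "rb") as f:
            images.append(f.read())
    ok, problems = check_dump(images[0])
    for p in problems:
        print("problem:", p)
    if not dumps_agree(*images):
        print("reads differ in sectors:", [hex(o) for o in diff_sectors(*images)])
        ok = False
    print("dump looks sane" if ok else "do not trust this dump")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the two reads differ only in a handful of sectors, the usual causes are a loose clip pin or the board drawing more current than the Bus Pirate's regulator can supply; if they differ everywhere, the SoC was driving the bus.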




Firmware Analysis Basic Approach


This maps to OWASP IoT Top 10 I9: Insecure Software/Firmware; here our main concern is the firmware.


Testing Methodology:

• Get the firmware
• Reconnaissance
• Unpacking
• Localize point of interest
• Decompile/pentest/fun!

I will explain the requirements step by step. Here I am using Ubuntu Xenial 16.04; use whichever Linux you are comfortable with.

Requirements:

1. binwalk
2. strings
3. hexedit
4. Linux OS - Ubuntu or any other
5. Vulnerable firmware

I am not attacking any device directly here: the firmware can be downloaded from the vendor site, or found on open directory listings of some sites.

Installation:

1. binwalk:

Install binwalk as shown below and follow the installation steps at the GitHub location; some dependencies (the extractors binwalk calls for each compression and file system type) need to be installed too. Some of them I will show; for the rest check here

https://github.com/ReFirmLabs/binwalk/blob/master/INSTALL.md

$ sudo apt-get install binwalk





2. strings:

After installing binwalk, the next tool is strings. It is already present on most Linux systems (it is part of binutils); if it is not, install it along with hexedit.

strings prints the printable character sequences in a file. Depending on how the strings program was configured it will default to either displaying all the printable sequences that it can find in each file, or only those sequences that are in loadable, initialised data sections. If the file type is unrecognisable, or if strings is reading from stdin, it will always display all of the printable sequences that it can find.



3. hexedit:

hexedit views and edits files in hexadecimal or in ASCII.



4. Linux OS:

Some Linux distributions give trouble with the extraction tools used in firmware analysis, so I chose Ubuntu.
You can choose another Linux, but expect more issues.

5. Vulnerable firmware:

For firmware testing we need a firmware image. I mention vulnerable firmware because I am not going to target any particular device: people working on firmware analysis built DVRF, the Damn Vulnerable Router Firmware, and we are going to test DVRF. You can download it from here:



Some other firmware files to test


Here I am using a simple OpenWrt image for testing. You can also find images with Google dorks, for example: "index of firmware"


Before starting the firmware analysis


What is firmware:

Firmware is the software stored on a hardware device (bootloader, kernel, root file system and configuration) that makes the device run.

Where to get it:

1. CD/DVD from the vendor
2. Device vendor websites
3. Dump it from the device with a hardware debugger or flash programmer, as in the section above
4. Capture it on the network while the device updates
5. Reverse the vendor's mobile app, which often bundles the image or reveals the update URL

What is firmware testing:

Firmware testing is finding the bugs inside the firmware before attackers do.
The classic findings are buffer, stack and heap overflows in the services the firmware runs, along with hard-coded credentials and keys in its file system. There is functionality testing and security testing; we discuss the security testing.

Why firmware testing:

Firmware holds data the user never sees and it is what controls the device, so a vulnerability found in it, a zero day, is exploitable on every device that ships that firmware. Many such hacks are already public, for example the NetUSB flaw in a kernel module shipped by many router vendors. So, before attackers take advantage of the devices, we test first.


Let's get into testing:

Before I start I want to say that this is not the only or the most advanced method. As a beginner it will give some idea of testing; there are many more methods, and I will keep writing about the different types of firmware analysis and IoT hacking.

1. File information
2. Printable characters analysis
3. Identify the build of the firmware
4. Reverse engineering with binwalk
5. Finding confidential information

Run the file command on the binary to see what it recognises:

 $ file file.bin

For a raw firmware image file usually just answers "data", which means it found no known header at the start of the file (it is neither a text file nor an ELF), not that the file is empty. That is the cue to move on to strings and binwalk, which search the whole file rather than only its first bytes.



Then check the printable characters in the bin file with strings (-n 10 keeps only runs of at least 10 characters, which filters out most of the noise):
 $ strings -n 10 file.bin



The output in the image above tells us the architecture is MIPS. The two architectures you will meet most in embedded devices are MIPS and ARM:

MIPS (Microprocessor without Interlocked Pipeline Stages): a reduced instruction set computer (RISC) architecture found mainly in routers (and in the early PlayStations).

ARM (Advanced RISC Machine): a RISC architecture used mainly in mobiles, SoCs (systems on chip), radios, etc.

Exploitation is possible on both MIPS and ARM. Besides the architecture, strings discloses other information such as checksum strings, kernel version strings, file names and URLs.


Identify the build of the firmware:

To find the build information we look at the start of the image with hexdump; the image header (on OpenWrt images often a U-Boot uImage header) carries the kernel name, architecture and build timestamp in its first bytes

 $ hexdump -C -n 512 xyz.bin





Analysis with binwalk:

With binwalk we can get much more out of the firmware file, so let's begin with the test image.

First scan for signatures, that is, the headers of the files and file systems embedded in the binary:

 $ binwalk file.bin


The scan tells us what the image contains:
LZMA compressed data (the kernel), a SquashFS file system (the root file system) and some other entries. What are they?


The Lempel–Ziv–Markov chain algorithm (LZMA) is a lossless data compression algorithm; it is the compressor most commonly used for the kernel in router firmware.


SquashFS is a compressed read-only file system for Linux. SquashFS compresses files, inodes and directories, and supports block sizes up to 1 MB for greater compression.


The SquashFS image is the root file system, so it is the part that contains the password files, configuration, scripts and certificates we are after.


Extract the data from the firmware and analyse what it contains


$ binwalk -Me file.bin


In binwalk, -e extracts the files found during the scan, and -M (matryoshka) recursively scans and extracts the files as they are extracted, so a compressed file system nested inside the image is unpacked as well. After extraction the output looks like this, as shown below



Then grab the banner and the root file system information from the extracted squashfs-root directory

Command:

$ cat etc/banner


Finding confidential information in the extracted files
Interesting material includes passwords, the root account settings, certificates and private keys, hard-coded URLs, etc.

Once the SquashFS image has been extracted we get more from it, for example the passwords.
Change into the extracted directory (squashfs-root) as shown below and read the files with relative paths; with a leading slash you would be reading your own machine's /etc/passwd rather than the firmware's

$ cat etc/passwd
$ cat etc/shadow

An empty password field for root in either file means the device allows root login without a password (the OpenWrt default until one is set); a hash such as $1$ (md5crypt) can be cracked offline.

To check additional information about

the firmware, such as release and version information


$ cat etc/openwrt_release


$ cat etc/openwrt_version
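As an added example (not from the original post), the script below automates this sweep over an extracted root: it classifies every account in etc/passwd and etc/shadow as passwordless, locked or hashed with a named algorithm, finds private keys and certificates by their PEM markers, collects every URL hard-coded in the tree (an update or cloud endpoint is a good lead for the next test), and reads the OpenWrt release files. The sample tree it builds in a temp directory is constructed, and the hash strings in it are placeholders, not real hashes; pass the path of a real squashfs-root instead.

```python
"""Sweep an extracted firmware root for the material the post lists.

Added example, not from the original post. Pointed at the directory that
binwalk -Me produced (squashfs-root), it reports accounts in etc/passwd and
etc/shadow that are passwordless or carry a crackable hash, files holding
private keys or certificates, URLs hard-coded anywhere in the tree, and the
OpenWrt release files. build_sample_root() writes a constructed tree into a
temp directory (its hash strings are made-up placeholders, not real hashes)
so the script runs offline.
"""
import os
import re
import sys
import tempfile

HASH_ALGOS = {b"$1$": "md5crypt", b"$5$": "sha256crypt", b"$6$": "sha512crypt",
              b"$2a$": "bcrypt", b"$2b$": "bcrypt", b"$2y$": "bcrypt"}
KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"<>]*)?")
RELEASE_FILES = ("etc/openwrt_release", "etc/openwrt_version")
SKIP_DIRS = {"proc", "sys", "dev"}
MAX_FILE = 4 * 1024 * 1024


def classify_password_field(field):
    """Meaning of the second field of a passwd/shadow line; None when the account is
    locked ('*', '!...') or the password is deferred to shadow ('x')."""
    if field == b"":
        return "empty (login without password)"
    if field == b"x" or field.startswith((b"*", b"!")):
        return None
    for prefix, algo in HASH_ALGOS.items():
        if field.startswith(prefix):
            return algo
    return "descrypt/unknown"


def accounts(path):
    """[(user, classification)] for every line of a passwd or shadow file worth reporting."""
    found = []
    with open(path, "rb") as f:
        for line in f:
            parts = line.rstrip(b"\r\n").split(b":")
            if len(parts) < 2 or parts[0].startswith(b"#"):
                continue
            kind = classify_password_field(parts[1])
            if kind:
                found.append((parts[0].decode(errors="replace"), kind))
    return found


def sweep(root):
    """Walk an extracted root and collect the findings described in the post."""
    findings = {"accounts": [], "private_keys": [], "certificates": [], "urls": set(), "release": {}}
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            findings["accounts"] += [(rel, user, kind) for user, kind in accounts(path)]
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > MAX_FILE:   # busybox applets are links
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                blob = f.read()
            if KEY_RE.search(blob):
                findings["private_keys"].append(rel)
            if b"-----BEGIN CERTIFICATE-----" in blob:
                findings["certificates"].append(rel)
            if rel in RELEASE_FILES:
                findings["release"][name] = blob.decode(errors="replace").strip()
            findings["urls"].update(m.decode(errors="replace") for m in URL_RE.findall(blob))
    return findings


def build_sample_root():
    """Constructed squashfs-root look-alike; every value below is made up for the demo."""
    root = tempfile.mkdtemp(prefix="squashfs-root-")
    files = {
        "etc/passwd": "root::0:0:root:/root:/bin/ash\nadmin:x:1000:1000::/home/admin:/bin/ash\n"
                      "daemon:*:1:1:daemon:/var:/bin/false\n",
        "etc/shadow": "root::0:0:99999:7:::\nadmin:$1$placeholder$notarealhash0000000000:17000:0:99999:7:::\n"
                      "daemon:*:0:0:99999:7:::\n",
        "etc/openwrt_release": "DISTRIB_ID='OpenWrt'\nDISTRIB_RELEASE='15.05'\n",
        "etc/openwrt_version": "15.05\n",
        "etc/ssl/private/server.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n",
        "etc/opkg/distfeeds.conf": "src/gz base http://downloads.openwrt.org/releases/15.05/packages/ramips\n",
        "usr/lib/lua/cloud.lua": "local api = 'https://cloud.example.com:8443/api/v1/register'\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
    return root


if __name__ == "__main__":
    report = sweep(sys.argv[1] if len(sys.argv) > 1 else build_sample_root())
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run it as `python3 sweep.py squashfs-root`; with no argument it sweeps the constructed tree. Locked accounts are deliberately dropped from the report so that the list contains only what is actually worth cracking or abusing.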
 




Software Defined Radio

Part 1

 
SDR, software defined radio, is used to capture and analyse radio frequency signals. We can monitor signals and also transmit them; for legal and safety reasons I am not showing transmission here, but soon I will write up how to pentest key fobs and smart door locks with replay attacks.

What we are going to discuss

1. Introduction about Radio And Software Defined Radio
2. Various types of devices
3. Antennas
4. Radio waves
5. Capturing the FM Signals And Analyzing


Requirements:

1. Software Defined Radio (SDR)
2. Antenna
3. gqrx (SDR receiver application for Linux and macOS)
4. GNU Radio Companion
5. Computer


Radio:

Radio is the technology of using radio waves to carry information, such as sound, by systematically modulating some property of electromagnetic energy waves transmitted through space, such as their amplitude, frequency, phase, or pulse width.(Wikipedia)





Software Defined Radio (SDR):
Radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are
instead implemented by means of software on a personal computer or embedded system.(Wikipedia)




Some other SDR devices for testing radio signals

1. AirSpy


Antennas
An antenna, or aerial, is an electrical device which converts electric power into radio waves, and vice versa. It is usually used with a radio transmitter or radio receiver. (Wikipedia)

Types of antennas:
1. Wire antennas
2. Travelling wave antennas
3. Reflector antennas
4. Microstrip antennas
5. Log-periodic antennas
6. Aperture antennas





Radio Waves
Radio waves are a type of electromagnetic radiation with wavelengths in the electromagnetic spectrum longer than infrared light. Radio waves have frequencies as high as 300 GHz to as low as 3 kHz, though some definitions describe waves above 1 or 3 GHz as microwaves, or include waves of any lower frequency. At 300 GHz, the corresponding wavelength is 1 mm (0.039 in), and at 3 kHz is 100 km (62 mi). Like all other electromagnetic waves, they travel at the speed of light. Naturally occurring radio waves are generated by lightning, or by astronomical objects.(Wikipedia)






Analyzing FM Signals:

Connect the SDR to the computer as shown below


Then connect the antenna. Here we are using a discone antenna, a wideband antenna that covers the whole range we tune across without being retuned.
For pulling in weak signals from far away, people use directional antennas such as parabolic dishes; the trade-off is that they must be pointed at the source.

After connecting the SDR, run gqrx and set the frequency of the FM station to test, for example 93.5 MHz
Features of gqrx
    • Discover devices attached to the computer.
    • Process I/Q data from the supported devices.
    • Change frequency, gain and apply various corrections (frequency, I/Q balance).
    • AM, SSB, CW, FM-N and FM-W (mono and stereo) demodulators.
    • Special FM mode for NOAA APT.
    • Variable band pass filter.
    • AGC, squelch and noise blankers.
    • FFT plot and waterfall.
    • Record and playback audio to / from WAV file.
    • Record and playback raw baseband data.
    • Spectrum analyzer mode where all signal processing is disabled.





At that frequency we can observe a thick vertical band in the waterfall. The band is the station's occupied bandwidth (a broadcast FM channel is roughly 200 kHz wide), and its presence means the carrier is carrying audio.




 
GNU Radio is a free signal-processing toolkit, written in C++ with Python bindings, whose flowgraphs can run against real SDR hardware or, without hardware, in a simulation-like environment. It is widely used in hobbyist, academic, and commercial environments to support both wireless communications research and real-world radio systems.

Download from here

To install GNU Radio (including GNU Radio Companion, the graphical flowgraph editor) on Ubuntu run
$ sudo apt install gnuradio


To analyse the FM signal with GNU Radio, download the flowgraph and open it with gnuradio-companion



Set the frequency in the WX GUI slider as shown below and click run



The Fast Fourier Transform (FFT) is simply a fast (computationally efficient) way to calculate the Discrete Fourier Transform (DFT).

Fourier analysis converts a signal from its original domain (often time or space) to a representation in the frequency domain and vice versa. In the receiver it turns each block of I/Q samples into the power present at every frequency across the captured bandwidth.

Here we can see the FFT plot (Fast Fourier Transform) shown below





In SDR software the waterfall plot is the FFT plot stacked over time: frequency runs across, time runs down and the colour shows the power in each bin, so a station appears as a vertical band and a short transmission as a horizontal streak.
And here is the waterfall plot image
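To make concrete what the FFT plot, the waterfall and the FM demodulator in the flowgraph are doing, here is an added example in pure Python (not from the original post, which uses gqrx and GNU Radio Companion). It synthesises an I/Q capture with one FM station carrying a test tone (the sample rate, station offset, tone and deviation are constructed values chosen to match an RTL-SDR and broadcast FM), demodulates it with the same quadrature discriminator that the WBFM receive block uses, recovers the tone with an FFT, and measures how much of the signal's power lies inside the Carson bandwidth, which is the width of the thick band the station makes in the waterfall.

```python
"""What the receiver does with an FM station, in pure Python.

Added example, not from the original post, which does this with gqrx and a
GNU Radio Companion flowgraph. It builds the three pieces the post looks at:
the FFT that the spectrum and waterfall are made of, the quadrature
discriminator that turns I/Q samples into audio (what the WBFM receive block
does), and Carson's rule for the width of the band a station occupies.
Assumptions (all constructed): a 1.024 MS/s capture (an RTL-SDR rate), a
station 100 kHz above the tuned centre, and a 2 kHz test tone at the 75 kHz
broadcast deviation. Replace synth_wfm() with samples from a recording (as
complex numbers) to analyse a real capture.
"""
import cmath
import math

FS = 1_024_000            # capture sample rate, Hz (constructed)
N = 16384                 # FFT size: FS / N = 62.5 Hz per bin
STATION_OFFSET = 100_000  # station relative to the tuned centre, Hz (constructed)
DEVIATION = 75_000        # peak deviation of broadcast wideband FM, Hz
TONE = 2_000              # audio test tone, Hz (constructed)


def synth_wfm(n=N, fs=FS, f_off=STATION_OFFSET, dev=DEVIATION, f_tone=TONE):
    """Constructed I/Q: a carrier at f_off, frequency-modulated by a single tone.
    Returns n + 1 samples so the discriminator can produce n outputs."""
    beta = dev / f_tone   # modulation index
    return [cmath.exp(1j * (2 * math.pi * f_off * k / fs
                            + beta * math.sin(2 * math.pi * f_tone * k / fs)))
            for k in range(n + 1)]


def fm_discriminator(iq, fs=FS):
    """Instantaneous frequency (Hz) from the phase step between consecutive samples."""
    return [cmath.phase(iq[k + 1] * iq[k].conjugate()) * fs / (2 * math.pi)
            for k in range(len(iq) - 1)]


def fft(x):
    """Radix-2 decimation-in-time FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddled = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + twiddled, even[k] - twiddled
    return out


def power_spectrum(x):
    """|X[k]|^2 per bin; bins 0..n/2-1 cover 0..fs/2, the rest are negative frequencies."""
    return [abs(v) ** 2 for v in fft(x)]


def analyse(iq, fs=FS, dev=DEVIATION):
    """Carrier offset, recovered audio tone and Carson-band occupancy of an I/Q block."""
    n = len(iq) - 1
    bin_hz = fs / n
    inst_f = fm_discriminator(iq, fs)
    offset = sum(inst_f) / n                       # the carrier's offset from centre
    audio = [(f - offset) / dev for f in inst_f]   # demodulated audio, +-1 at full deviation
    aud_spec = power_spectrum(audio)
    tone_bin = max(range(1, n // 2), key=aud_spec.__getitem__)
    tone_hz = tone_bin * bin_hz
    # Carson's rule: about 98% of the FM power sits within +-(deviation + highest audio freq)
    rf_spec = power_spectrum(iq[:n])
    lo = int((offset - (dev + tone_hz)) / bin_hz)
    hi = int((offset + (dev + tone_hz)) / bin_hz) + 1
    in_band = sum(rf_spec[max(lo, 0):min(hi, n)]) / sum(rf_spec)
    return {"offset_hz": offset, "tone_hz": tone_hz, "carson_fraction": in_band,
            "carson_bandwidth_hz": 2 * (dev + tone_hz),
            "peak_deviation_hz": max(abs(f - offset) for f in inst_f)}


if __name__ == "__main__":
    for key, value in analyse(synth_wfm()).items():
        print(f"{key}: {value:.3f}")
```

The Carson bandwidth is what sets the width of the band you see in gqrx: for broadcast FM with 15 kHz audio and 75 kHz deviation it comes to 180 kHz, which is why stations are spaced 200 kHz apart. A real capture would add noise and a de-emphasis filter after the discriminator; the discriminator itself is unchanged.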



What we did in this part is just analyse an ordinary FM broadcast signal, so it is not very interesting yet; the next signal analysis module will be a bit more interesting, more to come.