Virtualizing ARM-Based Firmware Part - 2

    mihir
    14-June-2020

Welcome to Part 2 of the ARM firmware emulation blog series. If you haven't gone through Part 1 of Firmware Emulation, I recommend reading it first: the ARM system built in Part 1 is used throughout this part.

This blog walks you through emulating an ARM-based firmware image, for example from a router or an IP camera. By the end you will have the firmware's root filesystem running inside the ARM system. Buckle up and get your tools ready.

Part - 2: Booting up ARM Firmware

Let's start booting the firmware on the ARM machine. The steps are:

  • Download any ARM based firmware and extract it
  • Boot up firmware

Install required tools

sudo apt-get install binwalk unzip

binwalk hands squashfs images to unsquashfs (or its sasquatch fork, which also copes with vendor-modified LZMA); if binwalk -e below complains that the tool is missing or leaves squashfs-root empty, install squashfs-tools or sasquatch as well.

Download any ARM based firmware and extract it

Before starting, shut down the ARM system started at the end of Part 1 with sudo shutdown -h now. The host will mount the guest's root partition directly to copy the firmware into it, and mounting a partition that a running guest is still writing to corrupts the filesystem. This section downloads the firmware and extracts it.

  • Download any firmware. For the demo, https://support.dlink.com/ProductInfo.aspx?m=DIR-890L%2FR is used; this is the firmware of a D-Link DIR-890L router.

  • Extract the download. The archive may contain many files (release notes, tools); usually the .bin file is the firmware image itself.
(Image: Firmware file extraction)

  • Use binwalk to inspect and extract the contents of the .bin file.

  • binwalk filename.bin lists the signatures found inside the file (headers, compressed kernel, filesystem) together with their offsets.

  • binwalk -e filename.bin extracts them. After extraction a directory named _filename.bin.extracted (prefixed with "_") is created containing the extracted contents.
(Image: Firmware file extracted)

  • Move into the extracted directory and explore. Here the filesystem is squashfs, so binwalk has unpacked it into a folder named squashfs-root. This folder is the operating system that boots when the router is powered on: a minimal Linux userland, usually BusyBox plus the vendor's daemons, with only the software the device needs.
(Image: Firmware content)

  • On the host, mount the ARM root partition created in Part 1: sudo mount <drivepath> ~/armfs (the partition is /dev/sdb1 in the setup used here, the same device passed to QEMU below).

  • Copy squashfs-root into the ARM filesystem: sudo cp -a squashfs-root ~/armfs/squashfs-root. Use cp -a rather than cp -r so that ownership, permission bits (including setuid) and symlinks are preserved; BusyBox applets and the init scripts depend on them. At this point there is a directory called squashfs-root in the ARM filesystem.
(Image: Copy Firmware content)

  • Unmount the filesystem: sudo umount ~/armfs.
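Before booting, it is worth confirming that what binwalk unpacked really is an ARM little-endian userland, and copying it in a way that keeps permissions intact. The script below is an added example and not part of the original post: it reads the ELF header of a core binary in squashfs-root to determine architecture and endianness, refuses anything the Part 1 guest cannot execute, and then copies the tree into the mounted ARM partition with cp -a. The helper names, the _firmware.bin.extracted path and the ~/armfs mount point are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the extracted root
# filesystem before copying it into the ARM guest.  Assumed layout (mine, not
# the post's): binwalk -e produced _firmware.bin.extracted/squashfs-root, and
# the guest's root partition (/dev/sdb1 in the post) is mounted at ~/armfs.
set -e

# Read one byte of a file as a decimal number: byte_at OFFSET FILE
byte_at() {
    od -An -tu1 -j "$1" -N 1 "$2" | tr -d ' \n'
}

# Print the CPU architecture and endianness encoded in an ELF header:
# EI_DATA at byte 5 (1 = little, 2 = big endian) and the 16-bit e_machine
# field at bytes 18-19 (values from the ELF spec: EM_ARM = 40, EM_MIPS = 8,
# EM_AARCH64 = 183, EM_386 = 3, EM_X86_64 = 62).
elf_arch() {
    f=$1
    magic=$(od -An -tx1 -N 4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not-elf"
        return 1
    fi
    data=$(byte_at 5 "$f")
    b0=$(byte_at 18 "$f")
    b1=$(byte_at 19 "$f")
    if [ "$data" = "2" ]; then
        endian=be; machine=$(( (b0 << 8) | b1 ))
    else
        endian=le; machine=$(( (b1 << 8) | b0 ))
    fi
    case $machine in
        40)  echo "arm-$endian" ;;
        183) echo "aarch64-$endian" ;;
        8)   echo "mips-$endian" ;;
        3)   echo "i386-$endian" ;;
        62)  echo "x86_64-$endian" ;;
        *)   echo "unknown-$machine-$endian" ;;
    esac
}

# Report the architecture of a rootfs from its first core binary.  On a
# BusyBox system bin/sh and sbin/init are usually symlinks to bin/busybox;
# [ -f ] follows the link, so a dangling link is simply skipped.
check_rootfs() {
    root=$1
    for cand in bin/busybox bin/sh sbin/init; do
        [ -f "$root/$cand" ] || continue
        if arch=$(elf_arch "$root/$cand"); then
            echo "$arch"
            return 0
        fi
    done
    echo "no ELF binary found in $root/bin or $root/sbin" >&2
    return 1
}

# Copy the rootfs into the mounted guest partition, refusing anything that
# is not ARM little-endian (what qemu-system-arm -M virt -cpu cortex-a15
# from Part 1 executes).  cp -a, unlike cp -r, keeps ownership, modes
# including setuid bits, and symlinks, which the init scripts depend on.
install_rootfs() {
    root=$1
    dest=$2
    arch=$(check_rootfs "$root")
    if [ "$arch" != "arm-le" ]; then
        echo "refusing to install: rootfs is $arch, guest is arm-le" >&2
        return 1
    fi
    sudo cp -a "$root" "$dest/squashfs-root"
    sync
}

# Usage on the host, with the guest shut down:
#   sudo mount /dev/sdb1 ~/armfs
#   sh check-rootfs.sh _firmware.bin.extracted/squashfs-root ~/armfs
#   sudo umount ~/armfs
if [ "$#" -eq 2 ]; then
    install_rootfs "$1" "$2"
fi
```

The architecture check is there because binwalk will just as happily unpack a MIPS or big-endian image; a mismatched rootfs only fails later, inside the guest, with an unhelpful "exec format error" from chroot.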

  • Boot up the ARM system:

sudo qemu-system-arm -M virt -cpu cortex-a15 \
    -kernel <kernel path>/arch/arm/boot/zImage -nographic \
    -append "-noinitrd root=/dev/sda rw init=/sbin/init" \
    -device virtio-scsi-device,id=scsi -device scsi-hd,drive=hd \
    -drive if=none,id=hd,file=<device path, in my case /dev/sdb1> \
    -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
    -device virtio-net-device,netdev=net0,mac=52:55:00:d1:55:01

  • Once the ARM system is up, check the IP address it was assigned with ifconfig and ssh to it.
(Image: SSH to ARM system)

  • Navigate to the /squashfs-root directory. The next step is to find the init script that starts the router's firmware.

  • Init scripts usually live under /etc/: look in the init, init.d and init0.d directories and at the /etc/inittab file. On BusyBox-based firmware, init reads /etc/inittab and runs its ::sysinit: entry first, and falls back to /etc/init.d/rcS when there is no inittab. We need that first script, the one that starts a few services itself and then executes the others.

  • Here we found the /squashfs-root/etc/init.d directory, which contains rcS. This file starts the services and runs the remaining scripts.
(Image: Find the init script)

  • Bind-mount proc, dev and sys from the ARM system into the router's filesystem; the firmware expects them, and we are simulating the device rather than booting its kernel:

sudo mount --bind /proc /squashfs-root/proc
sudo mount --bind /dev /squashfs-root/dev
sudo mount --bind /sys /squashfs-root/sys


  • After mounting, change root into the squashfs-root filesystem. If everything goes well, you get the router's shell:
sudo chroot /squashfs-root /bin/sh

(Image: Router's shell)

  • Now run the init script, /etc/init.d/rcS, from the router's shell.
(Image: Router started)

  • Once you run the script, the router starts booting. Expect errors on screen: the scripts try to configure hardware that the virtual machine does not have.

Optional: later you can identify the processes that keep retrying the missing hardware and kill them, which reduces or stops the errors.

From the ARM system, keep watching the processes being spawned (ps, and netstat or ss for listening ports). Once httpd or an equivalent web service is up and running, you can browse the router's web portal.
(Image: Router access from browser 1)
(Image: Router access from browser 2)
Because this demo setup runs in a virtual machine, an SSH SOCKS tunnel was created to the ARM system to reach the router's web interface from the host browser. Depending on your setup, you may need to change some configuration or run a few basic Linux commands to start the firmware and reach the web portal.
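The guest-side steps (find the init script, bind-mount proc, dev and sys, chroot, run rcS) as one script, added here as an example and not taken from the original post. It runs as root inside the ARM system; the /squashfs-root path follows the steps above, and the function names are mine. find_init_script prefers the ::sysinit: entry of /etc/inittab over guessing, since that is what BusyBox init itself would run first, and enter_firmware cleans up the bind mounts when the chroot shell exits.

```shell
#!/bin/sh
# Added example, not from the original post: the chroot step as a script to
# run as root inside the ARM guest.  Assumes the firmware rootfs lives at
# /squashfs-root as in the steps above; the helper names are mine.
set -e

# Pick the command that brings the firmware up.  BusyBox init reads
# /etc/inittab and runs the "::sysinit:" entry first; if there is no inittab
# it runs /etc/init.d/rcS.  Prints the command (path plus any arguments) as
# it should be run inside the chroot.
find_init_script() {
    root=$1
    if [ -f "$root/etc/inittab" ]; then
        # inittab format: id:runlevels:action:process.  Skip comment lines
        # and keep everything after the third colon so arguments survive.
        cmd=$(awk -F: '!/^#/ && $3 == "sysinit" {
                           sub(/^[^:]*:[^:]*:[^:]*:/, ""); print; exit }' \
                  "$root/etc/inittab")
        if [ -n "$cmd" ]; then
            echo "$cmd"
            return 0
        fi
    fi
    if [ -x "$root/etc/init.d/rcS" ]; then
        echo "/etc/init.d/rcS"
        return 0
    fi
    echo "no sysinit entry or /etc/init.d/rcS under $root/etc" >&2
    return 1
}

# Bind the guest's proc, dev and sys into the rootfs, chroot in and run the
# init command.  The EXIT trap unmounts again: a bind mount left behind is
# the usual reason a second attempt fails with "device or resource busy",
# and an rm -rf of the rootfs would then start deleting the guest's /dev.
# (mountpoint comes from util-linux; BusyBox provides it as well.)
enter_firmware() {
    root=${1:-/squashfs-root}
    init=$(find_init_script "$root")
    if [ "$(uname -m)" != "armv7l" ]; then
        echo "warning: running on $(uname -m), expected the ARM guest" >&2
    fi
    for d in proc dev sys; do
        mountpoint -q "$root/$d" || mount --bind "/$d" "$root/$d"
    done
    trap 'for d in sys dev proc; do umount "$root/$d" 2>/dev/null || true; done' EXIT
    echo "running $init inside $root (errors about absent hardware are expected)" >&2
    # Prefix "sh -x" to the script path by hand when you need to see which
    # command each error comes from.
    chroot "$root" /bin/sh -c "$init"
}

# From a second shell in the guest: block until something listens on port 80,
# then list the firmware's web server processes.
wait_for_httpd() {
    until netstat -tln 2>/dev/null | grep -q ':80 '; do
        sleep 2
    done
    ps | grep -v grep | grep -i httpd
}

# Usage (as root inside the guest): sh enter-firmware.sh /squashfs-root
if [ "$#" -ge 1 ]; then
    enter_firmware "$1"
fi
```

Running rcS directly, as the steps above do, is the same thing without the bookkeeping; the script only adds the inittab lookup and the guaranteed unmount, which is what you will want once you start and stop the firmware repeatedly while testing.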

Bingo, the router is up and running…

Now you can start testing the web interface or the binaries present in the router.

Happy fuzzing and hacking ;)


Payatu is at the front line of IoT security research, with a world-renowned team and cutting-edge in-house tools like expliot.io. In the last 8+ years, Payatu has performed security assessments of 100+ IoT product ecosystems, and we understand the IoT ecosystem inside out.
