Welcome to Part-2 of ARM firmware emulation blog series. If you haven’t gone through part 1 of Firmware Emulation, I would recommend to go through it. ARM system built during Part 1 will be used here.
This blog will guide you through emulating any ARM based firmware for e.g. a router or a IP camera etc. At the end of this blog you will have your ARM firmware emulated in your system. Buckle up and get ready with your tools.
Part – 2: Booting up ARM Firmware
Let’s start booting up firmware on ARM machine. Steps are below:
- Download any ARM based firmware and extract it
- Boot up firmware
Install required tools
sudo apt-get install binwalk unzip
Download any ARM trusted firmware and extract it
Before starting with the steps make sure to shutdown the ARM system which was started at the end of part1
sudo shutdown -h now. This step will help to download firmware and extract it.
- Download any firmware. For demo, https://support.dlink.com/ProductInfo.aspx?m=DIR-890L%2FR is used. This is firmware of a router.
- Extract it. The extracted content may contain many files. Usually
.binfile contains firmware.
- Use binwalk to see and extract contents of the .bin file.
binwalk filename.binto see the content of the file.
- To extract content of .bin file content use
binwalk -e filename.bin. After extraction a directory prefixed with “_” will be created containing extracted contents.
- Move to the extracted directory and explore more. Here the file system is “squashfs”. So there is a folder with the name squashfs-root. This folder contains an operating system which will boot up when the router is started. It is a minified linux with required softwares in it.
- Mount the ARM partition
sudo mount <drivepath> <foldername>.
- Copy the content of squashfs-root to ARM system
sudo cp -r squashfs-root ~/armfs/squashfs-root. At this point there should be a directory called
squashfs-rootin the ARM file system.
- Unmount the file system
sudo umount ~/armfs.
- Bootup the ARM system
1sudo qemu-system-arm -M virt -cpu cortex-a15 -kernel <kernel path>/arch/arm/boot/zImage -nographic -append "-noinitrd root=/dev/sda rw init=/sbin/init" -device virtio-scsi-device,id=scsi -device scsi-hd,drive=hd -drive if=none,id=hd,file=<device path. In my case /dev/sdb1> -netdev tap,id=net0,ifname=tap0,script=no,downscript=no -device virtio-net-device,netdev=net0,mac=52:55:00:d1:55:01
- Once the ARM system is up, check its allocated ip
ifconfigand ssh to it.
- Navigate to
/squashfs-rootdirectory. Next step is to find the init script which will initiate(start) the router’s firmware.
- Usually init scripts are present under /etc/ => init, init.d, init0.d and inittab directories. We need to identify the first init script which will trigger all the scripts and start the router. The script will contain code to initiate a few services and will execute other scripts too.
- Here we found /squashfs-root/etc/init.d directory which contains rcS file. This file contains code to run all the scripts and move further with running other scripts too.
- Mount proc, dev, sys from ARM system to router’s firmware as we are simulating firmware.
1sudo mount --bind /proc /squashfs-root/proc 2sudo mount --bind /dev /squashfs-root/dev 3sudo mount --bind /sys /squashfs-root/sys
- After mounting, change the root to squashfs-root filesystem. If everything goes well, it will result in a router’s shell.
1sudo chroot /squashfs-root /bin/sh
- Now just run the init script from
/etc/init.d/rcSfrom the router’s shell.
- Once you run the above script, router will start booting up. There might be errors getting displayed on screen as hardware is not present.
Optional: Later on you can identify and kill the respective process which will reduce or stop the errors being displayed.
From the ARM file system keep on looking at the processes getting spawn. Once httpd or a related webservice is up and running you will be able to browse through the web portal of the router.As this demo setup is on a virtual machine, A ssh socks tunnel was created to the ARM system to access the web interface of the router. Depending on your setup, you might need to change some configurations or might need to go through some basic linux commands to start the firmware and access the web portal.
Bingo router is up and running…
Now you can start testing the web interface or binaries present in the router.
Happy fuzzing and hacking 😉
Payatu is at the front line of IoT security research, with a world-renowned team, and cutting edge in house tools like expliot.io. In the last 8+ years, Payatu has performed, security assessment of 100+ IoT product ecosystems and we understand the IoT ecosystem inside out.
Get in touch with us by clicking below “Get Started Today” button.