Virtualizing ARM-Based Firmware Part – 2

Welcome to Part 2 of the ARM firmware emulation blog series. If you haven’t gone through Part 1 of Firmware Emulation, I would recommend going through it first, since the ARM system built during Part 1 will be used here.

This post will guide you through emulating an ARM-based firmware image, for example from a router or an IP camera. By the end of it you will have your ARM firmware running in your system. Buckle up and get ready with your tools.

Part – 2: Booting up ARM Firmware

Let’s start booting up the firmware on the ARM machine. The steps are:

  • Download any ARM based firmware and extract it
  • Boot up firmware

Install required tools

sudo apt-get install binwalk unzip

Download an ARM-based firmware image and extract it

Before starting with the steps, make sure to shut down the ARM system which was started at the end of Part 1 (sudo shutdown -h now). The following steps download a firmware image and extract it.

  • Download any firmware. For the demo, https://support.dlink.com/ProductInfo.aspx?m=DIR-890L%2FR is used. This is the firmware of a router.
  • Extract it. The extracted content may contain many files. Usually the .bin file contains the firmware. (Screenshot: Firmware file extraction)
  • Use binwalk to view and extract the contents of the .bin file.
  • Use binwalk filename.bin to see the content of the file.
  • To extract the content of the .bin file use binwalk -e filename.bin. After extraction a directory prefixed with “_” will be created containing the extracted contents. (Screenshot: Firmware file extracted)
  • Move to the extracted directory and explore further. Here the file system is “squashfs”, so there is a folder with the name squashfs-root. This folder contains the operating system which boots when the router is started: a minimal Linux with the required software in it. (Screenshot: Firmware content)
  • Mount the ARM partition: sudo mount <drivepath> <foldername>. (Screenshot: Firmware content)
  • Copy the content of squashfs-root to the ARM system: sudo cp -r squashfs-root ~/armfs/squashfs-root. At this point there should be a directory called squashfs-root in the ARM file system. (Screenshot: Copy Firmware content)
  • Unmount the file system: sudo umount ~/armfs.
  • Boot up the ARM system:

sudo qemu-system-arm -M virt -cpu cortex-a15 -kernel <kernel path>/arch/arm/boot/zImage -nographic -append "-noinitrd root=/dev/sda rw init=/sbin/init" -device virtio-scsi-device,id=scsi -device scsi-hd,drive=hd -drive if=none,id=hd,file=<device path. In my case /dev/sdb1> -netdev tap,id=net0,ifname=tap0,script=no,downscript=no -device virtio-net-device,netdev=net0,mac=52:55:00:d1:55:01
  • Once the ARM system is up, check its allocated IP with ifconfig and ssh to it. (Screenshot: SSH to ARM system)
  • Navigate to the /squashfs-root directory. The next step is to find the init script which initiates (starts) the router’s firmware.
  • Usually init scripts are present under /etc/ => the init, init.d and init0.d directories and the inittab file. We need to identify the first init script which triggers all the other scripts and starts the router. The script will contain code to initiate a few services and will execute other scripts too.
  • Here we found the /squashfs-root/etc/init.d directory which contains the rcS file. This file contains code to run all the scripts and move further with running other scripts too. (Screenshot: Find the init script)
  • Mount proc, dev and sys from the ARM system into the router’s firmware, as we are simulating the firmware:

sudo mount --bind /proc /squashfs-root/proc
sudo mount --bind /dev /squashfs-root/dev
sudo mount --bind /sys /squashfs-root/sys


  • After mounting, change the root to the squashfs-root filesystem. If everything goes well, it will result in the router’s shell:

sudo chroot /squashfs-root /bin/sh

(Screenshot: Router’s shell)

  • Now just run the init script /etc/init.d/rcS from the router’s shell. (Screenshot: Router Started)
  • Once you run the above script, the router will start booting up. There may be errors displayed on screen as the hardware is not present.
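The following script is an added example, not part of the original post: it automates the steps above by locating the firmware's first init script (checking the inittab sysinit entry, then rcS, then /etc/init, the places the post names), bind-mounting proc, dev and sys, and chrooting into the rootfs. It assumes the extracted rootfs path (e.g. /squashfs-root) is passed as the first argument and that it runs as root inside the QEMU guest.

```bash
#!/bin/sh
# Added example (not from the original post): find the firmware's first init
# script inside the extracted rootfs, then bind-mount proc/dev/sys and chroot
# into it, automating the manual steps above. Assumes the rootfs path
# (e.g. /squashfs-root) is given as $1 and that mount/chroot run as root.

# Print the init script path (relative to the rootfs), checking the places the
# post lists: the sysinit entry of /etc/inittab first, then /etc/init.d/rcS,
# then /etc/init. Returns 1 when nothing is found.
find_init_script() {
    root="$1"
    if [ -f "$root/etc/inittab" ]; then
        # BusyBox inittab lines: id:runlevels:action:process
        entry=$(awk -F: '!/^#/ && $3 == "sysinit" { print $4; exit }' "$root/etc/inittab")
        entry=${entry%% *}   # drop arguments, keep the program path
        if [ -n "$entry" ] && { [ -e "$root$entry" ] || [ -L "$root$entry" ]; }; then
            echo "$entry"
            return 0
        fi
    fi
    for candidate in /etc/init.d/rcS /etc/init; do
        # -L also accepts symlinks whose absolute target only resolves inside the chroot
        if [ -e "$root$candidate" ] || [ -L "$root$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Bind the pseudo-filesystems and start the firmware's init script in a chroot.
# The firmware then runs as root with the guest's /dev visible, which is why
# this belongs inside the QEMU guest from Part 1, not on the analysis host.
start_firmware() {
    root="$1"
    init=$(find_init_script "$root") || { echo "no init script found in $root" >&2; return 1; }
    for fs in proc dev sys; do
        mkdir -p "$root/$fs"
        # mountpoint(1) is from util-linux; skip already-mounted dirs on re-runs
        mountpoint -q "$root/$fs" || mount --bind "/$fs" "$root/$fs"
    done
    echo "starting firmware with $init"
    chroot "$root" /bin/sh -c "$init"
}

if [ -n "${1:-}" ]; then
    start_firmware "$1"
fi
```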

Optional: Later on you can identify and kill the respective processes, which will reduce or stop the errors being displayed.

From the ARM file system keep looking at the processes being spawned. Once httpd or a related web service is up and running you will be able to browse the web portal of the router. (Screenshots: Router Access From Browser 1, Router Access From Browser 2) As this demo setup is on a virtual machine, an SSH SOCKS tunnel was created to the ARM system to access the web interface of the router. Depending on your setup, you might need to change some configurations or go through some basic Linux commands to start the firmware and access the web portal.

Bingo, the router is up and running…

Now you can start testing the web interface or binaries present in the router.

Happy fuzzing and hacking 😉


Payatu is at the front line of IoT security research, with a world-renowned team and cutting-edge in-house tools like expliot.io. In the last 8+ years, Payatu has performed security assessments of 100+ IoT product ecosystems, and we understand the IoT ecosystem inside out.
