Analyze Firmware

After you successfully obtained a firmware dump, it's time to analyze its content.

Quick wins

binwalk is the goto option for quickly analyzing your firmware

• Identify data

  • binwalk firmware.bin : will give you an overview which contents are found in the dump

  • Example Output:

    Copy

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             U-Boot bootloader image, header size: 64 bytes, load address: 0x80800000, entry point: 0x80800000, CRC32: 0xFFFFFFFF
    64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 524288 bytes
    1024          0x400           Linux kernel ARM boot executable zImage (little-endian)
    1048576       0x100000        Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 262144 bytes, 1198 inodes, blocksize: 131072 bytes, created: Mon Jan  1 00:00:00 2024

• Extract Firmware

  • binwalk -e firmware.bin : will try to automatically extract all content => will often give us full root-filesystem.

  • Example:
• Entropy Analyiss

  • binwalk -E firmware.binThis will give us the entropy of the firmware

    • Note: parts of very high entropy can be sign for compression or encryption being used.

    • Example Output:

The strings command can be helpful to quickly find sensitive data like passwords or password hashes:

• Password Hashes:

  Copy

  strings firmware.bin | grep -E ':[x$1$5$6]:'

• Hardcoded Credentials

  Copy

  strings firmware.bin | grep -i 'password'
  strings firmware.bin | grep -i 'user'
  strings firmware.bin | grep -i 'admin'
  strings firmware.bin | grep -i 'login'

• Private Keys and Certificates

  Copy

  strings firmware.bin | grep -i 'PRIVATE KEY'
  strings firmware.bin | grep -i 'BEGIN RSA'
  strings firmware.bin | grep -i 'BEGIN DSA'

• API Keys, Tokens, and Secrets

  Copy

  strings firmware.bin | grep -i 'api_key'
  strings firmware.bin | grep -i 'token'
  strings firmware.bin | grep -i 'secret'

• IP Addresses and URLs

  Copy

  strings firmware.bin | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
  strings firmware.bin | grep -E 'http://|https://'
  strings firmware.bin | grep -i 'ftp'

• Configuration Files

  Copy

  strings firmware.bin | grep -i '.conf'
  strings firmware.bin | grep -i '.ini'
  strings firmware.bin | grep -i '.xml'

• Encryption Keys and Passwords

  Copy

  strings firmware.bin | grep -i 'encryption_key'
  strings firmware.bin | grep -i 'aes'
  strings firmware.bin | grep -i 'des'
  strings firmware.bin | grep -i 'key='

• Version Information

  Copy

  strings firmware.bin | grep -i 'version'
  strings firmware.bin | grep -i 'build'

• Debug Information

  Copy

  strings firmware.bin | grep -i 'debug'
  strings firmware.bin | grep -i 'trace'
  strings firmware.bin | grep -i 'error'
  strings firmware.bin | grep -i 'fail'

• Email Addresses

  Copy

  strings firmware.bin | grep -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'

• Encryption/Decryption Routines

  Copy

  strings firmware.bin | grep -i 'openssl'
  strings firmware.bin | grep -i 'encrypt'
  strings firmware.bin | grep -i 'decrypt'

• Default and Backup Files

  Copy

  strings firmware.bin | grep -i 'default'
  strings firmware.bin | grep -i 'backup'

• SSH Information

  Copy

  strings firmware.bin | grep -i 'ssh'
  strings firmware.bin | grep -i 'port'

Analysis of bare metal firmware

Todo

Resources: