Analyze Firmware

After you successfully obtained a firmware dump, it's time to analyze its content.

Quick wins

binwalk is the goto option for quickly analyzing your firmware

Identify data

binwalk firmware.bin : will give you an overview which contents are found in the dump

Example Output:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             U-Boot bootloader image, header size: 64 bytes, load address: 0x80800000, entry point: 0x80800000, CRC32: 0xFFFFFFFF
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 524288 bytes
1024          0x400           Linux kernel ARM boot executable zImage (little-endian)
1048576       0x100000        Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 262144 bytes, 1198 inodes, blocksize: 131072 bytes, created: Mon Jan  1 00:00:00 2024

Extract Firmware
- binwalk -e firmware.bin : will try to automatically extract all content => will often give us full root-filesystem.
- Example:
Example extraction of a firmware
Entropy Analyiss
- binwalk -E firmware.binThis will give us the entropy of the firmware
  - Note: parts of very high entropy can be sign for compression or encryption being used.
  - Example Output:
Here we see a blob which might be encrypted or compressed

The strings command can be helpful to quickly find sensitive data like passwords or password hashes:

Password Hashes:

strings firmware.bin | grep -E ':[x$1$5$6]:'

Hardcoded Credentials

strings firmware.bin | grep -i 'password'
strings firmware.bin | grep -i 'user'
strings firmware.bin | grep -i 'admin'
strings firmware.bin | grep -i 'login'

Private Keys and Certificates

strings firmware.bin | grep -i 'PRIVATE KEY'
strings firmware.bin | grep -i 'BEGIN RSA'
strings firmware.bin | grep -i 'BEGIN DSA'

API Keys, Tokens, and Secrets

strings firmware.bin | grep -i 'api_key'
strings firmware.bin | grep -i 'token'
strings firmware.bin | grep -i 'secret'

IP Addresses and URLs

strings firmware.bin | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
strings firmware.bin | grep -E 'http://|https://'
strings firmware.bin | grep -i 'ftp'

Configuration Files

strings firmware.bin | grep -i '.conf'
strings firmware.bin | grep -i '.ini'
strings firmware.bin | grep -i '.xml'

Encryption Keys and Passwords

strings firmware.bin | grep -i 'encryption_key'
strings firmware.bin | grep -i 'aes'
strings firmware.bin | grep -i 'des'
strings firmware.bin | grep -i 'key='

Version Information

strings firmware.bin | grep -i 'version'
strings firmware.bin | grep -i 'build'

Debug Information

strings firmware.bin | grep -i 'debug'
strings firmware.bin | grep -i 'trace'
strings firmware.bin | grep -i 'error'
strings firmware.bin | grep -i 'fail'

Email Addresses

strings firmware.bin | grep -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'

Encryption/Decryption Routines

strings firmware.bin | grep -i 'openssl'
strings firmware.bin | grep -i 'encrypt'
strings firmware.bin | grep -i 'decrypt'

Default and Backup Files

strings firmware.bin | grep -i 'default'
strings firmware.bin | grep -i 'backup'

SSH Information

strings firmware.bin | grep -i 'ssh'
strings firmware.bin | grep -i 'port'

Analysis of bare metal firmware

Todo

Resources:

PreviousElectromagnetic Fault Injection NextIntroduction

Last updated 1 year ago

hashtagQuick wins

hashtagAnalysis of bare metal firmware

Quick wins

Analysis of bare metal firmware