Find the Firmware!
Due Date: 2025-05-19 23:59:59
Introduction
Often, it is possible to tap the communication between a device and its update servers. In this way, you can capture the transfer of the updated firmware. If you are lucky, it’s a full firmware that is transmitted, the update is over an unencrypted channel, and it’s transmitted as a single HTTP session. Unfortunately, the ideal case is fairly rare. Increasingly, updates are delivered over secured connections, it’s often just a delta or patch that is transmitted, and it’s even sometimes transmitted in small chunks over multiple sessions.
What you must do
Using the tools you've learned in this module, dissect the provided packet capture and extract the firmware. You will find the packet capture at ada.cs.pdx.edu:/disk/scratch/dmcgrath/firmware.pcap. Simply scp it to your kali machine. It is important to note that HTTP often transmits binary data via Base64 encoding!
From your kali machine, run:
$ scp <MCECS_Username>@ada.cs.pdx.edu:/disk/scratch/dmcgrath/firmware.pcap .
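The hint above (Base64 in the HTTP bodies, and possibly several TCP sessions) is the whole difficulty of the reassembly step. The following is an added example, not part of the assignment handout or of the course's tooling: a standard-library Python script that parses a classic pcap, reassembles each server-to-client TCP stream by sequence number, drops retransmitted segments, checks the HTTP Content-Length against what was actually captured, Base64-decodes each response body and joins the chunks in capture order. The capture it runs on is constructed inline (the addresses 10.0.0.1/10.0.0.2, ports 40001/40002, the path /fw and the 768-byte stand-in image are all made up); feed recover_firmware() the bytes of the real firmware.pcap instead. It assumes each response carries an independently encoded Base64 chunk; if the server split one Base64 stream across responses, join the bodies before decoding.

```python
"""Pull a firmware image back out of a plain-HTTP download that may be
Base64-encoded and spread over several TCP sessions.  Standard library only."""
import base64
import hashlib
import struct
from collections import defaultdict


def pcap_packets(data: bytes):
    """Yield link-layer frames from a classic pcap buffer (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:      # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame: bytes):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                           # protocol != TCP
        return None
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]            # honour IP total length (drops Ethernet padding)
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[(tcp[12] >> 4) * 4:]


def http_response_bodies(pcap: bytes):
    """Reassemble every unidirectional TCP stream by sequence number (duplicate
    segments dropped) and return the body of each HTTP response, in the order
    the responding streams first appear in the capture."""
    streams, order = defaultdict(dict), []
    for frame in pcap_packets(pcap):
        seg = tcp_segment(frame)
        if seg is None or not seg[2]:
            continue
        flow, seq, payload = seg
        if flow not in streams:
            order.append(flow)
        streams[flow].setdefault(seq, payload)               # retransmission: keep the first copy
    bodies = []
    for flow in order:
        data = b"".join(p for _, p in sorted(streams[flow].items()))
        if not data.startswith(b"HTTP/"):
            continue                                         # request direction of the connection
        head, _, body = data.partition(b"\r\n\r\n")
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length" and int(value.strip()) != len(body):
                raise ValueError(f"stream {flow}: body is {len(body)} bytes but "
                                 f"Content-Length says {int(value.strip())} (missing segments?)")
        bodies.append(body)
    return bodies


def recover_firmware(pcap: bytes, base64_chunks: bool = True) -> bytes:
    """Join the response bodies; with base64_chunks each body is decoded on its own."""
    return b"".join(base64.b64decode(b, validate=True) if base64_chunks else b
                    for b in http_response_bodies(pcap))


# --- constructed sample capture: two sessions, segments out of order, one retransmitted
def _frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip                   # zero MACs, EtherType IPv4


def _pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    out += [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)


SERVER, CLIENT = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLE_FIRMWARE = bytes(range(256)) * 3                      # made-up stand-in for the image
SAMPLE_FRAMES = []
for port, chunk in ((40001, SAMPLE_FIRMWARE[:500]), (40002, SAMPLE_FIRMWARE[500:])):
    SAMPLE_FRAMES.append(_frame(CLIENT, port, SERVER, 80, 1, b"GET /fw HTTP/1.1\r\n\r\n"))
    b64 = base64.b64encode(chunk)
    resp = (b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(b64)) + b64
    segs = [_frame(SERVER, 80, CLIENT, port, 1000 + i, resp[i:i + 100])
            for i in range(0, len(resp), 100)]
    SAMPLE_FRAMES += segs[::-1] + segs[:1]                   # reversed arrival, first segment twice
SAMPLE_PCAP = _pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    image = recover_firmware(SAMPLE_PCAP)
    print(len(image), "bytes, md5", hashlib.md5(image).hexdigest())
```

Against the real capture, call recover_firmware(open("firmware.pcap", "rb").read()), write the result to a file and compare md5sum/sha512sum with the values given below. The script deliberately stops at the boundaries of this assignment: it does not handle pcapng (convert with editcap -F pcap first), TLS, gzip or chunked transfer encoding, or IP fragmentation, and a Content-Length mismatch is reported rather than papered over, because a silently truncated image will never hash correctly.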
Some useful information regarding the firmware you’re after:
$ binwalk download.bin    # what it should look like

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
48            0x30            Unix path: /dev/mtdblock/2
96            0x60            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4438276 bytes
302958        0x49F6E         MySQL MISAM index file Version 4
1441888       0x160060        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2208988 bytes, 1159 inodes, blocksize: 262144 bytes, created: 2019-08-06 21:20:37

$ md5sum download.bin
734b6d4d473be3f73d567eccc5639891  download.bin

$ sha512sum download.bin
18c9e43da60424c2e65fff13e8b869e505a179cfb3b2dceba7def579cd58d7366ab9288ad223d58f1da636433079f72255ca30c7c81ad77fafe85fd02888d367  download.bin

The "MySQL MISAM index file" line is a well-known false positive of binwalk's signature scan; the parts of the image that matter are the LZMA-compressed blob at 0x60 and the squashfs root filesystem at 0x160060.
Checksums for the squashfs filesystem carved out of the firmware image (the file shown above as download.bin) are:
- MD5: c05eab59124a9d288cf9678430fb26aa
- SHA256: a74f86df76505bc7d502495e00d25383a739c8e3d6a4bcfea190ca71ce2fbb6f
- SHA512: 0a9626897f5bc36b4f2aea2a580678b03ae12e0d7c6b55dcb4f57887e93716daff37d21c13164519c1a5b22cd69fff83c145b95e18c7a3ed0cfac140385db67e
Once you have extracted a firmware image whose checksums match the above, use a tool called binwalk to extract its contents (this isn't a reverse engineering class, so the -M and -e options are enough: -e carves and extracts what the signature scan finds, -M recurses into the results; the carved squashfs lands in the _download.bin.extracted directory and should hash to the values above), then answer a few questions:
- What architecture is the firmware intended to run on?
- What OS is the firmware running?
- What users are present on the system?
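Once binwalk -Me has produced a squashfs-root directory, the three questions are answered by looking at one ELF header, a few files under /etc, and /etc/passwd. The script below is an added example, not part of the assignment or of binwalk, and uses only the Python standard library. survey() walks an extracted tree (the default path is an assumption about binwalk's output layout), takes the CPU architecture, word size and endianness from e_ident and e_machine of the first ELF it finds, collects OS evidence from /etc/os-release, /etc/openwrt_release, /etc/banner, /etc/issue and the kernel-version directories under /lib/modules, and lists accounts from /etc/passwd, flagging UID-0 accounts and password hashes stored in passwd itself (common on embedded systems that ship no /etc/shadow). The ELF header and passwd file at the bottom are constructed samples for a stand-alone run, not taken from the assignment's firmware.

```python
"""Identify architecture, OS and users in a root filesystem extracted by binwalk.
Standard library only."""
import os
import struct
import sys

# ELF e_machine values from the ELF specification; the ones common in consumer firmware.
E_MACHINE = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64",
             183: "AArch64", 243: "RISC-V"}


def elf_info(header: bytes) -> dict:
    """Decode word size, byte order and target machine from an ELF header.
    Only the first 20 bytes are needed: e_ident (16) + e_type (2) + e_machine (2)."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(header[4], "?")                 # EI_CLASS
    endian = {1: "little", 2: "big"}.get(header[5], "?")       # EI_DATA
    machine = struct.unpack(">H" if endian == "big" else "<H", header[18:20])[0]
    return {"bits": bits, "endian": endian,
            "machine": E_MACHINE.get(machine, f"unknown e_machine {machine}")}


def passwd_users(text: str) -> list:
    """Parse /etc/passwd lines into dicts.  hash_in_passwd is True when the
    second field holds a real hash instead of x/*/!, meaning the hash is
    world-readable because the device keeps no working /etc/shadow."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue
        name, pw, uid, _gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell,
                      "root_equivalent": int(uid) == 0,
                      "hash_in_passwd": pw not in ("", "x", "*", "!", "!!")})
    return users


def survey(root: str) -> dict:
    """Walk an extracted root filesystem and collect the evidence for the three questions."""
    report = {"arch": None, "arch_evidence": None, "os_hints": {}, "users": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks: extracted images often contain absolute links that
            # would otherwise make us read files from the analysis host.
            if report["arch"] is None and os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    head = fh.read(20)
                if head[:4] == b"\x7fELF" and len(head) == 20:
                    report["arch"], report["arch_evidence"] = elf_info(head), path
        if report["arch"] is not None:
            break
    for rel in ("etc/os-release", "etc/openwrt_release", "etc/banner", "etc/issue"):
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                report["os_hints"][rel] = fh.read().strip()[:200]
    modules = os.path.join(root, "lib", "modules")
    if os.path.isdir(modules):
        report["os_hints"]["lib/modules"] = sorted(os.listdir(modules))   # kernel version dirs
    passwd = os.path.join(root, "etc", "passwd")
    if os.path.isfile(passwd):
        with open(passwd, errors="replace") as fh:
            report["users"] = passwd_users(fh.read())
    return report


# Constructed samples so the parsers can be exercised without a firmware image:
# a 32-bit big-endian MIPS ELF header (e_type=EXEC, e_machine=8) and a passwd file.
SAMPLE_ELF = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x02\x00\x08"
SAMPLE_PASSWD = """root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
admin:x:0:0:admin:/home/admin:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
"""

if __name__ == "__main__":
    # Assumed default location of binwalk's output; pass another path as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "_download.bin.extracted/squashfs-root"
    for key, value in survey(root).items():
        print(f"{key}: {value}")
```

Report the ELF that gave you the architecture (the path in arch_evidence) and the /etc files you relied on for the OS answer in your write-up, so the reader can reproduce the conclusion; "users" is only a list of accounts until you say which of them can actually log in (a valid shell) and which are root-equivalent (UID 0).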
Write a document detailing how you extracted the firmware, how you investigated the firmware, and answers to the above questions. Please make sure to include any code you wrote or commands you executed.
Submission
Everything above should be documented in a markdown file in your repo called hw4/hw4.md. Commit and push this to your repo. Once you have done this, you can consider the assignment submitted.