Cracking Linksys “Encryption” – /dev/ttyS0

Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) – Encrypts the configuration file. Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use…

Re-enabling JTAG and Debugging the WRT120N – /dev/ttyS0

After de-obfuscating the WRT120N’s firmware, I started taking a closer look at the code, which runs the now-defunct SuperTask! RTOS. Thanks in no small part to copious debug strings littered throughout the code and some leaked Atheros datasheets, I made good progress in statically disassembling the code. The next step…

Reversing the WRT120N’s Firmware Obfuscation – /dev/ttyS0

It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look. The latest firmware update for the WRT120N didn’t give me much to work with: Binwalk firmware update analysis As…

Binwalk 2.0 Development – /dev/ttyS0

Binwalk version 2.0 is currently under development. This is a fundamental re-design which makes binwalk more modular and easier to extend. Scripting is easier, plugins are easier – basically everything is easier. New features, plus Python3 support (and possibly even a Windows package) are also in the works. The only…

MIPS ROP IDA Plugin – /dev/ttyS0

I’ve previously written some examples of how to exploit MIPS stack overflows using ROP techniques. The problem is that finding suitable MIPS ROP gadgets manually can be quite tedious, so I have added a new IDA plugin – – to my github repository. This plugin searches the code segment(s)…

Binwalk 1.2.2 Release – /dev/ttyS0

Binwalk 1.2.2 has just been released which introduces some useful new features: Binary diffing of an arbitrary number of files Heuristic compression/encryption analysis Identification of zlib compression streams (implemented via a plugin) Here are three thousand words to demonstrate these new features: Diffing two firmware headers Heuristic analysis of firmware…

Some IDA Plugins – /dev/ttyS0

I’ve posted a few of my IDA plugins on github. Though simple, I’ve found their functionality quite useful when reversing firmware and RISC architectures: Defining ASCII strings not defined during IDA’s auto analysis Defining undefined bytes in the data segment as DWORDs (allowing IDA to resolve function/jump table pointers, etc)…

From China, With Love – /dev/ttyS0

Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda. After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the…