Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) – Encrypts the configuration file. Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use… Continue reading
After de-obfuscating the WRT120N’s firmware, I started taking a closer look at the code, which runs the now-defunct SuperTask! RTOS. Thanks in no small part to copious debug strings littered throughout the code and some leaked Atheros datasheets, I made good progress in statically disassembling the code. The next step… Continue reading
It was recently brought to my attention that the firmware updates for the Linksys WRT120N were employing some unknown obfuscation. I thought this sounded interesting and decided to take a look. The latest firmware update for the WRT120N didn’t give me much to work with: Binwalk firmware update analysis As… Continue reading
Binwalk version 2.0 is currently under development. This is a fundamental re-design which makes binwalk more modular and easier to extend. Scripting is easier, plugins are easier – basically everything is easier. New features, plus Python3 support (and possibly even a Windows package) are also in the works. The only… Continue reading
Just added some fun 3D binary visualization features to binwalk. Read more about it here. Visualizing AVR32 code
For various reasons, I’ve decided to move binwalk away from GoogleCode. Its new home is now at binwalk.org, and the code repository is now hosted on GitHub. That is all.
I’ve previously written some examples of how to exploit MIPS stack overflows using ROP techniques. The problem is that finding suitable MIPS ROP gadgets manually can be quite tedious, so I have added a new IDA plugin – mipsrop.py – to my github repository. This plugin searches the code segment(s)… Continue reading
Binwalk 1.2.2 has just been released which introduces some useful new features: Binary diffing of an arbitrary number of files Heuristic compression/encryption analysis Identification of zlib compression streams (implemented via a plugin) Here are three thousand words to demonstrate these new features: Diffing two firmware headers Heuristic analysis of firmware… Continue reading
I’ve posted a few of my IDA plugins on github. Though simple, I’ve found their functionality quite useful when reversing firmware and RISC architectures: Defining ASCII strings not defined during IDA’s auto analysis Defining undefined bytes in the data segment as DWORDs (allowing IDA to resolve function/jump table pointers, etc)… Continue reading
Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda. After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the… Continue reading