Intro

Recently I stumbled upon the PaulDotCom blog post "Reverse Engineering Firmware Primer" and decided to see whether I could repeat the process, and at the same time test my newly installed Debian VM packed with RE tools. Here is my take on the task. To repeat the steps you generally need binwalk and cpio.

Walk through

1) Got a firmware copy
I got a copy of the DLink firmware, dir655_revB_v211NAb07.bin, from the DLink FTP server. It comes zipped, so you need to unpack it first.

2) Inspect the binary file with binwalk
Here is the output I got.

$ binwalk dir655_revB_v211NAb07.bin
 
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0xFD286854, created: Thu Jul 18 08:37:50 2013, image size: 6684932 bytes, Data Address: 0x40100000, Entry Point: 0x408F0C68, data CRC: 0x80C5838C, OS: Linux, image type: OS Kernel Image, compression type: gzip, image name: "Unknown - IP7160_DIR855_F_Board"
64            0x40            gzip compressed data, maximum compression, from Unix, last modified: Thu Jul 18 08:37:49 2013

Obviously the binary contains a gzip container, and intuitively one would like to get the container out and see what's inside.
Paul suggests using binwalk's --dd option. You can either go with --dd (-D) or with the -e option. If you use -e there is no need to specify the container type: binwalk applies its predefined extraction rules, which cover the most common scenarios.

3) Extract the containers from the bin file

$ binwalk -e dir655_revB_v211NAb07.bin

If the process was successful you will get a directory _dir655_revB_v211NAb07.bin.extracted with a single file inside called 40.

$ ls -lah _dir655_revB_v211NAb07.bin.extracted/
total 8.0M
drwxr-xr-x 2 eps eps 4.0K Sep  8 13:58 .
drwxr-xr-x 4 eps eps 4.0K Sep  8 13:58 ..
-rw-r--r-- 1 eps eps 8.0M Sep  8 13:58 40

4) Run file on 40 to see if it is a known format

$ cd _dir655_revB_v211NAb07.bin.extracted/
$ file 40
40: data

Apparently file cannot tell us more about the file format.

5) Inspect the 40 file with binwalk

$ binwalk 40
 
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2438824       0x2536A8        Linux kernel version "2.6.28.10 (vicchang@vicchang-desktop) (gcc version 4.4.1 201003sktop) (gcc version 4.4.1 20100320 (stable) (GCC) ) #4 Thu Jul "
2977684       0x2D6F94        gzip compressed data, maximum compression, from Unix, last modified: Thu Jul 18 08:37:31 2013

Apparently another gzip container. We basically repeat the process of extracting the container.
5) Extract the gzip container from 40 and inspect the content further

$ binwalk -e 40
 
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
2438824       0x2536A8        Linux kernel version "2.6.28.10 (vicchang@vicchang-desktop) (gcc version 4.4.1 201003sktop) (gcc version 4.4.1 20100320 (stable) (GCC) ) #4 Thu Jul "
2977684       0x2D6F94        gzip compressed data, maximum compression, from Unix, last modified: Thu Jul 18 08:37:31 2013
 
$ ls -lah
total 8.0M
drwxr-xr-x 3 eps eps 4.0K Sep  8 14:16 .
drwxr-xr-x 4 eps eps 4.0K Sep  8 13:58 ..
-rw-r--r-- 1 eps eps 8.0M Sep  8 13:58 40
drwxr-xr-x 2 eps eps 4.0K Sep  8 14:16 _40.extracted
 
$ ls -lah _40.extracted/
total 14M
drwxr-xr-x 2 eps eps 4.0K Sep  8 14:16 .
drwxr-xr-x 3 eps eps 4.0K Sep  8 14:16 ..
-rw-r--r-- 1 eps eps  14M Sep  8 14:16 2D6F94
 
$ file _40.extracted/2D6F94 
2D6F94: ASCII cpio archive (SVR4 with no CRC)

As you can see, unpacking produced a file 2D6F94, which is apparently a cpio archive.
6) Unpack the 2D6F94 cpio container

$ cd _40.extracted/
$ sudo cpio --no-absolute-filenames -i < 2D6F94
$ ls -lah
total 14M
drwxr-xr-x 17 eps eps 4.0K Sep  8 14:28 .
drwxr-xr-x  3 eps eps 4.0K Sep  8 14:16 ..
-rw-r--r--  1 eps eps  14M Sep  8 14:16 2D6F94
drwxr-xr-x  2 root    root    4.0K Sep  8 14:28 bin
drwxr-xr-x  2 root    root    4.0K Sep  8 14:28 boot
drwxr-xr-x  5 root    root    4.0K Sep  8 14:28 dev
drwxr-xr-x  9 root    root    4.0K Sep  8 14:28 etc
drwxr-xr-x  2 root    root    4.0K Sep  8 14:28 home
-rwxr-xr-x  1 eps     eps      682 Sep  8 14:28 init
drwxr-xr-x  6 eps     eps     4.0K Sep  8 14:28 lib
drwxr-xr-x  2 root    root    4.0K Sep  8 14:28 mnt
dr-xr-xr-x  2 root    root    4.0K Sep  8 14:28 proc
drwxr-x---  2 root    root    4.0K Sep  8 14:28 root
drwxr-xr-x  2 root    root    4.0K Sep  8 14:28 sbin
drwxr-xr-x  2 root    root    4.0K Sep  8 14:28 sys
drwxrwxrwt  2 root    root    4.0K Sep  8 14:28 tmp
drwxr-xr-x  4 root    root    4.0K Sep  8 14:28 usr
drwxr-xr-x  9 root    root    4.0K Sep  8 14:28 var
drwxr-xr-x  3 eps     eps      12K Sep  8 14:28 www

Voilà! We have an entire file system. I will explore it in detail in the next blog post.

DLink dir655 rev B firmware reverse engineering – part 1

2 thoughts on “DLink dir655 rev B firmware reverse engineering – part 1”

  • December 20, 2014 at 10:49 pm

    Where can I find part 2?

    • December 25, 2014 at 9:05 am

      Hi mate, shame on me but I’ve never compiled part two. If I could be of any help to you though, I would be happy to answer your questions.
