w00tsec: unpacking firmware images from cable modems


Upload: joe-sapient

Post on 19-Jan-2016


Page 1: w00tsec: Unpacking Firmware Images From Cable Modems

6/24/2014 w00tsec: Unpacking Firmware Images from Cable Modems

http://w00tsec.blogspot.com/2013/11/unpacking-firmware-images-from-cable.html 1/10

embedded device & webapp hacking

w00tsec

MONDAY, NOVEMBER 11, 2013

Unpacking Firmware Images from Cable Modems

Hacking cable modems used to be very popular during the early 2000s. People like DerEngel and Isabella from TCNiSO carried out lots of research on the topic, and talks from bitemytaco (R.I.P) and BlakeSelf at DEFCON 16 and DEFCON 18 covered lots of information on the subject.

Securing cable modems is more difficult than securing other embedded devices because, in most cases, you can't choose your own device/firmware, and software updates are almost entirely controlled by your ISP. Most cable modems offer a limited administrative interface, and management commands are sent using SNMP.

Cable Modem Firmware

There are basically three types of firmware images for cable modems:

- Signed and compressed (PKCS#7 & binary)
- Compressed binary images
- RAM dump images (uncompressed & raw)

You can dump your own firmware image using JTAG or by sniffing the connection during upgrades, for example. I'm a big fan of binwalk and I always wondered why it doesn't unpack firmware from popular Broadcom-based cable modems, so I decided to research this.

Unpacking the Firmware

For this analysis I'll use the Cisco DPC3925, which is a very common DOCSIS 3.0 modem here in Brazil. The Cisco DPC3925 has a BCM3380 chipset with a 16MB flash / 64MB DRAM memory configuration.

The compressed firmware image is around 4MB. Using strings against the file didn't help much, and binwalk v1.2.1 (without any additional parameters) did not recognize it.



We can gather lots of useful information from the vendor's page: user guides, datasheets, licensing information and the open source disclaimer for the product. There are no sources available on Cisco's site, but the Copyright Notices section states that the product uses LZMA SDK 4.21.

So we know that the firmware is probably packed using LZMA, but we still need to figure out how to unpack it. Running binwalk with -i displays results marked as invalid during the scan, which might give us some clue:

The LZMA header is not well documented. There are some good resources in the lzma-purejs GitHub repository, and you can also check binwalk's magic file signatures (devttys0 already did all the hard work for us).

Offset  Size  Description
0       1     lc, lp and pb in encoded form
1       4     dictSize (little endian)
5       8     uncompressed size (little endian)

The bootloader at the beginning of the flash contains the information necessary to boot the firmware image. At the top of the firmware there is always an extractor, which decompresses the firmware into DRAM.


Offset 0x677 is a good candidate because it's located near the beginning of the file and it seems to have a valid header. 5D 00 00 00 01 indicates an LZMA compression level of -8, and the next 64 bits should be the data's uncompressed size (in little endian).

The 64 bits following the header (00 20 20 0E 3A 28 AB EF) are clearly not a valid uncompressed size (2898643604054482944 bytes). They are the actual compressed data, which is what makes binwalk and 7zr unable to extract it.

What we need to do here is insert a few extra bytes after the header so our regular 7zr binary can recognize and extract the data. We don't know the uncompressed size of the firmware yet; the good news is that we can specify a big value here, allowing the 7zr utility to unpack it (although it will complain that EOF was reached too early). Let's specify 268435456 bytes (256MB), convert it to little endian (00 00 00 10 00 00 00 00) and append it to the original LZMA header. The new header should look like ... 5D 00 00 00 01 00 00 00 10 00 00 00 00 00 20 20 ...

I took the opportunity to have a look at binwalk's API and wrote a simple lzma-unpacker.py:

#!/usr/bin/python
# lzma-unpacker.py: written against the binwalk 1.2.x Python API (Python 2).
import os
import sys
from binwalk import Binwalk


def lzma_callback(offset, results):
    # Called by binwalk for every scan hit; we only care about 0x5D LZMA headers.
    for result in results:
        if result['description'].startswith('LZMA compressed data, properties: 0x5D'):
            with open(sys.argv[1], 'rb') as f:
                f.seek(result['offset'])
                lzma_header = f.read(5)
                # The modem image omits the 8-byte uncompressed size, so insert a
                # 256MB placeholder (little endian) between the header and the data.
                uncompressed_size = '\x00\x00\x00\x10\x00\x00\x00\x00'
                data = f.read()
            with open(sys.argv[1] + '.lzma', 'wb') as output:
                output.write(lzma_header + uncompressed_size + data)


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print '\nLZMA Unpacker: Extract LZMA sections from firmware images\n' \
              '\nTested with the following Cable Modems:\n' \
              '- Cisco DPC3925, DPC2434\n' \
              '- Motorola SB5100, SB5101, SVG6582, SVG1202\n' \
              '- Thomson ACG905, DCM425, DHG534, DHG544, DWG850, DWG874\n' \
              '- Webstar DPC2203\n' \
              '\nBernardo Rodrigues, http://w00tsec.blogspot.com\n' \
              '\nUsage: %s firmware_image.bin\n' % os.path.basename(sys.argv[0])
    else:
        with Binwalk() as bw:
            try:
                with open(sys.argv[1], 'rb'):
                    bw.display.header()
                    # First pass: find the 0x5D header (reported as invalid by binwalk)
                    # and write the repaired stream to <image>.lzma.
                    bw.scan(sys.argv[1], callback=lzma_callback, show_invalid_results=True)
                    try:
                        with open(sys.argv[1] + '.lzma', 'rb'):
                            # Second pass: let binwalk hand the repaired file to 7zr.
                            bw.extractor.add_rule('lzma:7z:7zr e -y %e')
                            bw.scan(sys.argv[1] + '.lzma', callback=bw.display.results)
                    except Exception:
                        print 'LZMA 0x5D signature not found'
                        sys.exit(1)
            except IOError:
                print 'File not found: ' + sys.argv[1]

This code will be obsolete in a couple of days because I'm pretty sure binwalk will incorporate this (as a plugin, maybe?).


The data was extracted successfully and contains 21982740 bytes. If we replace the uncompressed size in the LZMA header with the correct value in little endian (14 6E 4F 01 00 00 00 00), the 7zr tool will no longer complain about the file integrity.
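As an added example (not code from the post or from binwalk), here is the header work above done in Python 3 with the standard lzma module instead of 7zr: it decodes the 5 property bytes as laid out in the header table, flags an implausible uncompressed-size field, rebuilds the 13-byte header and decompresses. The "firmware" it scans is a constructed sample, so the filler bytes, the payload and the choice of offset 0x677 are assumptions made for the demo; the header bytes it checks against are the ones quoted in the post. One caveat the 7zr trick glosses over: a stream produced by liblzma ends with an end-of-payload marker, so the correct size field for it is the "unknown" marker (eight 0xFF bytes), whereas the modem's marker-less stream needs the 256MB placeholder, or the real size once you know it.

```python
import lzma
import struct

# Field layout of the LZMA "alone" header from the table in the post:
#   offset 0, 1 byte : lc/lp/pb packed as (pb * 5 + lp) * 9 + lc
#   offset 1, 4 bytes: dictionary size, little endian
#   offset 5, 8 bytes: uncompressed size, little endian (the field the modem images omit)
PROPS_LEN = 5
HEADER_LEN = 13
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF   # liblzma's "size unknown, end-of-payload marker present"
PLACEHOLDER_SIZE = 0x10000000       # 256MB, the value the post inserts for 7zr


def parse_props(header):
    """Decode the 5 property bytes into lc, lp, pb and dictionary size."""
    props = header[0]
    if props >= 9 * 5 * 5:
        raise ValueError("invalid LZMA properties byte 0x%02X" % props)
    lc = props % 9
    lp = (props // 9) % 5
    pb = props // 45
    dict_size = struct.unpack("<I", header[1:PROPS_LEN])[0]
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}


def plausible_size(size, limit=1 << 30):
    """A size field is believable if it is the 'unknown' marker or at most `limit` (1GB here);
    the post's 00 20 20 0E 3A 28 AB EF is far beyond any modem's DRAM, so it is compressed data."""
    return size == UNKNOWN_SIZE or size <= limit


def rebuild_header(props, uncompressed_size):
    """Return a full 13-byte header: the 5 property bytes plus the size field in little endian."""
    return bytes(props[:PROPS_LEN]) + struct.pack("<Q", uncompressed_size)


def find_candidates(blob):
    """Offsets where a 0x5D properties byte is followed by a power-of-two dictionary size
    between 64KB and 64MB: a cheap stand-in for binwalk's LZMA signature, assumed for this demo."""
    hits = []
    for off in range(len(blob) - HEADER_LEN):
        if blob[off] != 0x5D:
            continue
        dict_size = struct.unpack_from("<I", blob, off + 1)[0]
        if dict_size & (dict_size - 1) == 0 and (1 << 16) <= dict_size <= (1 << 26):
            hits.append(off)
    return hits


def unpack_at(blob, offset):
    """Decompress the LZMA section at `offset`, repairing a modem-style 5-byte header if needed."""
    props = blob[offset:offset + PROPS_LEN]
    size_field = struct.unpack_from("<Q", blob, offset + PROPS_LEN)[0]
    if plausible_size(size_field):
        # Looks like a standard 13-byte header: try it as is.
        try:
            return lzma.decompress(blob[offset:], format=lzma.FORMAT_ALONE)
        except lzma.LZMAError:
            pass
    # Modem layout: compressed data starts right after the 5 property bytes, so insert a
    # size field. Our sample stream carries an end marker, so the "unknown" marker is the
    # right value; a marker-less stream (the post's case) needs the placeholder or real size.
    stream = rebuild_header(props, UNKNOWN_SIZE) + blob[offset + PROPS_LEN:]
    return lzma.decompress(stream, format=lzma.FORMAT_ALONE)


# Constructed sample: 0x677 bytes of filler standing in for the bootloader, then an LZMA
# stream whose 8-byte size field has been stripped, mimicking the DPC3925 layout.
PAYLOAD = (b"BCM3380 sample image (constructed, not real firmware)\n"
           + b"".join(b"/goform/handler%02d\n" % i for i in range(40))
           + bytes(range(256)) * 4)
_FULL_STREAM = lzma.compress(PAYLOAD, format=lzma.FORMAT_ALONE)
SAMPLE_IMAGE = (b"BOOT " * 400)[:0x677] + _FULL_STREAM[:PROPS_LEN] + _FULL_STREAM[HEADER_LEN:]

if __name__ == "__main__":
    for off in find_candidates(SAMPLE_IMAGE):
        print("candidate at 0x%X: %s" % (off, parse_props(SAMPLE_IMAGE[off:off + PROPS_LEN])))
    out = unpack_at(SAMPLE_IMAGE, 0x677)
    # Same final step as the post: rewrite the header with the true uncompressed size.
    print("unpacked %d bytes, corrected header: %s"
          % (len(out), rebuild_header(SAMPLE_IMAGE[0x677:], len(out)).hex()))
```

Run stand-alone it prints the candidate offset with its decoded lc/lp/pb and dictionary size, then the repaired header carrying the true uncompressed size, which is exactly the replacement of the placeholder with 14 6E 4F 01 00 00 00 00 described above, only computed from the decompressed length instead of read off 7zr's output.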

Most Broadcom cable modems are packed this way, including the ones manufactured by different vendors. The script was fully tested and works fine for the following models:

- Cisco DPC3925, DPC2434
- Motorola SB5100, SB5101, SVG6582, SVG1202
- Thomson ACG905, DCM425, DHG534, DHG544, DWG850, DWG874
- Webstar DPC2203

Firmware Analysis

Now that you have successfully unpacked the firmware, here are a couple of cool things you should do:

- Find default passwords

- Find backdoors

- Pentest the Web Application

- Fingerprint your device and submit to NMAP

- Find similar devices using scans.io dataset

- Mail HD Moore a copy of the firmware and wait for the CVE Spam

Posted by Bernardo Rodrigues at 11:16 AM

Labels: acg905, binwalk, cable modem, dcm425, dhg534, dhg544, dpc2203, dpc2434, dpc3925, dwg850, dwg874, firmware, lzma, sb5100, sb5101, svg1202, svg6582, unpack


17 comments:

Luiz Felipe November 11, 2013 at 11:40 PM

Great firmware analysis, congratulations on the article! Regarding the bootloader, is it possible to analyze it in order to enable the console via serial?


Bernardo Rodrigues November 11, 2013 at 11:52 PM

Hi Luiz, OpenWRT's wiki has some useful information about DPC3825/EPC3825, which has the same chipset (BCM3380) and probably the same bootloader as the DPC3925: http://wiki.openwrt.org/toh/cisco/epc3825

Damien O'Reilly November 12, 2013 at 8:49 AM

What way did you dump the firmware? I have an EPC3925 and would like to see if I can retrieve the firmware off it.


Bernardo Rodrigues November 12, 2013 at 11:26 AM

You can follow instructions from USBJTAG forums: http://www.usbjtag.com/vbforum/showthread.php?p=55977 and http://www.usbjtag.com/vbforum/showthread.php?p=55341

Damien O'Reilly November 12, 2013 at 12:06 PM

Cheers, thanks. I actually read these threads earlier today! Do you use USB JTAG? I was thinking of investing in one of these. But this area is pretty new to me.

Bernardo Rodrigues November 13, 2013 at 11:21 PM

Hi Damien, I currently own a FlashcatUSB (http://www.embeddedcomputers.net/products/FlashcatUSB/) which is older and cheaper. USBJTAG NT has the best support and compatibility out there and their software is very good.

If you just want to test these firmwares you can also download dumps from their forums (http://www.usbjtag.com/vbforum/downloads.php?do=cat&id=8) or google them =)

Damien O'Reilly November 18, 2013 at 11:33 AM

Thanks for that. I want to test the firmware specifically on my modem also, as it's ISP specific. Plus I would learn the hardware side of things also! You hardly took a pic when you had the FlashcatUSB wired up to the SPI interface, did you?

Bernardo Rodrigues November 20, 2013 at 8:12 PM

Sorry, I didn't take pics =(

MaCXyLo November 12, 2013 at 5:23 PM

Dear Bernardo, very nice post!! Thanks for sharing. I searched a long time for information about the Cisco modems. My provider rents my router as a modem (because it has only one port). Can't bridge the device... Did you find any backdoor for ssh / telnet (e.g. a Web-GUI) activation? I already ordered parts to read out the firmware.

Pictures of the board and my previous information: http://www.haxorware.com/forums/thread-2824.html

Kind Regards
MaCXyLo


Bernardo Rodrigues November 13, 2013 at 11:39 PM

Hi MaCXyLo, I did not have much time to test it yet. Some modems like the Webstar DPC2100 have a firmware upgrade page at specific URIs (http://192.168.100.1/__swdld.asp). Try to carve and find HTML pages (using foremost or the latest binwalk-dev), analyze the strings, search for *.asp to identify hidden pages and */goform/*, which is used for dynamic actions. The modem is MIPS-based; you can also try reverse engineering it with IDA Pro.
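As an added example of the string triage suggested in this reply and in the post's "Firmware Analysis" list (my code, not the post's or the commenter's), here is a small Python 3 script that does what strings plus a few greps would: it pulls printable runs out of a blob, keeps their offsets so each hit can be located in the image, and buckets them as .asp pages, /goform/ handlers, URLs, credential hints and service names. The blob is a constructed sample; the category patterns are assumptions a reviewer would tune per device, and the only string in it taken from the page is the __swdld.asp URI quoted above.

```python
import re

# Constructed sample standing in for a carved region of an unpacked modem image (not real
# firmware): binary filler around a few strings of the kinds the reply says to look for.
SAMPLE_BLOB = (
    b"\x00\x01\x7f\xfe" * 8
    + b"/goform/ExampleHandler\x00"
    + b"ExamplePage.asp\x00"
    + b"http://192.168.100.1/__swdld.asp\x00"
    + b"\x13\x9a" * 5
    + b"Password=\x00admin\x00"
    + b"\xff\xfe"
    + b"telnetd\x00"
)

# Each category is a compiled regex applied to every printable string found (assumed set).
CATEGORIES = {
    "asp_page": re.compile(r"\.asp\b"),
    "goform_handler": re.compile(r"/goform/"),
    "url": re.compile(r"https?://"),
    "credential_hint": re.compile(r"(?i)passw(or)?d|login|admin"),
    "service": re.compile(r"\b(telnetd|sshd|dropbear|httpd)\b"),
}


def extract_strings(blob, min_len=4):
    """Return (offset, text) for every run of printable ASCII of at least min_len bytes,
    the same thing the strings tool does, but keeping the offset of each run."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def triage(blob, min_len=4):
    """Group the printable strings of `blob` by category; one string may land in several."""
    findings = {name: [] for name in CATEGORIES}
    for offset, text in extract_strings(blob, min_len):
        for name, pattern in CATEGORIES.items():
            if pattern.search(text):
                findings[name].append((offset, text))
    return findings


def summary(blob, min_len=4):
    """Hit count per category, a first glance before reading individual strings."""
    return {name: len(hits) for name, hits in triage(blob, min_len).items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_BLOB).items():
        for offset, text in hits:
            print("%-16s 0x%06X  %s" % (name, offset, text))
```

On a real unpacked image you would feed the whole file (or the HTML region foremost carved out) to triage and start with the goform_handler and asp_page buckets, since those are the pages and actions the web interface exposes; the offsets let you jump straight to the surrounding bytes in a hex editor or disassembler.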


Mike December 17, 2013 at 5:26 AM

Awesome post! Just discovered this while I was looking for CMImageTool ;) This is way better. Any chance of adding support for SBG6580? Join us on #surboard_hacker sometime. Will be nice to chat with you.


Mike December 19, 2013 at 5:58 PM

SBG6580 disassembles just fine using the same commands. You can add it to the list of devices it works on.

Bernardo Rodrigues December 26, 2013 at 8:15 PM

Hey Mike, I didn't have a copy of the SBG6580 firmware and I couldn't test back then, thanks for letting me know. Firmwares for most Broadcom based cable modems are packed this way. Anyway, newer versions of binwalk already have a plugin to unpack them, check it later on: http://binwalk.org/lzmamod-plugin/

Mike December 28, 2013 at 1:16 PM

Thanks for the reply Bernardo. Nice to see binwalk just enables it as a plugin by default, sure is coming in handy.

Btw ever work with the backdoor that says 255.255-255.255 ? (Notice how it seems there is a dash - instead of dot . between the 2nd and 3rd 255)

Bernardo Rodrigues February 16, 2014 at 10:18 PM

Hey Mike, sorry for the late reply. Regarding the 255.255-255.255 backdoor, I didn't spend much time reversing it; as you may have noticed, that was a simple recursive grep, but it may reveal some interesting info.

magnex April 9, 2014 at 9:15 PM


This comment has been removed by the author.

magnex April 9, 2014 at 9:19 PM

Will this method work for Cisco DPC3000 modems also? (it's Puma 5 based)
