
Reversing the WRT120N’s Firmware Obfuscation - FiloSottile
http://www.devttys0.com/2014/02/reversing-the-wrt120n-firmware-obfuscation/
======
rdl
Why do they bother with doing this? I could see signing firmware, but maybe
I'm crazy, but I don't see anything in the WRT120N which is particularly
innovative in hardware or software that they'd be trying to keep secret, or RF
stuff which they'd need to keep locked down in a baseband to keep their FCC/CE
certs.

Did they do this just for the lulz?

~~~
gvand
I could be wrong, but it looks like a decision that came out of some
management-only meeting.

~~~
alextingle
I've been the technical guy in a meeting where this kind of nonsense was
decided...

Me: The customer has asked for security measures to stop unauthorised
employees from subverting the system and defrauding them. Your solution uses
clear-text passwords, so anyone with a copy of Wireshark could crack it in
seconds.

Management: Yeah, but they're only asking for the _appearance_ of security.
They don't care about the details.

Me: What will they say if someone cracks our "security" and steals millions of
dollars from them?

Management: <shrug>

Me: ???

~~~
1qaz2wsx3edc
Rest assured Mr. Management, hackers only target profitable business, and
since you're the manager, we won't have much to worry about.

------
hippich
Does someone have a link to a manual where not just the disassembly is
presented, but also the process of patching, packing everything back and
uploading it back to the hardware?

I had a printer, a Kodak Hero 4.2. It has ink level warnings which I cannot get
around without a new cartridge and new ink chips.

I found a way to get the firmware and how to upload firmware manually. I also
disassembled it and found a few spots where I could change the ARM asm code to
jump around the ink level checks. But I could not figure out how to put it all
back together so the printer would use this firmware instead. My naive approach
did not work well and I bricked it (not a big deal).

I would love to read more about the process people used to, for example, build
DD-WRT, which I believe is a modification of the stock firmware.

~~~
userbinator
I haven't seen anyone actually hack printer firmware in that way, outside of
some shops in China that claim they can do that. Any chance you could do a
writeup on it?

There is probably a checksum (or even worse, digital signature) on the
firmware image, or some other checks like that, but as for getting the
firmware back on the device, I'd probably use a hardware flash programmer.

------
adsche
Very nice.

I wish I had a better question: what is the software used to produce the
"flow charts"?

~~~
jmgrosen
That's IDA, the interactive disassembler. The free version's not too bad, but
if you're doing any work with 64-bit, you'll need the pro version, which is a
fairly hefty sum (at least for a student like me).

~~~
adestefan
The free version is also x86 only.

I'd recommend using Hopper as a hobbyist.

~~~
voltagex_
Agreed, I have high hopes for Hopper.

------
MrQuincle
Even if this is to show off the binwalk software, it's still a really nice
post! :-)

I like the 3D visualization at [http://binwalk.org/wp-content/uploads/2013/12/avr32_3d.gif](http://binwalk.org/wp-content/uploads/2013/12/avr32_3d.gif)

What might perhaps also be interesting, is to create a plugin for binwalk that
compares the firmware with other firmware binaries.

~~~
userbinator
Fun visualisation, but I don't see that one as being particularly useful (what
does it really represent?)

As someone who has looked through many different types of files in doing quite
a bit of RE, I've become able to separate out different types of data just by
the "feel" of how it looks in a text editor; Z80 and 6502 code, x86, MIPS,
ARM, bitmap images, and compressed data all have different "textures" to them.

~~~
callesgg
It represents randomness (entropy) in the firmware file, and "known" file types
found in the firmware file.

It is very useful, as different file types and data structures often have a
quite common entropy level to them.

Rather than doing it in your head as you do, one can use a machine to help,
which happens to be the whole point of machines.

~~~
userbinator
I'm talking about the animated one in the parent - AFAIK entropy is a scalar,
not three-dimensional.

~~~
callesgg
Oh, the animated one. Yeah, you are correct, that is not entropy at all.

It is just bytes visually represented: byte 1 = x axis, byte 2 = y axis,
byte 3 = z axis. Then jump forward and repeat.
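The byte-triple plot callesgg describes and the block-entropy scan discussed earlier in the thread, as an added Python example (not code from the article or from binwalk); the sample "firmware" regions and the labelling thresholds are constructed here for illustration.

```python
import math
import random
from typing import Dict, List, Tuple

def byte_triples(data: bytes) -> List[Tuple[int, int, int]]:
    """Non-overlapping byte triples as 3-D points (byte 1 -> x, byte 2 -> y,
    byte 3 -> z, jump forward, repeat). A trailing partial triple is dropped."""
    return [(data[i], data[i + 1], data[i + 2])
            for i in range(0, len(data) - len(data) % 3, 3)]

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_scan(data: bytes, block_size: int = 1024) -> List[Tuple[int, float]]:
    """One scalar per block offset: the curve an entropy scan plots."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]

def label_region(entropy: float) -> str:
    """Heuristic labels with assumed thresholds (not taken from any tool): near
    0 bits is fill, near 8 bits is typical of compressed or encrypted data."""
    if entropy < 1.0:
        return "padding"
    return "compressed/encrypted" if entropy > 7.5 else "code/data"

def build_sample_image() -> Dict[str, bytes]:
    """Constructed stand-in for a firmware image (not a real one): 0xFF fill, a
    repetitive 'code-like' 16-byte pattern, then seeded pseudo-random bytes."""
    rng = random.Random(0x5EED)
    return {"padding": b"\xff" * 4096,
            "code": bytes(range(0x10, 0x20)) * 256,
            "compressed": bytes(rng.getrandbits(8) for _ in range(4096))}

def summarize(regions: Dict[str, bytes]) -> Dict[str, Tuple[float, int, str]]:
    """Per region: entropy, distinct 3-D points, label. Repetitive code
    collapses to a few points; random data fills the cube."""
    out = {}
    for name, blob in regions.items():
        e = shannon_entropy(blob)
        out[name] = (round(e, 3), len(set(byte_triples(blob))), label_region(e))
    return out
```

The distinct-point count is the "texture" userbinator describes seeing by eye: the 16-byte pattern yields only 16 points, while the random region scatters across the whole cube.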

------
tbarbugli
Just throw that piece of shit out of the window and get a decent router!

