
Reverse Engineering My Home Security System: Decompiling Firmware Updates - cellover
https://markclayton.github.io/reverse-engineering-my-home-security-system-decompiling-firmware-updates.html
======
Rjevski
I don't want to sound rude but there isn't anything substantial in this
article - the author just found a way to extract the firmware image and mount
the Linux filesystem that's in it. No actual exploits or reverse-engineering
of the device's software itself.

~~~
justinjlynn
Not rude at all -- it's a good first step though. In my opinion, it does need
a bigger payoff at the end -- so close but they posted too soon. They
should've also responsibly disclosed the script on github as well (eh, maybe).

~~~
kogepathic
_> it's a good first step though_

Not only is it a good first step, but since the product clearly runs Linux,
the author should be able to download all GPL source code from Honeywell.
Being able to build the device firmware yourself from source is hugely
beneficial to understanding the structure of the firmware and can even help in
understanding the behaviour of the device.

If Honeywell aren't providing a GPL archive for the Tuxedo with the kernel and
any GPL licensed user-space programs, they are violating the GPL.

I'm not sure the author is aware that the source code for these _should be
freely available from Honeywell_

~~~
juiyout
True. Though Honeywell can elect to mail you the source code printed on flash
cards without any particular order.

~~~
Simulacra
That seems a tad excessive. Does any company do this, outside of high security
systems?

~~~
subway
That has nothing to do with security, and everything to do with malicious
compliance.

------
josteink
> About an hour later it occurs to me that what if the .hdr extension stands
> for ‘header’ and wasn’t the name of any valid file type?!

I guess that's just a mindset, but I see proprietary extensions created and
used everywhere.

Especially in the context of firmware, I never once made any assumptions about
this being a default file-format, nor that tooling for this extension was a
path worth digging deeper into.

Ironically the author has found lots of good tools I didn't know about which
more or less should automatically reveal this, before he himself arrives at
this conclusion.

Facepalm, indeed.

------
justinjlynn
I spent the whole post thinking "binwalk ..." ... "binwalk -erM ..." to
myself. Clever searching for github repos though, that was a good find.

------
ynniv
The Tuxedo Touch is a glorified pin-pad to the actual security panel, so it
may be a stretch to call this the "security system". However it would be
trivial to MiTM arm/disarm codes if you could run code on it and it's the
interface to home automation, which could be interesting if anything is hooked
up.

------
mikehollinger
I've done that exact "let's prepend a header" thing before. For a past
project, each stage of the build and packaging process resulted in an
increasingly difficult-to-use-"by hand" file that was increasingly friendly to
downloaders, flashers, and CMS systems. Each system wanted its own file header
or format (one, for example, disliked Debian files and insisted that we post a
gzipped tarball for some reason).

Aside from a stage that encrypted the firmware, if you knew the structures
being prepended to the file, you could "undo" all of that with a little bit of
perl.
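
The binwalk-style signature scan justinjlynn mentions and the "undo the prepended header" step described in this comment, as an added Python example that is not from the article or from either commenter. The SIGNATURES table is a short hand-picked subset, the "HDR1" vendor wrapper format and the sample image are constructed for illustration, and the unwrap step checks length and CRC so a truncated or corrupted image is rejected rather than silently carved.

```python
import gzip
import struct
import zlib
# Magic bytes a binwalk-style scan keys on (my own short table, not binwalk's).
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"\x27\x05\x19\x56": "uImage header",
    b"\x1f\x8b\x08": "gzip stream",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
}
# Hypothetical 16-byte vendor wrapper: magic, payload length, CRC32 of payload, 4 pad bytes.
VENDOR_MAGIC, VENDOR_FMT = b"HDR1", "<4sII4x"

def scan(blob: bytes):
    """Return every (offset, description) at which a known magic appears."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)

def wrap(payload: bytes) -> bytes:
    # Prepend the constructed vendor header, as a packaging stage would.
    return struct.pack(VENDOR_FMT, VENDOR_MAGIC, len(payload), zlib.crc32(payload)) + payload

def unwrap(blob: bytes) -> bytes:
    """Undo the wrapper, rejecting a truncated image or one whose CRC does not match."""
    hdr_len = struct.calcsize(VENDOR_FMT)
    if len(blob) < hdr_len or blob[:4] != VENDOR_MAGIC:
        raise ValueError("not a vendor-wrapped image")
    _, length, crc = struct.unpack(VENDOR_FMT, blob[:hdr_len])
    payload = blob[hdr_len:hdr_len + length]
    if len(payload) != length or zlib.crc32(payload) != crc:
        raise ValueError("payload truncated or CRC mismatch")
    return payload

def carve_first_gzip(blob: bytes) -> bytes:
    """Decompress the first gzip member found; anything after it is left untouched."""
    for off, desc in scan(blob):
        if desc == "gzip stream":
            return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(blob[off:])
    raise ValueError("no gzip stream found")

def build_sample_image() -> bytes:
    """Constructed sample: uImage magic, padding, a gzip'd rootfs stub, then a squashfs magic."""
    rootfs = gzip.compress(b"rootfs placeholder", mtime=0)
    return wrap(b"\x27\x05\x19\x56" + b"\0" * 60 + rootfs + b"hsqs" + b"\0" * 16)
```

Running `scan(unwrap(build_sample_image()))` reports the uImage magic at offset 0, the gzip stream at 64 and the squashfs magic after it, which is the same kind of offset table binwalk prints before carving.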

------
britworst
Title is rather misleading. Sounds like it is going to be some interesting
binary to source code decompilation, but all the author does is extract some
files from an archive.

------
Dowwie
excellent uses of memes, Mark :)