Hello everyone, today I will give a tutorial on IOT Firmware Hacking. I hope that you find this useful.
How to get the firmware
- Vendors website
- Support groups
- Community forums
- OTA update sniffing
- Mobile application
- Dumping from the device
Analyzing firmware
- Analyze it via
strings
andhexdump
-
Is the firmware encrypted?
- What kind of encryption is being used?
hexdump -C firmware.bin
strings firmware.bin
-
binwalk -E firmware.bin
to figure out the entropy
- Where can you find the encryption keys?
- How can you get a copy of the decrypted firmware?
- What kind of encryption is being used?
-
Extracting components from the firmware
- Extract the file system (
binwalk -e firmware.bin
) - Does the file system has hardcoded credentials (
grep
is your friend)- API keys
- Private certificates
- Backdoors
- Sensitive URLs
- Config files revealing useful information
- Extract the file system (
-
Emulating the firmware
- Identify the architecture
- Emulate the firmware using Qemu and Chroot or FAT (
python fat.py
- FAT available from here ) - Perform analysis and exploitation via emulation
-
Reverse engineering firmware binaries
- Command Injection bugs (IDA analysis and looking at the web files)
- Identifying Buffer overflows and other software binary specific vulns and exploitation
- what all security protections are there in place?
- Bypassing the security protections.