I always liked routers, always liked taking apart firmware blobs as well. However, it was usually a time consuming practice.

Thankfully, tools such as Binwalk and Firmware-Mod-Kit, have made this whole procedure reasonably painless. So, let us quickly try them out.

First off, I decided to analyse the D-LINK DIR-601 router’s firmware, as I had it on hand. It is a simple, consumer grade router. Nothing too special.

Anyway, in this post I will simply cover the incredibly simple steps to get at the filesystem by taking apart the firmware. In another post I will do a brief overview of some (potential) security issues, such as default credentials and possibly vulnerable services, that I may or may not uncover.

First off, we run “binwalk” on the target firmware binary in order to see what in the name of god it is we have here, and see if Binwalk can enlighten us.

Running Binwalk on the target firmware binary…

So we see binwalk identifies it, which means there is a good chance the firmware-mod-kit's extract_firmware.sh script will do the job. firmware-mod-kit appears to rely on binwalk to identify offsets and filetypes for dissection. It is an incredibly useful tool for rapidly analysing firmware images, as most of the time it will have them in bits within minutes without the need to manually do any actual work 😉

And so, we run extract_firmware.sh…

So, firmware extracted with ease. We now have a nice filesystem to poke through to our heart's content. First off, we should see what our target's architecture is! This is rather simple.

[packetforger@methlab dir601_FW_102NA]$ cd fmk/rootfs/
[packetforger@methlab rootfs]$ file bin/busybox
bin/busybox: ELF 32-bit MSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked (uses shared libs), stripped

So, now we know that we are looking at a MIPS based system, which is somewhat familiar ground for us. Most routers I have come across are either MIPS or ARM, both extremely popular embedded device architectures. Personally, I find MIPS a far nicer architecture for some reason; others prefer ARM.

The extra observant will note binwalk actually tells us it is, in fact, MIPS. I am quite embarrassed to admit I had never noticed the “CPU” details in the output before, and had always relied on “run file on the busybox binary” 😛
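Both `file` and binwalk get the "32-bit MSB, MIPS" verdict from a handful of bytes in the ELF header (EI_CLASS, EI_DATA, e_type, e_machine). The following Python is an added example of mine, not code from the original post or from Binwalk/firmware-mod-kit: it reads those fields from constructed sample headers (the sample bytes and the `identify_elf`/`find_elf_headers` names are my own) and also walks a raw blob for embedded ELF headers, the way you might when an extracted rootfs is not yet available.

```python
import struct

# e_machine values from the ELF specification (subset commonly seen on routers)
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# e_type values from the ELF specification
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object (or PIE)", 4: "core"}


def identify_elf(data: bytes) -> str:
    """Return a file(1)-style summary of an ELF header; raise ValueError if it is not one."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]          # word size and byte order of the file
    bits = {1: "32-bit", 2: "64-bit"}.get(ei_class)
    endian = {1: "LSB", 2: "MSB"}.get(ei_data)
    if bits is None or endian is None:
        raise ValueError("invalid EI_CLASS/EI_DATA")
    # e_type and e_machine (offset 16) are stored in the file's own byte order,
    # so a big-endian MIPS router image must be decoded big-endian.
    fmt = (">" if ei_data == 2 else "<") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return "ELF %s %s %s, %s" % (
        bits, endian,
        ET_NAMES.get(e_type, "type %d" % e_type),
        EM_NAMES.get(e_machine, "machine %d" % e_machine),
    )


def find_elf_headers(blob: bytes):
    """Yield (offset, summary) for each plausible ELF header found in a raw blob."""
    pos = blob.find(b"\x7fELF")
    while pos != -1:
        try:
            yield pos, identify_elf(blob[pos:pos + 20])
        except ValueError:
            pass                                   # magic inside random data; skip it
        pos = blob.find(b"\x7fELF", pos + 1)


# Constructed sample headers (52 bytes each, the size of an ELF32 header):
# a big-endian MIPS executable like the DIR-601's busybox, and a little-endian ARM PIE.
SAMPLE_MIPS = (b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
               + struct.pack(">HH", 2, 8) + b"\x00" * 32)
SAMPLE_ARM = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
              + struct.pack("<HH", 3, 40) + b"\x00" * 32)

if __name__ == "__main__":
    print(identify_elf(SAMPLE_MIPS))              # ELF 32-bit MSB executable, MIPS
    for off, desc in find_elf_headers(b"\xff" * 7 + SAMPLE_MIPS + b"\x00" * 3 + SAMPLE_ARM):
        print("0x%x: %s" % (off, desc))
```

Pointing `find_elf_headers` at a real unpacked image (e.g. the bytes of `fmk/rootfs/bin/busybox`) gives the same class/endianness/machine verdict that `file` prints above.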

I would go on, but that is really all there was to it. Next time I look at this firmware, we will be looking to see what potential security issues it may suffer (with minimal effort – i.e. low hanging fruit)!

Finally, some music to see you off.