firmware hacking, slash the pineapple for fun

FIRMWARE HACKING, SLASH the PINEAPPLE FOR FUN @smrx86

Upload: idsecconf

Post on 13-Feb-2017

Category:

Technology


11 download

TRANSCRIPT

/usr/bin/whoami

- IDSECCONF 2013, 2014, 2015 speaker

- Member of OpenWrt Indonesia

- me: Opreker != Hacker

“an act of customizing firmware content that later has to be rewritten/flashed into the ROM memory of the related device”

Firmware Hacking(maybe)

Firmware Hacking

Openwrt Firmware

The steps

- Extracting

- Sorting & find unique files

- Exploitation

- Recognize

- Debugging

- Repacking

The Tools

- Binwalk 2.1.0* (analysis = good, unpack/repack = bad)

- Firmware Mod Kit* (analysis = bad, unpack/repack = good)

- USB2TTL dongle* (your safety net)

BINWALK 2.1.0 VS FMK

Binwalk 2.1.0

- Analyzed result

$ binwalk upgrade-2.2.0.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2805816 bytes
927532        0xE272C         Squashfs filesystem, little endian, version 4.0, compression: xz, size: 12259772 bytes, 2932 inodes, blocksize: 262144 bytes, created: 2015-01-12 22:39:23

Binwalk 2.1.0 - Extracted

*Binwalk ignores the prefix

Prefix content

- Vendor Name

- Firmware version

- Hardware_id

- MD5SUM

- Kernel_la

- Kernel_ep

Firmware Mod Kit

*FMK doesn't recognise the Squashfs compression type (xz), so the compression field below is empty

- Analyzed result

MD5 Checksum: 457a32d5b78cbdb5cf47fcb0fd3b719a

DECIMAL       HEX             DESCRIPTION
------------------------------------------------------------------------------------------------
512           0x200           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2805816 bytes
927532        0xE272C         Squashfs filesystem, little endian, version 4.0, compression: size: 12259772 bytes, 2932 inodes, blocksize: 262144 bytes, created: Tue Jan 13 05:39:23 2015

Firmware Mod Kit

- Extracted
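As an added illustration (not code from the talk), here is a small Python scanner that decodes what the two listings above are reporting: it reads the raw LZMA header at the given offset and finds every little-endian Squashfs v4 superblock, returning the same fields binwalk prints (version, compression, size, inodes, blocksize, created). The sample image is constructed inline with the values from the binwalk output; the compression-id table is the one from the Squashfs on-disk format, and the empty compression column in FMK's listing corresponds to an id its bundled tools do not map.

```python
import struct
from datetime import datetime, timezone

# Squashfs v4 compression ids from the on-disk format. FMK's unsquashfs knows
# only a subset, which is why its listing above shows an empty compression type.
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
SQUASHFS_MAGIC_LE = b"hsqs"          # "sqsh" stored little-endian
SUPERBLOCK_FMT = "<4sIIIIHHHHHHQQ"   # first 48 bytes of the superblock
LZMA_HEADER_FMT = "<BIQ"             # props byte, dictionary size, uncompressed size

def parse_squashfs_superblock(blob, offset):
    """Decode the superblock at `offset` into the fields binwalk reports."""
    (magic, inodes, mkfs_time, block_size, _frags, comp, _block_log, _flags, _no_ids,
     major, minor, _root, bytes_used) = struct.unpack_from(SUPERBLOCK_FMT, blob, offset)
    if magic != SQUASHFS_MAGIC_LE:
        raise ValueError("not a little-endian Squashfs superblock")
    created = datetime.fromtimestamp(mkfs_time, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {"offset": offset, "version": f"{major}.{minor}",
            "compression": SQUASHFS_COMPRESSORS.get(comp, f"unknown({comp})"),
            "size": bytes_used, "inodes": inodes, "blocksize": block_size, "created": created}

def parse_lzma_header(blob, offset):
    """Decode the 13-byte raw LZMA header (what sits at 0x200 in the listing above)."""
    props, dict_size, usize = struct.unpack_from(LZMA_HEADER_FMT, blob, offset)
    if props >= 225:  # packed as (pb*5+lp)*9+lc with pb,lp<=4 and lc<=8, so 224 is the max
        raise ValueError("invalid LZMA properties byte")
    return {"offset": offset, "properties": props,
            "dictionary_size": dict_size, "uncompressed_size": usize}

def scan_squashfs(blob):
    """Return every offset in `blob` that parses as a Squashfs superblock."""
    hits, pos = [], blob.find(SQUASHFS_MAGIC_LE)
    while pos != -1:
        try:
            hits.append(parse_squashfs_superblock(blob, pos))
        except (ValueError, struct.error):
            pass  # magic bytes with no sane superblock behind them
        pos = blob.find(SQUASHFS_MAGIC_LE, pos + 1)
    return hits

def build_sample_image():
    """Constructed image, not a real upgrade file: 0x200 bytes of vendor prefix,
    then the LZMA header and a Squashfs superblock with the values binwalk printed."""
    img = bytearray(0x1000)
    struct.pack_into(LZMA_HEADER_FMT, img, 0x200, 0x6D, 8388608, 2805816)
    struct.pack_into(SUPERBLOCK_FMT, img, 0x800, SQUASHFS_MAGIC_LE, 2932, 1421102363,
                     262144, 0, 4, 18, 0, 1, 4, 0, 0, 12259772)
    return bytes(img)
```

On a real image the Squashfs superblock lands at the offset binwalk reports (0xE272C here); the `created` field is printed in UTC, which is why FMK's local-time listing shows the same instant seven hours later.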

WHY DON'T we combine BINWALK 2.1.0 and FMK?

Fusion (Binwalk + FMK)

- Edit ./shared-ng.inc (fmk)

- Edit ./build-firmware.sh (fmk)

Debugging

- Change Hardware_id first (prefix)

* change the value at 0x0040 from 6D6B3531 to 08000001

Debugging

*Flash the router with an unmodified HW_id

Debugging

Is there any protection???

Debugging

- Trace the protection script

$ grep -lr -e 'wrong pattern entered' *
includes/welcome/welcome.inc.php

Exploitation

- Edit welcome.inc.php

*In version 2.4.0, we just need to change the comparison "==" to "!=" below the resetDips() function

Exploitation

- Edit fstab (etc/config/fstab)

Exploitation

- Edit format_sd (pineapple/components/system/resources/includes/files/format_sd)

Repacking (FMK)

*If the output size is too big, delete some files or use the “-min” option

$ sudo ./build-firmware.sh fmk/

POC & demo

BYPASS Protection

SSLSTRIP

Trapcookies

Question?

GREETINGS

Thank you to Cindy Wijaya, Xopal Unil, TisarosKaskus, Openwrt Indonesia, Om Hero lirva32, Brahmanggi Aditya, Richy Hendra, Ade Surya, ... all, human or not (^^), who always support and inspire me. And of course it’s U... ra’

USE IT WISELY.... OKKai