
Hello, hello, hello everyone, to our first session of BSides Noida, on IoT firmware analysis, by infosec speaker mr women's sir. He's a security analyst in environment health international and a bug hunter. He's the chapter leader of os mdhawat and organized various events. Now, not taking so much time of our guys, I'd like to hand over to mr b smith sir. Sir, please start.

Thanks. Hello everyone, so let's start. So before starting, just to start with some of the examples. So a robot security guard at Stanford Shopping Center in Silicon Valley knocked down a toddler; fortunately the child was not seriously hurt. A Chinese-made robot had an accident at a tech trade fair, smashing a glass window and injuring someone standing nearby. In 2007 a robot cannon killed nine soldiers and seriously injured 14 others during a shouting, sorry, during a shooting exercise, due to a malfunction. Robotic surgery has been linked to 144 deaths in the U.S., via the center studies.

So yep, like, when we are talking about our IoT, it's like, it's really great, like, we are, we are like damn cools, like, okay, having smart gadgets, uh, smart watches, smart cams and home, and we are like, um, showing up to the friends, like, okay, we bought this thing, we bought that thing. But, uh, like, obviously if you buy a cheap project, uh, product, or like a smart plan, like, I think hardly you will get in like 30 to 400 bucks right now, so obviously there is no security in that. Obviously you have to compromise with the security, because I think, um, it's really hard, like, to implement security in such things. Like, when we are talking about, uh, a smart bulb, so obviously you can't place a passcode over there or something like that. So obviously it will, like, uh, when it's coming to the pairing and everything, so obviously it's like a pre, like, in most of the cases, like, it's hard-coded, your username and password, in your firmware. So, like, our main goal today is, like, to check out, like, okay, the basic analyzing of a firmware. So
let's start. So, who am I? My name is vismun sudhirakucha, my handling is drug. I am SSCP, I'm CHFI, well cci security, currently working as an iron man at avalanche health international. I'm chapter leader, I am bug hunter, I'm sat member, and yep, I, I love to travel a lot, so you can say I'm a travel hippie. So yep, thanks, uh, Dalai Lama, my mom and dad, uh, BSides team Noida, and obviously my wife, I have to include her.

So yeah, that's our topic: firmware analysis, the basic approach. So before starting, what is firmware? So firmware is the data that is stored in hardware devices, uh, mostly in, like, read-only memory, that provides instructions on how the device should operate. Unlike, like, our normal software, firmware can't be changed or deleted without the aid of a special program, and remains on the device whether or not it's turned on or off. So basically that is firmware.

So firstly I want to cover that, so where is it available, like, how you can find out, like, or gather, like, the firmware for a device when you are analyzing it. So there are, like, lots of methods for that. So you can directly contact the developing team or a manufacturer or a vendor or a client, like, okay, just give me your firmware. Like, most is available on their website also, so you can go to their website. You can use Google dorks, yep, I think that's the best way, most of the hackers right now are doing that only. We can do MITM on the device communication during updates, uh, it's really your best method, but yeah, but it requires lots of skills to do that. We can extract directly from the hardware using UART or JTAG ports, mostly known as, like, um, for, uh, your UART, like, it's, uh, it's easy to use that, like, for firmware extraction and all; it's mostly known as, like, a debugging port. Uh, we can dump firmware from the bootloader; we can use U-Boot or a flashing storage, network via TFTP. Removing the flash chip, sap, that is the best option, you can use a data extraction from there also. But I think for all these things you require, like, lots of skills, and yep, I think, uh, in our coming session we'll try to cover that also.

So why firmware testing? Because, uh, firmware, I think, is, as you know, like, it's like a main thing. Whenever you buy a hardware or an IoT device or whatever device, so it's like the, uh, main thing which runs that or operates that particular hardware. Like, if I bought a smart watch, so obviously there is a firmware that gives, like, okay, I walked that much, and this is the temperature, and, and, uh, my friend called me or something like that. So everything, like, it's totally defined in the firmware. So
whenever we are doing firmware testing, so we are mostly, like, uh, looking for file information, string use, is there any hardware, sorry, is there any hard-coded credentials stored in that particular firmware, API keys, is there sensitive URLs, um, private certification. So there are, like, lots of information and juicy information present in the hardware if it's not properly encrypted. So I'm just, it's in the, like, double quote. So as I already discussed, like, we will get file information, the strings and everything. So, uh, before that I want to discuss, like, uh, more things on that.

Okay, so let's come to the, uh, point, like, okay, uh, the common reversing steps, uh, if I'm doing a firmware analysis. So that is, like: information gathering, acquire the firmware, extract it, analyze it or modify it, and just, like, repackage it.

So most of the common architecture, okay, used in, like, firmware is MIPS, that is Microprocessor without Interlocked Pipeline. This architecture is mainly used in routers, your PlayStations. And the other is ARM, that is Advanced RISC Machine. This architecture is used for mainly mobile, your SoC, that is system on chips, radios, and these types of things, these types of hardware.

So, and, uh, yeah, now talking about root files. So root files, like, most of the architecture of your, um, firmware is required, like, it contains bin, boot, dev, etc, home, media, sbin, tmp, usr, var. So these are, like, the common, for root files, um, root directories that are available over there. Uh, one more thing I want to discuss over here, like, file systems. So the common file systems that are mainly used in firmware, that is SquashFS, and JFFS, JFFS2, uh, cpio. So these are, like, commonly, um, used file systems. Mostly, uh, your firmware, they are using SquashFS. So yeah, this is a thing. So without wasting time, I don't want to waste your time on this nice Sunday.

Okay, so let's start the demo time. So this is the best thing, uh, you can go, I will share the URL, and, uh, if you want to gather information from that, so yeah, synopsis is a good tool. You will get, like, the architecture information and, like, information about the firmware which you are testing. So I just select right now from here, that is pre-built.
My system is too slow.

Okay, we will come to it later on. If you just click on it, it will give you all the information about that particular project. So you will get, like, okay, the structure and everything over here. And, uh, the best thing, if you want to practice it out, so there is a damn good site known as firmware.center, so you can download, like, firmware directly from here.

So you can select, like, whether it's a D-Link or a TP-Link, that's to say, whatever firmware you want to download, so you can directly download from here.

So yep, it uses language C, C++, this is the license, the last analyzed, line of the code to be analyzed, everything, like, most of the details are here. And if you want to, you can use the, if you want to download a firmware, you can use that as the best option, like, firmware.center. Or if you want to test, like, there is a damn good, uh, damn vulnerable framework also available, DVRF, so you can use that also. It's like a vulnerable frame box, we will get all the blocks on that, and it's like the best thing to practice on.
Okay, so I already downloaded data from there, so let's start with it. So the first thing I will use is, like, that is again a pre-installed tool in your Linux box, and, um,

so I downloaded this firmware.

Enter. Oh, okay, time to rename it.

Strings. Using, Sunday morning, I know. So you will get all the strings using that particular bin file. Oh, there are lots. So if you want, like, a number, you can use, so I want, like, a string up to, like, six letters, so you will get up to, like, six letters. What you can use, like, ten letters, it will give all the strings up to ten letters, so all the ten letters you will get. You can use one more thing, file.

So it will give you most of the information regarding that particular firmware which we downloaded. So it's like, um, the TP-Link Technologies, that is the version, that is the bytes, so, like, most of the things you will get over here. So it's like a, um, type of, like, you can say, a report on that particular thing, the firmware which we downloaded. And we are just trying to, uh, find out basic information, like, what we get over here. So we get the strings, we get what is the version of that particular firmware, what is the bytes of it, so basic things we will get. Now we are using binwalk, that is again a good tool to use. Uh, binwalk is mostly used for, like, extraction purposes, so we will extract, okay, whatever. So what I'm doing, I'm just copy-pasting

that.

So I'm using binwalk for extraction, body collection, um, oh.

Okay.

Click the links.

So we'll get lots of information over here, as we already discussed. Okay, let's done some of the details. Yep, TP-Link firmware header, you will get a header over here.

And we discussed that thing, uh, SquashFS, so it uses SquashFS, uh, algorithm to compress that particular file.
Okay, so let's check it out. So here it is. Okay, so we'll get all the information over here. So let's go to the folder. Yes, so as we already discussed, like, the root file structure, so you can see, uh, bin, dev, etc, lib, uh, linuxrc, mnt, proc, root, sbin, so everything is here. So now what, uh, we can use, like, two or three things over here. Um, the first is the manual approach, so you can go to each folder and you will check out, like, each and every file from here. Uh, and one more thing, like, if you want to find it,

so you can use hexdump also to check, um,

that is for sqfs check, so you can check from this also. Oh, sorry.

Let me change that also.

So that particular firmware is using the SquashFS file structure, so it will say over here, like, okay, it's using SquashFS file structure

over here.

But at the time, so we are using a damn good tool, firmwalker. I think it will give you all the information, just information, like, few minutes. So let's check it out.
Okay.

So it's running, it's giving you all, like, the bottom line, admin, root,

password.

Okay, so it's done. So you can check out, like, the URLs mentioned in that firmware, IP addresses, tokens, secrets. Plus point, uh, it will make a text file over here, so we can directly check on that.

So this is our text file with all the information that is displayed over here. So the config file, the db file, nice thumbs tv, nothing interesting. Um, admins, root, lots of information, um, passwords, this is a private key. So let's check out the root thing. Okay, so let's go to check out the path: squashfs-root, etc, group.

There are lots of files, like, we'll check it out. So let's open my one post config. There is nothing to find. Services, you can check all the services over here. These are the financial services, obviously it's a router firmware, so find lots of services to learn. Um,

so these are the final login files, mount, busybox. Um, so I already did that, so I'm just, without wasting time, jumping to one of the best files over here.

So let's check out this thing: squashfs-root slash
You can see there is the username root, and this is the password, again hash. So there are two options, like, I think most of the people, we know, like, how to crack a hash. So you can use, um, John the Ripper, Johnny is there,

it's already, I mentioned. So yeah, but it is a bit time-taking, so I can show you, and, uh, I will tell you the password is admin, I already did that. Uh, other thing you can do is you can simply Google it, right here on Google.

So we Google it.

So you can check out, like, few links you can find over here.

Uh, there is one, CrackStation, also, I think you can check in that also. Sketching.

It's like, those of me, like, to crack that particular hash, it's for convenience, you can use whatever you like. Oh, it's an impression.

You can use CrackStation, but I already told you, like, so password is, that's why it's ready. So, like, it's like a simple example, like, there is a hard-coded password in that. So, and I think you can even see, like, a lot of things also, uh, what's your password, like, defined.
There are lots of, like, telnet service you can check, secrets you can check, so there are lots of, like, juicy information is already present. I can check the URLs also, yeah, IP address, predefined IP addresses are there, some URLs also there. So you will get, like, lots of juicy information. So if you are using a hardware and if you didn't check, like, because most of the companies, like, if you are purchasing, uh, a not so costly IoT device, so I think the company, they don't believe, like, to secure that particular thing. Because I think you can check, like, like, uh, in your news or whatever you heard, like, lots of time, like, the cam is open, even, um, your smart lights, like, one can easily, uh, hack it. I mean, not exactly hack it, but yep, one can easily, like, unauthorized pair it, and they can change the light, they can get, like, lots of information from there. So yeah, that is the information, oh sorry, that is the issue when we are using, um, IoT devices, or like low-cost devices. So I think your company, they, like, hardly believe, like, to put security over there. Yeah, so that's the thing.

Yep, so coming to the next part. Yeah, uh, one more thing is there, like, you can online, um, test your firmware. Okay, but the issue is that, there is a damn good site, firmware.re, but it's not that reliable, so sometimes, like, um, you have to wait, like, for three to four hours. So it's, like, dependent on that website, whether it's running fine or not. So you have to just, damn easy, just, like, upload a file, simply drag and drop over here. So we'll sign,

simple drag and drop, it will upload that particular firmware. As I told you, this site is really bad. Yep, sometimes you can use it, like, you're in a hurry and you just want to show something to your, yeah. So it will upload the whole firmware over here and then it will analyze it, and yeah, I think they are discussing that, I just want to show you that.
See, let's try with some

other firmware, and add it, just want to show that also, and add this one. Let's check, like, this.

Great.

This particular firmware is using SquashFS, as we already discussed, file, our, system, so you can, like, get that information also from here. So we checked out, like, um, so we checked out, like, tools: file, speeded, the strings, binwalk,

or you can directly check with, uh, grep

also.

Uh,

so if a telnet is there in that particular firmware, so you can use that also. So see, you will get, like, lots of information from the grep command also, that is the best thing you can use. So that's all, like, I want to show you, like, the basic approach of a firmware, how you can do it, what is it. And so these are the references, like, if you want, and if you have any query you can contact me. So thank you guys. Uh, so this is my contact information. If you have any, uh, if you want any help, like, doing IoT VAPT or any other thing, you can just directly buzz me up. And yeah, the question of the day is,
like, uh, list down any three tools we used in this session.
If anyone has any questions about anything.

Thank you, sir, for your valuable information with us, and we have learned a lot from your session. I hope we can do more sessions in future also.

Sure, anytime. Thanks, team BSides Noida, thanks everyone, a visa and all, thanks.

Thank you everyone for joining with us. For more videos, for more sessions like, please subscribe. How was this