I recently pulled a Linksys EA4500 out of storage for evaluation. The first thing I wanted to do was to update the firmware for the device.
https://www.linksys.com/us/support-article?articleNum=148385 offers the latest version of the firmware, which is 3.1.7 as of this writing.
However, we can see with the filename that its probably encrypted: FW_EA4500V3_3.1.7.181919_prod.gpg.img
When I run binwalk I don't get any meaningful results, confirming my suspcicions:
There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.
These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.
The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys.
| #!/bin/sh | |
| # | |
| # A Small Shell script to check a binary for different microcontroller cpu architectures. | |
| # | |
| # This works by importing the binary into a project in Ghidra | |
| # And then iteratively attempting to analyze chunks of the binary firmare | |
| # all while timing the analysis. | |
| # | |
| # The theory is Ghidra should take noticeably longer to analyze a valid |
| linux-firmware-20231111/rtl_bt/rtl8851bu_fw.bin full(0xc260) None chunk(0x400;2) MIPS16 | |
| linux-firmware-20231111/rtl_bt/rtl8822cs_fw.bin full(0xf474) None chunk(0x200;2) MIPS16 | |
| linux-firmware-20231111/rtl_bt/rtl8852cu_fw_v2.bin full(0x1b939) None chunk(0x300;3) MIPS16 | |
| linux-firmware-20231111/rtl_bt/rtl8761bu_fw.bin full(0xadc4) None chunk(0x200;2) MIPS16 | |
| linux-firmware-20231111/rtl_bt/rtl8822cs_config.bin full(0x21) None chunk(0x0;0) None | |
| linux-firmware-20231111/rtl_bt/rtl8761b_config.bin full(0x19) None chunk(0x0;0) None | |
| linux-firmware-20231111/rtl_bt/rtl8723d_fw.bin |
I have a collection of QEMU VMs for different CPU Architectures. In an attempt to fill in some gaps on architectures I lacked VMs for, I decided to spin up a PowerPC32 VM under QEMU. I chose Debian-PowerPC as the OS.
Install the prerequisite PowerPC packages:
# apt-get install qemu-system-ppc openbios-ppc
In this short tutorial we will go over how to reproduce the crash from CVE-2020-8597. This is a stack-based buffer overflow in the pppd binary.
We will use our own pppd binary compiled from source, using the latest version: 2.4.8.
To accomplish this goal, we will need two Virtual Machines connected by a virtual serial port. I typically use VirtualBox since it is open source, but the same sort of configuration should work on other hypervisors.
I spun up two VMs:
It is well know that through the ip and ifconfig commands it is possible to change a MAC address temporarily, meaning the change will not persist across host reboots.
But what if you would like to change your MAC address in a more permanent fashion? Is there a way to, through software, permanently change your network interface card's MAC address?
It turns out the answer is yes, and the tool to do so is called ethtool.
Ethtool comes pre-installed on many stock distributions of Linux, but can also be installed from your package manager of choice if necessary.
One of the most useful commands I've developed for reviewing source is a command to extract all strings from a
given directory. To execute this command, open a terminal and cd into the directory containing the source you
would like to audit. Next, run:
egrep -e "(\"|')(\w|\s|\d)*(\"|')" -r -h -I -o . | sort -u
In this tutorial we will detail how to connect two linux hosts via 56k modems. To do this we will use the following components:
linksys SPA-2102 on ebay | $18-$25 )
I recently ran into a situation where binwalk -M -e $FIRMWARE failed me. This was for a Netgear firmware image that ended in a .chkextension.
The firmware file name was R7960P-V1.0.1.34_1.0.20.chk.
This is the output when I ran binwalk R7960P-V1.0.1.34_1.0.20.chk:
$ binwalk R7960P-V1.0.1.34_1.0.20.chk