Scary Story: How to get free Wi-Fi in a whole City
Yurii Bilyk, 2014
AGENDA
• Embedded device architecture overview
• Tools overview
• Workshop (DEMO)
Files
• Files Archive:
– zip: http://goo.gl/UuKK51
– 7zip: http://goo.gl/Q7mcnI
• FMK : http://goo.gl/pWZzNk
• Binwalk : http://goo.gl/U1TODl
Operating Systems
Linux – Kernel 2.4 or 2.6
VxWorks – Real time OS
ZyNOS – Zyxel proprietary OS
Linux
Busybox tools
uClibc C library
/proc File System
Hardware Design
Hardware
SoC – System On Chip
Flash, DRAM, Wi-Fi, Ethernet
Serial Console
JTAG Interface
SoC
MIPS Architecture
No Floating point operations
Embedded USB controller
32 bit CPU
Flash
Serial, Parallel
NAND, NOR Flash
MTD (Memory Technology Device) instead of FTL (Flash Translation Layer)
Serial Console
Additional functions: recovery, debug, boot options, etc.
Software Debug
Works with OS/Loader
JTAG
Works directly with SoC
Full access to the Flash and Hardware
Hardware Debug options
Firmware Structure
Firmware
Boot Loader
Kernel
File System
Tag (Header)
Flash MTD
Split into chunks (partitions)
Boot, Kernel, FS, Settings, Logs
Kernel
Compressed
Usually with debug output enabled via the serial port
Linux 2.4 or 2.6
File System
CRAMFS
SQUASHFS
JFFS2
Compressed, uses MTD
etc
Must-have Set of Tools
Tools
Firmware unpackers: Firmware Mod Kit, Binwalk
Static analysis (decompile): IDA, strings, etc.
Dynamic analysis (debug): GDB, QEMU, on device
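The signature scanning that Binwalk performs on a firmware dump, as an added example (not code from the talk, Binwalk or FMK): a small Python scanner that locates SquashFS, CramFS, gzip and LZMA magic values and rejects SquashFS false positives by checking the superblock fields. The FIRMWARE image is constructed for the demo.

```python
"""Binwalk-style signature scanner (added example; not code from the talk or
from the Binwalk/FMK projects). Finds file system and compression magic values
in a raw firmware dump and validates SquashFS hits against the superblock."""
import struct

def _squashfs_ok(blob: bytes, off: int, endian: str) -> bool:
    """SquashFS 4.x superblock sanity check: major version 4, consistent block size."""
    hdr = blob[off:off + 48]
    if len(hdr) < 48:
        return False
    f = struct.unpack(endian + "4sIIIIHHHHHHQQ", hdr)
    block_size, block_log, s_major = f[3], f[6], f[9]
    return s_major == 4 and block_size == 1 << block_log

# (magic bytes as stored on flash, description, optional validator)
SIGNATURES = [
    (b"hsqs", "SquashFS (little-endian)", lambda b, o: _squashfs_ok(b, o, "<")),
    (b"sqsh", "SquashFS (big-endian)", lambda b, o: _squashfs_ok(b, o, ">")),
    (b"\x45\x3d\xcd\x28", "CramFS (little-endian)", None),
    (b"\x28\xcd\x3d\x45", "CramFS (big-endian)", None),
    (b"\x1f\x8b\x08", "gzip compressed data", None),
    (b"\x5d\x00\x00\x80", "LZMA compressed data (typical kernel)", None),
]

def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every validated hit, sorted by offset."""
    hits = []
    for magic, name, check in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            if check is None or check(blob, pos):
                hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def carve(blob: bytes, hits: list[tuple[int, str]]) -> list[tuple[int, int, str]]:
    """Turn hits into (offset, length, name) chunks; each runs up to the next hit."""
    ends = [off for off, _ in hits[1:]] + [len(blob)]
    return [(off, end - off, name) for (off, name), end in zip(hits, ends)]

# Constructed image: bootloader padding, LZMA kernel, a valid SquashFS superblock,
# a bogus "hsqs" with an all-zero superblock (must be rejected), then gzip data.
_SB = struct.pack("<4sIIIIHHHHHHQQ", b"hsqs", 10, 0, 1 << 17, 1, 1, 17, 0, 1, 4, 0, 0, 0)
FIRMWARE = (b"\xff" * 64 + b"\x5d\x00\x00\x80" + b"\x00" * 28 + _SB + b"\x00" * 16
            + b"hsqs" + b"\x00" * 44 + b"\x1f\x8b\x08\x00" + b"\x00" * 4)

if __name__ == "__main__":
    for off, length, name in carve(FIRMWARE, scan(FIRMWARE)):
        print(f"0x{off:08x}  {length:6d} bytes  {name}")
```

On a real dump, replace FIRMWARE with open(path, "rb").read(); the carved chunks correspond to the flash MTD partitions the deck describes.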
WPS Tools
WPS Vulnerabilities:
• Only an 8-digit PIN
• The PIN can be divided into 2 parts
• The last digit is a checksum
Reaver/WASH – tool to hack WPS
Aircrack-ng – tool to hack Wi-Fi
DEMO TIME
Web Materials
• http://pudeev.livejournal.com/
• http://www.devttys0.com/
• http://robocraft.ru/blog/electronics/404.html
• http://wiki.openwrt.org/
• http://routerpwn.com/