Bootloader Agent

Firmware Reviewer provides a Bootloader Agent (to be purchased as an additional Firmware Reviewer module) for enhancing the firmware's Dynamic Analysis. It gives the ability to make changes to a firmware image automatically, without recompiling the firmware sources. It works by extracting the bootloader component from the firmware image, then extracting the init system image, modifying them, and rebuilding the whole firmware image. No physical device is needed. The Bootloader Agent is meant for the Emulation environment only, in order to monitor the boot-up phase and leak additional information from the running firmware, like encryption details and access credentials.

The Bootloader Agent's main features:

  • add initialization scripts to the bootloader, in order to monitor the emulation boot-up process

  • install new packages, like: encryption unlocker, credentials leaker, private keys logger, backdoors tracker, streaming tracker

  • extend/change HTTP managed console

  • remove un-needed packages, cutting features impossible to emulate

  • mix-and-match packages from various flavors of the firmware image

  • operate with minimal CPU, storage and memory overheads

  • manipulate the original firmware image CRC

  • skip bootloader security by simulating a corrupted bootloader. If the bootloader security cannot be skipped, common components like Busybox, DropBear SSH, Dnsmasq, wpa_supplicant, etc. are replaced with a modified version containing the packaged part of the Agent.

Our Bootloader Agent can also replace most open-source SIP modules, like:

As well as most open-source SIP clients:

The Bootloader Agent has been tested for the following devices, amongst many others:

  • ABB SAP_S_13_FW_XX_V252_2CKA000292E2023 (Smart Meter)

  • AGSTAR APP202 (Receiver)

  • ALICE W-GATE Router-telsey_magic_070120_1306

  • Arduino Arduplane (Drone)

  • ASUS WL-330g, WL-500g/p, WL-520g, WL-530g, WL-550g (Access Points)

  • ASUS RT-AC1200G, RT-AC1900P, RT-AC3100, RT-AC3200, RT-AC5300, RT-AC56U (AC1200), RT-AC56U, RT-AC66U, RT-AC68U, RT-AC87, RT-AC56U U, RT-AC86P, RT-G32, RT-N10, RT-N10U, RT-N12, RT-N12U, RT-N13, RT-N13U, RT-N14, RT-N14U, RT-N15, RT-N15U, RT-N16, RT-N18U, RT-N53U, RT-N66U (Routers)

  • BaiStation_FDD_U_V100R001C00B030SPC006_191121T01 (Base Station)

  • BCE AP, IDO, ODU (Base Station)

  • Belkin 7230-4, 7231-4, F9K1124_WW (Routers)

  • Busch-jaeger 6197-1X-101 (Access point)

  • Buffalo WHR-G54S, WHR-HP-G54 (Routers)

  • CANON Powershot SX-220 (Camera)

  • CISCO RV32X Dual Gigabit WAN VPN Router, ASR9000 Aggregation Router

  • CISCO LinkSys WRT54G v1 - v6, WRT54GS v1 - v6, WRTSL54G (Routers)

  • CITRIX NetScaler ADC (Appliance Image)

  • Comtrend 802.11n (300Mbps) Wireless ADSL2+ Router AR-5382u-a731, AR-5381u-A731

  • Creality 3D Ender 3 - 3D Printer-Ender-3 V2-Marlin-2.0.1 (3D Printer)

  • Dahua DH_HCVR5x08-S3, DH_IPC-HX8XXX-Eos (Surveillance)

  • Deauther DSTIKE NodeMCU (Router)

  • DLINK DIR 615, DIR 820L (Router)

  • Eaton SAM Display 12-1-9-1 (Smart Meter)

  • HUAWEI AR-160, B612S (Routers)

  • IDEMIA-MorphoAccess-Sigma (Biometric Device)

  • Milli SFI sig.01.04.1007.127281 (Smart Meter)

  • Panasonic Camera GM5

  • Reolink_4MP-Wireless_Dual-Band_WiFi_Security_Camera-RLC-410W (Surveillance)

  • Schneider PM51xx, PM 51xx, PM 53xx, PM 200, PM 710, PM 750, PM 800, PM 8000 (Smart Meters)

  • Schneider_Modicon_M580_PLC-PAC-BMEP582040S (PLC-PAC)

  • Schneider_SCADA_Pack_300E_TRSS-Trio-Ethernet-E-Series (SCADA)

  • Siemens Gigaset SE505 Router

  • Siemens SIMATIC IOT2000 (IoT Gateway)

  • StarSat SR-9000HD (Satellite)

  • TP-LINK Wireless N Router-Archer (Router)

  • Trendnet TEW-632BRP (Router)

  • Vstarcam C7824WIP-CH (Surveillance)

  • wdtv livehub (Smart TV)

  • ZyXEL MAX218MW Gateway

From the extraction point of view, it doesn't matter which firmware image you supply. These images usually share the same bootloader type and differ only in the header format. The rebuilding process creates images for the various models. An extraction log is created.

In addition to making changes automatically, Firmware Reviewer makes use of pre-built IPKG-format package files together with their ipkg_install/remove scripts.

Packages are pre-built collections of files pertaining to a set of software. These packages are stored in a tar/gzip archive of a pre-defined structure that includes some control files. 
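The following is an added example, not Firmware Reviewer's own code, showing what the package structure described above looks like and how a reviewer can validate such a package before it is placed into a rebuilt image. It assumes the classic ipkg/opkg layout (an outer tar/gzip archive holding `debian-binary`, `control.tar.gz` and `data.tar.gz`, with a `control` file inside `control.tar.gz`) and the usual `Package`/`Version`/`Architecture` control fields; the path-safety rule for `data.tar.gz` entries and the sample packages are this example's own constructions.

```python
"""Build and audit a minimal IPKG (.ipk) package entirely in memory.

Added example, not Firmware Reviewer's code. Layout assumed: outer tar/gzip
containing debian-binary, control.tar.gz and data.tar.gz (classic ipkg/opkg
convention). The audit rules below are this example's own choices.
"""
import io
import posixpath
import tarfile

# Control fields this example treats as mandatory (assumption, see lead-in).
REQUIRED_CONTROL_FIELDS = ("Package", "Version", "Architecture")


def _tar_gz_bytes(members):
    """Pack members into an in-memory gzip tar. A bytes value becomes a
    regular file; a str value becomes a symlink pointing at that target."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            if isinstance(data, str):
                info.type = tarfile.SYMTYPE
                info.linkname = data
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_ipk(control_fields, files):
    """Assemble an .ipk: control fields -> control.tar.gz, files -> data.tar.gz."""
    control_text = "".join(f"{k}: {v}\n" for k, v in control_fields.items())
    control_tgz = _tar_gz_bytes({"./control": control_text.encode()})
    data_tgz = _tar_gz_bytes(files)
    return _tar_gz_bytes({
        "./debian-binary": b"2.0\n",
        "./control.tar.gz": control_tgz,
        "./data.tar.gz": data_tgz,
    })


def _read_tar_gz(blob):
    """Return {normalised member name: bytes} for regular files in a gzip tar."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[posixpath.normpath(member.name)] = tar.extractfile(member).read()
    return out


def parse_control(text):
    """Parse the 'Key: value' lines of a control file (continuations ignored)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def _path_is_safe(name):
    """Entries must unpack below the firmware root: no absolute paths and
    no '..' component after normalisation (so './a/../../x' is rejected)."""
    if name.startswith("/"):
        return False
    return ".." not in posixpath.normpath(name).split("/")


def audit_data_members(data_tgz):
    """List data.tar.gz entries (paths or link targets) that escape the root."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data_tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not _path_is_safe(member.name):
                findings.append(f"unsafe path: {member.name}")
            if (member.issym() or member.islnk()) and not _path_is_safe(member.linkname):
                findings.append(f"unsafe link target: {member.name} -> {member.linkname}")
    return findings


def inspect_ipk(blob):
    """Validate an .ipk. Returns (ok, findings, control_fields)."""
    findings = []
    outer = _read_tar_gz(blob)
    for needed in ("debian-binary", "control.tar.gz", "data.tar.gz"):
        if needed not in outer:
            findings.append(f"missing member: {needed}")
    if findings:
        return False, findings, {}
    control_raw = _read_tar_gz(outer["control.tar.gz"]).get("control", b"")
    control = parse_control(control_raw.decode())
    for field in REQUIRED_CONTROL_FIELDS:
        if field not in control:
            findings.append(f"control file lacks {field}")
    findings.extend(audit_data_members(outer["data.tar.gz"]))
    return not findings, findings, control


# Constructed samples: a well-formed boot-monitoring package, and one that
# lacks control fields and carries entries pointing outside the root.
GOOD_IPK = build_ipk(
    {"Package": "agent-monitor", "Version": "1.0", "Architecture": "mipsel"},
    {"./etc/init.d/agent-monitor": b"#!/bin/sh\nlogger 'boot-up monitor started'\n"},
)
BAD_IPK = build_ipk(
    {"Package": "bad-sample"},
    {"../../etc/passwd": b"root::0:0::/:/bin/sh\n", "./lib/libc.so": "/etc/shadow"},
)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_IPK), ("bad", BAD_IPK)):
        ok, findings, control = inspect_ipk(blob)
        print(label, "ok" if ok else "rejected", control.get("Package"), findings)
```

`inspect_ipk` never extracts to disk; it reads members through `tarfile` only, so a hostile archive cannot write outside the working directory during the audit itself. The same check applies whichever firmware model the rebuilt image targets, since the package layout is independent of the image header format.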

DISCLAIMER: our Bootloader Agent never operates on physical devices.