You’ve managed to get a serial console or telnet shell onto a device, but this can be very limiting. You may not have tools like find, grep and strings. Watchdog timers could reset the device. There may only be a very limited amount of storage space. So how do we copy the firmware off a device like a DVR when we don’t have FTP or SSH available?
If you have a USB socket, the quickest solution is to use a USB memory stick.
Suitable USB memory sticks
I’ve found a lot of DVRs dislike USB3 memory sticks. They should fall back to USB2, but this doesn’t always work. Personally, I really like the Sandisk Cruzer Blade drives, which come in packs of 3 for less than £10.
Size is largely irrelevant. The flash is going to be 16Mbytes or so, and the unpacked filesystem less than 512Mbytes. 8GB or 16GB memory sticks are fine.
The drive needs to be formatted in something that the DVR will support. Generally, FAT is the lowest common denominator. Don’t assume EXT2/3/4 or similar – many DVRs have custom file systems for the hard drives.
Getting a shell
We already have a shell via serial onto the Zosi DVR, as root. Telnet, command injection, a dodgy limited reverse shell – whatever. We want to get the files and firmware off.
We could maybe come up with some xmodem type transfer over serial, but it’s going to be painfully slow.
Mounting the USB memory stick
Put the USB memory stick into the DVR. Next, on the device, try running “dmesg”. This should show you if the stick has been seen.
Sometimes, dmesg does not exist. If you have a serial console, these messages may just be dumped out anyway.
Otherwise, you can check /dev/sd* for devices:
Now you want to mount the drive. The following steps are needed:
- Create an empty directory to mount the drive (/mnt/usb in this case)
- Mount the /dev/sd*1 drive that showed up before
- Go into the directory, and test that a file can be written (I used touch)
Copying Firmware
There are different levels at which we can copy the firmware off:
- The files inside the filesystem
- The raw flash memory
Both are useful, but the files tend to be lower effort.
File copy
There are some challenges here. The USB memory stick is FAT formatted and will not support all the Linux features like symbolic links. We also have limited tools on the device itself to help us here.
I tend to target individual directories. In this case, the /mnt/mtd/ directory is most interesting – it appears to contain the settings and application.
Most DVRs will support tar, but only the limited busybox version. The following command will put the entire /mnt/mtd into mnt_mtd.tgz in the current directory, which is the USB memory stick we mounted.
tar -zcvf mnt_mtd.tgz /mnt/mtd
There are more efficient ways to do this if you have full tar, but busybox tar does not support directory exclusion. You can create a list of files and provide that to tar.
Raw Flash Copy
There will be some aspects in the flash that you may not be able to see from the OS level, such as U-boot, the U-boot environment variables, and fallback/factory reset images. We can access these at the raw flash level.
First, determine if you can access the flash by running:
ls /dev/mtd*
MTD is Memory Technology Device. You can’t directly tell how big they are using ls.
You can just copy these directly onto the memory stick using:
cp /dev/mtd0 /mnt/usb/mtd0.bin
However, this one-liner is probably easier:
for f in /dev/mtd?; do cp $f /mnt/usb/${f##*/}.bin; done
Unmounting
You now need to unmount the disk. Don’t just try pulling it out – it may not have flushed. Leave the directory and run:
umount /mnt/usb
Analysis
You now have the files on a USB stick. You can analyse them at your leisure, with binwalk, emulators, strings, IDA, Ghidra!
Conclusion
This is a quick and easy way to get files and flash images off a device with only serial access. It doesn’t always work, but it often does.
Pat
October 26, 2020 at 1:56pmYou think this would work on rtos?
cybergibbons
October 26, 2020 at 4:17pmIf you can mount USB sticks and there is a filesystem or memory device, sure. I have done this on QNX, which is more limited than Linux.
Pat
October 26, 2020 at 4:33pmInteresting, I’ll try this later today and see what I find. Excellent write up, thank you.
» Copying Firmware From Embedded Devices – Library Project: Epilogue
October 27, 2020 at 12:06pm[…] https://cybergibbons.com/hardware-hacking/copying-firmware-from-embedded-devices/ […]