Unlike JTAG where we modify and manipulate data in the memory on the fly, we can extract firmware and modify it offline to achieve the same or similar things.
Filesystem Manipulation
$binwalk-eflashdump.bin..1466652 0x16611c Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24
$cd_flashdump.bin.extracted/squashfs-root## Change uid of users in ./etc/passwd## Change password hash of users in ./etc/shadow## Change ./etc/inittab to modify what command is run when the system is powered on## Change scripts in ./etc/init.d/## Modify binaries, such as /bin/getty, to force (-f) authentication and bypass login (more info about this in the JTAG section)
## Preserve user permissions of squashfs-root by using unsquashfs $binwalk-eflashdump.bin$cd_flashdump.bin.extracted$rmsquashfs-root$sudounsquashfs16611c.squashfsParallelunsquashfs:Using4processors..created468filescreated61directoriescreated184symlinkscreated1devicescreated0fifos
Pack it all back together:
$sudoaptinstallsquashfstools## compression (xz) and blocksize (262144) is told to us when extracting with binwalk$mksquashfssquashfs-rootmyfs-compxz-always-use-fragments-nopad-noappend-root-owned-b262144## Copy original dump, find offset build file with dd$cpflashdump.binmod.bin$binwalkmod.binDECIMALHEXADECIMALDESCRIPTION--------------------------------------------------------------------------------...1466652 0x16611C Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24
$ddif=myfsof=mod.binbs=1seek=1466652conv=notrunc1937464+0recordsin1937464+0recordsout1937464bytes/1.9MB,1.8MiB) copied, 10.7821 s, 180 kB/s
Image mod.bin is now ready to be flashed back to the target system.
