Unlike JTAG where we modify and manipulate data in the memory on the fly, we can extract firmware and modify it offline to achieve the same or similar things.
Filesystem Manipulation
$ binwalk -e flashdump.bin
..
1466652 0x16611c Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24
$ cd _flashdump.bin.extracted/squashfs-root
## Change uid of users in ./etc/passwd
## Change password hash of users in ./etc/shadow
## Change ./etc/inittab to modify what command is run when the system is powered on
## Change scripts in ./etc/init.d/
## Modify binaries, such as /bin/getty, to force (-f) authentication and bypass login (more info about this in the JTAG section)
## Preserve user permissions of squashfs-root by using unsquashfs
$ binwalk -e flashdump.bin
$ cd _flashdump.bin.extracted
$ rm squashfs-root
$ sudo unsquashfs 16611c.squashfs
Parallel unsquashfs: Using 4 processors
..
created 468 files
created 61 directories
created 184 symlinks
created 1 devices
created 0 fifos
Pack it all back together:
$ sudo apt install squashfstools
## compression (xz) and blocksize (262144) is told to us when extracting with binwalk
$ mksquashfs squashfs-root myfs -comp xz -always-use-fragments -nopad -noappend -root-owned -b 262144
## Copy original dump, find offset build file with dd
$ cp flashdump.bin mod.bin
$ binwalk mod.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
...
1466652 0x16611C Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24
$ dd if=myfs of=mod.bin bs=1 seek=1466652 conv=notrunc
1937464+0 records in
1937464+0 records out
1937464 bytes /1.9 MB, 1.8 MiB) copied, 10.7821 s, 180 kB/s
Image mod.bin is now ready to be flashed back to the target system.
