# Firmware

Unlike JTAG, where we modify data in memory on the fly, firmware can be extracted and modified offline to achieve the same or similar results.

## Filesystem Manipulation

```bash
$ binwalk -e flashdump.bin
..
1466652    0x16611c    Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24

$ cd _flashdump.bin.extracted/squashfs-root

## Change uid of users in ./etc/passwd
## Change password hash of users in ./etc/shadow
## Change ./etc/inittab to modify what command is run when the system is powered on
## Change scripts in ./etc/init.d/
## Modify binaries, such as /bin/getty, to force (-f) authentication and bypass login (more info about this in the JTAG section)
```

```bash
## Preserve user permissions of squashfs-root by using unsquashfs
$ binwalk -e flashdump.bin
$ cd _flashdump.bin.extracted
## squashfs-root is a directory, so it has to be removed recursively
$ rm -rf squashfs-root
$ sudo unsquashfs 16611c.squashfs
Parallel unsquashfs: Using 4 processors
..
created 468 files
created 61 directories
created 184 symlinks
created 1 devices
created 0 fifos
```

Pack it all back together:

```bash
$ sudo apt install squashfs-tools

## The compression (xz) and blocksize (262144) are reported by binwalk during extraction
$ mksquashfs squashfs-root myfs -comp xz -always-use-fragments -nopad -noappend -root-owned -b 262144

## Copy the original dump, find the filesystem offset with binwalk, then write the rebuilt filesystem at that offset with dd
$ cp flashdump.bin mod.bin
$ binwalk mod.bin
DECIMAL    HEXADECIMAL    DESCRIPTION
--------------------------------------------------------------------------------
...
1466652    0x16611C       Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24

$ dd if=myfs of=mod.bin bs=1 seek=1466652 conv=notrunc
1937464+0 records in
1937464+0 records out
1937464 bytes (1.9 MB, 1.8 MiB) copied, 10.7821 s, 180 kB/s
```
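
In the run above the rebuilt filesystem is 1937464 bytes, while binwalk reported a size of 1919250 for the original, so `dd` writes 18214 bytes past where the original filesystem ended. The following added example (not part of the original page) reads the SquashFS superblock and reports whether those extra bytes land on padding or on other data. The helper names and the choice of 0x00/0xFF as padding are assumptions, and the sample image is constructed.

```python
import struct

SQFS_MAGIC = 0x73717368          # b"hsqs" read as a little-endian u32
PAD_BYTES = (0x00, 0xFF)         # assumption: unused flash reads as 0x00 or 0xFF

def read_superblock(image: bytes, offset: int = 0) -> dict:
    """Return the SquashFS 4.0 superblock fields relevant to repacking."""
    magic, inodes, mkfs_time, block_size = struct.unpack_from("<4I", image, offset)
    if magic != SQFS_MAGIC:
        raise ValueError(f"no little-endian SquashFS magic at {offset:#x}")
    (bytes_used,) = struct.unpack_from("<Q", image, offset + 40)
    return {"inodes": inodes, "mkfs_time": mkfs_time,
            "block_size": block_size, "bytes_used": bytes_used}

def overwrite_report(dump: bytes, offset: int, new_fs: bytes) -> dict:
    """Describe what writing new_fs at offset (dd conv=notrunc) would touch."""
    old, new = read_superblock(dump, offset), read_superblock(new_fs)
    old_end = offset + old["bytes_used"]
    new_end = offset + len(new_fs)
    spill = dump[old_end:new_end]            # data beyond the old filesystem
    clobbered = sum(b not in PAD_BYTES for b in spill)
    past_eof = max(0, new_end - len(dump))   # dd would grow the image by this much
    return {"growth": len(new_fs) - old["bytes_used"],
            "block_size_match": old["block_size"] == new["block_size"],
            "clobbered_bytes": clobbered,
            "past_end_of_dump": past_eof,
            "safe": clobbered == 0 and past_eof == 0}

def fake_sqfs(size: int, block_size: int = 262144) -> bytes:
    """Constructed sample: valid superblock header fields, zero-filled body."""
    sb = struct.pack("<4I", SQFS_MAGIC, 714, 0, block_size).ljust(40, b"\0")
    return (sb + struct.pack("<Q", size)).ljust(size, b"\0")

if __name__ == "__main__":
    # Constructed layout: 64-byte header, 200-byte fs, 32 bytes of 0xFF, then data.
    dump = b"\x01" * 64 + fake_sqfs(200) + b"\xff" * 32 + b"CFG!" * 4
    for new_size in (220, 240):
        print(new_size, overwrite_report(dump, 64, fake_sqfs(new_size)))
```

Against the real files, pass the contents of `flashdump.bin`, the offset 1466652 and the contents of `myfs`; a non-zero `clobbered_bytes` means the rebuilt filesystem overlaps whatever follows it in the image.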

Image `mod.bin` is now ready to be flashed back to the target system.
