# Firmware

Unlike JTAG, where we modify and manipulate data in memory on the fly, firmware can be extracted and modified offline to achieve the same or similar results.

## Filesystem Manipulation

```bash
$ binwalk -e flashdump.bin
..
1466652    0x16611c    Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24

$ cd _flashdump.bin.extracted/squashfs-root

## Change uid of users in ./etc/passwd
## Change password hash of users in ./etc/shadow
## Change ./etc/inittab to modify what command is run when the system is powered on
## Change scripts in ./etc/init.d/
## Modify binaries, such as /bin/getty, to force (-f) authentication and bypass login (more info about this in the JTAG section)
```

```bash
## Preserve user permissions of squashfs-root by using unsquashfs
$ binwalk -e flashdump.bin
$ cd _flashdump.bin.extracted
## squashfs-root is a directory, so remove it recursively before re-extracting
$ rm -rf squashfs-root
$ sudo unsquashfs 16611c.squashfs
Parallel unsquashfs: Using 4 processors
..
created 468 files
created 61 directories
created 184 symlinks
created 1 devices
created 0 fifos
```

Pack it all back together:

```bash
$ sudo apt install squashfs-tools

## Compression (xz) and block size (262144) are reported by binwalk during extraction
$ mksquashfs squashfs-root myfs -comp xz -always-use-fragments -nopad -noappend -root-owned -b 262144

## Copy the original dump, find the filesystem offset with binwalk, then write the new filesystem at that offset with dd
$ cp flashdump.bin mod.bin
$ binwalk mod.bin
DECIMAL    HEXADECIMAL    DESCRIPTION
--------------------------------------------------------------------------------
...
1466652    0x16611C       Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24

$ dd if=myfs of=mod.bin bs=1 seek=1466652 conv=notrunc
1937464+0 records in
1937464+0 records out
1937464 bytes (1.9 MB, 1.8 MiB) copied, 10.7821 s, 180 kB/s
```
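In the output above, the rebuilt filesystem is 1937464 bytes while binwalk reported the original as 1919250, so `dd` overwrites 18214 bytes past the end of the old filesystem. The following is an added example, not part of the original notes, that checks against the original dump whether a rebuilt image fits before it is written. The function names are hypothetical, the sample data is constructed, and treating `0xFF`/`0x00` as erased padding is an assumption about the flash layout.

```python
import struct

MAGIC = b"hsqs"  # squashfs 4.0 magic as stored in a little-endian image

def squashfs_info(blob, offset=0):
    """Read block size, compression id and bytes_used from the superblock."""
    hdr = blob[offset:offset + 48]
    if len(hdr) < 48 or hdr[:4] != MAGIC:
        raise ValueError(f"no little-endian squashfs superblock at {offset:#x}")
    return {
        "block_size": struct.unpack_from("<I", hdr, 12)[0],
        "compression": struct.unpack_from("<H", hdr, 20)[0],  # 4 == xz
        "bytes_used": struct.unpack_from("<Q", hdr, 40)[0],
    }

def check_repack(dump, offset, new_fs):
    """Return (ok, reason) for writing new_fs into dump at offset."""
    old, new = squashfs_info(dump, offset), squashfs_info(new_fs)
    for key in ("block_size", "compression"):
        if old[key] != new[key]:
            return False, f"{key} differs: {old[key]} -> {new[key]}"
    new_end = offset + len(new_fs)
    if new_end > len(dump):
        return False, "new filesystem runs past the end of the dump"
    # Bytes between the old filesystem's end and the new one's end get
    # overwritten by dd; that is only safe if they are erased-flash padding.
    spill = dump[offset + old["bytes_used"]:new_end]
    if spill.strip(b"\xff\x00"):
        return False, f"{len(spill)} bytes after the old filesystem hold data"
    return True, f"fits; {len(spill)} padding bytes overwritten"

def fake_squashfs(size, block_size=262144, compression=4):
    """Constructed sample: a superblock followed by filler, not a real filesystem."""
    sb = bytearray(48)
    sb[:4] = MAGIC
    struct.pack_into("<I", sb, 12, block_size)
    struct.pack_into("<H", sb, 20, compression)
    struct.pack_into("<Q", sb, 40, size)
    return bytes(sb) + b"\xaa" * (size - 48)

if __name__ == "__main__":
    # Constructed dump: 64-byte header, 200-byte filesystem, 32 bytes of 0xFF, then data.
    dump = b"\x01" * 64 + fake_squashfs(200) + b"\xff" * 32 + b"KERNEL-DATA"
    print(check_repack(dump, 64, fake_squashfs(220)))  # grows into padding only
    print(check_repack(dump, 64, fake_squashfs(240)))  # grows into the next region
```

For the real files, read `flashdump.bin` and `myfs` as bytes and call `check_repack(dump, 1466652, new_fs)`; a failed check means the filesystem has to shrink before it can be written back.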

Image `mod.bin` is now ready to be flashed back to the target system.
