Firmware

Unlike JTAG where we modify and manipulate data in the memory on the fly, we can extract firmware and modify it offline to achieve the same or similar things.

Filesystem Manipulation

$ binwalk -e flashdump.bin
..
1466652    0x16611c    Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24

$ cd _flashdump.bin.extracted/squashfs-root

## Change uid of users in ./etc/passwd
## Change password hash of users in ./etc/shadow
## Change ./etc/inittab to modify what command is run when the system is powered on
## Change scripts in ./etc/init.d/
## Modify binaries, such as /bin/getty, to force (-f) authentication and bypass login (more info about this in the JTAG section)

## Preserve user permissions of squashfs-root by using unsquashfs 
$ binwalk -e flashdump.bin
$ cd _flashdump.bin.extracted
$ rm squashfs-root
$ sudo unsquashfs 16611c.squashfs
Parallel unsquashfs: Using 4 processors
..
created 468 files
created 61 directories
created 184 symlinks
created 1 devices
created 0 fifos

Pack it all back together:

$ sudo apt install squashfstools

## compression (xz) and blocksize (262144) is told to us when extracting with binwalk
$ mksquashfs squashfs-root myfs -comp xz -always-use-fragments -nopad -noappend -root-owned -b 262144

## Copy original dump, find offset build file with dd
$ cp flashdump.bin mod.bin
$ binwalk mod.bin
DECIMAL    HEXADECIMAL    DESCRIPTION
--------------------------------------------------------------------------------
...
1466652    0x16611C       Squashfs filesystem, little endian, version 4.0, compression: xz, size: 1919250, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:24

$ dd if=myfs of=mod.bin bs=1 seek=1466652 conv=notrunc
1937464+0 records in
1937464+0 records out
1937464 bytes /1.9 MB, 1.8 MiB) copied, 10.7821 s, 180 kB/s

Image mod.bin is now ready to be flashed back to the target system.