Today, I'm going to show you how to use binwalk to extract a kernel image and filesystem from a firmware image that runs embedded Linux. This is actually a very common configuration; embedded Linux is a very popular alternative to writing your own embedded system from scratch.
I'm going to use the firmware image from TP-Link's NC200 Cloud Camera. You can download the firmware image from TP-Link's site if you want to follow along. And seriously, kudos to TP-Link — if you look around their site, they're distributing the source code they're using in their devices. Granted, I think that GPL compliance is part of the reason they're doing it, but still, other companies don't and it's a really good idea. It allows folks to start to develop their own apps on TP-Link's devices, potentially creating an IoT platform for TP-Link. It also gives cybersecurity researchers something to work with so they can find potential problems before others do. Good for them.
Anyway, let's look at the NC200 firmware. They have two versions up. I downloaded the A version for this. You can use the other if you'd like something slightly different. First, let's take a quick look through the contents:

    cclamb@fawkes:~/Work/tplink/nc200 $ binwalk NC200_2.1.7_Build_160315_Rel.27420.bin

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    104448        0x19800         U-Boot version string, "U-Boot 1.1.3 (Sep 15 2015 - 08:38:27)"
    106096        0x19E70         xz compressed data
    127264        0x1F120         uImage header, ... , CPU: MIPS, ..."Linux Kernel Image"
    127328        0x1F160         LZMA compressed data, ...
    1984851       0x1E4953        JFFS2 filesystem, little endian

This by itself is interesting. We can already see the bootloader used, the kernel, the target CPU architecture, and the filesystem type. JFFS2 is what OpenWRT uses, too, by the way.
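The uImage line in that scan comes from a fixed 64-byte, big-endian legacy U-Boot header, which you can parse and CRC-check yourself to confirm a signature hit. The following is an added example, not code from the original post or from binwalk; the function names and the sample image it builds are constructed for illustration.

```python
import struct
import zlib

MAGIC = 0x27051956                      # legacy U-Boot image magic
HEADER = struct.Struct(">7I4B32s")      # 64 bytes, all fields big-endian
ARCH = {2: "ARM", 5: "MIPS"}            # subset of U-Boot's IH_ARCH_* values
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def parse_uimage(blob, offset):
    """Parse and integrity-check the legacy uImage header at `offset`."""
    raw = blob[offset:offset + HEADER.size]   # short input -> struct.error
    (magic, hcrc, _time, size, load, entry, dcrc,
     os_id, arch, kind, comp, name) = HEADER.unpack(raw)
    if magic != MAGIC:
        raise ValueError("no uImage magic at 0x%X" % offset)
    # The header CRC is computed with the CRC field itself zeroed.
    zeroed = raw[:4] + b"\x00" * 4 + raw[8:]
    data = blob[offset + HEADER.size:offset + HEADER.size + size]
    return {
        "offset": offset, "size": size, "load": load, "entry": entry,
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "is_linux_kernel": os_id == 5 and kind == 2,  # IH_OS_LINUX, IH_TYPE_KERNEL
        "arch": ARCH.get(arch, arch), "comp": COMP.get(comp, comp),
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def find_uimages(blob):
    """Return parsed headers for every magic hit whose header CRC verifies."""
    hits, needle = [], struct.pack(">I", MAGIC)
    pos = blob.find(needle)
    while pos != -1:
        try:
            info = parse_uimage(blob, pos)
            if info["header_crc_ok"]:   # discard false-positive magic matches
                hits.append(info)
        except (ValueError, struct.error):
            pass
        pos = blob.find(needle, pos + 1)
    return hits


def build_sample(payload=b"constructed-kernel-payload", pad=0x120):
    """Constructed image (not the NC200 firmware): padding, header, payload."""
    fields = [MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
              zlib.crc32(payload), 5, 5, 2, 3, b"Linux Kernel Image"]
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return b"\x00" * pad + HEADER.pack(*fields) + payload
```

To check the real image, read the .bin file into a bytes object and call parse_uimage with the 0x1F120 offset binwalk reported. A data CRC mismatch there means the kernel payload does not match its header, which is worth knowing before trusting anything extracted from it.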
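But we can go further than this. The -e flag tells binwalk to extract everything it recognizes, and -M makes it recursively scan the files it extracts. Check this out: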

    cclamb@fawkes:~/Work/tplink/nc200 $ binwalk -eM NC200_2.1.7_Build_160315_Rel.27420.bin

    Scan Time:     2017-04-23 17:33:31
    Target File:   /home/cclamb/Work/tplink/nc200/NC200_2.1.7_Build_160315_Rel.27420.bin
    MD5 Checksum:  b9824fac60e302add83daa0ea27b10d6
    Signatures:    344
    ...

Now, move into the _NC200_2.1.7_Build_160315_Rel.27420.bin.extracted directory and take a look around. The bootloader image is in the 19E70 file and the kernel components are in the _1F160.extracted directory. The filesystem, uncompressed, is in the jffs2-root directory. We have another one, too; take a look at _NC200_2.1.7_Build_160315_Rel.27420.bin.extracted/_1F160.extracted/_432000.extracted/cpio-root.
The filesystem is very interesting — this is where the binaries that provide the cloud and camera services live. We'll take a closer look at these next.