The Internet of Things (IoT) has become an integral part of modern technology, encompassing various devices such as smart home appliances, security systems, and industrial controls. However, many IoT devices suffer from security vulnerabilities due to outdated firmware, weak authentication mechanisms, and poor software implementations. As ethical hackers and cybersecurity researchers, understanding how to dump, analyze, and exploit IoT firmware is crucial in identifying and mitigating these vulnerabilities.
This article explores the process of extracting and analyzing firmware from IoT devices, particularly wireless routers. We will discuss the necessary tools, the methodology for firmware extraction, unpacking, emulation, and possible exploitation techniques. This tutorial focuses on two specific routers:
TP-Link TD-W8151n Wireless Router
TP-Link WR841n Wireless Router
By following this guide, you will gain a practical introduction to IoT hacking and learn how to emulate firmware for further exploitation.
Lab Tools
To extract and analyze firmware from IoT devices, we need specific hardware and software tools. Below is a list of tools required for this article:
Hardware Tools
CH341A Programmer - A USB-based EEPROM programmer used to interface with flash memory chips.
SOIC8 Clip - A clip used to connect the programmer to SOIC8 memory chips without soldering.
Raspberry Pi (optional) - Can be used as an alternative to CH341A for dumping firmware.
Multimeter - Used to measure voltage levels on the board to ensure safe connections.
Screwdrivers and tweezers - For disassembling IoT devices and accessing internal components.
We chose these tools as the best balance of accessibility and quality we could find to make this post as interesting as possible and to help you do it yourself. I tested all the linked tools and used them throughout this tutorial.
Software Tools
flashrom - An open-source tool used to read and write flash memory.
binwalk - A tool for firmware analysis, capable of extracting file system images.
qemu-system-arm - A full-system emulator for running ARM-based firmware.
qemu-arm - A user-mode emulator to run individual binaries from the extracted firmware.
lsusb - A command-line utility for listing connected USB devices.
Firmware dumping and unpacking
Most IoT devices use flash memory to store firmware and system configurations. There are different types of flash memory:
NOR Flash - Common in routers and embedded systems, known for fast random read speeds.
NAND Flash - Used in larger storage applications but requires error correction mechanisms.
In our case, both TP-Link routers use NOR Flash (SOIC8 package), which makes it relatively easy to interface with using SPI-based tools.
On our TP-Link TD-W8151n this looks like this:
We then dumped the firmware with the CH341A and flashrom, as follows.
First, identify the flash memory chip on the router's circuit board. It is usually an 8-pin SOIC package labelled with a part number such as W25Q32 (a Winbond 32 Mbit, i.e. 4 MB, SPI NOR chip).
Before connecting anything, power the router off and unplug it; the programmer will power the chip. Check the chip's datasheet for its supply voltage (SPI NOR flash in routers is almost always 3.3 V) and use the multimeter to confirm what your CH341A board actually drives on its data pins: many cheap boards output 5 V logic, which can damage a 3.3 V chip.
Next, attach the SOIC8 clip to the flash chip, lining up pin 1 of the clip with the pin 1 marker (the dot) on the chip.
Then, attach the CH341A programmer to the computer via USB.
Verify the connection using:
lsusb
If the CH341A is detected, it will appear in the output.
Dump the firmware using flashrom:
flashrom -p ch341a_spi -r firmware.bin
This command reads the entire flash chip and saves it as firmware.bin. Read it a second time into a different file and compare the two (for example with sha256sum): if the dumps differ, the clip is not seated properly or the board is back-powering the chip, and neither dump can be trusted.
With the firmware dumped, the next step is to unpack it and get at the root filesystem. We use binwalk for this.
First, scan the image for known file signatures:
binwalk firmware.bin
This command lists the embedded components it recognises, such as compressed archives, a kernel image, a file system, and executable binaries, together with the byte offset of each.
Then extract the firmware using:
binwalk -Me firmware.bin
This command extracts (-e) everything it finds and recurses into nested images (-M, "matryoshka") into a new directory, _firmware.bin.extracted.
binwalk normally unpacks a squashfs or cramfs image straight into a squashfs-root or cramfs-root directory. If it only leaves the raw file system image behind, navigate into the extracted directory and mount it read-only:
sudo mount -o loop,ro extracted_firmware/rootfs.img /mnt/firmware
Either way, we can now explore the firmware's file system as if it were a standard Linux directory.
Exploitation and emulation
To analyze the firmware in a controlled environment, we can emulate it using QEMU. Before choosing an emulator, confirm the target architecture by running file on any ELF in the extracted root filesystem (bin/busybox is a good candidate); the commands below assume it reports ARM.
Full-system emulation with qemu-system-arm needs a kernel, so check whether binwalk extracted a uImage:
ls extracted_firmware
Alternatively, run individual binaries in user mode, pointing QEMU at the extracted root so that the dynamic loader and shared libraries are resolved from the firmware rather than the host:
qemu-arm -L cramfs-root/ cramfs-root/bin/<binary>
The -L option sets the prefix for the ELF interpreter and libraries. If file reports MIPS instead, which is common for TP-Link routers of this class, substitute qemu-mips (big-endian) or qemu-mipsel (little-endian) and qemu-system-mips. Expect some binaries to fail under user-mode emulation because they look for NVRAM, device nodes or router-specific kernel interfaces that do not exist on the host.
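The signature scan that binwalk performs, and the architecture check that decides between the ARM and MIPS QEMU binaries, can both be seen in miniature below. This is an added example written for this page, not binwalk's code or anything from the TP-Link firmware: it scans a constructed, in-memory "flash image" for a handful of common magic values and parses the U-Boot uImage header it finds, verifying the header CRC and reporting the architecture code (2 = ARM, 5 = MIPS, 22 = ARM64, as defined by U-Boot). The sample image, the offsets 0x100 and 0x800, and the header field values are all made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UIMAGE_MAGIC   0x27051956u
#define UIMAGE_HDR_LEN 64
#define SAMPLE_LEN     0x1000

/* U-Boot image_header_t: seven big-endian 32-bit words, four bytes, 32-byte name */
struct uimage_hdr {
    uint32_t magic, hcrc, time, size, load, ep, dcrc;
    uint8_t  os, arch, type, comp;
    char     name[32];
};

/* Standard CRC-32 (same polynomial and conventions as zlib's crc32, which U-Boot uses) */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse a uImage header at buf. Returns 1 only if the magic matches and the
 * header CRC (computed over the header with the hcrc field zeroed) verifies. */
int parse_uimage(const uint8_t *buf, size_t len, struct uimage_hdr *h) {
    uint8_t tmp[UIMAGE_HDR_LEN];
    if (len < UIMAGE_HDR_LEN || be32(buf) != UIMAGE_MAGIC) return 0;
    h->magic = be32(buf);      h->hcrc = be32(buf + 4);  h->time = be32(buf + 8);
    h->size  = be32(buf + 12); h->load = be32(buf + 16); h->ep   = be32(buf + 20);
    h->dcrc  = be32(buf + 24);
    h->os = buf[28]; h->arch = buf[29]; h->type = buf[30]; h->comp = buf[31];
    memcpy(h->name, buf + 32, 32);
    memcpy(tmp, buf, UIMAGE_HDR_LEN);
    memset(tmp + 4, 0, 4);
    return crc32_buf(tmp, UIMAGE_HDR_LEN) == h->hcrc;
}

/* U-Boot ih_arch codes that matter when picking a QEMU binary */
const char *uimage_arch_name(uint8_t arch) {
    switch (arch) {
    case 2:  return "arm";
    case 5:  return "mips";
    case 22: return "arm64";
    default: return "other";
    }
}

/* A few of the signatures binwalk reports on router images */
struct sig { const char *name; const char *magic; size_t len; };
static const struct sig SIGS[] = {
    { "uImage",                   "\x27\x05\x19\x56", 4 },
    { "squashfs (little-endian)", "hsqs",             4 },
    { "squashfs (big-endian)",    "sqsh",             4 },
    { "cramfs (big-endian)",      "\x28\xcd\x3d\x45", 4 },
    { "cramfs (little-endian)",   "\x45\x3d\xcd\x28", 4 },
    { "gzip",                     "\x1f\x8b\x08",     3 },
};

struct hit { size_t off; const char *name; };

/* Linear scan for every signature at every byte offset, like binwalk's default scan */
size_t scan_signatures(const uint8_t *buf, size_t len, struct hit *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++)
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++)
            if (off + SIGS[s].len <= len && memcmp(buf + off, SIGS[s].magic, SIGS[s].len) == 0) {
                out[n].off = off; out[n].name = SIGS[s].name; n++;
                break;
            }
    return n;
}

/* Constructed sample image (not a real dump): erased NOR (0xff) with a MIPS
 * Linux uImage header at 0x100 and a little-endian squashfs magic at 0x800. */
void build_sample_blob(uint8_t *buf) {
    uint8_t *h = buf + 0x100;
    memset(buf, 0xff, SAMPLE_LEN);
    memset(h, 0, UIMAGE_HDR_LEN);
    put_be32(h, UIMAGE_MAGIC);
    put_be32(h + 12, 0x200);                       /* payload size (made up) */
    put_be32(h + 16, 0x80000000u);                 /* load address */
    put_be32(h + 20, 0x80000000u);                 /* entry point */
    h[28] = 5; h[29] = 5; h[30] = 2; h[31] = 3;    /* os=linux arch=mips type=kernel comp=lzma */
    memcpy(h + 32, "Linux Kernel Image", 18);
    put_be32(h + 4, crc32_buf(h, UIMAGE_HDR_LEN)); /* hcrc over the header with hcrc still 0 */
    memcpy(buf + 0x800, "hsqs", 4);
}

int main(void) {
    uint8_t blob[SAMPLE_LEN];
    struct hit hits[8];
    struct uimage_hdr h;
    build_sample_blob(blob);
    size_t n = scan_signatures(blob, SAMPLE_LEN, hits, 8);
    for (size_t i = 0; i < n; i++) printf("0x%zx  %s\n", hits[i].off, hits[i].name);
    if (parse_uimage(blob + 0x100, SAMPLE_LEN - 0x100, &h))
        printf("uImage '%.32s': arch=%s -> use qemu-%s / qemu-system-%s\n", h.name,
               uimage_arch_name(h.arch), uimage_arch_name(h.arch), uimage_arch_name(h.arch));
    return 0;
}
```

On a real dump you would read firmware.bin into the buffer instead of calling build_sample_blob; the CRC check is what tells a genuine header apart from a stray occurrence of the four magic bytes, and a header whose CRC fails is also a hint that the dump itself is corrupt.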
Identifying Vulnerabilities
Many IoT devices suffer from security flaws such as:
Buffer Overflows: Occur when user input is copied into a fixed-size buffer without a length check.
Command Injections: Allow execution of arbitrary system commands via web interfaces.
Path Traversal: Enables attackers to access restricted files through manipulated URLs.
Example of a path traversal vulnerability:
http://192.168.1.203/images/../devinfo.html
Here the ../ segment steps back out of the images/ directory and requests devinfo.html. If the server applies its access-control rules to the path as written (treating it as a request under images/) but resolves the ../ when it opens the file, the page is served without the check it would otherwise receive.
Analyzing the router's web server reveals multiple buffer overflows. A typical pattern is an input field whose value is copied with strcpy()
without any length check:
An attacker can exploit such a flaw by sending an oversized value that overwrites the saved return address and redirects execution, for example to code equivalent to:
system("/bin/sh");
How easy that is depends on the mitigations the firmware was built with (stack canaries, a non-executable stack, ASLR), which are frequently absent on older router firmware.
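To make the pattern concrete, the following is an added example written for this page, not code from the TP-Link firmware: a web-handler-style function that copies a form value into a fixed stack buffer with strcpy(), beside a hardened version that rejects over-long values and allow-lists the characters. The function names, the hostname parameter and the NAME_LEN buffer size are assumptions chosen for the illustration. The character check also covers the command-injection case from the list above, since a hostname that later reaches system() must not carry shell metacharacters.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32            /* size of the fixed buffer the handler uses (assumed) */

static char current_hostname[NAME_LEN];

/* Stand-in for whatever the firmware does with the value (writes it to its
 * config store and, in the worst case, hands it to system()). */
static int apply_hostname(const char *hostname) {
    memcpy(current_hostname, hostname, strlen(hostname) + 1);
    return 0;
}

/* VULNERABLE: the pattern the article describes. `value` comes straight from
 * an HTTP form field and is copied with strcpy() into a NAME_LEN-byte stack
 * buffer. A value of NAME_LEN or more bytes runs past the buffer and, on a
 * router built without stack protection, overwrites the saved return address,
 * which is how execution gets redirected to something like system("/bin/sh"). */
int set_hostname_vulnerable(const char *value) {
    char hostname[NAME_LEN];
    strcpy(hostname, value);           /* no length check at all */
    return apply_hostname(hostname);
}

/* HARDENED: bound the copy and allow-list the characters. The length check
 * rejects rather than truncates (silently truncating with strncpy can drop the
 * NUL terminator and hides the attack attempt from the logs), and the character
 * check stops ';', '|', '$(...)' and friends from reaching a later system() call. */
int set_hostname_safe(const char *value) {
    char hostname[NAME_LEN];
    size_t n = strlen(value);
    if (n == 0 || n >= NAME_LEN)
        return -1;                     /* empty, or too long for the buffer */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return -2;                 /* not a hostname character */
    }
    memcpy(hostname, value, n + 1);    /* n < NAME_LEN, so the value and its NUL fit */
    return apply_hostname(hostname);
}

const char *get_hostname(void) { return current_hostname; }

int main(void) {
    char oversized[256];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("safe(\"tplink-lab\")                -> %d\n", set_hostname_safe("tplink-lab"));
    printf("safe(255 x 'A')                   -> %d\n", set_hostname_safe(oversized));
    printf("safe(\"a;telnetd -l /bin/sh\")      -> %d\n", set_hostname_safe("a;telnetd -l /bin/sh"));
    /* set_hostname_vulnerable(oversized) is deliberately not called here: it
     * would smash this process's stack exactly as it would on the router. */
    return 0;
}
```

The fix is two checks, not a library swap: replacing strcpy with strncpy alone still lets an attacker control every byte of the buffer and can leave it unterminated, while rejecting anything that does not fit, and anything that is not a plausible hostname, removes both the overflow and the injection vector in one place.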
Conclusion
Extracting and analyzing firmware from IoT devices is a fundamental skill for cybersecurity researchers and ethical hackers. By using tools such as CH341A, flashrom, binwalk, and QEMU, we can gain insights into device internals, identify vulnerabilities, and develop mitigations.
This simple tutorial demonstrated the full process of firmware extraction, unpacking, emulation, and exploitation. While many IoT manufacturers have improved their security measures, there are still numerous vulnerable devices in use today. Understanding these weaknesses helps in securing IoT ecosystems and making informed decisions about device security.
A good way to address findings like these is a pentest. If you are a manufacturer and would like us to review your products, please see our IoT Pentest page, where you can find more information about how WebSec can help secure your IoT products.
References
TP-Link Wireless Routers
CH341A USB Programmer
Multimeter
Flashrom
binwalk
QEMU