Copyleft/guide
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rewrite firmware comparison section.

Browse source
This commit is contained in:
Bradley M. Kuhn 2014-11-07 09:56:54 -05:00
parent 0b9e6e7e28
commit 33b39cda78
1 changed files with 44 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

73
enforcement-case-studies.tex
View file

@ -642,44 +642,57 @@ compilation).
\section{Firmware Comparison} \section{Firmware Comparison}
To ensure that the CCS did indeed correspond to the firmware that was shipped on To ensure that CCS did corresponds properly to the firmware original
the router, we compared the firmware image that we built using the above steps installed on the TPE-NWIFIROUTER, the investigator compared the built
with the filesystem we found on the device itself. The comparison steps we used firmware image with the filesystem originally found on the device itself.
were: The comparison steps we as follows:
* Extract the filesystem from the image we built by running find-firmware.pl \begin{enumerate}
from https://gitorious.org/gpl-compliance-tools/gpl-compliance-scripts on
librecmc-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin from the bin/ar71xx \item Extract the filesystem from the image we built by running
directory mentioned above (we noticed that our router said "Ver:8.2" on the \href{https://gitorious.org/copyleft-org/gpl-compliance-scripts/source/master:find-firmware.pl}{find-firmware.pl}
bottom). Then run squashfs4.2/squashfs-tools/bat-unsquashfs42 from on ``bin/ar71xx/librecmc-ar71xx-generic-tl-wr841n-v8-squashfs-factory.bin''
bat-extratools (at http://www.binaryanalysis.org/en/content/show/download ) bottom), and running
on the resulting morx0.squash and use the filesystem in the new squashfs-root \href{http://www.binaryanalysis.org/en/content/show/download}{bat-extratools}'
directory for comparison. ``squashfs4.2/squashfs-tools/bat-unsquashfs42'' (at ) on the resulting
* Login to the web interface (at http://192.168.10.1/ ) from a computer that is morx0.squash and use the filesystem in the new squashfs-root directory for
comparison.
\item Login to the router's web interface (at \url{http://192.168.10.1/ }) from a computer that is
connected to the router. connected to the router.
* Set a password using the provided link at the top (the UI warns that no
password is set and asks the user to change it). \item Set a password using the provided link at the top (since the router's
* Login to the router via SSH, using the root user and the password we just set. UI warns that no password is set and asks the user to change it).
* Compare representative directory listings and binaries to ensure the set of
\item Login to the router via SSH, using the root user with the
aforementioned password.
\item Compare representative directory listings and binaries to ensure the set of
included files (on the router) is similar to those found in the firmware image included files (on the router) is similar to those found in the firmware image
we created (whose contents are now in the local squashfs-root directory). In we created (whose contents are now in the local squashfs-root directory). In
particular, we did the following comparisons: particular, we did the following comparisons:
** List the /bin folder ("ls -l /bin") and confirm the list of files is the same
\begin{enumerate}
\item List the /bin folder (``ls -l /bin'') and confirm the list of files is the same
and that the file sizes are similar. and that the file sizes are similar.
** Check the "strings" output of /bin/busybox to confirm it was similar in both
places (similar number of lines and content of lines). One cannot directly \item Check the ``strings'' output of ``/bin/busybox'' to confirm it was similar in both
places (similar number of lines and content of lines). (One cannot directly
compare the binaries because the slight compilation variations will cause compare the binaries because the slight compilation variations will cause
some bits to be different. some bits to be different.)
** Do the above two steps for /lib/modules, /usr/bin, and other directories with \item Do the above two steps for ``/lib/modules'', ``/usr/bin'', and other directories with
a significant number of binaries. a significant number of binaries.
** To check that the kernel is sufficiently similar, compare the "dmesg" output
both before and after flashing the new firmware. The kernel version string \item Check that the kernel is sufficiently similar. The investigator
should be similar, but should have a different build date and user@host compared the "dmesg" output both before and after flashing the new
indicator. The kernel binary itself is not easily accessible from an SSH firmware. As the investigator expected, the kernel version string was
login, but may be retrievable using the U-Boot console (the start address of similar, but had a different build date and user@host indicator. (The
the kernel in flash appears to be 0x9F000000, based on the u-boot\verb0_0reflash kernel binary itself is not easily accessible from an SSH login, but was
instructions). We were not able to verify this, due to the serial connection retrievable using the U-Boot console (the start address of the kernel in
issues (see above section on U-Boot installation). flash appears to be 0x9F000000, based on the ``u-boot\verb0_0reflash''
instructions).
\end{enumerate}
\end{enumerate}
\section{Minor Infractions} \section{Minor Infractions}