
Reversing LifeSize 220 HD Video Conferencing Appliance Firmware

I have recently taken an interest in finding vulnerabilities in embedded devices. Since it is expensive to purchase some of this equipment to perform testing, it might be more cost effective to reverse the firmware instead.
The product which I am reversing is the LifeSize Room 220. LifeSize Room 220 is an HD video conferencing solution.

It looks like a fairly interesting product to learn more about reversing firmware.

More information about the product can be found here: http://www.lifesize.com/Products/Video/LifeSize_Room_Series/Room_220.aspx

First, we will need to install all the prerequisites in Debian (pkg-config, glib and curl development headers), then build zlib from source.
$ apt-get install pkg-config libglib2.0-dev libcurl4-gnutls-dev
$ wget http://zlib.net/zlib-1.2.5.tar.gz
$ tar xvfz zlib-1.2.5.tar.gz
$ cd zlib-1.2.5
$ ./configure && make && make install

Next, we will download the LifeSize firmware from a 3rd party’s website.
$ wget http://videonations.net/upload/lifesize/LS_RM1_4.1.1_17.cmg

Next, we will download and compile binwalk, which identifies the signatures of compression formats and filesystems embedded in the firmware.
$ wget http://binwalk.googlecode.com/files/binwalk-0.4.1.tar.gz
$ tar xvfz binwalk-0.4.1.tar.gz
$ cd binwalk-0.4.1
$ ./configure
$ make && make install

$ binwalk LS_RM1_4.1.1_17.cmg

binwalk reports a cramfs filesystem inside the image. The .fs file below is that cramfs region carved out of the .cmg at the offset binwalk reported. Because the appliance is big-endian and our host is little-endian, we need cramfsswap to convert the cramfs filesystem from big endian to little endian before it can be unpacked.
$ apt-get install cramfsswap
$ cramfsswap LS_RM1_4.1.1_17.fs LS_RM1_4.1.1_17.cramfs
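To see what the carving and byte-order check above actually involve, here is an added Python example (not from the original post or from any LifeSize or binwalk code). It scans a blob for the cramfs superblock in either byte order, validates the fixed signature so a stray magic value is not mistaken for a filesystem, and carves the image out using the size field, bounded by the blob length. The sample blob is constructed in the script; the magic, signature and superblock layout come from the Linux cramfs header.

```python
import struct

# cramfs superblock constants (Linux include/uapi/linux/cramfs_fs.h)
CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"  # bytes 16..31 of the superblock
SUPERBLOCK_LEN = 76                      # magic through root inode

def find_cramfs(blob):
    """Locate cramfs superblocks in a blob, trying both byte orders. The
    magic alone gives false positives, so a hit also needs the signature.
    The recorded byte order says whether cramfsswap is needed first."""
    hits = []
    for fmt, order in ((">", "big"), ("<", "little")):
        magic = struct.pack(fmt + "I", CRAMFS_MAGIC)
        pos = blob.find(magic)
        while pos >= 0:
            hdr = blob[pos:pos + 32]
            if len(hdr) == 32 and hdr[16:32] == CRAMFS_SIGNATURE:
                _, size, flags, _ = struct.unpack(fmt + "4I", hdr[:16])
                hits.append({"offset": pos, "endian": order,
                             "size": size, "flags": flags})
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

def carve(blob, hit):
    """Cut the image out of the blob (what the .fs file contains). The size
    field is untrusted vendor data, so bound it by the blob before slicing."""
    start, size = hit["offset"], hit["size"]
    if size < SUPERBLOCK_LEN or start + size > len(blob):
        raise ValueError("implausible cramfs size %d at offset %d" % (size, start))
    return blob[start:start + size]

def build_sample(fmt=">"):
    """Constructed sample blob, not a real LifeSize image: a decoy magic with
    no signature, then a superblock padded to its declared size. The default
    ">" is big-endian, as a PowerPC device writes it."""
    size = 256
    sb = struct.pack(fmt + "4I", CRAMFS_MAGIC, size, 0, 0) + CRAMFS_SIGNATURE
    sb += struct.pack(fmt + "4I", 0, 0, 0, 0) + b"demo-rootfs".ljust(16, b"\0")
    decoy = struct.pack(fmt + "I", CRAMFS_MAGIC).ljust(63, b"\0")
    return decoy + sb.ljust(size, b"\0") + b"\xff" * 32

if __name__ == "__main__":
    blob = build_sample()
    for h in find_cramfs(blob):
        print("cramfs at 0x%x, %s-endian, %d bytes, carved %d bytes"
              % (h["offset"], h["endian"], h["size"], len(carve(blob, h))))
```

Pointing find_cramfs at the real .cmg would report the offset and byte order that the cramfsswap step relies on; a big-endian hit is the signal that the swap is required.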

Next, we will need to download the firmware mod kit, which contains uncramfs, a tool that extracts the cramfs filesystem. uncramfs takes the output directory first and the image second, and we extract into /tmp1/image because that is the directory we will chroot into later.
$ mkdir -p /tmp1/image

$ apt-get install subversion
$ svn checkout http://firmware-mod-kit.googlecode.com/svn/trunk/ firmware-mod-kit-read-only
$ cd firmware-mod-kit-read-only/src/uncramfs
$ make
$ ./uncramfs /tmp1/image /tmp1/LS_RM1_4.1.1_17.cramfs

In order to properly emulate the device, we need to identify the processor type. We can do that by running the file command against bin/busybox in the extracted image.
$ file /tmp1/image/bin/busybox

Having identified the processor type as PowerPC, we will then download and compile QEMU, which will be used for user-mode emulation. QEMU is built statically so that qemu-ppc can run inside the chroot, where the host's shared libraries are not available.
$ wget http://wiki.qemu.org/download/qemu-1.0.tar.gz
$ tar xvfz qemu-1.0.tar.gz
$ cd qemu-1.0
$ ./configure --static
$ make && make install

$ cp /tmp1/qemu-1.0/ppc-linux-user/qemu-ppc /tmp1/image
$ cd /tmp1/image
$ chroot . ./qemu-ppc ./bin/ls

We have successfully run the /bin/ls command from the firmware image under emulation.
