Reversing LifeSize 220 HD Video Conferencing Appliance Firmware
https://milo2012.wordpress.com/category/reversing-firmwares/
This blog post is from 2011, so I will go through it to learn about reversing firmware and document everything as it applies to 2018.
milo2012’s blog is still active at https://milo2012.wordpress.com. This particular article is from 2011, which is probably when I bookmarked it. The links to the information about the LifeSize device and firmware no longer work and cannot be found on archive.org. (Side note: you should check out http://www.lifesize.com/robots.txt.) To get a LifeSize firmware to test, you need to register an email at http://software.lifesize.com. After logging into the portal you can “Get Serial Number Information” for any serial number. Provide a serial number for a product you own. If you are looking to purchase a used product from sites such as www.ebay.com and they provide an image of the serial number, you can enter it to research the product being sold. You will want to know whether current support exists for a specific device you are looking to purchase. For example, the image below shows that support expired for this device and you are unable to obtain the current firmware without purchasing additional support.
For the purposes of revisiting milo2012’s blog post we can obtain version 5.0.7 (LS_RM1_5.0.7_2.cmg). For this tutorial we will download the Lifesize firmware from a 3rd party’s website (mine).
edge@ubuntu16:~$ mkdir Life
edge@ubuntu16:~$ cd Life
edge@ubuntu16:~/Life$ wget http://www.jedge.com/files/LS_RM1_5.0.7_2.cmg
edge@ubuntu16:~/Life$ file LS_RM1_5.0.7_2.cmg
LS_RM1_5.0.7_2.cmg: Linux Compressed ROM File System data, big endian size 166256640 version #2 sorted_dirs CRC 0x9ec52e4e, edition 1440465315, 76842 blocks, 7867 files
Everything tested is from a fully updated (6.28.2018) stock install of Ubuntu 16.04.4 LTS. Things have changed since the article from 2011. You can now install binwalk from the Ubuntu repository. This will require over 200 MB of prerequisites since this is a new install of Ubuntu.
edge@ubuntu16:~/Life$ sudo apt-get -y install binwalk
edge@ubuntu16:~/Life$ binwalk -e LS_RM1_5.0.7_2.cmg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 CramFS filesystem, big endian size 166256640 version 2 sorted_dirs CRC 0x9EC52E4E, edition 1440465315, 76842 blocks, 7867 files
When you try to list the contents of _LS_RM1_5.0.7_2.cmg.extracted/cramfs-root you will see nothing. Currently binwalk will not extract the contents of a cramfs filesystem. This was also the case in 2011, so we will continue to follow the steps provided by milo2012: install the firmware-mod-kit and compile uncramfs.
edge@ubuntu16:~$ sudo apt-get -y install git build-essential zlib1g-dev liblzma-dev python-magic
edge@ubuntu16:~$ mkdir source
edge@ubuntu16:~$ cd source
edge@ubuntu16:~/source$ git clone https://github.com/rampageX/firmware-mod-kit.git
Cloning into 'firmware-mod-kit'...
remote: Counting objects: 3375, done.
remote: Total 3375 (delta 0), reused 0 (delta 0), pack-reused 3375
Receiving objects: 100% (3375/3375), 10.15 MiB | 4.84 MiB/s, done.
Resolving deltas: 100% (1692/1692), done.
Checking connectivity... done.
edge@ubuntu16:~/source$ cd ~/source/firmware-mod-kit/src/uncramfs
edge@ubuntu16:~/source/firmware-mod-kit/src/uncramfs$ make
cc -g -O -g -O uncramfs.c -lz -o uncramfs
uncramfs.c: In function ‘usage’:
uncramfs.c:72:4: warning: implicit declaration of function ‘exit’ [-Wimplicit-function-declaration]
exit(1);
^
. . . SNIP . . .
uncramfs.c:720:7: note: include ‘<stdlib.h>’ or provide a declaration of ‘exit’
uncramfs.c:727:11: warning: format ‘%x’ expects argument of type ‘unsigned int’, but argument 2 has type ‘size_t {aka long unsigned int}’ [-Wformat=]
printf("[Volume size: 0x%x]\n", fslen_ub);
Ignore the “warning” messages. You have successfully compiled “uncramfs”. As pointed out in the blog article, you need to change the “endianness” of the file to allow Ubuntu to process it. If you do not, you will see the message “The image file doesn’t have cramfs signatures”. So we must convert it with the utility cramfsswap, which is already installed on the Ubuntu system as part of the binwalk install.
edge@ubuntu16:~/source/firmware-mod-kit/src/uncramfs$ cramfsswap ~/Life/_LS_RM1_5.0.7_2.cmg.extracted/0.cramfs ~/Life/_LS_RM1_5.0.7_2.cmg.extracted/1.cramfs
Filesystem is big endian, will be converted to little endian.
Filesystem contains 7866 files.
CRC: 0x07bec628
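To show what the byte-order conversion is about, here is an added example (not from the original post or from firmware-mod-kit) that decodes the cramfs superblock in either byte order and, going one step beyond the text, recomputes the image CRC. The field layout follows the Linux kernel's struct cramfs_super; the function names are hypothetical and the sample header is constructed from the values printed on this page.

```python
import struct
import zlib

CRAMFS_MAGIC = 0x28CD3D45
SIGNATURE = b"Compressed ROMFS"
FLAGS = {0x1: "fsid_version_2", 0x2: "sorted_dirs", 0x100: "holes",
         0x200: "wrong_signature", 0x400: "shifted_root_offset"}

def parse_superblock(image: bytes) -> dict:
    """Decode the 64-byte cramfs superblock header, detecting its byte order."""
    if len(image) < 64:
        raise ValueError("too short for a cramfs superblock")
    for order, label in ((">", "big"), ("<", "little")):
        magic, size, flags, _future = struct.unpack_from(order + "4I", image, 0)
        if magic == CRAMFS_MAGIC:
            break
    else:
        raise ValueError("no cramfs magic at offset 0 in either byte order")
    crc, edition, blocks, files = struct.unpack_from(order + "4I", image, 32)
    return {
        "endian": label, "size": size, "crc": crc, "edition": edition,
        "blocks": blocks, "files": files,
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "signature_ok": image[16:32] == SIGNATURE,
        "name": image[48:64].rstrip(b"\0").decode("ascii", "replace"),
    }

def crc_matches(image: bytes) -> bool:
    """CRC-32 over the first `size` bytes with the stored CRC field zeroed."""
    sb = parse_superblock(image)
    if sb["size"] > len(image):
        return False  # truncated image
    body = bytearray(image[:sb["size"]])
    body[32:36] = b"\0\0\0\0"
    return (zlib.crc32(bytes(body)) & 0xFFFFFFFF) == sb["crc"]

def build_header(order, size, flags, crc, edition, blocks, files, name):
    """Pack a superblock header in the given byte order (constructed input)."""
    return (struct.pack(order + "4I", CRAMFS_MAGIC, size, flags, 0) + SIGNATURE
            + struct.pack(order + "4I", crc, edition, blocks, files)
            + name.ljust(16, b"\0"))

# Constructed sample: header rebuilt from the values `file` and uncramfs
# print on this page (big endian, as shipped in the .cmg).
SAMPLE = build_header(">", 166256640, 0x3, 0x9EC52E4E, 1440465315,
                      76842, 7867, b"LS_150824_2015")

if __name__ == "__main__":
    info = parse_superblock(SAMPLE)
    print(info)
    # Assumes a little-endian (x86) analysis host, as in this walkthrough.
    print("run cramfsswap first" if info["endian"] == "big" else "ready for uncramfs")
```

To check a real image, pass the file's bytes to parse_superblock() and crc_matches(); bytes past the superblock's size field are ignored by the CRC check.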
Now that the file has been converted to little endian, we create a directory to hold the extracted file system and use uncramfs to extract the image into it.
edge@ubuntu16:~/source/firmware-mod-kit/src/uncramfs$ mkdir /tmp/life
edge@ubuntu16:~/source/firmware-mod-kit/src/uncramfs$ ./uncramfs /tmp/life ~/Life/_LS_RM1_5.0.7_2.cmg.extracted/1.cramfs
chmod: No such file or directory
chmod: No such file or directory
chmod: No such file or directory
chmod: No such file or directory
[Volume size: 0x9e8e02f]
[Volume serial: 28c6be07a3c1db552a2c0100bb1e0000]
[Volume name: LS_150824_2015]
drwxr-xr-x 0/0 284(284) /
/:
drwxr-xr-x 0/0 1132(1132) bin
drwxr-xr-x 0/0 1656(1656) boot
drwxr-xr-x 0/0 0(0) data
. . . SNIP . . .
/usr/share/terminfo/v:
-r-xr-xr-x 0/0 1147(564) vt100
/usr/share/terminfo/x:
-r-xr-xr-x 0/0 1367(619) xterm
-r-xr-xr-x 0/0 1569(647) xterm-color
/var:
[Summary:]
[Total uncompressed size: 315716482]
[Total compressed size: 177073344]
[Number of entries: 7867]
[Number of files compressed: 3812]
[Number of files expanded: 4055]
We can now search the file system for interesting files. We do not need to continue the tutorial and install QEMU to list or view the contents of the file system.
edge@ubuntu16:~/source/firmware-mod-kit/src/uncramfs$ cd /tmp/life
edge@ubuntu16:/tmp/life$ ls
bin boot data dev etc home initrd lib media mnt proc root sbin tftpboot tmp usr var
edge@ubuntu16:/tmp/life$ cd bin
edge@ubuntu16:/tmp/life/bin$ ls
arch bzless chmod dd domainname fgrep gzip less login mktemp netstat ps sed sync umount zcat
bash bzmore chown df echo fuser hostname lessecho ls more nisdomainname pwd sh tar uname
bashbug cat cp dmesg egrep grep kill lesskey mkdir mount pidof rm sleep touch vi
busybox chgrp date dnsdomainname false gunzip killall ln mknod mv ping rmdir su true ypdomainname
edge@ubuntu16:/tmp/life/bin$ file busybox
busybox: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked, interpreter /lib/ld.so.1, for GNU/Linux 2.4.3, stripped
After going through the steps outlined in the blog post I did some Googling and wanted to understand why binwalk will not automatically extract a cramfs file system. I found an “issue” submission where it was suggested you may be able to just extract the files without invoking binwalk. The following will pull out all the files found in the firmware.
edge@ubuntu16:~/Life$ 7z x LS_RM1_5.0.7_2.cmg
7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
Processing archive: LS_RM1_5.0.7_2.cmg
CRC error
Extracting bin
Extracting boot
Extracting data
Extracting dev
Extracting etc
Extracting home
Extracting initrd
Extracting lib
Extracting media
Extracting mnt
. . . SNIP . . .
Extracting usr/share/terminfo/v/vt100
Extracting usr/share/terminfo/x/xterm
Extracting usr/share/terminfo/x/xterm-color
Everything is Ok
Folders: 303
Files: 7563
Size: 315525194
Compressed: 166256687
There is no need to use any of the utilities detailed above, at least for this version of the firmware for this product.
Resources:
https://milo2012.wordpress.com/category/reversing-firmwares/
https://lfto.me/reverse-engineering-dvr-firmware/
https://github.com/ReFirmLabs/binwalk/issues/296
https://github.com/rampageX/firmware-mod-kit/wiki