Reversing Aruba Instant Firmware

Aruba produces two different software loads for its access point hardware: ArubaOS and Aruba Instant. With ArubaOS, the AP requires a Mobility Controller (hardware) installed in the network. With Aruba Instant, APs can run independently (standalone mode) or in a cluster, with no Mobility Controller in the network.

What follows is the full process of extracting every file from an Aruba Instant firmware image and recreating its root file system.

This article was authorized by Aruba Networks and is based on work done in the scope of Aruba’s Bugcrowd bug bounty. Once again, thanks to Aruba Networks for their open approach to security researchers’ work.

As usual, the initial step is to check what the firmware image contains; binwalk was used for that.

#!/bin/bash
binwalk image.bin
#
#DECIMAL       HEXADECIMAL     DESCRIPTION
#--------------------------------------------------------------------------------
#514           0x202           uImage header, header size: 64 bytes, header CRC: 0x26175460, created: Wed May 27 14:22:39 2015, image size: 10090700 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x63E746B1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-2.6.35"
#7706          0x1E1A          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: -1 bytes

This looks like a standard U-Boot legacy image (uImage), except that the 64-byte uImage header sits at offset 514 rather than at offset 0: the first 514 bytes are a vendor prefix that binwalk does not recognise. The next step is to strip that prefix, and then split the uImage itself into header and body.

#!/bin/bash
# Extract the 514-byte vendor prefix
dd if=image.bin bs=514 count=1 of=image.header
#1+0 records in
#1+0 records out
#514 bytes (514 B) copied, 0.000580873 s, 885 kB/s

# Extract the body (tail -c+N starts at byte N, counted from 1)
tail -c+515 < image.bin > image.uimage

Checking the extracted body reveals a matryoshka doll: the same uImage header again, now at offset 0, with the LZMA stream 514 bytes closer (7192 instead of 7706). The same process is followed as for the initial file: extract the 64-byte image header, and then the body.

#!/bin/bash
# Verify the extracted file contents
binwalk image.uimage
#DECIMAL       HEXADECIMAL     DESCRIPTION
#--------------------------------------------------------------------------------
#0             0x0             uImage header, header size: 64 bytes, header CRC: 0x26175460, created: Wed May 27 14:22:39 2015, image size: 10090700 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x63E746B1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-2.6.35"
#7192          0x1C18          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: -1 bytes

# Extract the 64-byte header of the U-Boot image
dd if=image.uimage bs=64 count=1 of=image.uimage.header
#1+0 records in
#1+0 records out
#64 bytes (64 B) copied, 0.00699276 s, 9.2 kB/s

# Extract the body of the U-Boot image
tail -c+65 < image.uimage > image.uimage.data

Checking the U-Boot image body with file and binwalk reveals that the extracted file is the bootable kernel: an ARM zImage, that is, a small self-contained decompressor stub followed by the compressed kernel. The LZMA stream binwalk reports at 0x1BD8 (7128, another 64 bytes closer) is that compressed kernel.

#!/bin/bash
file image.uimage.data
#image.uimage.data: Linux kernel ARM boot executable zImage (little-endian)

# Yet another compressed file is revealed
binwalk image.uimage.data
#
#DECIMAL       HEXADECIMAL     DESCRIPTION
#--------------------------------------------------------------------------------
#7128          0x1BD8          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: -1 bytes

Carving off the first 7128 bytes (the zImage’s own decompressor code, not a header in the uImage sense) and decompressing the rest yields the uncompressed kernel, and inside it sits the next doll, the one that contains the file system.

#!/bin/bash
# Carve off the zImage decompressor stub (everything before the LZMA stream at 7128)
dd if=image.uimage.data bs=1 count=7128 of=image.uimage.data.header

# Extract the compressed kernel (tail -c+N starts at byte N, counted from 1)
tail -c+7129 < image.uimage.data > image.uimage.data.compressed.lzma

# Decompress it; 7-Zip writes the output to the input name minus the .lzma suffix
7z x image.uimage.data.compressed.lzma
#
#7-Zip 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
#p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
#
#Processing archive: image.uimage.data.compressed.lzma
#
#Extracting  image.uimage.data.compressed
#
#Everything is Ok
#
#Size:       12220288
#Compressed: 10085616

The final matryoshka doll is an LZMA-compressed cpio archive: the initramfs that the kernel unpacks as its root file system at boot, starting at 0x17000 of the uncompressed kernel. binwalk also reports a cpio header at 0xAECD7C, but the garbage file name shows it is a false positive (the kernel’s initramfs loader carries the literal string 070701 and binwalk matched on that); the real archive is inside the LZMA stream. The copyright and build path strings confirm this is Aruba’s kernel, from build IAP4.1.1.7_50209.

#!/bin/bash
binwalk image.uimage.data.compressed
#
#DECIMAL       HEXADECIMAL     DESCRIPTION
#--------------------------------------------------------------------------------
#94208         0x17000         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 34330624 bytes
#11455148      0xAECAAC        Copyright string: " (c) 2002-2015, Aruba Networks, Inc. Inc."
#11455868      0xAECD7C        ASCII cpio archive (SVR4 with no CRC), file name: "cate dir_entry buffer", file name length: "0xR!!!", file size: "0x>Initram"
#11462204      0xAEE63C        Unix home path string: "/home/p4build/depot/margot/IAP4.1.1.7_50209/aos-cmn/platform/os"
#12206595      0xBA4203        LZMA compressed data, properties: 0xC0, dictionary size: 524288 bytes, uncompressed size: 720896 bytes

Carve the stream out from that offset (binwalk counts from 0 and tail -c+N from 1, so 0x17000 = 94208 becomes 94209) and decompress it with 7-Zip. The uncompressed size matches what binwalk announced (34330624 bytes); the Compressed figure is simply everything from the offset to the end of the file, 7-Zip stops at the end-of-stream marker, and the second LZMA hit at 0xBA4203 lies within that range and is not a separate payload.

#!/bin/bash
# Extract the file
tail -c+94209 < image.uimage.data.compressed > image.uimage.data.compressed.cpio.lzma

# Decompress it
7z x image.uimage.data.compressed.cpio.lzma
#
#7-Zip 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
#p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
#
#Processing archive: image.uimage.data.compressed.cpio.lzma
#
#Extracting  image.uimage.data.compressed.cpio
#
#Everything is Ok
#
#Size:       34330624
#Compressed: 12126080

The last step is to unpack the archive so that the result mimics the file system layout of the running appliance.

#!/bin/bash
# Create a new directory to hold the root file system
mkdir rootfs

# Extract the files; --no-absolute-filenames strips the leading / from member
# names so everything lands under rootfs/ instead of the host's root directory
cd rootfs/
cpio --quiet -i --make-directories --preserve-modification-time --no-absolute-filenames -F ../image.uimage.data.compressed.cpio
#cpio: Removing leading `/' from member names
#cpio: dev/console: Cannot mknod: Operation not permitted
#cpio: dev/mem: Cannot mknod: Operation not permitted
#cpio: dev/ptmx: Cannot mknod: Operation not permitted
#cpio: dev/null: Cannot mknod: Operation not permitted
# (...)

There will be some errors while recreating the /dev, /proc and /sys directories: the "Cannot mknod" messages come from cpio trying to recreate device nodes as an unprivileged user, and /proc and /sys are just empty mount points in the archive. These errors are harmless for static analysis and can be ignored; if the device nodes and original file ownership matter, run the same cpio command under fakeroot.
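The whole unwrap chain above, as one added example that is not part of the original article: a Python script that parses the U-Boot legacy header and recomputes both CRCs (binwalk prints the CRC fields but the dd/tail carving trusts the offsets blindly), then descends through the LZMA streams until it reaches a cpio newc archive it can actually walk, rejecting the kernel’s own 070701 string that binwalk flagged. It assumes this firmware’s LZMA header shape (properties byte 0x5D, dictionary a multiple of 64 KiB); build_sample_image() constructs a miniature image with the same nesting so the script runs offline, and that constructed data is not Aruba’s firmware.

```python
import lzma
import struct
import zlib
UIMAGE_MAGIC = 0x27051956
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")  # 64-byte U-Boot legacy header, big-endian
CPIO_MAGIC = b"070701"                          # SVR4 "newc" cpio, no CRC

def parse_uimage(buf, off):
    """Parse the uImage header at buf[off:], recomputing both CRCs instead of trusting them."""
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = UIMAGE_HDR.unpack_from(buf, off)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at 0x%x" % off)
    hdr = bytearray(buf[off:off + 64])
    hdr[4:8] = b"\0\0\0\0"                      # ih_hcrc is zeroed while the header CRC is computed
    if zlib.crc32(hdr) != hcrc:
        raise ValueError("uImage header CRC mismatch")
    data = buf[off + 64:off + 64 + size]
    if len(data) != size or zlib.crc32(data) != dcrc:
        raise ValueError("uImage payload truncated or data CRC mismatch")
    return {"name": name.rstrip(b"\0").decode(errors="replace"), "load": load, "entry": entry, "data": data}

def lzma_streams(buf):
    """Yield (offset, plaintext) per complete .lzma stream; assumes props 0x5D and a 64 KiB-multiple dict."""
    off = buf.find(b"\x5d\x00\x00")
    while off >= 0:
        dict_size = int.from_bytes(buf[off + 1:off + 5], "little")
        if 1 << 16 <= dict_size <= 1 << 28:     # implausible dictionary: not a stream header
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
            try:
                plain = dec.decompress(buf[off:])
                if dec.eof and plain:           # end-of-stream marker reached: a real stream
                    yield off, plain
            except lzma.LZMAError:
                pass                            # bytes that merely looked like a header
        off = buf.find(b"\x5d\x00\x00", off + 1)

def cpio_entries(archive):
    """Walk a newc archive from its first byte, yielding (name, mode, data) up to TRAILER!!!."""
    pos = 0
    while True:
        if archive[pos:pos + 6] != CPIO_MAGIC:
            raise ValueError("bad cpio header at 0x%x" % pos)
        f = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        data_off = (pos + 110 + namesize + 3) & ~3  # header plus name is padded to 4 bytes
        if name == "TRAILER!!!":
            return
        yield name, mode, archive[data_off:data_off + filesize]
        pos = (data_off + filesize + 3) & ~3         # and so is the file data

def find_cpio(buf):
    """Offset of a cpio archive that really parses, else -1 (the kernel's literal 070701 fails the hex checks)."""
    off = buf.find(CPIO_MAGIC)
    while off >= 0:
        try:
            next(cpio_entries(buf[off:]))
            return off
        except (ValueError, StopIteration, UnicodeDecodeError):
            off = buf.find(CPIO_MAGIC, off + 1)
    return -1

def unwrap(image, max_depth=4):
    """Follow the article's chain: vendor prefix, uImage, zImage, LZMA kernel, LZMA initramfs, cpio."""
    hdr_off = image.find(struct.pack(">I", UIMAGE_MAGIC))
    if hdr_off < 0:
        raise ValueError("no uImage header found")
    uimg = parse_uimage(image, hdr_off)
    layer, layers = uimg["data"], []
    for _ in range(max_depth):
        cpio_off = find_cpio(layer)
        if cpio_off >= 0:
            return {"uimage_offset": hdr_off, "kernel_name": uimg["name"], "lzma_layers": layers,
                    "cpio_offset": cpio_off, "files": list(cpio_entries(layer[cpio_off:]))}
        for off, plain in lzma_streams(layer):  # descend into the first stream that decodes
            layers.append((off, len(plain)))
            layer = plain
            break
        else:
            raise ValueError("no cpio archive and no further LZMA stream")
    raise ValueError("nesting deeper than %d levels" % max_depth)

def newc_entry(name, data, mode=0o100644):
    """One newc member; only used to build the constructed sample archive below."""
    nm = name.encode() + b"\0"
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
    hdr = CPIO_MAGIC + b"".join(b"%08x" % v for v in fields) + nm
    return hdr + b"\0" * (-len(hdr) % 4) + data + b"\0" * (-len(data) % 4)

def build_sample_image(files):
    """Constructed miniature image (not Aruba's firmware) with the same nesting as the article."""
    cpio = b"".join(newc_entry(n, d) for n, d in files.items()) + newc_entry("TRAILER!!!", b"")
    kernel = b"fake kernel text holding the loader's 070701 string" + b"\0" * 64
    kernel += lzma.compress(cpio, format=lzma.FORMAT_ALONE)        # the initramfs
    zimage = b"fake zImage stub" + b"\0" * 32 + lzma.compress(kernel, format=lzma.FORMAT_ALONE)
    hdr = bytearray(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(zimage), 0x80008000, 0x80008000,
                                    zlib.crc32(zimage), 5, 2, 2, 0, b"Linux-2.6.35"))
    hdr[4:8] = struct.pack(">I", zlib.crc32(hdr))                  # fill in the header CRC last
    return b"\xaa" * 514 + bytes(hdr) + zimage                     # 514-byte vendor prefix
```

Calling unwrap(open("image.bin", "rb").read()) on the real image should line up with the offsets binwalk reported above: uImage at 514, LZMA layers at 0x1BD8 of the zImage and 0x17000 of the kernel, and the cpio archive at offset 0 of the last layer; result["files"] then holds the root file system entries in memory, without cpio ever trying to mknod anything on the host. A flipped byte in the payload is caught by the data CRC check rather than silently carved along.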

And that’s it: the access point’s running file system is ready to go under the microscope :)