Reversing Aruba Instant Firmware

This article was authorized by Aruba Networks and is based on the work done in the scope of Aruba's Bugcrowd bug bounty. Once again, thanks to Aruba Networks for their open approach to security researchers' work.

Aruba produces two different software loads for their Access Point hardware. The first is called ArubaOS and the second is called Aruba Instant. With ArubaOS, the AP requires a Mobility Controller (hardware) to be installed in the network. With Aruba Instant it is possible to run APs independently (standalone mode) or in a cluster, with no Mobility Controller in the network.

What follows is the full process to extract all the files and recreate the Aruba Instant firmware file system.

As usual, the initial step is to check what the firmware image contains; binwalk was used for that.

This firmware image looks like a standard U-Boot image. The next step is to extract the header and then the body of the image.

Checking the previously extracted image body reveals a matryoshka doll. The same process is followed as for the initial image file: extract the image header and, afterwards, the body.

Checking the new U-Boot image body with file(1) and binwalk reveals that the extracted file is the bootable image. This image contains another interesting, compressed file.

When this file is extracted and decompressed, the final matryoshka doll is revealed (the one containing the file system).

The final matryoshka doll is a LZMA compressed cpio file.

Extract the file and decompress it with 7-Zip.

The last step is to assemble everything in order to mimic the file system layout of the running appliance.

There will be some errors reproducing the /dev, /proc and /sys directories but those can be ignored.
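The header/body splitting repeated above can be scripted instead of done by hand. The following is an added example, not code from the original article or from Aruba: it parses the legacy U-Boot image header (the 64-byte struct image_header from U-Boot's image.h), verifies the header and data CRCs, peels nested images until the magic disappears, and LZMA-decompresses the innermost body. The sample image is constructed inline and only stands in for a real firmware file.

```python
import lzma
import struct
import zlib

# Legacy U-Boot image header (struct image_header in U-Boot's image.h): seven big-endian
# uint32 fields, four uint8 fields and a 32-byte image name, 64 bytes in total.
UBOOT_MAGIC = 0x27051956
HEADER_FMT = ">IIIIIIIBBBB32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def build_uboot_image(payload: bytes, name: bytes, comp: int = 0) -> bytes:
    """Wrap payload in a legacy U-Boot header with valid CRCs (used to build the sample)."""
    fields = [UBOOT_MAGIC, 0, 0, len(payload), 0, 0, zlib.crc32(payload), 0, 0, 0, comp, name]
    fields[1] = zlib.crc32(struct.pack(HEADER_FMT, *fields))  # hcrc is taken with ih_hcrc = 0
    return struct.pack(HEADER_FMT, *fields) + payload


def peel_uboot(image: bytes) -> tuple[dict, bytes]:
    """Split one legacy U-Boot image into parsed header and body, checking both CRCs."""
    magic, hcrc, _, size, load, ep, dcrc, _, _, _, comp, name = struct.unpack(
        HEADER_FMT, image[:HEADER_LEN])
    if magic != UBOOT_MAGIC:
        raise ValueError(f"bad magic {magic:#x}")
    if zlib.crc32(image[:4] + b"\0" * 4 + image[8:HEADER_LEN]) != hcrc:
        raise ValueError("header CRC mismatch")
    body = image[HEADER_LEN:HEADER_LEN + size]
    if len(body) != size or zlib.crc32(body) != dcrc:
        raise ValueError("body truncated or data CRC mismatch")
    hdr = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "size": size,
           "load": load, "entry": ep, "compression": COMP_NAMES.get(comp, str(comp))}
    return hdr, body


def unwrap_all(image: bytes) -> tuple[list[dict], bytes]:
    """Peel nested U-Boot images until the magic is gone, then LZMA-decompress the last body."""
    layers = []
    while len(image) >= HEADER_LEN and image[:4] == struct.pack(">I", UBOOT_MAGIC):
        hdr, image = peel_uboot(image)
        layers.append(hdr)
    try:
        image = lzma.decompress(image, format=lzma.FORMAT_ALONE)  # .lzma stream = cpio archive
    except lzma.LZMAError:
        pass  # not an LZMA stream: hand the raw body back for a closer look with file/binwalk
    return layers, image


# Constructed sample, not a real Aruba image: an LZMA stream standing in for the cpio archive,
# wrapped in an "lzma"-tagged inner image, wrapped in turn in an outer image.
CPIO_STANDIN = b"070701" + b"\0" * 104  # newc cpio magic plus filler, just to be recognisable
INNER = build_uboot_image(lzma.compress(CPIO_STANDIN, format=lzma.FORMAT_ALONE), b"inner", 3)
OUTER = build_uboot_image(INNER, b"outer")
```

Calling unwrap_all on a real image file's bytes lists each peeled layer's name, size, load/entry addresses and compression type, and returns the decompressed cpio archive ready for extraction.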

And that’s it, the running access point file system is ready to go under the microscope :)