Reversing the TC7210 Embedded Linux Firmware


In this article I will explain how to reverse the firmware of the embedded Linux part of the Technicolor (TC) 7210 router by leveraging the usual tools of the trade.

In a previous article, I explained how to get root on the embedded Linux part of the TC7210 router by leveraging a remote code execution (RCE). With that level of access, I was able to image the various flash partitions of the router. The first thing I tried was to use binwalk to identify what files may be contained in the images.

The partitions mtd8.img and mtd10.img appear to contain a valid UBIFS file system. Using ubidump it is possible to extract that file system. First, we clone the tool's repository and then set up a Python virtual environment into which the tool's dependencies are installed.

The next step is to extract the file system of both images.

This creates two directories, rootfs and linuxapps. The first contains the root file system; the second contains ancillary applications and files. From this point onwards, it is possible to read configuration files, reverse engineer executables and libraries, etc.

After this, I wanted to see if I could run the executables under QEMU (similar to what I did when reversing ArubaOS). To do that, I needed to confirm the processor architecture of the executables, copy the matching statically linked QEMU user-mode executable into the rootfs directory and then use the chroot command.
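One way to do that architecture check programmatically, as an added example that is not from the original post: parse the ELF identification bytes of each extracted binary and map them to the qemu-user-static binary that can run it. The e_machine values are the ELF standard ones; the `qemu-<arch>-static` naming and the two sample headers are assumptions (constructed for the example), and the TC7210's actual architecture is not stated here.

```python
import struct
from collections import Counter
from pathlib import Path

# (e_machine, ELF class, byte order) -> qemu-user-static name; assumes Debian-style naming
QEMU_FOR_MACHINE = {
    (0x28, 32, "little"): "qemu-arm-static",
    (0x28, 32, "big"): "qemu-armeb-static",
    (0xB7, 64, "little"): "qemu-aarch64-static",
    (0x08, 32, "big"): "qemu-mips-static",
    (0x08, 32, "little"): "qemu-mipsel-static",
    (0x08, 64, "big"): "qemu-mips64-static",
    (0x08, 64, "little"): "qemu-mips64el-static",
}

def elf_info(data: bytes) -> dict:
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])              # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])   # EI_DATA
    if bits is None or endian is None:
        raise ValueError("unknown ELF class or data encoding")
    # e_type and e_machine are stored in the file's own byte order
    e_type, e_machine = struct.unpack_from("<HH" if endian == "little" else ">HH", data, 16)
    return {"bits": bits, "endian": endian, "e_type": e_type, "e_machine": e_machine}

def qemu_binary_for(data: bytes) -> str:
    """Name the qemu-user-static binary that can run this ELF under chroot."""
    i = elf_info(data)
    name = QEMU_FOR_MACHINE.get((i["e_machine"], i["bits"], i["endian"]))
    if name is None:
        raise ValueError("no qemu-user mapping for e_machine=0x%x" % i["e_machine"])
    return name

def scan_rootfs(root: str) -> Counter:
    counts = Counter()  # which QEMU target every ELF under an extracted rootfs needs
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(20)
        if head[:4] == b"\x7fELF":
            try:
                counts[qemu_binary_for(head)] += 1
            except ValueError:
                counts["unsupported"] += 1
    return counts

# Constructed sample headers (not real TC7210 binaries): MIPS32 big-endian, ARM little-endian
SAMPLE_MIPS_BE = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x02\x00\x08"
SAMPLE_ARM_LE = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x02\x00\x28\x00"
```

Running `scan_rootfs("rootfs")` on the extracted tree tells you which single qemu-*-static binary to copy in, and flags any binaries that would need a different target.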

Next, I tried to run smbapp (the executable previously identified as the one responsible for managing the NAS file-sharing functionality). After fixing some of the errors, I was successful there as well :D

Being able to run the executables makes the reverse engineering and vulnerability-finding process a lot easier. In upcoming posts, I will detail how I found and exploited some yet-to-be-released vulnerabilities. Cheers :)