Router Firmware Investigation

Unauthorized firmware modifications in routers are a primary vector for persistent network compromise. We perform deep binary analysis to detect backdoors, hidden services, and supply-chain implants.

💰 Price: from €3,500
📅 Typical engagement: 5–10 business days
🔒 Confidentiality: NDA available

🔍 Investigation Methodology

🔹 Flash memory extraction (JTAG / UART / chip-off)
🔹 Filesystem unpacking & integrity verification
🔹 Diff analysis vs. vendor original firmware
🔹 Detection of hardcoded credentials & hidden accounts
🔹 Backdoor / C2 beacon detection
🔹 Boot process & signature verification bypass check
🔹 Entropy analysis (packed/encrypted payloads)
📦 Accepted firmware formats: .bin / .img / .trx / .chk / .hex / raw flash dump (SPI/NAND)

🖧 Supported Platforms

Enterprise & Consumer

Cisco / Juniper / MikroTik / TP-Link / Asus / Netgear / Ubiquiti

Open Source & Industrial

OpenWRT / DD-WRT / Industrial SCADA routers (Moxa, Advantech)

📋 Example Investigation Scenario

MikroTik RB750Gr3 – Suspicious Outbound Proxy Traffic

🔧 1. Hardware Teardown & Flash Extraction

Photo: Router PCB – SPI flash W25Q128JV located near CPU

Photo: Chip-off process – hot air station @ 380°C, flash chip removed for direct reading

Photo: XGecu T56 universal programmer connected to the Winbond W25Q128JV flash chip

📝 Finding: Flash dump size: 16MB. MD5 hash verified against vendor checksum – mismatch detected.

📑 2. UART Console Access

U-Boot 2018.09 (Oct 15 2023 - 12:34:56)

CPU: MediaTek MT7621A (880 MHz)
DRAM: 512 MiB
SPI flash: 16 MiB (W25Q128JV)
PCIe: link up (x1)

Press any key to interrupt autoboot: 0
Booting from SPI flash...

## Loading kernel from 0x9f050000 ...
Image Name: MIPS RouterOS
Data Size: 2844672 Bytes

[ 0.000000] Linux version 4.14.98
[ 0.123456] mtk_soc_eth: MAC address: 64:D1:54:XX:XX:XX
[ 0.234567] spi-nor: detected w25q128 (16M)
[ 0.345678] squashfs: version 4.0
[ 1.234567] init: /etc/rc.d/S95netmon: starting
[ 1.345678] kernel: process 1423 (socks-proxy) listening on 0.0.0.0:31337
[ 1.456789] kernel: iptables: unknown table 'c2_rules' (ignored)

RouterOS login: _

📟 UART console output – suspicious process detected during boot

JTAG> halt
target halted in MIPS32 mode
JTAG> dump_image firmware_dump.bin 0x9f000000 0x1000000
dumped 16777216 bytes to file firmware_dump.bin

[Post-extraction analysis]
→ Expected vendor region: 0x9f000000 - 0x9f7fffff
⚠️ Unexpected code found at: 0x9f800000 - 0x9fffffff
→ Not present in original firmware - implant

🔌 JTAG flash extraction – extra code section outside vendor region

🔍 What this shows:
• Unauthorized process (PID 1423) acting as SOCKS5 proxy on port 31337
• Hidden C2 firewall table rejected by kernel (iptables error)
• Modified init script /etc/rc.d/S95netmon (not in original firmware)

🔬 3. Binary Diff Analysis (vs. Vendor Original)

Unexpected executable region detected at offset 0x001fee00

Vendor firmware (empty region):
001fee00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Suspect firmware:
001fee00: 3c 1c 80 00 27 9c 12 34 0c 04 56 78 00 00 00 00
001fee10: 8f 99 00 10 03 20 f8 09 6e 65 74 6d 6f 6e 00 00
001fee20: 73 79 6e 63 5f 73 65 72 76 69 63 65 00 00 00 00

Decoded MIPS instructions:
001fee00: 3c 1c 80 00     → lui $gp, 0x8000
001fee04: 27 9c 12 34     → addiu $gp, $gp, 0x1234
001fee08: 0c 04 56 78     → jal 0x1159e0
001fee0c: 00 00 00 00     → nop (delay slot)
001fee10: 8f 99 00 10     → lw $t9, 16($gp)
001fee14: 03 20 f8 09     → jalr $t9

📝 Findings:
• Non-vendor executable code identified in unused flash region
• Region originally contained only 0xFF (empty flash)
• Now contains MIPS instructions – unauthorized modification confirmed
• MIPS function prologue detected: lui, addiu, jal, jalr
• Embedded strings reference undocumented services: netmon, sync_service
• Region absent in original vendor firmware image
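As an added illustration (not code from the report), the following Python script performs the two checks described above: it diffs a suspect dump against the vendor image to find bytes written into regions the vendor left erased (0xFF), then decodes the leading words of such a region with a minimal big-endian MIPS32 decoder that covers only the opcodes in the quoted prologue. The 64-byte sample images are constructed from the bytes the page quotes, and the decoder is not a general disassembler.

```python
import itertools
import struct

# Constructed sample, not the report's dump: 64 bytes at file offset 0x001fee00.
# Vendor image = erased flash (0xFF); suspect image = the bytes the page quotes.
BASE = 0x001FEE00
VENDOR = b"\xff" * 64
SUSPECT = bytes.fromhex(
    "3c1c8000 279c1234 0c045678 00000000 8f990010 0320f809"
    "6e65746d 6f6e0000 73796e63 5f736572 76696365 00000000") + b"\xff" * 16
REG = {0: "$zero", 25: "$t9", 28: "$gp", 31: "$ra"}  # only the names the sample needs

def unexpected_regions(vendor, suspect, base=0):
    """(offset, length) spans where vendor flash is erased (0xFF) but suspect has data."""
    assert len(vendor) == len(suspect), "images must be the same size"
    spans, start = [], None
    for i, (v, s) in enumerate(zip(vendor, suspect)):
        if v == 0xFF and s != 0xFF:
            start = i if start is None else start
        elif start is not None:  # run of non-vendor bytes ended
            spans.append((base + start, i - start))
            start = None
    if start is not None:
        spans.append((base + start, len(vendor) - start))
    return spans

def decode_mips(word):
    """Decode the few big-endian MIPS32 encodings in the prologue; anything else -> None."""
    r = lambda n: REG.get(n, f"$r{n}")
    op, rs, rt, rd = word >> 26, (word >> 21) & 31, (word >> 16) & 31, (word >> 11) & 31
    imm = word & 0xFFFF
    if word == 0:
        return "nop"
    if op == 0 and word & 0x3F == 0x09:  # SPECIAL/jalr; rd=$ra is the short form
        return f"jalr {r(rs)}" if rd == 31 else f"jalr {r(rd)}, {r(rs)}"
    if op == 0x0F:
        return f"lui {r(rt)}, 0x{imm:x}"
    if op == 0x09:
        return f"addiu {r(rt)}, {r(rs)}, 0x{imm:x}"
    if op == 0x03:  # jal: 26-bit index << 2 gives the low 28 target bits
        return f"jal 0x{(word & 0x3FFFFFF) << 2:x}"
    if op == 0x23:  # lw with sign-extended displacement
        return f"lw {r(rt)}, {imm - 0x10000 if imm & 0x8000 else imm}({r(rs)})"
    return None

def disassemble(data, base):
    """Decode consecutive 4-byte words, stopping at the first non-instruction (string data)."""
    words = struct.unpack(f">{len(data) // 4}I", data[: len(data) // 4 * 4])
    texts = map(decode_mips, words)
    live = itertools.takewhile(lambda t: t[1] is not None, enumerate(texts))
    return [(base + 4 * i, text) for i, text in live]
```

On the sample, unexpected_regions reports one 48-byte span at 0x001fee00 and disassemble stops after the jalr, where the "netmon" string begins.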

💣 4. Exploit Analysis & CVE Mapping

During investigation, we identified evidence of exploitation using the following known vulnerabilities:

CVE-2024-54772 CVSS 5.4

Winbox User Enumeration

Discrepancy in response size between connection attempts with valid vs. invalid username allows account enumeration.

→ Used for initial reconnaissance (harvesting valid admin usernames)

CVE-2024-54952 CVSS 7.5 HIGH

SMB Service Memory Corruption

Remote, unauthenticated NULL pointer dereference via crafted SMB packets → denial of service.

→ Used to crash watchdog service and maintain persistence after reboot

🎯 Exploit Chain (reconstructed from artifacts):

1. CVE-2024-54772 → harvested valid admin usernames
2. Credential brute-force / default password → gained Winbox access
3. Uploaded custom firmware package via /system package update
4. CVE-2024-54952 → crashed watchdog during flash write to bypass rollback
5. Persistent backdoor active after reboot

πŸ” Detection indicators found in logs:

β€’ Failed SMB connections from 45.155.205.233 (CVE-2024-54952 scanning)
β€’ Winbox login attempts with usernames: admin, root, user, support
β€’ /etc/rc.d/S95netmon – not present in clean firmware (our diff)
β€’ Outbound connections to update.mikrotik-service[.]com (not official domain)

📀 5. Firmware Extraction & Analysis

🔬 binwalk -e firmware.bin – Filesystem extraction
🛠️ IDA Pro / Ghidra – Reverse engineering
📊 entropy --binary – Entropy analysis
📝 strings -n 8 – Embedded strings extraction

$ binwalk firmware_dump.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             U-Boot image (32-bit MIPS)
262144        0x40000         Squashfs filesystem (version 4.0, compression: lzma)
15728640      0xF00000        RAW data (high entropy)

$ entropy --binary firmware_dump.bin

0.0 - 0.5     : 15.2 MB (normal firmware code)
0.5 - 0.7     : 0.8 MB (compressed)
0.7 - 1.0     : 128 KB (HIGH ENTROPY → suspicious, warrants further analysis)

$ strings -n 8 suspicious_region.bin | head -20

netmon_init
sync_worker
/etc/rc.d/S95netmon
update.mikrotik-service.com
AES_CTX_init
-----BEGIN RSA PRIVATE KEY-----

📊 Extraction findings:
• Squashfs filesystem extracted successfully (347 files, 12 directories)
• High-entropy region (128 KB) detected at offset 0xF00000 – not present in vendor firmware
• Region requires further analysis (entropy suggests packing or encryption)
• Embedded strings reveal: netmon_init, sync_worker, suspicious domain
• AES_CTX_init detected – suggests cryptographic operations
• RSA private key embedded in suspicious region
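The entropy banding shown above can be reproduced with this added Python example (it is not the report's tooling): it computes normalised Shannon entropy per 4 KB window, totals bytes per band using the same 0.5 and 0.7 cut-offs, and merges consecutive high-entropy windows into offset/length spans, which is how a finding like the 128 KB region at 0xF00000 is located. The 28 KB sample image is constructed inline.

```python
import hashlib
import math
from collections import Counter

# Band edges and labels follow the report's `entropy --binary` output.
BANDS = ((0.0, 0.5, "normal firmware code"), (0.5, 0.7, "compressed"),
         (0.7, 1.01, "high entropy (packed/encrypted)"))

def shannon_entropy(block):
    """Shannon entropy of a byte block, normalised so 1.0 = all 256 values equally likely."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) / 8.0

def band_summary(image, window=4096):
    """Bytes per entropy band, computed over fixed-size windows of the image."""
    totals = {label: 0 for _, _, label in BANDS}
    for off in range(0, len(image), window):
        h = shannon_entropy(image[off:off + window])
        label = next(lbl for lo, hi, lbl in BANDS if lo <= h < hi)
        totals[label] += len(image[off:off + window])
    return totals

def high_entropy_regions(image, window=4096, threshold=0.7):
    """Merge consecutive windows at or above threshold into (offset, length) spans."""
    spans, start = [], None
    for off in range(0, len(image), window):
        if shannon_entropy(image[off:off + window]) >= threshold:
            start = off if start is None else start
        elif start is not None:
            spans.append((start, off - start))
            start = None
    if start is not None:
        spans.append((start, len(image) - start))
    return spans

# Constructed 28 KB image (not a real dump): four windows of sparse code-like bytes,
# one window drawn from 32 symbols (compressed-like), two windows of hash-chained
# pseudo-random bytes standing in for an encrypted payload.
def _pseudo_random(n, seed=b"example"):
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

SAMPLE = (bytes([0x00, 0x00, 0x3C, 0x27]) * 4096   # 0x0000-0x3FFF, entropy ~0.19
          + bytes(range(32)) * 128                   # 0x4000-0x4FFF, entropy 0.625
          + _pseudo_random(8192))                    # 0x5000-0x6FFF, entropy ~0.99
```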

⚠️ Indicators of Compromise (IOC) extracted:

Domains: update.mikrotik-service[.]com, sync.router-check[.]net
IPs: 45.155.205.233, 185.130.5.253
File hashes (SHA256):
  firmware: 3e8c12a4f6b9d71e2c5a8b3f9e6d1c7a2b4f8e3d6c9a1b5e7f2d4c8a6b3e1f9d
  suspicious_region: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c

📄 Deliverables

📑 Full firmware diff report
🗺️ CVE mapping (2 CVEs identified)
⚠️ IOC list (domains, IPs, hashes)
🛠️ Remediation roadmap
📸 All extraction photos
🔬 Binary analysis artifacts

⚠️ Not Included

❌ Source code review (unless provided by client)
❌ Physical device modification or re-flashing (unless separately ordered)

Ready to investigate your router firmware?

Submit a request or ask for a confidential quote. Starting from €3,500

📩 Request Investigation 💰 Get Quote

🔐 All communication encrypted • PGP key available on contact page