Ikea TRADFRI Gateway - extraction and analysis | konstantinos xynos

This blog entry is about the Ikea TRADFRI Gateway.

Device Details:
Device Name: Ikea TRADFRI Gateway
Type : E1526
Purchased: 03/2019

I was able to hardware extract (using the Hardsploit) the firmware without any issues. It has a simple flash SPI chip (IS25CQ032) set at 4MB (4194304 bytes).

So I ran the firmware through binwalk to see what could be found and extracted by it.

The following is a short version of what binwalk provided:

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 TRX firmware header, little endian, image size: 45716 bytes, CRC32: 0x0, flags: 0x60, version: 2, header size: 32 bytes, loader offset: 0xB270, linux kernel offset: 0x67E000, rootfs offset: 0x0, bin-header offset: 0x0
39888 0x9BD0 PEM certificate
40029 0x9C5D PEM RSA private key
40091 0x9C9B PEM EC private key
40163 0x9CE3 LZMA compressed data, properties: 0x6D, dictionary size: 0 bytes, uncompressed size: 16843776 bytes
73808 0x12050 LZMA compressed data, properties: 0xB8, dictionary size: 0 bytes, uncompressed size: 3175412143 bytes
...
573550 0x8C06E LZMA compressed data, properties: 0xC8, dictionary size: 0 bytes, uncompressed size: 75072 bytes
573652 0x8C0D4 LZMA compressed data, properties: 0x88, dictionary size: 0 bytes, uncompressed size: 20971520 bytes
614400 0x96000 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
1141748 0x116BF4 PEM certificate
1144159 0x11755F LZMA compressed data, properties: 0x64, dictionary size: 65536 bytes, uncompressed size: 65537 bytes
1161175 0x11B7D7 LZMA compressed data, properties: 0x63, dictionary size: 0 bytes, uncompressed size: 32657408 bytes
1166236 0x11CB9C PEM certificate
1166402 0x11CC42 PEM RSA private key
1166464 0x11CC80 PEM EC private key
1173297 0x11E731 LZMA compressed data, properties: 0x6C, dictionary size: 0 bytes, uncompressed size: 1220542464 bytes
1173353 0x11E769 LZMA compressed data, properties: 0x91, dictionary size: 0 bytes, uncompressed size: 2376073216 bytes
1173760 0x11E900 LZMA compressed data, properties: 0xC0, dictionary size: -805306368 bytes, uncompressed size: 268456583 bytes
1173921 0x11E9A1 Copyright string: "Copyright (c) 1996-2013 Express Logic Inc. * NetX Duo Cortex-M3/GNU Version G5.7.5.2 SN: 23451-108-0515 *"
1212607 0x1280BF LZMA compressed data, properties: 0x64, dictionary size: 0 bytes, uncompressed size: 7827312 bytes
1213731 0x128523 LZMA compressed data, properties: 0x65, dictionary size: 0 bytes, uncompressed size: 2037151050 bytes
1662976 0x196000 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
1849675 0x1C394B Copyright string: "Copyright (c) 1996-2013 Express Logic Inc. * NetX Duo Cortex-M3/GNU Version G5.7.5.2 SN: 23451-108-0515 *"

Items of interest are :

Private Certificates
TRX firmware header at the start
Lots of LZMA compressed sections
Lots of interesting strings found as well. (strings ikea-dump.bin > ikea-dump.txt)

TRX
The firmware is compacted within a format known as TRX. TRX has the following identifier (HDR0). The firmware modification kit has code to attempt to extract the firmware.

Create a folder to save the extracted elements (e.g., ikea-seg)

Run the following command:

./firmware-mod-kit/src/untrx ikea-dump.bin ikea-seg

That should then produce one or more files. I think the code needs to be altered to work correctly.

I had one segment extracted successfully. I tried looking for some strings in the original file and they where not there. Therefore an extraction sort of worked.

I ran strings against the segment and found lots of interesting strings.

strings segment1 > segment1.txt

Sites of interest :

http://fw.test.ota.homesmart.ikea.net/feed/version_info.json
http://fw.ota.homesmart.ikea.net/feed/version_info.json

konstantinos xynos - security & insecurity

Ikea TRADFRI Gateway - extraction and analysis

Konstantinos Xynos

Friday, March 27, 2020

Post a Comment