{"id":1122,"date":"2018-06-28T22:20:55","date_gmt":"2018-06-29T04:20:55","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=1122"},"modified":"2018-06-28T22:27:20","modified_gmt":"2018-06-29T04:27:20","slug":"milo2012-reversing-lifesize-220-hd-video-conferencing-appliance-firmware","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2018\/06\/milo2012-reversing-lifesize-220-hd-video-conferencing-appliance-firmware\/","title":{"rendered":"milo2012 – Reversing LifeSize 220 HD Video Conferencing Appliance Firmware"},"content":{"rendered":"

Reversing LifeSize 220 HD Video Conferencing Appliance Firmware
\nhttps:\/\/milo2012.wordpress.com\/category\/reversing-firmwares\/<\/a>
\nThis blog post is from 2011 so I will going through the post to learn about reversing firmware and document everything as it applies to 2018.
\n
\nmilo2012\u2019s blog is still active at https:\/\/milo2012.wordpress.com<\/a>. This particular article is from 2011 which is probably when I bookmarked it. The links to the information about the LifeSize device and firmware no longer work and cannot be found on archive.org. (side note: you should checkout http:\/\/www.lifesize.com\/robots.txt) In order to get a LifeSize firmware to test you need to register an email at http:\/\/software.lifesize.com<\/a>. After logging into the portal you can \u201cGet Serial Number Information\u201d for any serial number. Provide a serial number for a product you own. If you are looking to purchase a used product from sites such as www.ebay.com and they provide an image of the serial number you can enter it to research the product being sold. You will want to know whether current support exists for a specific device you are looking to purchase. For example, the image below shows that support expired for this device and you are unable to obtain the current firmware without purchasing additional support.
\n<\/p>\n

For the purposes of revisiting milo2012\u2019s blog post we can obtain version 5.0.7 (LS_RM1_5.0.7_2.cmg). For this tutorial we will download the Lifesize firmware from a 3rd party\u2019s website (mine).<\/p>\n

edge@ubuntu16:~$ mkdir Life\nedge@ubuntu16:~$ cd Life\nedge@ubuntu16:~\/Life$ wget http:\/\/www.jedge.com\/files\/LS_RM1_5.0.7_2.cmg\nedge@ubuntu16:~\/Life$ file LS_RM1_5.0.7_2.cmg\nLS_RM1_5.0.7_2.cmg: Linux Compressed ROM File System data, big endian size 166256640 version #2 sorted_dirs CRC 0x9ec52e4e, edition 1440465315, 76842 blocks, 7867 files<\/code><\/pre><\/p>\n
Everything tested is from a fully updated (6.28.2018) stock install of Ubuntu 16.04.4 LTS. Things have changed since the article from 2011. You can now install binwalk from the Ubuntu repository. This will require over 200mb of prerequisites since this is a new install of Ubuntu.<\/p>\n
edge@ubuntu16:~\/Life$ sudo apt-get \u2013y install binwalk\nedge@ubuntu16:~\/Life$ binwalk -e LS_RM1_5.0.7_2.cmg\n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n0             0x0             CramFS filesystem, big endian size 166256640 version 2 sorted_dirs CRC 0x9EC52E4E, edition 1440465315, 76842 blocks, 7867 files<\/code><\/pre><\/p>\n
When you try and list the contents of _LS_RM1_5.0.7_2.cmg.extracted\/cramfs-root<\/strong> you will see nothing.  Currently binwalk will not extract the contents of a cramfs filesystem. This was the case in 2011 so we will continue to follow the steps provided by milo2012 and install the firmware-mod-kit and compile uncramfs.
\n
edge@ubuntu16:~$ sudo apt-get \u2013y install git build-essential zlib1g-dev liblzma-dev python-magic\nedge@ubuntu16:~$ mkdir source\nedge@ubuntu16:~$ cd source\nedge@ubuntu16:~\/source$ git clone https:\/\/github.com\/rampageX\/firmware-mod-kit.git\nCloning into 'firmware-mod-kit'...\nremote: Counting objects: 3375, done.\nremote: Total 3375 (delta 0), reused 0 (delta 0), pack-reused 3375\nReceiving objects: 100% (3375\/3375), 10.15 MiB | 4.84 MiB\/s, done.\nResolving deltas: 100% (1692\/1692), done.\nChecking connectivity... done.\nedge@ubuntu16:~\/source$ cd ~\/source\/firmware-mod-kit\/src\/uncramfs\nedge@ubuntu16:~\/source\/firmware-mod-kit\/src\/uncramfs$ make\ncc -g -O -g -O   uncramfs.c  -lz -o uncramfs\nuncramfs.c: In function \u2018usage\u2019:\nuncramfs.c:72:4: warning: implicit declaration of function \u2018exit\u2019 [-Wimplicit-function-declaration]\n    exit(1);\n    ^\n. . . SNIP . . .\n\nuncramfs.c:720:7: note: include \u2018<stdlib.h>\u2019 or provide a declaration of \u2018exit\u2019\nuncramfs.c:727:11: warning: format \u2018%x\u2019 expects argument of type \u2018unsigned int\u2019, but argument 2 has type \u2018size_t {aka long unsigned int}\u2019 [-Wformat=]\n    printf("[Volume size: 0x%x]\\n", fslen_ub);<\/code><\/pre>
\nIgnore the \u201cwarning\u201d messages.  You have successfully compiled “uncramfs”. Like it is pointed out in the blog article you need to change the “endianness” of the file to allow Ubuntu to process it.  If not you will see the message “The image file doesn’t have cramfs signatures”. So we must convert it with the utility cramfsswap <\/strong>which is already installed on the Ubuntu system as part of the binwalk <\/strong>install.
\n
edge@ubuntu16:~\/source\/firmware-mod-kit\/src\/uncramfs$ cramfsswap ~\/Life\/_LS_RM1_5.0.7_2.cmg.extracted\/0.cramfs ~\/Life\/_LS_RM1_5.0.7_2.cmg.extracted\/1.cramfs\nFilesystem is big endian, will be converted to little endian.\nFilesystem contains 7866 files.\nCRC: 0x07bec628<\/code><\/pre>
\nNow that the file is changed to little endian we create a directory to mount the file system to and use uncramfs <\/strong>to mount it.
\n
edge@ubuntu16:~\/source\/firmware-mod-kit\/src\/uncramfs$ mkdir \/tmp\/life\nedge@ubuntu16:~\/source\/firmware-mod-kit\/src\/uncramfs$ .\/uncramfs \/tmp\/life ~\/Life\/_LS_RM1_5.0.7_2.cmg.extracted\/1.cramfs\nchmod: No such file or directory\nchmod: No such file or directory\nchmod: No such file or directory\nchmod: No such file or directory\n[Volume size: 0x9e8e02f]\n[Volume serial: 28c6be07a3c1db552a2c0100bb1e0000]\n[Volume name: LS_150824_2015]\n\ndrwxr-xr-x 0\/0               284(284)     \/\n\n\/:\ndrwxr-xr-x 0\/0              1132(1132)    bin\ndrwxr-xr-x 0\/0              1656(1656)    boot\ndrwxr-xr-x 0\/0                 0(0)       data\n\n. . . SNIP . . .\n\n\/usr\/share\/terminfo\/v:\n-r-xr-xr-x 0\/0              1147(564)     vt100\n\n\/usr\/share\/terminfo\/x:\n-r-xr-xr-x 0\/0              1367(619)     xterm\n-r-xr-xr-x 0\/0              1569(647)     xterm-color\n\n\/var:\n\n[Summary:]\n[Total uncompressed size:    315716482]\n[Total compressed size:      177073344]\n[Number of entries:               7867]\n[Number of files compressed:      3812]\n[Number of files expanded:        4055]<\/code><\/pre>
\nWe can now search the file system for interesting files. We do not need to continue the tutorial and install QEMU to list or view the contents of the file system.
\n
edge@ubuntu16:~\/source\/firmware-mod-kit\/src\/uncramfs$ cd \/tmp\/life\nedge@ubuntu16:\/tmp\/life$ ls\nbin  boot  data  dev  etc  home  initrd  lib  media  mnt  proc  root  sbin  tftpboot  tmp  usr  var\nedge@ubuntu16:\/tmp\/life$ cd bin\nedge@ubuntu16:\/tmp\/life\/bin$ ls\narch     bzless  chmod  dd             domainname  fgrep   gzip      less      login  mktemp  netstat        ps     sed    sync   umount        zcat\nbash     bzmore  chown  df             echo        fuser   hostname  lessecho  ls     more    nisdomainname  pwd    sh     tar    uname\nbashbug  cat     cp     dmesg          egrep       grep    kill      lesskey   mkdir  mount   pidof          rm     sleep  touch  vi\nbusybox  chgrp   date   dnsdomainname  false       gunzip  killall   ln        mknod  mv      ping           rmdir  su     true   ypdomainname\nedge@ubuntu16:\/tmp\/life\/bin$ file busybox\nbusybox: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked, interpreter \/lib\/ld.so.1, for GNU\/Linux 2.4.3, stripped<\/code><\/pre>
\nAfter going through the steps outlined in the blog post I did some Googling and wanted to understand why binwalk<\/strong> will not automatically extract a cramfs file system. I found an “issue” submission where it was suggested you may be able to just extract the files without invoking binwalk.  The following will pull out all the files found in the firmware.
\n
edge@ubuntu16:~\/Life$ 7z x LS_RM1_5.0.7_2.cmg\n\n7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18\np7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)\n\nProcessing archive: LS_RM1_5.0.7_2.cmg\n\nCRC error\nExtracting  bin\nExtracting  boot\nExtracting  data\nExtracting  dev\nExtracting  etc\nExtracting  home\nExtracting  initrd\nExtracting  lib\nExtracting  media\nExtracting  mnt\n\n. . . SNIP . . .\n\nExtracting  usr\/share\/terminfo\/v\/vt100\nExtracting  usr\/share\/terminfo\/x\/xterm\nExtracting  usr\/share\/terminfo\/x\/xterm-color\n\nEverything is Ok\n\nFolders: 303\nFiles: 7563\nSize:       315525194\nCompressed: 166256687<\/code><\/pre>
\nNo need to use any of the utilities detailed above.  At least for this version of the firmware for this product.
\nResources:<\/strong>
\nhttps:\/\/milo2012.wordpress.com\/category\/reversing-firmwares\/<\/a>
\nhttps:\/\/lfto.me\/reverse-engineering-dvr-firmware\/<\/a>
\nhttps:\/\/github.com\/ReFirmLabs\/binwalk\/issues\/296<\/a>
\nhttps:\/\/github.com\/rampageX\/firmware-mod-kit\/wiki<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Reversing LifeSize 220 HD Video Conferencing Appliance Firmware https:\/\/milo2012.wordpress.com\/category\/reversing-firmwares\/ This blog post is from 2011 so I will going through the post to learn about reversing firmware and document everything as it applies to 2018.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[167,113,3,163,114,5],"tags":[168,169],"class_list":["post-1122","post","type-post","status-publish","format-standard","hentry","category-bookmarks","category-compiling","category-configuration","category-hacking","category-hardware-hacking","category-installing-using-tools","tag-binwalk","tag-firmware"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=1122"}],"version-history":[{"count":7,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1122\/revisions"}],"predecessor-version":[{"id":1132,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/1122\/revisions\/1132"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=1122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=1122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=1122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}