How to unpack Cisco firewall OS

Everything in this article was done with standard FreeBSD commands.
All byte sequences searched for are the headers of the ZIP (.zip) and GNU zip (.gz) file formats.
Nothing was reversed or decompiled.
I think that Cisco did not break the GPL when it made asa8xx.bin; they just run proprietary applications (lina, lina_monitor) in a Linux environment.

PIX & ASA7 and earlier

# md5 asa722-k8.bin
MD5 (asa722-k8.bin) = d2641f1441347b0204449da1d4a06758
# hexdump -C asa722-k8.bin > asa722-k8.hd
# grep "50 4b 03 04 14" asa722-k8.hd
00017000 50 4b 03 04 14 00 00 00 08 00 21 73 76 35 49 9b
# ls -la asa722-k8.bin
-rw-r--r-- 1 ftp wheel 8312832 Aug 9 09:24 asa722-k8.bin
# perl -e '$x=8312832-0x17000;print "$x\n"'
8218624
# tail -c 8218624 asa722-k8.bin > asa722.bin.zip
# unzip asa722.bin.zip
Archive: asa722.bin.zip
warning: skipped "../" path component(s) in ../target/f1/pix
inflating: target/f1/pix
# mv target/f1/pix asa722.bin.main
# file asa722.bin.main
asa722.bin.main: unknown machine executable not stripped

ASA8

# md5 asa802-k8.bin
MD5 (asa802-k8.bin) = a94c3eff8c6d12d6ae6d1be9ba2ea529
# hexdump -C asa802-k8.bin > asa802-k8.hd
# grep "1f 8b 08 00 1d" asa802-k8.hd
001228b0 1f 8b 08 00 1d 3d 73 46 00 03 ec 3a 6d 54 14 57
# ls -la asa802-k8.bin
-rw-r--r-- 1 ftp wheel 14524416 9 Aug 09:25 asa802-k8.bin
# perl -e '$x=14524416-0x1228b0;print "$x\n"'
13334352
# tail -c 13334352 asa802-k8.bin > asa802-k8.gz
# gzip -d asa802-k8.gz
# cpio -i --make-directories < asa802-k8
cpio: Removing leading `/' from member names
...
cpio: Removing leading `/' from member names
61039 blocks
# rm asa802-k8
# file asa/bin/lina
asa/bin/lina: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.3, dynamically linked (uses shared libs), stripped
# ls -la
total 1688
drwxr-xr-x 12 root wheel 512 Aug 9 10:37 .
drwxr-xr-x 4 root wheel 512 Aug 9 10:34 ..
-rw-r--r-- 1 root wheel 563896 Aug 9 10:36 System.map
drwxr-xr-x 4 root wheel 512 Aug 9 10:36 asa
drwxr-xr-x 2 root wheel 512 Aug 9 10:36 bin
drwxr-xr-x 3 root wheel 512 Aug 9 10:36 dev
drwxr-xr-x 3 root wheel 512 Aug 9 10:36 etc
lrwxrwxrwx 1 root wheel 7 Aug 9 10:36 init -> linuxrc
drwxr-xr-x 3 root wheel 512 Aug 9 10:36 lib
lrwxrwxrwx 1 root wheel 11 Aug 9 10:36 linuxrc -> bin/busybox
drwxr-xr-x 4 root wheel 512 Aug 9 10:36 mnt
drwxr-xr-x 2 root wheel 512 Aug 9 10:36 proc
drwxr-xr-x 2 root wheel 512 Aug 9 10:36 sbin
drwxr-xr-x 2 root wheel 512 Aug 9 10:36 sys
drwxr-xr-x 3 root wheel 512 Aug 9 10:36 usr
-rw-r--r-- 1 root wheel 1095856 Aug 9 10:36 vmlinuz

Stage2

# mv etc/init.d/rcS etc/init.d/rcS.bak
# sed -e 's/# l/\/bin\/sh # l/' etc/init.d/rcS.bak > etc/init.d/rcS
# chmod 755 etc/init.d/rcS
# find . | cpio -o -H newc | gzip -9 > asa802.gz
61040 blocks
# qemu -kernel vmlinuz -initrd asa802.gz -append "root=/dev/ram console=ttyS0" -nographic -hda /dev/null
(qemu) Linux version 2.6.17.8 (kevfox@kevfox-lnx) (gcc version 4.0.2) #5 PREEMPT Mon May 7 18:35:37 EDT 2007
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000e8000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 0000000007ff0000 (usable)
BIOS-e820: 0000000007ff0000 - 0000000008000000 (ACPI data)
BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
0MB HIGHMEM available.
127MB LOWMEM available.
DMI not present or invalid.
Allocating PCI resources starting at 10000000 (gap: 08000000:f7fc0000)
Built 1 zonelists
Kernel command line: root=/dev/ram console=ttyS0
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
PID hash table entries: 512 (order: 9, 2048 bytes)
Detected 1795.291 MHz processor.
Using tsc for high-res timesource
Console: colour dummy device 80x25
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 114260k/131008k available (1553k kernel code, 16272k reserved, 348k data, 116k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Calibrating delay using timer specific routine.. 3607.84 BogoMIPS (lpj=7215693)
Mount-cache hash table entries: 512
CPU: L1 I cache: 8K
CPU: L2 cache: 128K
CPU: Intel Pentium II (Klamath) stepping 03
Checking 'hlt' instruction... OK.
SMP alternatives: switching to UP code
Freeing SMP alternatives: 0k freed
Unpacking initramfs... done
Freeing initrd memory: 12916k freed
NET: Registered protocol family 16
PCI: PCI BIOS revision 2.10 entry at 0xfa120, last bus=0
Setting up standard PCI resources
PCI: Probing PCI hardware
PCI quirk: region b000-b03f claimed by PIIX4 ACPI
PCI quirk: region b100-b10f claimed by PIIX4 SMB
PCI: Using IRQ router PIIX/ICH [8086/7000] at 0000:00:01.0
PCI: Ignore bogus resource 6 [0:0] of 0000:00:02.0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 4096 bind 2048)
TCP reno registered
Total HugeTLB memory allocated, 0
Initializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
Limiting direct PCI/PCI transfers.
PCI: PIIX3: Enabling Passive Release on 0000:00:01.0
Activating ISA DMA hang workarounds.
Serial: 8250/16550 driver $Revision: #2 $ 4 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16450
loop: loaded (max 8 devices)
pcnet32.c:v1.32 18.Mar.2006 tsbogend@alpha.franken.de
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky
Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: QEMU HARDDISK, ATA DISK drive
hdc: QEMU CD-ROM, ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ide1 at 0x170-0x177,0x376 on irq 15
hda: max request size: 128KiB
hda: 2016 sectors (1 MB) w/256KiB Cache, CHS=2/16/63
hda: set_multmode: status=0x41 { DriveReady Error }
hda: set_multmode: error=0x04 { DriveStatusError }
ide: failed opcode was: 0xef
hda: cache flushes supported
hda:
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI Shortcut mode
Freeing unused kernel memory: 116k freed
mount: Mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
mount: Mounting /dev/hda1 on /mnt/disk0 failed: No such device or address
TIPC: Activated (compiled May 2 2007 15:38:08)
NET: Registered protocol family 30
TIPC: Started in single node mode
TIPC: Started in network mode
TIPC: Own node address <1.1.1>, network identity 1234
TIPC: Enabled bearer , discovery domain <1.1.0>, priority 10
# ls -la /
drwxr-xr-x 13 0 0 0 Oct 4 06:31 .
drwxr-xr-x 13 0 0 0 Oct 4 06:31 ..
drwxr-xr-x 4 0 0 0 Oct 4 06:31 asa
drwxr-xr-x 2 0 0 0 Oct 4 06:31 bin
drwxr-xr-x 3 0 0 0 Oct 4 06:31 dev
drwxr-xr-x 3 0 0 0 Oct 4 06:31 etc
lrwxrwxrwx 1 0 0 7 Oct 4 06:31 init -> linuxrc
drwxr-xr-x 3 0 0 0 Oct 4 06:31 lib
lrwxrwxrwx 1 0 0 11 Oct 4 06:31 linuxrc -> bin/busybox
drwxr-xr-x 4 0 0 0 Oct 4 06:31 mnt
dr-xr-xr-x 26 0 0 0 Oct 4 06:31 proc
drwx------ 2 0 0 0 Oct 4 06:31 root
drwxr-xr-x 2 0 0 0 Oct 4 06:31 sbin
drwxr-xr-x 10 0 0 0 Oct 4 06:31 sys
drwxr-xr-x 3 0 0 0 Oct 4 06:31 usr
# ifconfig -a
dummy0 Link encap:Ethernet HWaddr 02:9E:54:9A:AB:71
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
LOOPBACK MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tap0 Link encap:Ethernet HWaddr 42:6D:68:A2:39:92
inet addr:127.0.2.2 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:56 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
# /asa/bin/lina -h

Processor memory 99094528, Reserved memory: 20971520 (DSOs: 0 + kernel: 20971520)
open /proc/bigphysarea failed, error 2
Guest RAM start: 0xd8c00080
Guest RAM end: 0xdd400000

lina [-n ] [-i ] [-m] [-h]

-h : help
-n : specify the unit number
-i : specify the number of interfaces (nics) to simulate
-m : launch the instance in multiple mode
-s : don't use pthreads, run everything in one process
-d : base disk/flash path (/mnt/disk0/)

# /asa/bin/lina_monitor -h

lina [-h]

-m : SM or AM (*SM Default for 7.3*)
-g : start ASA in gdb via serial device'
-n : gdb ethernet device 'eth0'
-s : gdb serial device '/dev/ttySx'
-d : generate debug messages
-c : control C will exit.
-h : help

# exit

Processor memory 99094528, Reserved memory: 20971520 (DSOs: 0 + kernel: 20971520)
open /proc/bigphysarea failed, error 2
Guest RAM start: 0xd8c00080
Guest RAM end: 0xdd400000
LINA unit number: 1
Guest RAM brk: 0xd8c01000

MKDIR failed No such file or directory for /var/log/
Welcome to LINA - ( F1-on-Linux platform ) desktop version!

********************************************************************
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING *
* *
* This product is for Cisco internal use ONLY!!! *
* *
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING *
********************************************************************

i2c_read_byte_w_wait() error, slot = 0x4, device = 0xb0, address = 0 byte count = 1. Reason: I2C_SMBUS_UNSUPPORT

Total SSMs found: 0
Ignoring PCI card in slot:0 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:1 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:2 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:3 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:4 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:5 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:6 (vendor:0x0 deviceid:0x0)

Total NICs found: 6
setup_irq: irq handler mismatch






Unable to open /proc/irq/15/irq error: Device or resource busy
Panic: kernel - intr_establish: open interupt descriptor irq 15


-----------------------------------------------
Traceback output aborted.
Flushing first exception frame:
Abort: Assert failure
vector 0x00000000
edi 0x0000000f
esi 0xd924a598
ebp 0xd8bf7658
esp 0xd8bf764c
ebx 0x000000b6
edx 0xd8bf7690
ecx 0x00000006
eax 0x00000000
error code n/a
eip 0xdd6a72a1
cs 0x00000073
eflags 0x00000246
CR2 0x00000000
Nested traceback attempted via signal, from:
Page fault: Address not mapped
vector 0x0000000e
edi 0xd8bf70db
esi 0xd8bf70bf
ebp 0xd8bf6fe8
esp 0xd8bf6fa0
ebx 0xd8bf70bf
edx 0x08acd5d8
ecx 0x00000000
eax 0x00000000
error code 0x00000004
eip 0x0805ee77
cs 0x00000073
eflags 0x00000246
CR2 0x00000084

An internal error occurred. Specifically, a programming assertion was
violated. Copy the error message exactly as it appears, and get the
output of the show version command and the contents of the configuration
file. Then call your technical support representative.

assertion "_vf_mode_init" failed: file "vf_api.c", line 99



Rebooting....
Restarting system.
.

About CatOS: just skip the MZIP header (always the first 0x70 bytes of the image).


# dd if=c3550-i9k2l2q3-mz.121-13.EA1.bin of=sw.zip bs=1 skip=112
3833542+0 records in
3833542+0 records out
3833542 bytes transferred in 18.750873 secs (204446 bytes/sec)
# unzip sw.zip
Archive: sw.zip
inflating: -
# mv - sw
# file sw
sw: data
# strings sw | grep -i c3550-i9k2l2q3-m\\$
CW_IMAGE$C3550-I9K2L2Q3-M$
#

About IOS: the PKZIP header has a variable offset (0x444c in this case).


# hexdump -C c2600-io3-mz.122-13.bin | grep "50 4b 03 04"
00004440 00 56 f9 7b 6a 23 84 b6 43 53 c6 80 50 4b 03 04 |.V.{j#..CS..PK..|
# dd if=c2600-io3-mz.122-13.bin of=rtr.zip bs=1 skip=17484
5699964+0 records in
5699964+0 records out
5699964 bytes transferred in 23.792014 secs (239575 bytes/sec)
# unzip rtr.zip
Archive: rtr.zip
inflating: C2600-IO.BIN
# file C2600-IO.BIN
C2600-IO.BIN: ELF 32-bit MSB executable, SPARC V9, version 1 (SYSV), statically linked, stripped
# strings C2600-IO.BIN | grep -i 2600-io3-M\\$
CW_IMAGE$C2600-IO3-M$
#
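The manual hexdump / grep / perl / tail carving done above for all four image types (PIX/ASA7 ZIP, ASA8 gzip+cpio, CatOS fixed-offset ZIP, IOS floating-offset ZIP) can be automated by scanning for the archive magic and taking the rest of the file. The script below is an added example, not code from the article; the images built by make_sample_image() are constructed stand-ins, not real Cisco files, and the ASA8 branch stops after the gunzip step (cpio unpacking is left to cpio as in the article).

```python
# Added example: locate the first ZIP local-file header (50 4b 03 04) or
# gzip header (1f 8b 08), carve from that offset to end of file (the
# `tail -c` step) and verify that the carved payload really parses.
import gzip
import io
import zipfile

ZIP_MAGIC = b"\x50\x4b\x03\x04"   # "PK\x03\x04": ZIP local file header
GZIP_MAGIC = b"\x1f\x8b\x08"      # gzip ID1/ID2 plus deflate method byte


def find_payload(data: bytes):
    """Return (kind, offset) of the earliest archive header, or None."""
    hits = [(data.find(m), k) for k, m in (("zip", ZIP_MAGIC), ("gzip", GZIP_MAGIC))]
    hits = [h for h in hits if h[0] >= 0]
    if not hits:
        return None
    off, kind = min(hits)
    return kind, off


def safe_name(name: str) -> str:
    """Drop '..' and empty components, as unzip did for ../target/f1/pix."""
    return "/".join(p for p in name.split("/") if p not in ("", ".", ".."))


def carve(data: bytes) -> dict:
    """Carve the archive and return {member name: content}."""
    found = find_payload(data)
    if found is None:
        raise ValueError("no ZIP or gzip header found in image")
    kind, off = found
    payload = data[off:]              # same bytes as: tail -c $((size - off))
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return {safe_name(n): zf.read(n) for n in zf.namelist()}
    # ASA8 style: gzip-wrapped cpio; only the gunzip step is done here
    return {"payload": gzip.decompress(payload)}


def make_sample_image(kind: str) -> bytes:
    """Constructed test image: 0x80 bytes of fake boot code, then the archive."""
    prefix = b"\x00" * 64 + b"CISCO FAKE BOOT HEADER " + b"\xff" * 41
    if kind == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("../target/f1/pix", b"\x7fELF fake pix image")  # constructed
        return prefix + buf.getvalue()
    return prefix + gzip.compress(b"070701 fake cpio archive", mtime=0)  # constructed
```

Because the script takes the earliest header found, it handles the constant 0x70 MZIP prefix of CatOS and the variable IOS offset the same way; on a real image, confirm the carved output with file(1) and the CW_IMAGE string as done above.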

See also:
full ls -lR output
same action from FIDO
IOS binary format
ASA emulation
Any questions?