Full Report
It has been a while since I did some hardware hacking, and this time I want to review the basics. The LinkSys EA6100 router intrigued me since I was only able to find encrypted firmware images (or updates). Known tools like binwalk were unable to unpack the system:> file
Analysis Summary
# Tool/Technique: LinkSys EA6100 Router Firmware Analysis (Hardware Hacking Context)
## Overview
This summary details the initial hardware analysis and reconnaissance performed on a LinkSys EA6100 router, specifically focusing on its encrypted firmware image and the physical components of the Printed Circuit Board (PCB) to identify potential debug interfaces like UART.
## Technical Details
- Type: Technique (Hardware Reverse Engineering/Firmware Analysis)
- Platform: LinkSys EA6100 Router (Embedded Linux/MediaTek CPU)
- Capabilities: Component identification (CPU, RAM, Flash), voltage level analysis on test points (TPs) and headers (J4, J2), firmware integrity/encryption check.
- First Seen: Relates to analysis conducted on known LinkSys hardware; specific analysis date not provided.
## MITRE ATT&CK Mapping
This exercise primarily focuses on reconnaissance and initial access preparation, which aligns loosely with the following high-level tactics:
- **TA0001 - Initial Access** (Focus on finding physical entry points)
  - T1558 - Steal or Forge Credentials
    - T1558.003 - Steal or Forge Credentials: From Shared Content (Firmware analysis can expose hardcoded credentials)
- **TA0043 - Software Discovery** (Identifying system components)
  - T1592 - Gather Victim Identity Information
    - T1592.005 - Gather Victim Identity Information: Hardware (Identifying CPU, Flash, RAM)
## Functionality
### Core Capabilities
- **Firmware Integrity Check:** Attempted unpacking of encrypted firmware image (`FW_EA6100_1.1.6.181939_prod.gpg.img`) using standard tools like `binwalk`, which only identified an embedded MySQL MISAM index file and high entropy, suggesting encryption or proprietary packing.
- **Component Identification:** Identified key hardware components via PCB silkscreen labels and cross-referencing datasheets:
  - CPU: MediaTek MT7620A
  - Flash: Spansion S34ML01G100TFI00
  - RAM: Winbond W971GG6KB-25 (128 MB)
  - WIFI: MediaTek MT7612E
- **Debug Pin Analysis (J4, J2):** Measured voltages with a multimeter on the unlabeled headers (J4, J2) and test points (TP1, TP2, TP3) during boot to tell power lines (3.3V supply, GND) apart from candidate signal lines (an oscillating voltage indicates data being transmitted).
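As an added example written for this summary (not binwalk's code and not the original author's), the check behind the "high entropy" finding: a sliding-window Shannon entropy scan over a constructed image whose plaintext-style header gives way to seeded pseudo-random bytes standing in for an encrypted payload. The sample bytes, the 1024-byte window and the 7.5 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(image: bytes, window: int = 1024):
    """Entropy of each fixed-size window; returns [(offset, entropy), ...]."""
    return [(off, shannon_entropy(image[off:off + window]))
            for off in range(0, len(image), window)]

def high_entropy_regions(image: bytes, window: int = 1024, threshold: float = 7.5):
    """Merge consecutive windows at or above the threshold into (start, end) byte ranges.
    Near-maximal entropy over a whole region is what encrypted or compressed data looks
    like; plaintext headers, code and filesystem metadata score noticeably lower."""
    regions = []
    for off, ent in entropy_profile(image, window):
        end = min(off + window, len(image))
        if ent >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)   # extend the current region
            else:
                regions.append((off, end))
    return regions

# Constructed sample image (assumption, not a real firmware dump): a repetitive
# plaintext-style header of exactly two windows, then eight windows of seeded
# pseudo-random bytes standing in for an encrypted payload.
_rng = random.Random(1337)
SAMPLE_HEADER = (b"FIRMWARE-HEADER v1.1.6 " + b"\x00" * 41) * 32       # 2048 bytes
SAMPLE_BODY = bytes(_rng.getrandbits(8) for _ in range(8192))         # 8192 bytes
SAMPLE_IMAGE = SAMPLE_HEADER + SAMPLE_BODY

if __name__ == "__main__":
    for off, ent in entropy_profile(SAMPLE_IMAGE):
        print(f"0x{off:06x}  {ent:5.2f}  {'#' * int(ent * 4)}")
    print("high-entropy regions:", high_entropy_regions(SAMPLE_IMAGE))
```

On a real image, `binwalk -E <file>` plots the same kind of per-offset entropy profile; a flat line near 8 bits/byte from the first byte onward is what an encrypted or whole-image-compressed update looks like, whereas an unencrypted Linux firmware shows dips at the bootloader, kernel and filesystem headers.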
### Advanced Features
- **Signal Monitoring:** Detected oscillating voltages on certain pads (e.g., J4 Pin 3, J2 Pin 5), strongly indicating transmitting signals, likely related to a serial console (UART).
- **PCB Inspection:** Noted missing components (R6, R3) and an empty SOIC8 socket on the reverse side, suggesting potential modifications or alternative hardware revisions.
- **Information Sourcing:** Used publicly available FCC filings (via Google Dorking) to quickly obtain internal photos and schematics, confirming initial findings.
## Indicators of Compromise
*Not applicable as this is a hardware analysis methodology, not an active compromise.*
- File Hashes: `25efc5b63d6b35366bf556111d0a8368` (MD5 for firmware image)
- File Names: `FW_EA6100_1.1.6.181939_prod.gpg.img`
- Registry Keys: N/A
- Network Indicators: N/A (Analysis focused on physical access)
- Behavioral Indicators: Oscillating voltages on specific PCB pads during boot sequence.
## Associated Threat Actors
This analysis describes a research and reverse-engineering effort, not activity by a specific threat actor group. The knowledge gained could be used by researchers or malicious actors seeking initial access to embedded devices.
## Detection Methods
*Not applicable to the analysis process itself.* These techniques represent methods for *gaining* unauthorized access, not detecting ongoing attacks.
## Mitigation Strategies
*For users/owners of the device:*
- Physical Security: Limit physical access to networking equipment.
- Firmware Integrity: Only install official firmware updates; vet third-party firmware sources.
*For security researchers attempting replication:*
- Utilize standard hardware analysis tools (multimeter, logic analyzer, oscilloscope).
- Cross-reference component information with FCC ID databases for documentation.
## Related Tools/Techniques
- **binwalk:** Tool used for analyzing firmware images for embedded filesystems and signatures.
- **Hardware Debugging (UART/JTAG):** The overall goal of the analysis is to establish a serial connection (UART) for low-level system interaction.
- **Google Dorking:** Used to locate internal photos and documentation filed with regulatory bodies (e.g., FCC ID search).