A lot of ICS devices use uClinux/eCos, which use the bFLT format. The hopper_bflt_loader.py script
implements basic bFLT support for Hopper. Open a binary with the settings:
Base address: 0x0
Entry point: 0x0
File offset: 0x0
CPU: ARMv6 Little endian
and then run the script on it.
The script is based on the IDA Pro loader written by Craig Heffner from Tactical Network Solutions.
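As an added illustration (not code from hopper_bflt_loader.py or this repository), the following Python example decodes the 64-byte bFLT header as laid out in the Linux kernel's flat.h and reports conditions, such as gzip compression, that make the raw file unsuitable for loading as-is. The function names and the sample image are constructed for this example.

```python
import struct
from collections import namedtuple

# Header layout from the Linux kernel's flat.h: 64 bytes, big-endian fields.
HDR = struct.Struct(">4s10I20x")  # magic, 10 words, 20 bytes of filler
BfltHeader = namedtuple("BfltHeader", "magic rev entry data_start data_end "
                        "bss_end stack_size reloc_start reloc_count flags build_date")
FLAG_NAMES = {0x01: "RAM", 0x02: "GOTPIC", 0x04: "GZIP", 0x08: "GZDATA", 0x10: "KTRACE"}


def parse_bflt_header(image):
    """Decode the 64-byte bFLT header or raise ValueError."""
    if len(image) < HDR.size:
        raise ValueError("file shorter than a bFLT header")
    hdr = BfltHeader._make(HDR.unpack_from(image))
    if hdr.magic != b"bFLT":
        raise ValueError("bad magic %r" % hdr.magic)
    return hdr


def flag_names(hdr):
    """Names of the flag bits set in the header, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if hdr.flags & bit]


def check_layout(hdr, file_size):
    """Return a list of problems that would make a naive load misleading."""
    problems = []
    if not (HDR.size <= hdr.entry <= hdr.data_start <= hdr.data_end <= hdr.bss_end):
        problems.append("section offsets are not in ascending order")
    if hdr.flags & 0x0C:  # GZIP or GZDATA: file contents are not the memory image
        problems.append("image is gzip-compressed; decompress before disassembly")
    elif hdr.reloc_start + 4 * hdr.reloc_count > file_size:
        problems.append("relocation table runs past end of file")
    return problems


# Constructed sample: header, zero-filled text/data up to 0x140, two relocation slots.
SAMPLE = HDR.pack(b"bFLT", 4, 0x40, 0x100, 0x140, 0x180, 0x1000, 0x140, 2, 0x02, 0) \
    + bytes(0x140 - 0x40) + bytes(8)

if __name__ == "__main__":
    h = parse_bflt_header(SAMPLE)
    print(h, flag_names(h), check_layout(h, len(SAMPLE)))
```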
moxa_parse_fw.py extracts the firmware images of the simple Mgate and NPort devices without wireless capability.
Firmware images compatible with this tool can be found on the Moxa website.
moxa_parse_fw.py <firmware_file> <output_directory>
The output directory will contain all extracted files in a flat format. The binary firmware itself is saved to <output_directory>/fw.bin.
Note that, depending on the device, different CPU architectures are used. Mgate devices seem to use ARM-based CPUs; their firmware can be loaded directly into Hopper/IDA Pro/Radare2 with the following settings:
Base address: 0x0
Entry point: 0x0
File offset: 0x0
CPU: ARMv6 Little endian
The NPort devices with a Moxa-labelled chip are based on the R8822 architecture (thanks, K. Reid Wightman!).
parse_upg.py converts .upg firmware files as used by some Schneider Electric devices into a binary file that can be loaded into a disassembler.
parse_upg.py <firmware_file> <output_file>
The firmware files for the Moxa NPort W2x50 can be loaded directly into a disassembler with the following settings:
Base address: 0x0
Entry point: 0x0
File offset: 0x58
CPU: ARMv6 Little endian
Note that this only loads the Linux bootloader, which uncompresses the kernel. The filesystems themselves can be extracted using binwalk -e.
Starting with firmware version 2, the firmware is encrypted.
The firmware file (e.g. ADAM-4570-BE_FW_D1.70_268D671C.bin) can be directly loaded into a disassembler.