Analyzing HP Thinpro Firmware
Today I got my hands on a HP t510 Thinclient and wanted to analyze the OS and running services (apparently it’s running Ubuntu 10.04.4 LTS). Here is my solution to run the Firmware in a VMware Infrastructure, or simply mount the image for browsing.
First you need to download the ThinPro Firmware for your Thinclient model from HP’s Downloadcenter. Here is the link for the T510:
After you finished the download you will get an exe containing the firmware. Run this file under Windows, select the Button named “Image” and save the extracted image.
This will give you a gz image. Transfer this image to your favorite linux box (I used kali) und run gunzip to unzip it
gunzip T6X43101.dd.gz
Now you have a .dd file, which is a raw ext3 disk image created with the dd command.
T6X43101.dd: x86 boot sector; GRand Unified Bootloader, stage1 version 0x3, 1st sector stage2 0x1380c5; partition 1: ID=0x83, active, starthead 1, startsector 63, 2001825 sectors, code offset 0x48
Here is the binwalk output from this file
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
32256 0x7E00 Linux EXT filesystem, rev 1.0 ext3 filesystem data, UUID=c0cba688-cc23-404f-a7fb-d67fde13de13, volume name "ROOT"
1606144 0x188200 Squashfs filesystem, little endian, version 4.0, compression: gzip, size: 462368156 bytes, 33965 inodes, blocksize: 131072 bytes, created: Thu Mar 28 01:57:34 2013
644937077 0x2670F575 MPFS (Microchip) filesystem, version 61.121, 17162 file entries
644937095 0x2670F587 MPFS (Microchip) filesystem, version 95.77, 21839 file entries
645012614 0x26721C86 MPFS (Microchip) filesystem, version 61.121, 17162 file entries
645012629 0x26721C95 MPFS (Microchip) filesystem, version 95.80, 21327 file entries
645028352 0x26725A00 gzip compressed data, from Unix, last modified: Thu Mar 28 01:56:23 2013
653039724 0x26EC986C gzip compressed data, from Unix, last modified: Fri Jul 29 23:17:55 2011, max compression
657147869 0x272B47DD ELF (NetBSD)
657155473 0x272B6591 ELF
679509504 0x28807E00 Linux EXT filesystem, rev 1.0 ext3 filesystem data, UUID=c0cba688-cc23-404f-a7fb-d67fde13de13, volume name "ROOT"
To convert this image to a VMware Harddisk you first need to install the package qemu (if you only want to browse this image, scroll down a bit).
To start the conversion run the following command:
qemu-img convert -f raw -O vmdk T6X43101.dd thinpro.vmdk
Next create an empty Virtual Machine, select existing Harddisk and use the converted thinpro.vmdk image. If you get a prompt to convert this image to a newer version of VMware, select yes.
Now you can boot and configure your very own “Thinclient” inside a VM :)
If you just need to browse the image contents, run parted on the .dd image to get the offset (User input is bold) or just use the offset from the binwalk output above.
parted T6X43101.dd
GNU Parted 2.3
Using /media/psf/ThinClient/T6X43101.dd
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit
Unit? [compact]? B
(parted) print
Model: (file)
Disk /media/psf/ThinClient/T6X43101.dd: 1024966656B
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Number Start End Size Type File system Flags
1 32256B 1024966655B 1024934400B primary ext3 boot
(parted) quit
Now mount the image with the correct offset
mkdir /media/thinclient
mount -o loop,ro,offset=32256 T6X43101.dd /media/thinclient/
This will mount the dd image readonly and you will get some kernel images and the filesystem as a squashfs file. Install firmware-mod-kit on your linux box so you get the tools needed to extract the filesystem.
/root/firmware-mod-kit/unsquashfs_all.sh /media/thinclient/filesystem.squash extract
This will extract the harddisk content to the folder extract.
root@kali:/media/psf/ThinClient/extract# ls -alh
total 0
drwxr-xr-x 1 root root 646 May 22 21:43 .
drwxr-xr-x 1 root root 442 May 23 09:58 ..
drwxr-xr-x 1 root root 3.5K Mar 28 01:55 bin
drwxr-xr-x 1 root root 136 Mar 28 01:50 debootstrap
drwxr-xr-x 1 root root 136 Mar 28 01:50 dev
drwxr-xr-x 1 root root 102 Mar 28 01:56 .flash
-rw-r--r-- 1 root root 2 Mar 28 01:56 fonts.dir
drwxr-xr-x 1 root root 3.3K May 22 21:46 lib
drwxr-xr-x 1 root root 170 May 22 21:46 opt
drwxr-xr-x 1 root root 68 Feb 3 2012 proc
drwxr-xr-x 1 root root 3.9K Mar 28 01:55 sbin
drwxr-xr-x 1 root root 68 Dec 5 2009 selinux
drwxr-xr-x 1 root root 68 Mar 28 01:50 srv
drwxr-xr-x 1 root root 68 Jan 20 2012 sys
drwxr-xr-x 1 root root 68 Mar 28 01:56 tmp
drwxr-xr-x 1 root root 340 May 22 21:46 usr
drwxr-xr-x 1 root root 306 May 22 21:46 var
drwxr-xr-x 1 root root 340 May 22 21:43 writable
Happy analyzing :)