EXTRACTING AND ANALYZING FIRMWARE OF KANKUN SMART PLUG
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCVRZupNyYUlwqfJ-anfvKSyZ4r3Zx1aErgdSkPO7p8PGmUHq3s9ix2SMOKT2fzo6v71BIVmuQ7mCjMeF1nrHOJTilEG3Dc7dRJheeUTeRqZdrYrQtmMIqSK0VdSiEQoDraeCL7-os35h_/s640/screenshot.14.jpg)
1 - Getting the mobile application
- As the product booklet indicates, this is the download page for the mobile application smartwifi.apk:
http://kk.huafeng.com:8081/none/android/smartwifi.apk
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8xipDb6uzHxl0M4rqBdcye_PZRe2VaFTzsdufsKplMVabj3GutAvMIAW0Akontn5E1EPqfJ4VRq5FS6OQkCK-dRcJ3sP7a10sFg3qCeH-HHjhWFLsPuwtFdM58k7Bm2FoUEk3MSmpIDDA/s1600/screenshot.1.jpg)
2 - Decompiling the mobile application with jadx
- Once smartwifi.apk is downloaded, let's decompile the apk file with jadx:
https://sourceforge.net/projects/jadx/
- Copying the .apk into the folder /jadx/bin:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGM8IbyORVORYQS5cokwPECrCNCI_H5QYTLP1Y7pub-HGsorl_fmDSQt6Wm88SQpUF-uR2e4wWVIQUK-yvMC4rkgg0ETaghqYB5WHrMJ0nX6JXPBqwD9GQYPJzX-tt1A6IkhIryLwF_G-n/s1600/screenshot.2.jpg)
- After decompilation, the Java source code of the application is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsB7CoxHKwu7yGDYG4S3Oi_mQJOWb5WRiOCub88_oVKmPqxIaRyO0mMa6lihWCpa3jdnOjXidqSO2T_DWvIV4Ovt1j0F0M25R9U45ZNQqmSGt3HrYbOEbOjle13ZwJW1MyX6X4IILvOA3K/s1600/screenshot.3.jpg)
- Although several error messages are displayed, a new folder smartwifi is eventually created:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilfB665_wyj86xM2f61U4ieKb0hYxtCgHqjPAsia5viE55p-JCEXciOlCWKyTv4aLyltkdavT1d5Yh1SBmHp0dqfCVQakZShc92dS_aKfMz0HqJK91oAbjkXfP5yoO5_-id9DajLc93-aO/s1600/screenshot.4.jpg)
- Copying the newly created folder to ~/kankun:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxL-aInPkrhRlpf8QrehtJRv4Pt2fbzm6atJPR9GkqZbRZ4-IG6hussMgjgrm9vfCTZzpaNAuIGj8zP91DoP24FBLkxgYJxCLnTt4IscG1p_vF-cIgN__cUgFyNXpTwOm-f-U24QY9AZ13/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuqJoCTy-6KanYtYqAC1mceY2OZGr0NS_NtOQhOPsmI9UwYzaGo_7sPmHIRNywiNJ2Msov2hQp3LszMMVCdaUt08ADAo0vdNlhCIGoI-ChRNGuFgNCgkbJRl2kGfF9t6dt6ZMUc66PNaq4/s400/screenshot.6.jpg)
- Inside the folder smartwifi are the Java class files of the mobile application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiErmVHQ9XHGttQNV6JHeV7GeW7UKQTg7BPpI2S_Xj_Kt-g-Wa7JAEHPdYMnnfQVN43zyNcDarOTr55-FqaBx_ukmW2yriTQqeeTK6cLKvVcV-njjuIRiIzWcchuoiEMkNgTV293YNih46f/s1600/screenshot.7.jpg)
3 - Getting the firmware
- Examining the contents of AndroidManifest.xml, we find that the package of the application is hangzhou.zx:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvvYoNNwnx5PqjyOq1b-2bW4W6oWFUyzrUZJTAbolTcIyNtSvpFOaRxl9RCbDGK9D-1MWsqPcUrDe9nxDJ3jFSnjD_K_rMSff4cSPj-8xV_uyayNppClhPTVVQtZu66EgfA8oWm4nHF4SR/s1600/screenshot.8.jpg)
- Going into hangzhou:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgck-r42etfnWBoUIA6B3RLLAWt0ApVVfwV5Rf_t_iRNAOw4rbHaUILtIaDAfNtQ_Pta5U0VW99TKpNbEMw4N7PsFp9ZGGkQPPVTLclfp6QeAnIQodY26vB6KOkhTd6iaSfqrwbldfgGBQo/s1600/screenshot.9.jpg)
- Going into zx:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhoqk9e9ggohpoGzohSXAEiTyKQ0ClWrb5pPQGnlU1xux6qpVIe4PoZcQw6ToIvf6sjkySIBiso071nkjE2xcjdrY3iSUZBRd3sYoarxkJ7-i_Ds-5JFyMGIMxZ0fLX0o-f0kdl0WU_eh2/s1600/screenshot.10.jpg)
- Opening PreferencesUtil.java:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9phNvhsKc2iYq3XLXe7rgZgppSI8USvEM4O48BUz5v2Jv4e6901nAeY3egoscgUJFbNPWBwVBFjc7LbVtdMouu7rnuBVzJnkbv-1tflkcrczSTwmXWWhXAmd8G8S7HZHFFdWJ4LBqHxrx/s1600/screenshot.11.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSZ3P9adpkmSzs9BZNIdUwhB635O_9NLDgOgcsZAA2vAzr5NMxhsR_1gWX9UCxiG6Pf8HnLbttG1gJxasfBiEaPvO7OmivIc2YpCdpjU-hNXcT3cWtFTm6IMCJyO-eKw7g2mkBjg21RDTg/s1600/screenshot.12.jpg)
- There is a very interesting line that gives us a hint about where to download the firmware from:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2hr7QVOCEbWGswgwXhet3xRPE2ZQaZ30y5HTSyxyKlexOTq6bLZVwmKbZwvhum99h3xDhX_WpnHuP6e_ugU1_6UIlec07ngTxRokKe5b4nbcZog8stoUDWlCrhWJuRqOT7wtDPj55wKT1/s1600/screenshot.13.jpg)
- Downloading the firmware with wget:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzAxLZYe6w2YxGdA7UaTnk6Uh-UhoqPXu9F8iKgdPoi-jFhWrAC4m9LFAgg_T8oANPeUr4msHvDyxy5K6MEv3_t5nYaE7xsGm-P77oEQKh2g9FQzq4hh5qqeW7pM2DRx4d4W9j84Tm5jqg/s1600/screenshot.14.jpg)
- Now the firmware file kkeps.bin is available for further study and analysis:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQGe_6GLUxNRufZL-qJM_zFWMgPM4wusedGSzDbPBe0dgXZAp_lcUcPD7umy20KhsPqGwceWqDnug7m-iaFKo9Gyo3Pz842d4bd2cBEufy3B-h_qJMSNs8F-df79AUHHFkl252jS21NcEY/s1600/screenshot.15.jpg)
- Checking the file type:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo7IM19awMvV1O6-Sbpc7E3knjSwqqaGRNyP6S5uYu3PO6BtO1sEf0gJzQm__Z6b2ygJJEQWxgmrYYh5JNLKUJrLOCHggr48rNFWRrDAdSOqH7GFIvMTli9ORfi0foxPy2uhxW8kJq-Pke/s1600/screenshot.16.jpg)
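The manual search for the firmware hint in step 3 can be repeated over the whole decompiled tree. The following is an added example, not code from the original post or from the application: it lists every URL string literal in the .java files and flags cleartext and binary-download endpoints. The class name SampleUtil and the example.invalid URLs are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

URL_LITERAL = re.compile(r'"((?:https?|ftp)://[^"\s]+)"')
BINARY_EXT = (".bin", ".img", ".apk", ".zip", ".trx")


def find_endpoints(source_root):
    """List URL string literals in decompiled .java files, with review flags."""
    findings = []
    for path in sorted(Path(source_root).rglob("*.java")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for url in URL_LITERAL.findall(line):
                flags = []
                if not url.startswith("https://"):
                    flags.append("cleartext")        # no transport integrity
                if url.lower().split("?")[0].endswith(BINARY_EXT):
                    flags.append("binary-download")  # firmware/app image candidate
                findings.append((path.name, lineno, url, flags))
    return findings


def build_sample_tree(root):
    """Write a constructed source file; class name and URLs are placeholders."""
    pkg = Path(root) / "hangzhou" / "zx"
    pkg.mkdir(parents=True)
    (pkg / "SampleUtil.java").write_text(
        'package hangzhou.zx;\n'
        'public class SampleUtil {\n'
        '    static final String FW = "http://firmware.example.invalid/fw/image.bin";\n'
        '    static final String API = "https://api.example.invalid/v1/status";\n'
        '    // no URL on this line\n'
        '}\n', encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, lineno, url, flags in find_endpoints(build_sample_tree(tmp)):
            print(f"{name}:{lineno} {url} {','.join(flags) or '-'}")
```

Pointing find_endpoints at the real jadx output folder (for instance ~/kankun/smartwifi) gives the same listing for the actual application.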
4 - Extracting the root file system with binwalk
- Extracting the file system from the binary (LZMA-compressed data and a Squashfs filesystem):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdmbhhxO1pPs5rKDBKwXcgz-e7stSAWPdcHA3f8jD2XkgQtsElzUONZffyC2GTUZJ83Mu66AnHKrCMUXAFOsTrGEiIIq96O9-McJx9Lc0U81Ucew1e6oNduBXFgr69gtkn-Bq8uE5094pp/s1600/screenshot.17.jpg)
- A new folder _kkeps.bin.extracted is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9NFzsmkujD1RJAQLrAIKs89fOXr-7VYaWkE8D0VbnY-qnDTYEjXmPdH1QcxuGoYctH8tJRJI1fe9GyayBPS4sp4L03mi97gsag1H91oT5Lpemb3c49u6fwb78FPw9ker5R2iKJk0Hlu2y/s1600/screenshot.18.jpg)
- Going into _kkeps.bin.extracted there is the root file system squashfs-root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyy1_ySzqV8RYqt8gAvEUzkjDuIrROtMh7O_8RCTInHPXQs_QPx_HmydCyEHqxWC-uudYA2-s1hLKHIdEYlBjVPkPldB8rVC8AR25O8iIyAPFMD-oAAdVm8c9-mG1EAht2nkKuoVsgRG3U/s1600/screenshot.19.jpg)
- Going into squashfs-root the entire root file system is found:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdV3CTtp5_U2vf59oB6DW5E27QQHIG5oxWeBSO7Bikq_C2hirwD__HIBmVuWV5WssLjgGltrZ1rl_HfNvU2gwyVCFzvsPJ6y52-8HcqHGqgnK4kTT7XeKHoMVonnlUhyphenhyphenDSuSsZxBjETm7Y/s1600/screenshot.20.jpg)
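To show what a signature scan such as the one in step 4 looks for, here is an added example (not binwalk's code and not from the original post) that locates LZMA and Squashfs headers in an image and cross-checks the Squashfs superblock fields so that a stray magic value is not reported. The test image is constructed in build_sample_image; its offsets and sizes are made up and do not describe kkeps.bin.

```python
import struct

SQUASHFS_MAGIC = b"hsqs"                  # Squashfs magic as stored little-endian
SUPERBLOCK = struct.Struct("<5I6H2Q")     # first 48 bytes of a Squashfs 4.x superblock
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
LZMA_HEADER = struct.Struct("<BIQ")       # properties, dictionary size, unpacked size


def find_squashfs(image):
    """Return header details for every plausible Squashfs superblock."""
    hits, pos = [], image.find(SQUASHFS_MAGIC)
    while pos != -1:
        if pos + SUPERBLOCK.size <= len(image):
            (_, inodes, _, block_size, _, comp, block_log, _, _,
             major, minor, _, bytes_used) = SUPERBLOCK.unpack_from(image, pos)
            # The 4-byte magic alone matches random data; cross-check the fields.
            if major == 4 and 12 <= block_log <= 20 and block_size == 1 << block_log:
                hits.append({"offset": pos, "version": f"{major}.{minor}",
                             "compression": COMPRESSORS.get(comp, "unknown"),
                             "inodes": inodes, "size": bytes_used,
                             "truncated": pos + bytes_used > len(image)})
        pos = image.find(SQUASHFS_MAGIC, pos + 1)
    return hits


def find_lzma(image, max_unpacked=64 << 20):
    """Heuristic scan for LZMA 'alone' headers with the common 0x5D properties byte."""
    hits, pos = [], image.find(b"\x5d")
    while pos != -1 and pos + LZMA_HEADER.size <= len(image):
        _, dict_size, unpacked = LZMA_HEADER.unpack_from(image, pos)
        power_of_two = dict_size >= 4096 and dict_size & (dict_size - 1) == 0
        if power_of_two and (unpacked == 2**64 - 1 or 0 < unpacked <= max_unpacked):
            hits.append({"offset": pos, "dict_size": dict_size, "unpacked": unpacked})
        pos = image.find(b"\x5d", pos + 1)
    return hits


def build_sample_image():
    """Constructed image: padding, LZMA header, decoy magic, Squashfs superblock."""
    lzma = LZMA_HEADER.pack(0x5D, 1 << 23, 3_000_000)
    decoy = SQUASHFS_MAGIC + b"\xff" * 60
    sqsh = SUPERBLOCK.pack(0x73717368, 412, 0, 1 << 18, 9, 4, 18, 0xC0, 1, 4, 0, 0, 4096)
    return b"\x00" * 64 + lzma + b"\x00" * 115 + decoy + sqsh + b"\xaa" * (4096 - 48)


if __name__ == "__main__":
    img = build_sample_image()
    print(find_lzma(img), find_squashfs(img), sep="\n")
```

The truncated field is worth checking on a downloaded image: a superblock whose declared size runs past the end of the file means the download or the carve is incomplete.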