Understand how Threat Led Penetration Testing (TLPT) establishes a foundation for DORA compliance Watch the video›

Tearing Down (Sonic)Walls: Reverse-Engineering SonicOSX Firmware Encryption

Researchers walk through cracking SonicOSX: extracting keys, decrypting firmware, and analyzing its architecture at DistrictCon 2025.

Tearing Down (Sonic)Walls: Reverse-Engineering SonicOSX Firmware Encryption

Speakers: Jon Williams, Caleb Gross

Does SonicOSX raise the bar for SonicWall device security – or simply hinder legitimate research? In this talk, we’ll walk through cracking SonicOSX: extracting keys, decrypting firmware, and analyzing its architecture. Whether you’re a vuln researcher or just starting in RE, you’ll get a hands-on guide to tackling modern firmware security, along with an open-source tool to decrypt NSv firmware.

Presentation given at DistrictCon 2025.

Summary

Researchers introduced Sonic Crack, a command-line tool that automates extracting, decrypting, and analyzing encrypted firmware from SonicWall NSv virtual images. This tool enables security professionals to analyze firewall firmware the same way attackers do—without the usual restrictions.

Why We Built Sonic Crack

  • SonicWall firewalls are widely used by enterprises, yet vulnerabilities in them have been exploited for initial access attacks.
  • Many devices don’t provide direct root access, making firmware analysis difficult.
  • Attackers still manage to reverse-engineer firmware, so defenders should have that capability too.

What Sonic Crack Does

  • Takes a SonicWall NSv VMware image and extracts cryptographic keys.
  • Decrypts the firmware and dumps the root file system.
  • Allows researchers to inspect the SonicOS binary, which controls firewall functions.

Live Exploit Demo: The SSL-VPN Authentication Bypass

  • A recent SonicWall vulnerability allowed attackers to hijack VPN sessions.
  • By decrypting the firmware, we quickly analyzed the patch and developed an exploit.
  • The exploit:
    • Extracted a session ID from an active VPN user.
    • Bypassed MFA and authentication controls.
    • Allowed full session takeover, granting network access.

Breaking SonicWall Firmware Encryption

  • SonicWall encrypts firmware using various formats:
    • SIG – Encrypted, monolithic binary (no embedded key).
    • SWI – Contains some embedded decryption keys.
    • LUKS – Used in older versions.
  • We cracked the SIG format, allowing full decryption of modern SonicOS firmware.

Using AI to Automate Patch Analysis

  • Problem: SonicWall releases patches with stripped binaries—analyzing them manually is slow.
  • Solution: We built an AI-driven ranking tool to find vulnerabilities faster.
  • How it works:
    • Extract function call chains and decompiled code from patched/unpatched binaries.
    • Use LLMs to rank the most relevant changes.
    • Result: Found the root cause of the SSL-VPN vulnerability in minutes instead of days.

Finding a Zero-Day During Research

  • While analyzing SonicWall firmware, we found a zero-day vulnerability in the SSL-VPN service.
  • The exploit crashes the firewall whenever a user connects via VPN.
  • Disclosure: We’re following responsible disclosure, and full details will be released in April.

Key Takeaways & Call to Action

  • Encrypted firmware doesn’t stop attackers—it only makes research harder for defenders.
  • Vendors should lower barriers to security research or implement private bug bounty programs.
  • Sonic Crack is now public—use it to analyze firmware, find vulnerabilities, and improve security.
  • Check our blog in April for details on the zero-day.
Jon Williams

About the author, Jon Williams

Senior Security Engineer

As a researcher for the Bishop Fox Capability Development team, Jon spends his time hunting for vulnerabilities and writing exploits for software on our customers' attack surface. He previously served as an organizer for BSides Connecticut for four years and most recently completed the Corelan Advanced Windows Exploit Development course. Jon has presented talks and written articles about his security research on various subjects, including enterprise wireless network attacks, bypassing network access controls, and malware reverse engineering.

More by Jon
Caleb Gross Light Gray

About the author, Caleb Gross

Former Director of Capability Development

Caleb Gross was the Director of the Capability Development at Bishop Fox where he leads a team of offensive security professionals specializing in attack surface research and vulnerability intelligence. Prior to coming to Bishop Fox, he served as an exploitation operator in the US Department of Defense's most elite computer network exploitation (CNE) unit. As a top-rated military officer, Caleb led an offensive operations team in the US Air Force's premier selectively manned cyber attack squadron.
More by Caleb

Extend Your Knowledge

Check out these related resources.

Vulnerability Intelligence: Decrypting SonicOSX: Tearing Down Walls purple background.
Tech

Feb 24, 2025

Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware

By Jon Williams

SonicWall CVE-2024-53704 title with vulnerability intelligence tag: SSL VPN Session Hijacking.
Tech

Feb 10, 2025

SonicWall CVE-2024-53704: SSL VPN Session Hijacking

By Jon Williams

Video thumbnail with Jon Williams headshot and play button.
Video

SonicWall-CVE2024-53704: Exploit Details

Watch a quick explainer of Bishop Fox's successful exploit of SonicWall CVE-2024-53704.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.