Firmware Analysis Toolkit : To Emulate Firmware And Analyse It For Security Vulnerabilities

Firmware analysis toolkit is a toolkit to emulate firmware and analyse it for security vulnerabilities. FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware.

Firmware Analysis Toolkit is build on top of the following existing tools and projects :

  • Firmadyne
  • Binwalk
  • Firmware-Mod-Kit
  • MITMproxy
  • Firmwalker
  • Setup instructions

If you are a training student and setting this as a pre-requirement for the training, it is recommended to install the tools in the /root/tools folder, and individual tools in there.

Also Read – Pixload : Image Payload Creating/Injecting Tools

Install Binwalk

git clone https://github.com/devttys0/binwalk.git
cd binwalk
sudo ./deps.sh
sudo python ./setup.py install
sudo apt-get install python-lzma :: (for Python 2.x)
sudo -H pip install git+https://github.com/ahupp/python-magic

Note: Alternatively, you could also do a sudo apt-get install binwalk

Setting up firmadyne

sudo apt-get install busybox-static fakeroot git kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils

git clone –recursive https://github.com/firmadyne/firmadyne.git

cd ./firmadyne; ./download.sh

Edit firmadyne.config and make the FIRMWARE_DIR point to the current location of Firmadyne folder.

Setting up the database

  • sudo apt-get install postgresql
  • sudo -u postgres createuser -P firmadyne, with password firmadyne
  • sudo -u postgres createdb -O firmadyne firmware
  • sudo -u postgres psql -d firmware < ./firmadyne/database/schema

Setting up Firmware Analysis Toolkit (FAT)

First install pexpect.

pip install pexpect

Now clone the repo to your system.

git clone https://github.com/attify/firmware-analysis-toolkit
mv firmware-analysis-toolkit/fat.py .
mv firmware-analysis-toolkit/reset.py .
chmod +x fat.py
chmod +x reset.py

Adjust the paths to firmadyne and binwalk in fat.py and reset.py. Additionally, provide the root password.

Firmadyne requires root privileges for some of its operations. The root password is provided in the script itself to automate the process.

Configurations – change this according to your systemfirmadyne_path = “/home/ec/firmadyne”
binwalk_path = “/usr/local/bin/binwalk”
root_pass = “root”
firmadyne_pass = “firmadyne”

Setting up Firmware-mod-Kit

sudo apt-get install git build-essential zlib1g-dev liblzma-dev python-magic
git clone https://github.com/brianpow/firmware-mod-kit.git

Find the location of binwalk using which binwalk . Modify the file shared-ng.inc to change the value of variable BINWALK to the value of /usr/local/bin/binwalk (if that is where your binwalk is installed). .

Setting up MITMProxy

pip install mitmproxy or apt-get install mitmproxy

Setting up Firmwalker

git clone https://github.com/craigz28/firmwalker.git

That is all the setup needed in order to run FAT.

Running FAT

Once you have completed the above steps you can run can fat. The syntax for running fat is

$ python fat.py

Provide the firmware filename as an argument to the script. If not provided, the script would prompt for it at runtime.

The script will then ask you to enter the brand name. Enter the brand which the firmware belongs to. This is for pure database storage and categorisational purposes.

The script would display the IP addresses assigned to the created network interfaces. Note it down.

Finally, it will say that running the firmware. Hit ENTER and wait until the firmware boots up. Ping the IP which was shown in the previous step, or open in the browser.

Congrats! The firmware is finally emulated. The next step will be to setup the proxy in Firefox and run mitmproxy.

To remove all analyzed firmware images, run

$ python reset.py

Example Run