Categories: Kali Linux

BootStomp – A Bootloader Vulnerability Bug Finder

BootStomp is a tool to boot-loader vulnerability bug finder. It will look different for two different class of bugs: memory corruption and state storage vulnerabilities. BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions.

Requirements

  • angr
$ pip install angr
  • IDA PRO
  • IDA Decompiler

Run BootStomp manually

Automatic detection of taint sources and sinks

  1. Load the boot-loader binary in IDA (we used v6.95). Depending on the CPU architecture of the phone it has been extracted from, 32 bit or 64 bit IDA is needed.
  2. From the menu-bar, run File => Script file => find_taint.py
  3. Output will appear in the file taint_source_sink.txt under the same directory as the boot-loader itself.

Also Read Trape – Learn To Track The World & To Avoid Being Traced

Configuration File

Create a JSON configuration file for the boot-loader binary (see examples in config/), where:

  1. bootloader: boot-loader file path
  2. info_path: boot-loader source/sink info file path (i.e., taint_source_sink.txt )
  3. arch: architecture’s number of bits (available options are 32 and 64)
  4. enable_thumb: consider thumb mode (when needed) during the analysis
  5. start_with_thumb: starts the analysis with thumb mode enabled
  6. exit_on_dec_error: stop the analysis if some instructions cannot be decoded
  7. unlock_addr: unlocking function address. This field is necessary only for finding insecure state storage vulnerabilities.

Finding memory corruption vulnerabilities

Run

python bootloadertaint.py config-file-path

Results will be stored in /tmp/BootloaderTaint_[boot-loader].out, where [boot-loader] is the name of the analyzed boot-loader. Note that paths involving loops might appear more than once.

Finding insecure state storage vulnerability

Run

python unlock_checker.py config-file-path

Results will be stored in /tmp/UnlockChecker_[boot-loader].out, where [boot-loader] is the name of the analyzed boot-loader. Note that paths involving loops might appear more than once.

Checking Results

To check BootStomp results, use the script result_pretty_print.py, as follows:

python result_pretty_print.py results_file

Run BootStomp using docker

Easiest way to use BootStomp is to run it in a docker container. The folder docker contains an appropriate Dockerfile. These are the commands to use it.

cd docker
# build the docker image
docker build -t bootstomp .
# run the docker image (if you need, use proper options to have persistent changes or shared files)
docker run -it bootstomp

# now you are inside a docker container
cd BootStomp
# run BootStomp's taint analysis on one of the examples
# this will take about 30 minutes
python taint_analysis/bootloadertaint.py config/config.huawei
# the last line of the output will be something like:
# INFO    | 2017-10-14 01:54:10,617 | _CoreTaint | Results in /tmp/BootloaderTaint_fastboot.img_.out

# you can then "pretty print" the results using:
python taint_analysis/result_pretty_print.py /tmp/BootloaderTaint_fastboot.img_.out

The output should be something like this:

...
17)
===================== Start Info path =====================
Dereference address at: 0x5319cL
Reason: at location 0x5319cL a tainted variable is dereferenced and used as address.
...
Tainted Path 
----------------
0x52f3cL -> 0x52f78L -> 0x52f8cL -> 0x52fb8L -> 0x52fc8L -> 0x52fecL -> 0x53000L -> 0x53014L -> 0x5301cL -> 0x53030L -> 0x53044L -> 0x53050L -> 0x5305cL -> 0x53068L
===================== End Info path =====================
# Total sinks related alerts: 5
# Total loop related alerts: 8
# Total dereference related alerts: 4

R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

22 hours ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

22 hours ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

22 hours ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

23 hours ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

23 hours ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

23 hours ago