The interactive firmware emulator is built using Riposte and provide a CLI to interact with a firmware while attempting to emulate it. This page breaks down each of the commands offered by the CLI.
The add_network command will attempt to create a tap adapter at run time connecting the device ip address and host ip address under the name interface.
The export command will export the given emulator with dependencies into a provided folder with. This includes a runner.sh file which can run the emulator, the kernel that was to emulate it, and the emulator image.
Parameter
Description
location
Path to export folder
Example
emu:~$ export test_image/
# Outside the emulator
$ ls test_image/
image.raw runner.sh vmlinux.mips
force_network
The force_network command will attempt to force the router image to network with the host during boot by adding an additional forcenetworking script to run at boot.
Parameter
Description
None
emu:~$ force_network
[+] loop device at /dev/mapper/loop25p1
loop deleted : /dev/loop25
[+] loop device at /dev/mapper/loop25p1
loop deleted : /dev/loop25
[+] Files changed, ready to setup network
force_tty_login
The force_tty login command will attempt to force the router image to drop to /bin/sh instead a general login binary in the inittab.
Parameter
Description
None
emu:~$ force_tty_login
DEBUG:root:Replacing default ttyS0 program to /bin/sh
[+] loop device at /dev/mapper/loop28p1
loop deleted : /dev/loop28
[+] Successfully replaced tty login with /bin/sh
info
The info command will list out some information about the currently loaded image being emulated.
Parameter
Description
None
emu:~$ info
[+] Image Arch : mips
[+] Image Endi : Iend_BE
[+] Image Path : /tmp/tmptw5a2mdy/image.raw
[+] Image IP ADDR : ['192.168.0.253']
[+] Image Kernel : /home/chris/projects/firmware_emulator/binaries/vmlinux.mips
make_image
The make_image command will take a given firmware image, run an extractor on it, look for a root file system, identify the architecture of the firmware, and prepare initial emulator configurations.
Note, this command may ask for your sudo password to mount the image.
The mount command will mount the active image and provide a path to the temporary mount location. The file system can be unmount using the unmount command.
Changes made to the mounted file system will persist into the image.
Parameter
Description
None
emu:~$ mount
[+] loop device at /dev/mapper/loop28p1
[+] Successfully mounted at /tmp/tmpijag8vt0/file_system
remove_root_password
The remove_root_password command will attempt to remove the root password hidden in the /etc/passwd or /etc/shadow file.
Parameter
Description
None
emu:~$ remove_root_passwd
DEBUG:root:Removing root passwd from shadow and passwd
[+] loop device at /dev/mapper/loop30p1
loop deleted : /dev/loop30
[+] Removed root passwd
run
The run command will run the current emulator image and if any networking is configured, run the networking commands as well.
To exit the emulator Ctrl+a, x
Parameter
Description
None
emu:~$ run
DEBUG:root:Press Ctrl+a then x to exit
DEBUG:root:sudo QEMU_AUDIO_DRV=none qemu-system-mips -M malta -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=0,listen=:2001 -net nic,vlan=2 -net socket,vlan=0,listen=:2002 -net nic,vlan=3 -net socket,vlan=0,listen=:2003 -kernel /home/chris/projects/firmware_emulator/binaries/vmlinux.mips -drive if=ide,format=raw,file=/tmp/tmpxs8clt64/image.raw -append "firmadyne.syscall=0 root=/dev/sda1 console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1" -m 1024 -nographic
Ctrl A + X to leave
...Emulator TTY here...
setup_network
The setup_network command will run the firmware image and monitor for the router's attempt to network itself. On successful identification this information is captured and transferred to the image's networking config and will be used on future runs. It will run for 60 seconds.
Parameter
Description
None
emu:~$ setup_network
DEBUG:root:Getting network information
DEBUG:root:Getting serial from 60 second run
DEBUG:root:['qemu-system-mips', '-M', 'malta', '-net', 'nic,vlan=0', '-net', 'socket,vlan=0,listen=:2000', '-net', 'nic,vlan=1', '-net', 'socket,vlan=0,listen=:2001', '-net', 'nic,vlan=2', '-net', 'socket,vlan=0,listen=:2002', '-net', 'nic,vlan=3', '-net', 'socket,vlan=0,listen=:2003', '-kernel', '/home/chris/projects/firmware_emulator/binaries/vmlinux.mips', '-drive', 'if=ide,format=raw,file=/tmp/tmpxs8clt64/image.raw', '-append', 'firmadyne.syscall=1 root=/dev/sda1 console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1', '-m', '1024', '-serial', 'file:/tmp/tmpxs8clt64/qemu.initial.serial.log', '-serial', 'unix:/tmp/tmpxs8clt64/serial.S1,server,nowait', '-monitor', 'unix:/tmp/tmpxs8clt64/monitor,server,nowait', '-display', 'none']
qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead.
qemu-system-mips: warning: vlan 3 is not connected to host network
qemu-system-mips: warning: vlan 2 is not connected to host network
qemu-system-mips: warning: vlan 1 is not connected to host network
DEBUG:root:done
[{'ip': '192.168.0.100', 'host_ip': '192.168.0.99', 'dev': 'eth0', 'vlan': None, 'mac': None, 'tap_dev': 'tap_0', 'host_net_dev': 'tap_0'}]
[+] Network is accessible!
unmount
The unmount command will unmount the active image
Changes made to the mounted file system will persist into the image.
