Breaking Bits
  • What this gitbook is
  • Vulnerability Discovery
    • Reverse Engineering
      • Modern Vulnerability Research Techniques on Embedded Systems
      • Remote Dynamic Blackbox Java App Analysis
    • Emulation
      • QEMU Usermode Tracing
      • Building QEMU on Ubuntu
    • Fuzzing with AFL
    • Automated Vulnerability Discovery
      • Buffer Overflows
      • Analyzing Functions
    • Automatic Exploit Generation
      • Automatic Rop Chain Generation
  • CTF
  • Battelle Shmoocon 2024
    • Time Jump Planner
  • Spaceheros CTF 2022
    • RE: Shai-Hulud
  • UMDCTF 2020
    • UMDCTF 2020: Evil Santa's Mysterious Box of Treats
  • UMDCTF 2022
    • Tracestory
  • Spaceheroes CTF 2023
    • Everything-is-wrong
  • US CyberGames RE-Cruise 4
  • Firmware Emulator
  • Interactive Firmware Emulator Usage
  • Recreating CVE-2015-1187 in the DIR-820L
  • Exploit Development
    • Linux kernel exploit development
      • Setup
      • Interacting with Kernel Modules
      • Kernel stack cookies
      • Kernel Address Space Layout Randomization (KALSR)
      • Supervisor mode execution protection (SMEP)
      • Kernel page table isolation (KPTI)
      • Supervisor Mode Access Prevention (SMAP)
Powered by GitBook
On this page
  • Running Firmware Emulator
  • add_file
  • add_network
  • del_file
  • export
  • force_network
  • force_tty_login
  • info
  • make_image
  • mount
  • remove_root_password
  • run
  • setup_network
  • unmount

Was this helpful?

Interactive Firmware Emulator Usage

PreviousUS CyberGames RE-Cruise 4NextRecreating CVE-2015-1187 in the DIR-820L

Last updated 3 years ago

Was this helpful?

Running Firmware Emulator

The interactive firmware emulator is built using and provide a CLI to interact with a firmware while attempting to emulate it. This page breaks down each of the commands offered by the CLI. 

$ python fw_emulator.py
______ _                                      
|  ___(_)                                     
| |_   _ _ __ _ __ _____      ____ _ _ __ ___ 
|  _| | | '__| '_ ` _ \ \ /\ / / _` | '__/ _ \
| |   | | |  | | | | | \ V  V / (_| | | |  __/
\_|   |_|_|  |_| |_| |_|\_/\_/ \__,_|_|  \___|
                                              
                                              
 _____                _       _               
|  ___|              | |     | |              
| |__ _ __ ___  _   _| | __ _| |_ ___  _ __   
|  __| '_ ` _ \| | | | |/ _` | __/ _ \| '__|  
| |__| | | | | | |_| | | (_| | || (_) | |     
\____/_| |_| |_|\__,_|_|\__,_|\__\___/|_|     


emu:~$

add_file

The add_file command will copy a file from the host to the built image's file system.

Parameter

Description

local_file

Path to file on the host to copy

remote_file

Path in firmware to place file

Example

emu:~$ add_file README.md /README.md
[+] loop device at /dev/mapper/loop22p1
loop deleted : /dev/loop22
[+] Added file

add_network

The add_network command will attempt to create a tap adapter at run time connecting the device ip address and host ip address under the name interface.

Parameter

Description

device_ip

Device IP address to use

host_ip

Host IP address to use

iface_dev

Name of adapter to use

Example

emu:~$ add_network 192.168.0.253 192.168.0.254 tap_8
DEBUG:root:Adding 192.168.0.253 192.168.0.254 tap_8
[+] Successfully added network information

del_file

The del_file command will delete a file inside of the firmware image given the file path.

Parameter

Description

file_path

Path to file in firmware to delete

Example

emu:~$ del_file /README.md
DEBUG:root:Deleting file /README.md
[+] loop device at /dev/mapper/loop22p1
/tmp/tmp499bjsa4/file_system/README.md
loop deleted : /dev/loop22
[+] Removed file

export

The export command will export the given emulator with dependencies into a provided folder with. This includes a runner.sh file which can run the emulator, the kernel that was to emulate it, and the emulator image.

Parameter

Description

location

Path to export folder

Example

emu:~$ export test_image/
# Outside the emulator
$ ls test_image/
image.raw  runner.sh  vmlinux.mips

force_network

The force_network command will attempt to force the router image to network with the host during boot by adding an additional forcenetworking script to run at boot.

Parameter

Description

None

emu:~$ force_network
[+] loop device at /dev/mapper/loop25p1
loop deleted : /dev/loop25
[+] loop device at /dev/mapper/loop25p1
loop deleted : /dev/loop25
[+] Files changed, ready to setup network

force_tty_login

The force_tty login command will attempt to force the router image to drop to /bin/sh instead a general login binary in the inittab.

Parameter

Description

None

emu:~$ force_tty_login
DEBUG:root:Replacing default ttyS0 program to /bin/sh
[+] loop device at /dev/mapper/loop28p1
loop deleted : /dev/loop28
[+] Successfully replaced tty login with /bin/sh

info

The info command will list out some information about the currently loaded image being emulated.

Parameter

Description

None

emu:~$ info
[+] Image Arch    : mips
[+] Image Endi    : Iend_BE
[+] Image Path    : /tmp/tmptw5a2mdy/image.raw
[+] Image IP ADDR : ['192.168.0.253']
[+] Image Kernel  : /home/chris/projects/firmware_emulator/binaries/vmlinux.mips

make_image

The make_image command will take a given firmware image, run an extractor on it, look for a root file system, identify the architecture of the firmware, and prepare initial emulator configurations.

Note, this command may ask for your sudo password to mount the image.

Parameter

Description

firmware_path

A path to the firmware to make an image out of.

emu:~$ make_image WNAP320.zip
INFO:root:Using firmadyne extractor

/home/chris/projects/firmware_emulator/WNAP320.zip
>> MD5: 51eddc7046d77a752ca4b39fbda50aff
>> Tag: WNAP320.zip_51eddc7046d77a752ca4b39fbda50aff
>> Temp: /tmp/tmpz7vwg79o
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False,                 Do_Rootfs: True
>>>> Zip archive data, at least v2.0 to extract, compressed size: 1197, uncompressed size: 2667, name: ReleaseNotes_WNAP320_fw_2.0.3.HTML
>> Recursing into archive ...
...SNIP...
Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

Warning: Recreating device nodes!
Removing /etc/scripts/sys_resetbutton!
loop deleted : /dev/loop28
[+] Image created!

mount

The mount command will mount the active image and provide a path to the temporary mount location. The file system can be unmount using the unmount command.

Changes made to the mounted file system will persist into the image.

Parameter

Description

None

emu:~$ mount
[+] loop device at /dev/mapper/loop28p1
[+] Successfully mounted at /tmp/tmpijag8vt0/file_system

remove_root_password

The remove_root_password command will attempt to remove the root password hidden in the /etc/passwd or /etc/shadow file.

Parameter

Description

None

emu:~$ remove_root_passwd
DEBUG:root:Removing root passwd from shadow and passwd
[+] loop device at /dev/mapper/loop30p1
loop deleted : /dev/loop30
[+] Removed root passwd

run

The run command will run the current emulator image and if any networking is configured, run the networking commands as well.

To exit the emulator Ctrl+a, x

Parameter

Description

None

emu:~$ run
DEBUG:root:Press Ctrl+a then x to exit
DEBUG:root:sudo QEMU_AUDIO_DRV=none qemu-system-mips -M malta -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net socket,vlan=0,listen=:2001 -net nic,vlan=2 -net socket,vlan=0,listen=:2002 -net nic,vlan=3 -net socket,vlan=0,listen=:2003 -kernel /home/chris/projects/firmware_emulator/binaries/vmlinux.mips -drive if=ide,format=raw,file=/tmp/tmpxs8clt64/image.raw -append "firmadyne.syscall=0 root=/dev/sda1 console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1" -m 1024 -nographic 
Ctrl A + X to leave
...Emulator TTY here...

setup_network

The setup_network command will run the firmware image and monitor for the router's attempt to network itself. On successful identification this information is captured and transferred to the image's networking config and will be used on future runs. It will run for 60 seconds.

Parameter

Description

None

emu:~$ setup_network
DEBUG:root:Getting network information
DEBUG:root:Getting serial from 60 second run
DEBUG:root:['qemu-system-mips', '-M', 'malta', '-net', 'nic,vlan=0', '-net', 'socket,vlan=0,listen=:2000', '-net', 'nic,vlan=1', '-net', 'socket,vlan=0,listen=:2001', '-net', 'nic,vlan=2', '-net', 'socket,vlan=0,listen=:2002', '-net', 'nic,vlan=3', '-net', 'socket,vlan=0,listen=:2003', '-kernel', '/home/chris/projects/firmware_emulator/binaries/vmlinux.mips', '-drive', 'if=ide,format=raw,file=/tmp/tmpxs8clt64/image.raw', '-append', 'firmadyne.syscall=1 root=/dev/sda1 console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1', '-m', '1024', '-serial', 'file:/tmp/tmpxs8clt64/qemu.initial.serial.log', '-serial', 'unix:/tmp/tmpxs8clt64/serial.S1,server,nowait', '-monitor', 'unix:/tmp/tmpxs8clt64/monitor,server,nowait', '-display', 'none']
qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead.
qemu-system-mips: warning: vlan 3 is not connected to host network
qemu-system-mips: warning: vlan 2 is not connected to host network
qemu-system-mips: warning: vlan 1 is not connected to host network
DEBUG:root:done
[{'ip': '192.168.0.100', 'host_ip': '192.168.0.99', 'dev': 'eth0', 'vlan': None, 'mac': None, 'tap_dev': 'tap_0', 'host_net_dev': 'tap_0'}]
[+] Network is accessible!

unmount

The unmount command will unmount the active image

Changes made to the mounted file system will persist into the image.

Parameter

Description

None

emu:~$ unmount
loop deleted : /dev/loop30

Riposte
https://github.com/ChrisTheCoolHut/firmware_emulator