search

🎮Dynamic Analysis with Emulation

hashtag
FirmAE

The FirmAE3 tool extends the capability of FIRMADYNE4 to allow for the emulation of more firmware by using various arbitrations for services and the QEMU hypervisor. The focus of the arbitrations is to allow the running of web services, as that is a common attack vector. The beauty of this approach is that you do not have to buy the hardware to test the firmware. This powerful approach allows for scaled testing in parallel. The authors of FirmAE had a success rate of 79.36 percent on 1,124 devices and found 12 new 0-days, 5 which is not bad at all.

hashtag
Setting Up FirmAE

hashtag
Install Packages

sudo apt install build-essential git telnet

hashtag
Install FirmAE

git clone https://github.com/pr0v3rbs/FirmAE.git

cd FirmAE

./download.sh

./install.sh

./init.sh

hashtag
Emulating Firmware

First, using the run.sh script, check any firmware . This step will extract the image, get the architecture, infer the network config, and associate an ID in the database for the analysis (this may take a while, so be patient):

hashtag
Run the Emulator with Debugging Enabled

hashtag
Reset the Database and Environment

At this point, the firmware should be running on the preceding IP as a tap device. You should also be able to connect to this virtual interface from the machine on which you are running QEMU. From within the VM, open a web browser and try to connect to the inferred IP, as shown next. You may need to wait a minute for the web service to fully start after the emulator launches the firmware.

Screenshot

hashtag
REFERENCES

PreviousExploiting Embedded DevicesNextFirmware Analysis

Last updated