Table of Contents

• Introduction
• Setup
  • Binaries
• Usage
• Database
  • Schema
• Analyses

Introduction

Firmanal is an automated firmware analysis tool based on Firmadyne, and it currently only works on Arch Linux.

Setup

After cloning this repository, edit the MAIN_DIR variable in the configure.sh. Then execute the setup.sh, which will set up the environment.

./scripts/setup.sh

Binaries

All pre-built binaries (console, libnvram, kernels) have been included in this repository.

You may, if you want, compile those binaries by yourself using the ./scripts/compile_bin.sh.

Usage

1. Set MAIN_DIR in configure.sh to point to the root of this repository.
2. Download a firmware image, e.g. v2.0.3 for Netgear WNAP320.
   • wget http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip
3. Use the extractor to recover only the filesystem, no kernel (-nk), no parallel operation (-np), populating the image table in the SQL server at 127.0.0.1 (-sql) with the Netgear brand (-b), and storing the tarball in images.
   • ./scripts/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images
4. Load the contents of the filesystem for firmware 1 into the database, populating the object and object_to_image tables.
   • ./db/import.py -i 1 -f ./images/1.tar.gz
5. Create the QEMU disk image for firmware 1.
   • sudo ./qemu/scripts/makeImage.sh 1
6. Infer the network configuration for firmware 1. Kernel messages are logged to ./qemu/vm/1/qemu.initial.serial.log.
   • ./qemu/scripts/inferNetwork.sh 1
7. Emulate firmware 1 with the inferred network configuration. This will modify the configuration of the host system by creating a TAP device and adding a route. Use Ctrl-a + x to terminate the guest.
   • ./qemu/vm/1/run.sh
8. The system should be available over the network, and is ready for analysis. Kernel messages are logged to ./qemu/vm/1/qemu.final.serial.log.
   • ./anal/dynamic/snmpwalk.sh 192.168.0.100
   • ./anal/dynamic/webAccess.py 1 192.168.0.100 log.txt
   • mkdir exploits && ./anal/metasploit/runExploits.py -t 192.168.0.100 -o exploits -e all (requires Metasploit Framework)
   • sudo nmap -O -sV 192.168.0.100
9. The following scripts can be used to mount/unmount the filesystem of firmware 1. Ensure that the emulated firmware is not running, and remember to unmount before performing any other operations.
   • sudo ./qemu/scripts/mount.sh 1
   • sudo ./qemu/scripts/umount.sh 1
10. To delete the firmware, use the delete.sh.

• ./scripts/delete.sh 1

Database

During development, the database was stored on a PostgreSQL server.

Schema

Below are descriptions of tables in the schema.

• brand: Stores brand names for each vendor.

• image: Stores information about each firmware image.

• object: Stores information about each file in a filesystem.

• object_to_image: Maps unique files to their firmware images.

• product

Analyses

(TODO)