Firmware Static Analysis part1-Getting Familiar with tools

Hello everyone! As we all know, technology is constantly evolving, and compared to the old days, current firmware has become more complex, making it challenging to identify vulnerabilities. During our learning process, we discovered some cool and latest tools, along with simple tricks, to better understand firmware static analysis concepts. We are excited to share these insights in this article.

Firmware Intro:

Firmware is a type of software that is embedded in hardware devices to control their specific functionality. It is responsible for managing the hardware and providing the necessary instructions for the device to operate. Unlike general-purpose software that can be easily updated, firmware is typically stored in non-volatile memory and is more closely tied to the hardware it controls.

Firmware Static Analysis vs. Dynamic Analysis:

Static Analysis:

- Definition: Static analysis involves examining the firmware without executing it. It focuses on the code itself, looking for vulnerabilities, potential security issues, or understanding the logic of the firmware.

- Techniques: Static analysis techniques include code review, reverse engineering, and the use of static analysis tools. Analyzing the firmware's binary code or disassembled code can reveal insights into its behavior and potential security weaknesses.

- Vulnerabilities: These can include command injection, sensitive information and hardcoded data, private keys, debug symbols from binaries.

- Advantages: It can uncover vulnerabilities without executing the code, making it less risky. It provides a comprehensive view of the code structure. It is best to do static analysis as a part of the development stage of a product to decrease vulnerability exposure.

Dynamic Analysis:

- Definition: Dynamic analysis involves executing the firmware and observing its behavior in a controlled environment. This helps understand how the firmware responds to different inputs, interactions, and runtime conditions.

- Techniques: Dynamic analysis techniques include debugging, emulation, and monitoring the firmware's runtime behavior. Tools such as debuggers and emulators can be used to analyze the firmware during execution.

- Advantages: It allows for real-time observation of the firmware's behavior, helping identify runtime issues, interactions with external components, and potential security vulnerabilities.

Static Analysis Tools - Hands on:

1. Get Firmware Images:

- `Obtain the firmware images for analysis.`

• Download from Vendor Website: The easiest method is often to download firmware directly from the manufacturer's official website.
• Dump from Hardware: Extract firmware directly from the hardware device, if feasible.
• Open Source Intelligence (OSINT): Utilize OSINT techniques to find firmware, especially for older or less common devices.
• Online Firmware Repositories: Some websites host a collection of firmware files. For example, Firmware Center provides openly downloadable firmware for a variety of devices.

2. Firmware Extraction:

- `Use tools to extract the firmware contents. Common tools include:`

• Binwalk: For automated extraction and analysis of firmware images.
• unblob: A tool for extracting blobs from any kind of binary files or streams.
• Firmware Mod Kit (FMK): Useful for unpacking and modifying firmware.
• dd: A command-line tool for converting and copying files, often used for image extraction.
• Unsquashfs: For extracting squashfs filesystems, commonly found in firmware.
• unblob: A tool for extracting blobs from any kind of binary files or streams.

Target firmware we using OWASP IoT Goat

Source = About IoTGoat is a deliberately insecure firmware

• Binwalk:

• binwalk has ability to scan firmware and extracting also , this is legendary tool and still useful for modern firwmare extracting purpose also.

• Source = Binwalk Firmware Analysis Tool , [fixed dependencies]

• Generic scan

  binwalk -Bv firmware.bin
  binwalk -Bv firmware.bin | grep <word> - Filter by keyword's

• Identifying Endian and Architecture

  binwalk -Y <firmware>

• Extracting firmware

  binwalk -Mre <firmware>

• unblob:

• A tool for extracting blobs from any kind of binary files or streams.

• Installing and Usage

python3 -m pip install --user unblob

unblob -vvv  <firmware.bin>

• dd:
• A command-line tool for converting and copying files, often used for image extraction.

dd if=<input_file> of=<output_file> bs=1 skip=<offset> count=<size>

example , offset data you will get binwalk scan on firmware
dd if=firmware.bin of=extracted_segment.bin bs=1 skip=1024 count=2048

Where:

`if=<input_file>: Specifies the input file (e.g., the firmware file).`
`of=<output_file>: Specifies the output file for the extracted segment.`
`bs=1: Sets the block size to 1 byte for precise control.`
`skip=<offset>: Skips to the offset in bytes where the segment starts.`
`count=<size>: The number of bytes to copy (size of the segment).`

Rest of the tools do little R&D on your own

3. Analyze File System Structure

What it Entails:

• Identifying Sensitive Data: Searching for confidential information like user credentials, encryption keys, or personal data.
• Finding Interesting Binaries:Locating executables or scripts that might have security implications.
• here we use tool name called firmwalker_pro : Firmwalker_Pro

Example:

• Using tools like "tree" or "ls -R" on a Linux file system to visualize the structure.
• Using "find" command to locate files with certain extensions or properties (e.g.,find / -name “*.bin”).

4. Decompile Binaries

What it Entails:

• Extracting C Code: Using decompilers to convert binary code back into a higher-level language like C for easier analysis.

Example:

• Using tools like Ghidra or IDA Pro which can take a compiled binary and attempt to recreate the source code.

Download files from here , we haven't explored v5.0 yet, suggesting for now v4.0

https://github.com/avast/retdec/releases/tag/v4.0

for ubuntu users

wget https://github.com/avast/retdec/releases/download/v4.0/retdec-v4.0-ubuntu-64b.tar.xz

# tar -xvf retdec-v4.0-ubuntu-64b.tar.xz

# cd retdec/bin

# ./retdec-decompiler.py <binary>

5. Binary Analysis

What it Entails:

• Disassembling Tools: Breaking down executable binaries into assembly code to understand the low-level operations.

Example:

• Tools like Radare2 or Hopper can be used to disassemble binaries and analyze them at the assembly level.

6. Code Review

What it Entails:

• Manual Review: Examining the code line-by-line to spot vulnerabilities or bad practices.
• Static Analysis: Using tools to automatically detect issues in the code.

Example:

• Manual review might involve looking for common issues like buffer overflows or SQL injection vulnerabilities.
• Tools like SonarQube or Fortify can perform static code analysis.

7. Analyze Configuration and Script Files

What it Entails:

• Insecure Settings: Checking for settings that might make the system vulnerable.
• Bad Practices: Identifying practices like hard-coded passwords or open ports that shouldn't be.

Example:

• Inspecting configuration files for weak encryption settings or examining scripts for hard-coded credentials.

8. Search for Embedded Keys and Credentials

What it Entails:

• Strings and Grep: Using these tools to search through binaries and files for embedded credentials or keys.

Example:

• Running strings on a binary and piping the output to ``grep to search for patterns that look like keys or passwords (e.g., strings binary | grep 'password').

9. Check for Known Vulnerabilities

What it Entails:

• Vulnerability Databases: Comparing the system against known vulnerabilities.
• Tools Like FACT and EMBA: Using automated tools to assist in this process.

Example:

• FACT (Firmware Analysis and Comparison Tool) can be used to analyze firmware for known vulnerabilities.

• EMBA (Embedded Analyzer) focuses on Linux-based firmware and can check for a wide range of known issues.

  Read our following blog : []