FirmPin

A tool for simulation, dynamic analysis and fuzzing of IoT firmware.

It combines TriforceAFL, firmadyne and DECAF.

It is a Pintool-like framework that provides instrumentation at the basic-block, system-call and memory-access levels for both user-level and kernel-level programs.

Build

Tested on Ubuntu 16.04.

DECAF: it is included in the qemu_mode/qemu dir. In our case, run there:

	./configure --target-list=mipsel-softmmu
	make

Firmadyne: we use its custom kernel and libnvram to emulate IoT firmware.

	cd firmadyne
	See the README in firmadyne and do as it says. (NOTICE: FIRMWARE_DIR must be set in firmadyne.config.)
	Here, we test DIR-815_FIRMWARE_1.01.ZIP, a router firmware image for the mipsel CPU architecture.
	Run "../qemu_mode/qemu/qemu-img convert -f raw -O qcow2 ./scratch/2/image.raw ./scratch/2/image.qcow2"
	Finally, replace the run.sh in scratch/(num)/ with our modified one (in the firmadyne_dev dir).

TriforceAFL: AFL fuzzing with full-system emulation.

	Run make

Usage:

	cd firmadyne
	Run ./scratch/(num)/run.sh
	In another terminal, run 'telnet 127.0.0.1 4444' to enter the qemu monitor console.
	FirmFuzzer plugin:
		load_plugin ../qemu_mode/qemu/plugins/callbacktests/callbacktests.so
		do_callbacktests httpd
		do_callbacktests hedwig.cgi
		When firmware system initialization has completed and the poll system call is executed,
		open a browser and request "192.168.0.1/hedwig.cgi" in the URL bar;
		the fuzzing process will then start.
	MalScalpel plugin:
		load_plugin ../qemu_mode/qemu/plugins/unpacker/unpacker.so
		trace_by_name mirai.mpsl
		Then telnet into the emulated system ("telnet 192.168.0.1") with username "Alphanetworks" and password "wrgnd08_dlob_dir815".
		Run "/FILE_LOAD/mirai.mpsl" and the plugin works.
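The monitor steps above are typed into an interactive telnet session. The script below is an added example, not part of the FirmPin project, that drives the same QEMU monitor (host 127.0.0.1, port 4444, as in run.sh) from a shell script: it generates the exact load_plugin / do_callbacktests / trace_by_name commands listed above for a chosen plugin, waits until the monitor port actually accepts connections (run.sh needs time to boot the firmware, so sending commands at once fails), and then sends them. The FIRMPIN_DRIVE guard, the function names and the use of bash's /dev/tcp and coreutils timeout are assumptions of this example; the plugin paths, command names and targets are the README's own. The browser request to 192.168.0.1/hedwig.cgi and the telnet login to the emulated system remain manual steps.

```shell
#!/bin/sh
# Added example (not FirmPin project code): script the QEMU monitor commands
# from the README instead of typing them into telnet. Host/port are run.sh's
# monitor defaults from the README; plugin paths and targets are the README's.

MON_HOST="${MON_HOST:-127.0.0.1}"
MON_PORT="${MON_PORT:-4444}"

# Print the monitor command sequence for one plugin, one command per line.
# $1 is the plugin (callbacktests = FirmFuzzer, unpacker = MalScalpel);
# the remaining arguments are the targets passed to that plugin's command.
monitor_commands() {
    plugin="$1"; shift
    case "$plugin" in
        callbacktests)
            printf 'load_plugin ../qemu_mode/qemu/plugins/callbacktests/callbacktests.so\n'
            for target in "$@"; do
                printf 'do_callbacktests %s\n' "$target"
            done ;;
        unpacker)
            printf 'load_plugin ../qemu_mode/qemu/plugins/unpacker/unpacker.so\n'
            for target in "$@"; do
                printf 'trace_by_name %s\n' "$target"
            done ;;
        *)
            printf 'unknown plugin: %s (expected callbacktests or unpacker)\n' "$plugin" >&2
            return 2 ;;
    esac
}

# Poll until the monitor accepts a TCP connection or $3 seconds have passed.
# Returns 0 when reachable, 1 on timeout. The connect attempt runs in a
# subshell so a failed redirection never aborts the calling shell; on a shell
# without /dev/tcp (assumption: bash provides it) it simply reports unreachable.
wait_for_monitor() {
    host="$1"; port="$2"; limit="${3:-60}"
    elapsed=0
    while [ "$elapsed" -lt "$limit" ]; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Send the generated commands to the monitor and echo its replies, so the
# operator can confirm that load_plugin was accepted before touching the
# firmware. Runs as a subshell for the same reason as above.
send_to_monitor() (
    host="$1"; port="$2"; shift 2
    cmds="$(monitor_commands "$@")" || exit $?
    exec 3<>"/dev/tcp/$host/$port" || exit 1
    printf '%s\n' "$cmds" >&3
    sleep 1
    # read whatever the monitor answered; assumption: coreutils timeout exists
    timeout 2 cat <&3 || true
    exec 3<&-
)

# Usage (the guard keeps the functions side-effect free when sourced):
#   FIRMPIN_DRIVE=1 sh firmpin_monitor.sh callbacktests httpd hedwig.cgi
#   FIRMPIN_DRIVE=1 sh firmpin_monitor.sh unpacker mirai.mpsl
if [ "${FIRMPIN_DRIVE:-}" = "1" ]; then
    if ! wait_for_monitor "$MON_HOST" "$MON_PORT" 120; then
        echo "qemu monitor at $MON_HOST:$MON_PORT not reachable; is run.sh running?" >&2
        exit 1
    fi
    send_to_monitor "$MON_HOST" "$MON_PORT" "$@"
fi
```

Run it from the firmadyne directory (the plugin paths are relative to where run.sh was started, exactly as in the manual steps) after launching ./scratch/(num)/run.sh in another terminal; the 120-second wait covers the firmware boot, and a clear error is printed if the monitor never comes up.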

Plugin Development

Please see the wiki for details.