firmware-analysis-toolkit's People

Contributors

adi0x90, ddorando, decidedlygray, extremecoders-re, liberatorqjw, mihaipopescu

firmware-analysis-toolkit's Issues

Error running fat.py with Netgear R9000 firmware

I followed all of the instructions in the README. FIRMWARE_DIR is set to the proper location (in my case that is at /home/test/firmadyne/). I also copied fat.py and reset.py into the firmadyne directory.
python fat.py /home/test/R9000-V1.0.4.12.img


                               __           _
                              / _|         | |
                             | |_    __ _  | |_
                             |  _|  / _` | | __|
                             | |   | (_| | | |_
                             |_|    \__,_|  \__|

                Welcome to the Firmware Analysis Toolkit - v0.2
    Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
                  By Attify - https://attify.com  | @attifyme

[?] Enter the name or absolute path of the firmware you want to analyse : /home/test/R9000-V1.0.4.12.img
[?] Enter the brand of the firmware : netgear
[+] Now going to extract the firmware. Hold on..
[+] Firmware : /home/test/R9000-V1.0.4.12.img
[+] Brand : netgear
[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : armel
[+] Storing filesystem in database
[+] Building QEMU disk image
Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 116, in main
    make_image(arch, image_id)
  File "fat.py", line 82, in make_image
    child.expect(pexpect.EOF)
  File "/home/test/.local/lib/python2.7/site-packages/pexpect/spawnbase.py", line 341, in expect
    timeout, searchwindowsize, async_)
  File "/home/test/.local/lib/python2.7/site-packages/pexpect/spawnbase.py", line 369, in expect_list
    return exp.expect_loop(timeout)
  File "/home/test/.local/lib/python2.7/site-packages/pexpect/expect.py", line 119, in expect_loop
    return self.timeout(e)
  File "/home/test/.local/lib/python2.7/site-packages/pexpect/expect.py", line 82, in timeout
    raise TIMEOUT(msg)
pexpect.exceptions.TIMEOUT: Timeout exceeded.
<pexpect.pty_spawn.spawn object at 0x7f80968bf650>
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/home/test/firmadyne/scripts/makeImage.sh', '1', 'armel']
buffer (last 100 chars): '[sudo] password for test: \r\nSorry, try again.\r\n[sudo] password for test: '
before (last 100 chars): '[sudo] password for test: \r\nSorry, try again.\r\n[sudo] password for test: '
after: <class 'pexpect.exceptions.TIMEOUT'>
match: None
match_index: None
exitstatus: None
flag_eof: False
pid: 17515
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
    0: EOF

Can't find 1.tar.gz

When I use fat.py, it shows:

root@ubuntu:/home/oit/firmware-analysis-toolkit/firmadyne# python fat.py

                               __           _   
                              / _|         | |  
                             | |_    __ _  | |_ 
                             |  _|  / _` | | __|
                             | |   | (_| | | |_ 
                             |_|    \__,_|  \__|                    
                    
                Welcome to the Firmware Analysis Toolkit - v0.2
    Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
                  By Attify - https://attify.com  | @attifyme
    
[?] Enter the name or absolute path of the firmware you want to analyse : 0.bin
[?] Enter the brand of the firmware : Linksys
[+] Now going to extract the firmware. Hold on..
[+] Firmware : 0.bin
[+] Brand : Linksys
[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : ./images/1.tar.gz: Cannot open: No such file or directory
Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 114, in main
    arch = identify_arch(image_id)        
  File "fat.py", line 62, in identify_arch
    child.expect("Password for user firmadyne: ")    
  File "/usr/lib/python2.7/dist-packages/pexpect/__init__.py", line 1418, in expect
    timeout, searchwindowsize)
  File "/usr/lib/python2.7/dist-packages/pexpect/__init__.py", line 1433, in expect_list
    timeout, searchwindowsize)
  File "/usr/lib/python2.7/dist-packages/pexpect/__init__.py", line 1521, in expect_loop
    raise EOF(str(err) + '\n' + str(self))
pexpect.EOF: End Of File (EOF). Exception style platform.
<pexpect.spawn object at 0xb748176c>
version: 3.1
command: /home/oit/firmware-analysis-toolkit/firmadyne/scripts/getArch.sh
args: ['/home/oit/firmware-analysis-toolkit/firmadyne/scripts/getArch.sh', './images/1.tar.gz']
searcher: <pexpect.searcher_re object at 0xb748180c>
buffer (last 100 chars): ''
before (last 100 chars): 'mages/1.tar.gz: Cannot open: No such file or directory\r\ntar: Error is not recoverable: exiting now\r\n'
after: <class 'pexpect.EOF'>
match: None
match_index: None
exitstatus: 1
flag_eof: True
pid: 12799
child_fd: 3
closed: False
timeout: 30
delimiter: <class 'pexpect.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1

And I try to run: ./sources/extractor/extractor.py -b Linksys -sql 127.0.0.1 -np -nk "0.bin" images

it shows:

root@ubuntu:/home/oit/firmware-analysis-toolkit/firmadyne#  ./sources/extractor/extractor.py -b Linksys -sql 127.0.0.1 -np -nk "0.bin" images
>> Database Image ID: 1

/home/oit/firmware-analysis-toolkit/firmadyne/0.bin
>> MD5: 7fbac72ff1ba352a37dff33255494896
Traceback (most recent call last):
  File "./sources/extractor/extractor.py", line 730, in <module>
    main()
  File "./sources/extractor/extractor.py", line 727, in main
    extract.extract()
  File "./sources/extractor/extractor.py", line 189, in extract
    self._extract_item(item)
  File "./sources/extractor/extractor.py", line 197, in _extract_item
    ExtractionItem(self, path, 0).extract()
  File "./sources/extractor/extractor.py", line 403, in extract
    if self._check_blacklist():
  File "./sources/extractor/extractor.py", line 441, in _check_blacklist
    mime=True)
  File "./sources/extractor/extractor.py", line 102, in magic
    mymagic = magic.Magic(mime)
  File "/usr/local/lib/python2.7/dist-packages/magic.py", line 75, in __init__
    self.setparam(MAGIC_PARAM_NAME_MAX, 64)
  File "/usr/local/lib/python2.7/dist-packages/magic.py", line 112, in setparam
    return magic_setparam(self.cookie, param, val)
  File "/usr/local/lib/python2.7/dist-packages/magic.py", line 312, in magic_setparam
    return _magic_setparam(cookie, param, byref(v))
  File "/usr/local/lib/python2.7/dist-packages/magic.py", line 216, in errorcheck_negative_one
    raise MagicException(err)
magic.MagicException: None

Clear-text password in script

Both fat.py and reset.py require us to set a clear text password in the source code.
Is there a workaround for that?
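
One way to keep root_pass and firmadyne_pass out of the source, as an added example (not code from fat.py or reset.py). The FAT_* environment variable names, the secrets-file format and its path are assumptions made for this example; only the two setting names come from the issue tracker.

```python
import getpass
import os
import stat


class InsecureSecretFile(Exception):
    """The secrets file could be read or replaced by another user."""


def read_secret_file(path):
    """Return KEY=VALUE pairs from a file that only its owner can access."""
    # O_NOFOLLOW refuses a symlink planted at the expected path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r") as handle:
        # fstat the open descriptor so the check and the read hit the same file.
        st = os.fstat(handle.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise InsecureSecretFile("%s is not a regular file" % path)
        if st.st_uid != os.getuid():
            raise InsecureSecretFile("%s is not owned by the current user" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureSecretFile("%s is open to group/other; chmod 600 it" % path)
        secrets = {}
        for line in handle:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                secrets[key.strip()] = value.strip()
        return secrets


def load_secret(name, env=None, secret_file=None, prompt=True):
    """Resolve a secret without hard-coding it.

    Order: environment variable FAT_<NAME> (hypothetical name), then the
    owner-only secrets file, then an interactive prompt that does not echo.
    """
    env = os.environ if env is None else env
    value = env.get("FAT_" + name.upper())
    if value:
        return value
    if secret_file and os.path.exists(secret_file):
        secrets = read_secret_file(secret_file)
        if name in secrets:
            return secrets[name]
    if prompt:
        return getpass.getpass("%s: " % name)
    raise KeyError("no value available for %s" % name)


if __name__ == "__main__":
    import tempfile

    # Constructed sample file; the values are placeholders, not real credentials.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fat.secrets")
        with open(path, "w") as f:
            f.write("# constructed sample\n")
            f.write("root_pass = example-sudo-password\n")
            f.write("firmadyne_pass = example-db-password\n")
        os.chmod(path, 0o600)
        root_pass = load_secret("root_pass", secret_file=path, prompt=False)
        firmadyne_pass = load_secret("firmadyne_pass", secret_file=path, prompt=False)
        print("loaded root_pass (%d chars) and firmadyne_pass (%d chars)"
              % (len(root_pass), len(firmadyne_pass)))
```

Environment variables are readable by other processes of the same user, so the owner-only file or the prompt is the safer source on a shared analysis host.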

Failed on Architecture Step

I am beating my head on this, trying to get it to run for the first time. I followed the procedures here: https://securityonline.info/firmware-analysis-toolkit/. The firmadyne database setup was missing, which I completed using steps in the git homepage.

When running, I get the following:

[?] Enter the name or absolute path of the firmware you want to analyse : /firmware/DIR645A1_FW105B01.bin
[?] Enter the brand of the firmware : dlink
[+] Now going to extract the firmware. Hold on..
[+] Firmware : /firmware/DIR645A1_FW105B01.bin
[+] Brand : dlink
[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : Could not find 'firmadyne.config'!
Traceback (most recent call last):
  File "./fat.py", line 121, in <module>
    main()
  File "./fat.py", line 113, in main
    arch = identify_arch(image_id)
  File "./fat.py", line 61, in identify_arch
    child.expect("Password for user firmadyne: ")
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 341, in expect
    timeout, searchwindowsize, async_)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 117, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 63, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7f86ceae1650>
command: /tools/firmadyne//scripts/getArch.sh
args: ['/tools/firmadyne//scripts/getArch.sh', './images/1.tar.gz']
buffer (last 100 chars): ''

after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: 1
flag_eof: True
pid: 18582
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
0: re.compile('Password for user firmadyne: ')

Here are my settings from fat.py:

#Configurations - change this according to your system
firmadyne_path = "/tools/firmadyne"
binwalk_path = "/tools/binwalk"
root_pass = "root"
firmadyne_pass = "firmadyne"

And my settings from firmadyne.conf (which is located in /tools/firmadyne/)

#uncomment and specify full path to FIRMADYNE repository
FIRMWARE_DIR=/tools/firmadyne

Thank you in advance for your help!

[question] How can I run this firmware?

Nowadays, we find that most firmware is encrypted.. :(

gegul@unknown:~/firmware$ binwalk XNB-8000_1.40.02_20191024_R484.img
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             OpenSSL encryption, salted, salt: 0x5E8D51B0FE9D135F
22995601      0x15EE291       MySQL MISAM compressed data file Version 5
42268529      0x284F771       MySQL ISAM index file Version 11

Is there any way to decrypt or run this firmware?
Or must the firmware be run on the device?

Network interface not working and no IP assigned.

I'm getting the following error:

                               __           _   
                              / _|         | |  
                             | |_    __ _  | |_ 
                             |  _|  / _` | | __|
                             | |   | (_| | | |_ 
                             |_|    \__,_|  \__|                    
                    
                Welcome to the Firmware Analysis Toolkit - v0.2
    Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
                  By Attify - https://attify.com  | @attifyme
    
[?] Enter the name or absolute path of the firmware you want to analyse : /home/r00tb3/Desktop/dir-816/firmware/AP699E8C.CW125A-5-DLINK-R1B011D81870(0519085924)(1).img
[?] Enter the brand of the firmware : dlink
[+] Now going to extract the firmware. Hold on..
[+] Firmware : /home/r00tb3/Desktop/dir-816/firmware/AP699E8C.CW125A-5-DLINK-R1B011D81870(0519085924)(1).img
[+] Brand : dlink
[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : mipsel
[+] Storing filesystem in database
[+] Building QEMU disk image
[+] Setting up the network connection, please standby
[+] Network interfaces : []
[+] Running the firmware finally
[+] command line : sudo /home/r00tb3/re-tools/firmware-analysis-toolkit/firmadyne/scratch/1/run.sh
[*] Press ENTER to run the firmware...^CTraceback (most recent call last):

Why isn't it enabling any network interface?

How do I get this working and get an IP assigned to it?

Waiting for replies!!

Unable to simulate Netgear firmware in firmadyne

Unable to simulate Netgear firmware, not sure if there is anything wrong with the .chk file extension.

Here I am sharing some details about my blocker:

  1. Tried on 2 Netgear firmware versions - "D8500-V1.0.3.39_1.0.1.chk" and "R7000-V1.0.9.28_10.2.32.chk"
  2. Attaching the error screenshot.

Please let me know if you need any further details to investigate this issue.

Firmware not emulating or showing on network after running

Dear Sir,

So I have the following output;


	Welcome to the Firmware Analysis Toolkit - v0.1
	Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
	By Attify - https://attify.com  | @attifyme
	
Enter the name or absolute path of the firmware you want to analyse : Dlink_firmware.bin
Enter the brand of the firmware : Dlink
Dlink_firmware.bin
Now going to extract the firmware. Hold on..
/root/tools/firmadyne/sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "Dlink_firmware.bin" images 
test
The database ID is 1
Getting image type
Password for user firmadyne: 
Found image type of  mipsel
Putting information to database
Tar2DB
Creating Image
Executing command 

sudo /root/tools/firmadyne/scripts/makeImage.sh 1
Password for user firmadyne: 
mke2fs 1.43.3 (04-Sep-2016)
Please check the makeImage function
Everything is done for the image id 1
Setting up the network connection
Password for user firmadyne: 
qemu-system-mipsel: terminating on signal 2 from pid 1925
Querying database for architecture... mipsel
Running firmware 1: terminating after 60 secs...
Inferring network...
Interfaces: [('br0', '192.168.0.1')]
Done!

Running the firmware finally : 

But nothing is coming up, demonstrated like so;

root@kali:~# nmap 192.168.0.1

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-08 20:11 GMT
Nmap scan report for 192.168.0.1
Host is up (0.00045s latency).
All 1000 scanned ports on 192.168.0.1 are filtered
MAC Address: 00:DE:FA:19:C0:02 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 34.69 seconds

Any tips on where to start debugging this?

Cheers,
P.

Not working with Qemu 3.X

It's not working with Qemu 3.X versions because there are no VLAN parameters in the new version, but it still uses them for setting up the network. Is there any update for Qemu 3?

Image extraction failed

I'm trying to emulate the firmware provided in your blog post

And it failed somewhere:

[+] Firmware: WNAP320.zip
[+] Extracting the firmware...
[!] Image extraction failed

What can I do now?

Emulation run fail

Hi,

The emulation fails with the following errors:

...
 [+] Cleaning previous images and created files by firmadyne
 [+] All done. Go ahead and run fat.py to continue firmware analysis
     
 Remember the password for the database is firmadyne

/home/oit/tools/firmadyne [git::master *] [oit@ubuntu] [15:19]
> sudo ./fat.py 

	Welcome to the Firmware Analysis Toolkit - v0.1
	Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
	By Attify - https://attify.com  | @attifyme
	
Enter the name or absolute path of the firmware you want to analyse : /home/oit/private/private.bin
Enter the brand of the firmware : private
/home/oit/private/private.bin
Now going to extract the firmware. Hold on..
/home/oit/tools/firmadyne/sources/extractor/extractor.py -b private -sql 127.0.0.1 -np -nk "/home/oit/private/private.bin" images 
test
The database ID is 1
Getting image type
Password for user firmadyne: 
Found image type of  mipsel
Putting information to database
Tar2DB
Creating Image
Executing command 

sudo /home/oit/tools/firmadyne/scripts/makeImage.sh 1
Password for user firmadyne: 
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xc7513c37.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Building a new DOS disklabel with disk identifier 0x0d2d9eb9.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
mke2fs 1.42.9 (4-Feb-2014)
Please check the makeImage function
Everything is done for the image id 1
Setting up the network connection
Password for user firmadyne: 
qemu: terminating on signal 2 from pid 8721
Querying database for architecture... mipsel
Running firmware 1: terminating after 60 secs...
Inferring network...
Interfaces: []
Done!

Running the firmware finally : 
sudo: /home/oit/tools/firmadyne/scratch/1/run.sh: command not found
Traceback (most recent call last):
  File "./fat.py", line 113, in <module>
    main()
  File "./fat.py", line 109, in main
    final_run(image_id)
  File "./fat.py", line 89, in final_run
    print subprocess.check_output(final_run_cmd, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 573, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'sudo /home/oit/tools/firmadyne/scratch/1/run.sh' returned non-zero exit status 1

/home/oit/tools/firmadyne [git::master *] [oit@ubuntu] [15:21]
> 

AttifyOS VM is running in VMWare Fusion, with one NIC eth0 (tried with NAT, Bridged, Host-Only, separately)..

Attempts to use loopback network address (127.0.0.0) instead of a valid interface?

Not sure what would be causing this, everything appears to be working correctly aside from the fact that it tries to spin up the connection on 127.0.0.0 (see the output below) rather than on one of the two other available interfaces.

[+] Firmware: R6950.bin
[+] Extracting the firmware...
[+] Image ID: 2
[+] Identifying architecture...
[+] Architecture: mipsel
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
[+] Network interfaces: [('lo', '127.0.0.0')]
[+] All set! Press ENTER to run the firmware...
[+] When running, press Ctrl + A X to terminate qemu

Duplicate ID 'net0' for netdev

When I run run.sh, it shows "qemu-system-mipsel: -netdev tap,id=net0,ifname=tap1_0,script=no: Duplicate ID 'net0' for netdev":

Creating TAP device tap1_0...
Set 'tap1_0' persistent and owned by uid 0
Bringing up TAP device...
Adding route to 192.168.1.1...
Starting firmware emulation... use Ctrl-a + x to exit
binenv
qemu-system-mipsel: -netdev tap,id=net0,ifname=tap1_0,script=no: Duplicate ID 'net0' for netdev
Deleting route...
Bringing down TAP device...
Deleting TAP device tap1_0...
Set 'tap1_0' nonpersistent
Set 'tap1_0' nonpersistent

Doesn't give a network IP

Hey there,
I'm not getting any network interface IP.

I tried multiple setups:

(vmware) LTS 18.04, 20
and Linux subsystem.
None of them are giving an IP.

I tried multiple firmware images I found online,
and none of them are giving an IP.
Not sure what to do.

I also tried to go to https://github.com/firmadyne/firmadyne

and follow the guide; it did not work as well.

./images/1.tar.gz: Cannot open: No such file or directory

I keep running into the same issue, having installed your toolkit and all dependencies a couple of different ways now. The only other issue regarding this error was closed in the same day with the resolution being to reinstall, which hasn't worked.

[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : ./images/1.tar.gz: Cannot open: No such file or directory
Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 114, in main
    arch = identify_arch(image_id)
  File "fat.py", line 62, in identify_arch
    child.expect("Password for user firmadyne: ")
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 341, in expect
    timeout, searchwindowsize, async_)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 117, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 63, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7f5bbcb43110>
command: /home/labuser/firmadyne/scripts/getArch.sh
args: ['/home/labuser/firmadyne/scripts/getArch.sh', './images/1.tar.gz']
buffer (last 100 chars): ''
before (last 100 chars): 'mages/1.tar.gz: Cannot open: No such file or directory\r\ntar: Error is not recoverable: exiting now\r\n'
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: 1
flag_eof: True
pid: 8064
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
0: re.compile('Password for user firmadyne: ')

What am I doing wrong?

The command was not found or was not executable: sudo

Hi
I am trying to run fat.py using following command only to be informed that sudo command is not executable.

$ python /usr/local/bin/fat.py openwrt-ar71xx-generic-mr600-squashfs-factory.bin

[?] Enter the name or absolute path of the firmware you want to analyse : openwrt-ar71xx-generic-mr600-squashfs-factory.bin
[?] Enter the brand of the firmware : op
[+] Now going to extract the firmware. Hold on..
[+] Firmware : openwrt-ar71xx-generic-mr600-squashfs-factory.bin
[+] Brand : op
[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : mipseb
[+] Storing filesystem in database
[!] Filesystem already exists
[+] Building QEMU disk image
Traceback (most recent call last):
  File "/usr/local/bin/fat.py", line 122, in <module>
    main()
  File "/usr/local/bin/fat.py", line 116, in main
    make_image(arch, image_id)
  File "/usr/local/bin/fat.py", line 80, in make_image
    child = pexpect.spawn(makeimage_cmd)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/pty_spawn.py", line 204, in __init__
    self._spawn(command, args, preexec_fn, dimensions)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/pty_spawn.py", line 276, in _spawn
    'executable: %s.' % self.command)
pexpect.exceptions.ExceptionPexpect: The command was not found or was not executable: sudo.

Is it because I have copied fat.py to the location /usr/local/bin? Any input will be highly appreciated.
Regards

firmware not emulating

Hi Adi, I have a problem when emulating a firmware. I receive this error. I did reset.sh as advised in another post, but the problem still exists.

sudo python fat.py

	Welcome to the Firmware Analysis Toolkit - v0.1
	Offensive IoT Exploitation Training - http://offensiveiotexploitation.com
	By Attify - https://attify.com | @attifyme

Enter the name or absolute path of the firmware you want to analyse : /home/oit/Desktop/TE/HG8245HV300R018C00SPC108_common_all.bin
Enter the brand of the firmware : huawei
/home/oit/Desktop/TE/HG8245HV300R018C00SPC108_common_all.bin
Now going to extract the firmware. Hold on..
/home/oit/tools/fat//sources/extractor/extractor.py -b huawei -sql 127.0.0.1 -np -nk "/home/oit/Desktop/TE/HG8245HV300R018C00SPC108_common_all.bin" images
test
The database ID is 1
Getting image type
Password for user firmadyne:
Found image type of armel
Putting information to database
Tar2DB
Creating Image
Executing command

sudo /home/oit/tools/fat//scripts/makeImage.sh 1
Password for user firmadyne:
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xa5dd6c4f.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Building a new DOS disklabel with disk identifier 0x5ceea72e.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
mke2fs 1.42.9 (4-Feb-2014)
mknod: /dev/null: File exists
mknod: /dev/zero: File exists
mknod: /dev/tty: File exists
mknod: /dev/console: File exists
Please check the makeImage function
Everything is done for the image id 1
Setting up the network connection
Password for user firmadyne:
qemu: terminating on signal 2 from pid 6589
Querying database for architecture... armel
Running firmware 1: terminating after 60 secs...
Inferring network...
Interfaces: []
Done!

Running the firmware finally :
sudo: /home/oit/tools/fat//scratch/1/run.sh: command not found
Traceback (most recent call last):
  File "fat.py", line 113, in <module>
    main()
  File "fat.py", line 109, in main
    final_run(image_id)
  File "fat.py", line 89, in final_run
    print subprocess.check_output(final_run_cmd, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 573, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'sudo /home/oit/tools/fat//scratch/1/run.sh' returned non-zero exit status 1

Also, below is the output of binwalk:
DECIMAL HEXADECIMAL DESCRIPTION

67019 0x105CB Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5979560 bytes, 1259 inodes, blocksize: 1048576 bytes, created: 2017-08-08 04:10:50
6047179 0x5C45CB uImage header, header size: 64 bytes, header CRC: 0xD3292F09, created: 2017-08-08 04:10:13, image size: 1438876 bytes, Data Address: 0x81208000, Entry Point: 0x81208000, data CRC: 0xFC9BD3F6, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: lzma, image name: "Linux-2.6.30"
6047243 0x5C460B LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3857792 bytes

Huawei Firmware Extraction

Hello @adi0x90 , @extremecoders-re

I'm trying to identify a Huawei modem firmware binary using binwalk but it doesn't recognize it as jiffs, squash etc

$ binwalk -v Huawei.bin 

Scan Time:     2018-01-22 21:34:10
Target File:   /media/data/tmp/Huawei.bin
MD5 Checksum:  e1ddf1d896631b07331b5188d5b31ca2
Signatures:    344

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
4992299       0x4C2D2B        MySQL ISAM index file Version 1

It's definitely not MySQL ISAM index file :)

So, how can I go further? Is there an option to force binwalk to extract it as jiffs file system or squash?

Here is the file:

Huawei.bin.zip

binwalk opcodes result:

$ binwalk -A Huawei.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
12713598      0xC1FE7E        ARM instructions, function prologue
16463970      0xFB3862        ARM instructions, function prologue

Entropy:

$ binwalk -E Huawei.bin

DECIMAL       HEXADECIMAL     ENTROPY
--------------------------------------------------------------------------------
0             0x0             Rising entropy edge (0.996797)

So, how can I go further? Is there any other software or suggestion in firmware-analysis-kit?

no IPv6 routers present

                         / _|         | |  
                         | |_    __ _  | |_ 
                         |  _|  / _` | | __|
                         | |   | (_| | | |_ 
                         |_|    \__,_|  \__|                    
                
            Welcome to the Firmware Analysis Toolkit - v0.2
Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
              By Attify - https://attify.com  | @attifyme

[?] Enter the name or absolute path of the firmware you want to analyse : wnap320.zip
[?] Enter the brand of the firmware : wnap320.zip
[+] Now going to extract the firmware. Hold on..
[+] Firmware : wnap320.zip
[+] Brand : netgear
/home/john/firmadyne/sources/extractor/extractor.py -b netgear -sql 127.0.0.1 -np -nk "wnap320.zip" images
[+] Database image ID : 1
[+] Identifying architecture
/home/john/firmadyne/scripts/getArch.sh ./images/1.tar.gz
[+] Architecture : mipseb
[+] Storing filesystem in database
[+] Building QEMU disk image
[+] Setting up the network connection, please standby
[+] Network interfaces : [('brtrunk', '192.168.0.100')]
[+] Running the firmware finally
[+] command line : sudo /home/john/firmadyne/scratch/1/run.sh
[*] Press ENTER to run the firmware...
Creating TAP device tap1_0...
Set 'tap1_0' persistent and owned by uid 0
Bringing up TAP device...
123456
Adding route to 192.168.0.100...
Starting firmware emulation... use Ctrl-a + x to exit
[ 0.000000] Linux version 2.6.32.70 (vagrant@vagrant-ubuntu-trusty-64) (gcc version 5.3.0 (GCC) ) #1 Thu Feb 18 01:39:21 UTC 2016
[ 0.000000]
[ 0.000000] LINUX started...
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 00019300 (MIPS 24Kc)
[ 0.000000] FPU revision is: 00739300
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 00001000 @ 00000000 (reserved)
[ 0.000000] memory: 000ef000 @ 00001000 (ROM data)
[ 0.000000] memory: 0061e000 @ 000f0000 (reserved)
[ 0.000000] memory: 0f8f1000 @ 0070e000 (usable)
[ 0.000000] debug: ignoring loglevel setting.
[ 0.000000] Wasting 57792 bytes for tracking 1806 unused pages
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone PFN ranges:
[ 0.000000] DMA 0x00000000 -> 0x00001000
[ 0.000000] Normal 0x00001000 -> 0x0000ffff
[ 0.000000] Movable zone start PFN for each node
[ 0.000000] early_node_map[1] active PFN ranges
[ 0.000000] 0: 0x00000000 -> 0x0000ffff
[ 0.000000] On node 0 totalpages: 65535
[ 0.000000] free_area_init_node: node 0, pgdat 806aa3c0, node_mem_map 81000000
[ 0.000000] DMA zone: 32 pages used for memmap
[ 0.000000] DMA zone: 0 pages reserved
[ 0.000000] DMA zone: 4064 pages, LIFO batch:0
[ 0.000000] Normal zone: 480 pages used for memmap
[ 0.000000] Normal zone: 60959 pages, LIFO batch:15
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65023
[ 0.000000] Kernel command line: root=/dev/sda1 console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=0
[ 0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Primary instruction cache 2kB, VIPT, 2-way, linesize 16 bytes.
[ 0.000000] Primary data cache 2kB, 2-way, VIPT, no aliases, linesize 16 bytes
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 252428k/254916k available (4260k kernel code, 2252k reserved, 1549k data, 220k init, 0k highmem)
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] NR_IRQS:256
[ 0.000000] CPU frequency 200.00 MHz
[ 0.000000] Console: colour dummy device 80x25
[ 0.004000] Calibrating delay loop... 1126.40 BogoMIPS (lpj=2252800)
[ 0.104000] Mount-cache hash table entries: 512
[ 0.120000] NET: Registered protocol family 16
[ 0.132000] bio: create slab at 0
[ 0.132000] vgaarb: loaded
[ 0.136000] SCSI subsystem initialized
[ 0.136000] libata version 3.00 loaded.
[ 0.140000] usbcore: registered new interface driver usbfs
[ 0.140000] usbcore: registered new interface driver hub
[ 0.144000] usbcore: registered new device driver usb
[ 0.148000] pci 0000:00:00.0: reg 14 32bit mmio pref: [0x1000000-0x1ffffff]
[ 0.152000] pci 0000:00:0a.1: reg 20 io port: [0x00-0x0f]
[ 0.152000] pci 0000:00:0a.2: reg 20 io port: [0x00-0x1f]
[ 0.156000] pci 0000:00:0a.3: BAR 8: address space collision on of bridge [0x1100-0x110f]
[ 0.160000] pci 0000:00:0a.3: quirk: region 1100-110f claimed by PIIX4 SMB
[ 0.160000] pci 0000:00:0b.0: reg 10 io port: [0x00-0x1f]
[ 0.164000] pci 0000:00:0b.0: reg 14 32bit mmio: [0x000000-0x00001f]
[ 0.164000] pci 0000:00:0b.0: reg 30 32bit mmio pref: [0x000000-0x03ffff]
[ 0.168000] pci 0000:00:12.0: reg 10 io port: [0x00-0x1f]
[ 0.172000] pci 0000:00:12.0: reg 14 32bit mmio: [0x000000-0x00001f]
[ 0.172000] pci 0000:00:12.0: reg 30 32bit mmio pref: [0x000000-0x03ffff]
[ 0.176000] pci 0000:00:13.0: reg 10 io port: [0x00-0x1f]
[ 0.176000] pci 0000:00:13.0: reg 14 32bit mmio: [0x000000-0x00001f]
[ 0.176000] pci 0000:00:13.0: reg 30 32bit mmio pref: [0x000000-0x03ffff]
[ 0.180000] pci 0000:00:14.0: reg 10 io port: [0x00-0x1f]
[ 0.180000] pci 0000:00:14.0: reg 14 32bit mmio: [0x000000-0x00001f]
[ 0.180000] pci 0000:00:14.0: reg 30 32bit mmio pref: [0x000000-0x03ffff]
[ 0.184000] pci 0000:00:15.0: reg 10 32bit mmio pref: [0x000000-0x1ffffff]
[ 0.184000] pci 0000:00:15.0: reg 14 32bit mmio: [0x000000-0x000fff]
[ 0.184000] pci 0000:00:15.0: reg 30 32bit mmio pref: [0x000000-0x00ffff]
[ 0.188000] vgaarb: device added: PCI:0000:00:15.0,decodes=io+mem,owns=none,locks=none
[ 0.192000] pci 0000:00:0a.3: BAR 8: bogus alignment [0x1100-0x110f] flags 0x100
[ 0.200000] cfg80211: Calling CRDA to update world regulatory domain
[ 0.204000] Switching to clocksource MIPS
[ 0.204000] NET: Registered protocol family 2
[ 0.208000] Switched to NOHz mode on CPU #0
[ 0.208000] IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.216000] TCP established hash table entries: 8192 (order: 4, 65536 bytes)
[ 0.224000] TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.228000] TCP: Hash tables configured (established 8192 bind 8192)
[ 0.228000] TCP reno registered
[ 0.232000] NET: Registered protocol family 1
[ 0.232000] PCI: Enabling device 0000:00:0a.2 (0000 -> 0001)
[ 0.260000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.264000] Registering unionfs 2.6 (for 2.6.32.63)
[ 0.268000] JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 0.272000] ROMFS MTD (C) 2007 Red Hat, Inc.
[ 0.272000] msgmni has been set to 493
[ 0.292000] alg: No test for stdrng (krng)
[ 0.324000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[ 0.328000] io scheduler noop registered
[ 0.328000] io scheduler cfq registered (default)
[ 0.332000] firmadyne: devfs: 1, execute: 1, procfs: 1, syscall: 0
[ 0.336000] firmadyne: Cannot register character device: watchdog, 0xa, 0x82!
[ 0.340000] firmadyne: Cannot register character device: wdt, 0xfd, 0x0!
[ 0.388000] PCI: Enabling device 0000:00:15.0 (0000 -> 0002)
[ 0.392000] cirrusfb 0000:00:15.0: Cirrus Logic chipset on PCI bus, RAM (4096 kB) at 0x10000000
[ 0.640000] Console: switching to colour frame buffer device 80x30
[ 0.664000] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 0.672000] serial8250.0: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[ 0.676000] console [ttyS0] enabled, bootconsole disabled
[ 0.676000] console [ttyS0] enabled, bootconsole disabled
[ 0.688000] serial8250.0: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
[ 0.696000] brd: module loaded
[ 0.700000] loop: module loaded
[ 0.700000] ata_piix 0000:00:0a.1: version 2.13
[ 0.704000] PCI: Enabling device 0000:00:0a.1 (0000 -> 0001)
[ 0.708000] PCI: Setting latency timer of device 0000:00:0a.1 to 64
[ 0.720000] scsi0 : ata_piix
[ 0.724000] scsi1 : ata_piix
[ 0.724000] ata1: PATA max UDMA/33 cmd 0x1f0 ctl 0x3f6 bmdma 0x10a0 irq 14
[ 0.728000] ata2: PATA max UDMA/33 cmd 0x170 ctl 0x376 bmdma 0x10a8 irq 15
[ 0.740000] NAND device: Manufacturer ID: 0x98, Chip ID: 0x39 (Toshiba NAND 128MiB 1,8V 8-bit)
[ 0.744000] flash size: 128 MiB
[ 0.752000] page size: 512 bytes
[ 0.756000] OOB area size: 16 bytes
[ 0.756000] sector size: 16 KiB
[ 0.760000] pages number: 262144
[ 0.760000] pages per sector: 32
[ 0.764000] bus width: 8
[ 0.764000] bits in sector size: 14
[ 0.764000] bits in page size: 9
[ 0.768000] bits in OOB size: 4
[ 0.768000] flash size with OOB: 135168 KiB
[ 0.772000] page address bytes: 4
[ 0.772000] sector address bytes: 3
[ 0.776000] options: 0x62
[ 0.780000] Scanning device for bad blocks
[ 0.844000] Creating 11 MTD partitions on "NAND 128MiB 1,8V 8-bit":
[ 0.852000] 0x000000000000-0x000000100000 : "NAND simulator partition 0"
[ 0.856000] 0x000000100000-0x000000200000 : "NAND simulator partition 1"
[ 0.860000] 0x000000200000-0x000000300000 : "NAND simulator partition 2"
[ 0.864000] 0x000000300000-0x000000400000 : "NAND simulator partition 3"
[ 0.868000] 0x000000400000-0x000000500000 : "NAND simulator partition 4"
[ 0.872000] 0x000000500000-0x000000600000 : "NAND simulator partition 5"
[ 0.876000] 0x000000600000-0x000000700000 : "NAND simulator partition 6"
[ 0.884000] 0x000000700000-0x000000800000 : "NAND simulator partition 7"
[ 0.888000] 0x000000800000-0x000000900000 : "NAND simulator partition 8"
[ 0.892000] 0x000000900000-0x000000a00000 : "NAND simulator partition 9"
[ 0.896000] 0x000000a00000-0x000008000000 : "NAND simulator partition 10"
[ 0.900000] Intel(R) PRO/1000 Network Driver - version 7.3.21-k5-NAPI
[ 0.904000] Copyright (c) 1999-2006 Intel Corporation.
[ 0.904000] e1000e: Intel(R) PRO/1000 Network Driver - 1.0.2-k2
[ 0.908000] e1000e: Copyright (c) 1999-2008 Intel Corporation.
[ 0.916000] pcnet32.c:v1.35 21.Apr.2008 [email protected]
[ 0.920000] PCI: Enabling device 0000:00:0b.0 (0000 -> 0003)
[ 0.924000] PCI: Setting latency timer of device 0000:00:0b.0 to 64
[ 0.928000] pcnet32: PCnet/PCI II 79C970A at 0x1020, 52:54:00:12:34:56 assigned IRQ 10.
[ 0.932000] eth0: registered as PCnet/PCI II 79C970A
[ 0.936000] PCI: Enabling device 0000:00:12.0 (0000 -> 0003)
[ 0.940000] PCI: Setting latency timer of device 0000:00:12.0 to 64
[ 0.944000] pcnet32: PCnet/PCI II 79C970A at 0x1040, 52:54:00:12:34:57 assigned IRQ 10.
[ 0.952000] eth1: registered as PCnet/PCI II 79C970A
[ 0.956000] PCI: Enabling device 0000:00:13.0 (0000 -> 0003)
[ 0.960000] PCI: Setting latency timer of device 0000:00:13.0 to 64
[ 0.964000] pcnet32: PCnet/PCI II 79C970A at 0x1060, 52:54:00:12:34:58 assigned IRQ 10.
[ 0.968000] eth2: registered as PCnet/PCI II 79C970A
[ 0.972000] PCI: Enabling device 0000:00:14.0 (0000 -> 0003)
[ 0.976000] PCI: Setting latency timer of device 0000:00:14.0 to 64
[ 0.984000] pcnet32: PCnet/PCI II 79C970A at 0x1080, 52:54:00:12:34:59 assigned IRQ 11.
[ 0.992000] eth3: registered as PCnet/PCI II 79C970A
[ 0.992000] pcnet32: 4 cards_found.
[ 0.996000] PPP generic driver version 2.4.2
[ 1.000000] PPP Deflate Compression module registered
[ 1.004000] ata1.01: NODEV after polling detection
[ 1.008000] ata2.01: NODEV after polling detection
[ 1.020000] ata1.00: ATA-7: QEMU HARDDISK, 2.5+, max UDMA/100
[ 1.024000] ata1.00: 2097152 sectors, multi 16: LBA48
[ 1.028000] ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100
[ 1.032000] ata2.00: configured for UDMA/33
[ 1.036000] ata1.00: configured for UDMA/33
[ 1.044000] scsi 0:0:0:0: Direct-Access ATA QEMU HARDDISK 2.5+ PQ: 0 ANSI: 5
[ 1.060000] scsi 1:0:0:0: CD-ROM QEMU QEMU DVD-ROM 2.5+ PQ: 0 ANSI: 5
[ 1.068000] sd 0:0:0:0: [sda] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)
[ 1.072000] sd 0:0:0:0: [sda] Write Protect is off
[ 1.076000] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[ 1.076000] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 1.096000] sda: sda1
[ 1.104000] sd 0:0:0:0: [sda] Attached SCSI disk
[ 1.112000] PPP MPPE Compression module registered
[ 1.116000] NET: Registered protocol family 24
[ 1.124000] PPPoL2TP kernel driver, V1.0
[ 1.124000] tun: Universal TUN/TAP device driver, 1.6
[ 1.128000] tun: (C) 1999-2004 Max Krasnyansky [email protected]
[ 1.132000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 1.136000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 1.140000] uhci_hcd: USB Universal Host Controller Interface driver
[ 1.144000] PCI: Setting latency timer of device 0000:00:0a.2 to 64
[ 1.152000] uhci_hcd 0000:00:0a.2: UHCI Host Controller
[ 1.156000] uhci_hcd 0000:00:0a.2: new USB bus registered, assigned bus number 1
[ 1.160000] uhci_hcd 0000:00:0a.2: irq 11, io base 0x00001000
[ 1.164000] usb usb1: configuration #1 chosen from 1 choice
[ 1.168000] hub 1-0:1.0: USB hub found
[ 1.172000] hub 1-0:1.0: 2 ports detected
[ 1.172000] Initializing USB Mass Storage driver...
[ 1.176000] usbcore: registered new interface driver usb-storage
[ 1.180000] USB Mass Storage support registered.
[ 1.188000] serio: i8042 KBD port at 0x60,0x64 irq 1
[ 1.192000] serio: i8042 AUX port at 0x60,0x64 irq 12
[ 1.192000] mice: PS/2 mouse device common for all mice
[ 1.200000] rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0
[ 1.204000] rtc0: alarms up to one day, 242 bytes nvram
[ 1.208000] i2c /dev entries driver
[ 1.208000] piix4_smbus 0000:00:0a.3: SMBus Host Controller at 0x1100, revision 0
[ 1.212000] sdhci: Secure Digital Host Controller Interface driver
[ 1.220000] sdhci: Copyright(c) Pierre Ossman
[ 1.224000] usbcore: registered new interface driver hiddev
[ 1.228000] usbcore: registered new interface driver usbhid
[ 1.232000] usbhid: v2.6:USB HID core driver
[ 1.232000] Netfilter messages via NETLINK v0.30.
[ 1.236000] nf_conntrack version 0.5.0 (3947 buckets, 15788 max)
[ 1.240000] ctnetlink v0.93: registering with nfnetlink.
[ 1.240000] IPv4 over IPv4 tunneling driver
[ 1.244000] GRE over IPv4 tunneling driver
[ 1.252000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 1.256000] arp_tables: (C) 2002 David S. Miller
[ 1.260000] TCP cubic registered
[ 1.264000] Initializing XFRM netlink socket
[ 1.264000] NET: Registered protocol family 10
[ 1.272000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 1.272000] IPv6 over IPv4 tunneling driver
[ 1.276000] NET: Registered protocol family 17
[ 1.280000] Bridge firewalling registered
[ 1.284000] Ebtables v2.0 registered
[ 1.288000] 802.1Q VLAN Support v1.8 Ben Greear [email protected]
[ 1.292000] All bugs added by David S. Miller [email protected]
[ 1.296000] lib80211: common routines for IEEE802.11 drivers
[ 1.300000] lib80211_crypt: registered algorithm 'NULL'
[ 1.304000] rtc_cmos rtc_cmos: setting system clock to 2019-11-08 07:48:34 UTC (1573199314)
[ 1.308000] input: AT Raw Set 2 keyboard as /devices/platform/i8042/serio0/input/input0
[ 1.520000] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input1
main-loop: WARNING: I/O thread spun for 1000 iterations
[ 1.552000] EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
[ 1.560000] VFS: Mounted root (ext2 filesystem) on device 8:1.
[ 1.564000] Freeing prom memory: 956k freed
[ 1.576000] Freeing unused kernel memory: 220k freed
456
[ 1.636000] firmadyne: sys_reboot[PID: 45 (init)]: magic1:fee1dead, magic2:28121969, cmd:0
[ 1.680000] firmadyne: do_execve: /firmadyne/console
[ 1.688000] OFFSETS: offset of pid: 0x100 offset of comm: 0x1f0

Mounting etc to ramfs. [DONE]

Mounting var to jffs2. [FAILED]

Checking SSH keys. [DONE]
[ 4.008000] EXT2-fs error (device sda1): ext2_lookup: deleted inode referenced: 24646

Checking for run file. [DONE]

Starting System Logger. [DONE]

Starting Kernel Logger. [ 5.052000] klogd/101: potentially unexpected fatal signal 10.
[ 5.056000]
[ 5.056000] Cpu 0
[ 5.056000] $ 0 : 00000000 00000001 00000008 ffffffff
[ 5.064000] $ 4 : 00000000 00000000 00000000 7fbe6f70
[ 5.068000] $ 8 : 00000000 00000000 00000000 7fbe6d98
[ 5.068000] $12 : 2ab3c868 2ab4f004 00000000 00000044
[ 5.072000] $16 : 7fbe6ed8 ffffffff 7fbe75e8 7fbe75e8
[ 5.076000] $20 : 7fbe758b 2ab4fc40 7fbe6fd0 00000000
[ 5.080000] $24 : 00000000 2ab25bc0
[ 5.080000] $28 : 2ab57440 7fbe6de8 ffffffff 2ab225c8
[ 5.084000] Hi : 00000001
[ 5.084000] Lo : 00000000
[ 5.088000] epc : 2ab22648 0x2ab22648
[ 5.088000] Not tainted
[ 5.092000] ra : 2ab225c8 0x2ab225c8
[ 5.096000] Status: 0000a413 USER EXL IE
[ 5.100000] Cause : 10800010
[ 5.100000] BadVA : ffffffff
[ 5.100000] PrId : 00019300 (MIPS 24Kc)
[DONE]

Starting Panel LED. [DONE]

Starting watchdog. Error in opening the device.
: No such device
[DONE]
Error in opening the device
: No such device

Starting Reset Detect. [DONE]
WN802T_SYS_RESET_DETECT_IOC returned err

Checking Manufac. data [DEFAULT]
Erase Total 1 Units
Performing Flash Erase of length 16384 at offset 0x0 done
[ 7.276000] nand_do_write_ops: Attempt to write not page aligned data
Error Writing device /dev/mtd5.

Checking board file. [CREATED]

Loading Ethernet module. [GENMAC]

                        BusyBox v1.11.0 (2011-06-23 15:54:48 IST) multi-call binary

Usage: ifconfig [-a] interface [address]

Configure a network interface

Options:
[[-]broadcast [ADDRESS]] [[-]pointopoint [ADDRESS]]
[netmask ADDRESS] [dstaddr ADDRESS]
[outfill NN] [keepalive NN]
[hw ether|infiniband ADDRESS] [metric NN] [mtu NN]
[[-]trailers] [[-]arp] [[-]allmulti]
[multicast] [[-]promisc] [txqueuelen NN] [[-]dynamic]
[mem_start NN] [io_addr NN] [irq NN]
[up|down] ...

[DONE]

Checking database. [DONE]

Verifing checksum. [DONE]

Loading Bridge module. [DONE]
/etc/init.d/rcS: /etc/init.d/S020bridge.sh: line 39: cannot create /proc/sys/net/bridge/bridge-nf-enabled: nonexistent directory

Loading wlan modules. [DONE]

Creating vap interface. /usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFTXQLEN: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFTXQLEN: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFTXQLEN: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFTXQLEN: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFTXQLEN: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFTXQLEN: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFTXQLEN: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFTXQLEN: No such device
[DONE]

Creating wds interface. /usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFMTU: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFMTU: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFMTU: No such device
/usr/local/bin/wlanconfig: ioctl: No such device
ifconfig: SIOCSIFMTU: No such device
[DONE]

Starting configd. [DONE]

Starting web server. [DONE]

Starting Translator... start-stop-daemon: cannot start /usr/bin/log_ro: No such file or directory
[syslog]

Starting Translator... [password]

Starting Translator... [ssh]

Starting Translator... [snmp]

Starting Translator... [telnet]

Starting Translator... [dns]

Starting Translator... [ 18.548000] device eth0 entered promiscuous mode
[ 18.568000] eth0: link up
[ 18.572000] brtrunk: port 1(eth0) entering learning state
set cascaded bridge failed: Operation not supported
route: SIOCADDRT: Invalid argument
[bridge_and_vlan_translator]

Starting Translator... [ 18.840000] do_page_fault() #2: sending SIGSEGV to hostapd_tr for invalid read access from
[ 18.840000] 00000004 (epc == 2aafc7d0, ra == 00416804)
[ 18.848000] Cpu 0
[ 18.848000] $ 0 : 00000000 00000001 00000004 00000000
[ 18.852000] $ 4 : 00000004 00419f18 00000000 00000001
[ 18.856000] $ 8 : 2ab25004 0042e0b8 00000031 fffffff0
[ 18.860000] $12 : 8f04feb0 00000234 06ca3695 2aad9578
[ 18.864000] $16 : 7ffbd560 7ffbd3f0 7fbdf3e4 ffffffff
[ 18.868000] $20 : 7ffbd4b4 00401834 00000001 004019f0
[ 18.872000] $24 : 00000002 2aafc7d0
[ 18.876000] $28 : 00435880 7ffbce48 7ffbce48 00416804
[ 18.876000] Hi : 00000005
[ 18.880000] Lo : 19999999
[ 18.880000] epc : 2aafc7d0 0x2aafc7d0
[ 18.880000] Not tainted
[ 18.880000] ra : 00416804 0x416804
[ 18.884000] Status: 0000a413 USER EXL IE
[ 18.884000] Cause : 10800008
[ 18.884000] BadVA : 00000004
[ 18.888000] PrId : 00019300 (MIPS 24Kc)
[ 18.888000] Modules linked in:
[ 18.888000] Process hostapd_tr (pid: 519, threadinfo=8f04e000, task=8f03b6e0, tls=00000000)
[ 18.892000] Stack : 696e6773 3a646863 7073536e 64446e73 00435880 2e302e30 00000000 74656d3a
[ 18.900000] 64686370 73536574 7ffbce78 00402404 00419f18 0041a030 6e732030 2e302e30
[ 18.904000] 00435880 79737465 2f746d70 2f686f73 74617064 2e636f6e 662e7769 6669302e
[ 18.908000] 74656d70 00302e30 2e302e30 0a737973 74656d3a 64686370 73536574 74696e67
[ 18.912000] 733a6468 6370734c 65617365 54696d65 20383634 30300a0a 73797374 656d3a6c
[ 18.916000] ...
[ 18.916000] Call Trace:
[ 18.920000]
[ 18.920000]
[ 18.920000] Code: 00000000 00000000 00000000 <90830000> 90a20000 24840001 14600003 24a50001 03e00008
[ 18.928000] hostapd_tr/519: potentially unexpected fatal signal 11.
[ 18.928000]
[ 18.928000] Cpu 0
[ 18.932000] $ 0 : 00000000 00000001 00000004 00000000
[ 18.936000] $ 4 : 00000004 00419f18 00000000 00000001
[ 18.936000] $ 8 : 2ab25004 0042e0b8 00000031 fffffff0
[ 18.940000] $12 : 8f04feb0 00000234 06ca3695 2aad9578
[ 18.940000] $16 : 7ffbd560 7ffbd3f0 7fbdf3e4 ffffffff
[ 18.944000] $20 : 7ffbd4b4 00401834 00000001 004019f0
[ 18.944000] $24 : 00000002 2aafc7d0
[ 18.948000] $28 : 00435880 7ffbce48 7ffbce48 00416804
[ 18.948000] Hi : 00000005
[ 18.948000] Lo : 19999999
[ 18.952000] epc : 2aafc7d0 0x2aafc7d0
[ 18.952000] Not tainted
[ 18.952000] ra : 00416804 0x416804
[ 18.956000] Status: 0000a413 USER EXL IE
[ 18.960000] Cause : 10800008
[ 18.960000] BadVA : 00000004
[ 18.960000] PrId : 00019300 (MIPS 24Kc)
Segmentation fault
[hostapd_tr]

Starting Translator... [nmbd_tr]

Starting Translator... sh: cannot create /proc/sys/net/bridge/bridge-http-redirect-flush-mac: nonexistent directory
sh: cannot create /proc/sys/net/bridge/bridge-http-redirect-enabled: nonexistent directory
[http_redirect_tr]

Starting Translator... [dhcp]

Starting Translator... kill: cannot kill pid 594: No such process
[ntp]

Starting Translator... [timezone]

tarting Translator... [sc_radio]
kill: cannot kill pid 607: No such process
Error in opening the device.
: No such device

System initilization is .. [DONE...]
[ 20.432000] EXT2-fs error (device sda1): ext2_lookup: deleted inode referenced: 24646
[ 20.436000] EXT2-fs error (device sda1): ext2_lookup: deleted inode referenced: 24646
[ 20.444000] EXT2-fs error (device sda1): ext2_lookup: deleted inode referenced: 24646

Welcome to SDK.

Have a lot of fun...

netgear123456 login: [ 23.576000] brtrunk: port 1(eth0) entering forwarding state
[ 29.196000] brtrunk: no IPv6 routers present
[ 29.232000] eth0: no IPv6 routers present

Can not simulate netgear in the firmadyne

Enter the name or absolute path of the firmware you want to analyse : /home/oit/tools/firmadyne/images/WNAP320.zip
Enter the brand of the firmware : netgear
/home/oit/tools/firmadyne/images/WNAP320.zip
Now going to extract the firmware. Hold on..
/home/oit/tools/firmadyne/sources/extractor/extractor.py -b netgear -sql 127.0.0.1 -np -nk "/home/oit/tools/firmadyne/images/WNAP320.zip" images
test
The database ID is 1
Getting image type
Password for user firmadyne:
Found image type of mipseb
Putting information to database
Traceback (most recent call last):
File "/home/oit/tools/firmadyne/scripts/tar2db.py", line 100, in
main()
File "/home/oit/tools/firmadyne/scripts/tar2db.py", line 97, in main
process(iid, infile)
File "/home/oit/tools/firmadyne/scripts/tar2db.py", line 77, in process
insertObjectToImage(iid, file2oid, links, cur)
File "/home/oit/tools/firmadyne/scripts/tar2db.py", line 57, in insertObjectToImage
for x in files2oids])
psycopg2.IntegrityError: duplicate key value violates unique constraint "object_to_image_oid_iid_filename_key"
DETAIL: Key (oid, iid, filename)=(1, 1, /home/www/clearLog.php) already exists.

Already done earlier
Creating Image
Executing command

sudo /home/oit/tools/firmadyne/scripts/makeImage.sh 1
[sudo] password for oit:
Sorry, try again.
[sudo] password for oit:
Sorry, try again.
[sudo] password for oit:
Password for user firmadyne:
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x7bb73f9e.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Building a new DOS disklabel with disk identifier 0xf1567678.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
mke2fs 1.42.9 (4-Feb-2014)
Please check the makeImage function
Everything is done for the image id 1
Setting up the network connection
Password for user firmadyne:
bind: Address already in use
qemu-system-mips: -net socket,vlan=1,listen=:2001: Device 'socket' could not be initialized
Traceback (most recent call last):
File "./fat.py", line 113, in
main()
File "./fat.py", line 108, in main
network_setup(image_id)
File "./fat.py", line 83, in network_setup
output = subprocess.check_output(network_cmd, shell=True)
File "/usr/lib/python2.7/subprocess.py", line 573, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'sudo /home/oit/tools/firmadyne/scripts/inferNetwork.sh 1' returned non-zero exit status 1

Image extraction failed

Hi there! First, I want to thank you guys for letting me use this great thing.
I have run into the problem in the title: it printed 'Image extraction failed' when I executed fat.py.

/firmware/firmware-analysis-toolkit$ ./fat.py ../WF2785_v1.8.36.bin 
                               __           _
                              / _|         | |
                             | |_    __ _  | |_
                             |  _|  / _` | | __|
                             | |   | (_| | | |_
                             |_|    \__,_|  \__|

                Welcome to the Firmware Analysis Toolkit - v0.3
    Offensive IoT Exploitation Training http://bit.do/offensiveiotexploitation
                  By Attify - https://attify.com  | @attifyme

[+] Firmware: WF2785_v1.8.36.bin
[+] Extracting the firmware...
[!] Image extraction failed

I have been trying some firmware images and I got the same message as I wrote above.
However, when I executed /firmadyne/sources/extractor/extractor.py, the output looks like this:

/firmware/WF2785_v1.8.36.bin
>> MD5: db7855f9a2a0317402068839761d15f2
>> Tag: WF2785_v1.8.36.bin_db7855f9a2a0317402068839761d15f2
>> Temp: /tmp/tmp07cylyzj
>> Status: Kernel: False, Rootfs: False, Do_Kernel: True,                 Do_Rootfs: True
>> Recursing into archive ...
>>>> Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4350976 bytes, 763 inodes, blocksize: 131072 bytes, created: invalid timestamp
>>>> Found Linux filesystem in /tmp/tmp07cylyzj/_WF2785_v1.8.36.bin.extracted/squashfs-root!
>>>> gzip compressed data, maximum compression, from Unix, last modified: 2020-02-26 03:44:26
>>>> Found Linux filesystem in /tmp/tmp07cylyzj/_WF2785_v1.8.36.bin.extracted/squashfs-root!
>> Cleaning up /tmp/tmp07cylyzj...

I think it works.
How can I solve this problem?

Can you help with this error?

iot@I:~/firmware-analysis-toolkit$ sudo ./fat.py

Welcome to the Firmware Analysis Toolkit - v0.1
Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
By Attify - https://attify.com  | @attifyme

Enter the name or absolute path of the firmware you want to analyse : DIR.bin
Enter the brand of the firmware : Dlink
DIR.bin

Now going to extract the firmware. Hold on..
/home/iot/firmware-analysis-toolkit/firmadyne/sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "DIR.bin" images 
Traceback (most recent call last):
  File "/home/iot/firmware-analysis-toolkit/firmadyne/sources/extractor/extractor.py", line 17, in <module>
    import magic
ImportError: No module named magic
Traceback (most recent call last):
  File "./fat.py", line 113, in <module>
    main()
  File "./fat.py", line 100, in main
    extractor(firm_name,firm_brand)
  File "./fat.py", line 45, in extractor
    output = subprocess.check_output(extractor_command, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '/home/iot/firmware-analysis-toolkit/firmadyne/sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "DIR.bin" images ' returned non-zero exit status 1

Can't run fat to analyse firmware

Hi All,
When I run sudo ./fat.sh I get the following error:
[+] Architecture : line 7: ./firmadyne.config: Permission denied
Traceback (most recent call last):
File "./fat.py", line 122, in
main()
File "./fat.py", line 114, in main
arch = identify_arch(image_id)
File "./fat.py", line 62, in identify_arch
child.expect("Password for user firmadyne: ")
File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 341, in expect
timeout, searchwindowsize, async_)
File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
return exp.expect_loop(timeout)
File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 117, in expect_loop
return self.eof(e)
File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 63, in eof
raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7f4a16241610>
command: /home/bill/firmware-analysis-toolkit/firmadyne/scripts/getArch.sh
args: ['/home/bill/firmware-analysis-toolkit/firmadyne/scripts/getArch.sh', './images/1.tar.gz']
buffer (last 100 chars): ''

after: <class 'pexpect.exceptions.EOF'>
I used user permissions to install, so how can I check the issue? Thanks

Error running fat.py with openwrt firmware

This is my problem:

./fat.py

Welcome to the Firmware Analysis Toolkit - v0.1
Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
By Attify - https://attify.com  | @attifyme

Enter the name or absolute path of the firmware you want to analyse : homerouter.bin
Enter the brand of the firmware : asd
homerouter.bin
Now going to extract the firmware. Hold on..
/home/oit/tools/fat//sources/extractor/extractor.py -b asd -sql 127.0.0.1 -np -nk "homerouter.bin" images
test
The database ID is 5
Getting image type
Password for user firmadyne:
Found image type of mipseb
Putting information to database
Traceback (most recent call last):
File "/home/oit/tools/fat//scripts/tar2db.py", line 100, in
main()
File "/home/oit/tools/fat//scripts/tar2db.py", line 97, in main
process(iid, infile)
File "/home/oit/tools/fat//scripts/tar2db.py", line 77, in process
insertObjectToImage(iid, file2oid, links, cur)
File "/home/oit/tools/fat//scripts/tar2db.py", line 57, in insertObjectToImage
for x in files2oids])
psycopg2.IntegrityError: duplicate key value violates unique constraint "object_to_image_oid_iid_filename_key"
DETAIL: Key (oid, iid, filename)=(3800, 5, /etc/uci-defaults/04_led_migration) already exists.

Already done earlier
Creating Image
Executing command

sudo /home/oit/tools/fat//scripts/makeImage.sh 5
Password for user firmadyne:
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x0fd25194.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Building a new DOS disklabel with disk identifier 0x80288bfb.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
mke2fs 1.42.9 (4-Feb-2014)
Please check the makeImage function
Everything is done for the image id 5
Setting up the network connection
Password for user firmadyne:
qemu: terminating on signal 2 from pid 8417
Querying database for architecture... mipseb
Running firmware 5: terminating after 60 secs...
Inferring network...
Interfaces: []
Done!

Running the firmware finally :
sudo: /home/oit/tools/fat//scratch/5/run.sh: command not found
Traceback (most recent call last):
File "./fat.py", line 113, in
main()
File "./fat.py", line 109, in main
final_run(image_id)
File "./fat.py", line 89, in final_run
print subprocess.check_output(final_run_cmd, shell=True)
File "/usr/lib/python2.7/subprocess.py", line 573, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'sudo /home/oit/tools/fat//scratch/5/run.sh' returned non-zero exit status 1

Thanks

pexpect tripping during extraction

Hi,
I installed the firmware analysis toolkit and it dies as shown below -- I'm showing the example device image from your instructions but can also reproduce this using other images.

I'm running this on an up to date Kali Linux.


                               __           _   
                              / _|         | |  
                             | |_    __ _  | |_ 
                             |  _|  / _` | | __|
                             | |   | (_| | | |_ 
                             |_|    \__,_|  \__|                    
                    
                Welcome to the Firmware Analysis Toolkit - v0.2
    Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
                  By Attify - https://attify.com  | @attifyme
    
[?] Enter the name or absolute path of the firmware you want to analyse : /root/Desktop/WNAP320 Firmware Version 2.0.3.zip
[?] Enter the brand of the firmware : netgear
[+] Now going to extract the firmware. Hold on..
[+] Firmware : /root/Desktop/WNAP320 Firmware Version 2.0.3.zip
[+] Brand : netgear
Traceback (most recent call last):
  File "./fat.py", line 122, in <module>
    main()
  File "./fat.py", line 109, in main
    image_id = run_extractor(firm_name, firm_brand)
  File "./fat.py", line 48, in run_extractor
    child.expect("Database Image ID: ")
  File "/usr/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 321, in expect
    timeout, searchwindowsize, async)
  File "/usr/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 345, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/lib/python2.7/dist-packages/pexpect/expect.py", line 105, in expect_loop
    return self.eof(e)
  File "/usr/lib/python2.7/dist-packages/pexpect/expect.py", line 50, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7ff20f3ff410>
command: /root/device-simulator/firmware-analysis-toolkit/firmadyne/sources/extractor/extractor.py
args: ['/root/device-simulator/firmware-analysis-toolkit/firmadyne/sources/extractor/extractor.py', '-b', 'netgear', '-sql', '127.0.0.1', '-np', '-nk', '/root/Desktop/WNAP320 Firmware Version 2.0.3.zip', 'images']
buffer (last 100 chars): ''
before (last 100 chars): 'bound method ExtractionItem.__del__ of <__main__.ExtractionItem object at 0x7effcf4f5e90>> ignored\r\n'
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 4899
child_fd: 5
closed: False
timeout: None
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
    0: re.compile("Database Image ID: ")

Unable to emulate repacked firmware (using firmware mod kit) on fat

Hello. When I try to emulate the firmware repacked using fmk, I am unable to emulate it. It shows the following errors at the end:

root@ubuntu:/home/oit/tools/fat# ./fat.py

Welcome to the Firmware Analysis Toolkit - v0.1
Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
By Attify - https://attify.com  | @attifyme

Enter the name or absolute path of the firmware you want to analyse : new-firmware.bin
Enter the brand of the firmware : netgear
new-firmware.bin
Now going to extract the firmware. Hold on..
/home/oit/tools/fat//sources/extractor/extractor.py -b netgear -sql 127.0.0.1 -np -nk "new-firmware.bin" images
test
The database ID is 1
Getting image type
Password for user firmadyne:
Found image type of mipsel
Putting information to database
Tar2DB
Creating Image
Executing command

sudo /home/oit/tools/fat//scripts/makeImage.sh 1
Password for user firmadyne:
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0xd60a0292.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Building a new DOS disklabel with disk identifier 0xc370d1a5.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
mke2fs 1.42.9 (4-Feb-2014)
Please check the makeImage function
Everything is done for the image id 1
Setting up the network connection
Password for user firmadyne:
qemu: terminating on signal 2 from pid 4220
Querying database for architecture... mipsel
Running firmware 1: terminating after 60 secs...
Inferring network...
Interfaces: []
Done!

Running the firmware finally :
sudo: /home/oit/tools/fat//scratch/1/run.sh: command not found
Traceback (most recent call last):
  File "./fat.py", line 113, in <module>
    main()
  File "./fat.py", line 109, in main
    final_run(image_id)
  File "./fat.py", line 89, in final_run
    print subprocess.check_output(final_run_cmd, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 573, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'sudo /home/oit/tools/fat//scratch/1/run.sh' returned non-zero exit status 1

I am running the official Ubuntu VM provided via the Dropbox link.

can't emulate an "armel" firmware

Hey there. I'm emulating an armel-based firmware but I got the following errors:

[+] Firmware: ALEOS_4.4.6.002_LS300_OpenSIM_UpdatePack.zip
[+] Extracting the firmware...
[+] Image ID: 1
[+] Identifying architecture...
[+] Architecture: 
[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 150, in read_nonblocking
    s = os.read(self.child_fd, size)
OSError: [Errno 5] Input/output error

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 99, in expect_loop
    incoming = spawn.read_nonblocking(spawn.maxread, timeout)
  File "/usr/lib/python3/dist-packages/pexpect/pty_spawn.py", line 465, in read_nonblocking
    return super(spawn, self).read_nonblocking(size)
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 155, in read_nonblocking
    raise EOF('End Of File (EOF). Exception style platform.')
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./fat.py", line 174, in <module>
    main()
  File "./fat.py", line 169, in main
    infer_network(arch, image_id, qemu_dir)
  File "./fat.py", line 115, in infer_network
    child.expect_exact("Interfaces:", timeout=None)
  File "/usr/lib/python3/dist-packages/pexpect/spawnbase.py", line 390, in expect_exact
    return exp.expect_loop(timeout)
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 105, in expect_loop
    return self.eof(e)
  File "/usr/lib/python3/dist-packages/pexpect/expect.py", line 50, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7f4c2ef5c2e8>
command: /home/iot/tools/firmware-analysis-toolkit/firmadyne/scripts/inferNetwork.sh
args: ['/home/iot/tools/firmware-analysis-toolkit/firmadyne/scripts/inferNetwork.sh', '1', '']
buffer (last 100 chars): b''
before (last 100 chars): b'Error: Invalid architecture!\r\n'
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: 1
flag_eof: True
pid: 63653
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_string:
    0: "b'Interfaces:'"

Does anyone know why these errors occurred?

Unable to execute extractor.py

When I run fat.py, the program starts and then I enter the firmware and the brand. Then the error occurs as described below.
"""
Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 109, in main
    image_id = run_extractor(firm_name, firm_brand)
  File "fat.py", line 47, in run_extractor
    child = pexpect.spawn(extractor_cmd, timeout=None)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/pty_spawn.py", line 204, in __init__
    self._spawn(command, args, preexec_fn, dimensions)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/pty_spawn.py", line 276, in _spawn
    'executable: %s.' % self.command)
pexpect.exceptions.ExceptionPexpect: The command was not found or was not executable: /home/firmadyne/sources/extractor/extractor.py.
"""

Architecture : Could not find 'firmadyne.config'!

Hi
I have installed firmware analysis toolkit along with all dependencies in Ubuntu 16.04. The directory structure is like below.

/fat
     /firmadyne
     /firmwalker
     /firmware-analysis-toolkit
     /firmware-mod-kit

Changed the firmadyne path in /fat/firmware-analysis-toolkit/fat.py:

....
FIRMWARE_DIR=/fat/firmadyne/

# specify full paths to other directories
BINARY_DIR=${FIRMWARE_DIR}/binaries/
TARBALL_DIR=${FIRMWARE_DIR}/images/
SCRATCH_DIR=${FIRMWARE_DIR}/scratch/
SCRIPT_DIR=${FIRMWARE_DIR}/scripts/
....

firmadyne.config is in /fat/firmadyne/firmadyne.config and FIRMWARE_DIR points to /fat/firmadyne

Executed the fat.py using following command:

$ python /fat/firmware-analysis-toolkit/fat.py topo.bin

But the above command produces "Could not find 'firmadyne.config'!" with the following output.

[?] Enter the name or absolute path of the firmware you want to analyse : topo.bin
[?] Enter the brand of the firmware : lk
[+] Now going to extract the firmware. Hold on..
[+] Firmware : topo.bin
[+] Brand : lk
[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : Could not find 'firmadyne.config'!
Traceback (most recent call last):
  File "/fat/firmware-analysis-toolkit/fat.py", line 122, in <module>
    main()
  File "/fat/firmware-analysis-toolkit/fat.py", line 114, in main
    arch = identify_arch(image_id)
  File "/fat/firmware-analysis-toolkit/fat.py", line 62, in identify_arch
    child.expect("Password for user firmadyne: ")
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 341, in expect
    timeout, searchwindowsize, async_)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 117, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 63, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7f6ed2ad5650>
command: /fat/firmadyne/scripts/getArch.sh
args: ['/fat/firmadyne/scripts/getArch.sh', './images/1.tar.gz']
buffer (last 100 chars): ''

after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: 1
flag_eof: True
pid: 889
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
    0: re.compile('Password for user firmadyne: ')

The output contains the following lines, which signify that the firmadyne path has been found, but maybe for other reasons fat.py is unable to continue.

command: /fat/firmadyne/scripts/getArch.sh
args: ['/fat/firmadyne/scripts/getArch.sh', './images/1.tar.gz']

What is wrong with the above settings? Do all files need to be in the same folder for firmadyne
and firmware-analysis-toolkit?

firmware-mod-kit instructions

It appears that the firmware-mod-kit installation instructions are incomplete. After doing a git clone and setting the binwalk path, using unsquashfs_all.sh on the Dlink firmware from the Offensive IoT course fails. After investigation it appears that the binaries for each version of the squashfs filesystem need to be compiled. Running ./configure and make in the src directory results in:

make[2]: Entering directory '/root/tools/firmware-analysis-toolkit/firmware-mod-kit/src/others/squashfs-2.2-r2-7z'
g++ mksquashfs.o read_fs.o sort.o -L. -llzma -lpthread -o mksquashfs
mksquashfs.o: In function `linux_opendir':
/root/tools/firmware-analysis-toolkit/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1384: undefined reference to `add_dir_entry'
mksquashfs.o: In function `encomp_opendir':
/root/tools/firmware-analysis-toolkit/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1399: undefined reference to `add_dir_entry'
/root/tools/firmware-analysis-toolkit/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1416: undefined reference to `add_dir_entry'
mksquashfs.o: In function `single_opendir':
/root/tools/firmware-analysis-toolkit/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1431: undefined reference to `add_dir_entry'
/root/tools/firmware-analysis-toolkit/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1451: undefined reference to `add_dir_entry'
collect2: error: ld returned 1 exit status
Makefile:18: recipe for target 'mksquashfs' failed
make[2]: *** [mksquashfs] Error 1
make[2]: Leaving directory '/root/tools/firmware-analysis-toolkit/firmware-mod-kit/src/others/squashfs-2.2-r2-7z'
Makefile:2: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/root/tools/firmware-analysis-toolkit/firmware-mod-kit/src/others'
Makefile:7: recipe for target 'all' failed
make: *** [all] Error 2

I have been able to compile src/others/squashfs-3.2-r2-lzma individually to be able to follow along with the video but this doesn't appear to work out of the box the way the instructions describe.

FAT issue

root@kali:~/Downloads/IOT-tools/firmware-analysis-toolkit# python fat.py

Welcome to the Firmware Analysis Toolkit - v0.1
Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
By Attify - https://attify.com  | @attifyme

Enter the name or absolute path of the firmware you want to analyse : /root/Downloads/IOT-tools/exercisefiles/firmware/Dlink_firmware.bin
Enter the brand of the firmware : DLink
/root/Downloads/IOT-tools/exercisefiles/firmware/Dlink_firmware.bin
Now going to extract the firmware. Hold on..
/root/Downloads/IOT-tools/firmadyne/sources/extractor/extractor.py -b DLink -sql 127.0.0.1 -np -nk "/root/Downloads/IOT-tools/exercisefiles/firmware/Dlink_firmware.bin" images
Traceback (most recent call last):
  File "/root/Downloads/IOT-tools/firmadyne/sources/extractor/extractor.py", line 730, in <module>
    main()
  File "/root/Downloads/IOT-tools/firmadyne/sources/extractor/extractor.py", line 727, in main
    extract.extract()
  File "/root/Downloads/IOT-tools/firmadyne/sources/extractor/extractor.py", line 189, in extract
    self._extract_item(item)
  File "/root/Downloads/IOT-tools/firmadyne/sources/extractor/extractor.py", line 197, in _extract_item
    ExtractionItem(self, path, 0).extract()
  File "/root/Downloads/IOT-tools/firmadyne/sources/extractor/extractor.py", line 227, in __init__
    host=self.extractor.database)
  File "/usr/lib/python2.7/dist-packages/psycopg2/__init__.py", line 164, in connect
    conn = _connect(dsn, connection_factory=connection_factory, async=async)
psycopg2.OperationalError: could not connect to server: Connection refused
Is the server running on host "127.0.0.1" and accepting
TCP/IP connections on port 5432?

Exception AttributeError: "'ExtractionItem' object has no attribute 'database'" in <bound method ExtractionItem.__del__ of <__main__.ExtractionItem object at 0x7f48f838e710>> ignored
Traceback (most recent call last):
  File "fat.py", line 113, in <module>
    main()
  File "fat.py", line 100, in main
    extractor(firm_name,firm_brand)
  File "fat.py", line 45, in extractor
    output = subprocess.check_output(extractor_command, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '/root/Downloads/IOT-tools/firmadyne/sources/extractor/extractor.py -b DLink -sql 127.0.0.1 -np -nk "/root/Downloads/IOT-tools/exercisefiles/firmware/Dlink_firmware.bin" images ' returned non-zero exit status 1

qemu-system-mips: Invalid parameter 'vlan'

Hi
When I was setting up the network connection, there was an error.
[?] Enter the name or absolute path of the firmware you want to analyse : /opt/firmware/Netgear.zip
[?] Enter the brand of the firmware : Netgear
[+] Now going to extract the firmware. Hold on..
[+] Firmware : /opt/firmware/Netgear.zip
[+] Brand : Netgear
[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : mipseb
[+] Storing filesystem in database
[!] Filesystem already exists
[+] Building QEMU disk image
[+] Setting up the network connection, please standby
Traceback (most recent call last):
  File "./fat.py", line 122, in <module>
    main()
  File "./fat.py", line 117, in main
    setup_network(arch, image_id)
  File "./fat.py", line 90, in setup_network
    child.expect("Interfaces:", timeout=None)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 341, in expect
    timeout, searchwindowsize, async_)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 117, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 63, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0xb7213fac>
command: /usr/bin/sudo
args: ['/usr/bin/sudo', '/opt/firmware-analysis-toolkit/firmadyne/scripts/inferNetwork.sh', '1', 'mipseb']
buffer (last 100 chars): ''
before (last 100 chars): "Running firmware 1: terminating after 60 secs...\r\nqemu-system-mips: Invalid parameter 'vlan'\r\nroot\r\n"
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: 1
flag_eof: True
pid: 2431
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
0: re.compile('Interfaces:')

How can I solve it?
Thank you~

Architecture : line 7: FIRMWARE_DIR: unbound variable

I used DIR850LB1_FW210WWb03.bin to test but only get this result. How can I fix it?
[+] Architecture : line 7: FIRMWARE_DIR: unbound variable
Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 114, in main
    arch = identify_arch(image_id)
  File "fat.py", line 62, in identify_arch
    child.expect("Password for user firmadyne: ")
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 341, in expect
    timeout, searchwindowsize, async_)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 117, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 63, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0xb71b16ec>
command: /home/zander/firmadyne/scripts/getArch.sh
args: ['/home/zander/firmadyne/scripts/getArch.sh', './images/1.tar.gz']
buffer (last 100 chars): ''

after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: 1
flag_eof: True
pid: 2750
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
0: re.compile('Password for user firmadyne: ')

Cannot access interface through assigned IP address

I am using Ubuntu 18.04 LTS. The installation and setup worked flawlessly and an IP is generated:

[+] Building QEMU disk image...
[+] Setting up the network connection, please standby...
[+] Network interfaces: [('br0', '192.168.0.1')]

..
..
[ 2.656000] 802.1Q VLAN Support v1.8 Ben Greear [email protected]
[ 2.660000] All bugs added by David S. Miller [email protected]
[ 2.660000] lib80211: common routines for IEEE802.11 drivers
[ 2.660000] lib80211_crypt: registered algorithm 'NULL'
[ 2.664000] rtc_cmos rtc_cmos: setting system clock to 2020-05-22 13:04:24 UTC (1590152664)
[ 2.668000] input: AT Raw Set 2 keyboard as /devices/platform/i8042/serio0/input/input0
[ 2.872000] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input1
[ 2.904000] EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
[ 2.904000] VFS: Mounted root (ext2 filesystem) on device 8:1.
[ 2.908000] Freeing prom memory: 956k freed
[ 2.924000] Freeing unused kernel memory: 220k freed
[ 2.932000] Warning: unable to open an initial console.
[ 2.968000] firmadyne: sys_reboot[PID: 1 (init)]: magic1:fee1dead, magic2:28121969, cmd:0
[ 2.996000] firmadyne: do_execve: /firmadyne/console
[ 2.996000] OFFSETS: offset of pid: 0x100 offset of comm: 0x1f0
[ 7.620000] ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 7.624000] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[ 7.624000] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 7.716000] device eth0.3 entered promiscuous mode
[ 7.720000] device eth0 entered promiscuous mode
[ 7.720000] br0: port 1(eth0.3) entering forwarding state
[ 7.728000] device eth0.4 entered promiscuous mode
[ 7.728000] br0: port 2(eth0.4) entering forwarding state
[ 7.736000] device eth0.5 entered promiscuous mode
[ 7.736000] br0: port 3(eth0.5) entering forwarding state
[ 7.748000] device eth0.6 entered promiscuous mode
[ 7.748000] br0: port 4(eth0.6) entering forwarding state

But when I try to access the IP through curl or a browser, it generates an error:
curl: (7) Failed to connect to 192.168.0.1 port 80: Connection refused

I tried changing port to 2000,2001 also but the problem remained same. I have crosschecked all the settings and everything seems fine.

Firmware-mod-kit issues under Kali : Failed while building

@adi0x90

Issue when running firmware-mod-kit (it goes to compile the tools on first run);

root@iot-kali:~/tools/firmware-mod-kit# ./extract-firmware.sh ./Dlink_firmware.bin 
Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake

Preparing tools ...
bff_huffman_decompress.c: In function ‘unpack_parse_header’:
bff_huffman_decompress.c:167:14: warning: implicit declaration of function ‘read’ [-Wimplicit-function-declaration]
  bytesread = read(in, hdr + prelen, PACK_HEADER_LENGTH - prelen);
              ^~~~
bff_huffman_decompress.c: In function ‘unpack’:
bff_huffman_decompress.c:318:22: warning: implicit declaration of function ‘dup’ [-Wimplicit-function-declaration]
  unpack_parse_header(dup(in), dup(out), pre, prelen, bytes_in, &unpackd);
                      ^~~
mksquashfs.o: In function `linux_opendir':
/root/tools/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1384: undefined reference to `add_dir_entry'
mksquashfs.o: In function `encomp_opendir':
/root/tools/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1399: undefined reference to `add_dir_entry'
/root/tools/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1416: undefined reference to `add_dir_entry'
mksquashfs.o: In function `single_opendir':
/root/tools/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1431: undefined reference to `add_dir_entry'
/root/tools/firmware-mod-kit/src/others/squashfs-2.2-r2-7z/mksquashfs.c:1451: undefined reference to `add_dir_entry'
collect2: error: ld returned 1 exit status
Makefile:18: recipe for target 'mksquashfs' failed
make[2]: *** [mksquashfs] Error 1
Makefile:2: recipe for target 'all' failed
make[1]: *** [all] Error 2
Makefile:7: recipe for target 'all' failed
make: *** [all] Error 2
Tools build failed! Check pre-requisites. Quitting...

Error:Traceback.

I'm getting the following error:--

Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 109, in main
    image_id = run_extractor(firm_name, firm_brand)
  File "fat.py", line 48, in run_extractor
    child.expect("Database Image ID: ")
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 341, in expect
    timeout, searchwindowsize, async_)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 114, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 61, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7fb43855b650>

Tried with Python 2.7/3/3.5; it runs only with 2.7, with the error above.

After going through closed issues I figured out that I should move fat.py and reset.py to the firmadyne directory and start the PostgreSQL service, but now I get the following error:--

./sources/extractor/extractor.py -b dlink -sql 127.0.0.1 -np -nk "/home/myuser/Desktop/dir-816/firmware/AP699E8C.CW125A-5-DLINK-R1B011D81870(0519085924)(1).img" images
Traceback (most recent call last):
  File "./sources/extractor/extractor.py", line 730, in <module>
    main()
  File "./sources/extractor/extractor.py", line 727, in main
    extract.extract()
  File "./sources/extractor/extractor.py", line 189, in extract
    self._extract_item(item)
  File "./sources/extractor/extractor.py", line 197, in _extract_item
    ExtractionItem(self, path, 0).extract()
  File "./sources/extractor/extractor.py", line 227, in __init__
    host=self.extractor.database)
  File "/usr/lib/python2.7/dist-packages/psycopg2/__init__.py", line 164, in connect
    conn = _connect(dsn, connection_factory=connection_factory, async=async)
psycopg2.OperationalError: FATAL:  password authentication failed for user "firmadyne"
FATAL:  password authentication failed for user "firmadyne"
Exception AttributeError: "'ExtractionItem' object has no attribute 'database'" in <bound method ExtractionItem.__del__ of <__main__.ExtractionItem object at 0x7fec81217fd0>> ignored

To bypass the authentication error this worked for me :--

sudo apt-get install postgresql

sudo -u postgres createuser -P firmadyne, with password firmadyne

sudo -u postgres createdb -O firmadyne firmware

After that running fat.py gives me EOF error again:--

[?] Enter the name or absolute path of the firmware you want to analyse : /home/myuser/Desktop/dir-816/firmware/AP699E8C.CW125A-5-DLINK-R1B011D81870(0519085924)(1).img
[?] Enter the brand of the firmware : dlink
[+] Now going to extract the firmware. Hold on..
[+] Firmware : /home/myuser/Desktop/dir-816/firmware/AP699E8C.CW125A-5-DLINK-R1B011D81870(0519085924)(1).img
[+] Brand : dlink
Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 109, in main
    image_id = run_extractor(firm_name, firm_brand)
  File "fat.py", line 48, in run_extractor
    child.expect("Database Image ID: ")
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 341, in expect
    timeout, searchwindowsize, async_)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 369, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 114, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 61, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7fb5113f88d0>
command: /home/myuser/re-tools/firmadyne/sources/extractor/extractor.py
args: ['/home/myuser/re-tools/firmadyne/sources/extractor/extractor.py', '-b', 'dlink', '-sql', '127.0.0.1', '-np', '-nk', '/home/myuser/Desktop/dir-816/firmware/AP699E8C.CW125A-5-DLINK-R1B011D81870(0519085924)(1).img', 'images']
buffer (last 100 chars): ''
before (last 100 chars): '/dir-816/firmware/AP699E8C.CW125A-5-DLINK-R1B011D81870(0519085924)(1).img\r\n>> Skipping: completed!\r\n'
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 26330
child_fd: 5
closed: False
timeout: None
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
    0: re.compile("Database Image ID: ")

I guess the problem is with the database ID but I don't know how to resolve!!

Please help me resolve.
Thanks!
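
A preflight check for the setup problems reported in the issues on this page, as an added example (not part of any post and not the project's own code): it checks firmadyne.config, an active FIRMWARE_DIR line, the working directory, the helper scripts named in the traces, and whether anything listens on 127.0.0.1:5432. The function names are hypothetical, and it assumes the firmadyne scripts resolve firmadyne.config and ./images relative to the working directory, as the relative ./images/1.tar.gz argument in the traces suggests.

```python
import os
import re
import socket

# Helper scripts that fat.py spawns, taken from the traces on this page.
REQUIRED_EXECUTABLES = (
    "sources/extractor/extractor.py",
    "scripts/getArch.sh",
    "scripts/makeImage.sh",
    "scripts/inferNetwork.sh",
)


def active_firmware_dir(config_path):
    """Return the value of the last uncommented FIRMWARE_DIR= line, or None."""
    value = None
    with open(config_path) as fh:
        for line in fh:
            # re.match anchors at the line start, so "#FIRMWARE_DIR=..." is skipped.
            m = re.match(r"\s*FIRMWARE_DIR=(\S+)", line)
            if m:
                value = m.group(1).strip("'\"")
    return value


def check_firmadyne_dir(firmadyne_dir, cwd=None):
    """Return a list of setup problems (an empty list means nothing was found)."""
    problems = []
    firmadyne_dir = os.path.realpath(firmadyne_dir)
    cwd = os.path.realpath(cwd or os.getcwd())

    config = os.path.join(firmadyne_dir, "firmadyne.config")
    if not os.path.isfile(config):
        problems.append("missing firmadyne.config in " + firmadyne_dir)
    else:
        value = active_firmware_dir(config)
        if value is None:
            problems.append("FIRMWARE_DIR is commented out or unset in firmadyne.config")
        elif os.path.realpath(value) != firmadyne_dir:
            problems.append("FIRMWARE_DIR=%s does not point at %s" % (value, firmadyne_dir))

    # Assumption: the scripts look for firmadyne.config and ./images/<id>.tar.gz
    # relative to the working directory, so fat.py must be started from there.
    if cwd != firmadyne_dir:
        problems.append("working directory is %s, not the firmadyne directory" % cwd)

    for rel in REQUIRED_EXECUTABLES:
        path = os.path.join(firmadyne_dir, rel)
        if not os.path.isfile(path):
            problems.append("missing " + rel)
        elif not os.access(path, os.X_OK):
            problems.append("not executable: " + rel)
    return problems


def postgres_reachable(host="127.0.0.1", port=5432, timeout=2.0):
    """True if a TCP listener accepts connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    issues = check_firmadyne_dir(target)
    if not postgres_reachable():
        issues.append("nothing is listening on 127.0.0.1:5432 (PostgreSQL not started?)")
    for issue in issues:
        print("[!] " + issue)
    sys.exit(1 if issues else 0)
```

A reachable port only shows that a server is listening; the "password authentication failed" case still needs the firmadyne database user and the firmware database to exist.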

how to use gdb in FAT

Sir, may I ask how I can use gdb in FAT? I do not know how to use gdbserver and gdb-multiarch to debug in FAT. There is something wrong with the debug communication, so I cannot debug a firmware program like HTTPD. Could you please share your way to figure it out? Thank you very much!

Read wlan sta info failed!

When I press ENTER it starts emulating the firmware. But then it gets stuck in a dead cycle, which says
[ 576.316000] firmadyne: ioctl: 0x6 [ 576.316000] firmadyne: ioctl: 0x6 device ioctl:: Operation not supported Read wlan sta info failed!
again and again. But 192.168.0.1 works well.
What can I do to fix it?

pexpect.exceptions.EOF

Hi,

Has anyone experienced the error below?

Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 109, in main
    image_id = run_extractor(firm_name, firm_brand)
  File "fat.py", line 48, in run_extractor
    child.expect("Database Image ID: ")
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 327, in expect
    timeout, searchwindowsize, async_)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 355, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 102, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 49, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
<pexpect.pty_spawn.spawn object at 0x7fcc42f568d0>
command: /home/who/firmadyne/sources/extractor/extractor.py
args: ['/home/who/firmadyne/sources/extractor/extractor.py', '-b', 'aztech', '-sql', '127.0.0.1', '-np', '-nk', 'firmware.w', 'images']
buffer (last 100 chars): ''
before (last 100 chars): 'bound method ExtractionItem.__del__ of <__main__.ExtractionItem object at 0x7f0cdda3a050>> ignored\r\n'
after: <class 'pexpect.exceptions.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 32431
child_fd: 5
closed: False
timeout: None
delimiter: <class 'pexpect.exceptions.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
searcher: searcher_re:
    0: re.compile("Database Image ID: ")

Any advice is greatly appreciated. :-)

Architecture : ./images/1.tar.gz: Cannot open: No such file or directory

When I run fat.py, I get this error.

root@ubuntu:~/firmware-analysis-toolkit/firmadyne# sudo python fat.py

                               __           _
                              / _|         | |
                             | |_    __ _  | |_
                             |  _|  / _` | | __|
                             | |   | (_| | | |_
                             |_|    \__,_|  \__|

                Welcome to the Firmware Analysis Toolkit - v0.2
    Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
                  By Attify - https://attify.com  | @attifyme

[?] Enter the name or absolute path of the firmware you want to analyse : wnap320.zip
[?] Enter the brand of the firmware : fff
[+] Now going to extract the firmware. Hold on..
[+] Firmware : wnap320.zip
[+] Brand : fff
[+] Database image ID : 1
[+] Identifying architecture
[+] Architecture : ./images/1.tar.gz: Cannot open: No such file or directory
Traceback (most recent call last):
  File "fat.py", line 122, in <module>
    main()
  File "fat.py", line 114, in main
    arch = identify_arch(image_id)
  File "fat.py", line 62, in identify_arch
    child.expect("Password for user firmadyne: ")
  File "/usr/lib/python2.7/dist-packages/pexpect/__init__.py", line 1418, in expect
    timeout, searchwindowsize)
  File "/usr/lib/python2.7/dist-packages/pexpect/__init__.py", line 1433, in expect_list
    timeout, searchwindowsize)
  File "/usr/lib/python2.7/dist-packages/pexpect/__init__.py", line 1521, in expect_loop
    raise EOF(str(err) + '\n' + str(self))
pexpect.EOF: End Of File (EOF). Exception style platform.
<pexpect.spawn object at 0x7f31750b26d0>
version: 3.1
command: /root/firmware-analysis-toolkit/firmadyne/scripts/getArch.sh
args: ['/root/firmware-analysis-toolkit/firmadyne/scripts/getArch.sh', './images/1.tar.gz']
searcher: <pexpect.searcher_re object at 0x7f31750b2710>
buffer (last 100 chars): ''
before (last 100 chars): 'tar: Error is not recoverable: exiting now\r\n'
after: <class 'pexpect.EOF'>
match: None
match_index: None
exitstatus: None
flag_eof: True
pid: 27475
child_fd: 3
closed: False
timeout: 30
delimiter: <class 'pexpect.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
