
firmadyne's Introduction

Introduction

FIRMADYNE is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware. It includes the following components:

  • modified kernels (MIPS: v2.6, ARM: v4.1, v3.10) for instrumentation of firmware execution;
  • a userspace NVRAM library to emulate a hardware NVRAM peripheral;
  • an extractor to extract a filesystem and kernel from downloaded firmware;
  • a small console application to spawn an additional shell for debugging;
  • and a scraper to download firmware from 42+ different vendors.

We have also written the following three basic automated analyses using the FIRMADYNE system.

  • Accessible Webpages: This script iterates through each file within the filesystem of a firmware image that appears to be served by a webserver, and aggregates the results based on whether they appear to require authentication.
  • SNMP Information: This script dumps the contents of the public and private SNMP v2c communities to disk using no credentials.
  • Vulnerability Check: This script tests for the presence of 60 known vulnerabilities using exploits from Metasploit. In addition, it also checks for 14 previously-unknown vulnerabilities that we discovered. For more information, including affected products and CVEs, refer to analyses/README.md.

In our 2016 Network and Distributed System Security Symposium (NDSS) paper, titled Towards Automated Dynamic Analysis for Linux-based Embedded Firmware, we evaluated the FIRMADYNE system over a dataset of 23,035 firmware images, of which we were able to extract 9,486. Using 60 exploits from the Metasploit Framework, and 14 previously-unknown vulnerabilities that we discovered, we showed that 846 out of 1,971 (43%) firmware images were vulnerable to at least one exploit, which we estimate to affect 89+ different products. For more details, refer to our paper linked above.

Note: This project is a research tool, and is currently not production ready. In particular, some components are quite immature and rough. We suggest running the system within a virtual machine. No support is offered, but pull requests are greatly appreciated, whether for documentation, tests, or code!

Setup

First, clone this repository recursively and install its dependencies.

  1. sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan
  2. git clone --recursive https://github.com/firmadyne/firmadyne.git

Extractor

The extractor depends on the binwalk tool, so we need to install that and its dependencies.

  1. git clone https://github.com/ReFirmLabs/binwalk.git
  2. cd binwalk
  3. sudo ./deps.sh
  4. sudo python ./setup.py install
    • For Python 2.x, sudo apt-get install python-lzma
  5. sudo -H pip install git+https://github.com/ahupp/python-magic
  6. sudo -H pip install git+https://github.com/sviehb/jefferson
  7. Optionally, instead of upstream sasquatch, our sasquatch fork can be used to prevent false positives by making errors fatal.

Database

Next, install, set up, and configure the database.

  1. sudo apt-get install postgresql
  2. sudo -u postgres createuser -P firmadyne, with password firmadyne
  3. sudo -u postgres createdb -O firmadyne firmware
  4. sudo -u postgres psql -d firmware < ./firmadyne/database/schema

Binaries

To download our pre-built binaries for all components, run the following script:

  • cd ./firmadyne; ./download.sh

Alternatively, refer to the instructions below to compile from source.

QEMU

To use QEMU provided by your distribution:

  • sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils

Note that emulation of x86-based firmware is not currently supported, but installing qemu-system-x86 resolves a packaging issue on certain Debian-based distributions.

Alternatively, use our modified version of qemu-linaro for certain firmware with an alphafs webserver that assumes a fixed memory mapping (not recommended), or upstream qemu.

Usage

  1. Set FIRMWARE_DIR in firmadyne.config to point to the root of this repository.
  2. Download a firmware image, e.g. v2.0.3 for Netgear WNAP320.
    • wget http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip
  3. Use the extractor to recover only the filesystem, no kernel (-nk), no parallel operation (-np), populating the image table in the SQL server at 127.0.0.1 (-sql) with the Netgear brand (-b), and storing the tarball in images.
    • ./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images
  4. Identify the architecture of firmware 1 and store the result in the image table of the database.
    • ./scripts/getArch.sh ./images/1.tar.gz
  5. Load the contents of the filesystem for firmware 1 into the database, populating the object and object_to_image tables.
    • ./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
  6. Create the QEMU disk image for firmware 1.
    • sudo ./scripts/makeImage.sh 1
  7. Infer the network configuration for firmware 1. Kernel messages are logged to ./scratch/1/qemu.initial.serial.log.
    • ./scripts/inferNetwork.sh 1
  8. Emulate firmware 1 with the inferred network configuration. This will modify the configuration of the host system by creating a TAP device and adding a route.
    • ./scratch/1/run.sh
  9. The system should be available over the network, and is ready for analysis. Kernel messages are mirrored to ./scratch/1/qemu.final.serial.log. The filesystem for firmware 1 can be mounted to and unmounted from scratch/1/image with ./scripts/mount.sh 1 and ./scripts/umount.sh 1.
    • ./analyses/snmpwalk.sh 192.168.0.100
    • ./analyses/webAccess.py 1 192.168.0.100 log.txt
    • mkdir exploits; ./analyses/runExploits.py -t 192.168.0.100 -o exploits/exploit -e x (requires Metasploit Framework)
    • sudo nmap -O -sV 192.168.0.100
  10. The default console should be automatically connected to the terminal. You may also login with root and password. Note that Ctrl-c is sent to the guest; use the QEMU monitor command Ctrl-a + x to terminate emulation.

FAQ

run.sh is not generated

This is a common error that is encountered when the network configuration is unable to be inferred. Follow the checklist below to figure out the cause.

  1. inferNetwork.sh: Did this script find any network interfaces (e.g. Interfaces: [br0, 192.168.0.1])? If so, this is a bug; please report it. Otherwise, continue below.
  2. qemu.initial.serial.log: Does this file end with Unable to mount root fs on unknown-block(8,1)? If so, the initial filesystem image was not generated correctly using kpartx. Try deleting the scratch directory corresponding to this firmware image, and restart at makeImage.sh. Otherwise, the initial emulation didn't produce any useful instrumentation. Try increasing the timeout in inferNetwork.sh from 60 to 120 and restarting at inferNetwork.sh.
  3. qemu.initial.serial.log: Did the init process crash, and is this preceded by a failed NVRAM operation (e.g. nvram_get_buf: Unable to open key <foo>)? If so, see the FAQ entries below.

Log ends with "Kernel panic - not syncing: No working init found"

The firmware uses an initialization process with an unusual name. You'll need to manually inspect the filesystem to identify the correct one, then modify the script to specify its full path by appending a kernel boot parameter init=<path> to QEMU.

A process crashed, e.g. do_page_fault() #2: sending SIGSEGV for invalid read access from 00000000

It is likely that the process requested an NVRAM entry that FIRMADYNE does not have a default value for. This can be fixed by manually adding a source for NVRAM entries to NVRAM_DEFAULTS_PATH, an entry to NVRAM_DEFAULTS, or a file to OVERRIDE_POINT in libnvram. For more details, see the documentation for libnvram. Note that the first two options involve modifying config.h, which will require recompilation of libnvram.
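As an added example (not part of the FIRMADYNE project), the following Python script turns the run.sh checklist and the two FAQ entries above into rules over a qemu.initial.serial.log, so the next step can be read off a log instead of grepped for by hand. The sample log lines are constructed to resemble the messages quoted on this page; the function names and the rule table are the example's own.

```python
"""Triage a FIRMADYNE qemu.initial.serial.log against the FAQ checklist.

Added example; not part of the FIRMADYNE project. The rules encode the
symptoms listed in the FAQ, the log lines are constructed to resemble the
messages quoted on this page, and all function names are this example's own.
"""
import re
from typing import Dict, List

# (pattern, diagnosis, next step as stated in the FAQ)
RULES = [
    (re.compile(r"Unable to mount root fs on unknown-block\(8,1\)"),
     "rootfs-not-mounted",
     "initial image not generated correctly by kpartx: delete scratch/<id> and restart at makeImage.sh"),
    (re.compile(r"Kernel panic - not syncing: No working init found"),
     "no-working-init",
     "init has an unusual name: find it in the filesystem and append init=<path> to the kernel boot parameters"),
    (re.compile(r"nvram_get_buf: Unable to open key:? (?P<key>\S+)"),
     "missing-nvram-key",
     "add a default for this key via NVRAM_DEFAULTS, NVRAM_DEFAULTS_PATH or a file at OVERRIDE_POINT in libnvram"),
    (re.compile(r"do_page_fault\(\).*sending SIGSEGV"),
     "process-crashed",
     "a process crashed; check whether a failed NVRAM lookup precedes it"),
]

# Constructed sample, modelled on the messages quoted in the FAQ and issues on this page.
SAMPLE_LOG = """\
[    1.248000] Freeing unused kernel memory: 220k freed
nvram_get_buf: console_loglevel
nvram_get_buf: Unable to open key: /firmadyne/libnvram/wl0_wep!
nvram_get_buf: Unable to open key: /firmadyne/libnvram/lan_ifname!
nvram_get_buf: Unable to open key: /firmadyne/libnvram/wl0_wep!
do_page_fault() #2: sending SIGSEGV for invalid read access from 00000000
""".splitlines()


def key_name(raw: str) -> str:
    """'/firmadyne/libnvram/wl0_wep!' -> 'wl0_wep' (path prefix and trailing '!' dropped)."""
    return raw.rstrip("!").rsplit("/", 1)[-1]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that matches a FAQ symptom, in log order."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        for pattern, diagnosis, advice in RULES:
            m = pattern.search(line)
            if m is None:
                continue
            finding: Dict[str, object] = {"line": lineno, "diagnosis": diagnosis, "advice": advice}
            if "key" in m.groupdict():
                finding["key"] = key_name(m.group("key"))
            findings.append(finding)
            break
    return findings


def missing_nvram_keys(findings: List[Dict[str, object]]) -> List[str]:
    """Unique NVRAM keys the firmware asked for and libnvram could not serve."""
    seen: List[str] = []
    for f in findings:
        if f["diagnosis"] == "missing-nvram-key" and f["key"] not in seen:
            seen.append(str(f["key"]))
    return seen


def next_step(lines: List[str]) -> str:
    """Walk the FAQ checklist in order and return the step it points to."""
    tail = [l for l in lines if l.strip()]
    if tail and RULES[0][0].search(tail[-1]):
        return "makeImage.sh"      # checklist item 2: log ends with the root fs error
    findings = triage(lines)
    if not findings:
        return "inferNetwork.sh"   # item 2, otherwise: raise the 60 s timeout and rerun
    if any(f["diagnosis"] == "no-working-init" for f in findings):
        return "init=<path>"       # FAQ: init process with an unusual name
    if missing_nvram_keys(findings):
        return "libnvram"          # item 3 / FAQ: supply the missing NVRAM defaults
    return "inspect"               # a crash with no NVRAM cause visible: not covered by the checklist


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print("missing keys:", missing_nvram_keys(triage(SAMPLE_LOG)))
    print("next step:", next_step(SAMPLE_LOG))
```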

How do I debug the emulated firmware?

  1. With full-system QEMU emulation, compile a statically-linked gdbserver for the target architecture, copy it into the filesystem, attach it to the process of interest, and connect remotely using gdb-multiarch. You'll need a cross-compile toolchain; either use the crossbuild-essential-* packages supplied by Debian/Ubuntu, build it from scratch using e.g. buildroot, or look for GPL sources and/or pre-compiled binaries online. If you have IDA Pro, you can use IDA's pre-compiled debug servers (located in the dbgsrv subdirectory of the install), though they are not GDB-compatible.
  2. With full-system QEMU emulation, pass the -s -S parameters to QEMU and connect to the stub using target remote localhost:1234 from gdb-multiarch. However, the debugger won't automatically know where the kernel and userspace are in memory, so you may need to manually do add-symbol-file in gdb and break around try_to_run_init_process() in the kernel.
  3. With user-mode QEMU emulation, chroot into the firmware image (optional), set LD_LIBRARY_PATH to contain the FIRMADYNE libnvram, and pass both the -L parameter with the correct path to the firmware /lib directory, and the binary of interest to QEMU. This is easiest to debug, because you can attach directly to the process using gdb-multiarch, and interact directly with the process, but the system state may not be accurate since the host kernel is being used. It is also somewhat insecure, because the emulated firmware can access the host filesystem and interact with the host kernel.

Compiling from Source

If you would like to compile the entire FIRMADYNE system from scratch without using our pre-built binaries, please follow the steps below.

In order to build any of the binaries used by FIRMADYNE, you will need three cross-compilation toolchains for the following architecture triples. Use only musl libc as the C runtime library for the toolchain; others have not been tested.

  • arm-linux-musleabi
  • mipseb-linux-musl
  • mipsel-linux-musl

To simplify the process of building cross-compilation toolchains with musl, we recommend using the musl-cross project. Follow the below steps to build these toolchains from source, or alternatively click here to download our pre-built toolchains.

  1. git clone https://github.com/GregorR/musl-cross.git

  2. Modify or set the following variables in defs.sh

    • BINUTILS_URL=http://ftp.gnu.org/gnu/binutils/binutils-2.25.1.tar.bz2
    • GCC_VERSION=5.3.0
    • GMP_VERSION=6.0.0a
    • MPC_VERSION=1.0.2
    • MPFR_VERSION=3.1.3
    • LIBELF_VERSION=master
    • MUSL_DEFAULT_VERSION=1.1.12
    • MUSL_GIT_VERSION=615629bd6fcd6ddb69ad762e679f088c7bd878e2
    • LANG_CXX=no
    • GCC_BUILTIN_PREREQS=yes
  3. Modify or set the following variables in config.sh

    • CFLAGS="-fPIC"
  4. For little-endian MIPS, perform the following:

    • set TRIPLE=mipsel-linux-musl in config.sh
    • set LINUX_HEADERS_URL=https://mirrors.edge.kernel.org/pub/linux/kernel/v2.6/linux-2.6.39.4.tar.xz in defs.sh
    • run ./clean.sh to clean out any previous builds
    • run ./build.sh to build and install the toolchain into /opt/cross
  5. For big-endian MIPS, perform the following:

    • set TRIPLE=mipseb-linux-musl in config.sh
    • set LINUX_HEADERS_URL=https://mirrors.edge.kernel.org/pub/linux/kernel/v2.6/linux-2.6.39.4.tar.xz in defs.sh
    • run ./clean.sh to clean out any previous builds
    • run ./build.sh to build and install the toolchain into /opt/cross
  6. For little-endian ARM, perform the following:

    • set TRIPLE=arm-linux-musleabi, GCC_BOOTSTRAP_CONFFLAGS="--with-arch=armv6 --with-float=softfp", and GCC_CONFFLAGS="--with-arch=armv6 --with-float=softfp" in config.sh
    • set LINUX_HEADERS_URL=https://kernel.org/pub/linux/kernel/v4.x/linux-4.1.17.tar.xz in defs.sh
    • run ./clean.sh to clean out any previous builds
    • run ./build.sh to build and install the toolchain into /opt/cross
  7. You should have the following directories, or wherever you installed the toolchains:

    • /opt/cross/arm-linux-musleabi
    • /opt/cross/mipseb-linux-musl
    • /opt/cross/mipsel-linux-musl

Console

  1. cd ./firmadyne/sources/console
  2. make clean && CC=/opt/cross/arm-linux-musleabi/bin/arm-linux-musleabi-gcc make && mv console ../../binaries/console.armel
  3. make clean && CC=/opt/cross/mipseb-linux-musl/bin/mipseb-linux-musl-gcc make && mv console ../../binaries/console.mipseb
  4. make clean && CC=/opt/cross/mipsel-linux-musl/bin/mipsel-linux-musl-gcc make && mv console ../../binaries/console.mipsel

libnvram

  1. cd ./firmadyne/sources/libnvram
  2. make clean && CC=/opt/cross/arm-linux-musleabi/bin/arm-linux-musleabi-gcc make && mv libnvram.so ../../binaries/libnvram.so.armel
  3. make clean && CC=/opt/cross/mipseb-linux-musl/bin/mipseb-linux-musl-gcc make && mv libnvram.so ../../binaries/libnvram.so.mipseb
  4. make clean && CC=/opt/cross/mipsel-linux-musl/bin/mipsel-linux-musl-gcc make && mv libnvram.so ../../binaries/libnvram.so.mipsel

Kernel

  1. git clone https://github.com/firmadyne/kernel-v4.1.git && cd kernel-v4.1
  2. mkdir -p build/armel
  3. cp config.armel build/armel/.config
  4. make ARCH=arm CROSS_COMPILE=/opt/cross/arm-linux-musleabi/bin/arm-linux-musleabi- O=./build/armel zImage -j8
  5. cp build/armel/arch/arm/boot/zImage ../firmadyne/binaries/zImage.armel
  1. git clone https://github.com/firmadyne/kernel-v2.6.git && cd kernel-v2.6

  2. For big-endian MIPS, perform the following:

    1. mkdir -p build/mipseb
    2. cp config.mipseb build/mipseb/.config
    3. make ARCH=mips CROSS_COMPILE=/opt/cross/mipseb-linux-musl/bin/mipseb-linux-musl- O=./build/mipseb -j8
    4. cp build/mipseb/vmlinux ../firmadyne/binaries/vmlinux.mipseb
  3. For little-endian MIPS, perform the following:

    1. mkdir -p build/mipsel
    2. cp config.mipsel build/mipsel/.config
    3. make ARCH=mips CROSS_COMPILE=/opt/cross/mipsel-linux-musl/bin/mipsel-linux-musl- O=./build/mipsel -j8
    4. cp build/mipsel/vmlinux ../firmadyne/binaries/vmlinux.mipsel

Database

During development, the database was stored on a PostgreSQL server.

Data

Although we cannot redistribute binary firmware, the data used for our experiments is available here.

Below are descriptions of tables in the schema.

  • brand: Stores brand names for each vendor.

    Column            Description
    id                Primary key
    name              Brand name

  • image: Stores information about each firmware image.

    Column            Description
    id                Primary key
    filename          File name
    brand_id          Foreign key to brand
    hash              MD5
    rootfs_extracted  Whether the primary filesystem was extracted
    kernel_extracted  Whether the kernel was extracted
    arch              Hardware architecture
    kernel_version    Version of the extracted kernel

  • object: Stores information about each file in a filesystem.

    Column            Description
    id                Primary key
    hash              MD5

  • object_to_image: Maps unique files to their firmware images.

    Column            Description
    id                Primary key
    oid               Foreign key to object
    iid               Foreign key to image
    filename          Full path to the file
    regular_file      Whether the file is regular
    permissions       File permissions in octal
    uid               Owner's user ID
    gid               Group's group ID

  • product

    Column            Description
    id                Primary key
    iid               Foreign key to image
    url               Download URL
    mib_filename      Filename of the SNMP MIB
    mib_hash          MD5 of the SNMP MIB
    mib_url           Download URL of the SNMP MIB
    sdk_filename      Filename of the source SDK
    sdk_hash          MD5 of the source SDK
    sdk_url           Download URL of the source SDK
    product           Product name
    version           Version string
    build             Build string
    date              Release date
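The point of the object / object_to_image split is that each distinct file content is stored once and mapped to every image it appears in, which is what lets one affected binary be traced to the images and products that ship it. The following Python script is an added example (not part of the FIRMADYNE project): it builds the tables described above in an in-memory SQLite database as a stand-in for the project's PostgreSQL server (column types are assumed, the MIB/SDK columns of product are left out) and runs three queries over constructed sample rows.

```python
"""Query the FIRMADYNE schema for a file's footprint across firmware images.

Added example, not part of the FIRMADYNE project. The brand, image, object,
object_to_image and product tables below follow the column descriptions on
this page (column types are assumed; the MIB/SDK columns of product are left
out). An in-memory SQLite database stands in for the project's PostgreSQL
server, and every row is constructed sample data.
"""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE brand (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE image (
    id INTEGER PRIMARY KEY, filename TEXT, brand_id INTEGER REFERENCES brand(id),
    hash TEXT, rootfs_extracted INTEGER, kernel_extracted INTEGER,
    arch TEXT, kernel_version TEXT);
CREATE TABLE object (id INTEGER PRIMARY KEY, hash TEXT UNIQUE NOT NULL);
CREATE TABLE object_to_image (
    id INTEGER PRIMARY KEY, oid INTEGER REFERENCES object(id),
    iid INTEGER REFERENCES image(id), filename TEXT, regular_file INTEGER,
    permissions INTEGER, uid INTEGER, gid INTEGER);
CREATE TABLE product (
    id INTEGER PRIMARY KEY, iid INTEGER REFERENCES image(id), url TEXT,
    product TEXT, version TEXT, build TEXT, date TEXT);
"""


def build_db() -> sqlite3.Connection:
    """Create the schema and load constructed rows for three images of two brands."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO brand VALUES (?, ?)", [(1, "Netgear"), (2, "Linksys")])
    conn.executemany(
        "INSERT INTO image VALUES (?, ?, ?, ?, 1, 0, ?, NULL)",
        [(1, "WNAP320 Firmware Version 2.0.3.zip", 1, "md5-image-1", "mipseb"),
         (2, "WNDR3400v3-V1.0.1.4_1.0.52.zip", 1, "md5-image-2", "mipsel"),
         (3, "DVRF_v03.bin", 2, "md5-image-3", "mipsel")])
    conn.executemany(
        "INSERT INTO product (id, iid, product, version) VALUES (?, ?, ?, ?)",
        [(1, 1, "WNAP320", "2.0.3"), (2, 2, "WNDR3400v3", "1.0.1.4"), (3, 3, "DVRF", "0.3")])
    # object stores each distinct file content once (keyed by hash);
    # object_to_image records every path, in every image, where it occurs.
    conn.executemany("INSERT INTO object VALUES (?, ?)",
                     [(10, "md5-httpd-a"), (11, "md5-busybox-b"), (12, "md5-httpd-c")])
    conn.executemany(
        "INSERT INTO object_to_image (oid, iid, filename, regular_file, permissions, uid, gid)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(10, 1, "/usr/sbin/httpd", 1, 0o755, 0, 0),   # same httpd build in images 1 and 2
         (10, 2, "/usr/sbin/httpd", 1, 0o755, 0, 0),
         (11, 1, "/bin/busybox", 1, 0o4755, 0, 0),     # setuid in image 1 only
         (11, 2, "/bin/busybox", 1, 0o755, 0, 0),
         (11, 3, "/bin/busybox", 1, 0o755, 0, 0),
         (12, 3, "/usr/sbin/httpd", 1, 0o755, 0, 0)])  # a different httpd build
    conn.commit()
    return conn


def images_containing(obj_hash: str, conn: Optional[sqlite3.Connection] = None) -> List[Tuple]:
    """(image id, brand, product, version, path) for every image holding a file with this hash.

    This is the join behind 'one affected binary -> N affected images and products'.
    """
    if conn is None:
        conn = build_db()
    return conn.execute("""
        SELECT i.id, b.name, p.product, p.version, oti.filename
        FROM object o
        JOIN object_to_image oti ON oti.oid = o.id
        JOIN image i ON i.id = oti.iid
        JOIN brand b ON b.id = i.brand_id
        LEFT JOIN product p ON p.iid = i.id
        WHERE o.hash = ?
        ORDER BY i.id, oti.filename""", (obj_hash,)).fetchall()


def setuid_files(conn: Optional[sqlite3.Connection] = None) -> List[Tuple[int, str, str]]:
    """(image id, path, mode) of regular files with the setuid bit set, across all images."""
    if conn is None:
        conn = build_db()
    rows = conn.execute("""
        SELECT iid, filename, permissions FROM object_to_image
        WHERE regular_file = 1 AND (permissions & ?) != 0
        ORDER BY iid, filename""", (0o4000,)).fetchall()
    return [(iid, path, oct(mode)) for iid, path, mode in rows]


def object_prevalence(conn: Optional[sqlite3.Connection] = None) -> List[Tuple[str, int]]:
    """How many distinct images each unique file occurs in, most widespread first."""
    if conn is None:
        conn = build_db()
    return conn.execute("""
        SELECT o.hash, COUNT(DISTINCT oti.iid) AS n
        FROM object o JOIN object_to_image oti ON oti.oid = o.id
        GROUP BY o.hash ORDER BY n DESC, o.hash""").fetchall()


if __name__ == "__main__":
    db = build_db()
    print(images_containing("md5-httpd-a", db))
    print(setuid_files(db))
    print(object_prevalence(db))
```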

Paper

The results discussed in our paper were produced using pre-release versions of the following:

firmadyne's Issues

get_scratch fails when run from command-line instead of script

The code for get_scratch in firmadyne.config is as follows:

get_scratch () {
    if check_number "${1}"; then
        echo "Error: Invalid image number!"
        exit 1
    fi

    echo "${SCRATCH_DIR}/${IID}/"
}

Shouldn't the last line use ${1} instead of ${IID}?

Luckily the code still works because the scripts that call this function set IID, but this function fails when I run it manually.

AttributeError: 'module' object has no attribute 'scan'

I'm getting this error whenever I try to emulate any firmware using firmadyne, can someone please help?

Enter the name or absolute path of the firmware you want to analyse : DVRF_v03.bin
Enter the brand of the firmware : Linksys
DVRF_v03.bin
Now going to extract the firmware. Hold on..
/root/Desktop/firmadyne/sources/extractor/extractor.py -b Linksys -sql 127.0.0.1 -np -nk "DVRF_v03.bin" images
Traceback (most recent call last):
File "/root/Desktop/firmadyne/sources/extractor/extractor.py", line 425, in extract
if analysis():
File "/root/Desktop/firmadyne/sources/extractor/extractor.py", line 472, in _check_archive
return self._check_recursive("archive")
File "/root/Desktop/firmadyne/sources/extractor/extractor.py", line 632, in _check_recursive
for module in binwalk.scan(self.item, "-e", "-r", "-y", fmt,signature=True, quiet=True):
AttributeError: 'module' object has no attribute 'scan'
test
The database ID is 1
Getting image type
tar: ./images/1.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
Traceback (most recent call last):
File "fat.py", line 113, in
main()
File "fat.py", line 105, in main
get_image_type(image_id)
File "fat.py", line 58, in get_image_type
output = subprocess.check_output(get_image_type_command, shell=True)
File "/usr/lib/python2.7/subprocess.py", line 544, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '/root/Desktop/firmadyne/scripts/getArch.sh ./images/1.tar.gz' returned non-zero exit status 1

Stuck in inferNetwork.sh

Hi,

I think the inferNetwork.sh got stuck and the "qemu.initial.serial.log" looks like this (I deleted some useless info):

[ 1.248000] Freeing prom memory: 956k freed
[ 1.264000] Freeing unused kernel memory: 220k freed
nvram_get_buf: console_loglevel
sem_lock: Triggering NVRAM initialization!
nvram_init: Initializing NVRAM...
sem_get: Key: 4101c036
sem_get: Key: 410d002b
nvram_set_default_builtin: Setting built-in default values!
nvram_set: console_loglevel = "7"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: restore_defaults = "1"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: sku_name = ""
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: wla_wlanstate = ""
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: lan_if = "br0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: lan_ipaddr = "192.168.0.50"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: lan_bipaddr = "192.168.0.255"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: lan_netmask = "255.255.255.0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: time_zone = "EST5EDT"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: wan_hwaddr_def = "01:23:45:67:89:ab"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: wan_ifname = "eth0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: lan_ifnames = "eth1 eth2 eth3 eth4"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: ethConver = "1"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: lan_proto = "dhcp"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: wan_ipaddr = "0.0.0.0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: wan_netmask = "255.255.255.0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: wanif = "eth0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: time_zone_x = "0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: rip_multicast = "0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set: bs_trustedip_enable = "0"
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_set_default: Loading built-in default values = 1!
nvram_set_default: Checking for symbol "router_defaults"...
nvram_set_default: Checking for symbol "Nvrams"...
nvram_set_default_image: Copying overrides from defaults folder!
sem_get: Key: 410d002b
cp: cannot stat '/firmadyne/libnvram.override/*': No such file or directory
sem_get: Key: 410d002b
sem_get: Key: 410d002b
sem_get: Key: 410d002b
nvram_get_buf: = "7"
nvram_get_buf: boot_board_hw
sem_get: Key: 410d002b
sem_get: Key: 410d002b
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410d002b, Semaphore: 8001)...

It seems it has always been waiting for semaphore initialization. Finally, there is no "run.sh" in scratch, could you please give me some suggestions?

netgear123456 login failure

After deleting the file /etc/securetty, I still can't log in with root and password.

Welcome to SDK.

Have a lot of fun...

netgear123456 login: root
Login incorrect

Why?

netgear123456 login

When I ran ./scratch/1/run.sh,
netgear123456 login: [ 38.020000] brtrunk: no IPv6 routers present
[ 38.360000] eth0: no IPv6 routers present
Welcome to SDK.
Have a lot of fun...
netgear123456 login:

I want to know the default netgear username and password

Some issue about can't nc

I would like to use nc to get into the router's command line, but it did not respond.
I have looked at the console.c file; combined with the log, it does not seem to perform the final execl. How to solve this?

/libnvram.override not created - error in makeImage.sh

Here's a problem I ran into, while attempting to create an image with the latest git version of firmadyne:

$ sudo ./scripts/makeImage.sh 1
Querying database for architecture... Password for user firmadyne:
armel
----Running----
----Copying Filesystem Tarball----
----Creating QEMU Image----
Formatting '/home/fuzz/in/firmadyne//scratch//1//image.raw', fmt=raw size=1073741824
----Creating Partition Table----

Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xfaec4e5b.

Command (m for help): Created a new DOS disklabel with disk identifier 0xbf863f73.

Command (m for help): Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): Partition number (1-4, default 1): First sector (2048-2097151, default 2048): Last sector, +sectors or +size{K,M,G,T,P} (20482097151, default 2097151):
Created a new partition 1 of type 'Linux' and of size 1023 MiB.

Command (m for help): The partition table has been altered.
Syncing disks.

----Mounting QEMU Image----
add map loop0p1 (252:2): 0 2095104 linear 7:0 2048
----Creating Filesystem----
mke2fs 1.42.13 (17-May-2015)
Discarding device blocks: done
Creating filesystem with 261888 4k blocks and 65536 inodes
Filesystem UUID: 6472c364-3013-475b-b668-95a76aa17fc4
Superblock backups stored on blocks:
32768, 98304, 163840, 229376

Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

----Making QEMU Image Mountpoint----
----Mounting QEMU Image Partition 1----
----Extracting Filesystem Tarball----
----Creating FIRMADYNE Directories----
----Patching Filesystem (chroot)----
Creating /etc/TZ!
Creating /etc/hosts!
Creating /etc/passwd!
Warning: Recreating device nodes!
Removing /etc/scripts/sys_resetbutton!
Creating default rip_multicast!
/fixImage.sh: line 158: can't create /libnvram.override/rip_multicast: nonexistent directory
Creating default bs_trustedip_enable!
/fixImage.sh: line 163: can't create /libnvram.override/bs_trustedip_enable: nonexistent directory
Creating default filter_rule_tbl!
/fixImage.sh: line 168: can't create /libnvram.override/filter_rule_tbl: nonexistent directory
Creating default rip_enable!
/fixImage.sh: line 173: can't create /libnvram.override/rip_enable: nonexistent directory

The problem is that makeImage.sh creates "/firmware/nvram.override", while fixImage.sh looks for "/nvram.override". (note the missing "/firmadyne/"). It seems that removing "/firmadyne" from makeImage.sh doesn't fix everything, nor does adding "/firmadyne" to fixImage.sh. The error from the latter technique is:

nvram_set_default_image: Copying overrides from defaults folder!
sem_get: Key: 410c0019
cp: cannot remove '/libnvram/bs_trustedip_enable': No such file or directory
cp: cannot remove '/libnvram/filter_rule_tbl': No such file or directory
cp: cannot remove '/libnvram/rip_enable': No such file or directory
cp: cannot remove '/libnvram/rip_multicast': No such file or directory
sem_get: Key: 410c0019
sem_get: Key: 410c0019
sem_get: Key: 410c0019
nvram_get_buf: = "0"
[ 3.005122] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00001600
[ 3.005122]
[ 3.005463] CPU: 0 PID: 1 Comm: init Tainted: G W 4.1.17+ #1
[ 3.005652] Hardware name: Generic DT based system
[ 3.005855] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[ 3.006095] [] (show_stack) from [] (panic+0x70/0x1c8)
[ 3.006328] [] (panic) from [] (do_exit+0x3c0/0x774)
[ 3.006540] [] (do_exit) from [] (do_group_exit+0x0/0xa8)
[ 3.006780] [] (do_group_exit) from [] (ret_fast_syscall+0x0/0x3c)
[ 3.007207] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00001600
[ 3.007207]

Firmware Login - inferNetwork

(title intentionally similar to #23, but i think this is a different problem..)

Everything works as expected for the latest version of the example firmware. However, when I try another firmware:

wget http://www.downloads.netgear.com/files/GDC/WNDR3400V3/WNDR3400v3-V1.0.1.4_1.0.52.zip

I can't connect to the network interface. Running the inferNetwork script gives me:

host@host-vm:/opt/firmadyne$ ./scripts/inferNetwork.sh 1
Querying database for architecture... Password for user firmadyne: 
mipsel
Running firmware 1: terminating after 60 secs...
Bad SWSTYLE=0x04
Inferring network...
Interfaces: [('br0', '192.168.1.1')]
Done!

Run.sh is generated. I'm seeing a lot of "unable to open key" errors, like this when I run the run.sh:

sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_get: Waiting for semaphore initialization (Key: 410e00f9, Semaphore: 8001)...
sem_unlock: Unable to get semaphore!
nvram_get_buf: Unable to open key: /firmadyne/libnvram/wl0_wep!

I was wondering if you're able to recreate this, and if this is a bug, or if this is specific to my setup?

Thanks!

run.sh is missing in scratch

I am getting this error
chroot: failed to run command ‘/busybox’: No such file or directory

when I try to run inferNetwork
Querying database for architecture... Password for user firmadyne:
mipseb
Running firmware 1 for 60 secs...
qemu-system-mips: pci_add_option_rom: failed to find romfile "efi-pcnet.rom"
qemu-system-mips: pci_add_option_rom: failed to find romfile "efi-pcnet.rom"
qemu-system-mips: pci_add_option_rom: failed to find romfile "efi-pcnet.rom"
qemu-system-mips: pci_add_option_rom: failed to find romfile "efi-pcnet.rom"
qemu-system-mips: pci_add_option_rom: failed to find romfile "vgabios-cirrus.bin"

and when I am going ahead with the tutorial and trying to create a tap device
I am getting the error
bash: ./scratch/1/run.sh: No such file or directory

any guidance will be of great help

FAT - Object has no attribute database

I keep getting this error and I am not sure what the issue is. I read that on Kali the Dlink firmware cannot be emulated so I tried a different one, and the error is still the same. Can someone help please?


root@wimo:~/tools/firmadyne# ./fat.py

	Welcome to the Firmware Analysis Toolkit - v0.1
	Offensive IoT Exploitation Training  - http://offensiveiotexploitation.com
	By Attify - https://attify.com  | @attifyme
	
Enter the name or absolute path of the firmware you want to analyse : Dlink_firmware.bin
Enter the brand of the firmware : Dlink
Dlink_firmware.bin
Now going to extract the firmware. Hold on..
/root/tools/firmadyne/sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "Dlink_firmware.bin" images 
Traceback (most recent call last):
  File "/root/tools/firmadyne/sources/extractor/extractor.py", line 730, in <module>
    main()
  File "/root/tools/firmadyne/sources/extractor/extractor.py", line 727, in main
    extract.extract()
  File "/root/tools/firmadyne/sources/extractor/extractor.py", line 189, in extract
    self._extract_item(item)
  File "/root/tools/firmadyne/sources/extractor/extractor.py", line 197, in _extract_item
    ExtractionItem(self, path, 0).extract()
  File "/root/tools/firmadyne/sources/extractor/extractor.py", line 227, in __init__
    host=self.extractor.database)
  File "/usr/lib/python2.7/dist-packages/psycopg2/__init__.py", line 164, in connect
    conn = _connect(dsn, connection_factory=connection_factory, async=async)
psycopg2.OperationalError: FATAL:  password authentication failed for user "firmadyne"
FATAL:  password authentication failed for user "firmadyne"

Exception AttributeError: "'ExtractionItem' object has no attribute 'database'" in <bound method ExtractionItem.__del__ of <__main__.ExtractionItem object at 0x7f55bea2f590>> ignored
Traceback (most recent call last):
  File "./fat.py", line 113, in <module>
    main()
  File "./fat.py", line 100, in main
    extractor(firm_name,firm_brand)
  File "./fat.py", line 45, in extractor
    output = subprocess.check_output(extractor_command, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '/root/tools/firmadyne/sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "Dlink_firmware.bin" images ' returned non-zero exit status 1

Generated run.sh does not exit properly

The run.sh generated by inferNetwork.sh does not exit properly. When you use ctrl-a + x to exit QEMU, the cleanup function is not called. I suspected it was due to the qemu command exiting with a non-zero status, causing run.sh to exit prematurely.

I added set +e before the following line in run.sh and the cleanup function was actually called. Now the issue I saw is that it seems to be called twice.

 ${QEMU} -m 256 -M ${QEMU_MACHINE} -kernel ${KERNEL} \
    -drive if=ide,format=raw,file=${IMAGE} -append "root=${QEMU_ROOTFS} console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 user_debug=31 firmadyne.syscall=8" \
    -nographic \
    -net nic,vlan=0 -net socket,vlan=0,listen=:2000 -net nic,vlan=1 -net tap,vlan=1,id=net0,ifname=${TAPDEV_0},script=no -net nic,vlan=2 -net socket,vlan=2,listen=:2002 -net nic,vlan=3 -net socket,vlan=3,listen=:2003 | tee ${WORK_DIR}/qemu.final.serial.log

/script/makeNetwork.py undefined var

When I tried to run ./scripts/makeImage.sh with a D-Link firmware, it failed and gave the following output:

./scripts/inferNetwork.sh 3
...
Inferring network...
Traceback (most recent call last):
 ...
  File ".../makeNetwork.py", line 117, in findMacChanges
    g = re.match(r"^ioctl_SIOCSIFHWADDR\[[^\]]+\]: dev:([^ ]+) mac:0x([0-9a-f]+) 0x([0-9a-f]+)", c)
NameError: global name 'c' is not defined

Then I checked ./scripts/makeNetwork.py and found that "for c in candidates:" should be added at line 117.
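As an added illustration (not firmadyne's own code), a Python version of the loop the poster describes: it iterates over each candidate line, applies the regex quoted above, and skips records that do not parse instead of raising. The sample log lines, the "[ secs] firmadyne: " prefix that is stripped, and the layout of the two hex words into a MAC address are all assumptions constructed for this example.

```python
import re

# Regex quoted in the issue above (makeNetwork.py, findMacChanges).
MAC_CHANGE_RE = re.compile(
    r"^ioctl_SIOCSIFHWADDR\[[^\]]+\]: dev:([^ ]+) mac:0x([0-9a-f]+) 0x([0-9a-f]+)"
)

# Assumed framing of a serial-log line: "[ <secs>] firmadyne: " precedes
# the message and must be stripped for the anchored regex to match.
PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*(?:firmadyne:\s*)?")


def strip_prefix(line):
    """Drop the kernel timestamp and instrumentation tag from one line."""
    return PREFIX_RE.sub("", line.rstrip("\r\n"))


def format_mac(word0, word1):
    """Assumed layout: word0 carries the upper 2 MAC bytes, word1 the
    lower 4, each printed as a hex number without leading zeros."""
    digits = word0.zfill(4)[-4:] + word1.zfill(8)[-8:]
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_mac_changes(log_lines):
    """Return [(dev, mac)] for every hardware-address change recorded in
    the log; lines that do not parse are skipped rather than raising."""
    candidates = [strip_prefix(l) for l in log_lines]
    candidates = [c for c in candidates if c.startswith("ioctl_SIOCSIFHWADDR")]
    changes = []
    for c in candidates:  # the loop the issue reports as missing at line 117
        g = MAC_CHANGE_RE.match(c)
        if g is None:
            continue  # malformed or truncated record
        dev, word0, word1 = g.groups()
        changes.append((dev, format_mac(word0, word1)))
    return changes


# Constructed sample log, not a real capture: two valid records, one
# truncated record, and an unrelated kernel message.
SAMPLE_LOG = """\
[    2.104000] firmadyne: ioctl_SIOCSIFHWADDR[PID: 311 (ifconfig)]: dev:eth0 mac:0x1122 0x33445566
[    2.108000] firmadyne: ioctl_SIOCSIFHWADDR[PID: 311 (ifconfig)]: dev:br0 mac:0xa1b 0x2c3d4e5f
[    2.110000] firmadyne: ioctl_SIOCSIFHWADDR[PID: 312 (brctl)]: dev:eth1 mac:
[    2.200000] device eth0 entered promiscuous mode
"""

if __name__ == "__main__":
    print(find_mac_changes(SAMPLE_LOG.splitlines()))
```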

Printing debug output from libnvram

So I was using firmadyne to emulate a D-Link image. It emulates perfectly, though I was interested in seeing the debug output emitted by libnvram. Looking at the code, it should print it if DEBUG is defined, which is the case in config.h. I even tried printing to stdout instead of stderr but still couldn't see any debug output being printed. I know the nvram functions are being triggered because I can see the default config file being copied over to the firmadyne library. Is there any other modification that I need to make in order to make libnvram print its debug output?

VLAN problem

I can not fix this. What could be the problem?

Creating TAP device tap1_0...
Set 'tap1_0' persistent and owned by uid 0
Initializing VLAN...
./run.sh: line 34: VLANID: unbound variable

arch='armel' can't emulate network successfully

I tested 4250 firmware images, including ASUS, D-Link and Netgear. I found that in the database there is no arch='armel' image whose network emulation succeeded.
Can you give a successful example with arch='armel'?

Debugging firmware images that aren't successfully emulated

Hey @ddcc, I had a question regarding the debugging framework for binaries that aren't successfully emulated. I wanted to remotely debug a web server binary that was running as part of the emulation, but I was having trouble connecting to the gdb stub that I was running in QEMU. Do you have any pointers as to how you go about debugging these binaries?

Firmware not taking IP

I was trying to emulate the following firmware, and after a long night installing the required tools
I ran into a strange thing: it didn't get any IP and no interface was created.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
mke2fs 1.42.12 (29-Aug-2014)
The file /dev/mapper/loop0p1 does not exist and no size was specified.
Please check the makeImage function
Everything is done for the image id 3
Setting up the network connection
Password for user firmadyne:
qemu: terminating on signal 2 from pid 8852
Querying database for architecture... mipseb
Running firmware 3: terminating after 60 secs...
Inferring network...
Interfaces: []
Done!

Running the firmware finally :

I'd appreciate your assistance on where I can start troubleshooting.
PS: I'm using Linux Mint 64-bit.

A few firmware images don't work on Kali Linux

Hello,
I tried to emulate a Dlink firmware in Ubuntu and it worked perfectly, but in Kali the network is up and it is not opening any login screen.
Nmap shows all 1000 ports are filtered.

MIPS kernel

Not really an issue; I was just curious as to why you used this particular version of the kernel (v2.6.32.70) for emulating the firmware images. Is there some particular reason you didn't want to cross-compile newer versions of the kernel?

Network is created with ('br0', '192.168.0.1') and ('br1', '192.168.7.1'), but the application is not hosted at the same address.

Enter the name or absolute path of the firmware you want to analyse : /root/Desktop/IOT/SecTu/Dlink/DIR880A1_FW103WWb11_f41b.bin
Enter the brand of the firmware : Dlink
/root/Desktop/IOT/SecTu/Dlink/DIR880A1_FW103WWb11_f41b.bin
Now going to extract the firmware. Hold on..
/root/tools/firmadyne/sources/extractor/extractor.py -b Dlink -sql 127.0.0.1 -np -nk "/root/Desktop/IOT/SecTu/Dlink/DIR880A1_FW103WWb11_f41b.bin" images
test
The database ID is 1
Getting image type
Password for user firmadyne:
Found image type of armel
Putting information to database
Traceback (most recent call last):
  File "/root/tools/firmadyne/scripts/tar2db.py", line 100, in <module>
    main()
  File "/root/tools/firmadyne/scripts/tar2db.py", line 97, in main
    process(iid, infile)
  File "/root/tools/firmadyne/scripts/tar2db.py", line 77, in process
    insertObjectToImage(iid, file2oid, links, cur)
  File "/root/tools/firmadyne/scripts/tar2db.py", line 57, in insertObjectToImage
    for x in files2oids])
psycopg2.IntegrityError: duplicate key value violates unique constraint "object_to_image_oid_iid_filename_key"
DETAIL: Key (oid, iid, filename)=(1, 1, /htdocs/phplib/fatlady/SMS.php) already exists.

Tar2DBb''
Creating Image
Executing command

sudo /root/tools/firmadyne/scripts/makeImage.sh 1
Password for user firmadyne:
mke2fs 1.43.3 (04-Sep-2016)
/fixImage.sh: line 30: can't create /etc/passwd: nonexistent directory
device-mapper: remove ioctl on loop0p1 failed: Device or resource busy
Make Image output b"Querying database for architecture... armel\n----Running----\n----Copying Filesystem Tarball----\n----Creating QEMU Image----\nFormatting '/root/tools/firmadyne/scratch//1//image.raw', fmt=raw size=1073741824\n----Creating Partition Table----\n\nWelcome to fdisk (util-linux 2.28.2).\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\nDevice does not contain a recognized partition table.\nCreated a new DOS disklabel with disk identifier 0x024286e8.\n\nCommand (m for help): Created a new DOS disklabel with disk identifier 0x5c31d996.\n\nCommand (m for help): Partition type\n p primary (0 primary, 0 extended, 4 free)\n e extended (container for logical partitions)\nSelect (default p): Partition number (1-4, default 1): First sector (2048-2097151, default 2048): Last sector, +sectors or +size{K,M,G,T,P} (2048-2097151, default 2097151): \nCreated a new partition 1 of type 'Linux' and of size 1023 MiB.\n\nCommand (m for help): The partition table has been altered.\nSyncing disks.\n\n----Mounting QEMU Image----\nadd map loop0p1 (254:0): 0 2095104 linear 7:0 2048\n----Creating Filesystem----\nDiscarding device blocks: 4096/261888\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08 \x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08done \nCreating filesystem with 261888 4k blocks and 65536 inodes\nFilesystem UUID: 38d55df2-d3b5-448e-b48f-af4d7993d3ed\nSuperblock backups stored on blocks: \n\t32768, 98304, 163840, 229376\n\nAllocating group tables: 0/8\x08\x08\x08 \x08\x08\x08done \nWriting inode tables: 0/8\x08\x08\x08 \x08\x08\x08done \nWriting superblocks and filesystem accounting information: 0/8\x08\x08\x08 \x08\x08\x08done\n\n----Making QEMU Image Mountpoint----\n----Mounting QEMU Image Partition 1----\n----Extracting Filesystem Tarball----\n----Creating FIRMADYNE Directories----\n----Patching Filesystem (chroot)----\nCreating /etc/TZ!\nCreating /etc/hosts!\nCreating /etc/passwd!\nRemoving /etc/scripts/sys_resetbutton!\n----Setting up FIRMADYNE----\n----Unmounting QEMU Image----\nloop deleted : /dev/loop0\n"
Everything is done for the image id 1
Setting up the network connection
Password for user firmadyne:
qemu-system-arm: terminating on signal 2 from pid 13316
b"Querying database for architecture... armel\nRunning firmware 1: terminating after 60 secs...\nInferring network...\nInterfaces: [('br0', '192.168.0.1'), ('br1', '192.168.7.1')]\nDone!\n"
Running the firmware finally :

No IP for interface when emulating netgear r6250 firmware

The title says it all: I don't get any IP address when inferring the network for a Netgear R6250 firmware (specifically version v1.0.1.84_1.0.78). Binwalk unpacks the firmware successfully; the issue seems to be just that there is no IP for interface br0. I notice you also mention that we should report this issue because it might be a bug, hence I'm doing so. If you need any more information just let me know and I can assist.

Thanks,
j3rg

2 Bridge IPs and VLAN has no NIC

Hi @ddcc: I'm trying to run firmadyne with the DIR 868L-revB firmware and getting the following error:

mke2fs 1.42.9 (4-Feb-2014)
/fixImage.sh: line 30: can't create /etc/passwd: nonexistent directory
Everything is done for the image id 1
Setting up the network connection
Password for user firmadyne: 
qemu: terminating on signal 2 from pid 13758
Querying database for architecture... armel
Running firmware 1: terminating after 60 secs...
Inferring network...
Interfaces: [('br0', '192.168.0.1'), ('br1', '192.168.7.1')]
Done!

Running the firmware finally : 
Warning: hub port hub3port0 has no peer
Warning: vlan 3 with no nics
Warning: hub port hub2port0 has no peer
Warning: vlan 2 with no nics
Warning: hub port hub1port0 has no peer
Warning: vlan 1 with no nics
Warning: hub port hub0port0 has no peer
Warning: vlan 0 with no nics
Warning: netdev hub0port0 has no peer
Warning: netdev hub1port0 has no peer
Warning: netdev hub2port0 has no peer
Warning: netdev hub3port0 has no peer
Warning: requested NIC (anonymous, model unspecified) was not created (not supported by this machine?)
Warning: requested NIC (anonymous, model unspecified) was not created (not supported by this machine?)
Warning: requested NIC (anonymous, model unspecified) was not created (not supported by this machine?)
Warning: requested NIC (anonymous, model unspecified) was not created (not supported by this machine?)

Neither of the assigned IPs is accessible, as is to be expected with two IPs.
Have you encountered anything similar before, or have an idea of what could be causing this?

Is it a mistake?

Code in runExploits.py, line 210: ("snmpwalk -v2c -c public %(target)s .iso" "grep -qs ".4.1.1.1" %(output)s ")
Is there a "," missing between these two strings?

ProgrammingError: relation "image" does not exist

Hi,
I have a problem when executing this script:

./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320.zip" images

I obtained the following output:

  File "./sources/extractor/extractor.py", line 345, in update_database
ProgrammingError: relation "image" does not exist
LINE 1: UPDATE image SET rootfs_extracted='True' WHERE id='WNAP320.z...

There is a problem when creating and populating the database.

Any idea?

inferNetwork.sh script failed on multiple firmwares

I ran inferNetwork.sh with multiple firmware images, but all failed to generate run.sh.


1. D-Link DIR-505L FIRMWARE_1.05
   The script terminated with the following error log:
...
Inferring network...
Interfaces: [('br0', '192.168.0.1')]
Traceback (most recent call last):
  File ".../scripts//makeNetwork.py", line 367, in <module>
    main()
  File ".../scripts//makeNetwork.py", line 364, in main
    process(infile, iid, arch, endianness, makeQemuCmd, outfile)
  File ".../firmadyne//scripts//makeNetwork.py", line 282, in process
    for dev in brifs:
TypeError: 'NoneType' object is not iterable

2. D-Link DIR-815 FIRMWARE_1.02
   This time the script ran successfully with:
qemu: terminating on signal 2 from pid 2508
Inferring network...
Interfaces: []
Done!

But there was still no run.sh, and qemu.initial.serial.log said:

[    1.536000] 1f00            1024 mtdblock0 (driver?)
[    1.536000] 1f01            1024 mtdblock1 (driver?)
[    1.536000] 1f02            1024 mtdblock2 (driver?)
[    1.536000] 1f03            1024 mtdblock3 (driver?)
[    1.536000] 1f04            1024 mtdblock4 (driver?)
[    1.536000] 1f05            1024 mtdblock5 (driver?)
[    1.536000] 1f06            1024 mtdblock6 (driver?)
[    1.536000] 1f07            1024 mtdblock7 (driver?)
[    1.536000] 1f08            1024 mtdblock8 (driver?)
[    1.536000] 1f09            1024 mtdblock9 (driver?)
[    1.536000] 1f0a          120832 mtdblock10 (driver?)
[    1.536000] 0800         1048576 sda driver: sd
[    1.540000]   0801         1047552 sda1
[    1.540000] No filesystem could mount root, tried:  ext3 ext2 ext4 cramfs squashfs vfat iso9660 romfs udf
[    1.540000] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1)

#6 seems to have the same problem.

Binwalk 2.1.2b problem?

Hi there,

In my last issue I mentioned I was trying to set it up on Arch. Now I'm doing it again on an up-to-date Ubuntu and I have an issue with binwalk. I noticed that it's the 2.1.2b version, same as when I was trying on Arch Linux. I only got it working with 2.1.1 on Kali Linux.
Note that I can still extract the firmware with binwalk -e and it works fine with both versions.

Here's a log:

root@ce1754c6970d:/home/firmadyne# python2.7 sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images
>> Database Image ID: 1

/home/firmadyne/WNAP320 Firmware Version 2.0.3.zip
>> MD5: 51eddc7046d77a752ca4b39fbda50aff
>> Tag: 1
>> Temp: /tmp/tmpSSTucI
>> Status: Kernel: True, Rootfs: False, Do_Kernel: False,                 Do_Rootfs: True

Signature Exception: list index out of range
----------------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 566, in main
    retval = self.run()
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/signature.py", line 177, in run
    self.scan_file(fp)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/signature.py", line 160, in scan_file
    self.result(r=r)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 461, in result
    getattr(self, dependency.attribute).callback(r)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/extractor.py", line 174, in callback
    (extraction_directory, dd_file, scan_extracted_files) = self.extract(r.offset, r.description, r.file.path, size, r.name)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/extractor.py", line 496, in extract
    output_directory = self.build_output_directory(file_name)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/extractor.py", line 434, in build_output_directory
    subdir = basedir.split(self.directory)[1][1:]
IndexError: list index out of range
----------------------------------------------------------------------------------------------------

>> Recursing into archive ...

Signature Exception: list index out of range
----------------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 566, in main
    retval = self.run()
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/signature.py", line 177, in run
    self.scan_file(fp)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/signature.py", line 160, in scan_file
    self.result(r=r)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/core/module.py", line 461, in result
    getattr(self, dependency.attribute).callback(r)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/extractor.py", line 174, in callback
    (extraction_directory, dd_file, scan_extracted_files) = self.extract(r.offset, r.description, r.file.path, size, r.name)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/extractor.py", line 496, in extract
    output_directory = self.build_output_directory(file_name)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/modules/extractor.py", line 434, in build_output_directory
    subdir = basedir.split(self.directory)[1][1:]
IndexError: list index out of range
----------------------------------------------------------------------------------------------------

>> Recursing into compressed ...
>> Cleaning up /tmp/tmpSSTucI...

MIPS From Source

Working on Ubuntu 16.04.2 Xenial.
I've built the ARM kernel from source without any problems. I'm currently trying to build the big-endian MIPS kernel and I'm getting the following error.

Can't use 'defined(@array)' (Maybe you should just omit the defined()?) at /home/user/firmadyne/kernel-v2.6.32/kernel/timeconst.pl line 373.
CC arch/mips/math-emu/dp_tlong.o
/home/user/firmadyne/kernel-v2.6.32/kernel/Makefile:129: recipe for target 'kernel/timeconst.h' failed
make[2]: *** [kernel/timeconst.h] Error 255
/home/user/firmadyne/kernel-v2.6.32/Makefile:883: recipe for target 'kernel' failed
make[1]: *** [kernel] Error 2
make[1]: *** Waiting for unfinished jobs....

I've searched around for similar problems and most of them say I need to install BC; however, that has already been installed. Any help would be appreciated.

Firmware login - inferNetwork

Hi,

I successfully ran the firmware example following the readme.
Then I tried to do the same with another firmware.
I got stuck at the inferNetwork.sh step. It wasn't able to find an interface, so no run.sh file was created. Then I looked at the qemu initial logs and it seems that the firmware requires a login and probably a password to go further. If I'm right, how can I provide one via firmadyne?

Here are the logs of inferNetwork:

root@kali:~/firmadyne# ./scripts/inferNetwork.sh 2
Querying database for architecture... Password for user firmadyne:
mipseb
Running firmware 2: terminating after 60 secs...
qemu-system-mips: terminating on signal 2 from pid 12420
Inferring network...
Interfaces: []
Done!

Here are my logs from qemu:

[ 1.916000] Status: 0000a413 USER EXL IE
[ 1.920000] Cause : 10800008
[ 1.920000] BadVA : 00000038
[ 1.920000] PrId : 00019300 (MIPS 24Kc)

(none) mips 1 Thu Feb 18 01:39:21 UTC 2016 (none)
(none) login:

Here is the link to the firmware:
http://static.tp-link.com/resources/software/TL-WR740N_V4_140520.zip

firmadyne.config not found error in inferNetwork.sh

I keep getting this error

Error: Could not find 'firmadyne.config'!

This is weird because firmadyne.config is present in the parent directory (the directory which contains the scripts directory).

So I commented out the part where it checks for the config file.
Then it ran partially and I got this error:


> Running firmware 1: terminating after 60 secs...
> Error: Could not find 'firmadyne.config'!

bind: Address already in use

Hi,

When I run
./scripts/inferNetwork.sh 1
I get the following response:

Querying database for architecture... armel
Running firmware 1: terminating after 60 secs...
bind: Address already in use
qemu-system-arm: -netdev socket,listen=:2001,id=net2: Device 'socket' could not be initialized

What could be the reason?
Thanks a lot.

dict object has no attribute 'iteritems'

Hi there,

Firstly, this project looks great (: but I'm trying to use it on Arch Linux. So I downloaded the binaries with your scripts, installed a few dependencies, and on step 5 I get this error:

└┼─$─┤▶ ./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
Traceback (most recent call last):
  File "./scripts/tar2db.py", line 100, in <module>
    main()
  File "./scripts/tar2db.py", line 97, in main
    process(iid, infile)
  File "./scripts/tar2db.py", line 75, in process
    file2oid = [(fdict[h], oid) for (h, oid) in oids.iteritems()]
AttributeError: 'dict' object has no attribute 'iteritems'

So apparently that object would be empty? Any idea why? I'm using Python 3 btw; with Python 2.7 I got a "cored.

I get a different error with Python 2


└┼─$─┤▶ python2.7 scripts/tar2db.py -i 1 -f ./images/1.tar.gz
Traceback (most recent call last):
  File "scripts/tar2db.py", line 100, in <module>
    main()
  File "scripts/tar2db.py", line 97, in main
    process(iid, infile)
  File "scripts/tar2db.py", line 77, in process
    insertObjectToImage(iid, file2oid, links, cur)
  File "scripts/tar2db.py", line 61, in insertObjectToImage
    for x in links])
psycopg2.IntegrityError: insert or update on table "object_to_image" violates foreign key constraint "object_to_image_oid_fkey"
DETAIL:  Key (oid)=(1) is not present in table "object".

Run.sh executed successfully, but could not connect to the firmware.

I downloaded Ubuntu 14.04.5 LTS 32-bit to set up firmadyne from scratch. I have everything set up as per README.md, and run.sh was generated successfully for the firmware I am testing. However, upon running run.sh (the console shows the firmware running successfully), I could not ping the emulated firmware on the IP indicated in run.sh, nor could I reach the web interface of the firmware (the firmware runs fine on AttifyOS though).

I have checked that the route was added successfully (tap1 created successfully), as the IP address is the same as in run.sh. I traced through the qemu.final and qemu.initial logs but I could not tell what went wrong.

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.153.2   0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap1
192.168.0.1     192.168.0.1     255.255.255.255 UGH   0      0        0 tap1
192.168.153.0   0.0.0.0         255.255.255.0   U     1      0        0 eth0

Below is a stripped version of the qemu.initial.serial.log:

#grep -iv firmadyne qemu.final.serial.log

[    0.000000] 
[    0.000000] LINUX started...
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019300 (MIPS 24Kc)
[    0.000000] FPU revision is: 00739300
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 00001000 @ 00000000 (reserved)
[    0.000000]  memory: 000ef000 @ 00001000 (ROM data)
[    0.000000]  memory: 00606000 @ 000f0000 (reserved)
[    0.000000]  memory: 0f90a000 @ 006f6000 (usable)
[    0.000000] debug: ignoring loglevel setting.
[    0.000000] Wasting 57024 bytes for tracking 1782 unused pages
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone PFN ranges:
[    0.000000]   DMA      0x00000000 -> 0x00001000
[    0.000000]   Normal   0x00001000 -> 0x00010000
[    0.000000] Movable zone start PFN for each node
[    0.000000] early_node_map[1] active PFN ranges
[    0.000000]     0: 0x00000000 -> 0x00010000
[    0.000000] On node 0 totalpages: 65536
[    0.000000] free_area_init_node: node 0, pgdat 806923c0, node_mem_map 81000000
[    0.000000]   DMA zone: 32 pages used for memmap
[    0.000000]   DMA zone: 0 pages reserved
[    0.000000]   DMA zone: 4064 pages, LIFO batch:0
[    0.000000]   Normal zone: 480 pages used for memmap
[    0.000000]   Normal zone: 60960 pages, LIFO batch:15
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 65024
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Primary instruction cache 2kB, VIPT, 2-way, linesize 16 bytes.
[    0.000000] Primary data cache 2kB, 2-way, VIPT, no aliases, linesize 16 bytes
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 252524k/255016k available (4164k kernel code, 2252k reserved, 1550k data, 220k init, 0k highmem)
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS:256
[    0.000000] CPU frequency 200.00 MHz
[    0.000000] Console: colour dummy device 80x25
[    0.000000] Calibrating delay loop... 1314.81 BogoMIPS (lpj=2629632)
[    0.104000] Mount-cache hash table entries: 512
[    0.112000] NET: Registered protocol family 16
[    0.120000] bio: create slab <bio-0> at 0
[    0.124000] vgaarb: loaded
[    0.124000] SCSI subsystem initialized
[    0.124000] libata version 3.00 loaded.
[    0.124000] usbcore: registered new interface driver usbfs
[    0.124000] usbcore: registered new interface driver hub
[    0.128000] usbcore: registered new device driver usb
[    0.128000] pci 0000:00:00.0: reg 14 32bit mmio pref: [0x1000000-0x1ffffff]
[    0.128000] pci 0000:00:0a.1: reg 20 io port: [0x00-0x0f]
[    0.128000] pci 0000:00:0a.2: reg 20 io port: [0x00-0x1f]
[    0.128000] pci 0000:00:0a.3: BAR 8: address space collision on of bridge [0x1100-0x110f]
[    0.132000] pci 0000:00:0a.3: quirk: region 1100-110f claimed by PIIX4 SMB
[    0.132000] pci 0000:00:0b.0: reg 10 io port: [0x00-0x1f]
[    0.132000] pci 0000:00:0b.0: reg 14 32bit mmio: [0x000000-0x00001f]
[    0.132000] pci 0000:00:0b.0: reg 30 32bit mmio pref: [0x000000-0x03ffff]
[    0.132000] pci 0000:00:12.0: reg 10 io port: [0x00-0x1f]
[    0.132000] pci 0000:00:12.0: reg 14 32bit mmio: [0x000000-0x00001f]
[    0.132000] pci 0000:00:12.0: reg 30 32bit mmio pref: [0x000000-0x03ffff]
[    0.132000] pci 0000:00:13.0: reg 10 io port: [0x00-0x1f]
[    0.132000] pci 0000:00:13.0: reg 14 32bit mmio: [0x000000-0x00001f]
[    0.132000] pci 0000:00:13.0: reg 30 32bit mmio pref: [0x000000-0x03ffff]
[    0.132000] pci 0000:00:14.0: reg 10 io port: [0x00-0x1f]
[    0.132000] pci 0000:00:14.0: reg 14 32bit mmio: [0x000000-0x00001f]
[    0.132000] pci 0000:00:14.0: reg 30 32bit mmio pref: [0x000000-0x03ffff]
[    0.132000] pci 0000:00:15.0: reg 10 32bit mmio pref: [0x000000-0x1ffffff]
[    0.132000] pci 0000:00:15.0: reg 14 32bit mmio: [0x000000-0x000fff]
[    0.132000] pci 0000:00:15.0: reg 30 32bit mmio pref: [0x000000-0x00ffff]
[    0.136000] vgaarb: device added: PCI:0000:00:15.0,decodes=io+mem,owns=none,locks=none
[    0.136000] pci 0000:00:0a.3: BAR 8: bogus alignment [0x1100-0x110f] flags 0x100
[    0.140000] cfg80211: Calling CRDA to update world regulatory domain
[    0.140000] Switching to clocksource MIPS
[    0.144000] Switched to NOHz mode on CPU #0
[    0.144000] NET: Registered protocol family 2
[    0.144000] IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.144000] TCP established hash table entries: 8192 (order: 4, 65536 bytes)
[    0.144000] TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
[    0.144000] TCP: Hash tables configured (established 8192 bind 8192)
[    0.144000] TCP reno registered
[    0.144000] NET: Registered protocol family 1
[    0.144000] PCI: Enabling device 0000:00:0a.2 (0000 -> 0001)
[    0.164000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.168000] Registering unionfs 2.6 (for 2.6.32.63)
[    0.168000] JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.168000] ROMFS MTD (C) 2007 Red Hat, Inc.
[    0.168000] msgmni has been set to 493
[    0.180000] alg: No test for stdrng (krng)
[    0.244000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[    0.244000] io scheduler noop registered
[    0.244000] io scheduler cfq registered (default)
[    0.280000] PCI: Enabling device 0000:00:15.0 (0000 -> 0002)
[    0.280000] cirrusfb 0000:00:15.0: Cirrus Logic chipset on PCI bus, RAM (4096 kB) at 0x10000000
[    0.528000] Console: switching to colour frame buffer device 80x30
[    0.556000] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    0.556000] serial8250.0: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[    0.556000] console [ttyS0] enabled, bootconsole disabled
[    0.556000] console [ttyS0] enabled, bootconsole disabled
[    0.560000] serial8250.0: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
[    0.560000] serial8250.0: ttyS2 at MMIO 0x1f000900 (irq = 18) is a 16550A
[    0.564000] brd: module loaded
[    0.564000] loop: module loaded
[    0.564000] ata_piix 0000:00:0a.1: version 2.13
[    0.568000] PCI: Enabling device 0000:00:0a.1 (0000 -> 0001)
[    0.568000] PCI: Setting latency timer of device 0000:00:0a.1 to 64
[    0.572000] scsi0 : ata_piix
[    0.572000] scsi1 : ata_piix
[    0.572000] ata1: PATA max UDMA/33 cmd 0x1f0 ctl 0x3f6 bmdma 0x10a0 irq 14
[    0.576000] ata2: PATA max UDMA/33 cmd 0x170 ctl 0x376 bmdma 0x10a8 irq 15
[    0.580000] NAND device: Manufacturer ID: 0x98, Chip ID: 0x39 (Toshiba NAND 128MiB 1,8V 8-bit)
[    0.580000] flash size: 128 MiB
[    0.580000] page size: 512 bytes
[    0.580000] OOB area size: 16 bytes
[    0.580000] sector size: 16 KiB
[    0.580000] pages number: 262144
[    0.580000] pages per sector: 32
[    0.580000] bus width: 8
[    0.580000] bits in sector size: 14
[    0.580000] bits in page size: 9
[    0.580000] bits in OOB size: 4
[    0.580000] flash size with OOB: 135168 KiB
[    0.580000] page address bytes: 4
[    0.580000] sector address bytes: 3
[    0.580000] options: 0x62
[    0.588000] Scanning device for bad blocks
[    0.640000] Creating 11 MTD partitions on "NAND 128MiB 1,8V 8-bit":
[    0.640000] 0x000000000000-0x000000100000 : "NAND simulator partition 0"
[    0.640000] 0x000000100000-0x000000200000 : "NAND simulator partition 1"
[    0.640000] 0x000000200000-0x000000300000 : "NAND simulator partition 2"
[    0.640000] 0x000000300000-0x000000400000 : "NAND simulator partition 3"
[    0.644000] 0x000000400000-0x000000500000 : "NAND simulator partition 4"
[    0.644000] 0x000000500000-0x000000600000 : "NAND simulator partition 5"
[    0.644000] 0x000000600000-0x000000700000 : "NAND simulator partition 6"
[    0.644000] 0x000000700000-0x000000800000 : "NAND simulator partition 7"
[    0.644000] 0x000000800000-0x000000900000 : "NAND simulator partition 8"
[    0.648000] 0x000000900000-0x000000a00000 : "NAND simulator partition 9"
[    0.648000] 0x000000a00000-0x000008000000 : "NAND simulator partition 10"
[    0.648000] Intel(R) PRO/1000 Network Driver - version 7.3.21-k5-NAPI
[    0.648000] Copyright (c) 1999-2006 Intel Corporation.
[    0.648000] e1000e: Intel(R) PRO/1000 Network Driver - 1.0.2-k2
[    0.648000] e1000e: Copyright (c) 1999-2008 Intel Corporation.
[    0.652000] pcnet32.c:v1.35 21.Apr.2008 [email protected]
[    0.652000] PCI: Enabling device 0000:00:0b.0 (0000 -> 0003)
[    0.652000] PCI: Setting latency timer of device 0000:00:0b.0 to 64
[    0.652000] pcnet32: PCnet/PCI II 79C970A at 0x1020, 52:54:00:12:34:56 assigned IRQ 10.
[    0.656000] eth0: registered as PCnet/PCI II 79C970A
[    0.656000] PCI: Enabling device 0000:00:12.0 (0000 -> 0003)
[    0.656000] PCI: Setting latency timer of device 0000:00:12.0 to 64
[    0.660000] pcnet32: PCnet/PCI II 79C970A at 0x1040, 52:54:00:12:34:57 assigned IRQ 10.
[    0.660000] eth1: registered as PCnet/PCI II 79C970A
[    0.660000] PCI: Enabling device 0000:00:13.0 (0000 -> 0003)
[    0.664000] PCI: Setting latency timer of device 0000:00:13.0 to 64
[    0.664000] pcnet32: PCnet/PCI II 79C970A at 0x1060, 52:54:00:12:34:58 assigned IRQ 10.
[    0.664000] eth2: registered as PCnet/PCI II 79C970A
[    0.664000] PCI: Enabling device 0000:00:14.0 (0000 -> 0003)
[    0.668000] PCI: Setting latency timer of device 0000:00:14.0 to 64
[    0.668000] pcnet32: PCnet/PCI II 79C970A at 0x1080, 52:54:00:12:34:59 assigned IRQ 11.
[    0.668000] eth3: registered as PCnet/PCI II 79C970A
[    0.668000] pcnet32: 4 cards_found.
[    0.668000] PPP generic driver version 2.4.2
[    0.668000] PPP Deflate Compression module registered
[    0.676000] PPP MPPE Compression module registered
[    0.676000] NET: Registered protocol family 24
[    0.676000] PPPoL2TP kernel driver, V1.0
[    0.676000] tun: Universal TUN/TAP device driver, 1.6
[    0.676000] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
[    0.676000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    0.676000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    0.676000] uhci_hcd: USB Universal Host Controller Interface driver
[    0.680000] PCI: Setting latency timer of device 0000:00:0a.2 to 64
[    0.680000] uhci_hcd 0000:00:0a.2: UHCI Host Controller
[    0.680000] uhci_hcd 0000:00:0a.2: new USB bus registered, assigned bus number 1
[    0.684000] uhci_hcd 0000:00:0a.2: irq 11, io base 0x00001000
[    0.684000] usb usb1: configuration #1 chosen from 1 choice
[    0.688000] hub 1-0:1.0: USB hub found
[    0.688000] hub 1-0:1.0: 2 ports detected
[    0.688000] Initializing USB Mass Storage driver...
[    0.688000] usbcore: registered new interface driver usb-storage
[    0.688000] USB Mass Storage support registered.
[    0.692000] serio: i8042 KBD port at 0x60,0x64 irq 1
[    0.692000] serio: i8042 AUX port at 0x60,0x64 irq 12
[    0.692000] mice: PS/2 mouse device common for all mice
[    0.696000] rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0
[    0.696000] rtc0: alarms up to one day, 242 bytes nvram
[    0.700000] i2c /dev entries driver
[    0.700000] piix4_smbus 0000:00:0a.3: SMBus Host Controller at 0x1100, revision 0
[    0.700000] sdhci: Secure Digital Host Controller Interface driver
[    0.700000] sdhci: Copyright(c) Pierre Ossman
[    0.704000] usbcore: registered new interface driver hiddev
[    0.704000] usbcore: registered new interface driver usbhid
[    0.704000] usbhid: v2.6:USB HID core driver
[    0.704000] Netfilter messages via NETLINK v0.30.
[    0.704000] nf_conntrack version 0.5.0 (3949 buckets, 15796 max)
[    0.704000] ctnetlink v0.93: registering with nfnetlink.
[    0.704000] IPv4 over IPv4 tunneling driver
[    0.708000] GRE over IPv4 tunneling driver
[    0.708000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    0.712000] arp_tables: (C) 2002 David S. Miller
[    0.712000] TCP cubic registered
[    0.712000] Initializing XFRM netlink socket
[    0.712000] NET: Registered protocol family 10
[    0.716000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    0.716000] IPv6 over IPv4 tunneling driver
[    0.716000] NET: Registered protocol family 17
[    0.720000] Bridge firewalling registered
[    0.720000] Ebtables v2.0 registered
[    0.720000] 802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
[    0.720000] All bugs added by David S. Miller <[email protected]>
[    0.720000] lib80211: common routines for IEEE802.11 drivers
[    0.720000] lib80211_crypt: registered algorithm 'NULL'
[    0.724000] rtc_cmos rtc_cmos: setting system clock to 2016-12-10 02:13:05 UTC (1481335985)
[    0.732000] ata1.01: NODEV after polling detection
[    0.732000] ata2.01: NODEV after polling detection
[    0.736000] ata1.00: ATA-7: QEMU HARDDISK, 2.0.0, max UDMA/100
[    0.736000] ata1.00: 2097152 sectors, multi 16: LBA48 
[    0.736000] ata2.00: ATAPI: QEMU DVD-ROM, 2.0.0, max UDMA/100
[    0.740000] ata2.00: configured for UDMA/33
[    0.740000] ata1.00: configured for UDMA/33
[    0.748000] scsi 0:0:0:0: Direct-Access     ATA      QEMU HARDDISK    2.0. PQ: 0 ANSI: 5
[    0.748000] scsi 1:0:0:0: CD-ROM            QEMU     QEMU DVD-ROM     2.0. PQ: 0 ANSI: 5
[    0.752000] sd 0:0:0:0: [sda] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)
[    0.752000] sd 0:0:0:0: [sda] Write Protect is off
[    0.752000] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[    0.752000] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[    0.756000]  sda: sda1
[    0.760000] sd 0:0:0:0: [sda] Attached SCSI disk
[    0.796000] input: AT Raw Set 2 keyboard as /devices/platform/i8042/serio0/input/input0
[    1.000000] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input1
[    1.008000] EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended
[    1.008000] VFS: Mounted root (ext2 filesystem) on device 8:1.
[    1.012000] Freeing prom memory: 956k freed
[    1.024000] Freeing unused kernel memory: 220k freed
init started:  BusyBox v1.00 (2010.11.23-11:52+0000) multi-call binary
Starting pid 47, console /dev/tts/0: '/etc/init.d/rcS'
[    1.120000] OFFSETS: offset of pid: 0x100 offset of comm: 0x1f0
[/etc/init.d/S03config.sh]
Mounting proc and var ...
/sys/module/ip_conntrack/parameters/hashsize: cannot create
Start xmldb ...
[/etc/scripts/misc/profile.sh] get ...
DEVCONF: unable to read config data (ret=-3) !
CAN NOT get devive config, generate default!
[/etc/scripts/misc/profile.sh] reset ...
[/etc/scripts/misc/defnodes.sh] ...
[/etc/defnodes/S10setext.sh] ...
PHP [/etc/defnodes/S11setnodes.php] ...
PHP [/etc/defnodes/S12features.php] ...
PHP [/etc/defnodes/S13flashspeed.php] ...
PHP [/etc/defnodes/S20setnodes.php] ...
[    3.368000] VFS: Can't find ext3 filesystem on dev mtdblock5.
[    3.368000] VFS: Can't find an ext2 filesystem on dev mtdblock5.
[    3.368000] EXT4-fs (mtdblock5): VFS: Can't find ext4 filesystem
[    3.368000] cramfs: wrong magic
[    3.368000] SQUASHFS error: Can't find a SQUASHFS superblock on mtdblock5
[    3.372000] FAT: bogus logical sector size 65535
[    3.372000] VFS: Can't find a valid FAT filesystem on dev mtdblock5.
[    3.376000] ISOFS: Unable to identify CD-ROM format.
[    3.376000] VFS: Can't find a romfs filesystem on dev mtdblock5.
[    3.396000] attempt to access beyond end of device
[    3.396000] mtdblock5: rw=0, want=2049, limit=2048
[    3.396000] UDF-fs: No VRS found
[    3.396000] UDF-fs: Rescanning with blocksize 2048
[    3.424000] attempt to access beyond end of device
[    3.424000] mtdblock5: rw=0, want=2052, limit=2048
[    3.424000] UDF-fs: No VRS found
[    3.424000] UDF-fs: No partition found (1)
mount: Mounting /dev/mtdblock/5 on /www/locale/alt failed: Invalid argument
PHP [/etc/defnodes/S40brand.php] ...
[/etc/scripts/misc/defnodes.sh] Done !!
[/etc/scripts/freset_setnodes.sh]
[/etc/scripts/misc/profile.sh] put ...
ok
[/etc/templates/timezone.sh] ...
zone : 5
gen : PST+08:00
[/etc/templates/logs.sh] ...
[/var/run/logs_run.sh] ...
[/etc/templates/webs.sh] start ...
[/var/run/webs_start.sh] ...
Starting HTTPD ...
[/etc/init.d/S03config.sh] done!
[/etc/init.d/S10system.sh]
start fresetd ...
Factory reset time : 5 secs
WPS command : [/etc/templates/wps.sh pbc &]
/dev/gpio: No such file or directory
start scheduled ...
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
PBS start WPS!
[/etc/templates/scheduled.sh] start ...
[/etc/templates/wps.sh] pbc ...
[/var/run/scheduled_start.sh] ...
Start scheduled ...
setup layout ...
/dev/gpio: No such file or directory
[/etc/scripts/layout.sh] start ...
/dev/gpio: No such file or directory
WPS: The AP is Unconfigured!   Using WPA/PSK (TKIP)
***** WPA_PSK = 1139AF6370158574648DE8A2CD99AF9A2CE04C169169455FF108C7078C8A5FC7
Using pre-config NW KEY!
***** WPA_PSK = 1139AF6370158574648DE8A2CD99AF9A2CE04C169169455FF108C7078C8A5FC7
[/var/run/layout_start.sh] ...
Start router layout ...
/proc/rt3052/vlan/untag_port_0: cannot create
/proc/rt3052/vlan/untag_port_1: cannot create
/proc/rt3052/vlan/untag_port_2: cannot create
/proc/rt3052/vlan/untag_port_3: cannot create
/proc/rt3052/vlan/untag_port_4: cannot create
/proc/rt3052/vlan/untag_port_6: cannot create
/proc/rt3052/vlan/vid_vlan_0: cannot create
/proc/rt3052/vlan/vid_vlan_1: cannot create
/proc/rt3052/vlan/mem_vlan_0: cannot create
/proc/rt3052/vlan/mem_vlan_1: cannot create
/proc/rt3052/vlan/mem_vlan_2: cannot create
/proc/rt3052/vlan/mem_vlan_3: cannot create
/proc/rt3052/vlan/mem_vlan_4: cannot create
/proc/rt3052/vlan/mem_vlan_5: cannot create
/dev/gpio: No such file or directory
/proc/rt3052/vlan/mem_vlan_6: cannot create
/proc/rt3052/vlan/mem_vlan_7: cannot create
/proc/rt3052/vlan/mem_vlan_8: cannot create
/proc/rt3052/vlan/mem_vlan_9: cannot create
/proc/rt3052/vlan/mem_vlan_10: cannot create
/proc/rt3052/vlan/mem_vlan_11: cannot create
/proc/rt3052/vlan/mem_vlan_12: cannot create
/proc/rt3052/vlan/mem_vlan_13: cannot create
/proc/rt3052/vlan/mem_vlan_14: cannot create
/proc/rt3052/vlan/mem_vlan_15: cannot create
/proc/rt3052/vlan/vid_port_0: cannot create
/proc/rt3052/vlan/vid_port_1: cannot create
/proc/rt3052/vlan/vid_port_2: cannot create
/proc/rt3052/vlan/vid_port_3: cannot create
/proc/rt3052/vlan/vid_port_4: cannot create
/proc/rt3052/vlan/vid_port_6: cannot create
/proc/rt3052/vlan/vlan_en_port_0: cannot create
/proc/rt3052/vlan/vlan_en_port_1: cannot create
/proc/rt3052/vlan/vlan_en_port_2: cannot create
/proc/rt3052/vlan/vlan_en_port_3: cannot create
/proc/rt3052/vlan/vlan_en_port_4: cannot create
/proc/rt3052/vlan/vlan_en_port_6: cannot create
[    6.512000] eth2: link up
Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
/dev/gpio: No such file or directory
[    6.596000] device eth2 entered promiscuous mode
[    6.616000] device eth2.0 entered promiscuous mode
[    6.616000] br0: port 1(eth2.0) entering forwarding state
start LAN ...
[/etc/templates/lan.sh] ...
/dev/gpio: No such file or directory
[/var/run/lan_start.sh] ...
Start LAN (br0/192.168.0.1/255.255.255.0)...
Start DHCP server (br0) ...
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
Start igmp ...
/dev/gpio: No such file or directory
No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
factory reset button pressed for 1 secs
/dev/gpio: No such file or directory
PBC pressed for 1 secs
[/etc/templates/igmpproxy.sh] start ...
[/var/run/igmpproxy_start.sh] ...
/proc/igmp_snoop: cannot create
IGMP proxy is not enabled!
enable LAN ports ...
/dev/gpio: No such file or directory
start WLAN ...
[/etc/templates/wlan.sh] start ...
Hello from hostapd.conf
/dev/gpio: No such file or directory
[/var/run/wlan_start.sh] ...
Start WLAN interface ra0 ...
restart WLAN driver ...
interface ra0 does not exist!
Using /lib/modules/rt2860v2_ap.ko
SIOCSIFTXQLEN: No such device
SIOCGIFFLAGS: No such device
/dev/gpio: No such file or directory
interface ra0 does not exist!
can't find port ra0 in bridge br0
/proc/net/br_forward_br0: cannot create
Configuration file: /var/run/hostapd.ra0.conf
/dev/gpio: No such file or directory
ralink driver initialization failed.
[/etc/templates/wps.sh] setie ...
WPS: wps is already running, send event [setup] !!
Start WLAN interface ra0 Done !!!
[/var/run/wlan_schedule_contrl.sh] ...
start Guest Zone
[/etc/templates/gzone.sh] ...
/dev/gpio: No such file or directory
[/etc/templates/enable_gzone.sh] ...
start RG ...
[/etc/templates/rg.sh] start ...
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
[/var/run/rg_start.sh] ...
/dev/gpio: No such file or directory
: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
factory reset button pressed for 2 secs
/dev/gpio: No such file or directory
PBC pressed for 2 secs
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
iptables: Unknown error -1
/dev/gpio: No such file or directory
iptables: Unknown error -1
iptables: Unknown error -1
/dev/gpio: No such file or directory
iptables: Unknown error -1
iptables: Unknown error -1
iptables: Unknown error -1
iptables: Unknown error -1
iptables: Unknown error -1
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
iptables: Unknown error -1
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
factory reset button pressed for 3 secs
/dev/gpio: No such file or directory
PBC pressed for 3 secs
iptables: Unknown error -1
/dev/gpio: No such file or directory
iptables: Unknown error -1
iptables: Unknown error -1
iptables: Unknown error -1
iptables: Unknown error -1
iptables: Unknown error -1
/dev/gpio: No such file or directory
/proc/sys/net/ipv4/ip_conntrack_max: cannot create
/dev/gpio: No such file or directory
Using /lib/modules/sw_tcpip.ko
Using /lib/modules/ifresetcnt.ko
insmod: /lib/modules/2.6.32.70: No such file or directory
insmod: ip_conntrack_ike_m.ko: no module by that name found
insmod: /lib/modules/2.6.32.70: No such file or directory
insmod: ip_conntrack_esp_m.ko: no module by that name found
insmod: /lib/modules/2.6.32.70: No such file or directory
insmod: ip_conntrack_proto_esp_m.ko: no module by that name found
insmod: /lib/modules/2.6.32.70: No such file or directory
insmod: ip_nat_proto_esp_m.ko: no module by that name found
Using /lib/modules/ipt_PERS.ko
WPS: Using Push Button !!
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
sendto_unsock(/var/run/portt.unixsocket, flush)
/proc/sys/net/ipv4/arp_flood_burst: cannot create
/proc/sys/net/ipv4/arp_flood_cost: cannot create
start DNRD ...
[/etc/templates/dnrd.sh] ...
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
[/var/run/dnrd_start.sh] ...
Start DNRD ...
Notice: caching turned off
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory

factory reset button pressed for 4 secs
/dev/gpio: No such file or directory
PBC pressed for 4 secs
Start telnetd ...
start UPNPD ...
[/etc/templates/upnpd.sh] ...
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
[/var/run/upnpd_start.sh] ...
Starting UPnP ...
[/var/run/upnp_alive.sh] ...
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
factory reset button pressed for 6 secs
/dev/gpio: No such file or directory
PBC pressed for 6 secs
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
factory reset button pressed for 7 secs
/dev/gpio: No such file or directory
PBC pressed for 7 secs
/dev/gpio: No such file or directory
start WAN ...
Set WAN port media type 0
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
factory reset button pressed for 8 secs
/dev/gpio: No such file or directory
PBC pressed for 8 secs
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
factory reset button pressed for 9 secs
/dev/gpio: No such file or directory
PBC pressed for 9 secs
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
[/etc/templates/wan.sh] start ...
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory

factory reset button pressed for 10 secs
/dev/gpio: No such file or directory
PBC pressed for 10 secs
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
[/var/run/wan_start.sh] ...
/proc/sys/net/ipv4/ip_personality_enable: cannot create
/proc/sys/net/ipv4/ip_personality_sport: cannot create
insmod: /lib/modules/2.6.32.70: No such file or directory
Using /lib/modules/sw_tcpip.ko
It is the DHCP mod start!!
DHCP client on WAN(eth2.2) CloneMAC() ...
/dev/gpio: No such file or directory
start LLD2D ...
[/etc/templates/lld2d.sh] ...
/dev/gpio: No such file or directory
[/var/run/lld2d_start.sh] ...
Start LLD2 daemon ...
start Neaps ...
/dev/gpio: No such file or directory
[/etc/templates/neaps.sh] start ...
[/var/run/neaps_start.sh] ...
Start Neap Server ...
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
start igmpproxy ...
/dev/gpio: No such file or directory
[/etc/templates/igmpproxy.sh] start ...
[/var/run/igmpproxy_stop.sh] ...
IGMP proxy is not started !
/dev/gpio: No such file or directory
[   16.056000] br0: no IPv6 routers present
[/var/run/igmpproxy_start.sh] ...
/proc/igmp_snoop: cannot create

/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
/dev/gpio: No such file or directory
factory reset button pressed for 11 secs
IGMP proxy is not enabled!
No such file or directory
PBC pressed for 11 secs
Change the STATUS LED...
[/etc/init.d/S10system.sh] done!
[/etc/init.d/S30final.sh]
Finally, free pagecache, dentries and inodes ...
/dev/gpio: No such file or directory
[/etc/init.d/S30final.sh] done!
rcS done!
Starting pid 954, console /dev/tts/0: '/bin/sh'


BusyBox v1.00 (2010.11.23-11:52+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

[   16.620000] eth2: no IPv6 routers present
[   16.748000] eth2.2: no IPv6 routers present
[   17.396000] eth2.0: no IPv6 routers present
[/var/run/upnp_alive.sh] ...

I'd appreciate it if anyone could provide some pointers on this. Thank you.

Setting NVRAM default values without recompilation?

In #32 @ddcc mentioned that adding new NVRAM values requires adding them to config.h and recompiling the library. Can default values be added through the /firmadyne/libnvram.override/ folder instead?

The nvram_init function calls nvram_set_default, which starts the process. nvram_set_default_builtin is called, which uses the NVRAM_DEFAULTS macro to set the default values hard-coded in nvram.h. Back in nvram_set_default, NVRAM_DEFAULTS_PATH is used, which seems to load default values from files within the rootfs. Finally, nvram_set_default_image is called, which runs system("/bin/cp "OVERRIDE_POINT"* "MOUNT_POINT);

Is it possible to use nvram_set_default_image instead of nvram_set_default_builtin to load default values? Another folder could be used to store the default values, which would then be copied over to the tmpfs used for NVRAM.

I want to remove the recompilation step when changing default values in NVRAM, because I'm interested in scripting the process of finding missing default values and adding them.
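As an added example (not FIRMADYNE's own code, and not from the poster), one way to script the override route described above: pull the missing keys out of a serial log and drop one file per key into /firmadyne/libnvram.override/, the directory that nvram_set_default_image copies with /bin/cp. The log line format and the sample log are assumptions and constructed input; the key-name check matters because each key becomes a file name under the override directory.

```python
"""Scripted population of libnvram override defaults.

Added example; it is not part of FIRMADYNE. Assumptions (not confirmed by
the page): a libnvram serial log reports a missing key on a line containing
'Unable to open key: <path>!', and the override directory holds one file
per key whose content is the key's value.
"""
import re
from pathlib import Path

# Assumed log format; adjust the pattern to match the libnvram build in use.
MISSING_KEY_RE = re.compile(r"Unable to open key: (?:/[^\s!]*/)?([^/\s!]+)!")

# Keys become file names, so anything that could escape the override
# directory (path separators, '..', empty names) must be refused.
SAFE_KEY_RE = re.compile(r"[A-Za-z0-9_.\-]+")

# Constructed sample log (not captured from a real emulation run).
SAMPLE_LOG = """\
sem_get: Triggering NVRAM initialization!
nvram_get_buf: Unable to open key: /firmadyne/libnvram/lan_ipaddr!
nvram_get_buf: Unable to open key: /firmadyne/libnvram/wan_proto!
nvram_get_buf: Unable to open key: /firmadyne/libnvram/lan_ipaddr!
"""


def parse_missing_keys(log_text):
    """Return the sorted set of NVRAM keys the log reports as unreadable."""
    keys = set()
    for line in log_text.splitlines():
        m = MISSING_KEY_RE.search(line)
        if m:
            keys.add(m.group(1))
    return sorted(keys)


def is_safe_key(key):
    """True only for names that stay inside the override directory."""
    return bool(SAFE_KEY_RE.fullmatch(key)) and key not in (".", "..")


def write_overrides(defaults, override_dir):
    """Write one file per key into override_dir (e.g.
    /firmadyne/libnvram.override/), mirroring the layout that
    nvram_set_default_image later copies with /bin/cp.
    Returns the paths written; an unsafe key raises ValueError."""
    out = Path(override_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for key, value in sorted(defaults.items()):
        if not is_safe_key(key):
            raise ValueError("refusing unsafe NVRAM key name: %r" % key)
        path = out / key
        path.write_text(str(value))
        written.append(str(path))
    return written


def fill_missing(log_text, known_defaults, override_dir, placeholder=""):
    """Create override files for every key the log reports as missing,
    taking values from known_defaults and a placeholder otherwise.
    Returns the key->value mapping that was written."""
    missing = parse_missing_keys(log_text)
    defaults = {k: known_defaults.get(k, placeholder) for k in missing}
    write_overrides(defaults, override_dir)
    return defaults


if __name__ == "__main__":
    import tempfile
    target = tempfile.mkdtemp()  # stand-in for /firmadyne/libnvram.override/
    print(fill_missing(SAMPLE_LOG, {"lan_ipaddr": "192.168.0.1"}, target))
```

Keys with an empty placeholder still need a real value before the next emulation run; the script only makes the missing set explicit and writes it in the layout the override copy expects.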

Kernel panic - not syncing: No init found

This happens when running a firmware image which may be incomplete (I don't trust the source of the image I have), but it's curious enough:

[    0.688000] sd 0:0:0:0: [sda] Write Protect is off
[    0.688000] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[    0.688000] scsi 1:0:0:0: CD-ROM            QEMU     QEMU DVD-ROM     2.0. PQ: 0 ANSI: 5
[    0.692000] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[    0.692000]  sda: sda1
[    0.700000] sd 0:0:0:0: [sda] Attached SCSI disk
[    0.720000] input: AT Raw Set 2 keyboard as /devices/platform/i8042/serio0/input/input0
[    0.924000] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input1
[    0.940000] VFS: Mounted root (ext2 filesystem) on device 8:1.
[    0.940000] Freeing prom memory: 956k freed
[    0.948000] Freeing unused kernel memory: 220k freed
[    0.960000] firmadyne: do_execve: /firmadyne/console
[    0.960000] OFFSETS: offset of pid: 0x100 offset of comm: 0x1f0
[    0.960000] Kernel panic - not syncing: No init found.  Try passing init= option to kernel.

It complains about a missing init; forcing init=/bin/init on the kernel command line (I verified that it exists and is executable) simply says "cannot execute /bin/init" and ends with the same error.

I believe it's a misconfiguration of the image I'm using as input to the whole process, because it has been quite a pain to get it extracted and something may be missing... Have you ever seen something similar, or anything that could point me in the right direction to search?

Thanks!

'statSetsockopt : Protocol not available' Error

Running run.sh displays the following error when emulating several TP-Link router firmware images for the Archer C2 and C20i. In the following we used Archer_C2(EU)_V1_160512.zip.

sh: can't create /proc/tplink/eth_forward: nonexistent directory
[ openSwitchForwarding ] 204:  get eth_forward status error

statSetsockopt
: Protocol not available
[ stat_getsockopt ] 219:  257 opt error

statSetsockopt
: Protocol not available
[ stat_getsockopt ] 219:  257 opt error

...

Any suggestions?

Our run.sh script and log files:

run.sh.tar.gz

qemu.initial.serial.log.tar.gz

qemu.final.serial.log.tar.gz

/libnvram.defaults not created

I've come across a bug that seems to break makeImage.sh. The error occurs when makeImage.sh is executing fixImage.sh. The output is below. It seems like the /libnvram.defaults directory is never created anywhere. Where is it supposed to be created?

I did attempt to have fixImage.sh create the directory if it was not already, but that causes other issues later when attempting to infer the network. (qemu.initial.serial.log will end with an "unable to mount" error as described in the troubleshooting section for not generating run.sh)

Querying database for architecture... Password for user firmadyne: 
armel
----Running----
----Copying Filesystem Tarball----
----Creating QEMU Image----
Formatting '/root/firmadyne//scratch//5//image.raw', fmt=raw size=1073741824
----Creating Partition Table----

Welcome to fdisk (util-linux 2.28.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xdaf8d020.

Command (m for help): Created a new DOS disklabel with disk identifier 0xb4cfdf9f.

Command (m for help): Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): Partition number (1-4, default 1): First sector (2048-2097151, default 2048): Last sector, +sectors or +size{K,M,G,T,P} (2048-2097151, default 2097151): 
Created a new partition 1 of type 'Linux' and of size 1023 MiB.

Command (m for help): The partition table has been altered.
Syncing disks.

----Mounting QEMU Image----
add map loop0p1 (252:0): 0 2095104 linear 7:0 2048
----Creating Filesystem----
mke2fs 1.42.13 (17-May-2015)
Discarding device blocks: done                            
Creating filesystem with 261888 4k blocks and 65536 inodes
Filesystem UUID: f6508bb1-f56f-4654-81fa-aa5f55c4bdd6
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

----Making QEMU Image Mountpoint----
----Mounting QEMU Image Partition 1----
----Extracting Filesystem Tarball----
----Creating FIRMADYNE Directories----
----Patching Filesystem (chroot)----
Creating /etc/TZ!
Creating /etc/passwd!
Warning: Recreating device nodes!
Removing /etc/scripts/sys_resetbutton!
Creating default rip_multicast!
/fixImage.sh: line 158: can't create /libnvram.defaults/rip_multicast: nonexistent directory
Creating default bs_trustedip_enable!
/fixImage.sh: line 163: can't create /libnvram.defaults/bs_trustedip_enable: nonexistent directory
Creating default filter_rule_tbl!
/fixImage.sh: line 168: can't create /libnvram.defaults/filter_rule_tbl: nonexistent directory
Creating default rip_enable!
/fixImage.sh: line 173: can't create /libnvram.defaults/rip_enable: nonexistent directory

Can't find ./scratch/1/run.sh !

Hi, I can't find the script ./scratch/1/run.sh either.
Here is the result of your commands.
Thanks

root@kali:~/firmadyne# ./scripts/inferNetwork.sh 1
Querying database for architecture... Password for user firmadyne:
mipseb
Running firmware 1: terminating after 60 secs...
main-loop: WARNING: I/O thread spun for 1000 iterations

and
root@kali:~/firmadyne# ./scratch/1/run.sh
-bash: ./scratch/1/run.sh: No such file or directory

How to set FIRMWARE_DIR

# specify full path to FIRMADYNE repository

FIRMWARE_DIR=/home/cc/scraper/firmware/spiders/output/dlink/

FIRMWARE_DIR=/home/cc/firmadyne/

# specify full paths to other directories

BINARY_DIR=/home/cc/firmadyne/binaries/
TARBALL_DIR=/home/cc/firmadyne/images/
SCRATCH_DIR=/home/cc/firmadyne/scratch/
SCRIPT_DIR=/home/cc/firmadyne/scripts/

When I set FIRMWARE_DIR=/home/cc/firmadyne/, it can extract the filesystem. But when I set FIRMWARE_DIR=/home/cc/scraper/firmware/spiders/output/dlink/, it fails to extract the filesystem of the firmware in this directory. What should I do?

What's the username & password for the demo firmware?

Question

When I run the command ./scripts/run-debug.sh 1, I get a screen with "Welcome to SDK ... NETGEAR123456 login". I tried entering 'admin', but it fails. What's the right username and password?

I also tried using ./scratch/1/run.sh and running the command nc -U /tmp/qemu.1.S1 at the same time, but I can't see any output and input seems to have no effect.

Can't ping host from within emulated system

I emulated a router, and from that router's management page I see

 Pinging 192.168.0.2 with 64 bytes of data:

 Request timed out.
 Request timed out.
 Request timed out.
 Request timed out.

 Ping statistics for 192.168.0.2
  Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

Here's the tcpdump from the host.

$ sudo tcpdump -U -X -i tap1 icmp
[sudo] password for user: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap1, link-type EN10MB (Ethernet), capture size 262144 bytes
04:56:56.092439 IP 0.0.0.0 > user-HP-Compaq-Elite-8300-CMT: ICMP echo request, id 411, seq 0, length 72
    0x0000:  4500 005c 0000 4000 4001 79f7 0000 0000  E..\..@.@.y.....
    0x0010:  c0a8 0002 0800 2602 019b 0000 1994 4d65  ......&.......Me
    0x0020:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0030:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0040:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0050:  5050 5050 5050 5050 5050 5050            PPPPPPPPPPPP
04:56:57.700227 IP 0.0.0.0 > user-HP-Compaq-Elite-8300-CMT: ICMP echo request, id 411, seq 1, length 72
    0x0000:  4500 005c 0000 4000 4001 79f7 0000 0000  E..\..@.@.y.....
    0x0010:  c0a8 0002 0800 9d8f 019b 0001 19ac d5be  ................
    0x0020:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0030:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0040:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0050:  5050 5050 5050 5050 5050 5050            PPPPPPPPPPPP
04:56:59.308334 IP 0.0.0.0 > user-HP-Compaq-Elite-8300-CMT: ICMP echo request, id 411, seq 2, length 72
    0x0000:  4500 005c 0000 4000 4001 79f7 0000 0000  E..\..@.@.y.....
    0x0010:  c0a8 0002 0800 13cf 019b 0002 19c5 5f65  .............._e
    0x0020:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0030:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0040:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0050:  5050 5050 5050 5050 5050 5050            PPPPPPPPPPPP
04:57:00.916516 IP 0.0.0.0 > user-HP-Compaq-Elite-8300-CMT: ICMP echo request, id 411, seq 3, length 72
    0x0000:  4500 005c 0000 4000 4001 79f7 0000 0000  E..\..@.@.y.....
    0x0010:  c0a8 0002 0800 89e7 019b 0003 19dd e933  ...............3
    0x0020:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0030:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0040:  5050 5050 5050 5050 5050 5050 5050 5050  PPPPPPPPPPPPPPPP
    0x0050:  5050 5050 5050 5050 5050 5050            PPPPPPPPPPPP

The source IP in the tcpdump is 0.0.0.0, and that probably explains why the host didn't reply. Any ideas on why this is the case?

FIRMWARE_DIR: unbound variable

Hi.

When I run the getArch.sh script, I get the following error:

hacker@hacker-VirtualBox:~/firmadyne$ ./scripts/getArch.sh ./images/1.tar.gz
./firmadyne.config: line 7: FIRMWARE_DIR: unbound variable

--
hacker@hacker-VirtualBox:~/firmadyne$ pwd
/home/hacker/firmadyne
hacker@hacker-VirtualBox:~/firmadyne$ cat firmadyne.config
#!/bin/sh

# uncomment and specify full path to FIRMADYNE repository
#FIRMWARE_DIR=/home/hacker/firmadyne/

# specify full paths to other directories
BINARY_DIR=${FIRMWARE_DIR}/binaries/
TARBALL_DIR=${FIRMWARE_DIR}/images/
SCRATCH_DIR=${FIRMWARE_DIR}/scratch/
SCRIPT_DIR=${FIRMWARE_DIR}/scripts/

# functions to safely compute other paths
check_arch () {
    ARCHS=("armel" "mipseb" "mipsel")

    if [ -z "${1}" ]; then
        return 0
    fi

    match=0
    for i in "${ARCHS[@]}"; do
        if [ "${1}" == "$i" ]; then
            match=1
        fi
    done

    if [ "${match}" -eq 0 ]; then
        return 0
    fi

    return 1
}

check_number () {
    if [ "${1}" -ge 0 ]; then
        return 1
    fi

    return 0
}

check_root () {
    if [ "${EUID}" -eq 0 ]; then
        return 1
    fi

    return 0
}

get_console () {
    if check_arch "${1}"; then
        echo "Error: Invalid architecture!"
        exit 1
    fi

    echo "${BINARY_DIR}/console.${1}"
}

get_fs () {
    if check_number "${1}"; then
        echo "Error: Invalid image number!"
        exit 1
    fi

    echo "`get_scratch "${1}"`/image.raw"
}

get_fs_mount () {
    if check_number "${1}"; then
        echo "Error: Invalid image number!"
        exit 1
    fi

    echo "`get_scratch "${1}"`/image/"
}

get_kernel () {
    if check_arch "${1}"; then
        echo "Error: Invalid architecture!"
        exit 1
    fi

    case "${1}" in
        armel)
            echo "${BINARY_DIR}/zImage.${1}"
            ;;
        mipseb)
            echo "${BINARY_DIR}/vmlinux.${1}"
            ;;
        mipsel)
            echo "${BINARY_DIR}/vmlinux.${1}"
            ;;
        *)
            echo "Error: Invalid architecture!"
            exit 1
    esac
}

get_nvram () {
    if check_arch "${1}"; then
        echo "Error: Invalid architecture!"
        exit 1
    fi

    echo "${BINARY_DIR}/libnvram.so.${1}"
}

get_qemu () {
    if check_arch "${1}"; then
        echo "Error: Invalid architecture!"
        exit 1
    fi

    case "${1}" in
        armel)
            echo "qemu-system-arm"
            ;;
        mipseb)
            echo "qemu-system-mips"
            ;;
        mipsel)
            echo "qemu-system-mipsel"
            ;;
        *)
            echo "Error: Invalid architecture!"
            exit 1
    esac
}

get_qemu_disk () {
    if check_arch "${1}"; then
        echo "Error: Invalid architecture!"
        exit 1
    fi

    case "${1}" in
        armel)
            echo "/dev/vda1"
            ;;
        mipseb)
            echo "/dev/sda1"
            ;;
        mipsel)
            echo "/dev/sda1"
            ;;
        *)
            echo "Error: Invalid architecture!"
            exit 1
    esac
}

get_qemu_machine () {
    if check_arch "${1}"; then
        echo "Error: Invalid architecture!"
        exit 1
    fi

    case "${1}" in
        armel)
            echo "virt"
            ;;
        mipseb)
            echo "malta"
            ;;
        mipsel)
            echo "malta"
            ;;
        *)
            echo "Error: Invalid architecture!"
            exit 1
    esac
}

get_scratch () {
    if check_number "${1}"; then
        echo "Error: Invalid image number!"
        exit 1
    fi

    echo "${SCRATCH_DIR}/${IID}/"
}

get_device () {
    echo "/dev/mapper/loop0p1"
}

What is the problem?
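As an added example (not firmadyne's code and not part of this issue), a small POSIX shell checker that exercises a firmadyne.config the way the project's scripts consume it: they source it under `set -u`, which is what turns the commented-out FIRMWARE_DIR into the "unbound variable" abort at line 7, the first `${FIRMWARE_DIR}` expansion, rather than at the comment. The demo functions write constructed configs into a temporary directory; those paths are assumptions, not real firmadyne paths.

```shell
#!/bin/sh
# Added example, not firmadyne's own code. Checks a firmadyne.config the way the
# project's scripts consume it: they source it under `set -u`, so a commented-out
# FIRMWARE_DIR aborts at the first ${FIRMWARE_DIR} expansion (line 7 in the
# report above, BINARY_DIR=${FIRMWARE_DIR}/binaries/), not at the comment itself.

# Print a diagnostic and return non-zero if the config cannot be used.
validate_firmadyne_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "config not found: $cfg"; return 1; }

    # 1. Source under `set -u` in a subshell: reproduces the fatal error without
    #    killing the caller, and captures the shell's own error message.
    err=$(set -u; . "$cfg" 2>&1) || {
        echo "config fails under set -u: $err"
        return 1
    }

    # 2. FIRMWARE_DIR must be an absolute path to an existing directory.
    fw=$(. "$cfg" 2>/dev/null; printf '%s' "${FIRMWARE_DIR:-}")
    case "$fw" in
        /*) [ -d "$fw" ] || { echo "FIRMWARE_DIR is not a directory: $fw"; return 1; } ;;
        *)  echo "FIRMWARE_DIR is unset or not absolute: '$fw'"; return 1 ;;
    esac

    # 3. The derived directories must exist, or getArch/extractor fail later anyway.
    for sub in binaries images scratch scripts; do
        [ -d "$fw/$sub" ] || { echo "missing directory: $fw/$sub"; return 1; }
    done
    echo "ok: FIRMWARE_DIR=$fw"
}

# Constructed demos in a temporary directory (assumed paths, not real ones).
# Broken: FIRMWARE_DIR commented out, exactly as in the report above.
demo_broken() {
    t=$(mktemp -d)
    printf '#FIRMWARE_DIR=%s/\nBINARY_DIR=${FIRMWARE_DIR}/binaries/\n' "$t" > "$t/firmadyne.config"
    if validate_firmadyne_config "$t/firmadyne.config"; then rc=0; else rc=1; fi
    rm -rf "$t"; return $rc
}

# Fixed: FIRMWARE_DIR uncommented and pointing at a tree with the expected subdirectories.
demo_fixed() {
    t=$(mktemp -d)
    mkdir -p "$t/binaries" "$t/images" "$t/scratch" "$t/scripts"
    printf 'FIRMWARE_DIR=%s/\nBINARY_DIR=${FIRMWARE_DIR}/binaries/\n' "$t" > "$t/firmadyne.config"
    if validate_firmadyne_config "$t/firmadyne.config"; then rc=0; else rc=1; fi
    rm -rf "$t"; return $rc
}
```

Run it with bash, as firmadyne's scripts are, when pointing it at a real firmadyne.config: that file uses bash arrays, which a plain POSIX sh cannot parse.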
