This is a firmware scraper that aims to download firmware images and associated metadata from supported device vendor websites. The original version was developed at https://github.com/firmadyne/scraper; the spiders have been extended and updated.
To run a specific scraper, e.g. dlink:
scrapy crawl dlink
To run all scrapers with a maximum of 4 in parallel, using GNU Parallel (the scraper is not fully tested when running in parallel):
parallel -j 4 scrapy crawl ::: `for i in ./firmware/spiders/*.py; do basename ${i%.*}; done`
The ./metadata folder contains the metadata of the firmware images used in the paper. The JSON files include the download links, firmware categories, release times, etc.
- 360: `/metadata/360.json`
- AVM: `/metadata/avm.json`
- belkin: `/metadata/belkin.json`
- buffalo: `/metadata/buffalo.json`
- camius: `/metadata/camius.json`
- dlink: `/metadata/dlink.json`
- hikvision: `/metadata/hikvision.json`
- linksys: `/metadata/linksys.json`
- mercury: `/metadata/mercury.json`
- mikrotik: `/metadata/mikrotik.json`
- netcore: `/metadata/netcore.json`
- netgear: `/metadata/netgear.json`
- openwrt: `/metadata/openwrt.json`
- router-tech: `/metadata/routertech.json`
- supermirco: `/metadata/supermirco.json`
- Tenda: `/metadata/tenda-zh.json`, `/metadata/tenda-en.json`
- tenvis: `/metadata/tenvis.json`
- tomato-shibby: `/metadata/tomato.json`
- Tp-link: `/metadata/tplink-en.json`, `/metadata/tplink-zh.json`
- Trendnet: `/metadata/trendnet.json`
- ubiquiti: `/metadata/ubiquiti.json`
- ublox: `/metadata/ublox.json`
- zyxel: `/metadata/zyxel.json`
The ELF analyzer takes one file as input and checks the mitigations adopted by the ELF binary. We use Binary Ninja to disassemble statically linked binaries to verify Stack Canary and Fortify Source. This functionality is kept separate from elf_analyzer.py because Binary Ninja is a commercial tool that is unavailable to the general public.
- elftools
- pwntools
- Binary Ninja (optional)
Run with the following command:
python3 elf_analyzer.py file_path
The output includes the mitigations adopted by the ELF binary:
File name: /bin/ls
Arch: amd64-64
Dynamic linked: Yes
PIE/PIC: Yes
Protected with Canary: Yes
Protected with NX: Yes
Protected with full RELRO
Protected with Fortify Source: Yes
To accurately verify Stack Canary & Fortify Source in a statically linked binary, run the following command with Binary Ninja correctly installed:
python3 stc_stack.py file_path
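The header-level part of such a mitigation check can be done with the Python standard library alone. The following is an added example, not code from elf_analyzer.py: it covers only little-endian ELF64 and only NX, RELRO presence, PIE/PIC and dynamic linking (Stack Canary and Fortify Source need symbol or disassembly analysis, as described above). The names `check_elf64` and `build_sample` are hypothetical, and the sample inputs are constructed.

```python
import struct

PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 0x1, 2, 3

def check_elf64(data: bytes) -> dict:
    """Report mitigations visible in the headers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    flags = {}  # p_type -> p_flags of the last segment of that type
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        flags[p_type] = p_flags
    return {
        "dynamically_linked": PT_INTERP in flags,  # requests a dynamic loader
        "pie_pic": e_type == ET_DYN,
        # No PT_GNU_STACK at all is reported as "no NX": the stack may be executable.
        "nx": PT_GNU_STACK in flags and not flags[PT_GNU_STACK] & PF_X,
        # Presence means partial or full RELRO; full additionally needs BIND_NOW.
        "relro": PT_GNU_RELRO in flags,
    }

def build_sample(e_type: int, segments: list) -> bytes:
    """Constructed input: ELF64 header followed by bare program headers."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                         64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<II6Q", t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
    return ident + header + phdrs

# Constructed samples (not real firmware binaries).
HARDENED = build_sample(ET_DYN, [(PT_INTERP, 4), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
LEGACY = build_sample(ET_EXEC, [(1, 7)])  # one RWX PT_LOAD, nothing else

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, check_elf64(blob))
```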
The kernel analyzer takes an ELF-format Linux kernel as input and checks the Linux kernel version and the existence of kernel attack mitigations. vmlinux-to-elf can be used to convert a raw-format Linux kernel into a fully analyzable ELF file.
The kernel_example folder contains a raw-format Linux kernel and its corresponding recovered ELF-format Linux kernel. To check the mitigations, run the example with the following command:
bash kernel_analyzer.sh -f kernel_example/elf_kernel
If your research finds one or several components of this work useful, please cite the following paper:
@article{yu2022building,
title={Building Embedded Systems Like It's 1996},
author={Yu, Ruotong and Del Nin, Francesca and Zhang, Yuchen and Huang, Shan and Kaliyar, Pallavi and Zakto, Sarah and Conti, Mauro and Portokalidis, Georgios and Xu, Jun},
journal={arXiv preprint arXiv:2203.06834},
year={2022}
}