
Firmware diffing

Michael Messner edited this page Oct 4, 2023 · 21 revisions

Note: Preview information! Not finished! Currently not included in EMBA! Planned for v1.3.1 :)

Identifying the relevant changes between firmware releases is an essential step in bug hunting. In exploit development, for example, you are interested in the changes between two firmware versions: the vulnerable version compared to the fixed version. As it is usually quite hard to extract enough useful information from the published advisories or the CVE details, the only option you have is to check the real differences between the relevant firmware releases. This allows you to tear down the fixed vulnerability and write an exploit for it.

EMBA can support you in your teardown process, as it is able to identify the differences between firmware versions using fuzzy hashing with ssdeep.
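The tree-level comparison this mode performs, as an added example that is not EMBA's own code: it walks two extracted firmware directories, reports added, removed and unchanged files, and scores the modified files by similarity so the least similar ones can be examined first. difflib's SequenceMatcher stands in for ssdeep so the script runs without the ssdeep tool, and the two firmware trees it compares are constructed sample data, not real firmware.

```python
import os
import tempfile
from difflib import SequenceMatcher


def _index(root):
    """Map relative path -> absolute path for every file below root."""
    return {os.path.relpath(os.path.join(d, f), root): os.path.join(d, f)
            for d, _, files in os.walk(root) for f in files}


def diff_firmware_trees(old_root, new_root):
    """Classify files as added/removed/unchanged/modified; modified files carry
    a 0-100 similarity score (difflib in place of EMBA's ssdeep), least-similar first."""
    old, new = _index(old_root), _index(new_root)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "unchanged": [], "modified": []}
    for rel in sorted(set(old) & set(new)):
        with open(old[rel], "rb") as f1, open(new[rel], "rb") as f2:
            a, b = f1.read(), f2.read()
        if a == b:
            report["unchanged"].append(rel)  # byte-identical, nothing to look at
        else:
            score = round(SequenceMatcher(None, a, b).ratio() * 100)
            report["modified"].append((rel, score))
    report["modified"].sort(key=lambda item: item[1])
    return report


def build_demo_trees():
    """Write two constructed mini firmware trees (sample bytes, not real firmware)."""
    base = tempfile.mkdtemp()
    old, new = os.path.join(base, "fw_old"), os.path.join(base, "fw_new")
    sample = {  # relative path: (bytes in old release, bytes in new release)
        "etc/version": (b"2.05b01\n", b"2.06b01\n"),
        "bin/httpd": (b"cgi-bin/" * 50 + b"strcpy(buf, q)",
                      b"cgi-bin/" * 50 + b"strlcpy(buf, q, 64)"),
        "lib/libc.so": (b"\x7fELF" + b"\x00" * 200, b"\x7fELF" + b"\x00" * 200),
        "bin/telnetd": (b"telnet" * 30, None),     # dropped in the new release
        "bin/dropbear": (None, b"dropbear" * 30),  # added in the new release
    }
    for rel, contents in sample.items():
        for root, data in zip((old, new), contents):
            if data is not None:
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
    return old, new
```

Running `diff_firmware_trees(*build_demo_trees())` lists the added and removed binaries and ranks the two modified files, with the version string (small edit, low similarity) ahead of the web server binary.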

For this diffing mechanism we introduced the -o option, which allows you to specify a 2nd firmware image.

image

The 2nd firmware is usually the newer firmware version (the fixed one). Start EMBA with the following options to perform the firmware diffing procedure:

sudo ./emba -f ~/DIR600B1_2_FW205b01.zip -o ~/DIR600B_FW206b01_FOR_Hardware_B.bin -l ~/emba_logs_dir600-diff

Note: EMBA does not perform a usual firmware analysis in this mode!

Overview of both firmware images

In diff mode EMBA first gives some details of both firmware images.

1st firmware overview:

image

2nd firmware overview:

image

Extraction of both firmware images

1st firmware extraction:

image

2nd firmware extraction:

image

Fuzz diffing firmware

Overview page:

image

ASCII diffing details:

image

Binary diffing details:

image

image