-
-
Notifications
You must be signed in to change notification settings - Fork 237
Firmware diffing
The identification of the relevant changes between firmware releases is an essential step in bug hunting. For example, in exploit development you are sometimes interested in the changes between two firmware versions - The vulnerable version compared to the fixed version. As it is usually quite hard to extract enough useful information from the published advisories or the CVE details, the only possibility is to check the real differences between the relevant firmware releases. This allows a tear down of the fixed vulnerability and probably write an exploit for it.
EMBA can support you in your tear down process as it is able to identify the differences between different firmware versions using fuzzy hashing with ssdeep.
For this diff mechanisms we introduced the -o
option. This allows the setup of a 2nd firmware.
The 2nd firmware is usually the newer firmware version (the fixed one). Start EMBA with the following options to perform the firmware diffing procedure:
sudo ./emba -f ~/DIR600B1_2_FW205b01.zip -o ~/DIR600B_FW206b01_FOR_Hardware_B.bin -l ~/emba_logs_dir600-diff
Note: EMBA does not perform a usual firmware analysis in this mode! After the diffing check you can also perform your usual firmware analysis of the firmware images.
In diff mode EMBA first gives some details of both firmware images. This is similar to the already known P02 module but for both firmware images.
In the following screenshot some details of the firmware images are shown. Currently, the available details are the output of the file command, entropy analysis, checksum and a the output of the first few bytes as hexdump:
For further analysis it is needed to extract both firmware images before comparing them. As usual we are using Unblob as our main extractor:
Finally EMBA tries to find every file from the first directory/firmware als in the second extracted firmware directory. If the file is available we automatically check if it is a binary or something clear text.
The overview page is the main page of the firmware diffing results. It shows if a file is modified, if it is something kind of ascii or binary and finally it links to further results:
EMBA - firmware security scanning at its best
Sponsor EMBA and EMBArk:
The EMBA environment is free and open source!
We put a lot of time and energy into these tools and related research to make this happen. It's now possible for you to contribute as a sponsor!
If you like EMBA you have the chance to support future development by becoming a Sponsor
Thank You ❤️ Get a Sponsor
You can also buy us some beer here ❤️ Buy me a coffee
To show your love for EMBA with nice shirts or other merch you can check our Spreadshop
EMBA - firmware security scanning at its best