

FACT firmware analysis / comparison platform walkthrough

Posted by chiappelli at 2020-03-11

FACT (full name: Firmware Analysis and Comparison Tool) is an automated firmware analysis platform with a web front end. It is designed to perform security analysis of firmware automatically (routers, IoT devices, UEFI, webcams, drones, etc.). The tool is built on the Python Flask framework, uses a modular design and supports plug-ins, which makes secondary development and customization very convenient. FACT automatically unpacks the firmware and then analyzes it, covering:

Software identification:
    Which operating system is used?
    Which programs are present?
    Which versions are used?
    Which services start at boot?
    Which vulnerabilities are present?

User credential discovery

Detection of cryptographic material:
    Private keys

CPU architecture (needed for emulation and disassembly)


FACT also automates firmware comparison, which makes it easy to see what changed between an old and a new version, to find where the vendor updated the new firmware, and to tell whether an image is the vendor's original firmware. For example: identifying changed / identical files and identifying changed software versions.

0x02 main functionality analysis

The business logic of FACT consists of three parts: unpacking (firmware unpacking), analysis (firmware system analysis) and comparison (firmware comparison). Each of the three consists of two components: a scheduler (task scheduler) and a set of plug-ins.

The overall workflow of FACT is as follows:

The firmware unpacking workflow is as follows:

When identifying the file type, FACT calls the "file" command and labels the file with a MIME type from its own MIME library. Once the file type is determined, the scheduler selects the matching plug-in for the unpacking task.
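To make the unpacking workflow concrete, here is an added example (written for this article, not FACT's own code) of the same two stages: identify the MIME type, first from an embedded signature table and then from the system "file" command if available, and then let a registry pick the unpacking plug-in, falling back to a generic plug-in when no dedicated unpacker exists. It goes one step beyond the text by unpacking recursively, since unpacked children are themselves fed back into identification. The signature table, the plug-in names (gzip_unpacker, zip_unpacker, generic_carver) and the custom "filesystem/" and "firmware/" MIME names are constructed for the example.

```python
import gzip
import io
import shutil
import subprocess
import zipfile
from typing import Callable, Dict, List, Optional, Tuple

# Constructed magic-number table standing in for FACT's own MIME library.
# Entries: (offset, signature, MIME type). The "filesystem/" and "firmware/"
# names are made up for this example.
MAGIC_TABLE: List[Tuple[int, bytes, str]] = [
    (0, b"\x1f\x8b", "application/gzip"),
    (0, b"PK\x03\x04", "application/zip"),
    (0, b"hsqs", "filesystem/squashfs"),
    (0, b"\x7fELF", "application/x-executable"),
    (0, b"\x27\x05\x19\x56", "firmware/uimage"),
]


def mime_from_magic(data: bytes) -> Optional[str]:
    """First stage: match the blob against the embedded signature table."""
    for offset, signature, mime in MAGIC_TABLE:
        if data[offset:offset + len(signature)] == signature:
            return mime
    return None


def mime_from_file_command(path: str) -> Optional[str]:
    """Second stage: ask the system `file` tool, as FACT does, if it is installed."""
    if shutil.which("file") is None:
        return None
    proc = subprocess.run(["file", "--brief", "--mime-type", path],
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip() or None


def identify(data: bytes, path: Optional[str] = None) -> str:
    mime = mime_from_magic(data)
    if mime is None and path is not None:
        mime = mime_from_file_command(path)
    return mime or "application/octet-stream"


# Plug-in registry: MIME type -> (plug-in name, unpack function).
REGISTRY: Dict[str, Tuple[str, Callable[[bytes], List[bytes]]]] = {}


def unpacker(name: str, *mime_types: str):
    """Decorator that registers an unpacking plug-in for the given MIME types."""
    def register(fn):
        for mime in mime_types:
            REGISTRY[mime] = (name, fn)
        return fn
    return register


@unpacker("gzip_unpacker", "application/gzip")
def unpack_gzip(data: bytes) -> List[bytes]:
    return [gzip.decompress(data)]


@unpacker("zip_unpacker", "application/zip")
def unpack_zip(data: bytes) -> List[bytes]:
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [archive.read(name) for name in archive.namelist()]


@unpacker("generic_carver", "application/octet-stream")
def generic_carver(data: bytes) -> List[bytes]:
    # Hypothetical fallback plug-in for types without a dedicated unpacker.
    # A real carver would search for embedded signatures; here it yields nothing.
    return []


def select_plugin(mime: str) -> Tuple[str, Callable[[bytes], List[bytes]]]:
    """The scheduler's choice: dedicated plug-in if registered, else the fallback."""
    return REGISTRY.get(mime, REGISTRY["application/octet-stream"])


def unpack_recursive(data: bytes, depth: int = 0, max_depth: int = 8) -> dict:
    """Unpack a blob and every child it yields; max_depth bounds the nesting."""
    mime = identify(data)
    name, fn = select_plugin(mime)
    children: List[dict] = []
    if depth < max_depth:
        for child in fn(data):
            children.append(unpack_recursive(child, depth + 1, max_depth))
    return {"mime": mime, "plugin": name, "size": len(data), "children": children}


def build_sample_image() -> bytes:
    """Constructed sample: a gzip stream wrapping a zip that holds an ELF stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("bin/busybox", b"\x7fELF" + b"\x00" * 12)
    return gzip.compress(buf.getvalue())


if __name__ == "__main__":
    import json
    print(json.dumps(unpack_recursive(build_sample_image()), indent=2))
```

The depth limit matters in practice: a malformed or deliberately nested image would otherwise keep the unpacker busy indefinitely, which is exactly the kind of resource exhaustion an automated platform has to guard against.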

The flow chart of firmware system analysis is as follows:

The scheduler calls only one plug-in at a time and moves on to the next plug-in only when the previous plug-in's task has finished; a plug-in may itself work with multiple threads; and a plug-in can access the results of the plug-ins that ran before it.
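The three properties just described (one plug-in at a time, threads inside a plug-in, later plug-ins reading earlier results) are easiest to see in code. The following is an added example written for this article, not FACT's own scheduler or plug-ins: plug-ins declare a NAME and DEPENDENCIES, the scheduler orders them topologically and runs them sequentially, the software_components plug-in searches its version patterns in parallel threads over the strings produced by printable_strings, and outdated_software reads software_components. The plug-in names, the version patterns, the minimum-version baseline and the sample binary are all constructed for the example.

```python
import hashlib
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional, Tuple


class FileObject:
    """The unit of work handed from plug-in to plug-in."""
    def __init__(self, name: str, data: bytes):
        self.name = name
        self.data = data
        self.processed_analysis: Dict[str, dict] = {}   # plug-in name -> result


class AnalysisPlugin:
    NAME = "base"
    DEPENDENCIES: List[str] = []

    def process(self, fo: FileObject) -> None:
        raise NotImplementedError


class FileHashes(AnalysisPlugin):
    NAME = "file_hashes"

    def process(self, fo):
        fo.processed_analysis[self.NAME] = {"sha256": hashlib.sha256(fo.data).hexdigest()}


class PrintableStrings(AnalysisPlugin):
    NAME = "printable_strings"

    def process(self, fo):
        found = re.findall(rb"[\x20-\x7e]{4,}", fo.data)
        fo.processed_analysis[self.NAME] = {"strings": [s.decode() for s in found]}


# Constructed version patterns: product -> regex over the extracted strings.
VERSION_PATTERNS: Dict[str, str] = {
    "OpenSSL": r"OpenSSL (\d+\.\d+\.\d+[a-z]?)",
    "BusyBox": r"BusyBox v(\d+\.\d+\.\d+)",
    "Dropbear": r"dropbear_(\d{4}\.\d+)",
}


class SoftwareComponents(AnalysisPlugin):
    NAME = "software_components"
    DEPENDENCIES = ["printable_strings"]   # reads the earlier plug-in's result

    def process(self, fo):
        text = "\n".join(fo.processed_analysis["printable_strings"]["strings"])

        def search(item: Tuple[str, str]) -> Optional[Tuple[str, str]]:
            product, pattern = item
            match = re.search(pattern, text)
            return (product, match.group(1)) if match else None

        # The plug-in itself is multi-threaded: one worker per product pattern.
        with ThreadPoolExecutor(max_workers=4) as pool:
            hits = [h for h in pool.map(search, VERSION_PATTERNS.items()) if h]
        fo.processed_analysis[self.NAME] = dict(hits)


# Constructed baseline; anything older than these versions is flagged.
MINIMUM_VERSIONS = {"OpenSSL": "1.1.1", "BusyBox": "1.30.0", "Dropbear": "2019.78"}


def version_key(version: str) -> Tuple[int, ...]:
    """Compare versions on their numeric parts only ('1.0.2k' -> (1, 0, 2))."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


class OutdatedSoftware(AnalysisPlugin):
    NAME = "outdated_software"
    DEPENDENCIES = ["software_components"]

    def process(self, fo):
        found = fo.processed_analysis["software_components"]
        outdated = sorted(p for p, v in found.items()
                          if p in MINIMUM_VERSIONS
                          and version_key(v) < version_key(MINIMUM_VERSIONS[p]))
        fo.processed_analysis[self.NAME] = {"outdated": outdated}


class AnalysisScheduler:
    def __init__(self, plugins: List[AnalysisPlugin]):
        self.plugins = {p.NAME: p for p in plugins}

    def order(self) -> List[str]:
        """Topological order so every plug-in runs after its dependencies."""
        done: List[str] = []

        def visit(name: str, stack: Tuple[str, ...] = ()):
            if name in done:
                return
            if name in stack:
                raise ValueError(f"dependency cycle at {name}")
            for dep in self.plugins[name].DEPENDENCIES:
                visit(dep, stack + (name,))
            done.append(name)

        for name in sorted(self.plugins):
            visit(name)
        return done

    def run(self, fo: FileObject) -> Dict[str, dict]:
        for name in self.order():           # one plug-in at a time
            self.plugins[name].process(fo)
        return fo.processed_analysis


# Constructed sample binary: an ELF-looking stub with version banners inside.
SAMPLE_BINARY = (b"\x7fELF" + b"\x00" * 8
                 + b"OpenSSL 1.0.2k  26 Jan 2017\x00"
                 + b"BusyBox v1.20.2 (2013-01-01)\x00"
                 + b"dropbear_2012.55\x00")


def analyse_sample() -> Dict[str, dict]:
    scheduler = AnalysisScheduler([FileHashes(), PrintableStrings(),
                                   SoftwareComponents(), OutdatedSoftware()])
    return scheduler.run(FileObject("sample.bin", SAMPLE_BINARY))
```

Running analyse_sample() yields software_components with the three banners' versions and outdated_software flagging all three against the constructed baseline; the scheduler order is file_hashes, printable_strings, software_components, outdated_software regardless of the order the plug-ins were registered in.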

The firmware comparison workflow is as follows:

The firmware comparison task is separate from the firmware analysis task: the firmware images to be compared must be analyzed first, and you enter the UIDs of the firmware images to compare manually. Comparison runs in a single thread, which keeps its resource usage relatively low.
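The following added example (written for this article, not FACT's own comparison code) shows both the comparison outputs listed earlier (changed / identical files, changed software versions) and the precondition just stated: the two UIDs are looked up in the store of finished analyses, and comparison refuses to run if either image has not been analyzed. The UID layout "<sha256>_<size>" follows FACT's convention as I understand it and is an assumption here; the two sample images, their file trees and the software versions are constructed.

```python
import hashlib
from typing import Dict


def make_uid(data: bytes) -> str:
    """Content-derived identifier, '<sha256>_<size>' (assumed FACT convention)."""
    return f"{hashlib.sha256(data).hexdigest()}_{len(data)}"


def analyse(files: Dict[str, bytes], software: Dict[str, str]) -> dict:
    """Stand-in for a finished analysis: file tree (path -> content uid)
    plus the software versions the analysis found."""
    return {"files": {path: make_uid(content) for path, content in files.items()},
            "software": dict(software)}


# Constructed sample images: a vendor release and its follow-up update.
OLD_IMAGE, NEW_IMAGE = b"constructed-old-image", b"constructed-new-image"
OLD_UID, NEW_UID = make_uid(OLD_IMAGE), make_uid(NEW_IMAGE)

# Constructed stand-in for the analysis database (firmware uid -> result).
ANALYSIS_DB: Dict[str, dict] = {
    OLD_UID: analyse({"/bin/busybox": b"busybox-1.20",
                      "/etc/passwd": b"root:x:0:0",
                      "/www/index.html": b"<h1>v1</h1>"},
                     {"BusyBox": "1.20.2", "OpenSSL": "1.0.2k"}),
    NEW_UID: analyse({"/bin/busybox": b"busybox-1.30",
                      "/etc/passwd": b"root:x:0:0",
                      "/www/index.html": b"<h1>v1</h1>",
                      "/www/debug.cgi": b"#!/bin/sh"},
                     {"BusyBox": "1.30.1", "OpenSSL": "1.0.2k"}),
}


def compare(db: Dict[str, dict], uid_a: str, uid_b: str) -> dict:
    """Compare two analysed images a (old) and b (new) by their UIDs."""
    missing = [u for u in (uid_a, uid_b) if u not in db]
    if missing:
        # The comparison task depends on finished analyses; refuse otherwise.
        raise LookupError(f"not analysed yet, run analysis first: {missing}")
    a, b = db[uid_a], db[uid_b]
    paths_a, paths_b = set(a["files"]), set(b["files"])
    common = paths_a & paths_b
    identical = sorted(p for p in common if a["files"][p] == b["files"][p])
    changed = sorted(p for p in common if a["files"][p] != b["files"][p])
    products = set(a["software"]) | set(b["software"])
    version_changes = {p: (a["software"].get(p), b["software"].get(p))
                       for p in sorted(products)
                       if a["software"].get(p) != b["software"].get(p)}
    # Share of b's files present unchanged in a: a high value suggests b is
    # derived from the vendor image a rather than rebuilt from scratch.
    identical_ratio = len(identical) / len(paths_b) if paths_b else 0.0
    return {
        "identical": identical,
        "changed": changed,
        "added": sorted(paths_b - paths_a),
        "removed": sorted(paths_a - paths_b),
        "version_changes": version_changes,
        "identical_ratio": round(identical_ratio, 2),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare(ANALYSIS_DB, OLD_UID, NEW_UID), indent=2))
```

Comparing files by content UID rather than by path is what lets the "identical" set stay exact even when timestamps or metadata differ; a new file such as the added debug CGI shows up in "added" and is the kind of change worth a closer look.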

0x03 specific code analysis

The configuration file of FACT is located at ./src/config/main.cfg.

Because the code structure of the three business functions of FACT is similar, the unpack function is taken as the example to explain the code logic in detail. The unpack service runs as part of the backend service, which is started by ./start_fact_backend.py.

./src/scheduler/unpacking.py is responsible for creating and scheduling the unpacking tasks.

./src/unpacker/unpack.py is responsible for performing the actual unpacking.

0x04 directory structure analysis

FACT_core-master/src
├─analysis '' firmware analysis task scripts
│  ├─bootstrap
│  └─patches
├─compare '' firmware comparison task scripts
├─config '' configuration
├─helperFunctions '' helper functions
├─intercom '' data exchange definitions
├─mime '' MIME resources for file-type identification
├─objects '' object type definitions
├─plugins '' plug-in collection
│  ├─analysis
│  │  ├─architecture_detection
│  │     ├─code
│  │     ├─test
│  │     │  └─data
│  │     └─view
│  ├─compare
│  └─unpacking
├─scheduler '' scheduler scripts
├─statistic '' task statistics
├─storage '' data storage interface
├─test
├─unpacker '' firmware unpacking task scripts
└─web_interface '' web front end

0x05 installation and use

Installing FACT is straightforward: by following the instructions on FACT's GitHub page you can set up a FACT platform easily. Using the Tsinghua mirror for the installation is recommended. When installing, it is suggested to add the -n parameter so that nginx is installed at the same time. In actual use the original web front end is entirely in English; it is more comfortable after being translated into Chinese...

0x06 postscript

Running the platform requires a certain hardware configuration and consumes a lot of resources. The code structure is rigorous, the logic is clear, and the workflow design of the core functions is nice. The practical scheduler plus plug-in set design makes secondary development very convenient. The security of the web front end is low, so running it as a public service is not recommended. A plug-in that automatically extracts the web paths inside the firmware and audits them has been proposed, but the maintainers haven't replied yet. Firmware emulation doesn't seem to be integrated yet; I haven't found the relevant code for it.

FACT: https://github.com/fkie-cad/FACT_core