- Ghidra 10.2.2
- Python version > 3.6
- Replace the `ARMTHUMBinstructions.sinc` file in `<your_ghidra_path>/Ghidra/Processors/ARM/data/languages/` with the one in the `code/` folder
- A MySQL database server to import the firmware database in `database/cortexm_firmware_merged_fw.sql`
- Firmware dataset: Link
- Firmware disassembly results: Link
Files marked with * are not required in replicating results.
```
├── code
│ ├── string_search
│ │ ├── search_string.py /* Search strings in the firmware image */
│ │ ├── strings.txt /* All strings to search */
│ │ ├── strings_mbed.txt /* String searching results for Mbed OS */
│ │ ├── strings_rtos.txt /* String searching results for RTOS */
│ │ ├── strings_smashing.txt /* String searching results for stack canary string */
│ │ ├── strings_stack.txt /* String searching results for stack string */
│ │ └── strings_zephyr.txt /* String searching results for Zephyr OS */
│ ├── ARMTHUMBinstructions.sinc /* Ghidra ARM THUMB ISA specification with stack limit register support */
│ ├── build_database.py* /* Build database from the directory */
│ ├── export_ascii.py /* Export ASCII disassembly from a raw binary image */
│ ├── export_elf_ascii.py* /* Export ASCII disassembly from an ELF image */
│ ├── get_base.sh /* Use FirmXRay tool to get base address of the binary */
│ ├── get_disass.py /* Execute Ghidra headless analyzer to export disassembly for all the firmware images in the database */
│ ├── get_elf_text.sh* /* Export ASCII disassembly from all ELF images in a directory */
│ ├── match_reg.py /* Match regular expressions in all disassembly */
│ ├── merge_linked.py /* Merge linked firmware in the database */
│ ├── regex_pattern.py /* Regular expression patterns (used by match_reg.py) */
│ ├── rename_result.py* /* Rename the firmware names in the database in batch */
│ └── utilities.py* /* Utility functions */
├── database
│ ├── cortexm_firmware_merged_fw.sql /* Firmware database */
│ ├── fw_build.sql* /* SQL to build database */
│ └── queries.sql /* SQL queries for analysis results */
└── README.md
```

All the firmware disassembly results are in the link above. To replicate the results, follow these steps:
- Download the full firmware dataset and install Ghidra properly. Import the firmware database to a local MySQL server.
- Use the tool in FirmXRay to analyze the dataset and get the base address of each firmware image. Update the `base_addr` column in the database with the results.
- Update the path variables and SQL info at the beginning of the `get_disass.py` script.
- Run the disassembler script with `python get_disass.py`. This may take some time.

- Download the full firmware disassembly results or get them from the above steps. Install Ghidra properly. Import the firmware database to a local MySQL server.
- Update the path variable for results and the SQL info at the beginning of the `match_reg.py` script.
- Run the analyzing script with `python match_reg.py`.
- Update the SQL info at the beginning of the `merge_linked.py` script and run it with `python merge_linked.py`. This step merges the results of linked firmware images (e.g., the bootloader and application images for the same device) to prevent duplicates.
- Use the example queries in `queries.sql` to query the analysis results.