payatu.com
Open in
urlscan Pro
188.114.96.10
Public Scan
URL:
https://payatu.com/blog/hariprasad.kv/firmware-emulation
Submission: On May 23 via api from US — Scanned from DE
Submission: On May 23 via api from US — Scanned from DE
Form analysis 1 forms found in the DOM
<form novalidate="" class="news-letter-form ng-untouched ng-pristine ng-valid"><input type="textbox" name="emailTextBox" placeholder="Your E-Mail Address" class="subscribe-email ng-untouched ng-pristine ng-valid"><button class="subscribe-button"
disabled="">SUBSCRIBE</button></form>Text Content
Services Products Who we are Resources Contact Us We are Hiring
⌂Home › ☷All Blogs › ✍hariprasad.kv ›
Bare-metal Firmware Emulation - An Introduction To Unicorn Engine
hariprasad.kv18-May-2022
Hello everyone, in this blog series we will look into firmware emulation of
bare-metal devices with the help of a CPU emulator called Unicorn.
You may wonder, why go through the hassle of emulating firmware?
Well, emulation can assist in the security analysis of a device as it can
provide better debugging capabilities as compared to running the device on
actual hardware. It can also help in providing the firmware with unpredictable
input that in turn is helpful for testing methods like fuzzing. Or you might not
have a spare microcontroller lying around considering the chip shortage crisis
:P
This blog series will be split into 3 parts:
* Part 1 : Introduction to unicorn engine
* Part 2 : STM32 microcontroller internals
* Part 3 : Emulating a basic firmware
So let’s get started…
UNICORN ENGINE
Before we look into how to emulate a firmware, let’s first familiarize ourselves
with the emulation framework.
Unicorn is a lightweight multi-platform, multi-architecture CPU emulator
framework based on QEMU. It is an instruction emulator where we feed the code to
the engine and it will execute it. The setup for emulation and rules of how the
binary should be emulated should be defined by the user.
Let’s look at how we can perform a basic instruction emulation.
I will be using ARM architecture as it is one of the most commonly used
architectures in embedded systems. We will try to emulate instructions that
change the value of registers.
Let’s try to move a value into the r0 register using the mov instruction and try
to use arithmetic instructions like add on the register r1.
So, first, we need to generate machine code for the corresponding assembly
instructions. We can use keystone engine to achieve this. Keystone engine is a
multi-architecture assembler framework. We can use that to convert the ARM
assembly code to machine code.
For that, we need to initialize the keystone engine object with ARM
architecture.
from keystone import *
ks = Ks( KS_ARCH_ARM , KS_MODE_ARM)
The asm() returns a tuple with the machine code as the first element in a list
form and the number of instructions assembled. Since the machine code is in list
form we will use bytes() to convert to string of machine code.
bytes(ks.asm("mov r0,#0x15\nadd r1, r2, r3")[0])
b'\x15\x00\xa0\xe3\x03\x10\x82\xe0'
Now that we have the code to emulate, we will start defining the architecture of
the Unicorn.
uc = Uc( UC_ARCH_ARM , UC_MODE_ARM )
Next, we have to allocate memory for emulation. For this, we need to specify the
starting address and the size of the allocated memory using the mem_map
function. For this example, we will use 0x10000 and an allocated size of 2MB
ADDRESS = 0x10000
uc.mem_map( ADDRESS , 2 * 1024 * 1024 )
Now let’s copy our code to the allocated memory. For that, we will use the
mem_write function.
ARM_CODE = b'\x15\x00\xa0\xe3\x03\x10\x82\xe0'
uc.mem_write( 0x10000 , ARM_CODE )
Now we can initialize the registers with some values using the reg_write
function. You can specify the corresponding register constants UC_<ARCH
NAME>_REG_<REG NAME>. You
uc.reg_write( UC_ARM_REG_R0 , 0x01 )
uc.reg_write( UC_ARM_REG_R2 , 0x23 )
uc.reg_write( UC_ARM_REG_R3 , 0x45 )
Now that we have set up everything for the emulation we can start the emulation
with the emu_start function. We will specify the addresses where the emulation
starts and ends
uc.emu_start( ADDRESS , ADDRESS + len(ARM_CODE) )
Let’s put all of this together in a script and see what is the result
from unicorn import *
from unicorn.arm_const import *
ARM_CODE = b'\x15\x00\xa0\xe3\x03\x10\x82\xe0'
ADDRESS = 0x10000
print('[*] emulating code')
try:
uc = Uc( UC_ARCH_ARM , UC_MODE_ARM )
uc.mem_map( ADDRESS , 2 * 1024 * 1024 )
uc.mem_write( ADDRESS , ARM_CODE )
uc.reg_write( UC_ARM_REG_R0 , 0x01 )
uc.reg_write( UC_ARM_REG_R2 , 0x23 )
uc.reg_write( UC_ARM_REG_R3 , 0x45 )
uc.emu_start( ADDRESS , ADDRESS + len(ARM_CODE) )
print('[*] emulation complete\n[*] printing register values')
r0 = uc.reg_read( UC_ARM_REG_R0 )
r1 = uc.reg_read( UC_ARM_REG_R1 )
print( '>>> r0 = 0x%x\n>>> r1 = 0x%x' %( r0 , r1 ) )
except UcError as e:
print('ERROR: %s' % e)
The output:
$ python test.py
[*] emulating code
[*] emulation complete
[*] printing register values
>>> r0 = 0x15
>>> r1 = 0x68
We have now emulated basic ARM instructions and the output is as expected.
CONCLUSION
That’s all folks! This blog was aimed at giving a basic introduction to
instruction emulation with the Unicorn engine. Unicorn engine is a framework
that we can use and build our own custom emulator on top of it. It can emulate a
chunk of binary data if it is able to define the initial setup for the
emulation. It also provides the functionality of read/write from memory and
registers and the functionality of executing custom scripts during emulation is
really helpful for binary analysis. You can explore more about emulating with
the Unicorn engine here. In the next blog, we will next look into the internal
workings of an STM microcontroller. I hope you found this blog interesting, see
you in the next blog :D
REFERENCES
https://www.unicorn-engine.org/
https://www.unicorn-engine.org/docs/tutorial.html
https://github.com/unicorn-engine/unicorn/blob/master/bindings/python/sample_arm.py
https://eternal.red/2018/unicorn-engine-tutorial/
--------------------------------------------------------------------------------
ABOUT PAYATU
Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company
specializing in security assessments of IoT product ecosystem, Web application &
Network with a proven track record of securing applications and infrastructure
for customers across 20+ countries.
Want to check the security posture of your organization? Browse through Payatu’s
services and get started with the most effective cybersecurity assessments.
Have any specific requirements in mind? Let us know about them here and someone
from our team will get in touch with you.
Get to know more about our process, methodology & team!
Get started today
☷All Blogs › ✍Latest Blogs
hariprasad.kv
18-May-2022
Bare-metal Firmware Emulation - An Introduction To Unicorn Engine
Hello everyone, in this blog series we will look into firmware emulation of
bare-metal devices with the help of a CPU emulator called Unicorn. You may
wonder, why go through the hassle of emulating fi
kumar.ashwin
17-May-2022
Top 5 Things To Look For When Choosing A Penetration Testing Vendor
The Cyber Security market has grown exponentially in the past decade and will
continue to grow to meet the ever-increasing demand. Every organization is
currently attempting to improve their security
gagan.aggarwal
28-April-2022
Transition to a Safer Card Industry with PCI DSS v4.0 - A Summary Report by
Payatu
On its journey to actively updating compliance standards to tackle modern-day
cyber security threats to the Payment Card Industry, the PCI SSC (Payment Card
Industry Security Standards Council) has up
☷All News › ⚑Latest News
Talk, Online 2022-05-28 14:36:10Z
Aseem Jakhar will be giving a talk at cyberstartersconference.
Workshop, Online 2022-05-13 14:42:16Z
Kartheek Lade will be conducting a workshop on “Car hacking 101”
Webinar, Online 2022-04-29 00:47:52Z
Amit prajapat will be delivering a webinar on “Gaining Access to Protected
Components In Android”.
Subscribe to Our Newsletter
SUBSCRIBE
or
FOLLOW OUR SOCIAL MEDIA HANDLES
Research Powered Cybersecurity Services and Training. Eliminate security threats
through our innovative and extensive security assessments.
Subscribe to our newsletter
Services
IoT Security TestingRed Team AssessmentProduct SecurityAI/ML Security AuditWeb
Security TestingMobile Security TestingDevSecOps ConsultingCode ReviewCloud
SecurityCritical Infrastructure
Products
EXPLIoTCloudFuzz
Conference
NullconHardwear.io
Resources
BlogE-BookAdvisoryMediaCase StudiesMasterClass SeriesSecurecode.wiki
About
About UsCareerNewsContact UsPayatu BanditsHardware-LabDisclosure Policy
All rights reserverved © 2021 Payatu