Advanced firmware emulation techniques using FAT and Firmadyne for hardware security research
Now that you've got a clear idea of what firmware emulation is and why it matters, it's time to actually dive in. We'll walk through setting up tools and running your first emulation session using Firmware Analysis Toolkit (FAT) and Firmadyne.
Once everything's set, run the following command to start emulating your firmware image:
sudo ./fat.py WNAP320\ Firmware\ Version\ 2.0.3.zip
Fig 1: Setting up Firmware Analysis Toolkit (FAT) environment in Ubuntu.
If you run into errors at this step — no stress. It happens. If FAT doesn't work out for your image, you can switch to Method 2: Firmadyne and keep moving forward.
Firmadyne is another super handy tool when it comes to firmware emulation. It's designed to automatically extract, set up, and emulate firmware in a controlled environment. The great thing about Firmadyne is that it makes analyzing firmware behavior much smoother and gives you flexibility to poke around, spot vulnerabilities, and see how things work under the hood.
Before getting started, make sure you've got these ready:
Alright, before you can start emulating firmware with Firmadyne, you'll need to get a few things sorted. Here's a simple step-by-step to get everything in place:
Firmadyne relies on several tools and dependencies. Run this command to install everything in one go:
sudo apt install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic
Some systems still ship with Python 2 as default. If that's the case for you, switch it to Python 3:
sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10
Now, grab Firmadyne source code from GitHub:
git clone --recursive https://github.com/firmadyne/firmadyne.git
Binwalk is essential for unpacking firmware images:
git clone https://github.com/ReFirmLabs/binwalk.git
Navigate to Binwalk folder and install its dependencies:
cd binwalk
sudo ./deps.sh
sudo python ./setup.py install
Firmadyne uses PostgreSQL to manage firmware data. Install it and set up database like this:
sudo apt install postgresql
sudo -u postgres createuser -P firmadyne
# (Enter a password for 'firmadyne' user)
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./firmadyne/database/schema
Download extra required resources for Firmadyne to work properly:
cd firmadyne
./download.sh
Finally, install QEMU along with necessary architecture support:
sudo apt install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils
Fig 2: Editing Firmadyne Configuration file
Fig 3: Editing Configuration Paths in Firmadyne Script
Fig 4: Configuration path has been updated to /home/user/firmadyne
Firmadyne comes with a tool specifically for extracting firmware images. To extract NETGEAR firmware, run the following command on your router's binary file:
python3 ./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np --nk "$ZIP_FILE" images
This will unpack the firmware image and place the extracted files into the images directory, getting it ready for emulation.
Once the extraction process is done, you'll need to make sure it completed successfully. To check, just list the contents of the images directory:
ls images
If everything worked, you should see your extracted firmware files sitting there.
Fig 5: Extracting Netgear WNAP320 firmware
Got it here’s your humanized, clean, step-by-step version while preserving your original structure and tone:
You'll need to figure out the architecture of your firmware before emulating it. Run this command to let Firmadyne detect it:
./scripts/getArch.sh ./images/1.tar.gz
This will output the architecture type (like ARM, MIPS, etc.) for your firmware.
Next up, you'll need to push your extracted firmware data into Firmadyne database. Do it like this:
./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
This step registers your firmware image with Firmadyne's backend so it can be used for emulation.
Finally, it's time to build the actual emulation image. Run:
sudo ./scripts/makeImage.sh 1
This prepares everything needed for the firmware to boot up inside an emulated environment.
Fig 6: Creating and formatting a image from extracted firmware
Once the emulation image is ready, you'll need to figure out the network settings it uses. Even though the output might look a little messy, this command will pull out essential network configuration details:
./scripts/inferNetwork.sh 1
Fig 7: Infers network interface and IP address (192.168.0.100)
And there it is you'll get the emulated device's IP address right here!
Before kicking things off, it's a good idea to check the files in the scratch directory where your emulated environment is set up. Run:
ls scratch/1/
Make sure everything's in place.
Alright time for the main event. Fire up the emulation with:
./scratch/1/run.sh
And just like that, your NETGEAR WNAP320 firmware is running in an emulated environment!
Fig 8: Running firmware in an emulated environment
Fig 9: Firmware has been emulated
Fig 10: Netgear WNAP320 ProSafe Access Point login page at 192.168.0.100
USERNAME: admin
PASSWORD: password
FINALLY!!! EMULATION IS DONE!!
Once your emulation is running smoothly, you can go ahead and set up a proxy on Firefox and start intercepting network traffic with Burp Suite. This lets you analyze how the device communicates, spot potential vulnerabilities, and play around with requests without touching the actual hardware.
Fig 11: Intercepting traffic on burp suite
And there you go you've just emulated firmware using Firmadyne. From setting up the environment, extracting firmware, to running it in a controlled setup it's a solid way to safely test and explore how devices behave. Once you've got it running, you can hook up tools like Burp Suite to intercept and inspect traffic, spotting anything unusual. Firmware emulation isn't as complicated as it sounds once you get the hang of it. Keep experimenting, and you'll keep finding new things to break (and fix).
Contact us for advanced firmware analysis and hardware security assessments.
GET ASSESSMENT