FirmWire is a full-system baseband firmware emulation platform for fuzzing, debugging, and root-cause analysis of smartphone baseband firmwares

              ___            __      __                         
-.     .-.   | __|(+) _ _ _ _\ \    / /(+) _ _ ___    .-.     .-
  \   /   \  | _|  | | '_| '  \ \/\/ /  | | '_/ -_)  /   \   /  
   '-'     '-|_|   | |_| |_|_|_\_/\_/   | |_| \___|-'     '-'   
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~             

FirmWire

FirmWire is a full-system baseband firmware analysis platform that supports Samsung and MediaTek. It enables fuzzing, root-cause analysis, and debugging of baseband firmware images. See the FirmWire documentation to get started!

Experiments & Missing Parts?

Upon a vendor's request, the current public release of FirmWire is a preview version omitting some of the functionality described in the paper. We will publish the full version and automated scripts to replicate our experiments during NDSS'22 (April 24th-28th).

BibTeX

FirmWire thumbnail FirmWire is the result of a multi-year, cross university research effort. See the paper for more details.

If you are using FirmWire in an academic paper please use this to cite it:

@inproceedings{hernandez_firmwire_2022,
  title = {{FirmWire: Transparent Dynamic Analysis for Cellular Baseband Firmware}},
  shorttitle = {{FirmWire}},
  booktitle = {{ Symposium on Network and Distributed System Security (NDSS) }},
  author = {Hernandez, Grant and Muench, Marius and Maier, Dominik and Milburn, Alyssa and Park, Shinjo and Scharnowski, Tobias and Tucker, Tyler and Traynor, Patrick and Butler, Kevin R. B.},
  year = {2022}
}

FirmWire's License

FirmWire is licensed under BSD-3 and developed by "Team FirmWire", which currently consists of the authors on the NDSS paper unless stated otherwise. We expect FirmWire to be used for commercial purposes (e.g. private baseband vulnerability research, bug bounties, etc.). The license permits this. We (Team FirmWire) request that users in these settings notify us through public (e.g. issues) or private (e.g. email, Signal) means about your use. We are curious! If FirmWire or derived work helped you find a vulnerability, we'd also like to know in order to add it to the FirmWire trophy wall. Finally, one or more members of Team FirmWire may be willing to provide consulting services such as trainings, custom extensions to FirmWire, advice, and the like. Please reach out if interested.

Comments
  • MTK NV Data CREATEDIR

    MTK NV Data CREATEDIR

    When running FirmWire against any MTK images, the --mtk-loader-nv_data parameter is required (or ./mnt/vendor/nvdata needs to exist). If an empty path is supplied (or mkdir -p mnt/vendor/nvdata), then FirmWire crashes when trying to create the NVRAM subdirectory:

    [INFO] firmwire.vendor.mtk.machine: Activating SCPCCISM via affinity hook
    [1.59030][NO_TASK] 0x90278d4d [CCISMC] =========> ccismc_create  [CCISM_TR_TASK_CREATE]
    [1.59286][NO_TASK] 0x90278d4d [EMM RATCHG] >> CEmmRatChg::CEmmRatChg() [EMM_RATCHG_FUNC_constructor]
    [1.82042][NO_TASK] 0x90278d4d [CCCI_FS] ===> MD_FS_GetDiskInfo  [CCCIFS_TR_GETDKINFO_IN]
    [1.82046] last message matched ban pattern 'CCCI_FS'
    [1.82093][NO_TASK] 0x90151a1b [CCCI_FS GetDiskInfo] filename: Z:\
    [1.82094] last message matched ban pattern 'CCCI_FS'
    [1.93383] 12 total log lines omitted [NO_TASK=12]
    [1.93390][NO_TASK] 0x90150fd7 [CCCI_FS GetAttributes] filename: Z:\FAT2E4C5231.log
    [1.93391] last message matched ban pattern 'CCCI_FS'
    [1.97289] 11 total log lines omitted [NO_TASK=11]
    [1.97296][NO_TASK] 0x901509f7 [CCCI_FS Open] filename: Z:\NVRAM
    [1.97297] last message matched ban pattern 'CCCI_FS'
    [1.98623] 10 total log lines omitted [NO_TASK=10]
    [1.98631][NO_TASK] 0x90279111 nvram_init, step=6213dddc, para=62109724 [FUNC_NVRAM_INIT]
    [ERROR] firmwire.hw.peripheral.SHM_CCIF_Periph.SharedMemoryCCIF.FSD: Close: invalid handle value 4294967287
    [2.09281] 36 total log lines omitted [NO_TASK=36]
    [2.09287][NO_TASK] 0x901510b3 [CCCI_FS CreateDir] filename: Z:\NVRAM
    [2.09290] last message matched ban pattern 'CCCI_FS'
    [ERROR] firmwire.hw.peripheral.SHM_CCIF_Periph.SharedMemoryCCIF.FSD: Unhandled FSD operation 0x1007 (FSCCCIOp.CREATEDIR)
    Exception in thread Thread-1:
    Traceback (most recent call last):
      File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
        self.run()
      File "/usr/local/lib/python3.8/dist-packages/avatar2/avatar2.py", line 522, in run
        handler(message)
      File "/usr/local/lib/python3.8/dist-packages/avatar2/watchmen.py", line 78, in watchtrigger
        ret = func(self, *args, **kwargs)
      File "/usr/local/lib/python3.8/dist-packages/avatar2/avatar2.py", line 491, in _handle_remote_memory_write_message
        success = mem_range.forwarded_to.write_memory(
      File "/usr/local/lib/python3.8/dist-packages/avatar2/peripherals/avatar_peripheral.py", line 66, in write_memory
        return intervals.pop().data(offset, size, value, **kwargs)
      File "/root/FirmWire/firmwire/vendor/mtk/hw/PCCIFPeripheral.py", line 500, in hw_write
        self.handleFSPacket(ring, packet)
      File "/root/FirmWire/firmwire/vendor/mtk/hw/PCCIFPeripheral.py", line 605, in _handleFSPacketEmu
        emu_resp = ring.parent.fsd_ctx["emu"].handle_packet(
      File "/root/FirmWire/firmwire/vendor/mtk/hw/FSD.py", line 573, in handle_packet
        resp_packs = self._handle_op(op, packs)
      File "/root/FirmWire/firmwire/vendor/mtk/hw/FSD.py", line 630, in _handle_op
        assert 0
    AssertionError
    

    Adding support for the CREATEDIR operation is trivial. Doing so causes the NV initialization routine to execute, which seeds the NV data. This subsequently allows the baseband to fully boot to the [SSIPC][ILM_MSG] waiting msg loop state. While this may not be ideal for all circumstances, it removes a major hurdle to analyze new images without seeding with arbitrary NV data snapshot.

    Apart from allowing the init procedures to auto-generate NV data, what's the recommended method for providing seed NV data? Extract from the AP archive, or from a running device? Any idea on the scope of applicability of NV data extracted from one FW/device to different FW builds, builds for different devices, or different chipsets? Unless relying on CREATEDIR seems optimal, I suggest adding some clarification in docs, as it will be helpful to others! If CREATEDIR is optimal, then it make be preferable to just automatically create ./mnt/vendor/nvdata when it is needed, but not present.

    I will issue a pull request against this Issue to add support for CREATEDIR. In my testing, this allows images to boot cleanly when given an empty NV data directory.

  • NV data mnt directory is missing with MT6768 SOC

    NV data mnt directory is missing with MT6768 SOC

    Hello, it is mentioned in the paper that FIRMWIRE supports the simulation of MT6768,but the following errors will be encountered when running it:

    [INFO] firmwire.vendor.mtk.loader: Parsing debug info...
    [INFO] firmwire.vendor.mtk.loader: SoC <MediaTekSOC MT6768 - 2020/04/22> (automatic)
    [INFO] firmwire.vendor.mtk.loader: Loaded MTK image with 19 sections
    [INFO] firmwire.vendor.mtk.loader: Loading cached MTK debug database...
    [INFO] firmwire.vendor.mtk.loader: Loaded database with 49507 trace entries
    [ERROR] firmwire.vendor.mtk.loader: NV data mnt directory is missing
    [ERROR] firmwire.loader: Loading failed!
    [ERROR] firmwire.loader: No more loaders to try
    [ERROR] firmwire: Failed to load firmware
    
  • missing shannon 5123 feature

    missing shannon 5123 feature

    Thanks for your hard work. I could see the below information from your paper, but I couldn't find the suporting S5123 chipset in FirmWire. "Supporting 5G Basebands. During our research, we also performed an initial assessment of Samsung’s 5G modem (the S5123 chipset)."

    Do you have any plan to update for supporting S5123 chipset including cortex-A seriese?

  • Missing functionality

    Missing functionality

    In the README.md, it says:

    Upon a vendor's request, the current public release of FirmWire is a preview version omitting some of the functionality described in the paper. We will publish the full version and automated scripts to replicate our experiments during NDSS'22 (April 24th-28th).

    Which functionality is currently missing, that will be published near the end of April?

  • Best practice of taking snapshots

    Best practice of taking snapshots

    What is a good address to take a snapshot at to keep the state of the baseband before calling the guest link methods?

    I used the address of the INTERACTIVE task in two scenarios, and both failed. First:

    ./firmwire.py -t glink --console -S modem.bin
    

    In jupyter console:

    self.snapshot_state_at_address(0x4b000001, 'interactive')
    # Send a message with glink.send_queue_op
    self.restore_snapshot('interactive')
    # Get segmentation fault in the first terminal
    

    Second:

    ./firmwire.py -t glink --console -S modem.bin
    

    In jupyter console (after enough time):

    self.qemu.stop() 
    self.snapshot('interactive')
    # Send a message with glink.send_queue_op and see logs from the target task.
    self.restore_snapshot('interactive')
    # Repeat the previous message with glink.send_queue_op and don't see any logs from the target task.
    

    Test modem.bin

  • Field information of struct `qitem_lte_rrc`

    Field information of struct `qitem_lte_rrc`

    I am reading the fuzz task for LTE RRC, and I have some questions about the queue item structure used in this fuzzer.

    1. What are the possible valid values for the field pdu_type?
    2. Does the field asn_pl follows the following ASN1 format from RRCConnectionReconfiguration payload? source
    RRCConnectionReconfiguration ::= SEQUENCE {
    rrc-TransactionIdentifier RRC-TransactionIdentifier,
    criticalExtensions CHOICE {
    c1 CHOICE{
    rrcConnectionReconfiguration-r8 RRCConnectionReconfiguration-r8-IEs,
    spare7 NULL,
    spare6 NULL, spare5 NULL, spare4 NULL,
    spare3 NULL, spare2 NULL, spare1 NULL
    },
    criticalExtensionsFuture SEQUENCE {}
    }
    }
    

    Can you provide an example queue item?

Piotr - IoT firmware emulation instrumentation for training and research

Piotr: Pythonic IoT exploitation and Research Introduction to Piotr Piotr is an emulation helper for Qemu that provides a convenient way to create, sh

Jan 5, 2022
Fuzzing tool (TFuzz): a fuzzing tool based on program transformation

T-Fuzz T-Fuzz consists of 2 components: Fuzzing tool (TFuzz): a fuzzing tool based on program transformation Crash Analyzer (CrashAnalyzer): a tool th

May 19, 2022
10th place solution for Google Smartphone Decimeter Challenge at kaggle.
10th place solution for Google Smartphone Decimeter Challenge at kaggle.

Under refactoring 10th place solution for Google Smartphone Decimeter Challenge at kaggle. Google Smartphone Decimeter Challenge Global Navigation Sat

May 6, 2022
Convert game ISO and archives to CD CHD for emulation on Linux.

tochd Convert game ISO and archives to CD CHD for emulation. Author: Tuncay D. Source: https://github.com/thingsiplay/tochd Releases: https://github.c

May 1, 2022
[CVPR 2021] Counterfactual VQA: A Cause-Effect Look at Language Bias
[CVPR 2021] Counterfactual VQA: A Cause-Effect Look at Language Bias

Counterfactual VQA (CF-VQA) This repository is the Pytorch implementation of our paper "Counterfactual VQA: A Cause-Effect Look at Language Bias" in C

May 3, 2022
CAUSE: Causality from AttribUtions on Sequence of Events

CAUSE: Causality from AttribUtions on Sequence of Events

Apr 21, 2022
Source code for our paper "Improving Empathetic Response Generation by Recognizing Emotion Cause in Conversations"
 Source code for our paper

Source code for our paper "Improving Empathetic Response Generation by Recognizing Emotion Cause in Conversations" this repository is maintained by bo

May 9, 2022
Imbalanced Gradients: A Subtle Cause of Overestimated Adversarial Robustness

Imbalanced Gradients: A Subtle Cause of Overestimated Adversarial Robustness Code for Paper "Imbalanced Gradients: A Subtle Cause of Overestimated Adv

Apr 26, 2022
MAME is a multi-purpose emulation framework.

MAME's purpose is to preserve decades of software history. As electronic technology continues to rush forward, MAME prevents this important "vintage" software from being lost and forgotten.

Oct 25, 2020
A general and strong 3D object detection codebase that supports more methods, datasets and tools (debugging, recording and analysis).

ALLINONE-Det ALLINONE-Det is a general and strong 3D object detection codebase built on OpenPCDet, which supports more methods, datasets and tools (de

May 11, 2022
Full body anonymization - Realistic Full-Body Anonymization with Surface-Guided GANs
Full body anonymization - Realistic Full-Body Anonymization with Surface-Guided GANs

Realistic Full-Body Anonymization with Surface-Guided GANs This is the official

May 10, 2022
Python interface for SmartRF Sniffer 2 Firmware

#TI SmartRF Packet Sniffer 2 Python Interface TI Makes available a nice packet sniffer firmware, which interfaces to Wireshark. You can see this proje

May 18, 2021
FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.
FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.

FIRM-AFL FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it

May 20, 2022
Square Root Bundle Adjustment for Large-Scale Reconstruction
Square Root Bundle Adjustment for Large-Scale Reconstruction

RootBA: Square Root Bundle Adjustment Project Page | Paper | Poster | Video | Code Table of Contents Citation Dependencies Installing dependencies on

May 7, 2022
Implementation of fast algorithms for Maximum Spanning Tree (MST) parsing that includes fast ArcMax+Reweighting+Tarjan algorithm for single-root dependency parsing.

Fast MST Algorithm Implementation of fast algorithms for (Maximum Spanning Tree) MST parsing that includes fast ArcMax+Reweighting+Tarjan algorithm fo

Feb 26, 2022
A simple root calculater for python

Root A simple root calculater Usage/Examples > python3 root.py 9 3 4 # Order: number - grid - number of decimals # Output: 2.08

Feb 10, 2022
Fast Differentiable Matrix Sqrt Root
Fast Differentiable Matrix Sqrt Root

Official Pytorch implementation of ICLR 22 paper Fast Differentiable Matrix Square Root

Apr 24, 2022
Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting
Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

StochFuzz: A New Solution for Binary-only Fuzzing StochFuzz is a (probabilistically) sound and cost-effective fuzzing technique for stripped binaries.

Apr 7, 2022
Fuzzing the Kernel Using Unicornafl and AFL++
Fuzzing the Kernel Using Unicornafl and AFL++

Unicorefuzz Fuzzing the Kernel using UnicornAFL and AFL++. For details, skim through the WOOT paper or watch this talk at CCCamp19. Is it any good? ye

Apr 26, 2022