ECMO receives a firmware image and re-hosts the Linux kernel inside that image until a shell is reached. Because of the variety of peripherals found in embedded firmware images, it is hard to build a general emulator that supports every kind of machine. The basic idea of ECMO is therefore to transplant supported peripheral drivers into the target Linux kernel, which sidesteps the problem of peripheral variety.
ECMO is implemented on top of luaqemu.
This repo contains the following directories and files:
- configs
- dtbs
- images
- luaqemu
- pyqemulog.zip
- rootfs
- scripts
- ventilator
The configs directory contains the required configurations: one configuration per machine and one per Linux kernel source tree. For example, configs/oxnas.cfg is the configuration for the oxnas machine. A machine configuration has several kinds of sections:
- The global section describes the paths, memory size, load address, lua script path, etc.
- The qemu section describes the path of luaqemu, the log options, runtime args, etc.
- The rewrite section describes the initialization addresses of the transplanted driver.
- The elf section describes the ELF information of the transplanted driver.
- The extern_addrs section describes the addresses that will be rewritten inside the transplanted driver. These addresses contain the function pointers of functions inside the Linux kernel, which the driver will invoke.
- The internal_addrs/pointers section describes the addresses that will be rewritten according to the load address of the transplanted driver.
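The following added example illustrates the rewrite step that the sections above describe: extern_addrs slots receive the addresses of the kernel functions the driver calls, internal_addrs slots are rebased from the driver's link address to its load address, and the rewrite section gives the init entry. It is example code written for this README, not ECMO's own scripts; the section names follow the README, but the key/value layout inside each section, the little-endian 32-bit pointer width, the driver bytes and the kernel symbol addresses are all constructed assumptions.

```python
import configparser
import struct

# Constructed, ECMO-style configuration. The section names (global, elf, rewrite,
# extern_addrs, internal_addrs) follow the README; the key/value layout inside each
# section is an assumption made for this example, not ECMO's real file format.
SAMPLE_CFG = """
[global]
load_addr = 0xc0800000

[elf]
; address the transplanted driver was linked at
link_addr = 0x00000000

[rewrite]
; offset of the driver's init routine, resolved against load_addr
init = 0x10

[extern_addrs]
; driver offset = kernel function whose address must be written there
0x40 = printk
0x44 = kmalloc

[internal_addrs]
; driver offset = link-time pointer value that must be relocated to load_addr
0x48 = 0x00000100
"""

# Constructed kernel symbol addresses (what scripts/match.py would resolve); values invented.
KERNEL_SYMBOLS = {"printk": 0xC0123456, "kmalloc": 0xC0234568}

# Constructed stand-in for the driver image: 0x60 bytes of zeros.
SAMPLE_DRIVER = bytes(0x60)


def rewrite_driver(driver, cfg_text, kernel_symbols):
    """Patch a driver image according to the config; returns (patched_image, init_address).

    Every write is bounds-checked and every extern symbol must resolve, so a config
    that points outside the driver or at an unknown kernel function fails loudly
    instead of silently producing a driver that will crash the re-hosted kernel.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    load_addr = int(cfg["global"]["load_addr"], 0)
    link_addr = int(cfg["elf"]["link_addr"], 0)
    image = bytearray(driver)

    def patch_u32(offset, value):
        # Little-endian 32-bit store, as for an ARM little-endian target (assumption).
        if offset < 0 or offset + 4 > len(image):
            raise ValueError(f"offset {offset:#x} lies outside the driver image")
        struct.pack_into("<I", image, offset, value & 0xFFFFFFFF)

    # extern_addrs: slots the driver reads as function pointers into the kernel
    for off, symbol in cfg["extern_addrs"].items():
        if symbol not in kernel_symbols:
            raise KeyError(f"kernel symbol {symbol!r} was not resolved")
        patch_u32(int(off, 0), kernel_symbols[symbol])

    # internal_addrs: pointers into the driver itself, rebased from link_addr to load_addr
    for off, link_ptr in cfg["internal_addrs"].items():
        patch_u32(int(off, 0), load_addr + (int(link_ptr, 0) - link_addr))

    init_addr = load_addr + int(cfg["rewrite"]["init"], 0)
    return bytes(image), init_addr


def read_u32(image, offset):
    """Read back one little-endian 32-bit slot of a (patched) driver image."""
    return struct.unpack_from("<I", image, offset)[0]


if __name__ == "__main__":
    patched, init = rewrite_driver(SAMPLE_DRIVER, SAMPLE_CFG, KERNEL_SYMBOLS)
    print(f"init at {init:#x}, printk slot -> {read_u32(patched, 0x40):#x}")
```

The two failure checks matter in practice: a slot offset outside the driver would corrupt whatever the Lua script loaded next to it in guest memory, and an unresolved kernel symbol would leave a null or stale pointer that the re-hosted kernel dereferences on the first driver call.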
configs/3.18.cfg is the configuration for Linux kernel version 3.18. It contains the required source code information, which ECMO uses to detect the required function pointers.
configs/template.cfg is the template configuration file. You can modify it to support more machines.
The dtbs directory contains the required device tree blobs. Since Linux 3.x, the Linux kernel receives a dtb that describes its hardware devices.
For example, dtbs/oxnas_test.dtb is the dtb file for machine oxnas. dtb files can be extracted from the firmware images with binwalk.
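As an added example of what the binwalk extraction above does under the hood, the code below carves flattened device tree blobs out of a firmware image by scanning for the FDT magic (0xd00dfeed) and validating the big-endian header before trusting its totalsize field. This is example code written for this README, not part of ECMO or binwalk; the firmware bytes are constructed, and the check is deliberately limited to version 17 headers (the format Linux 3.x and later dtbs use).

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_HEADER_FMT = ">10I"                      # ten big-endian u32 fields
FDT_HEADER_LEN = struct.calcsize(FDT_HEADER_FMT)  # 40 bytes
FDT_BEGIN_NODE, FDT_END_NODE, FDT_END = 1, 2, 9


def carve_dtbs(blob):
    """Return [(offset, dtb_bytes), ...] for every plausible device tree blob in blob.

    A magic match alone is not enough: a stray 0xd00dfeed inside random data would
    make a naive carver copy a totalsize-sized slice of garbage (or read past the
    end of the image), so each header's offsets and sizes are bounds-checked first.
    """
    found = []
    pos = 0
    while True:
        pos = blob.find(b"\xd0\x0d\xfe\xed", pos)
        if pos < 0 or pos + FDT_HEADER_LEN > len(blob):
            break
        (_magic, totalsize, off_struct, off_strings, off_rsvmap,
         version, _last_comp, _cpuid, size_strings, size_struct) = \
            struct.unpack_from(FDT_HEADER_FMT, blob, pos)
        plausible = (
            version >= 17                                   # header carries size_dt_struct
            and FDT_HEADER_LEN <= totalsize <= len(blob) - pos
            and FDT_HEADER_LEN <= off_rsvmap < totalsize
            and off_struct + size_struct <= totalsize
            and off_strings + size_strings <= totalsize
        )
        if plausible:
            found.append((pos, bytes(blob[pos:pos + totalsize])))
            pos += totalsize          # skip the carved blob, do not rescan inside it
        else:
            pos += 4                  # false positive, keep scanning
    return found


def build_min_dtb():
    """Construct the smallest valid v17 dtb: an empty root node and no strings."""
    rsvmap = struct.pack(">QQ", 0, 0)                         # terminating reserve entry
    structure = struct.pack(">I4sII", FDT_BEGIN_NODE, b"\0\0\0\0", FDT_END_NODE, FDT_END)
    strings = b""
    off_rsvmap = FDT_HEADER_LEN
    off_struct = off_rsvmap + len(rsvmap)
    off_strings = off_struct + len(structure)
    totalsize = off_strings + len(strings)
    header = struct.pack(FDT_HEADER_FMT, FDT_MAGIC, totalsize, off_struct, off_strings,
                         off_rsvmap, 17, 16, 0, len(strings), len(structure))
    return header + rsvmap + structure + strings


# Constructed "firmware image": filler, a stray magic with an absurd totalsize
# (a false positive that must be rejected), then a real dtb at offset 200.
FIRMWARE_SAMPLE = (b"\xff" * 100
                   + b"\xd0\x0d\xfe\xed" + b"\xff" * 96
                   + build_min_dtb()
                   + b"\x00" * 50)


if __name__ == "__main__":
    for offset, dtb in carve_dtbs(FIRMWARE_SAMPLE):
        print(f"dtb at {offset:#x}, {len(dtb)} bytes")
```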
The images directory contains the uImage/zImage files unpacked from the firmware image. Only uImage and zImage are currently supported.
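To show what distinguishes a uImage from a bare zImage, here is an added example (written for this README, not ECMO code) that parses the 64-byte legacy U-Boot header in front of a uImage payload and verifies both the header CRC and the data CRC, so a truncated or tampered image is detected before it is handed to the emulator. The payload bytes and image name are constructed; the header layout and CRC rules are those of the legacy U-Boot image format.

```python
import struct
import zlib

IH_MAGIC = 0x27051956
IH_FORMAT = ">IIIIIIIBBBB32s"          # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
IH_LEN = struct.calcsize(IH_FORMAT)    # 64 bytes
IH_ARCH = {2: "arm", 5: "mips", 7: "powerpc", 22: "arm64"}
IH_TYPE = {2: "kernel", 3: "ramdisk", 4: "multi"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}


def parse_uimage(blob):
    """Parse a legacy uImage header and check its CRCs; returns a dict of fields."""
    if len(blob) < IH_LEN:
        raise ValueError("blob is shorter than a uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack_from(IH_FORMAT, blob, 0)
    if magic != IH_MAGIC:
        raise ValueError("not a uImage (bad magic)")
    # The header CRC is computed over the header with the ih_hcrc field zeroed.
    header_for_crc = blob[:4] + b"\0\0\0\0" + blob[8:IH_LEN]
    data = blob[IH_LEN:IH_LEN + size]
    return {
        "size": size,
        "load": load,
        "entry": entry,
        "arch": IH_ARCH.get(arch, f"unknown({arch})"),
        "type": IH_TYPE.get(typ, f"unknown({typ})"),
        "comp": IH_COMP.get(comp, f"unknown({comp})"),
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "hcrc_ok": zlib.crc32(header_for_crc) == hcrc,
        # ih_size must match what is actually present, otherwise the data CRC is meaningless
        "truncated": len(data) < size,
        "dcrc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def build_uimage(payload, load, entry, name, arch=2, os_=5, typ=2, comp=0):
    """Construct a uImage around payload (arch 2 = arm, os 5 = linux, type 2 = kernel)."""
    dcrc = zlib.crc32(payload)
    header = bytearray(struct.pack(IH_FORMAT, IH_MAGIC, 0, 0, len(payload), load, entry,
                                   dcrc, os_, arch, typ, comp, name.encode("ascii")))
    struct.pack_into(">I", header, 4, zlib.crc32(bytes(header)))   # fill in ih_hcrc last
    return bytes(header) + payload


# Constructed stand-in for a kernel payload; a real uImage would wrap a zImage here.
SAMPLE_PAYLOAD = b"constructed kernel payload"
SAMPLE_UIMAGE = build_uimage(SAMPLE_PAYLOAD, 0x60008000, 0x60008000, "oxnas-test")


if __name__ == "__main__":
    info = parse_uimage(SAMPLE_UIMAGE)
    print(f"{info['name']}: {info['arch']} {info['type']}, load {info['load']:#x}, "
          f"hcrc_ok={info['hcrc_ok']} dcrc_ok={info['dcrc_ok']}")
```

The split between hcrc_ok and dcrc_ok is what makes the result actionable: a bad header CRC means the 64-byte header itself is corrupt or hand-edited, while a good header with a bad data CRC (or truncated set) means the payload after it is incomplete, which is the usual symptom of an image carved at the wrong offset.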
pyqemulog.zip is a Python module that ECMO uses to analyze the QEMU trace. Unpack it and run python3 setup.py install to install the module.
The rootfs directory contains the root file systems that will be mounted by the target Linux kernel. For example, rootfs/armel.cpio.rootfs is built with buildroot to support Linux 3.18.
The scripts directory contains the related scripts. scripts/main.py is the Python script that launches ECMO. scripts/match.py is the script that identifies the required function pointers in the Linux kernel. scripts/*.lua are the Lua scripts generated by ECMO, which luaqemu uses to emulate the target machines.
The ventilator directory contains the driver for the peripherals that will be transplanted into the target Linux kernel. scripts/*.lua loads it into the emulated memory and rewrites the required function pointers according to the configuration.
There is an example image in the provided source code. Simply run

```
python3 scripts/main.py configs/oxnas.cfg
```

ECMO will analyze the firmware configured in configs/oxnas.cfg and automatically finish the re-hosting process. You can also try the online service