airbus-seclab / bincat

Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction, use-after-free and double-free detection
1.66k stars 159 forks

Does bincat support analysis of firmware peripherals? #129

Closed DerZc closed 2 years ago

DerZc commented 2 years ago

I want to do taint analysis of ARM firmware, such as the firmware of a router. The taint source is the input read from a peripheral, which is a specific memory address range, i.e., 0x40000000-0x50000000. Then I want to find all the instructions that are tainted. Can I do that analysis with bincat, and how can I do it?

DerZc commented 2 years ago

I added 'mem[0x400FF000*8192] = |00|?0xFF' to the configuration (setting 0x40000000-0x50000000 as |00|?0xFF would need a lot of memory), then set this memory as tainted. Bincat can run but throws the exception '[ABORT] armv7: at 0xb494: software interrupt not implemented (swi=af00b580)'. Could you please help me with how I can ignore or skip this exception.

szennou commented 2 years ago

To taint from 0x40000000 to 0x50000000 (excluded), which is 268435456 bytes wide, you'll have to add 'mem[0x40000000*268435456] = |00|!0xFF' (note the '!'). This will both initialize the memory to zero and taint it. If you want to leave the memory uninitialized but taint it, add: 'mem[0x40000000*268435456] = |00|?0xFF!0xFF'

Note this is a lot of memory for bincat to analyse. You should split that large chunk into pieces and have them analysed sequentially to measure their impact on the code.
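The chunked approach suggested above, as an added helper that is not part of BinCAT or this thread: it emits the `mem[<addr>*<size>] = <value>` init-file lines for one MMIO window cut into pieces (one piece per run), plus the `[analyzer]` `nop` entry. The value syntax (`|00|!0xFF` for zeroed-and-tainted, `|00|?0xFF!0xFF` for uninitialized-but-tainted) is taken from the comments in this issue; the 16 MiB piece size is an arbitrary constructed choice.

```python
# Added example (not BinCAT's own code). Builds BinCAT init-file lines that taint a
# peripheral MMIO range in pieces, so each piece can be analysed in its own run.
# Directive syntax as used in this thread: mem[<addr>*<size>] = <value>, where
#   |00|!0xFF       = initialised to zero and fully tainted
#   |00|?0xFF!0xFF  = left uninitialised (unknown value) but fully tainted

def taint_directive(addr: int, size: int, initialised: bool = True) -> str:
    """Return one 'mem' line tainting `size` bytes starting at `addr`."""
    if size <= 0:
        raise ValueError("size must be positive")
    value = "|00|!0xFF" if initialised else "|00|?0xFF!0xFF"
    return f"mem[0x{addr:X}*{size}] = {value}"

def split_range(start: int, end: int, chunk: int):
    """Yield (addr, size) pieces covering [start, end) with at most `chunk` bytes each.
    The last piece is shortened when the range is not a multiple of `chunk`."""
    if end <= start or chunk <= 0:
        raise ValueError("need start < end and chunk > 0")
    addr = start
    while addr < end:
        size = min(chunk, end - addr)
        yield addr, size
        addr += size

def taint_sections(start: int, end: int, chunk: int, initialised: bool = True) -> list:
    """One directive per piece; run BinCAT once per directive and compare the results."""
    return [taint_directive(a, s, initialised) for a, s in split_range(start, end, chunk)]

def analyzer_nop_line(addrs) -> str:
    """The [analyzer] 'nop' entry: comma-separated addresses BinCAT should treat as no-ops."""
    return "nop = " + ", ".join(f"0x{a:x}" for a in addrs)

if __name__ == "__main__":
    # Constructed input: the 0x40000000-0x50000000 (excluded) window from the question,
    # cut into 16 MiB pieces, and the unsupported-instruction address from the first abort.
    for i, line in enumerate(taint_sections(0x40000000, 0x50000000, 16 * 1024 * 1024)):
        print(f"# run {i}: {line}")
    print("[analyzer]")
    print(analyzer_nop_line([0xb494]))
```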

DerZc commented 2 years ago

@szennou I got it. Thank you very much. Could you please teach me how to ignore the exception I mentioned?

szennou commented 2 years ago

In the [analyzer] section, add 'nop = 0xb494'. You can add a list of addresses to nop, separated by commas; see _doc/initformat.md

DerZc commented 2 years ago

But in fact this address is the entry of the main function; I don't know why there is this exception.

szennou commented 2 years ago

Could be due to a bincat's bug but we cannot help without the binary :-/

DerZc commented 2 years ago

I just skipped the function at 0xb494, then started the analysis from the main task. I get this exception: "[ABORT] armv7: at 0x1b84: MSR (Banked register) (d1232b00): ARM instruction not implemented yet". The binary is as follows:

```
.text:00001B78 ; void __cdecl main_task(uint32_t param)
.text:00001B78                 EXPORT main_task
.text:00001B78 main_task                               ; DATA XREF: .data:os_thread_def_main_task↓o
.text:00001B78
.text:00001B78 pSetFlags       = -0x10
.text:00001B78 param           = -4
.text:00001B78
.text:00001B78                 PUSH    {R7,LR}
.text:00001B7A                 SUB     SP, SP, #0x10
.text:00001B7C                 ADD     R7, SP, #8
.text:00001B7E                 STR     R0, [R7,#8+param]
.text:00001B80                 LDR     R3, =bIsInitialized.7189
.text:00001B82                 LDRB    R3, [R3]
.text:00001B84                 CMP     R3, #0
.text:00001B86                 BNE     loc_1BD0
.text:00001B88                 BL      hardware_init
.text:00001B8C                 BL      MEM_Init
.text:00001B90                 BL      TMR_Init
.text:00001B94                 BL      LED_Init
.text:00001B98                 BL      Phy_Init
.text:00001B9C                 BL      SerialManager_Init
.text:00001BA0                 BL      SecLib_Init
```

DerZc commented 2 years ago

frdmkw41z_wireless_examples_smac_wireless_messenger_bm.zip I uploaded the file I want to analyse; it is just a sample for the frdmkw41z board with ARM instructions.

szennou commented 2 years ago

Please also give us the configuration file you're using.

DerZc commented 2 years ago

init.zip I use the default configuration, then just taint the memory 'mem[0x400FF000*8192]'; 0x400FF000 is the base address of the GPIO.

szennou commented 2 years ago

There was a bug in the plugin that generates the config file from IDA. Commit 30719af6473db64b32cca262ebb31df6d0fc20d3 fixes this issue. You'll have to reinstall the plugin (see manual) after the checkout. Note that our coverage of the thumb instructions does not currently cover the whole set of instructions of your firmware. We'll add them in the coming days.

DerZc commented 2 years ago

I got it, thank you very much!