Question: When the firmware kernel is not available, how to arbitrate.

[newthis]

In most cases when the firmware kernel is not available, how to extract the init processes information to improve firmadyne.

[0xdkay]

To clarify, we did not extract the init program from the kernel, but extract the path of the init program. In our paper, we used the kernel information for the images that have the kernel.

Some firmware images may include the kernel, although the kernel cannot be nicely extracted. For those cases, you can still run the strings command and search for the "init=/" string after decompressing the image. Of course, not all kernel images have such paths because they can search the default path.

Meanwhile, I believe that most of firmware images share similar init paths. Therefore, you can collect the path strings in the firmware images that have the kernel, and then use the paths for the images that do not have the kernel.

Could you specify the cases or provide any more explanation?

[pr0v3rbs]

Especially, on the OpenWRT project-based firmware need to init with preinit init program. (OpenWRT docs) And the such init program information exist in the kernel command (e.g., dlink DIR-550A_v1.10KRb09 - root=/dev/mtdblock%d console=ttyS0,115200 init=/sbin/preinit, netgear WNDR3800-V1.0.0.18 - console=ttyS0,115200 root=31:09 rootfstype=squashfs init=/etc/preinit ...)

You can extract the kernel data (Not complete one) to find the kernel command by using extractor.py without a -nk (no kernel) option.

However, the document indicates that use /etc/preinit program, some firmware images use /sbin/preinit, /sbin/preinitMT, and so on.

If FirmAE cannot infer kernel command from the kernel data, then it finds the init programs from the extracted filesystem and tries first-emulation with found init programs. Please check the inferFile.sh.