ucsb-seclab / karonte

Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware
BSD 2-Clause "Simplified" License

No border binaries found, exiting... #2

Closed r0pb3rt closed 4 years ago

r0pb3rt commented 4 years ago

Hi, I ran into an issue using the Docker container while trying Karonte with a fw for the TP-LINK TL-WR841. Steps to reproduce:

$ git clone https://github.com/ucsb-seclab/karonte.git
$ cd karonte
$ docker run -it -v `pwd`:/data badnack/karonte /bin/bash
(karonte) karonte@d963df435825:/data$ ls firmware/
TL-WR841Nv14_EU_0.9.1_4.16_up_boot_180319-rel57291_.bin  TL-WR841Nv14_EU_0.9.1_4.16_up_boot_180319-rel57291_.json

My config:

(karonte) karonte@d963df435825:/data$ cat firmware/TL-WR841Nv14_EU_0.9.1_4.16_up_boot_180319-rel57291_.json
{
  "bin": [],
  "pickle_parsers": "",
  "stats": "True",
  "data_keys": [],
  "base_addr": "",
  "eg_source_addr": "",
  "fw_path": "./firmware/TL-WR841Nv14_EU_0.9.1_4.16_up_boot_180319-rel57291_.bin",
  "angr_explode_bins": [],
  "glob_var": [],
  "arch": "",
  "only_string": ""
}

The issue:

(karonte) karonte@d963df435825:/data$ python2 tool/karonte.py firmware/TL-WR841Nv14_EU_0.9.1_4.16_up_boot_180319-rel57291_.json 
/home/karonte/.virtualenvs/karonte/local/lib/python2.7/site-packages/cffi/cparser.py:164: UserWarning: Global variable 'r' in cdef(): for consistency with C it should have a storage class specifier (usually 'extern')
  "(usually 'extern')" % (decl.name,))
INFO      | 2020-01-01 22:51 | Karonte  |  Logging at: /tmp/Karonte.txt_19
INFO      | 2020-01-01 22:51 | Karonte  |  Firmware directory: /tmp/fw/TL-WR841Nv14_EU_0.9.1_4.16_up_boot_180319-rel57291_.bin._unpacked
INFO      | 2020-01-01 22:51 | Karonte  |  Candidates pickled in /tmp/karonte/pickles/parser//_tmp_fw_TL-WR841Nv14_EU_091_416_up_boot_180319-rel57291_bin_unpacked.pk
ERROR     | 2020-01-01 22:51 | Karonte  |  No border binaries found, exiting...
INFO      | 2020-01-01 22:51 | Karonte  |  Finished, results in /tmp/Karonte.txt_19
0

Did I mess up the config somehow?

Is binwalk in the Docker container maybe broken?

(karonte) karonte@d963df435825:/data$ $ binwalk    
bash: binwalk: command not found

badnack commented 4 years ago

It might be that the firmware is composed of MIPS binaries, and the angr version that we used for this version of Karonte had poor support for MIPS.

r0pb3rt commented 4 years ago

I've retried with an ARM-based model (Netgear R7800), without success:

karonte/firmware$ wget http://www.downloads.netgear.com/files/GDC/R7800/R7800-V1.0.2.68.zip
karonte/firmware$ unzip R7800-V1.0.2.68.zip 
Archive:  R7800-V1.0.2.68.zip
  inflating: R7800-V1.0.2.68.img     
  inflating: R7800-V1.0.2.68_Release_Notes.html  
karonte/firmware$ nano fw.json 
karonte/firmware$ cat fw.json 
{
  "bin": [],
  "pickle_parsers": "",
  "stats": "True",
  "data_keys": [],
  "base_addr": "",
  "eg_source_addr": "",
  "fw_path": "./firmware/R7800-V1.0.2.68.img",
  "angr_explode_bins": [],
  "glob_var": [],
  "arch": "",
  "only_string": ""
}
karonte/firmware$ cd ..
karonte$ docker run -it -v `pwd`:/data badnack/karonte /bin/bash
(karonte) karonte@958e90214ea2:~$ cd /data/                            
(karonte) karonte@958e90214ea2:/data$ ls firmware/
R7800-V1.0.2.68.img  R7800-V1.0.2.68.zip  R7800-V1.0.2.68_Release_Notes.html fw.json
(karonte) karonte@958e90214ea2:/data$ python2 tool/karonte.py firmware/fw.json 
/home/karonte/.virtualenvs/karonte/local/lib/python2.7/site-packages/cffi/cparser.py:164: UserWarning: Global variable 'r' in cdef(): for consistency with C it should have a storage class specifier (usually 'extern')
  "(usually 'extern')" % (decl.name,))
INFO      | 2020-01-03 08:19 | Karonte  |  Logging at: /tmp/Karonte.txt_50
INFO      | 2020-01-03 08:19 | Karonte  |  Firmware directory: /tmp/fw/R7800-V1.0.2.68.img._unpacked
INFO      | 2020-01-03 08:19 | Karonte  |  Candidates pickled in /tmp/karonte/pickles/parser//_tmp_fw_R7800-V10268img_unpacked.pk
ERROR     | 2020-01-03 08:19 | Karonte  |  No border binaries found, exiting...
INFO      | 2020-01-03 08:19 | Karonte  |  Finished, results in /tmp/Karonte.txt_50
0
(karonte) karonte@958e90214ea2:/data$ cat /tmp/Karonte.txt_50 
Logging started. Time: 1578039596.3

Border Binaries Sesults

==============

Total firmware Binaries: 0
Total Basic block in the firmware sample: 0
Parser time 0.000607967376709 seconds

Border binary finder module did not find any border binaries.

==============

Analysis Terminated.
(karonte) karonte@958e90214ea2:/data$

Not sure about it, but maybe ./extract_here.sh fails on non-tar files? From a brief look at the code in tool/utils.py it seems so.

Could you also check if binwalk is available in the docker container? As stated above, it seems missing. Also from the Docker digest I can't find any reference to an installation, see https://hub.docker.com/layers/badnack/karonte/latest/images/sha256-5eaca547bf978112fa4fe71e4d057d49e8a1269a8baf8ec36aefacb41bcc19f7

badnack commented 4 years ago

It might be that binwalk is not present in the docker, as you said before.

Try to install it and run it again.


badnack commented 4 years ago

I've added binwalk
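
A pre-flight check for the two hypotheses raised in this thread (missing extractor, unsupported architecture), added here as an example; it is not part of the thread or of Karonte. It assumes Python 3 run outside the Karonte virtualenv, takes the "Firmware directory" path from Karonte's log as input, and the function names `elf_arch` and `preflight` are hypothetical.

```python
import os
import shutil
import struct
from collections import Counter

# e_machine values from the ELF specification (subset common in router firmware)
E_MACHINE = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_arch(path):
    """Return the architecture name of an ELF file, or None if it is not ELF."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(20)
    except OSError:
        return None
    if len(head) < 20 or head[:4] != b"\x7fELF":
        return None
    # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian; e_machine sits at offset 18
    fmt = "<H" if head[5:6] == b"\x01" else ">H"
    machine = struct.unpack(fmt, head[18:20])[0]
    return E_MACHINE.get(machine, "unknown(%d)" % machine)


def preflight(unpacked_dir, extractor="binwalk"):
    """Summarise whether extraction produced anything a binary analysis could use."""
    archs = Counter()
    if os.path.isdir(unpacked_dir):
        for root, _dirs, files in os.walk(unpacked_dir):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path):
                    continue  # skip symlinks: they may dangle or point outside the tree
                arch = elf_arch(path)
                if arch:
                    archs[arch] += 1
    return {
        "extractor_on_path": shutil.which(extractor) is not None,
        "unpacked_dir_exists": os.path.isdir(unpacked_dir),
        "elf_count": sum(archs.values()),
        "archs": dict(archs),
    }


if __name__ == "__main__":
    import sys
    print(preflight(sys.argv[1] if len(sys.argv) > 1 else "/tmp/fw"))
```

An `elf_count` of 0 together with `extractor_on_path` being false points at the extraction step rather than at the JSON config; a non-zero count dominated by MIPS points at the angr limitation mentioned above.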