BIPI

Firmware Analysis: Extracting, Emulating, and Exploiting Embedded Systems

Cybersecurity

Deep-dive firmware analysis workflow — extraction with binwalk, filesystem analysis, emulation with QEMU, identifying vulnerable libraries, and exploiting memory corruption in embedded C.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 11, 2025 · 15 min read

#firmware-analysis #binwalk #embedded-security #qemu #memory-corruption

Firmware vulnerabilities are uniquely dangerous because they affect millions of identical devices simultaneously and are patched at a fraction of the rate of application software. A single buffer overflow in a router's HTTP server can persist across an entire product line for years.

Acquisition strategies

  • Vendor website: download OTA update packages directly
  • FCC ID database: filings for radio-certified devices include internal photos and test reports, which reveal the flash part, the SoC and any debug headers (JTAG/UART); the firmware image itself is rarely part of the filing
  • MITM during OTA update: intercept unencrypted HTTP firmware downloads
  • Hardware extraction: JTAG/UART dump or direct flash chip read
  • From running device: if you already have a shell, list the flash partitions with cat /proc/mtd, dump each with dd if=/dev/mtdN of=/tmp/mtdN.bin (nanddump for NAND parts with bad blocks), and copy the dumps off with scp or netcat

Extraction with binwalk

binwalk identifies and extracts embedded file systems, compressed archives, and executable code from firmware blobs by scanning for known magic bytes and validating the headers behind them. In the 2.x releases, -e extracts, -M (matryoshka) recurses into anything it extracted, and -A scans for CPU opcode signatures to tell you the architecture; the 3.x rewrite changed the option set, so check binwalk --help for the version you have. Run -E first for an entropy plot: a flat, high-entropy image is encrypted or compressed as a whole and yields nothing to signature scanning until you find the decryption routine, usually in an older unencrypted update or in the bootloader.

  1. binwalk -Me firmware.bin for full recursive extraction
  2. Review _firmware.bin.extracted/ for squashfs, cramfs, or jffs2 roots; binwalk names each carved image by the hex offset it was found at
  3. unsquashfs -d squashfs-root <offset>.squashfs if binwalk carved the image but did not unpack it; when stock unsquashfs rejects a vendor-modified squashfs, try sasquatch, which is built to accept the common non-standard variants
  4. jefferson -d output jffs2.img for JFFS2 filesystems (mounting JFFS2 needs an MTD device, so the userspace tool is easier than mount)
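To show what the signature scan behind step 1 actually does, here is an added example in C (written for this page, not code from binwalk or from the original article): it walks a buffer for the uImage, squashfs, JFFS2 and gzip magics, validates each candidate against its header layout, and reads the length fields that tell you how much to carve. The blob it scans is constructed in build_sample; scan_blob, hit_t and build_sample are this example's own names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t offset;
    const char *type;
    uint64_t size;   /* length read from the header when it states one, else 0 */
} hit_t;

static uint16_t rd16le(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32le(const unsigned char *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd32be(const unsigned char *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]; }
static uint64_t rd64le(const unsigned char *p) { return rd32le(p) | (uint64_t)rd32le(p + 4) << 32; }

/* Walks buf byte by byte looking for container magics and validates each
   candidate against its header layout, which a signature scan must do to
   keep short magics from firing on random data. Returns the number of hits. */
int scan_blob(const unsigned char *buf, size_t len, hit_t *hits, int max)
{
    int n = 0;
    for (size_t off = 0; off + 4 <= len && n < max; off++) {
        const unsigned char *p = buf + off;
        /* U-Boot uImage: 64-byte big-endian header, ih_size (payload length) at +12 */
        if (off + 64 <= len && rd32be(p) == 0x27051956u) {
            hits[n++] = (hit_t){off, "uImage", 64 + (uint64_t)rd32be(p + 12)};
            continue;
        }
        /* squashfs v4 superblock (96 bytes): "hsqs" little-endian, "sqsh" big-endian;
           s_major at +28, bytes_used at +40 says how much to carve */
        if (off + 96 <= len && memcmp(p, "hsqs", 4) == 0 && rd16le(p + 28) == 4) {
            hits[n++] = (hit_t){off, "squashfs-le", rd64le(p + 40)};
            continue;
        }
        if (off + 96 <= len && memcmp(p, "sqsh", 4) == 0) {
            hits[n++] = (hit_t){off, "squashfs-be", 0};   /* big-endian fields not decoded here */
            continue;
        }
        /* JFFS2 node header: u16 magic 0x1985, u16 nodetype, u32 totlen. A two-byte
           magic alone fires constantly, so require a known nodetype as well */
        if (off + 12 <= len && rd16le(p) == 0x1985) {
            uint16_t nt = rd16le(p + 2);
            if (nt == 0xe001 || nt == 0xe002 || nt == 0x2003) {   /* dirent, inode, cleanmarker */
                hits[n++] = (hit_t){off, "jffs2-le-node", rd32le(p + 4)};
                continue;
            }
        }
        /* gzip member using deflate: 1f 8b 08 (typical for compressed kernels) */
        if (p[0] == 0x1f && p[1] == 0x8b && p[2] == 0x08)
            hits[n++] = (hit_t){off, "gzip", 0};
    }
    return n;
}

/* Constructed sample image (not a real dump): erased-flash fill, a uImage header
   announcing a 16-byte payload at 0, a squashfs v4 superblock claiming 0x1000
   bytes at 0x100, and a JFFS2 cleanmarker node at 0x300. Needs cap >= 0x400. */
size_t build_sample(unsigned char *out, size_t cap)
{
    if (cap < 0x400) return 0;
    memset(out, 0xff, cap);
    unsigned char *p = out;
    p[0] = 0x27; p[1] = 0x05; p[2] = 0x19; p[3] = 0x56;    /* uImage magic */
    p[12] = 0; p[13] = 0; p[14] = 0; p[15] = 16;           /* ih_size = 16 */
    memcpy(p + 32, "Linux-5.10 constructed", 22);          /* ih_name */
    p = out + 0x100;
    memcpy(p, "hsqs", 4);
    p[28] = 4; p[29] = 0;                                  /* s_major = 4 */
    memset(p + 40, 0, 8); p[41] = 0x10;                    /* bytes_used = 0x1000 */
    p = out + 0x300;
    p[0] = 0x85; p[1] = 0x19; p[2] = 0x03; p[3] = 0x20;    /* magic 0x1985, cleanmarker */
    p[4] = 12; p[5] = 0; p[6] = 0; p[7] = 0;               /* totlen = 12 */
    memset(p + 8, 0, 4);                                   /* hdr_crc (not checked here) */
    return 0x400;
}

int main(void)
{
    unsigned char blob[0x400];
    hit_t hits[8];
    size_t len = build_sample(blob, sizeof blob);
    int n = scan_blob(blob, len, hits, 8);
    for (int i = 0; i < n; i++)
        printf("0x%06zx  %-14s  size=%llu\n", hits[i].offset, hits[i].type,
               (unsigned long long)hits[i].size);
    return 0;
}
```

The size fields are the useful part: dd with the reported offset and length carves the exact image, and a bytes_used that runs past the end of the file is the usual sign that the flash dump is truncated or that the vendor altered the superblock.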

Filesystem analysis

Treat the extracted filesystem as a rooted Linux install. Walk /etc for configuration files, default credentials (passwd, shadow, vendor config defaults) and the init scripts that show which services start at boot; /bin, /sbin and /usr/sbin for the vendor's own daemons, which are usually the weakest code on the device; and /var/www or /www for web server source and CGI handlers. Confirm the target architecture and endianness with file on any binary, then run checksec on every binary to learn which mitigations (NX, PIE, RELRO, stack canaries) stand between a bug and an exploit.
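checksec's PIE, NX and RELRO columns come straight from the ELF header and program headers. The following added example (written for this page; not checksec's code and not from the original article) reads those fields in an endianness-aware way, which matters because most router binaries are big-endian MIPS and a host-order parser reads them as garbage. The two sample headers it inspects are constructed in build_sample_elf; hardening_t, elf_hardening and build_sample_elf are this example's own names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Facts checksec derives from program headers. Stack canaries are not covered:
   detecting them needs the symbol table (a __stack_chk_fail import), not headers. */
typedef struct { int is_64bit, big_endian, pie, nx, relro; } hardening_t;

static uint16_t rd16(const unsigned char *p, int be)
{ return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]); }
static uint32_t rd32(const unsigned char *p, int be)
{ return be ? ((uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3])
            : ((uint32_t)p[3] << 24 | p[2] << 16 | p[1] << 8 | p[0]); }
static uint64_t rd64(const unsigned char *p, int be)
{ return be ? ((uint64_t)rd32(p, be) << 32 | rd32(p + 4, be))
            : ((uint64_t)rd32(p + 4, be) << 32 | rd32(p, be)); }

#define PT_GNU_STACK 0x6474e551u
#define PT_GNU_RELRO 0x6474e552u
#define PF_X 1u

/* Parses the ELF header and program headers in buf, honouring the file's own
   byte order (EI_DATA). Returns 0 on success, -1 if buf is not a usable ELF. */
int elf_hardening(const unsigned char *buf, size_t len, hardening_t *h)
{
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    int is64 = buf[4] == 2, be = buf[5] == 2;
    if (is64 && len < 64) return -1;
    memset(h, 0, sizeof *h);
    h->is_64bit = is64;
    h->big_endian = be;
    h->pie = rd16(buf + 16, be) == 3;                      /* e_type == ET_DYN */
    uint64_t phoff = is64 ? rd64(buf + 32, be) : rd32(buf + 28, be);
    uint16_t phentsize = rd16(buf + (is64 ? 54 : 42), be);
    uint16_t phnum = rd16(buf + (is64 ? 56 : 44), be);
    int have_stack = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (phentsize < (is64 ? 56 : 32) || off + phentsize > len) return -1;
        const unsigned char *ph = buf + off;
        uint32_t ptype = rd32(ph, be);
        uint32_t pflags = rd32(ph + (is64 ? 4 : 24), be);  /* p_flags moves in ELF64 */
        if (ptype == PT_GNU_STACK) { have_stack = 1; h->nx = !(pflags & PF_X); }
        if (ptype == PT_GNU_RELRO) h->relro = 1;
    }
    /* No PT_GNU_STACK at all: the loader falls back to an executable stack,
       and checksec reports it as NX disabled. */
    if (!have_stack) h->nx = 0;
    return 0;
}

/* Constructed sample (not a real binary): big-endian 32-bit MIPS ELF header plus
   program headers. hardened=0 mimics a typical router daemon (ET_EXEC, RWX stack,
   no RELRO); hardened=1 flips all three. out must hold 148 bytes. Returns length. */
size_t build_sample_elf(unsigned char *out, int hardened)
{
    static const unsigned char ident[16] = {0x7f, 'E', 'L', 'F', 1, 2, 1, 0};
    memset(out, 0, 52 + 3 * 32);
    memcpy(out, ident, 16);                                /* ELFCLASS32, ELFDATA2MSB */
    out[17] = hardened ? 3 : 2;                            /* e_type ET_DYN / ET_EXEC */
    out[19] = 8;                                           /* e_machine EM_MIPS */
    out[31] = 52;                                          /* e_phoff */
    out[41] = 52; out[43] = 32;                            /* e_ehsize, e_phentsize */
    out[45] = hardened ? 3 : 2;                            /* e_phnum */
    unsigned char *ph = out + 52;
    ph[3] = 1; ph[27] = 5;                                 /* PT_LOAD, PF_R|PF_X */
    ph += 32;
    ph[0] = 0x64; ph[1] = 0x74; ph[2] = 0xe5; ph[3] = 0x51; /* PT_GNU_STACK */
    ph[27] = hardened ? 6 : 7;                             /* RW vs RWX stack */
    if (hardened) {
        ph += 32;
        ph[0] = 0x64; ph[1] = 0x74; ph[2] = 0xe5; ph[3] = 0x52; /* PT_GNU_RELRO */
        ph[27] = 4;
    }
    return 52 + 32 * (hardened ? 3 : 2);
}

int main(void)
{
    unsigned char img[160];
    hardening_t h;
    for (int hardened = 0; hardened < 2; hardened++) {
        size_t n = build_sample_elf(img, hardened);
        if (elf_hardening(img, n, &h) != 0) return 1;
        printf("%s ELF%d %s: PIE=%s NX=%s RELRO=%s\n", h.big_endian ? "BE" : "LE",
               h.is_64bit ? 64 : 32, hardened ? "hardened" : "typical-router",
               h.pie ? "yes" : "no", h.nx ? "yes" : "no", h.relro ? "yes" : "no");
    }
    return 0;
}
```

Pointed at a real extracted root, a loop over every file that starts with the ELF magic gives the same table checksec prints, and the NX and PIE columns decide whether the memory corruption section below applies in its simplest form.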

Identifying vulnerable third-party components

Most firmware ships with BusyBox, OpenSSL, uClibc and the kernel at fixed versions that never get updated. Pull version strings (strings on the binaries, or the library file names in /lib) and cross-reference them against NVD. A router whose OpenSSL identifies as 1.0.1e falls inside the Heartbleed range (1.0.1 through 1.0.1f), in 2025. Treat the banner as a lead rather than proof: vendors sometimes backport a fix without bumping the version string, so confirm against the running service with a proof of concept before reporting.

Emulation and dynamic testing

QEMU user-mode emulation runs individual binaries from the extracted filesystem on your host, which is enough for exercising parsers and attaching a debugger. Full system emulation via Firmadyne or FirmAE boots the entire firmware image on a stock kernel for the target architecture and brings up its network interfaces, making the web interface reachable for manual testing and fuzzing.

  • qemu-mips-static -L squashfs-root/ squashfs-root/bin/httpd (qemu-mipsel-static for little-endian targets); -L makes the emulator load the firmware's own ld.so and uClibc instead of the host's. Add -g 1234 to expose a gdbserver stub for gdb-multiarch
  • FirmAE: automated Firmadyne with a higher emulation success rate, thanks to fixes for the common boot and network-setup failures
  • Hardware the emulator cannot provide (NVRAM, watchdog, GPIO) makes daemons exit early; shim nvram_get and friends with Firmadyne's libnvram via LD_PRELOAD, and patch the check out of the binary only when no shim fits
  • Fuzz HTTP endpoints with ffuf and custom wordlists built from strings run over the httpd binary and the web root, since the real CGI names and parameter keys are sitting in the firmware

Memory corruption exploitation

Embedded C binaries are often built without stack canaries or PIE, on kernels old enough to have no ASLR, so a classic stack buffer overflow that returns into a ROP chain assembled from uClibc is still viable. Identify vulnerable input processing with fuzzing, reproduce under QEMU user-mode with its gdbserver stub (qemu-mips-static -g 1234, then target remote from gdb-multiarch) to confirm control of the program counter, then build the exploit. On MIPS, remember that the instruction and data caches are not coherent: shellcode written to the stack usually needs a cache flush before you jump to it, and calling sleep() first is the standard trick.
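The bug class the text describes, as an added example in C (constructed for this page; it is not code from any real router firmware or from the original article): an embedded httpd percent-decodes a request path into a fixed-size field with no bound, so a long path runs over the field that follows it. The overflow here lands in an adjacent struct member rather than a saved return address so that it runs safely on the host, but the copy loop is the same shape that gives return-address control on a canary-less stack. request_t, decode_path_vuln and decode_path_safe are this example's own names.

```c
#include <stdio.h>
#include <string.h>

/* Request record laid out the way a small embedded httpd might keep it: the
   decoded path sits directly in front of a privilege flag (constructed example). */
typedef struct {
    char path[32];
    int  is_admin;
} request_t;

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* VULNERABLE: percent-decodes the request path into req->path with no bound.
   The attacker controls the length, the destination is fixed-size, and nothing
   checks. noinline keeps the compiler from reasoning across the call about
   which fields the loop can touch, so the demo behaves the same at -O2. */
__attribute__((noinline))
void decode_path_vuln(request_t *req, const char *in)
{
    char *out = req->path;
    while (*in) {
        if (in[0] == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            *out++ = (char)(hexval(in[1]) << 4 | hexval(in[2]));
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
}

/* HARDENED: the same decoder, bounded by the destination size. It refuses
   (returns -1, req untouched) instead of truncating, because a silently
   truncated path can itself become an authorization bypass. The check is on
   the decoded output length, since "%41" shrinks from 3 bytes to 1. */
int decode_path_safe(request_t *req, const char *in)
{
    char tmp[sizeof req->path];
    size_t n = 0;
    while (*in) {
        if (n + 1 >= sizeof tmp) return -1;          /* leave room for the NUL */
        if (in[0] == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            tmp[n++] = (char)(hexval(in[1]) << 4 | hexval(in[2]));
            in += 3;
        } else {
            tmp[n++] = *in++;
        }
    }
    tmp[n] = '\0';
    memcpy(req->path, tmp, n + 1);
    return 0;
}

int main(void)
{
    request_t req;
    char attack[36];
    /* 35 'A's plus the NUL is 36 bytes: path[] holds 32, so 3 'A's and the
       terminator spill into is_admin and the write fills the struct exactly. */
    memset(attack, 'A', 35);
    attack[35] = '\0';

    memset(&req, 0, sizeof req);
    decode_path_vuln(&req, attack);
    printf("vulnerable: is_admin=0x%x (overwritten by the overflow)\n", (unsigned)req.is_admin);

    memset(&req, 0, sizeof req);
    int rc = decode_path_safe(&req, attack);
    printf("hardened: rc=%d is_admin=%d\n", rc, req.is_admin);
    rc = decode_path_safe(&req, "/cgi-bin/%41dmin");
    printf("hardened: rc=%d path=%s\n", rc, req.path);
    return 0;
}
```

Build the vulnerable half with -fno-stack-protector and a stack-local request_t in a real handler and the same 35-byte path walks past the struct into the saved frame; that is the crash fuzzing finds and GDB under QEMU confirms.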

Field notes: the majority of consumer routers ship with known CVEs in embedded libraries; firmware binaries compiled without stack canaries are the common case; the OpenSSL version in consumer router firmware is on average 5+ years old. The firmware image on your router is a time capsule of 2018 security practices.

Read more field notes, explore our services, or get in touch at info@bipi.in.