FirmAE: Automated Firmware Emulation and Vulnerability Analysis – Installation, Usage, and Zyxel Router Case Study
This article introduces FirmAE, an automated framework for firmware emulation and vulnerability analysis, details its installation and usage steps on Ubuntu, and presents a comprehensive reverse‑engineering case study of a Zyxel router firmware to illustrate troubleshooting and manual analysis techniques.
1. Introduction
FirmAE is a fully automated framework for firmware emulation and vulnerability analysis that improves the success rate of Firmadyne from 16.28% to 79.36% using five arbitration techniques. It simulates firmware images on a custom Linux kernel, performs pre‑emulation and final emulation, and automates logging, network reachability, and web service availability checks. Docker is used to parallelize emulations, allowing each firmware image to run in an isolated container.
2. Installation
On Ubuntu 18.04, install FirmAE with the following commands:
git clone --recursive https://github.com/pr0v3rbs/FirmAE
cd FirmAE          # the helper scripts below live inside the cloned repository
./download.sh      # fetches the prebuilt kernels and binaries FirmAE needs
./install.sh
3. Usage
Initialize the environment:
./init.sh
Check mode (pre‑emulation: emulates the image once and reports whether its network and web service come up):
sudo ./run.sh -c <brand> <firmware>
Analysis mode (use FirmAE analyzer):
sudo ./run.sh -a <brand> <firmware>
Run mode (test network services or custom analyzers):
sudo ./run.sh -r <brand> <firmware>
After the run script finishes, you can debug the firmware:
sudo ./run.sh -d <brand> <firmware>
Kernel‑level boot debugging:
sudo ./run.sh -b <brand> <firmware>
4. Case Study: Emulating a Zyxel NWA1100‑NH_2.12 Firmware
The firmware completed emulation without errors, but the web service did not start. Investigation revealed that FirmAE had started httpd while the firmware actually uses mini_httpd. By manually configuring and launching mini_httpd with a crafted mini_httpd.conf (e.g., dir=/usr/www, cgipat=cgi-bin/*, user=root, port=8081), the HTTP service became reachable.
Further analysis uncovered a log_maintain binary that could not be found because its directory (/etc/scripts/) was not on PATH; adding it resolved the issue:
export PATH=/etc/scripts/:$PATH
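Both problems above come down to the same question about the extracted filesystem: what does the firmware actually ship, and what do its startup scripts expect to find? The following helper, added here as an example and not part of the article or of FirmAE, walks a firmware root, lists the web-server binaries present, and reports commands that startup scripts invoke but that the firmware's own PATH cannot resolve, together with the directories that do contain them. The sample filesystem, the directory lists, the builtin set and the default PATH are all constructed assumptions.

```python
"""Added example (not from the article or from FirmAE): inspect an extracted
firmware root for the web server it ships and for commands its startup scripts
cannot resolve. Sample filesystem, directory lists and PATH are constructed."""
import os
import re
import shlex
import tempfile

# Web servers commonly seen in embedded firmware (assumed, not exhaustive).
WEB_SERVER_NAMES = {"httpd", "mini_httpd", "lighttpd", "boa", "uhttpd", "thttpd", "goahead"}
# Where startup scripts tend to live (assumed; /etc/scripts comes from the case study).
SCRIPT_DIRS = ("etc", "etc/init.d", "etc/rc.d", "etc/scripts", "sbin", "usr/sbin")
# Shell keywords that may precede the real command, and builtins that need no binary.
LEADING_KEYWORDS = {"if", "then", "else", "elif", "while", "until", "do", "!", "{"}
SHELL_BUILTINS = {"fi", "done", "case", "esac", "export", "exit", "echo", "set", "cd",
                  "return", "local", "test", "[", "}", "break", "continue", "shift",
                  "trap", "read", "eval", ":", ".", "ulimit", "umask"}


def find_web_servers(root):
    """Relative paths of every known web-server binary present under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in WEB_SERVER_NAMES:
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def is_shell_script(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def invoked_commands(script_path):
    """Yield the command word of each simple command in a shell script."""
    with open(script_path, "r", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            for part in re.split(r"&&|\|\||[;|]", line):  # "a && b; c | d" -> a, b, c, d
                try:
                    words = shlex.split(part)
                except ValueError:
                    continue  # unbalanced quotes: skip rather than guess
                i = 0
                while i < len(words) and (words[i] in LEADING_KEYWORDS
                                          or re.match(r"^[A-Za-z_]\w*=", words[i])):
                    i += 1  # skip keywords and VAR=value prefixes
                if i < len(words) and not words[i].endswith(")"):  # ignore case labels
                    yield words[i]


def resolves(cmd, root, path_dirs):
    """Resolve cmd as the firmware's shell would: by path if it has one, else via PATH."""
    if "/" in cmd:
        return os.path.exists(os.path.join(root, cmd.lstrip("/")))
    return any(os.path.exists(os.path.join(root, d.strip("/"), cmd)) for d in path_dirs)


def missing_commands(root, path_dirs=("/bin", "/sbin", "/usr/bin", "/usr/sbin")):
    """Map each command no startup script can resolve to the scripts that call it."""
    missing = {}
    for sub in SCRIPT_DIRS:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            script = os.path.join(base, name)
            if not (os.path.isfile(script) and is_shell_script(script)):
                continue
            for cmd in invoked_commands(script):
                if cmd in SHELL_BUILTINS or resolves(cmd, root, path_dirs):
                    continue
                missing.setdefault(cmd, set()).add(os.path.relpath(script, root))
    return {cmd: sorted(callers) for cmd, callers in missing.items()}


def locate_elsewhere(root, cmd):
    """Absolute firmware directories that do contain cmd: candidates to add to PATH."""
    return sorted("/" + os.path.relpath(d, root) for d, _s, files in os.walk(root) if cmd in files)


def build_sample_root():
    """Constructed mini firmware root mirroring the case study: mini_httpd but no httpd,
    and an rc script calling log_maintain, which only exists under /etc/scripts."""
    root = tempfile.mkdtemp(prefix="fw_")
    files = {
        "bin/sh": "\x7fELF", "sbin/ifconfig": "\x7fELF", "usr/sbin/mini_httpd": "\x7fELF",
        "etc/scripts/log_maintain": "#!/bin/sh\necho maintain\n",
        "etc/rc": ("#!/bin/sh\n# constructed startup script\n"
                   "/usr/sbin/mini_httpd -C /etc/mini_httpd.conf\n"
                   "log_maintain start && ifconfig eth0 up\n"),
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    fw = build_sample_root()
    print("web servers:", find_web_servers(fw))
    for cmd, callers in missing_commands(fw).items():
        print(f"missing {cmd!r} (called from {callers}); found in {locate_elsewhere(fw, cmd)}")
```

Run it against the root FirmAE extracted (the image's squashfs directory) instead of the constructed one; a web server listed here that differs from the one FirmAE launched, or a command in the missing set, is exactly the kind of discrepancy the case study had to find by hand.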
Login authentication relied on the chkpwd program. Patching the binary to replace the condition !strncmp(v84, "Access granted", 14) with strncmp(v84, "Access granted", 14) (changing the underlying bnez to beqz) made the login succeed.
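The bnez-to-beqz change is a single-bit edit of the MIPS32 opcode field, and the safest way to apply it is to decode the word at the chosen offset first and refuse to write anything that is not actually a beq/bne. The following encoder/decoder, added here as an example rather than taken from the article, shows that check and the patch for both endiannesses; the sample image, its byte offset and the register numbers are constructed.

```python
"""Added example (not from the article): encode and decode MIPS32 beq/bne so the
bnez -> beqz change from the case study can be verified before it is written
into the emulated image. Sample image, offset and registers are constructed."""
import struct

OP_BEQ, OP_BNE = 0x04, 0x05  # MIPS32 I-type opcodes; bnez/beqz are bne/beq with rt = $zero


def decode_branch(word):
    """Return (mnemonic, rs, rt, offset) for a beq/bne word, else None."""
    op = word >> 26
    if op not in (OP_BEQ, OP_BNE):
        return None
    rs, rt, imm = (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF
    if imm & 0x8000:  # 16-bit signed offset, counted in instructions
        imm -= 0x10000
    return ("beq" if op == OP_BEQ else "bne", rs, rt, imm)


def encode_branch(mnemonic, rs, rt, offset):
    op = {"beq": OP_BEQ, "bne": OP_BNE}[mnemonic]
    return (op << 26) | (rs << 21) | (rt << 16) | (offset & 0xFFFF)


def disasm(word):
    """Pseudo-op form with the displacement in bytes from the delay slot, as a disassembler shows it."""
    d = decode_branch(word)
    if d is None:
        return None
    m, rs, rt, off = d
    if rt == 0:
        return f"{m}z ${rs}, {off * 4:+d}"
    return f"{m} ${rs}, ${rt}, {off * 4:+d}"


def invert_branch(word):
    """Swap bne <-> beq, keeping registers and target; only the low opcode bit (bit 26) changes."""
    d = decode_branch(word)
    if d is None:
        raise ValueError(f"0x{word:08x} is not a beq/bne instruction")
    m, rs, rt, off = d
    return encode_branch("bne" if m == "beq" else "beq", rs, rt, off)


def patch_branch(image, offset, big_endian=True):
    """Invert the branch at byte offset; return (patched image, before, after) with disassembly text.
    Anything that does not decode as a branch raises, so a wrong offset cannot corrupt the image."""
    fmt = ">I" if big_endian else "<I"
    (word,) = struct.unpack_from(fmt, image, offset)
    new_word = invert_branch(word)
    out = bytearray(image)
    struct.pack_into(fmt, out, offset, new_word)
    return bytes(out), disasm(word), disasm(new_word)


# Constructed big-endian sample: nop, then "bnez $2, +28" (rs = $v0, 7 words ahead), then the delay-slot nop.
SAMPLE_IMAGE = bytes.fromhex("00000000" "14400007" "00000000")
BRANCH_OFFSET = 4

if __name__ == "__main__":
    patched, before, after = patch_branch(SAMPLE_IMAGE, BRANCH_OFFSET)
    print(f"{before}  ->  {after}")
    print(SAMPLE_IMAGE.hex(), "->", patched.hex())
    changed = [i for i, (a, b) in enumerate(zip(SAMPLE_IMAGE, patched)) if a != b]
    print("bytes changed at offsets:", changed)  # only the opcode byte of the branch
```

Comparing the before and after disassembly against what the decompiler showed for the chkpwd condition confirms the file offset is right before the image is rebuilt; the endianness flag matters because the byte that carries the opcode moves from offset 0 to offset 3 of the word on little-endian MIPS.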
Network request analysis showed a POST to /cgi-bin/ip. The actual handler was a dynamically generated cgiMain linked to /sbin/cgiMain; this insight enables further reverse‑engineering of the HTTP request handling logic.
5. Conclusion
FirmAE enables automated emulation of many IoT firmware images, facilitating reverse engineering and dynamic analysis. For firmware that cannot be fully automated, manual investigation—such as adjusting configuration files, patching binaries, and tracing service handlers—remains essential.
6. References
https://github.com/pr0v3rbs/FirmAE
https://syssec.kaist.ac.kr/pub/2020/kim_acsac2020.pdf
https://github.com/firmadyne/firmadyne
360 Tech Engineering