
firmae's Introduction

FirmAE

FirmAE is a fully-automated framework that performs emulation and vulnerability analysis. FirmAE significantly increases the emulation success rate (from Firmadyne's 16.28% to 79.36%) with five arbitration techniques. We tested FirmAE on 1,124 wireless-router and IP-camera firmware images from the top eight vendors.

We also developed a dynamic analysis tool for 0-day discovery, which infers web service information based on the filesystem and kernel logs of the target firmware. By running our tool on the successfully emulated firmware images, we discovered 12 new 0-days which affect 23 devices.

Installation

Note that we tested FirmAE on Ubuntu 18.04.

  1. Clone FirmAE.
     $ git clone --recursive https://github.com/pr0v3rbs/FirmAE
  2. Run the download.sh script.
     $ ./download.sh
  3. Run the install.sh script.
     $ ./install.sh

Usage

  1. Execute the init.sh script.
     $ ./init.sh
  2. Prepare a firmware image.
     $ wget https://github.com/pr0v3rbs/FirmAE/releases/download/v1.0/DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip
  3. Check emulation.
     $ sudo ./run.sh -c <brand> <firmware>
  4. Analyze the target firmware.

     • Analysis mode uses the FirmAE analyzer.
       $ sudo ./run.sh -a <brand> <firmware>
     • Run mode helps to test the web service or execute a custom analyzer.
       $ sudo ./run.sh -r <brand> <firmware>

Debug

After run.sh -c has finished.

  1. User-level basic debugging utility (useful when an emulated firmware is network reachable).
     $ sudo ./run.sh -d <brand> <firmware>
  2. Kernel-level boot debugging.
     $ sudo ./run.sh -b <brand> <firmware>

Turn on/off arbitration

Check the five arbitration environment variables in firmae.config:

$ head firmae.config
#!/bin/sh

FIRMAE_BOOT=true
FIRMAE_NETWORK=true
FIRMAE_NVRAM=true
FIRMAE_KERNEL=true
FIRMAE_ETC=true

if (${FIRMAE_ETC}); then
  TIMEOUT=240

Docker

First, prepare a docker image.

$ ./docker-init.sh

Parallel mode

Then, run one of the commands below. -ec checks only the emulation, and -ea checks the emulation and analyzes vulnerabilities.

$ ./docker-helper.py -ec <brand> <firmware>
$ ./docker-helper.py -ea <brand> <firmware>

Debug mode

After a firmware image has been successfully emulated.

$ ./docker-helper.py -ed <firmware>

Evaluation

Emulation result

Google spreadsheet - view

Dataset

Google drive - download

CVEs

Authors

This research project has been conducted by SysSec Lab at KAIST.

Citation

We would appreciate it if you would consider citing our paper when using FirmAE.

@inproceedings{kim:2020:firmae,
  author = {Mingeun Kim and Dongkwan Kim and Eunsoo Kim and Suryeon Kim and Yeongjin Jang and Yongdae Kim},
  title = {{FirmAE}: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis},
  booktitle = {Annual Computer Security Applications Conference (ACSAC)},
  year = 2020,
  month = dec,
  address = {Online}
}

firmae's People

Contributors

chinanuke, credmp, kibouo, loverics, newthis, pagabuc, pr0v3rbs


firmae's Issues

Error in psycopg2

After getting "[*] Completed initializing core docker", I run sudo ./docker-helper.py -ec "tp-link" "Archer_VR600v1_0.1.0_0.9.1_up_boot\(160217\)_2016-02-17_14.52.21.zip" but I get the error

Traceback (most recent call last):
  File "/home/asd/Desktop/FirmAE/./docker-helper.py", line 9, in <module>
    import scripts.util as util
  File "/home/asd/Desktop/FirmAE/scripts/util.py", line 4, in <module>
    import psycopg2
  File "/usr/lib/python3/dist-packages/psycopg2/__init__.py", line 104
    connection_factory=None, cursor_factory=None, async=False, **kwargs):
                                                     ^
SyntaxError: invalid syntax

The arrow is under "async".

Some changes in firmae.config can make FirmAE faster when facing a firmware image that cannot be emulated.

First, thanks for the FirmAE tool. Very useful.
Then, I found a problem: when facing a firmware image that cannot be emulated, FirmAE will enter an infinite loop in the firmae.config code. Details below.
There is a "check_network" function in firmae.config.

while [ ${CURRENT_TIME} -le $[${START_TIME} + ${CHECK_TIMEOUT}] ]
    do
        for IP in "${IPS[@]}"
        do
            if (curl --max-time 2 --output /dev/null --silent http://${IP} || curl --max-time 2 --output /dev/null --silent https://${IP}); then
                t_end="$(date -u +%s.%N)"
                if (! ${WEB_RESULT}); then
                    WEB_TIME="$(bc <<< "$t_end-$t_start")"
                fi
                if (! ${PING_RESULT}); then
                    PING_TIME=${WEB_TIME}
                fi
                PING_RESULT=true
                WEB_RESULT=true
                RET_IP=${IP}
            fi
            if (ping -c 1 ${IP} > /dev/null); then
                t_end="$(date -u +%s.%N)"
                if (! ${PING_RESULT}); then
                    PING_TIME="$(bc <<< "$t_end-$t_start")"
                fi
                PING_RESULT=true
                RET_IP=${IP}
            fi
            sleep 1
            CURRENT_TIME=$(date +%s | bc)
        done
        if (${WEB_RESULT}); then
            break
        fi
    done

When ${IPS[@]} is empty, IP is NONE and the for-loop will not be executed. So CURRENT_TIME will always equal START_TIME. Therefore, the WHILE loop will be an infinite loop and never break.
So the simple solution is to move the code out of the FOR-loop and into the WHILE-loop.

while [ ${CURRENT_TIME} -le $[${START_TIME} + ${CHECK_TIMEOUT}] ]
    do
    CURRENT_TIME=$(date +%s | bc)
    ......
    done

Waiting for a reply. Thanks again~.
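The reporter's fix carried through, as an added shell example that is not FirmAE's own code: the clock refresh and the timeout test live in the while loop, so an empty IP list times out instead of spinning forever. `probe_web` is a hypothetical helper standing in for the curl checks of the original snippet, and the ping/timing bookkeeping is left out.

```shell
#!/bin/sh
# Added example (not FirmAE's own code): the check_network wait loop with the
# reporter's fix applied. The clock update and the timeout test live in the
# while loop, so an empty IP list times out instead of spinning forever.

# Hypothetical stand-in for the curl probes in the original snippet: returns 0
# when an HTTP or HTTPS service answers at the given IP.
probe_web() {
    curl --max-time 2 --output /dev/null --silent "http://$1" \
        || curl --max-time 2 --output /dev/null --silent "https://$1"
}

# check_network TIMEOUT [IP ...]
# Prints the first IP whose web service answers and returns 0, or returns 1
# once TIMEOUT seconds have passed (also when no IPs were inferred at all).
check_network() {
    CHECK_TIMEOUT=$1
    shift
    START_TIME=$(date +%s)
    CURRENT_TIME=$START_TIME
    while [ "$CURRENT_TIME" -le $((START_TIME + CHECK_TIMEOUT)) ]; do
        # The original refreshed CURRENT_TIME inside the for loop below; with
        # zero IPs that body never ran and the condition could never change.
        CURRENT_TIME=$(date +%s)
        for IP in "$@"; do
            if probe_web "$IP"; then
                echo "$IP"
                return 0
            fi
        done
        sleep 1
    done
    return 1
}
```

Called as `check_network 240 192.168.0.1 192.168.1.1` it behaves like the original for a populated list; `check_network 240` with no IPs now returns 1 after the timeout.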

KeyboardInterrupt

I got an error but I don't know what happened. I need help.

I installed the software on a clean Ubuntu system (Ubuntu 18.04.6 LTS).
I have finished download.sh and install.sh, but I got a run-time error when I ran it.

What should I do next?

ubuntu@ubuntu:~/work/FirmAE$ sudo ./run.sh -r dir600 ../DIR600NA1_FW102CNb01.bin 
[*] ../DIR600NA1_FW102CNb01.bin emulation start!!!
Traceback (most recent call last):
  File "./sources/extractor/extractor.py", line 780, in <module>
    main()
  File "./sources/extractor/extractor.py", line 777, in main
    extract.extract()
  File "./sources/extractor/extractor.py", line 203, in extract
    self._extract_item(item)
  File "./sources/extractor/extractor.py", line 211, in _extract_item
    ExtractionItem(self, path, 0, None, self.debug).extract()
  File "./sources/extractor/extractor.py", line 474, in extract
    self._check_recursive(module, entry)
  File "./sources/extractor/extractor.py", line 730, in _check_recursive
    if new_item.extract():
  File "./sources/extractor/extractor.py", line 474, in extract
    self._check_recursive(module, entry)
  File "./sources/extractor/extractor.py", line 729, in _check_recursive
    self.debug)
  File "./sources/extractor/extractor.py", line 244, in __init__
    host=self.extractor.database)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/psycopg2/__init__.py", line 122, in connect
    conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
KeyboardInterrupt

extractor.py failed - Issue

While checking emulation using the command sudo ./run.sh -r DCS dcs930l_v108_b4.bin, I'm receiving the following error:

[*] dcs930l_v108_b4.bin emulation start!!!
Traceback (most recent call last):
  File "./sources/extractor/extractor.py", line 291, in generate_tag
    cur.execute("SELECT id FROM brand WHERE name=%s", (brand, ))
psycopg2.errors.UndefinedTable: relation "brand" does not exist
LINE 1: SELECT id FROM brand WHERE name='DCS'
                       ^

Traceback (most recent call last):
  File "./sources/extractor/extractor.py", line 366, in update_database
    "' WHERE id=%s", (self.tag, ))
psycopg2.errors.UndefinedTable: relation "image" does not exist
LINE 1: UPDATE image SET rootfs_extracted='True' WHERE id='dcs930l_v...
               ^

[-] extractor.py failed!

Please suggest how to avoid the above error.

Question: connect a qemu instance shell failed

Hi, I ran the debug.py script to connect to a shell in a running qemu VM.
However, the connections to both port 31337 and port 31338 failed. Do I need to use
busybox nc to open those ports in the qemu VM, or has FirmAE done that automatically? The code snippet is below:

def connect_shell(self):
    # Interactive shell over telnet (port 31338) once telnet has been set up
    if not self.telnetInit:
        self.initalize_telnet()
    subprocess.call(['telnet', self.targetIP, '31338'])

def connect(self):
    # Raw TCP channel to the debug listener on port 31337
    self.sock = socket(AF_INET, SOCK_STREAM)
    print('[*] connecting...')
    self.sock.connect((self.targetIP, 31337))
    print('[*] connected')

gdbserver is not running

Hi, I was trying to figure out why choosing option 4 to debug a running program did not work, and then I found out that the gdbserver binary worked wrong:

That means gdbserver does not even run; it just simply exits. Of course I tried to run the full command with gdbserver like

gdbserver <host>:<port> --attach <pid>

But when I list the running processes, I cannot see gdbserver running. Other things work well as expected!

After I checked, gdbserver is an empty file:

Update: I found out that when executing download.sh, a few binaries could not be downloaded, but because wget writes the file name to the folder, executing download.sh again will not download the binary. I had to delete the empty file and run download.sh again; everything works well now!

How to use the fuzzer in FirmAE?

Thanks for the author's work. I don't know how to use the fuzzer in FirmAE in the process of reproducing the paper.

Binwalk corrupts symlinks

I've installed FirmAE on Linux Mint 20.1, which already had binwalk installed. I've used the build.sh and install.sh scripts, but I'm not sure if FirmAE is using the system's binwalk or another one.

At extraction, binwalk shows this warning message about converting an external symlink to /dev/null, which I think is bad for the emulation:

WARNING: Symlink points outside of the extraction directory: /tmp/tmpbeeef6ux/_openwrt-21.02.1-ramips-mt76x8-tplink_tl-wr840n-v4-squashfs-sysupgrade.bin.extracted/squashfs-root/sbin/modinfo -> /usr/sbin/kmodloader; changing link target to /dev/null for security purposes.

In a chroot or emulated environment this security risk shouldn't apply.

Currently I'm using the --preserve-symlinks flag for binwalk in the extractor script.

Why is a KeyboardInterrupt raised when simulating a linksys firmware?

I didn't do anything, but I got a KeyboardInterrupt

$ sudo ./run.sh -c linksys ./FW_WRT32X_1.0.180404.58.img
[*] FirmAE_dataset/linksys_latest/FW_WRT32X_1.0.180404.58.img emulation start!!!
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 548, in main
    self.init()
  File "/usr/lib/python3/dist-packages/binwalk/modules/signature.py", line 98, in init
    self.magic.load(f)
  File "/usr/lib/python3/dist-packages/binwalk/core/magic.py", line 795, in load
    self.parse(lines)
  File "/usr/lib/python3/dist-packages/binwalk/core/magic.py", line 842, in parse
    self.signatures.sort(key=lambda x: x.confidence, reverse=True)
  File "/usr/lib/python3/dist-packages/binwalk/core/magic.py", line 842, in <lambda>
    self.signatures.sort(key=lambda x: x.confidence, reverse=True)
KeyboardInterrupt

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./sources/extractor/extractor.py", line 778, in <module>
    main()
  File "./sources/extractor/extractor.py", line 775, in main
    extract.extract()
  File "./sources/extractor/extractor.py", line 203, in extract
    self._extract_item(item)
  File "./sources/extractor/extractor.py", line 211, in _extract_item
    ExtractionItem(self, path, 0, None, self.debug).extract()
  File "./sources/extractor/extractor.py", line 474, in extract
    self._check_recursive(module, entry)
  File "./sources/extractor/extractor.py", line 728, in _check_recursive
    if new_item.extract():
  File "./sources/extractor/extractor.py", line 474, in extract
    self._check_recursive(module, entry)
  File "./sources/extractor/extractor.py", line 728, in _check_recursive
    if new_item.extract():
  File "./sources/extractor/extractor.py", line 474, in extract
    self._check_recursive(module, entry)
  File "./sources/extractor/extractor.py", line 728, in _check_recursive
    if new_item.extract():
  File "./sources/extractor/extractor.py", line 446, in extract
    signature=True, quiet=True):
  File "/usr/lib/python3/dist-packages/binwalk/__init__.py", line 8, in scan
    objs = m.execute()
  File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 729, in execute
    obj = self.run(module)
  File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 767, in run
    raise e
  File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 749, in run
    obj.main()
  File "/usr/lib/python3/dist-packages/binwalk/core/module.py", line 548, in main
    self.init()
KeyboardInterrupt

I can use binwalk alone to extract the firmware

$ binwalk -e  ./FW_WRT32X_1.0.180404.58.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             POSIX tar archive (GNU), owner user name: "de-armada-385-linksys-venom/"

~/FirmAE/_FW_WRT32X_1.0.180404.58.img.extracted/sysupgrade-armada-385-linksys-venom$ ll
total 10496
drwxr-xr-x 2 cuc cuc    4096 11月  5  2017 ./
drwxrwxr-x 3 cuc cuc    4096 5月   6 14:39 ../
-rw-r--r-- 1 cuc cuc      31 11月  5  2017 CONTROL
-rwxr-xr-x 1 cuc cuc 2076997 11月  5  2017 kernel*
-rw-r--r-- 1 cuc cuc 8650756 11月  5  2017 root

I don't know which step went wrong. Is it a problem with my binwalk installation?

Firmware repository

Hi,

awesome research. Are you planning to publish the collected firmwares that this was run on, or at least the URIs (maybe a script) that can be used to scrape them? E.g. AnalysisSet, LatestSet, CamSet?
Alternatively, any tip on how to collect such a repo of firmwares or a pointer to similar projects would be appreciated.

Best regards,
Attila

Binwalk Extractor failed

Just tested this on 2 freshly installed Ubuntu machines. When trying to run FirmAE, binwalk seems to throw some errors related to its running uid.

sudo ./run.sh -c dlink ../Downloads/dataset/dlink/DIR822B1_FW200KRb06.bin 
[*] ../Downloads/dataset/dlink/DIR822B1_FW200KRb06.bin emulation start!!!
 
Extractor Exception: Binwalk extraction uses many third party utilities, which may not be secure. If you wish to have extraction utilities executed as the current user, use '--run-as=root' (binwalk itself must be run as root).
----------------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/binwalk/core/module.py", line 258, in __init__
    self.load()
  File "/usr/local/lib/python3.9/dist-packages/binwalk/modules/extractor.py", line 147, in load
    raise ModuleException("Binwalk extraction uses many third party utilities, which may not be secure. If you wish to have extraction utilities executed as the current user, use '--run-as=%s' (binwalk itself must be run as root)." % user_info.pw_name)
binwalk.core.exceptions.ModuleException: Binwalk extraction uses many third party utilities, which may not be secure. If you wish to have extraction utilities executed as the current user, use '--run-as=root' (binwalk itself must be run as root).

Fuzzer results analysis

Fuzzer log files are very large, so how do you know if there are CI and BOF vulnerabilities? Thanks.

Can't connect to shell

Good day,

For a while I've been trying to emulate my firmware of the Netgear WNDR3800.
I get the following error.

Do you have a solution for this?

Thanks in advance for any help.

Regards, alex

How to stop the emulation?

I was finally able to start the emulation but don't know how to stop it. I have to delete the scratch folder and then restart to stop it. Is there a command line for it?

Extracting root filesystem failed

root@attifyos:/home/iot/tools/firmAE/FirmAE# ./run.sh -c dlink /home/iot/tools/firmware-analysis-toolkit/DIR816.img
[*] /home/iot/tools/firmware-analysis-toolkit/DIR816.img emulation start!!!

General Error: Cannot open file --run-as=root (CWD: /tmp/tmpuhbydzva) : [Errno 2] No such file or directory: '--run-as=root'

General Error: Cannot open file --preserve-symlinks (CWD: /tmp/tmpuhbydzva) : [Errno 2] No such file or directory: '--preserve-symlinks'

Traceback (most recent call last):
  File "./sources/extractor/extractor.py", line 446, in extract
  File "/usr/local/lib/python3.6/dist-packages/binwalk/__init__.py", line 10, in scan
    objs = m.execute()
  File "/usr/local/lib/python3.6/dist-packages/binwalk/core/module.py", line 784, in execute
    obj = self.run(module)
  File "/usr/local/lib/python3.6/dist-packages/binwalk/core/module.py", line 803, in run
    obj = self.load(module, kwargs)
  File "/usr/local/lib/python3.6/dist-packages/binwalk/core/module.py", line 834, in load
    argv.update(self.dependencies(module, argv['enabled']))
  File "/usr/local/lib/python3.6/dist-packages/binwalk/core/module.py", line 866, in dependencies
    raise ModuleException("Failed to load " + dependency.name + " module")
binwalk.core.exceptions.ModuleException: Failed to load General module

General Error: Cannot open file --run-as=root (CWD: /tmp/tmpmm1kal4s) : [Errno 2] No such file or directory: '--run-as=root'

General Error: Cannot open file --preserve-symlinks (CWD: /tmp/tmpmm1kal4s) : [Errno 2] No such file or directory: '--preserve-symlinks'

Traceback (most recent call last):
  File "./sources/extractor/extractor.py", line 446, in extract
  File "/usr/local/lib/python3.6/dist-packages/binwalk/__init__.py", line 10, in scan
    objs = m.execute()
  File "/usr/local/lib/python3.6/dist-packages/binwalk/core/module.py", line 784, in execute
    obj = self.run(module)
  File "/usr/local/lib/python3.6/dist-packages/binwalk/core/module.py", line 803, in run
    obj = self.load(module, kwargs)
  File "/usr/local/lib/python3.6/dist-packages/binwalk/core/module.py", line 834, in load
    argv.update(self.dependencies(module, argv['enabled']))
  File "/usr/local/lib/python3.6/dist-packages/binwalk/core/module.py", line 866, in dependencies
    raise ModuleException("Failed to load " + dependency.name + " module")
binwalk.core.exceptions.ModuleException: Failed to load General module
[-] Extracting root filesystem failed!
root@attifyos:/home/iot/tools/firmAE/FirmAE#

Can't start network

Hey,

I'm working on a project in which I have to emulate the firmware of the Foscam C2.

This firmware was hell to extract, but I got it.

The problem I'm running into is the following:

Is there a way to solve this?

sh and init are rwx, but it still hangs on them.

FATAL: kernel too old

I use the command sudo ./run.sh -c, but when I look at the qemu initial log in the scratch dir, it says the kernel is too old. I'm using FirmAE on Ubuntu 18.04.

Issues about direct access to the mtdblock device in the emulation of the d-link dap1360 firmware

hi, thanks for your great work on FirmAE,
dap1360.zip
Recently I was trying to emulate the d-link dap1360. However, the /bin/webs program cannot be started, with the error "read hw setting header failed". I decompiled this program and found that it is trying to directly access the mtdblock0 device, which I found is related to the NAND flash. As your paper described, some linksys routers also have the same problem. So I was wondering whether there is a way to emulate and read/write information in this device, or to assign some default values to emulate the NAND flash read/write process.
I attached the firmware and the decompile screenshot of the webs program; please check them and give me some ideas about this, thanks a lot!

/dev/nvram: No such device or address

When I tried to emulate FW_RT_ACRH17_300438250243.ZIP from asus with FirmAE, it failed with "/dev/nvram: No such device or address". Have you met this situation? And how do you deal with it? Thanks!

Recompilation of libnvram.so

Hi, I would like to recompile libnvram.so to try a few things. May I know which versions of the cross-compilers FirmAE used to compile libnvram.so?

Thank you!

How to find the failed reason to improve the success rate of simulation

Thank you for your work, it is exciting to use. For different firmwares, the reasons for simulation failures are different. As your paper mentioned, the Boot, Network, NVRAM, watchdog and symlink factors have been considered to solve the problem. I wonder how to find the failure reason for a new firmware, because there are still many firmwares that couldn't be simulated successfully. By debugging or something else? Looking forward to your reply!

Firmware analysis works with run.sh but not with docker-helper.py

I've had mixed results when using run.sh, but even when run.sh is successful in analyzing firmware, the docker container implementation seems to fail. This was a test I did using firmware from a D-Link DSC-923L IP Camera. It's not shown in this screenshot, but the run.sh execution continued to running nmap and then on to the fuzzing stage. It is currently still running the fuzzer. Running standard Ubuntu 18.04 LTS in an ESXi VM with 28 CPUs and 112 GB of RAM.

Deprecation of telnetlib in Python 3.13

On Kali 2023.1 the following warning is produced when the -d option is used.

/home/kali/tools/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  import telnetlib

It seems the library needs to be updated with an alternative version.

general questions

I have been looking at your FirmAE program for IoT devices. It's really great!
I have installed it on Ubuntu and everything seems to work!
Thanks for this perfect piece of software!

I only have some questions. These might seem very stupid, and I'm sorry for that, but I'm new to this industry, so still learning!

I have run the example dlink router driver, but it wasn't completely clear to me if you can also manually test for XSS or command injection, or whether this is only possible automatically with the -a command?

If I execute the -a command, "sudo ./run.sh -a ", the webserver is accessible on 192.168.0.1, but it also starts doing a lot of automated tests, like the nmap scan etc.

Is it also possible to just do a complete dynamic emulation and test manually without starting all the automated tests? Because when I start emulation with "sudo ./run.sh -c " it works, but I can't access anything on 192.168.0.1; maybe I'm doing something wrong?

ubuntu@ubuntu:~/FirmAE$ sudo ./run.sh -c dlink DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip
[*] DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip emulation start!!!

thank you in advance for your reply, and thank you for this great piece of software!

Given no Network

Hey there,
I tried to run my firmware with FirmAE like the following:

sudo ./run.sh -c auto ~/Desktop/IoT/TOTOLINK/TOTOLINK_C8189R-1C_A3000RU_IP04325_8197F_SPI_16M128M_V5.9c.5185_B20201128_ALL.web 
[*] /home/kali/Desktop/IoT/TOTOLINK/TOTOLINK_C8189R-1C_A3000RU_IP04325_8197F_SPI_16M128M_V5.9c.5185_B20201128_ALL.web emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
mke2fs 1.46.5 (30-Dec-2021)
find: /sbin: No such file or directory
e2fsck 1.46.5 (30-Dec-2021)
[*] infer network start!!!

But it gave no IP and broke off here.
After waiting for a long time (half an hour at least), sometimes when I input Ctrl-C it gives me an IP 192.168.31.1, and sometimes nothing is given.
Can you help me solve this problem? Thanks.

Check/Make binaries executable

In testing with the Archer VR600v v170814 firmware, which is downloadable from https://static.tp-link.com/Archer_VR600v(EU)_V2_170814.zip.

Trying to run the firmware I would always get "Kernel panic - not syncing: No working init found. Try passing init= option to kernel. See Linux Documentation/init.txt for guidance."

In attempting to resolve this I noticed many of the binaries were not marked as executable. I modified the image.raw file by mounting it and blindly changing the permissions of everything via chmod -R 777.

After the image.raw was modified I commented out lines 189,190 in run.sh so it would not overwrite my modified image.

With that changed, FirmAE is able to get the firmware to boot somewhat; it's progressing past the init errors, but seemingly the webserver is not starting or finding the network (which so far I have not been able to figure out; any help would be appreciated).

I don't know how commonly executables have incorrect permissions, but this might be something worth checking before trying to emulate a given firmware.
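A pre-flight check for the two extraction problems raised in the "Binwalk corrupts symlinks" issue above and in this one, as an added shell example that is not part of FirmAE: it lists symlinks that binwalk rewrote to /dev/null, finds binaries without the execute bit, and confirms that one of the kernel's default init candidates is executable. The rootfs path argument and the list of binary directories are assumptions.

```shell
#!/bin/sh
# Added example (not FirmAE's own code): pre-flight checks on an extracted
# root filesystem before it is turned into image.raw.
# Usage: rootfs_preflight <extracted-rootfs-dir>

# Symlinks whose target binwalk rewrote to /dev/null (the warning quoted in
# the symlink issue); such links silently break whatever used to be there.
find_null_symlinks() {
    find "$1" -type l -lname /dev/null 2>/dev/null | sort
}

# Regular files under the usual binary directories (assumed list) that lack
# the owner execute bit; an init without it yields "No working init found".
find_nonexec_binaries() {
    for d in bin sbin usr/bin usr/sbin; do
        [ -d "$1/$d" ] && find "$1/$d" -type f ! -perm -u=x 2>/dev/null
    done | sort
}

# The kernel's default init candidates, tried in this order when no usable
# init= or rdinit= program exists. Returns 0 if one of them is executable.
has_working_init() {
    for i in sbin/init etc/init bin/init bin/sh; do
        [ -x "$1/$i" ] && return 0
    done
    return 1
}

# Run all checks, print findings, return non-zero when something is wrong.
rootfs_preflight() {
    root=$1
    rc=0
    nulls=$(find_null_symlinks "$root")
    if [ -n "$nulls" ]; then
        echo "[-] symlinks rewritten to /dev/null (re-extract with --preserve-symlinks):"
        echo "$nulls"
        rc=1
    fi
    nonexec=$(find_nonexec_binaries "$root")
    if [ -n "$nonexec" ]; then
        echo "[-] binaries without the execute bit:"
        echo "$nonexec"
        rc=1
    fi
    if ! has_working_init "$root"; then
        echo "[-] no executable init candidate; expect 'No working init found'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "[+] $root passed the pre-flight checks"
    return "$rc"
}
```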

Linux kernel

Hello,
The router firmware I am trying to emulate relies on Linux kernel 3.4, so I was wondering how I could compile this kernel in order to make it work with FirmAE.
Thank you

unsure of failure to boot firmware

Hello, I have been trying to use this project to emulate a router firmware I found. I sadly don't have access to a physical version of the device, so I'm having to resort to emulation. Everything seemed to go fine with creating the image, but then it fails to successfully boot under QEMU. I am rather new to firmware RE, so I'm not quite sure what to make of the error log. Is there something here that sticks out as being the culprit?

[    0.000000] Linux version 4.1.17+ (firmae@ubuntu) (gcc version 5.3.0 (GCC) ) #17 Sat Oct 31 17:56:16 KST 2020
[    0.000000] earlycon: Early serial console at I/O port 0x3f8 (options '38400n8')
[    0.000000] bootconsole [uart0] enabled
[    0.000000] CPU0 revision is: 00019300 (MIPS 24Kc)
[    0.000000] FPU revision is: 00739300
[    0.000000] Software DMA cache coherency enabled
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 00001000 @ 00000000 (reserved)
[    0.000000]  memory: 000ef000 @ 00001000 (ROM data)
[    0.000000]  memory: 00798000 @ 000f0000 (reserved)
[    0.000000]  memory: 0f777000 @ 00888000 (usable)
[    0.000000] debug: ignoring loglevel setting.
[    0.000000] Wasting 69888 bytes for tracking 2184 unused pages
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000000000000-0x0000000000ffffff]
[    0.000000]   Normal   [mem 0x0000000001000000-0x000000000fffefff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x000000000fffefff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x000000000fffefff]
[    0.000000] On node 0 totalpages: 65535
[    0.000000] free_area_init_node: node 0, pgdat 8081d5b0, node_mem_map 81000000
[    0.000000]   DMA zone: 32 pages used for memmap
[    0.000000]   DMA zone: 0 pages reserved
[    0.000000]   DMA zone: 4096 pages, LIFO batch:0
[    0.000000]   Normal zone: 480 pages used for memmap
[    0.000000]   Normal zone: 61439 pages, LIFO batch:15
[    0.000000] Primary instruction cache 2kB, VIPT, 2-way, linesize 16 bytes.
[    0.000000] Primary data cache 2kB, 2-way, VIPT, no aliases, linesize 16 bytes
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 65023
[    0.000000] Kernel command line: firmadyne.syscall=1 root=/dev/sda1 console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/preInit.sh rw debug ignore_loglevel print-fatal-signals=1 FIRMAE_NET=true FIRMAE_NVRAM=true FIRMAE_KERNEL=true FIRMAE_ETC=true user_debug=31
[    0.000000] found FIRMAE_KERNEL=t
[    0.000000] set the LD_PRELOAD=/firmadyne/libnvram_ioctl.so
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 251112K/262140K available (5361K kernel code, 248K rwdata, 1672K rodata, 260K init, 157K bss, 11028K reserved, 0K cma-reserved)
[    0.000000] NR_IRQS:256
[    0.000000] CPU frequency 333.34 MHz
[    0.000000] clocksource MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 11467490205 ns
[    0.000085] sched_clock: 32 bits at 166MHz, resolution 5ns, wraps every 12884819965ns
[    0.003631] Console: colour dummy device 80x25
[    0.005694] Calibrating delay loop... 
[    0.808641] spurious 8259A interrupt: IRQ7.
[    0.935842] 502.78 BogoMIPS (lpj=1005568)
[    0.936521] pid_max: default: 32768 minimum: 301
[    0.939036] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.939172] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.957407] clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.961562] NET: Registered protocol family 16
[    0.969337] clocksource pit: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1601818034827 ns
[    0.979783] vgaarb: loaded
[    0.980638] SCSI subsystem initialized
[    0.981095] libata version 3.00 loaded.
[    0.981702] usbcore: registered new interface driver usbfs
[    0.982678] usbcore: registered new interface driver hub
[    0.982873] usbcore: registered new device driver usb
[    0.983288] pps_core: LinuxPPS API ver. 1 registered
[    0.983407] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <[email protected]>
[    0.983616] PTP clock support registered
[    0.984380] PCI host bridge to bus 0000:00
[    0.984776] pci_bus 0000:00: root bus resource [mem 0x10000000-0x17ffffff]
[    0.984935] pci_bus 0000:00: root bus resource [io  0x1000-0x1fffff]
[    0.985098] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.985251] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.985984] pci 0000:00:00.0: [11ab:4620] type 00 class 0x060000
[    0.986564] pci 0000:00:00.0: [Firmware Bug]: reg 0x14: invalid BAR (can't size)
[    0.986986] pci 0000:00:00.0: [Firmware Bug]: reg 0x18: invalid BAR (can't size)
[    0.987112] pci 0000:00:00.0: [Firmware Bug]: reg 0x1c: invalid BAR (can't size)
[    0.987232] pci 0000:00:00.0: [Firmware Bug]: reg 0x20: invalid BAR (can't size)
[    0.987385] pci 0000:00:00.0: [Firmware Bug]: reg 0x24: invalid BAR (can't size)
[    0.988546] pci 0000:00:0a.0: [8086:7110] type 00 class 0x060100
[    0.989033] pci 0000:00:0a.1: [8086:7111] type 00 class 0x010180
[    0.989282] pci 0000:00:0a.1: reg 0x20: [io  0x0000-0x000f]
[    0.989432] pci 0000:00:0a.1: legacy IDE quirk: reg 0x10: [io  0x01f0-0x01f7]
[    0.989565] pci 0000:00:0a.1: legacy IDE quirk: reg 0x14: [io  0x03f6]
[    0.989693] pci 0000:00:0a.1: legacy IDE quirk: reg 0x18: [io  0x0170-0x0177]
[    0.989821] pci 0000:00:0a.1: legacy IDE quirk: reg 0x1c: [io  0x0376]
[    0.990113] pci 0000:00:0a.2: [8086:7112] type 00 class 0x0c0300
[    0.990249] pci 0000:00:0a.2: reg 0x20: [io  0x0000-0x001f]
[    0.990464] pci 0000:00:0a.3: [8086:7113] type 00 class 0x068000
[    0.991446] pci 0000:00:0a.3: quirk: [io  0x1000-0x103f] claimed by PIIX4 ACPI
[    0.991599] pci 0000:00:0a.3: quirk: [io  0x1100-0x110f] claimed by PIIX4 SMB
[    0.991928] pci 0000:00:12.0: [1013:00b8] type 00 class 0x030000
[    0.992058] pci 0000:00:12.0: reg 0x10: [mem 0x00000000-0x01ffffff pref]
[    0.992192] pci 0000:00:12.0: reg 0x14: [mem 0x00000000-0x00000fff]
[    0.992309] pci 0000:00:12.0: reg 0x30: [mem 0x00000000-0x0000ffff pref]
[    0.992649] vgaarb: device added: PCI:0000:00:12.0,decodes=io+mem,owns=none,locks=none
[    0.992845] pci 0000:00:13.0: [8086:100e] type 00 class 0x020000
[    0.992968] pci 0000:00:13.0: reg 0x10: [mem 0x00000000-0x0001ffff]
[    0.993078] pci 0000:00:13.0: reg 0x14: [io  0x0000-0x003f]
[    0.993252] pci 0000:00:13.0: reg 0x30: [mem 0x00000000-0x0007ffff pref]
[    0.993475] pci 0000:00:14.0: [8086:100e] type 00 class 0x020000
[    0.993585] pci 0000:00:14.0: reg 0x10: [mem 0x00000000-0x0001ffff]
[    0.993691] pci 0000:00:14.0: reg 0x14: [io  0x0000-0x003f]
[    0.993796] pci 0000:00:14.0: reg 0x30: [mem 0x00000000-0x0007ffff pref]
[    0.994050] pci 0000:00:15.0: [8086:100e] type 00 class 0x020000
[    0.994162] pci 0000:00:15.0: reg 0x10: [mem 0x00000000-0x0001ffff]
[    0.994268] pci 0000:00:15.0: reg 0x14: [io  0x0000-0x003f]
[    0.994372] pci 0000:00:15.0: reg 0x30: [mem 0x00000000-0x0007ffff pref]
[    0.994581] pci 0000:00:16.0: [8086:100e] type 00 class 0x020000
[    0.994690] pci 0000:00:16.0: reg 0x10: [mem 0x00000000-0x0001ffff]
[    0.994797] pci 0000:00:16.0: reg 0x14: [io  0x0000-0x003f]
[    0.994900] pci 0000:00:16.0: reg 0x30: [mem 0x00000000-0x0007ffff pref]
[    0.995280] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00
[    0.996688] pci 0000:00:12.0: BAR 0: assigned [mem 0x10000000-0x11ffffff pref]
[    0.996972] pci 0000:00:13.0: BAR 6: assigned [mem 0x12000000-0x1207ffff pref]
[    0.997152] pci 0000:00:14.0: BAR 6: assigned [mem 0x12080000-0x120fffff pref]

[    0.997276] pci 0000:00:15.0: BAR 6: assigned [mem 0x12100000-0x1217ffff pref]

[    0.997398] pci 0000:00:16.0: BAR 6: assigned [mem 0x12180000-0x121fffff pref]

[    0.997518] pci 0000:00:13.0: BAR 0: assigned [mem 0x12200000-0x1221ffff]

[    0.997635] pci 0000:00:14.0: BAR 0: assigned [mem 0x12220000-0x1223ffff]

[    0.997761] pci 0000:00:15.0: BAR 0: assigned [mem 0x12240000-0x1225ffff]

[    0.997899] pci 0000:00:16.0: BAR 0: assigned [mem 0x12260000-0x1227ffff]

[    0.998034] pci 0000:00:12.0: BAR 6: assigned [mem 0x12280000-0x1228ffff pref]

[    0.998157] pci 0000:00:12.0: BAR 1: assigned [mem 0x12290000-0x12290fff]

[    0.998312] pci 0000:00:13.0: BAR 1: assigned [io  0x1040-0x107f]

[    0.998438] pci 0000:00:14.0: BAR 1: assigned [io  0x1080-0x10bf]

[    0.998550] pci 0000:00:15.0: BAR 1: assigned [io  0x10c0-0x10ff]

[    0.998664] pci 0000:00:16.0: BAR 1: assigned [io  0x1400-0x143f]

[    0.998769] pci 0000:00:0a.2: BAR 4: assigned [io  0x1440-0x145f]

[    0.998874] pci 0000:00:0a.1: BAR 4: assigned [io  0x1460-0x146f]

[    1.005850] cfg80211: Calling CRDA to update world regulatory domain

[    1.007619] Switched to clocksource MIPS

[    1.014937] NET: Registered protocol family 2

[    1.019322] TCP established hash table entries: 2048 (order: 1, 8192 bytes)

[    1.019531] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)

[    1.019971] TCP: Hash tables configured (established 2048 bind 2048)

[    1.020352] UDP hash table entries: 256 (order: 0, 4096 bytes)

[    1.020532] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)

[    1.021568] NET: Registered protocol family 1

[    1.022252] PCI: Enabling device 0000:00:0a.2 (0000 -> 0001)

[    1.022874] PCI: CLS 0 bytes, default 16

[    1.030236] futex hash table entries: 256 (order: -1, 3072 bytes)

[    1.035025] squashfs: version 4.0 (2009/01/31) Phillip Lougher

[    1.035371] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.

[    1.036070] romfs: ROMFS MTD (C) 2007 Red Hat, Inc.

[    1.042234] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)

[    1.042478] io scheduler noop registered

[    1.042662] io scheduler cfq registered (default)

[    1.042857] firmadyne: devfs: 1, execute: 1, procfs: 1, syscall: 1

[    1.043453] firmadyne: Cannot register character device: gpio, 0xfc, 0x0!

[    1.044154] firmadyne: Cannot register character device: watchdog, 0xa, 0x82!

[    1.044834] firmadyne: Cannot register character device: wdt, 0xfd, 0x0!

[    1.083358] PCI: Enabling device 0000:00:12.0 (0000 -> 0002)

[    1.084716] cirrusfb 0000:00:12.0: Cirrus Logic chipset on PCI bus, RAM (4096 kB) at 0x10000000

[    1.162485] Console: switching to colour frame buffer device 80x30

[    1.172406] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled

[    1.175383] console [ttyS0] disabled

[    1.184113] serial8250.0: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A

[    1.185037] console [ttyS0] enabled

[    1.185037] console [ttyS0] enabled

[    1.185325] bootconsole [uart0] disabled

[    1.185325] bootconsole [uart0] disabled

[    1.191648] serial8250.0: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A

[    1.206141] brd: module loaded

[    1.210737] loop: module loaded

[    1.211864] ata_piix 0000:00:0a.1: version 2.13

[    1.212604] PCI: Enabling device 0000:00:0a.1 (0000 -> 0001)

[    1.218690] scsi host0: ata_piix

[    1.219451] scsi host1: ata_piix

[    1.219814] ata1: PATA max UDMA/33 cmd 0x1f0 ctl 0x3f6 bmdma 0x1460 irq 14

[    1.220256] ata2: PATA max UDMA/33 cmd 0x170 ctl 0x376 bmdma 0x1468 irq 15

[    1.222156] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0

[    1.222350] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0

[    1.222511] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0

[    1.222666] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0

[    1.222821] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0

[    1.222976] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0

[    1.223357] nand: device found, Manufacturer ID: 0x98, Chip ID: 0x39

[    1.223487] nand: Toshiba NAND 128MiB 1,8V 8-bit

[    1.223596] nand: 128 MiB, SLC, erase size: 16 KiB, page size: 512, OOB size: 16

[    1.225030] flash size: 128 MiB

[    1.225111] page size: 512 bytes

[    1.225177] OOB area size: 16 bytes

[    1.225247] sector size: 16 KiB

[    1.225309] pages number: 262144

[    1.225372] pages per sector: 32

[    1.225434] bus width: 8

[    1.225485] bits in sector size: 14

[    1.225552] bits in page size: 9

[    1.225621] bits in OOB size: 4

[    1.225688] flash size with OOB: 135168 KiB

[    1.225766] page address bytes: 4

[    1.225830] sector address bytes: 3

[    1.225897] options: 0x42

[    1.227605] Scanning device for bad blocks

[    1.272906] Creating 11 MTD partitions on "NAND 128MiB 1,8V 8-bit":

[    1.273851] 0x000000000000-0x000000100000 : "NAND simulator partition 0"

[    1.275800] 0x000000100000-0x000000200000 : "NAND simulator partition 1"

[    1.276824] 0x000000200000-0x000000300000 : "NAND simulator partition 2"

[    1.277333] 0x000000300000-0x000000400000 : "NAND simulator partition 3"

[    1.277837] 0x000000400000-0x000000500000 : "NAND simulator partition 4"

[    1.278342] 0x000000500000-0x000000600000 : "NAND simulator partition 5"

[    1.278895] 0x000000600000-0x000000700000 : "NAND simulator partition 6"

[    1.279431] 0x000000700000-0x000000800000 : "NAND simulator partition 7"

[    1.279945] 0x000000800000-0x000000900000 : "NAND simulator partition 8"

[    1.281123] 0x000000900000-0x000000a00000 : "NAND simulator partition 9"

[    1.281652] 0x000000a00000-0x000008000000 : "NAND simulator partition 10"

[    1.283817] tun: Universal TUN/TAP device driver, 1.6

[    1.284046] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>

[    1.284569] pcnet32: pcnet32.c:v1.35 21.Apr.2008 [email protected]

[    1.284807] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI

[    1.284940] e1000: Copyright (c) 1999-2006 Intel Corporation.

[    1.285172] PCI: Enabling device 0000:00:13.0 (0000 -> 0003)

[    1.405801] e1000 0000:00:13.0 eth0: (PCI:33MHz:32-bit) 52:54:00:12:34:56

[    1.406128] e1000 0000:00:13.0 eth0: Intel(R) PRO/1000 Network Connection

[    1.406349] PCI: Enabling device 0000:00:14.0 (0000 -> 0003)

[    1.428089] ata2.01: NODEV after polling detection

[    1.428423] ata1.01: NODEV after polling detection

[    1.429425] ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100

[    1.430565] ata1.00: ATA-7: QEMU HARDDISK, 2.5+, max UDMA/100

[    1.430697] ata1.00: 2097152 sectors, multi 16: LBA48 

[    1.431209] ata2.00: configured for UDMA/33

[    1.499460] ata1.00: configured for UDMA/33

[    1.505959] scsi 0:0:0:0: Direct-Access     ATA      QEMU HARDDISK    2.5+ PQ: 0 ANSI: 5

[    1.510142] scsi 1:0:0:0: CD-ROM            QEMU     QEMU DVD-ROM     2.5+ PQ: 0 ANSI: 5

[    1.511531] sd 0:0:0:0: [sda] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)

[    1.513627] sd 0:0:0:0: [sda] Write Protect is off

[    1.513750] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00

[    1.514101] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA

[    1.517724]  sda: sda1

[    1.520326] sd 0:0:0:0: [sda] Attached SCSI disk

[    1.538731] e1000 0000:00:14.0 eth1: (PCI:33MHz:32-bit) 52:54:00:12:34:57

[    1.538878] e1000 0000:00:14.0 eth1: Intel(R) PRO/1000 Network Connection

[    1.539058] PCI: Enabling device 0000:00:15.0 (0000 -> 0003)

[    1.667937] e1000 0000:00:15.0 eth2: (PCI:33MHz:32-bit) 52:54:00:12:34:58

[    1.668120] e1000 0000:00:15.0 eth2: Intel(R) PRO/1000 Network Connection

[    1.668304] PCI: Enabling device 0000:00:16.0 (0000 -> 0003)

[    1.776264] e1000 0000:00:16.0 eth3: (PCI:33MHz:32-bit) 52:54:00:12:34:59

[    1.776427] e1000 0000:00:16.0 eth3: Intel(R) PRO/1000 Network Connection

[    1.776720] e1000e: Intel(R) PRO/1000 Network Driver - 2.3.2-k

[    1.776832] e1000e: Copyright(c) 1999 - 2014 Intel Corporation.

[    1.777174] PPP generic driver version 2.4.2

[    1.777626] PPP Deflate Compression module registered

[    1.778004] PPP MPPE Compression module registered

[    1.778114] NET: Registered protocol family 24

[    1.778368] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver

[    1.778533] ehci-pci: EHCI PCI platform driver

[    1.778754] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver

[    1.778903] ohci-pci: OHCI PCI platform driver

[    1.779113] uhci_hcd: USB Universal Host Controller Interface driver

[    1.780162] uhci_hcd 0000:00:0a.2: UHCI Host Controller

[    1.780813] uhci_hcd 0000:00:0a.2: new USB bus registered, assigned bus number 1

[    1.781451] uhci_hcd 0000:00:0a.2: irq 11, io base 0x00001440

[    1.786257] hub 1-0:1.0: USB hub found

[    1.786649] hub 1-0:1.0: 2 ports detected

[    1.789733] usbcore: registered new interface driver usb-storage

[    1.790308] mousedev: PS/2 mouse device common for all mice

[    1.792120] rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0

[    1.792512] rtc_cmos rtc_cmos: alarms up to one day, 242 bytes nvram

[    1.793501] i2c /dev entries driver

[    1.793781] piix4_smbus 0000:00:0a.3: SMBus Host Controller at 0x1100, revision 0

[    1.794586] sdhci: Secure Digital Host Controller Interface driver

[    1.794705] sdhci: Copyright(c) Pierre Ossman

[    1.794982] hidraw: raw HID events driver (C) Jiri Kosina

[    1.796104] usbcore: registered new interface driver usbhid

[    1.796242] usbhid: USB HID core driver

[    1.796528] Netfilter messages via NETLINK v0.30.

[    1.797016] nf_conntrack version 0.5.0 (3923 buckets, 15692 max)

[    1.798216] ctnetlink v0.93: registering with nfnetlink.

[    1.799018] ipip: IPv4 over IPv4 tunneling driver

[    1.801910] ip_tables: (C) 2000-2006 Netfilter Core Team

[    1.803213] arp_tables: (C) 2002 David S. Miller

[    1.804101] Initializing XFRM netlink socket

[    1.804435] NET: Registered protocol family 10

[    1.810666] ip6_tables: (C) 2000-2006 Netfilter Core Team

[    1.811943] sit: IPv6 over IPv4 tunneling driver

[    1.813996] NET: Registered protocol family 17

[    1.814428] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.

[    1.814709] Bridge firewalling registered

[    1.814822] Ebtables v2.0 registered

[    1.815646] 8021q: 802.1Q VLAN Support v1.8

[    1.818019] rtc_cmos rtc_cmos: setting system clock to 2023-03-23 15:13:09 UTC (1679584389)

[    1.836361] EXT2-fs (sda1): warning: mounting unchecked fs, running e2fsck is recommended

[    1.838512] VFS: Mounted root (ext2 filesystem) on device 8:1.

[    1.839460] Freeing YAMON memory: 956k freed

[    1.865607] Freeing unused kernel memory: 260K (8081f000 - 80860000)

[    1.914046] firmadyne: sys_reboot[PID: 48 (init)]: magic1:fee1dead, magic2:28121969, cmd:0

[    1.966430] firmadyne: do_execve: /firmadyne/console

[    1.966597] OFFSETS: offset of pid: 0x198 offset of comm: 0x278

mkdir: Cannot create directory `/dev/pts': File exists

Mount DEV File System....OK

Mount PROC File System....OK

[    2.187023] EXT3-fs (loop0): error: can't find ext3 filesystem on dev loop0.

[    2.199397] EXT2-fs (loop0): error: can't find an ext2 filesystem on dev loop0.

[    2.200817] EXT4-fs (loop0): VFS: Can't find ext4 filesystem

[    2.202760] cramfs: wrong magic

[    2.204742] squashfs: SQUASHFS error: Can't find a SQUASHFS superblock on loop0

[    2.206262] FAT-fs (loop0): invalid media value (0x2a)

[    2.206401] FAT-fs (loop0): Can't find a valid FAT filesystem

[    2.209407] MTD: Attempt to mount non-MTD device "/dev/loop0"

[    2.210066] romfs: VFS: Can't find a romfs filesystem on dev loop0.

[    2.218651] UDF-fs: warning (device loop0): udf_load_vrs: No VRS found

[    2.218851] UDF-fs: warning (device loop0): udf_fill_super: No partition found (2)

mount: Mounting /sqfs.img on /sqfs failed: Invalid argument

Mount Main SQFS File System....OK

[    2.272167] random: nonblocking pool is initialized

[    2.285900] EXT3-fs (loop0): error: can't find ext3 filesystem on dev loop0.

[    2.292409] EXT2-fs (loop0): error: can't find an ext2 filesystem on dev loop0.

[    2.300645] EXT4-fs (loop0): VFS: Can't find ext4 filesystem

[    2.302205] cramfs: wrong magic

[    2.308364] squashfs: SQUASHFS error: Can't find a SQUASHFS superblock on loop0

[    2.316598] FAT-fs (loop0): invalid media value (0x2a)

[    2.316732] FAT-fs (loop0): Can't find a valid FAT filesystem

[    2.318251] MTD: Attempt to mount non-MTD device "/dev/loop0"

[    2.323984] romfs: VFS: Can't find a romfs filesystem on dev loop0.

[    2.325450] UDF-fs: warning (device loop0): udf_load_vrs: No VRS found

[    2.325608] UDF-fs: warning (device loop0): udf_fill_super: No partition found (2)

mount: Mounting /modsqfs.img on /modsqfs failed: Invalid argument

Mount Module SQFS File System....OK

Mount CFG JFFS2 File System....OK

Mount LOG JFFS2 File System....OK

umount: /modsqfs: Invalid argument

[    2.870177] firmadyne: sys_socket[PID: 163 (ifconfig)]: family:2, type:1, protocol:0

[    2.871518] 

do_page_fault(): sending SIGSEGV to cli for invalid read access from 7fca3000

[    2.871817] epc = 774f096c in libsal.so.0.0[774ce000+7f000]

[    2.872098] ra  = 774f096c in libsal.so.0.0[774ce000+7f000]

[    2.872219] 

[    2.872564] potentially unexpected fatal signal 11.

[    2.872775] CPU: 0 PID: 59 Comm: cli Not tainted 4.1.17+ #17

[    2.872929] task: 8f09e048 ti: 8f0cc000 task.ti: 8f0cc000

[    2.873040] $ 0   : 00000000 7743fb45 ffffffff ffffffff

[    2.873181] $ 4   : 7fca18a0 ffffffff 000004f8 00000000

[    2.873292] $ 8   : 00000000 00000000 00000001 00000008

[    2.873405] $12   : 00000000 76d3d1b0 00000000 00000001

[    2.873515] $16   : 7fca2ca0 7fca18a0 00000005 00000000

[    2.873617] $20   : 00000000 00000000 7fca2274 00000000

[    2.873718] $24   : 76cd6d44 773e18b0                  

[    2.873845] $28   : 77429af0 7fca1888 00000001 774f096c

[    2.873956] Hi    : 00000249

[    2.874017] Lo    : 0001cbed

[    2.874138] epc   : 774f096c 0x774f096c

[    2.874217] ra    : 774f096c 0x774f096c

[    2.874290] Status: 0000a413	USER EXL IE 

[    2.874457] Cause : 10800008

[    2.874524] BadVA : 7fca3000

[    2.874592] PrId  : 00019300 (MIPS 24Kc)

[    2.882360] firmadyne: __inet_insert_ifa[PID: 163 (ifconfig)]: device:lo ifa:0x7f000001

[    2.886231] firmadyne: __inet_insert_ifa[PID: 163 (ifconfig)]: device:lo ifa:0x7f000001

[    2.903010] firmadyne: sys_socket[PID: 164 (route)]: family:2, type:1, protocol:0

[    2.915364] firmadyne: sys_socket[PID: 165 (ifconfig)]: family:2, type:1, protocol:0

[    2.916150] firmadyne: __inet_insert_ifa[PID: 165 (ifconfig)]: device:eth0 ifa:0xc0a801fe

[    2.919797] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready

[    2.919968] 8021q: adding VLAN 0 to HW filter on device eth0

[    2.920900] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX

[    2.922025] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready

[    3.163265] 

do_page_fault(): sending SIGSEGV to initd for invalid write access to 7f862000

[    3.163842] epc = 77eaab70 in libsal.so.0.0[77e89000+7f000]

[    3.164086] ra  = 77eaab4c in libsal.so.0.0[77e89000+7f000]

[    3.164195] 

[    3.164263] potentially unexpected fatal signal 11.

[    3.164373] CPU: 0 PID: 168 Comm: initd Not tainted 4.1.17+ #17

[    3.326041] 

do_page_fault(): sending SIGSEGV to cli for invalid read access from 7f8a4000

[    3.326495] epc = 773fd96c in libsal.so.0.0[773db000+7f000]

[    3.326826] ra  = 773fd96c in libsal.so.0.0[773db000+7f000]

[    3.326938] 

[    3.326988] potentially unexpected fatal signal 11.

[    3.327083] CPU: 0 PID: 213 Comm: cli Not tainted 4.1.17+ #17

[    3.327187] task: 8f09ea68 ti: 8f0a4000 task.ti: 8f0a4000

[    3.327279] $ 0   : 00000000 7738cc46 00000000 00000000

[    3.327384] $ 4   : 00000001 00000000 00000001 00000000

[    3.327505] $ 8   : 00000000 00000000 00000001 8f19ef80

[    3.327612] $12   : 8f0a5d1e 00000001 00008000 0000001c

[    3.327897] $16   : 7f8a3ca0 7f8a2d90 00000005 00000000

[    3.328002] $20   : 00000000 00000000 7f8a3764 00000000

[    3.328104] $24   : 00010000 76bd8290                  

[    3.328208] $28   : 77336af0 7f8a2d78 00000001 773fd96c

[    3.328311] Hi    : 00000000

[    3.328365] Lo    : 00000000

[    3.328422] epc   : 773fd96c 0x773fd96c

[    3.328508] ra    : 773fd96c 0x773fd96c

[    3.328579] Status: 0000a413	USER EXL IE 

[    3.328661] Cause : 10800008

[    3.328713] BadVA : 7f8a4000

[    3.328766] PrId  : 00019300 (MIPS 24Kc)

SIGSEGV

# [    4.154263] cfg80211: Calling CRDA to update world regulatory domain

[    7.297278] cfg80211: Calling CRDA to update world regulatory domain

[   10.441320] cfg80211: Calling CRDA to update world regulatory domain

[   13.586478] cfg80211: Calling CRDA to update world regulatory domain

[   16.729864] cfg80211: Calling CRDA to update world regulatory domain

[   19.874426] cfg80211: Calling CRDA to update world regulatory domain

[   23.027537] cfg80211: Calling CRDA to update world regulatory domain

[   26.173870] cfg80211: Calling CRDA to update world regulatory domain

[   29.317903] cfg80211: Calling CRDA to update world regulatory domain

[   32.461231] cfg80211: Calling CRDA to update world regulatory domain

[   35.606512] cfg80211: Exceeded CRDA call max attempts. Not calling CRDA

rdinit cannot work in FirmAE_kernel-v4.1

When I checked the qemu.final.serial.log, I found that the rdinit was not executed, and the kernel used the default path (/sbin/init) to init the image.
I found something which may be related to this problem.
[ 0.000000] Initrd not found or empty - disabling initrd
[ 2.089000] firmadyne: do_sys_open[PID: 1 (swapper)]: file:/dev/console
[ 2.091432] firmadyne: vfs_mknod[PID: 1 (swapper)]: file:ram major:1 minor:0
[ 2.091617] firmadyne: do_sys_open[PID: 1 (swapper)]: file:/dev/ram
[ 2.091832] firmadyne: do_sys_open[PID: 1 (swapper)]: file:/initrd.image
[ 2.092081] firmadyne: close[PID: 1 (swapper)]: fd:3
[ 2.092392] firmadyne: vfs_unlink[PID: 1 (swapper)]: file:ram
[ 2.092704] firmadyne: vfs_mknod[PID: 1 (swapper)]: file:root major:8 minor:1
[ 2.093032] firmadyne: do_mount[PID: 1 (swapper)]: mountpoint:/root, device:/dev/root, type:ext3
[ 2.095511] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8f485b00
[ 2.095719] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -47
[ 2.097562] firmadyne: do_mount[PID: 1 (swapper)]: mountpoint:/root, device:/dev/root, type:ext2
[ 2.099468] EXT2-fs (sda1): warning: mounting unchecked fs, running e2fsck is recommended
[ 2.100492] VFS: Mounted root (ext2 filesystem) on device 8:1.

The original log follows.
[ 0.000000] Linux version 4.1.17+ (firmae@ubuntu) (gcc version 5.3.0 (GCC) ) #28 Sat Oct 31 17:56:39 KST 2020
[ 0.000000] earlycon: Early serial console at I/O port 0x3f8 (options '38400n8')
[ 0.000000] bootconsole [uart0] enabled
[ 0.000000] CPU0 revision is: 00019300 (MIPS 24Kc)
[ 0.000000] FPU revision is: 00739300
[ 0.000000] Software DMA cache coherency enabled
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 00001000 @ 00000000 (reserved)
[ 0.000000] memory: 000ef000 @ 00001000 (ROM data)
[ 0.000000] memory: 00788000 @ 000f0000 (reserved)
[ 0.000000] memory: 0f788000 @ 00878000 (usable)
[ 0.000000] debug: ignoring loglevel setting.
[ 0.000000] Wasting 69376 bytes for tracking 2168 unused pages
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000000000000-0x0000000000ffffff]
[ 0.000000] Normal [mem 0x0000000001000000-0x000000000fffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x000000000fffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x000000000fffffff]
[ 0.000000] On node 0 totalpages: 65536
[ 0.000000] free_area_init_node: node 0, pgdat 808155b0, node_mem_map 81000000
[ 0.000000] DMA zone: 32 pages used for memmap
[ 0.000000] DMA zone: 0 pages reserved
[ 0.000000] DMA zone: 4096 pages, LIFO batch:0
[ 0.000000] Normal zone: 480 pages used for memmap
[ 0.000000] Normal zone: 61440 pages, LIFO batch:15
[ 0.000000] Primary instruction cache 2kB, VIPT, 2-way, linesize 16 bytes.
[ 0.000000] Primary data cache 2kB, 2-way, VIPT, no aliases, linesize 16 bytes
[ 0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[ 0.000000] pcpu-alloc: [0] 0
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 65024
[ 0.000000] Kernel command line: root=/dev/sda1 console=ttyS0 nandsim.parts=64,64,64,64,64,64,64,64,64,64 rdinit=/firmadyne/lxf_test_init.sh rw debug ignore_loglevel print-fatal-signals=1 FIRMAE_NETWORK=true FIRMAE_NVRAM=true FIRMAE_KERNEL=true FIRMAE_ETC=true user_debug=0 firmadyne.sysc
[ 0.000000] found FIRMAE_KERNEL=t
[ 0.000000] set the LD_PRELOAD=/firmadyne/libnvram_ioctl.so
[ 0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[ 0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 251180K/262144K available (5331K kernel code, 246K rwdata, 1672K rodata, 228K init, 157K bss, 10964K reserved, 0K cma-reserved)
[ 0.000000] NR_IRQS:256
[ 0.000000] CPU frequency 200.00 MHz
[ 0.000000] clocksource MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112618227 ns
[ 0.000053] sched_clock: 32 bits at 99MHz, resolution 10ns, wraps every 21474851834ns
[ 0.002072] Console: colour dummy device 80x25
[ 0.004687] Calibrating delay loop... 2045.95 BogoMIPS (lpj=4091904)
[ 0.043577] pid_max: default: 32768 minimum: 301
[ 0.044050] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.044182] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.055698] clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[ 0.058189] NET: Registered protocol family 16
[ 0.065513] clocksource pit: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1601818034827 ns
[ 0.073834] vgaarb: loaded
[ 0.074401] SCSI subsystem initialized
[ 0.074802] libata version 3.00 loaded.
[ 0.075221] usbcore: registered new interface driver usbfs
[ 0.075441] usbcore: registered new interface driver hub
[ 0.075602] usbcore: registered new device driver usb
[ 0.075898] pps_core: LinuxPPS API ver. 1 registered
[ 0.075993] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti [email protected]
[ 0.076243] PTP clock support registered
[ 0.076767] PCI host bridge to bus 0000:00
[ 0.077019] pci_bus 0000:00: root bus resource [mem 0x10000000-0x17ffffff]
[ 0.077179] pci_bus 0000:00: root bus resource [io 0x1000-0x1fffff]
[ 0.077330] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[ 0.077479] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 0.077925] pci 0000:00:00.0: [11ab:4620] type 00 class 0x060000
[ 0.078330] pci 0000:00:00.0: [Firmware Bug]: reg 0x14: invalid BAR (can't size)
[ 0.078475] pci 0000:00:00.0: [Firmware Bug]: reg 0x18: invalid BAR (can't size)
[ 0.078680] pci 0000:00:00.0: [Firmware Bug]: reg 0x1c: invalid BAR (can't size)
[ 0.078816] pci 0000:00:00.0: [Firmware Bug]: reg 0x20: invalid BAR (can't size)
[ 0.078959] pci 0000:00:00.0: [Firmware Bug]: reg 0x24: invalid BAR (can't size)
[ 0.079670] pci 0000:00:0a.0: [8086:7110] type 00 class 0x060100
[ 0.080035] pci 0000:00:0a.1: [8086:7111] type 00 class 0x010180
[ 0.080236] pci 0000:00:0a.1: reg 0x20: [io 0x0000-0x000f]
[ 0.080368] pci 0000:00:0a.1: legacy IDE quirk: reg 0x10: [io 0x01f0-0x01f7]
[ 0.080505] pci 0000:00:0a.1: legacy IDE quirk: reg 0x14: [io 0x03f6]
[ 0.080634] pci 0000:00:0a.1: legacy IDE quirk: reg 0x18: [io 0x0170-0x0177]
[ 0.080768] pci 0000:00:0a.1: legacy IDE quirk: reg 0x1c: [io 0x0376]
[ 0.081034] pci 0000:00:0a.2: [8086:7112] type 00 class 0x0c0300
[ 0.081173] pci 0000:00:0a.2: reg 0x20: [io 0x0000-0x001f]
[ 0.081391] pci 0000:00:0a.3: [8086:7113] type 00 class 0x068000
[ 0.081815] pci 0000:00:0a.3: quirk: [io 0x1000-0x103f] claimed by PIIX4 ACPI
[ 0.081969] pci 0000:00:0a.3: quirk: [io 0x1100-0x110f] claimed by PIIX4 SMB
[ 0.082273] pci 0000:00:12.0: [1013:00b8] type 00 class 0x030000
[ 0.082406] pci 0000:00:12.0: reg 0x10: [mem 0x00000000-0x01ffffff pref]
[ 0.082533] pci 0000:00:12.0: reg 0x14: [mem 0x00000000-0x00000fff]
[ 0.082729] pci 0000:00:12.0: reg 0x30: [mem 0x00000000-0x0000ffff pref]
[ 0.083017] vgaarb: device added: PCI:0000:00:12.0,decodes=io+mem,owns=none,locks=none
[ 0.083271] pci 0000:00:13.0: [8086:100e] type 00 class 0x020000
[ 0.083397] pci 0000:00:13.0: reg 0x10: [mem 0x00000000-0x0001ffff]
[ 0.083517] pci 0000:00:13.0: reg 0x14: [io 0x0000-0x003f]
[ 0.083627] pci 0000:00:13.0: reg 0x30: [mem 0x00000000-0x0003ffff pref]
[ 0.083853] pci 0000:00:14.0: [8086:100e] type 00 class 0x020000
[ 0.083974] pci 0000:00:14.0: reg 0x10: [mem 0x00000000-0x0001ffff]
[ 0.084092] pci 0000:00:14.0: reg 0x14: [io 0x0000-0x003f]
[ 0.084219] pci 0000:00:14.0: reg 0x30: [mem 0x00000000-0x0003ffff pref]
[ 0.084451] pci 0000:00:15.0: [8086:100e] type 00 class 0x020000
[ 0.084570] pci 0000:00:15.0: reg 0x10: [mem 0x00000000-0x0001ffff]
[ 0.084689] pci 0000:00:15.0: reg 0x14: [io 0x0000-0x003f]
[ 0.084800] pci 0000:00:15.0: reg 0x30: [mem 0x00000000-0x0003ffff pref]
[ 0.085023] pci 0000:00:16.0: [8086:100e] type 00 class 0x020000
[ 0.085153] pci 0000:00:16.0: reg 0x10: [mem 0x00000000-0x0001ffff]
[ 0.085275] pci 0000:00:16.0: reg 0x14: [io 0x0000-0x003f]
[ 0.085387] pci 0000:00:16.0: reg 0x30: [mem 0x00000000-0x0003ffff pref]
[ 0.085690] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00
[ 0.086268] pci 0000:00:12.0: BAR 0: assigned [mem 0x10000000-0x11ffffff pref]
[ 0.086484] pci 0000:00:13.0: BAR 6: assigned [mem 0x12000000-0x1203ffff pref]
[ 0.086647] pci 0000:00:14.0: BAR 6: assigned [mem 0x12040000-0x1207ffff pref]
[ 0.086854] pci 0000:00:15.0: BAR 6: assigned [mem 0x12080000-0x120bffff pref]
[ 0.087058] pci 0000:00:16.0: BAR 6: assigned [mem 0x120c0000-0x120fffff pref]
[ 0.087206] pci 0000:00:13.0: BAR 0: assigned [mem 0x12100000-0x1211ffff]
[ 0.087381] pci 0000:00:14.0: BAR 0: assigned [mem 0x12120000-0x1213ffff]
[ 0.087521] pci 0000:00:15.0: BAR 0: assigned [mem 0x12140000-0x1215ffff]
[ 0.087651] pci 0000:00:16.0: BAR 0: assigned [mem 0x12160000-0x1217ffff]
[ 0.087779] pci 0000:00:12.0: BAR 6: assigned [mem 0x12180000-0x1218ffff pref]
[ 0.087911] pci 0000:00:12.0: BAR 1: assigned [mem 0x12190000-0x12190fff]
[ 0.088055] pci 0000:00:13.0: BAR 1: assigned [io 0x1040-0x107f]
[ 0.088210] pci 0000:00:14.0: BAR 1: assigned [io 0x1080-0x10bf]
[ 0.088340] pci 0000:00:15.0: BAR 1: assigned [io 0x10c0-0x10ff]
[ 0.088459] pci 0000:00:16.0: BAR 1: assigned [io 0x1400-0x143f]
[ 0.088574] pci 0000:00:0a.2: BAR 4: assigned [io 0x1440-0x145f]
[ 0.088688] pci 0000:00:0a.1: BAR 4: assigned [io 0x1460-0x146f]
[ 0.092513] cfg80211: Calling CRDA to update world regulatory domain
[ 0.093461] Switched to clocksource MIPS
[ 0.099765] NET: Registered protocol family 2
[ 0.101697] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.102037] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.102223] TCP: Hash tables configured (established 2048 bind 2048)
[ 0.102487] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.102647] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.103264] NET: Registered protocol family 1
[ 0.103636] PCI: Enabling device 0000:00:0a.2 (0000 -> 0001)
[ 0.104206] PCI: CLS 0 bytes, default 16
[ 0.108546] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.110911] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.111190] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[ 0.111528] romfs: ROMFS MTD (C) 2007 Red Hat, Inc.
[ 0.115156] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[ 0.115352] io scheduler noop registered
[ 0.115491] io scheduler cfq registered (default)
[ 0.115647] firmadyne: devfs: 1, execute: 1, procfs: 1, syscall: 255
[ 0.116129] firmadyne: Cannot register character device: gpio, 0xfc, 0x0!
[ 0.116727] firmadyne: Cannot register character device: watchdog, 0xa, 0x82!
[ 0.116869] firmadyne: Cannot register character device: wdt, 0xfd, 0x0!
[ 0.156180] PCI: Enabling device 0000:00:12.0 (0000 -> 0002)
[ 0.156792] cirrusfb 0000:00:12.0: Cirrus Logic chipset on PCI bus, RAM (4096 kB) at 0x10000000
[ 0.420931] Console: switching to colour frame buffer device 80x30
[ 0.434710] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 0.436165] console [ttyS0] disabled
[ 0.461458] serial8250.0: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 0.462079] console [ttyS0] enabled
[ 0.462079] console [ttyS0] enabled
[ 0.462294] bootconsole [uart0] disabled
[ 0.462294] bootconsole [uart0] disabled
[ 0.487200] serial8250.0: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[ 0.512399] serial8250.0: ttyS2 at MMIO 0x1f000900 (irq = 20, base_baud = 230400) is a 16550A
[ 0.521444] brd: module loaded
[ 0.525227] loop: module loaded
[ 0.525767] ata_piix 0000:00:0a.1: version 2.13
[ 0.526122] PCI: Enabling device 0000:00:0a.1 (0000 -> 0001)
[ 0.529259] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8fe99580
[ 0.529723] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -35
[ 0.529934] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8fe99400
[ 0.530121] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -36
[ 0.530377] scsi host0: ata_piix
[ 0.530965] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8fe9cb80
[ 0.531162] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -37
[ 0.531320] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8fe9ca00
[ 0.531508] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -38
[ 0.531635] scsi host1: ata_piix
[ 0.531929] ata1: PATA max UDMA/33 cmd 0x1f0 ctl 0x3f6 bmdma 0x1460 irq 14
[ 0.532081] ata2: PATA max UDMA/33 cmd 0x170 ctl 0x376 bmdma 0x1468 irq 15
[ 0.533262] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[ 0.533468] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[ 0.533732] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[ 0.533907] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[ 0.534080] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[ 0.534267] [nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[ 0.534557] nand: device found, Manufacturer ID: 0x98, Chip ID: 0x39
[ 0.534688] nand: Toshiba NAND 128MiB 1,8V 8-bit
[ 0.534791] nand: 128 MiB, SLC, erase size: 16 KiB, page size: 512, OOB size: 16
[ 0.535262] flash size: 128 MiB
[ 0.535335] page size: 512 bytes
[ 0.535401] OOB area size: 16 bytes
[ 0.535472] sector size: 16 KiB
[ 0.535536] pages number: 262144
[ 0.535601] pages per sector: 32
[ 0.535665] bus width: 8
[ 0.535718] bits in sector size: 14
[ 0.535788] bits in page size: 9
[ 0.535858] bits in OOB size: 4
[ 0.535924] flash size with OOB: 135168 KiB
[ 0.536007] page address bytes: 4
[ 0.536091] sector address bytes: 3
[ 0.536182] options: 0x42
[ 0.537663] Scanning device for bad blocks
[ 0.591211] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8feaca80
[ 0.591429] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -39
[ 0.593232] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8feac980
[ 0.593468] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -40
[ 0.593737] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8feac880
[ 0.593931] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -41
[ 0.594088] firmadyne: do_fork[PID: 40 (kworker/u2:2)]: clone_flags:0x800712, stack_size:0x8feacc00
[ 0.594288] firmadyne: do_fork_ret[PID: 40 (kworker/u2:2)] = -42
[ 0.594449] firmadyne: do_fork[PID: 42 (kworker/u2:2)]: clone_flags:0x800112, stack_size:0x8feacc00
[ 0.594677] firmadyne: do_fork_ret[PID: 42 (kworker/u2:2)] = -43
[ 0.595175] firmadyne: do_execve[PID: 43 (kworker/u2:2)]: argv: /sbin/modprobe -q -- ofpart, envp: HOME=/ TERM=linux PATH=/sbin:/usr/sbin:/bin:/usr/bin

[ANALYZE] [PID: 43 (kworker/u2:2)]: /sbin/modprobe -q -- ofpart
envp: HOME=/ TERM=linux PATH=/sbin:/usr/sbin:/bin:/usr/bin

[ 0.596227] firmadyne: do_exit[PID: 43 (kworker/u2:2)]: code:0
[ 0.596758] firmadyne: do_exit[PID: 42 (kworker/u2:2)]: code:0
[ 0.597024] Creating 11 MTD partitions on "NAND 128MiB 1,8V 8-bit":
[ 0.597262] 0x000000000000-0x000000100000 : "NAND simulator partition 0"
[ 0.598779] 0x000000100000-0x000000200000 : "NAND simulator partition 1"
[ 0.599388] 0x000000200000-0x000000300000 : "NAND simulator partition 2"
[ 0.599948] 0x000000300000-0x000000400000 : "NAND simulator partition 3"
[ 0.600527] 0x000000400000-0x000000500000 : "NAND simulator partition 4"
[ 0.601091] 0x000000500000-0x000000600000 : "NAND simulator partition 5"
[ 0.601659] 0x000000600000-0x000000700000 : "NAND simulator partition 6"
[ 0.602380] 0x000000700000-0x000000800000 : "NAND simulator partition 7"
[ 0.602946] 0x000000800000-0x000000900000 : "NAND simulator partition 8"
[ 0.603541] 0x000000900000-0x000000a00000 : "NAND simulator partition 9"
[ 0.604140] 0x000000a00000-0x000008000000 : "NAND simulator partition 10"
[ 0.606272] tun: Universal TUN/TAP device driver, 1.6
[ 0.606383] tun: (C) 1999-2004 Max Krasnyansky [email protected]
[ 0.606733] pcnet32: pcnet32.c:v1.35 21.Apr.2008 [email protected]
[ 0.606947] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[ 0.607103] e1000: Copyright (c) 1999-2006 Intel Corporation.
[ 0.607295] PCI: Enabling device 0000:00:13.0 (0000 -> 0003)
[ 0.944250] ata2.01: NODEV after polling detection
[ 0.945075] ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100
[ 0.945739] ata1.01: NODEV after polling detection
[ 0.946153] ata1.00: ATA-7: QEMU HARDDISK, 2.5+, max UDMA/100
[ 0.946283] ata1.00: 2097152 sectors, multi 16: LBA48
[ 0.946786] ata2.00: configured for UDMA/33
[ 0.947432] ata1.00: configured for UDMA/33
[ 0.951043] scsi 0:0:0:0: Direct-Access ATA QEMU HARDDISK 2.5+ PQ: 0 ANSI: 5
[ 0.953600] sd 0:0:0:0: [sda] 2097152 512-byte logical blocks: (1.07 GB/1.00 GiB)
[ 0.954734] scsi 1:0:0:0: CD-ROM QEMU QEMU DVD-ROM 2.5+ PQ: 0 ANSI: 5
[ 0.955974] sd 0:0:0:0: [sda] Write Protect is off
[ 0.956097] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[ 0.957060] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 0.959177] sda: sda1
[ 0.960791] sd 0:0:0:0: [sda] Attached SCSI disk
[ 0.981404] e1000 0000:00:13.0 eth0: (PCI:33MHz:32-bit) 52:54:00:12:34:56
[ 0.981747] e1000 0000:00:13.0 eth0: Intel(R) PRO/1000 Network Connection
[ 0.981929] PCI: Enabling device 0000:00:14.0 (0000 -> 0003)
[ 1.348610] e1000 0000:00:14.0 eth1: (PCI:33MHz:32-bit) 52:54:00:12:34:57
[ 1.349062] e1000 0000:00:14.0 eth1: Intel(R) PRO/1000 Network Connection
[ 1.349338] PCI: Enabling device 0000:00:15.0 (0000 -> 0003)
[ 1.717923] e1000 0000:00:15.0 eth2: (PCI:33MHz:32-bit) 52:54:00:12:34:58
[ 1.718335] e1000 0000:00:15.0 eth2: Intel(R) PRO/1000 Network Connection
[ 1.718609] PCI: Enabling device 0000:00:16.0 (0000 -> 0003)
[ 2.061263] e1000 0000:00:16.0 eth3: (PCI:33MHz:32-bit) 52:54:00:12:34:59
[ 2.061454] e1000 0000:00:16.0 eth3: Intel(R) PRO/1000 Network Connection
[ 2.061723] e1000e: Intel(R) PRO/1000 Network Driver - 2.3.2-k
[ 2.061839] e1000e: Copyright(c) 1999 - 2014 Intel Corporation.
[ 2.062169] PPP generic driver version 2.4.2
[ 2.062518] PPP Deflate Compression module registered
[ 2.062772] PPP MPPE Compression module registered
[ 2.062882] NET: Registered protocol family 24
[ 2.063046] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 2.063197] ehci-pci: EHCI PCI platform driver
[ 2.063401] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 2.063540] ohci-pci: OHCI PCI platform driver
[ 2.063713] uhci_hcd: USB Universal Host Controller Interface driver
[ 2.064585] uhci_hcd 0000:00:0a.2: UHCI Host Controller
[ 2.064844] uhci_hcd 0000:00:0a.2: new USB bus registered, assigned bus number 1
[ 2.065249] uhci_hcd 0000:00:0a.2: irq 11, io base 0x00001440
[ 2.068330] hub 1-0:1.0: USB hub found
[ 2.068589] hub 1-0:1.0: 2 ports detected
[ 2.070355] usbcore: registered new interface driver usb-storage
[ 2.070830] mousedev: PS/2 mouse device common for all mice
[ 2.071168] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8f432b00
[ 2.071392] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -44
[ 2.072320] rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0
[ 2.072565] rtc_cmos rtc_cmos: alarms up to one day, 242 bytes nvram
[ 2.072790] i2c /dev entries driver
[ 2.072988] piix4_smbus 0000:00:0a.3: SMBus Host Controller at 0x1100, revision 0
[ 2.073597] sdhci: Secure Digital Host Controller Interface driver
[ 2.073741] sdhci: Copyright(c) Pierre Ossman
[ 2.073967] hidraw: raw HID events driver (C) Jiri Kosina
[ 2.075046] usbcore: registered new interface driver usbhid
[ 2.075164] usbhid: USB HID core driver
[ 2.075397] Netfilter messages via NETLINK v0.30.
[ 2.075706] nf_conntrack version 0.5.0 (3924 buckets, 15696 max)
[ 2.076342] ctnetlink v0.93: registering with nfnetlink.
[ 2.076876] ipip: IPv4 over IPv4 tunneling driver
[ 2.078639] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 2.079431] arp_tables: (C) 2002 David S. Miller
[ 2.080008] Initializing XFRM netlink socket
[ 2.080248] NET: Registered protocol family 10
[ 2.081540] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8f45ab80
[ 2.081733] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -45
[ 2.083207] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 2.083954] sit: IPv6 over IPv4 tunneling driver
[ 2.085437] NET: Registered protocol family 17
[ 2.085776] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 2.086083] Bridge firewalling registered
[ 2.086182] Ebtables v2.0 registered
[ 2.086762] 8021q: 802.1Q VLAN Support v1.8
[ 2.088000] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x80a10580
[ 2.088210] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -46
[ 2.088709] rtc_cmos rtc_cmos: setting system clock to 2021-07-22 03:54:47 UTC (1626926087)
[ 2.089000] firmadyne: do_sys_open[PID: 1 (swapper)]: file:/dev/console
[ 2.091432] firmadyne: vfs_mknod[PID: 1 (swapper)]: file:ram major:1 minor:0
[ 2.091617] firmadyne: do_sys_open[PID: 1 (swapper)]: file:/dev/ram
[ 2.091832] firmadyne: do_sys_open[PID: 1 (swapper)]: file:/initrd.image
[ 2.092081] firmadyne: close[PID: 1 (swapper)]: fd:3
[ 2.092392] firmadyne: vfs_unlink[PID: 1 (swapper)]: file:ram
[ 2.092704] firmadyne: vfs_mknod[PID: 1 (swapper)]: file:root major:8 minor:1
[ 2.093032] firmadyne: do_mount[PID: 1 (swapper)]: mountpoint:/root, device:/dev/root, type:ext3
[ 2.095511] firmadyne: do_fork[PID: 2 (kthreadd)]: clone_flags:0x800712, stack_size:0x8f485b00
[ 2.095719] firmadyne: do_fork_ret[PID: 2 (kthreadd)] = -47
[ 2.097562] firmadyne: do_mount[PID: 1 (swapper)]: mountpoint:/root, device:/dev/root, type:ext2
[ 2.099468] EXT2-fs (sda1): warning: mounting unchecked fs, running e2fsck is recommended
[ 2.100492] VFS: Mounted root (ext2 filesystem) on device 8:1.
[ 2.100687] firmadyne: do_mount[PID: 1 (swapper)]: mountpoint:/, device:., type:(null)
[ 2.101419] Freeing YAMON memory: 956k freed
[ 2.109002] Freeing unused kernel memory: 228K (80817000 - 80850000)
[ 2.109181] firmadyne: do_execve[PID: 1 (swapper)]: argv: /sbin/init, envp: HOME=/ TERM=linux LD_PRELOAD=/firmadyne/libnvram_ioctl.so FIRMAE_NETWORK=true FIRMAE_NVRAM=true FIRMAE_KERNEL=true FIRMAE_ETC=true user_debug=0

[ANALYZE] [PID: 1 (swapper)]: /sbin/init
envp: HOME=/ TERM=linux LD_PRELOAD=/firmadyne/libnvram_ioctl.so FIRMAE_NETWORK=true FIRMAE_NVRAM=true FIRMAE_KERNEL=true FIRMAE_ETC=true user_debug=0

[ 2.113744] spurious 8259A interrupt: IRQ7.
[ 2.117034] firmadyne: mmap_region[PID: 1 (init)]: addr:0x400000 -> 0x46c000, file:busybox
[ 2.119160] firmadyne: mmap_region[PID: 1 (init)]: addr:0x7731b000 -> 0x77332000, file:ld-uClibc-0.9.33.2.so
[ 2.122624] firmadyne: do_sys_open[PID: 1 (init)]: file:/firmadyne/libnvram_ioctl.so
[ 2.123927] firmadyne: mmap_region[PID: 1 (init)]: addr:0x77303000 -> 0x7730b000, file:libnvram_ioctl.so
[ 2.124672] firmadyne: close[PID: 1 (init)]: fd:3
[ 2.125313] firmadyne: do_sys_open[PID: 1 (init)]: file:/lib/libcrypt.so.0
[ 2.126148] firmadyne: mmap_region[PID: 1 (init)]: addr:0x772dc000 -> 0x772e2000, file:libcrypt-0.9.33.2.so
[ 2.126703] firmadyne: close[PID: 1 (init)]: fd:3
[ 2.126882] firmadyne: do_sys_open[PID: 1 (init)]: file:/lib/libm.so.0
[ 2.127392] firmadyne: mmap_region[PID: 1 (init)]: addr:0x772b7000 -> 0x772cc000, file:libm-0.9.33.2.so
[ 2.128626] firmadyne: close[PID: 1 (init)]: fd:3
[ 2.128782] firmadyne: do_sys_open[PID: 1 (init)]: file:/lib/libc.so.0
[ 2.129229] firmadyne: mmap_region[PID: 1 (init)]: addr:0x77200000 -> 0x7729f000, file:libuClibc-0.9.33.2.so
[ 2.129979] firmadyne: close[PID: 1 (init)]: fd:3
[ 2.130155] firmadyne: do_sys_open[PID: 1 (init)]: file:/lib/libc.so.0
[ 2.130380] firmadyne: close[PID: 1 (init)]: fd:3
[ 2.130592] firmadyne: do_sys_open[PID: 1 (init)]: file:/lib/libc.so.0
[ 2.130754] firmadyne: close[PID: 1 (init)]: fd:3
[ 2.134806] firmadyne: vfs_ioctl[PID: 1 (init)]: cmd:0x0 arg:0x540d
[ 2.135267] firmadyne: vfs_ioctl[PID: 1 (init)]: cmd:0x1 arg:0x540d
[ 2.136973] firmadyne: do_fork[PID: 1 (init)]: clone_flags:0x4112, stack_size:0x0
[ 2.137329] firmadyne: sys_reboot[PID: 48 (init)]: magic1:fee1dead, magic2:28121969, cmd:0
[ 2.137599] firmadyne: do_exit[PID: 48 (init)]: code:0
[ 2.137809] firmadyne: do_fork_ret[PID: 1 (init)] = -48
[ 2.138254] firmadyne: do_sys_open[PID: 1 (init)]: file:/dev/null
[ 2.138983] firmadyne: close[PID: 1 (init)]: fd:3
[ 2.139181] firmadyne: vfs_ioctl[PID: 1 (init)]: cmd:0x0 arg:0x5484
[ 2.139572] firmadyne: vfs_ioctl[PID: 1 (init)]: cmd:0x0 arg:0x540d
[ 2.139752] firmadyne: vfs_ioctl[PID: 1 (init)]: cmd:0x0 arg:0x540e
[ 2.140119] firmadyne: vfs_ioctl[PID: 1 (init)]: cmd:0x0 arg:0x540d

init started: BusyBox v1.12.1 (2018-02-03 16:38:35 CST)
[ 2.142525] firmadyne: do_sys_open[PID: 1 (init)]: file:/etc_ro/inittab
[ 2.143085] firmadyne: vfs_ioctl[PID: 1 (init)]: cmd:0x3 arg:0x540d
[ 2.144541] firmadyne: close[PID: 1 (init)]: fd:3
[ 2.145034] firmadyne: do_fork[PID: 1 (init)]: clone_flags:0x4112, stack_size:0x0
[ 2.145354] firmadyne: vfs_ioctl[PID: 49 (init)]: cmd:0x0 arg:0x540d
[ 2.145494] firmadyne: vfs_ioctl[PID: 49 (init)]: cmd:0x0 arg:0x540e
[ 2.145653] firmadyne: vfs_ioctl[PID: 49 (init)]: cmd:0x0 arg:0x540d

starting pid 49, tty '': '/etc_ro/rcS'
[ 2.146298] firmadyne: do_execve[PID: 49 (init)]: argv: /etc_ro/rcS, envp: HOME=/ TERM=vt102 LD_PRELOAD=/firmadyne/libnvram_ioctl.so FIRMAE_NETWORK=true FIRMAE_NVRAM=true FIRMAE_KERNEL=true FIRMAE_ETC=true user_debug=0 PATH=/sbin:/usr/sbin:/bin:/usr/bin SHELL=/bin/sh USER=root

[ANALYZE] [PID: 49 (init)]: /etc_ro/rcS
envp: HOME=/ TERM=vt102 LD_PRELOAD=/firmadyne/libnvram_ioctl.so FIRMAE_NETWORK=true FIRMAE_NVRAM=true FIRMAE_KERNEL=true FIRMAE_ETC=true user_debug=0 PATH=/sbin:/usr/sbin:/bin:/usr/bin SHELL=/bin/sh USER=root

Mounting /dev/loop3p1 already mounted

How do I unmount an image? I can't connect to the IP even though the script says the network and web service are reachable. I can't see mount anywhere in run.sh.
The error is

sudo ./run.sh -a netgear firmwares/firm
mount: FirmAE/scratch/4/image: /dev/loop3p1 already mount on FirmAE/scratch/4/image
None false false -1 -1 
None false false -1 -1 

How to recompile libnvram

Hi, I recompiled libnvram with mips-linux-gnu-gcc, but got an error like this:
Error relocating /firmadyne/libnvram_ioctl.so: __fprintf_chk: symbol not found during emulation, and finally the emulation terminated with a kernel panic.
So, how could I recompile the library? Thank you.

When I debug the firmware in docker, a very large log file appears in my host's scratch folder.

I ran the command sudo ./docker-helper.py -ed wr940nv6_us_211111.bin and got a docker shell. Then I went to the FirmAE folder and ran the commands sudo ./run.sh -c tplink wr940nv6_us_211111.bin and sudo ./run.sh -d tplink wr940nv6_us_211111.bin.

After some minutes, I found my host disk was full. After checking, I got this:

$ du -h ./scratch --max-depth=1 
303M	./scratch/2
102M	./scratch/1
16G	./scratch

$ ls -lh ./scratch
total 16G
drwxrwxrwx 3 root root 4.0K 8月  11 12:57 1
drwxrwxrwx 3 root root 4.0K 8月   9 17:42 2
-rw-r--r-- 1 root root  16G 8月  11 13:19 wr940nv6_us_211111.bin.log

Maybe the file wr940nv6_us_211111.bin.log is all of this:

$ head -50 wr940nv6_us_211111.bin.log
[*] /work/firmwares/wr940nv6_us_211111.bin emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
[*] /work/firmwares/wr940nv6_us_211111.bin already succeed emulation!!!

[IID] 1
[MODE] debug
[+] Network reachable on 192.168.0.1!
[+] Web service on 192.168.0.1
[+] Run debug!
Creating TAP device tap1_0...
Set 'tap1_0' persistent and owned by uid 0
Bringing up TAP device...
Starting emulation of firmware... 192.168.0.1 true true 126.927614079 230.085847769
[*] firmware - wr940nv6_us_211111
[*] IP - 192.168.0.1
[*] connecting to netcat (192.168.0.1:31337)
[+] netcat connected
------------------------------
|       FirmAE Debugger      |
------------------------------
1. connect to socat
2. connect to shell
3. tcpdump
4. run gdbserver
5. file transfer
6. exit
> 

------------------------------
|       FirmAE Debugger      |
------------------------------
1. connect to socat
2. connect to shell
3. tcpdump
4. run gdbserver
5. file transfer
6. exit
> 

$ tail scratch/wr940nv6_us_211111.bin.log 
------------------------------
|       FirmAE Debugger      |
------------------------------
1. connect to socat
2. connect to shell
3. tcpdump
4. run gdbserver
5. file transfer
6. exit
> %                      

And I can't connect to the shell in docker mode. I hope these bugs can be fixed. Thanks.
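The tail of the log above is the debugger menu redrawn with an empty `> ` prompt, over and over; that is the pattern an interactive loop produces when its stdin has been closed and every read returns EOF that the loop treats as "ask again". The cause is my assumption, not something the report confirms. As an added example (not FirmAE's debugger code), this is a prompt loop with the same menu that stops on EOF, gives up after a few blank entries, and refuses to start at all when stdin is not a terminal; `run_from_lines` drives it over scripted input so the behaviour can be checked offline.

```python
import sys
from typing import Callable, Iterable, List, Tuple

MENU = ["connect to socat", "connect to shell", "tcpdump",
        "run gdbserver", "file transfer", "exit"]
EXIT_CHOICE = len(MENU)


def render_menu() -> str:
    """The menu text as it appears in the log (header box plus numbered items)."""
    bar = "-" * 30
    lines = [bar, "|       FirmAE Debugger      |", bar]
    lines += [f"{i}. {item}" for i, item in enumerate(MENU, 1)]
    return "\n".join(lines)


def menu_loop(read_line: Callable[[], str],
              out: Callable[[str], None] = print,
              max_blank: int = 3) -> Tuple[List[int], int]:
    """Drive the menu until 'exit', EOF, or max_blank consecutive empty lines.

    read_line follows sys.stdin.readline() semantics: "" means EOF, a bare
    Enter is a lone newline. Returns (choices acted on, times the menu was drawn).
    """
    chosen: List[int] = []
    redraws = 0
    blank = 0
    while True:
        redraws += 1
        out(render_menu())
        out("> ")
        try:
            line = read_line()
        except EOFError:            # input()-style readers raise instead of returning ""
            line = ""
        if line == "":
            break                   # stdin closed: never redraw and re-prompt
        line = line.strip()
        if not line:
            blank += 1              # bare Enter: tolerate a few, then give up
            if blank >= max_blank:
                break
            continue
        blank = 0
        if not line.isdigit() or not 1 <= int(line) <= len(MENU):
            out(f"invalid choice: {line!r}")
            continue
        choice = int(line)
        chosen.append(choice)
        if choice == EXIT_CHOICE:
            break
    return chosen, redraws


def run_from_lines(lines: Iterable[str]) -> Tuple[List[int], int]:
    """Run the loop over scripted input (constructed test data); output is discarded."""
    it = iter(lines)
    return menu_loop(lambda: next(it, ""), out=lambda _s: None)


def main() -> int:
    if not sys.stdin.isatty():
        # e.g. docker exec without -t, or stdin redirected: nothing to prompt on
        print("stdin is not a terminal; refusing to start an interactive menu",
              file=sys.stderr)
        return 2
    chosen, _ = menu_loop(sys.stdin.readline)
    return 0 if chosen and chosen[-1] == EXIT_CHOICE else 1


if __name__ == "__main__":
    sys.exit(main())
```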

Mounted error

Hello, First of all thank you for the great project.

After all the setup process, when I run the command sudo ./run.sh -r dlink /home/iot/Desktop/DIR823A1_FW100WWb05.bin

I get these lines:
[*] /home/iot/Desktop/DIR823A1_FW100WWb05.bin emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
mke2fs 1.44.1 (24-Mar-2018)
/dev/loop3p1 is mounted; will not make a filesystem here!
Do you have any idea how can I fix the problem?
Thank you!
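Both this report and the earlier "/dev/loop3p1 already mounted" one fail because a loop partition from a previous run is still mounted on scratch/<iid>/image, so mount and mke2fs refuse to proceed. As an added example (not part of FirmAE), the script below reads /proc/mounts, finds loop partitions mounted on an image directory under the scratch folder, and prints the release steps in dependency order (unmount, drop the kpartx mapping if the device is under /dev/mapper, detach the loop device); the /proc/mounts content and the paths are constructed sample data.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of /proc/mounts content (not captured from a real host).
SAMPLE_PROC_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/loop3p1 /home/iot/FirmAE/scratch/4/image ext2 rw,relatime 0 0
/dev/loop5p1 /home/iot/FirmAE/scratch/2/image ext2 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""

# A partition of a loop device, either as created by losetup -P (/dev/loop3p1)
# or by kpartx (/dev/mapper/loop3p1).
LOOP_PART = re.compile(r"^/dev/(mapper/)?(loop\d+)p\d+$")


def stale_image_mounts(proc_mounts: str, scratch_dir: str) -> List[Tuple[str, str, str]]:
    """Return (device, mountpoint, loop_device) for each loop partition that is
    mounted on a <scratch_dir>/<iid>/image directory."""
    prefix = scratch_dir.rstrip("/") + "/"
    found = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        # /proc/mounts escapes spaces in paths as \040; decode before comparing.
        device, mountpoint = fields[0], fields[1].replace("\\040", " ")
        m = LOOP_PART.match(device)
        if m and mountpoint.startswith(prefix) and mountpoint.endswith("/image"):
            found.append((device, mountpoint, "/dev/" + m.group(2)))
    return found


def cleanup_plan(proc_mounts: str, scratch_dir: str, iid: str) -> List[List[str]]:
    """Commands (argv lists) that release the image of one IID, in the order the
    kernel needs: unmount, drop the kpartx mapping if any, detach the loop."""
    target = f"{scratch_dir.rstrip('/')}/{iid}/image"
    plan: List[List[str]] = []
    for device, mountpoint, loop_dev in stale_image_mounts(proc_mounts, scratch_dir):
        if mountpoint != target:
            continue
        plan.append(["umount", mountpoint])
        if device.startswith("/dev/mapper/"):
            plan.append(["kpartx", "-d", loop_dev])
        plan.append(["losetup", "-d", loop_dev])
    return plan


def release_image(scratch_dir: str, iid: str, execute: bool = False) -> List[List[str]]:
    """Read the live /proc/mounts and print (or, with execute=True, run) the plan."""
    with open("/proc/mounts", encoding="utf-8") as fh:
        plan = cleanup_plan(fh.read(), scratch_dir, iid)
    for argv in plan:
        print(" ".join(argv))
        if execute:
            subprocess.run(argv, check=True)   # needs root, like run.sh itself
    return plan


if __name__ == "__main__":
    import sys
    # Usage: python3 release_image.py /path/to/FirmAE/scratch 4 [--execute]
    release_image(sys.argv[1], sys.argv[2], execute="--execute" in sys.argv[3:])
```

Without `--execute` it only prints the commands, so you can confirm the loop device it found is really the one the error message names before anything is detached.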

Mips64 architecture kernel

Hi, I came across a firmware which belongs to Netgear (WMS5316_FW_V2.1.7).
The architecture of the firmware is mips64, but the mips kernel provided by FirmAE is mips32.
Is there some script or tool which can compile a mips64 architecture kernel?

IP address of emulated firmware is the same as host's default gateway

I emulated a firmware from dlink which has a default IP address of 192.168.1.1, so FirmAE created a tap and assigned 192.168.1.0/24 to this interface. However, my host Ubuntu's network is also 192.168.1.0/24 and I am not allowed to reconfigure my host network. Hence, I cannot access the web interface of the firmware. Is there any solution?
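The collision described here is worth catching before the emulation is started: when the host already has a route for 192.168.1.0/24 on its LAN interface, traffic for the emulated device follows that route rather than the TAP. As an added example (not FirmAE code), this pre-flight check parses `ip route` output and lists every host route that overlaps the TAP subnet; it assumes, as the report states, that FirmAE uses the /24 around the firmware's IP, and the routing table below is constructed sample data.

```python
import ipaddress
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of `ip route` output (not captured from a real host).
SAMPLE_IP_ROUTE = """\
default via 192.168.1.254 dev enp3s0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev tap1_0 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.23 metric 100
"""


def tap_subnet(firmware_ip: str, prefixlen: int = 24) -> Net:
    """The subnet assumed to be placed on the TAP: the /24 around the firmware IP."""
    return ipaddress.ip_network(f"{firmware_ip}/{prefixlen}", strict=False)


def parse_ip_route(text: str) -> List[Tuple[Net, str]]:
    """(destination network, device) for each line of `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else "?"
        try:
            routes.append((ipaddress.ip_network(dst, strict=False), dev))
        except ValueError:
            continue   # "unreachable"/"blackhole" forms are not modelled here
    return routes


def conflicting_routes(firmware_ip: str, ip_route_text: str) -> List[str]:
    """Host routes whose prefix overlaps the TAP subnet. The default route and
    any tap* device (an emulation's own TAP) are not collisions and are skipped."""
    subnet = tap_subnet(firmware_ip)
    hits = []
    for net, dev in parse_ip_route(ip_route_text):
        if net.prefixlen == 0 or dev.startswith("tap"):
            continue
        if net.version == subnet.version and net.overlaps(subnet):
            hits.append(f"{net} dev {dev}")
    return hits


if __name__ == "__main__":
    import subprocess
    import sys
    # Usage: python3 tapcheck.py 192.168.1.1   (reads the live routing table)
    live = subprocess.run(["ip", "route"], capture_output=True,
                          text=True, check=True).stdout
    for hit in conflicting_routes(sys.argv[1], live):
        print(f"[-] host route {hit} overlaps the emulated network")
```

When the check reports a hit and the host cannot be renumbered, a workaround that leaves host addressing untouched is to run QEMU and the client tools inside their own network namespace, where the TAP subnet does not compete with the host's routes.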

can't set breakpoint with gdb-multiarch in remote debug

After I selected the gdb-server to remote debug, I launched gdb-multiarch to connect to the target IP and port. Since gdb-multiarch needs to access the firmware's filesystem, I typed "sysroot /filepath" to grant access, but it still does not work. I have also tried to mount the firmware's filesystem by executing /script/mount.sh, and nothing changes. How can I fix it?

PostgreSQL not initialized correctly

Hello,

I follow the README but got some issue when trying to emulate the firmware.

My command: sudo ./run.sh -c dlink ./firmwares/DIR868L_B1_FW205WWb02.bin
Result:

[*] ./firmwares/DIR868L_B1_FW205WWb02.bin emulation start!!!
[-] extract failed

I found out that ./install.sh needs to be run with sudo because my postgres server wasn't initialized correctly (no user firmadyne and no database firmware existed).

After initializing the database correctly, it went further.

I'm running Ubuntu 20.04 on WSL2.

Debugging of boot sequence

Running -d allows for debugging of running processes such as web service, but is there a way to debug the booting sequence itself? I notice many online resources attach -s and -S to QEMU and access it from gdb-multiarch vmlinux followed by target remote :1234. When I do this, continuing from gdb is indeed able to control the execution of the kernel (qemu.final.serial.log only gets updated when it is running in gdb), but no symbols are loaded.

Would like to clarify if it is possible to load the symbols into gdb when debugging so I can add "hbreak start_kernel" and use lx commands. I noticed there are some binaries in the FirmAE/binaries folder, especially the gdb.arm/mips and vmlinux.mips/zImage ones. Could I clarify if these may be used to debug the firmware/get symbols into gdb, or if I need to source for an external symbol file/library?

Also wondering if it's possible to have a shell into the emulated firmware image while doing this, as run.sh -d doesn't seem to work when I append -s and -S to the QEMU call in scratch//run.sh ("OSError: [Errno 113] No route to host").

Thank you!

Asus Firmware

Hi, when I try to emulate the Asus firmware, the httpd service gets started successfully but when I try to access the httpd service on the emulated environment, it keeps on throwing a "404 File not found error". Is there anything else I need to do in order to make it work?
Thanks!

How to start the webserver in ASUS firmware?

Hi,

Thanks for your effort on this project! I'm trying to emulate the asus firmware using FirmAE. However, FirmAE wasn't able to start the asus web server. May I know how I can manually start the asus web server using FirmAE?

broken binwalk dependencies

Hi,

The download URL of unstuff changed; it's a binwalk dependency in 2.3.3.
binwalk chose to remove it at commit 2129463a2953574542ef09495d2750e1c1e390af, but FirmAE uses 2.3.3. Therefore, during install.sh, binwalk's installation silently fails.

It's possible to either wait for a new binwalk release or fix the URL in install.sh with the following patch:

diff --git a/install.sh b/install.sh
index 029c768..3be3f37 100755
--- a/install.sh
+++ b/install.sh
@@ -26,6 +26,7 @@ sudo apt-get install -y busybox-static bash-static fakeroot dmsetup kpartx netca
 wget https://github.com/ReFirmLabs/binwalk/archive/refs/tags/v2.3.3.tar.gz && \
   tar -xf v2.3.3.tar.gz && \
   cd binwalk-2.3.3 && \
+  sed -i 's/sdtraces/sdtraces\/BottinHTML/g' deps.sh && \
   echo y | ./deps.sh && \
   sudo python3 setup.py install
 sudo apt-get install -y mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract fusecram cramfsswap squashfs-tools sleuthkit default-jdk cpio lzop lzma srecord zlib1g-dev liblzma-dev liblzo2-dev unzip
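Review bot: the added `sed -i 's/sdtraces/sdtraces\/BottinHTML/g' deps.sh` is an unanchored global substitution on a bare directory name, so if the upstream URL in deps.sh changes shape again it becomes a silent no-op and `./deps.sh` fetches a dead URL, which is exactly the silent failure this issue describes. Suggest matching the complete original download URL as it appears in deps.sh rather than the `sdtraces` fragment, and following the `sed` with a check such as `grep -q 'sdtraces/BottinHTML' deps.sh || exit 1` so a missed substitution stops the `&&` chain before `echo y | ./deps.sh` runs. It would also help to state in the commit message which deps.sh line the replacement targets, since nothing in the hunk records the URL being rewritten.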

It would also be nice to add support for catching errors in install.sh.
