therealsaumil / emux Goto Github PK

View Code? Open in Web Editor NEW

676.0 26.0 87.0 694.33 MB

EMUX Firmware Emulation Framework (formerly ARMX)

License: Mozilla Public License 2.0

Shell 7.39% Python 92.61%

firmware arm mips qemu iot exploitlab emulation

emux's Introduction

EMUX (formerly ARMX) Firmware Emulation Framework

by Saumil Shah @therealsaumil

April 2022

Welcome, MIPS!

With the addition of MIPS, ARMX has changed its name to EMUX! Try out the Damn Vulnerable MIPS Router exercises included with the new EMUX Docker image.

A brand new Docker container running EMUX. Going ahead, all official EMUX releases shall be released as Docker images. Lightweight, Compact, Easy.

Shut up and give me the g00diez

Github: https://github.com/therealsaumil/emux

A brand new EMUX Docker image is ready for use! The old "Preview VM" is now discontinued in favour of the Docker image.

QUICK INSTALL STEPS

Step 0 - Ensure that Docker is installed and running!

Test if Docker is working by running hello-world

docker run hello-world

Note: Ubuntu (and other Linux distros) users, ensure that your current user has privileges to run Docker as an administrator:

sudo groupadd docker
sudo gpasswd -a $USER docker
sudo usermod -aG docker $USER

Step 1 - Clone the EMUX repository

git clone --depth 1 --single-branch  https://github.com/therealsaumil/emux.git

Step 2 - Build the EMUX docker volume and image

cd emux
./build-emux-volume
./build-emux-docker

Note: If build-emux-docker fails, try and run it again by disabling DOCKER_BUILDKIT

- DOCKER_BUILDKIT=1 docker build -t $OWNERNAME/$IMAGENAME:$TAGNAME \
                                 -f Dockerfile-emux .
+ DOCKER_BUILDKIT=0 docker build -t $OWNERNAME/$IMAGENAME:$TAGNAME \
                                 -f Dockerfile-emux .

Step 3 - Run EMUX!

Open a terminal, and start the emux-docker container:

./run-emux-docker

You will be greeted with a purple shell prompt [EMUX-DOCKER 🐳:~$]. After a while, it is common to have many terminals attached to the container. Coloured shell prompts makes it easy to remember where you are.

Next, start the EMUX launcher:

[EMUX-DOCKER 🐳:~$] launcher

and select any emulated device that you wish to run.

Step 4 - Launch the emulated device's userland processes.

Next, open a new terminal and attach to the running emux-docker container:

./emux-docker-shell

All attached container shells have a blue shell prompt. Invoke the userspace command to bring up the userland processes of the emulated target:

[emux-docker shell 🐚:~$] userspace

Read the documentation for more details.

INTRODUCING

The EMUX Firmware Emulation Framework is a collection of scripts, kernels and filesystems to be used with QEMU to emulate ARM and MIPS Linux IoT devices. EMUX is aimed to facilitate IoT research by virtualising as much of the physical device as possible. It is the closest we can get to an actual IoT VM.

Devices successfully emulated with EMUX so far:

Damn Vulnerable ARM Router
Damn Vulnerable MIPS Router (Little Endian) [NEW!]
Damn Vulnerable MIPS Router (Big Endian) [NEW!]
Trivision NC227WF Wireless IP Camera
Tenda AC15 Wi-Fi Router (Github Docs)
Archer C9 Wi-Fi Router

The following devices are not included with the public release, however they have been successfully emulated and used in training:

D-Link DIR-880L Wi-Fi Router
Netgear Nighthawk R6250 Wi-Fi Router
Netgear Nighthawk R6400 Wi-Fi Router
NEW! Netgear Nighthawk R6700v3 Wi-Fi Router
Cisco RV130 Wi-Fi Router
COMfortel 1200 VoIP Phone
Linksys EA9500 Wi-Fi Router

Precursors of EMUX have been used in Saumil Shah's popular ARM IoT Exploit Laboratory training classes where students have found ~~four~~ several 0-day vulnerabilities in various ARM/Linux IoT devices.

EMUX Architecture

EMUX is a collection of scripts, kernels and filesystems residing in the /emux directory. It uses qemu-system-arm, qemu-system-mips and qemu-system-mipsel to boot up virtual ARM and MIPS Linux environments. The /emux directory is exported over NFS to also make the contents available within the QEMU guest.

The host system running qemu-system-arm|mips|mipsel is assigned the IP address 192.168.100.1 and the QEMU guest is assigned 192.168.100.2 via tap0 interface.

EMUX is packaged as a Docker image. The diagram below shows how the docker container is organised:

The docker image consists of:

Volume harambe containing the /emux directory tree. (🦍 Harambe be praised!)
Container emux-docker.
Directory workspace on the host bind mounted as /home/r0/workspace in the container, to share files.
NFS server running inside the container serving the /emux directory tree to emulated images running under QEMU
Port forwarding from the host to QEMU running inside the container is done using socat.

The /emux directory

The /emux directory is organised as follows:

devices: This file contains device definitions, one per line.
devices-extra: Contains additional emulated devices not included in the general release. It is recommended that you add your own emulated devices to devices-extra.
qemuopts: Abstracted QEMU options definitions for various types of QEMU Machines.
run/: This folder contains scripts necessary to parse the device configuration, preload nvram contents and eventually invoke the userland processes of the device being emulated.
run/launcher: The main script. launcher parses the devices file and displays a menu of registered devices. Selecting one of the devices will in turn invoke qemu-system-arm with the pre-defined QEMU options, corresponding Linux kernel and extracted root file system registered with the device.
run/userspace: Start the userspace processes of an emulated device, once the kernel is booted up from the launcher.
debuglogs: If present, it indicates the location where EMUX debugging logs will be written to. Extremely helpful in troubleshooting while creating a new emulated device.
template/: Sample configuration and layout for a new device. Make a copy of the template when beginning to emulate a new IoT device.

The run/ directory also contains a few commands that can be used from the host to interact with processes running within an EMUX emulated device.

emuxhalt: Cleanly shut down the emulated device, and unmount all NFS mounts. Without a clean shutdown, there's always the risk of stale NFS handles.
emuxps: Remotely enumerate processes running within EMUX.
emuxmaps: Remotely dump the process memory layout of a process running within EMUX.
emuxnetstat: Enumerate network sockets within EMUX.
emuxkill: Remotely terminate a process running within EMUX.
emuxgdb: Attach gdb to a process running within EMUX.
monitor: Attach to the QEMU monitor.

emuxps, emuxmaps and emuxgdb are explained in detail in the Debugging With EMUX tutorial.

Contents of an emulated device

Each emulated device contains the following files/directories:

config: Contains the device's name and description, ASLR settings, location of its root file system and commands to issue after the kernel has booted up and transferred control to the userland.
nvram.ini: Contents of the device's non volatile memory, used for storing configuration settings. Contents of nvram.ini are preloaded into the emulated nvram before invoking the userland init scripts.
kernel/: Contains a Linux kernel compiled (mostly via Buildroot) to closely match the properties of the emulated device such as kernel version, CPU support, VM_SPLIT, supported peripherals, etc.
rootfs.tar.bz2: A compressed archive containing the Root File System extracted from the target device. The name rootfs.tar.bz2 is configurable from within the config file. EMUX will automatically unpack the Root File System the first time it is invoked.
flashmem/flash.tar.bz2: A compressed archive containing two 64MB memory dump files flash0.bin and flash1.bin. These will be visible as a unified 128MB MTD Flash device.

Running an emulated device in EMUX

The diagram below describes each stage of EMUX:

There are five steps in running an emulated device:

Launcher - choose from a list of available emulated devices
Select a device and boot its kernel and its hostfs
Userspace - choose from a list of available userspace actions
Start the devices' userspace processes
Optionally drop into the hostfs shell

Step 1: The Launcher

Invoke launcher.

This will display a menu as shown below. In this example, we select the Trivision TRI227WF Wireless IP Camera.

Step 2: Start a device

Selecting one of the devices will launch it under QEMU. The kernel which is included in the kernel/ directory of the Trivision IP Camera's device configuration, is booted in qemu-system-arm and uses a pre-built Buildroot filesystem, which is referred to as hostfs.ext2. Host and guest IP addresses are assigned to 192.168.100.1 and 192.168.100.2 respectively.

hostfs-arm.ext2, hostfs-mips.ext2 and hostfs-mipsel.ext2 contain several scripts and tools useful for running and dynamic analysis of the emulated device. The init scripts in hostfs mount the /emux directory over NFS. Thus, the contents of /emux are shared by both the host and the QEMU guest.

Step 3: Userspace

You will need to attach to the running emux-docker container and invoke the userspace command at the shell prompt.

Internally the userspace command simply connects to the QEMU guest using SSH ssh [email protected]. This brings up a menu as shown below:

Step 4: Start the userspace processes

Selecting the option to launch the userspace processes of the device results in run-init being invoked from the corresponding device configuration directory within /emux. First, the contents of nvram.ini are loaded into the kernel's emulated nvram driver. Next, a chroot jail is created using the rootfs of the device. Lastly, the registered initialisation commands are invoked in the newly chrooted rootfs, bringing up the device's services and init scripts.

Step 5: Device booted up and ready

Once the device has fully "booted up" in EMUX, it is available for testing and analysis. The image below shows the administration interface of the IP Camera loaded in a browser. Note, to access the internal ports on 192.168.100.2 we will rely on port forwarding performed by socat. By default, the following ports are forwarded:

localhost:20080 -> 192.168.100.2:80
localhost:20443 -> 192.168.100.2:443
localhost:28080 -> 192.168.100.2:8080

To access the web administration interface for the booted up device, open a browser and navigate to localhost:28000. This in turn will forward your request to 192.168.100.2:80 inside the emux-docker container.

Overriding the forwarded ports

EMUX port forwarding is controlled by the PORTFWD environment variable. It is a comma separated list containing FORWARDED_PORT:INTERNAL_PORT pairs. To override the default port forwarding, simply set the contents of PORTFWD before invoking run-emux-docker:

export PORTFWD="28000:8000,25800:5800"
./run-emux-docker

Creating your own emulated IoT Device

Before you begin to emulate an IoT device, you will need the following:

Detailed analysis of the IoT device
CPU (ARMv5/ARMv6/ARMv7/MIPS)
Linux Kernel version
Contents of the extracted flash memory (optional)
Extracted Root File System from the flash memory
Contents of nvram (optional)
Generate a compatible kernel using Buildroot or Linux Kernel sources
A week for troubleshooting!

The following diagram outlines the overall process of IoT device emulation.

Steps involved:

Copy the template directory to make a new device configuration.
Compile a matching kernel from source, and place it in the kernel/ directory. You may also symlink an existing kernel if you wish to.
Copy the extracted rootfs from the device's firmware into the rootfs/ directory. Typically these would be SquashFS or CramFS filesystems, uncompressed using binwalk or unsquashfs or cramfsck. Optionally you may also create a compressed tar.bz2 archive of the root file system.
Place the contents of extracted nvram in nvram.ini
If you wish to emulate MTD flash, dump the contents of your device's flash memory and create two 64MB files named flash0.bin and flash1.bin and place them in the flashmem/ directory. Optionally you may also compress them in a tar.bz2 archive. You will then need to define the MTD partition layout to be passed to the kernel in the mtdparts file.
Place any shared libraries that you wish to inject using LD_PRELOAD in the preload/ directory. Usually these shared libraries contain hooked functions necessary for certain emulated binaries to work properly.
Edit the config file with the newly populated device firmware contents.
Create a new device record in the devices-extra file. Pay close attention to QEMU command line options.

The following sample kernels are provided with the template.

zImage-2.6.39.4-vexpress ARMv7 CPU on a vexpress-a9 board.
zImage-2.6.31.14-realview-rv130-nothumb ARMv6 CPU on a realview-eb board.
zImage-2.6.31-versatile-nothumb ARMv5 CPU on a versatilepb board.
zImage-2.6.29.6-versatile ARMv5 CPU on a versatilepb board.
zImage-2.6.28-versatile-nothumb ARMv5 CPU on a versatilepb board.
vmlinux-3.18.109-malta-be MIPS32 CPU (big endian) on a malta board. [NEW!]
vmlinux-3.18.109-malta-le MIPS32 CPU (little endian) on a malta board. [NEW!]

However, it is encouraged to build a compatible kernel from source.

The EMUX Activity Log File

The June 2021 release of EMUX comes with a feature to enable activity logs. This comes in very handy in troubleshooting errors when adding a new device to EMUX. To enable logging, edit the /emux/debuglogs file:

# Uncomment logpath= to enable EMUX and QEMU console output logging.
# Only one logpath= should be uncommented.
#
logpath=/home/r0/workspace/logs/
#logpath=/emux/logs/

It is recommended to use /home/r0/workspace/logs since the workspace directory is shared between the container and the host.

EMUX (ARMX) In The Public

Presentation at Countermeasure 2019 on 7 November 2019. 👇

INSIDE EMUX - Countermeasure 2019 from Saumil Shah

Release presentation at HITB+Cyberweek on 16 October 2019. 👇

Introducing EMUX from Saumil Shah

Announcing EMUX Docker on 15 June 2021. 👇

Announcing EMUX Docker - DC11332 from Saumil Shah

The ARM IoT Firmware Laboratory - NEW TRAINING

An all new class where the ARM IoT EXPLOIT LABORATORY leaves off. The ARM IoT Firmware Laboratory dives into analysis, extraction and emulation of IoT device firmware, using a variety of techniques. Students shall be given ample hands on practice in emulating a variety of IoT devices. Lab exercises feature firmware extraction directly from the hardware, building a custom kernel and buildroot environment, extracting contents of nvram and emulating the device under EMUX. The class also goes on to fuzzing and exploit development exercises for the emulated devices.

Upcoming classes:

Ringzer0 #VirtualVegas August 2021, Online Remote Training: (4 day class) https://ringzer0.training/arm-iot-exploitlab.html

Downloads

The pre-built EMUX PREVIEW VM is now discontinued. You are encouraged to use EMUX on Docker

EMUX Code

Github: https://github.com/therealsaumil/emux/

EMUX Documentation

Tutorial: Debugging With EMUX (Github Doc)
Case Study: Emulating the Tenda AC15 Router (Github Doc)
Case Study: Extracting the Tenda AC15 Firmware (Github Doc)
NEW! Tutorial: Emulating the D-Link DCS-935L WiFi Camera - MIPS (Github Doc)
NEW! Install guide: Installing EMUX on Kali (Github Doc)

END

EMUX is licensed under the Mozilla Public License v2.0 (MPLv2).

v0.9 22-October-2019, Preview Release
v1.0 19-November-2019
v1.1 12-March-2020
v1.2 05-May-2020
v1.2 20-May-2020 (minor update)
v1.3 02-June-2020
v1.4 11-September-2020
v2.0 17-June-2021
v2.1 21-October-2021 Welcome, MIPS! ARMX -> EMUX
v2.2 29-April-2022

emux's People

Contributors

Stargazers

Watchers

Forkers

zenhumany seth1002 yangboyd killvxk crackercat threatintel-c jespinhara shalekesan goodday123 freemanzyq thurday virtualabs cryptographicturk elreydetoda superf0sh dyjakan scriptingxss santosomar v33ru keyman9848 tzvironen scarvell sprayman1999 ftly sekuryti n6210 vdajon imsebao amarjitghuman chung96vn ljp-tw booool gavz heybam c0d3nh4ck m-1-k-3 kevthehermit hev0x dark-lbp br3ign android-toolkits kr1tzy fdlucifer jorggonz2016 zzero00 k4k4 grng3r expandpi dhastings-wisper notkmhn superzerosec huahai111 hemrish 0xor0ne zclfly olivertechman p0wer0ff dr-kino ckudera techris45 1120161891 yikesoftware wizardsoftheinternet v3po-sb crispud gg-big-org h0w1tzr fabiorafaelcoutada syh4ck zmbcen embedded-hardware-security magnologan noorahsmith cjhackerz mengxipeng1122 orangejuicehu huanglei3 pa2sw0rd isiaon testitok mrcodechef uncr4ck4ble dguerri usd-earl andyzhou5168 one-shiny

emux's Issues

chown: invalid user: 'r0:r0'

I'm following the guide on emulating a DLINK DCS935, but it always gets stuck on this command:

sudo chown -R r0:r0 squashfs-root/

which I believe stops ./build-emux-volume from running - when I try that after skipping the step I get this:

error checking context: no permission to read from '/home/thom/emux/files/emux/CAMR/squashfs-root/dev/ppp''.

Any tips?

The Web management interface of Tenda AC15

It has been solved. please delete this issue.

NVRAM

Could you explain how to compile a custom nvram.ini.
Thanks in advanced.
VP

Inquiry regarding emulated NVRAM

Thank you for the software. Would like to check how the NVRAM implementation works.

I noticed that nvram.ini contains key-value pairs which is updated into the emulated NVRAM, however I am not sure how and where it is preloaded into. Is it by means of a custom shared object?

Additionally, I noticed that there are two flash0/1.bin files created as pflash device. Could I check if these are dummy files or critical to QEMU emulation?

Lastly, I noticed that the mtdparts file (specific to each machine) contains the nandsim kernel commands. May I know how the nandsim IDs are chosen, and if they should be partitioned?

Thank you!

Make the installation directory independent

Hi,
if I understood it correctly, the project relies on the installation within a root dir called "armx".

I think that it would be better to make it configurable, for example by using relative path in scripts or detect project root.
This last step could be made using bash path detection such as

PROJECT_ROOT_DIR="$(cd $(dirname $0) ; pwd)"

Are you interested in this enhancement?

Install capstone or ropper install failed

emux version: d21ad03

diff --git a/Dockerfile-emux b/Dockerfile-emux
index 1c348d3..1b61120 100644
--- a/Dockerfile-emux
+++ b/Dockerfile-emux
@@ -31,6 +31,7 @@ RUN apk add \
        socat \
        netcat-openbsd \
        busybox-extras \
+       capstone \
        --no-cache

 # Install Python packages

log:

$ ./build-emux-docker
[+] Building 116.3s (11/43)
 => [internal] load .dockerignore                                                                 0.0s
 => => transferring context: 109B                                                                 0.0s
 => [internal] load build definition from Dockerfile-emux                                         0.1s
 => => transferring dockerfile: 3.20kB                                                            0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                  4.1s
 => [internal] load build context                                                                 0.0s
 => => transferring context: 3.79MB                                                               0.0s
 => [1/39] FROM docker.io/library/alpine:latest@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984  1.6s
 => => resolve docker.io/library/alpine:latest@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc9843  0.0s
 => => sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300 1.64kB / 1.64kB    0.0s
 => => sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3 528B / 528B        0.0s
 => => sha256:c059bfaa849c4d8e4aecaeb3a10c2d9b3d85f5165c66ad3a4d937758128c4d18 1.47kB / 1.47kB    0.0s
 => => sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3 2.82MB / 2.82MB    1.2s
 => => extracting sha256:59bf1c3509f33515622619af21ed55bbe26d24913cedbca106468a5fb37a50c3         0.1s
 => [2/39] RUN apk update                                                                         2.2s
 => [3/39] RUN apk add  bash sudo pv tar dialog iptables curl wget tmux git  vim nano asciinema  93.2s
 => [4/39] RUN pip install --upgrade pip                                                          4.8s
 => [5/39] RUN pip install wheel                                                                  2.2s
 => [6/39] RUN pip install cstruct                                                                2.2s
 => ERROR [7/39] RUN pip install ropper                                                           5.8s
------
 > [7/39] RUN pip install ropper:
#10 1.395 Collecting ropper
#10 1.801   Downloading ropper-1.13.6.tar.gz (71 kB)
#10 2.035   Preparing metadata (setup.py): started
#10 2.248   Preparing metadata (setup.py): finished with status 'done'
#10 2.584 Collecting filebytes>=0.10.0
#10 2.693   Downloading filebytes-0.10.2.tar.gz (20 kB)
#10 2.719   Preparing metadata (setup.py): started
#10 2.925   Preparing metadata (setup.py): finished with status 'done'
#10 3.061 Collecting capstone
#10 3.181   Downloading capstone-4.0.2.tar.gz (2.0 MB)
#10 4.036   Preparing metadata (setup.py): started
#10 4.278   Preparing metadata (setup.py): finished with status 'done'
#10 4.283 Building wheels for collected packages: ropper, filebytes, capstone
#10 4.284   Building wheel for ropper (setup.py): started
#10 4.576   Building wheel for ropper (setup.py): finished with status 'done'
#10 4.577   Created wheel for ropper: filename=ropper-1.13.6-py3-none-any.whl size=99742 sha256=f86b56e139bebc81d6f0b05e2f90d6c78603f38855e027551117b9aab4edc531
#10 4.577   Stored in directory: /root/.cache/pip/wheels/77/a4/5d/a4bc1b653bdcce30a17b5cdda8f19da11444bb8640d03ab678
#10 4.580   Building wheel for filebytes (setup.py): started
#10 4.842   Building wheel for filebytes (setup.py): finished with status 'done'
#10 4.842   Created wheel for filebytes: filename=filebytes-0.10.2-py3-none-any.whl size=27853 sha256=20e412d7bbb7a6e1c6c969b24fb2d736607748e32bd93bfd97b001bd898c4950
#10 4.842   Stored in directory: /root/.cache/pip/wheels/c2/51/58/98925d75705ee4df10da42a098d956183bb70661698fd07753
#10 4.845   Building wheel for capstone (setup.py): started
#10 5.085   Building wheel for capstone (setup.py): finished with status 'error'
#10 5.085   ERROR: Command errored out with exit status 1:
#10 5.085    command: /usr/bin/python3 -u -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-lf8tm_zk/capstone_06da014948bc46f5807200423450bfcb/setup.py'"'"'; __file__='"'"'/tmp/pip-install-lf8tm_zk/capstone_06da014948bc46f5807200423450bfcb/setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-nlsbbm44
#10 5.085        cwd: /tmp/pip-install-lf8tm_zk/capstone_06da014948bc46f5807200423450bfcb/
#10 5.085   Complete output (14 lines):
#10 5.085   running bdist_wheel
#10 5.085   running build
#10 5.085   Building C extensions
#10 5.085   make: uname: Operation not permitted
#10 5.085   make: uname: Operation not permitted
#10 5.085   make: /bin/sh: Operation not permitted
#10 5.085   make: /bin/sh: Operation not permitted
#10 5.085   make: /bin/sh: Operation not permitted
#10 5.085   make: /bin/sh: Operation not permitted
#10 5.085   make: /bin/sh: Operation not permitted
#10 5.085   make: /bin/sh: Operation not permitted
#10 5.085   make: mkdir: Operation not permitted
#10 5.085   make: *** [Makefile:492: cs.o] Error 127
#10 5.085   error: [Errno 2] No such file or directory: 'libcapstone.so.4'
#10 5.085   ----------------------------------------
#10 5.085   ERROR: Failed building wheel for capstone
#10 5.085   Running setup.py clean for capstone
#10 5.308 Successfully built ropper filebytes
#10 5.308 Failed to build capstone
#10 5.358 Installing collected packages: filebytes, capstone, ropper
#10 5.397     Running setup.py install for capstone: started
#10 5.630     Running setup.py install for capstone: finished with status 'error'
#10 5.630     ERROR: Command errored out with exit status 1:
#10 5.630      command: /usr/bin/python3 -u -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-lf8tm_zk/capstone_06da014948bc46f5807200423450bfcb/setup.py'"'"'; __file__='"'"'/tmp/pip-install-lf8tm_zk/capstone_06da014948bc46f5807200423450bfcb/setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-hlsw6813/install-record.txt --single-version-externally-managed --compile --install-headers /usr/include/python3.9/capstone
#10 5.630          cwd: /tmp/pip-install-lf8tm_zk/capstone_06da014948bc46f5807200423450bfcb/
#10 5.630     Complete output (14 lines):
#10 5.630     running install
#10 5.630     running build
#10 5.630     Building C extensions
#10 5.630     make: uname: Operation not permitted
#10 5.630     make: uname: Operation not permitted
#10 5.630     make: /bin/sh: Operation not permitted
#10 5.630     make: /bin/sh: Operation not permitted
#10 5.630     make: /bin/sh: Operation not permitted
#10 5.630     make: /bin/sh: Operation not permitted
#10 5.630     make: /bin/sh: Operation not permitted
#10 5.630     make: /bin/sh: Operation not permitted
#10 5.630     make: mkdir: Operation not permitted
#10 5.630     make: *** [Makefile:492: cs.o] Error 127
#10 5.630     error: [Errno 2] No such file or directory: 'libcapstone.so.4'
#10 5.630     ----------------------------------------
#10 5.630 ERROR: Command errored out with exit status 1: /usr/bin/python3 -u -c 'import io, os, sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-lf8tm_zk/capstone_06da014948bc46f5807200423450bfcb/setup.py'"'"'; __file__='"'"'/tmp/pip-install-lf8tm_zk/capstone_06da014948bc46f5807200423450bfcb/setup.py'"'"';f = getattr(tokenize, '"'"'open'"'"', open)(__file__) if os.path.exists(__file__) else io.StringIO('"'"'from setuptools import setup; setup()'"'"');code = f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-hlsw6813/install-record.txt --single-version-externally-managed --compile --install-headers /usr/include/python3.9/capstone Check the logs for full command output.
------
failed to solve with frontend dockerfile.v0: failed to build LLB: executor failed running [/bin/sh -c pip install ropper]: runc did not terminate sucessfully

broken link (minor)

This is a minor issue: in the README.md, this link is broken https://github.com/therealsaumil/emux/blob/master/docs/emulating-tenda-ac15.html. The link to the GitHub file works though :)

build-emux-docker fails to `apk update` with permission denied

./build-emux-docker
...
ERROR [ 2/39] RUN apk update 0.4s

[ 2/39] RUN apk update:
#5 0.247 ERROR: Unable to lock database: Permission denied
#5 0.250 ERROR: Failed to open apk database: Permission denied

executor failed running [/bin/sh -c apk update]: exit code: 99

After poking around the build script, I found that removing DOCKER_BUILDKIT=1 from the docker build command fixed the issues. This was found on up to date Fedora 35 running podman.

is there anyway to emulate another device, such as some latest netgear devices?

Tenda AC15 Emulation

Hi,

I am trying to run the emulation for Tenda AC15 in ArmX but is unable to connect to the ip address. Here are the errors shown when I ran both the userspace and the launcher.

Could it be an issue with the firmware? Or is it the steps I take to run it (Followed the "Running an emulated device in ArmX" mentioned in README)?

(P.S. I managed to run the other firmwares on my computer)

Launcher Console:

Userspace Console:

192.168.100.2 (input without https originally):

How to build all kernel images and library files

I want to compile some custom library files or kernel images, can you provide the buildroot configuration file?

Failed after mounting

Dear Saumil Shah,

I have one issue after running a script ./run-emux-docker:

"Starting EMUX mount: mounting 192.168.100.1:/emux on /emux failed: Connection refused"

Docker version 20.10.14, build a224086

Stuck when run apk add

While building docker using build-emux-docker, it stuck at isntalling software as below

share the other devices successfully emulated with ARMX

Hi, could you share the other devices successfully emulated with ARMX? especilly Netgear Nighthawk R6400 Wi-Fi Router
and Netgear Nighthawk R6700v3 Wi-Fi Router? Thanks!

tenda ac 15 password

what is password for tenda ac15？

Netgear Nighthawk R6400 Wi-Fi Router

Hello, could you please share Netgear Nighthawk R6400 Wifi Router config files and other necessary files? Because I can not see in VM and in other files?

Issue running Docker container on setup

Hi, thanks for your work in developing this environment!

I've found that on following quick install instructions, the NFS service is unable to start when running the container.

OS: Kali-Linux 2020.3, running on VMware workstation

Docker version: 20.10.5+dfsg1, build 55c4c88

Please let me know if there are any systems requirements or settings I may be missing out. Many thanks

There are no new devices in the list

I've created a new device directory and put everything I need there, then added the information for the new device to the Devices file. Then I run./run-emux-docker and launcher, but the list doesn't have any new devices I added. Is there anything else I need to do? Thanks.

Increase disk space

Hi, How can I increase prebuild vmware's disk size. Thanks :)

Asking for login

Hi! Once I start up a netgear xr500, it asks me for a login. I saw a previous post saying it was armx / ringzer0 but I can't seem to login with those creds.

Thanks!

Feature Netgear Nighthawk support?

Hi,

Wanted to know if you have any plans to support newer Nighthawks(R7000/R8000 etc..)?

Thanks & awesome project BTW!

Does mipsx branch support MIPS or MIPS-X architecture?

I have a question from the title: does the mipsx branch support MIPS, MIPS-X architecture, or both?

exportfs: /emux does not support NFS export

I installed emux in raspi 4B openwrt system，after “ ./run-emux-docker”，the result is above.

Set settings from telnet

Hello, I have Tenda AC6 with similar firmware. Is it possible to set settings from webinterface i e enable\disable wan ping(firewall.pingwan=1 parameter in default.cfg file) from internal router console connecting by telnet? I think must be a way to changing NVRAM directly executing some commands like on alternate firmware on other routers:

nvram set url_rulelist="<1>ALL>snbforums<1>ALL>porn"
nvram commit
service restart_firewall

From
https://www.snbforums.com/threads/asus-rt-ac68-nvram-commit-not-applying.71510/

But my "nvram show" output have not any ping or firewall string :(

NETGEAR, 2nd NIC

Trying to emulate a NETGEAR XR500, have the physical device as well so was able to get the firmware and nvram settings all copied over in to a template easily.

Mostly it's working,

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22222           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      
tcp        0      0 192.168.100.2:22222     192.168.100.1:39488     ESTABLISHED 
tcp        0      0 192.168.100.2:22222     192.168.100.1:39484     ESTABLISHED 
tcp        0      0 192.168.100.2:747       192.168.100.1:2049      ESTABLISHED 
tcp        0      0 :::548                  :::*                    LISTEN      
tcp        0      0 :::22222                :::*                    LISTEN      
tcp        0      0 :::53                   :::*                    LISTEN      
udp        0      0 127.0.0.1:2313          0.0.0.0:*                           
udp        0      0 0.0.0.0:53              0.0.0.0:*                           
udp        0      0 127.0.0.1:46420         127.0.0.1:2313          ESTABLISHED 
udp        0      0 127.0.0.1:44405         127.0.0.1:2313          ESTABLISHED 
udp        0      0 127.0.0.1:47995         127.0.0.1:2313          ESTABLISHED 
udp        0      0 127.0.0.1:40326         127.0.0.1:53            ESTABLISHED 
udp        0      0 127.0.0.1:47831         127.0.0.1:2313          ESTABLISHED 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           
udp        0      0 :::53                   :::*                                
udp        0      0 :::5353                 :::*

/ $ ps w
  PID  Uid     VmSize Stat Command
    1 root        116 S   init       
    2 root            SW  [kthreadd]
    3 root            SW  [ksoftirqd/0]
    5 root            SW< [kworker/0:0H]
    6 root            SW  [kworker/u2:0]
    7 root            SW  [rcu_sched]
    8 root            SW  [rcu_bh]
    9 root            SW  [migration/0]
   10 root            SW< [khelper]
   11 root            SW  [kdevtmpfs]
   12 root            SW  [kworker/u2:1]
   14 root            SW  [khungtaskd]
   17 root            SW< [writeback]
   18 root            SW< [kintegrityd]
   20 root            SW< [bioset]
   22 root            SW< [kblockd]
   23 root            SW< [ata_sff]
   25 root            SW  [khubd]
   32 root            SW< [rpciod]
   33 root            SW  [kworker/0:1]
   35 root            SW  [kswapd0]
   37 root            SW< [vmstat]
   39 root            SW  [fsnotify_mark]
   40 root            SW< [nfsiod]
  396 root            SW< [kpsmoused]
  550 root            SW  [kworker/0:2]
  552 root            SW  [mmcqd/0]
  565 root            SW< [ipv6_addrconf]
  568 root            SW< [deferwq]
  634 root        260 S   /sbin/klogd -n 
  656 root        612 S   dcron -L /dev/null 
  660 root        804 S   /usr/sbin/dropbear -p 22222 -R 
  664 root        164 S   /sbin/agetty -p -L ttyAMA0 115200 vt100 
 1069 root         68 S   /usr/sbin/dropbear -p 22222 -R 
 1070 root       1100 S   -sh 
 1093 root       1972 S   /bin/bash ./run-init 
 2415 root        340 S   /bin/sh /.armx/armxinit 
 2418 root        136 S   /bin/sh /etc/init.d/rcS S boot 
 2419 root        952 S   /bin/sh 
 2421 root        340 S   logger -s -p 6 -t sysinit 
 2443 root         84 S   klogd 
 2446 root        608 S   /bin/datalib 
 2479 root            SW  [kworker/0:0]
 2671 root        640 S   /sbin/hotplug2 --override --persistent --set-rules-file /etc/hotplug2.rules --set-coldplug-cmd /sbin/udevt
 3541 root        264 S   /sbin/ubusd 
 3585 root         52 S   /usr/bin/detcable 2 
 4543 root         60 S   /usr/sbin/ntpclient 
 4633 root         56 S   /usr/bin/hd-idle -i 1800 
 4714 root        296 S   /sbin/KC_BONJOUR 
 4715 root        316 S   /sbin/KC_PRINT 
 4834 root         68 S   /usr/sbin/ntgrddns -c /tmp/ntgrdns.conf 
 4851 root       1016 S   /bin/sh /etc/openvpn/client/ovpn_sync_configs.sh 
 4886 root       1928 S   curl -s --retry 5 https://http.fw.updates1.netgear.com/sw-apps/vpn-client/xr500/providerlist.json -o /tmp/
 4922 root         80 S   /usr/sbin/dnsmasq --except-interface=lo -u root -r /tmp/resolv.conf 
 5042 root         88 S   syslogd -m 0 -T GMT-0 -c 7679 
 5187 root       1028 S   /bin/sh /usr/sbin/netconn.sh 
 5443 root        344 S   /bin/sh /sbin/check_status.sh 
 5504 root        124 S   /usr/sbin/dbus-daemon --system 
 5542 root       1144 S   avahi-daemon: running [XR500.local]             
 5547 root        160 S   inetd 
 5636 root       1316 S   /usr/bin/lua /dumaos/ngcompat/main.lua 
 5663 root        280 S   /usr/bin/arpwatch -i -p 5640 -d 
 5685 root        492 S   atd 
 5829 root        172 S   /usr/sbin/ra_check 
 5999 root       1020 S   /bin/sh /sbin/11k_scan -f 
 6014 root       1760 S N /usr/sbin/afpd -F /etc/netatalk/afpd.conf -P /var/run/afpd.pid -c 7 
 6023 root        344 S   sleep 120 
 6037 root        344 S   /bin/sh /usr/sbin/check_time_machine 
 6039 root        344 S   sleep 60 
 6046 root       4552 S   lua /dumaos/api/cli.lua -p /dumaos/apps/system/com.netdumasoftware.procmanager backend 
 6120 root         68 S   /usr/sbin/dropbear -p 22222 -R 
 6121 root       1100 S   -sh 
 6143 root       1864 S   /bin/bash ./run-binsh 
 6155 root        344 S   /bin/sh /.armx/armxshell 
 6156 root        344 S   /bin/sh 
 6698 root       1716 S   /usr/bin/lua /dumaos/api/cli.lua -p /dumaos/apps/system//com.netdumasoftware.networkmonitor backend 
 6701 root       1644 S   /usr/bin/lua /dumaos/api/cli.lua -p /dumaos/apps/system//com.netdumasoftware.neighsync backend 
 6704 root       2916 S   /usr/bin/lua /dumaos/api/cli.lua -p /dumaos/apps/system//com.netdumasoftware.devicemanager backend 
 6707 root       1328 S   /usr/bin/lua /dumaos/api/cli.lua -p /dumaos/apps/system//com.netdumasoftware.neighwatch backend 
 6710 root       1328 S   /usr/bin/lua /dumaos/api/cli.lua -p /dumaos/apps/system//com.netdumasoftware.systeminfo backend 
 6719 root       3716 S   /usr/bin/lua /dumaos/api/cli.lua -p /dumaos/apps/system//com.netdumasoftware.desktop backend 
 6722 root       2716 S   /usr/bin/lua /dumaos/api/cli.lua -p /dumaos/apps/system//com.netdumasoftware.rappstore backend 
 6725 root       2832 S   /usr/bin/lua /dumaos/api/cli.lua -p /dumaos/apps/usr//com.netdumasoftware.hybridvpn backend 
 6769 root        344 S   /bin/sh -c opkg update 
 6772 root       2196 S   opkg update 
 7789 root        344 S   sleep 60 
 7817 root        260 S   /bin/sh -c sleep 10; /root/test-eth0.sh >/dev/null 2>&1 
 7818 root        260 S   /bin/sh -c sleep 20; /root/test-eth0.sh >/dev/null 2>&1 
 7819 root        260 S   /bin/sh -c sleep 30; /root/test-eth0.sh >/dev/null 2>&1 
 7820 root        260 S   /bin/sh -c sleep 40; /root/test-eth0.sh >/dev/null 2>&1 
 7821 root        260 S   /bin/sh -c sleep 50; /root/test-eth0.sh >/dev/null 2>&1 
 7822 root        260 S   sleep 40 
 7823 root        260 S   sleep 50 
 7824 root        260 S   sleep 10 
 7825 root        260 S   sleep 30 
 7826 root        260 S   sleep 20 
 7842 root         72 S   /usr/sbin/uhttpd -D -I ndindex.html -h /www -r XR500 -x /cgi-bin -l /apps -L /www/cgi-bin/url-routing.lua 
 7846 root         52 S   ntgrcryptwd 
 7851 root        344 S   sleep 3 
 7855 root        344 R   ps w

a lot of the services have started, however it looks like the device needs a 2nd NIC

RawEthLan=eth1
RawEthWan=eth0

ifconfig $RawEthLan hw ether $wandefmac
ifconfig $RawEthWan hw ether $wandefmac
ifconfig $BondEth hw ether $wandefmac
ifconfig $BondEth up
vconfig add $BondEth 1 && ifconfig $BondEth.1 down
vconfig add $BondEth 2 && ifconfig $BondEth.2 down
ip link set dev $BondEth.1 name ethlan
ip link set dev $BondEth.2 name ethwan

brctl addif br0 ethwan

Without it, br0 is never created and most network service like httpd are never started.

I think this is done by adding a new entry to qemuopts but can not figure it out.

Any advice?

Question on userspace / ssh command

Hi,

Can you please tell me a bit more about how the 'userspace' command runs a menu immediately after ssh connection? Is it a a bashrc script running on the emulated device or some other method used to display options and start it up?

Many thanks

Installation

Hi,
When i tried to setup ARM-X VM on Ubuntu 18.04 it is asking for armx login, could you please share the credentials.

Unable to resolve outgoing requests

I'm trying to demonstrate a reverse shell from emulated devices that have command injection vulnerabilities, and in the case of the Tenda, I'm get a no route to host error when injecting a wget request to my listener on the host machine. Where should I be directing payloads in this situation? Is there some additional configuration I have to do to make this work?

Installation failes when running apk update

Following the installation instructions, I got to the point when I have to run build-emux-docker but it fails on the apk update step due to permissions missing. Tried on Ubuntu 20.04 LTS and Fedora 35

Here's the log:

[flyinpancake@SnowCake emux-pg]$ ./build-emux-docker -help 
[+] Building 0.6s (6/43)                                                                                                                                                                                                                                     
 => [internal] load build definition from Dockerfile-emux                                                                                                                                                                                               0.0s
 => => transferring dockerfile: 102B                                                                                                                                                                                                                    0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                       0.0s
 => => transferring context: 93B                                                                                                                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                                                                                                                                                                        0.2s
 => [internal] load build context                                                                                                                                                                                                                       0.0s
 => => transferring context: 3.20kB                                                                                                                                                                                                                     0.0s
 => CACHED [ 1/39] FROM docker.io/library/alpine:latest@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300                                                                                                                         0.0s
 => ERROR [ 2/39] RUN apk update                                                                                                                                                                                                                        0.2s
------
 > [ 2/39] RUN apk update:
#5 0.229 standard_init_linux.go:228: exec user process caused: permission denied

Thanks for the help in advance 😄

Emulating Netgear R8000 issue

I have managed to get the router launching when using ./run-emux-docker, running launcher and then selecting my newly created Netgear R8000 device.

I have an issue when I run the emux-docker-shell command, run userspace and then select /bin/sh. I get the following error:

[emux-docker 🐚] ~$ userspace
Entering Netgear R8000 Wi-Fi Router CONSOLE (/bin/sh)
mount: mounting /proc on /emux/R8000/rootfs/proc failed: No such file or directory
mount: mounting /sys on /emux/R8000/rootfs/sys failed: No such file or directory
[+] chroot /emux/R8000/rootfs /.emux/emuxshell
chroot: can't execute '/.emux/emuxshell': No such file or directory
Connection to 192.168.100.2 closed.

What else am I meant to do to be able to get this running?

Config

# Sample device configuration file
#
id=R8000
nvram=nvram.ini
rootfs=rootfs
randomize_va_space=0
#ld_preload=preload
initcommands="/sbin/preinit;/bin/sh"

Device Information

R8000,qemu-system-arm-6.0.0,vexpress-a9,,,256M,zImage-2.6.39.4-vexpress,VEXPRESS2,Netgear R8000 Wi-Fi Router

File System
The file system is taken from the extracted firmware and then compressed into a .tar.bz2.

Unable to start docker container

When trying to run run-armx-docker receiving this error.

[+] Starting tun0
[+] Starting NFS
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               -          superuser
    100000    3    tcp6      ::.0.111               -          superuser
    100000    4    udp6      ::.0.111               -          superuser
    100000    3    udp6      ::.0.111               -          superuser
    100000    4    tcp       0.0.0.0.0.111          -          superuser
    100000    3    tcp       0.0.0.0.0.111          -          superuser
    100000    2    tcp       0.0.0.0.0.111          -          superuser
    100000    4    udp       0.0.0.0.0.111          -          superuser
    100000    3    udp       0.0.0.0.0.111          -          superuser
    100000    2    udp       0.0.0.0.0.111          -          superuser
    100000    4    local     /var/run/rpcbind.sock  -          superuser
    100000    3    local     /var/run/rpcbind.sock  -          superuser
rpc.nfsd: Unable to access /proc/fs/nfsd errno 2 (No such file or directory).
Please try, as root, 'mount -t nfsd nfsd /proc/fs/nfsd' and then restart rpc.nfsd to correct the problem

And, after checking my system found that nfs is already installed. So, it was not the issue of my system.
After browsing through the internet found that docker container need to run in privilege mode to use nfs service.