Table of Contents


Firmanal is an automated firmware analysis tool based on Firmadyne, and it currently only works on Arch Linux.


After cloning this repository, edit the MAIN_DIR variable in the Then execute the, which will set up the environment.



All pre-built binaries (console, libnvram, kernels) have been included in this repository.

You may, if you want, compile those binaries by yourself using the ./scripts/


  1. Set MAIN_DIR in to point to the root of this repository.
  2. Download a firmware image, e.g. v2.0.3 for Netgear WNAP320.
    • wget
  3. Use the extractor to recover only the filesystem, no kernel (-nk), no parallel operation (-np), populating the image table in the SQL server at (-sql) with the Netgear brand (-b), and storing the tarball in images.
    • ./scripts/ -b Netgear -sql -np -nk "WNAP320 Firmware Version" images
  4. Load the contents of the filesystem for firmware 1 into the database, populating the object and object_to_image tables.
    • ./db/ -i 1 -f ./images/1.tar.gz
  5. Create the QEMU disk image for firmware 1.
    • sudo ./qemu/scripts/ 1
  6. Infer the network configuration for firmware 1. Kernel messages are logged to ./qemu/vm/1/qemu.initial.serial.log.
    • ./qemu/scripts/ 1
  7. Emulate firmware 1 with the inferred network configuration. This will modify the configuration of the host system by creating a TAP device and adding a route. Use Ctrl-a + x to terminate the guest.
    • ./qemu/vm/1/
  8. The system should be available over the network, and is ready for analysis. Kernel messages are logged to ./qemu/vm/1/
    • ./anal/dynamic/
    • ./anal/dynamic/ 1 log.txt
    • mkdir exploits && ./anal/metasploit/ -t -o exploits -e all (requires Metasploit Framework)
    • sudo nmap -O -sV
  9. The following scripts can be used to mount/unmount the filesystem of firmware 1. Ensure that the emulated firmware is not running, and remember to unmount before performing any other operations.
    • sudo ./qemu/scripts/ 1
    • sudo ./qemu/scripts/ 1
  10. To delete the firmware, use the
    • ./scripts/ 1


During development, the database was stored on a PostgreSQL server.


Below are descriptions of tables in the schema.

Column Description
id Primary key
name Brand name
Column Description
id Primary key
filename File name
brand_id Foreign key to brand
hash MD5
rootfs_extracted Whether the primary filesystem was extracted
kernel_extracted Whether the kernel was extracted
arch Hardware architecture
kernel_version Version of the extracted kernel
Column Description
id Primary key
hash MD5
Column Description
id Primary key
oid Foreign key to object
iid Foreign key to image
filename Full path to the file
regular_file Whether the file is regular
permissions File permissions in octal
uid Owner's user ID
gid Group's group ID
mime Mime type
score The score of analysis
Column Description
id Primary key
iid Foreign key to image
url Download URL
mib_filename Filename of the SNMP MIB
mib_hash MD5 of the SNP MIB
mib_url Download URL of the SNMP MIB
sdk_filename Filename of the source SDK
sdk_hash MD5 of the source SDK
sdk_url Download URL of the source SDK
product Product name
version Version string
build Build string
date Release date