Version identifiers, Arch check in installer, diff updates #860

Merged
merged 4 commits into from
Nov 3, 2023
9 changes: 9 additions & 0 deletions config/bin_version_strings.cfg
Expand Up @@ -29,6 +29,7 @@ acpi;;unknown;"acpi\ [0-9](\.[0-9]+)+?$";"sed -r 's/acpi\ ([0-9](\.[0-9]+)+?)$/a
acpid;;unknown;"acpid-[0-9](\.[0-9]+)+?$";"sed -r 's/acpid-([0-9](\.[0-9]+)+?)$/acpid:\1/'";
afpd;;unknown;"^afpd\ [0-9](\.[0-9]+)+?\ -\ Apple\ Filing\ Protocol\ \(AFP\)\ daemon\ of\ Netatalk$";"sed -r 's/afpd\ ([0-9](\.[0-9]+)+?)\ .*\ Netatalk$/netatalk:afpd:\1/'";
afpd;live;unknown;"^Netatalk\ [0-9](\.[0-9]+)+?\ \(name:\ .*\)$";"sed -r 's/Netatalk\ ([0-9](\.[0-9]+)+?)\ .*/netatalk:afpd:\1/'";
agesa;;unknown;"AGESA\ Ontar2PIV[0-9](\.[0-9]+)+?$";"sed -r 's/AGESA\ Ontar2PIV([0-9](\.[0-9]+)+?)/agesa:\1/'";
aircrack-ng;;gplv2;"^\ \ Air[a-z]*-ng\ [0-9](\.[0-9]+)+?\ -\ \(C\)\ ";"sed -r 's/\ \ Air[a-z]*-ng\ ([0-9](\.[0-9]+)+?)\ .*/aircrack-ng:\1/'";
aircrack-ng;;gplv2;"^\ \ ivsTools\ [0-9](\.[0-9]+)+?\ -\ \(C\)\ ";"sed -r 's/\ \ ivsTools\ ([0-9](\.[0-9]+)+?)\ .*/aircrack-ng:\1/'";
aircrack-ng;;gplv2;"^\ \ makeivs-ng\ [0-9](\.[0-9]+)+?\ -\ \(C\)\ ";"sed -r 's/\ \ makeivs-ng\ ([0-9](\.[0-9]+)+?)\ .*/aircrack-ng:\1/'";
Expand Down Expand Up @@ -94,6 +95,8 @@ clear_console;;unknown;"^clear_console:\ Version\ [0-9]+(\.[0-9]+)+?$";"sed -r '
comgt;;unknown;"comgt\ version\ [0-9](\.[0-9]+)+?";"sed -r 's/comgt\ version\ ([0-9](\.[0-9]+)+?).*/comgt:\1/'";
conntrack;;unknown;"conntrack\ v[0-9](\.[0-9]+)+?\ \(conntrack-tools\)";"sed -r 's/conntrack\ v([0-9](\.[0-9]+)+?).*/conntrack-tools:\1/'";
coreutils;;gplv3;"\(GNU\ coreutils\)\ [0-9](\.[0-9]+)+?$";"sed -r 's/\(GNU\ coreutils\)\ ([0-9](\.[0-9]+)+?)$/gnu:coreutils:\1/'";
coreboot;;gplv2;"coreboot\ toolchain\ v[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9a-z]+";"sed -r 's/coreboot\ toolchain\ v([0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9a-z]+)/coreboot:\1/'";
coreboot;;gplv2;"COREBOOT_VERSION: [0-9]\.[0-9]+?(-[0-9]+)?(-[0-9a-z]+)?(-dirty)?";"sed -r 's/COREBOOT_VERSION: ([0-9]\.[0-9]+?(-[0-9]+)?(-[0-9a-z]+)?(-dirty)?)/coreboot:\1/'"
coova;;gplv3;"^coova-chilli\ [0-9](\.[0-9]+)+?$";"sed -r 's/coova-chilli\ ([0-9](\.[0-9]+)+?)$/:coova-chilli:\1/'";
cp443-1;;proprietary;"^\@\(\#1\)\ CP443-1\ GX20\ V\ [0-9](\.[0-9]+)+?\ ";"sed -r 's/\@\(\#1\)\ CP443-1\ GX20\ v\ ([0-9]\.[0-9]\.[0-9]).*/simatic_cp443-1_firmware \1/'";
cp443-1;;proprietary;"^\ Firmware\ Update\ V[0-9](\.[0-9]+)+?\ for\ the\ communication\ processor\ CP443-1$";"sed -r 's/Firmware\ Update\ V([0-9]\.[0-9]\.[0-9]+)\ for\ the\ communication\ processor\ CP443-1/simatic_cp443-1_firmware \1/'";
Expand Down Expand Up @@ -258,6 +261,7 @@ info-zip;;bsd-style;"ZipInfo\ [0-9](\.[0-9]+)+?\ of\ .*\ by\ Greg\ Roelofs\ and\
info-zip;;bsd-style;"ZipNote\ [0-9](\.[0-9]+)+?\ .*,\ by Info-ZIP";"sed -r 's/ZipNote\ ([0-9](\.[0-9]+)+?).*/info-zip:zipnote:\1/'";
inotifywatch;;unknown;"^inotifywatch\ [0-9](\.[0-9]+)+?$";"sed -r 's/inotifywatch\ ([0-9](\.[0-9]+)+?)$/inotify-tools:\1/'";
inotifywait;;unknown;"^inotifywait\ [0-9](\.[0-9]+)+?$";"sed -r 's/inotifywait\ ([0-9](\.[0-9]+)+?)$/inotify-tools:\1/'";
intel_trusted_device_setup;;unknown;"^Intel\(R\)\ Trusted\ Device\ Setup\ Extension\ Version\ [0-9]+(\.[0-9]+)+?$";"sed -r 's/Intel\(R\)\ Trusted\ Device\ Setup\ Extension\ Version\ ([0-9]+(\.[0-9]+)+?)/intel:trusted_device_setup:\1/'";
nichestack;;proprietary;^Interniche\ Stack\ v[0-9](\.[0-9]+)+$";"sed -r 's/Interniche\ Stack\ v([0-9](\.[0-9]+)+?)$/hcc-embedded:nichestack:\1/'";
io-control;;unknown;"FUSE\ library\ version:\ [0-9](\.[0-9]+)+?";"sed -r 's/FUSE\ library\ version:\ ([0-9](\.[0-9]+)+?).*/fuse:\1/'";
iotgoat;;mit;"^iotgoat\ v[0-9]\.[0-9]$";"sed -r 's/iotgoat\ v([0-9](\.[0-9]+)+?)$/iotgoat:\1/'";
Expand Down Expand Up @@ -452,6 +456,7 @@ nano;;gplv3;"GNU\ nano,\ version\ [0-9](\.[0-9]+)+?\ \(compiled\ .*\)$";"sed -r
nbtscan;;unknown;"^NBTscan\ version\ [0-9](\.[0-9]+)+?\.\ Copyright\ \(C\)\ 1999-200[0-9]\ Alla\ Bezroutchko\.$";"sed -r 's/NBTscan\ version\ ([0-9](\.[0-9]+)+?).*/nbtscan:\1/'";
nc.traditional;strict;unknown;"\[v[0-9]\.[0-9]+-[0-9]+\]$";"sed -r 's/\[v([0-9](\.[0-9]+)+?(-[0-9]+)?)\]$/nc.traditional:\1/'";
ncurses;;mit-x11;"ncurses\ [0-9](\.[0-9]+)+?";"sed -r 's/ncurses\ ([0-9](\.[0-9]+)+?).*/gnu:ncurses:\1/'";
nero_boot_loader;;unknown;"^Nero\ Boot-Loader\ V[0-9]+\.[0-9]+$";"sed -r 's/Nero\ Boot-Loader\ V([0-9]+\.[0-9]+)/nero:boot_loader:\1/'";
netatalk;;bsd;"^cnid_dbd\ \(Netatalk\ [0-9](\.[0-9]+)+?\)$";"sed -r 's/cnid_dbd\ \(Netatalk\ ([0-9](\.[0-9]+)+?)\)$/netatalk:\1/'";
ndppd;;gplv3;"ndppd\ \(NDP\ Proxy\ Daemon\)\ version\ [0-9](\.[0-9]+)+?";"sed -r 's/ndppd\ \(NDP\ Proxy\ Daemon\)\ version\ ([0-9](\.[0-9]+)+?).*/ndppd:\1/'";
#netgear_facebook_captive_portal;;unknown;"NETGEAR\ Facebook\ Captive\ Portal\ version\ [0-9](\.[0-9]+)?";"NA";
Expand Down Expand Up @@ -677,6 +682,10 @@ udhcp_client;;unknown;"info,\ udhcp\ client\ \(v[0-9](\.[0-9]+)+?\)\ started";"s
udhcpc;;unknown;"udhcpcd,\ version\ [0-9](\.[0-9]+)+?";"sed -r 's/udhcpcd,\ version\ ([0-9](\.[0-9]+)+?).*/udhcpc:\1/'";
udhcpc;;unknown;"udhcpc\ \(v[0-9](\.[0-9]+)+?(-pre)?\)\ started$";"sed -r 's/udhcpc\ \(v([0-9](\.[0-9]+)+?)(-pre)?\)\ .*/udhcpc:\1/'";
udhcp;;unknown;"udhcp\ [0-9](\.[0-9]+)+?$";"sed -r 's/udhcp\ ([0-9](\.[0-9]+)+?)$/udhcp:\1/'";
uefi_shell;;bsd;"\*\*\*\ UEFI\ Shell\ v[0-9]+\.[0-9]+,\ release\ [0-9]+[A-Z][0-9]+\ \*\*\*";"sed -r 's/\*\*\*\ UEFI\ Shell\ v([0-9]+\.[0-9]+),\ release\ ([0-9]+[A-Z][0-9]+)\ \*\*\*/uefi_shell:\1:\2/'";
uefi_shell;;bsd;"\*\*\*\ UEFI\ Shell\ v[0-9]+\.[0-9]+,\ release\ [0-9]+\.[0-9]+\ \*\*\*";"sed -r 's/\*\*\*\ UEFI\ Shell\ v([0-9]+\.[0-9]+),\ release\ ([0-9]+\.[0-9]+)\ \*\*\*/uefi_shell:\1:\2/'";
uefi_shell;;bsd;"UEFI\ SHELL\ [0-9]+\.[0-9]+\ [0-9]+[A-Z][0-9]+\ ";"sed -r 's/UEFI\ SHELL\ ([0-9]+\.[0-9]+)\ ([0-9]+[A-Z][0-9]+)\ /uefi_shell:\1:\2/'";
uefi_shell;;bsd;"UEFI\ SHELL\ [0-9]+\.[0-9]+\ [0-9]+\.[0-9]+\ ";"sed -r 's/UEFI\ SHELL\ ([0-9]+\.[0-9]+)\ ([0-9]+\.[0-9]+)\ /uefi_shell:\1:\2/'";
ulogd;;unknown;"^ulogd\ Version\ [0-9](\.[0-9]+)+?$";"sed -r 's/ulogd\ Version\ ([0-9](\.[0-9]+)+?)/ulogd:\1/'";
ultravnc_linux_repeater;;unknown;"^UltraVnc\ Linux\ Repeater\ version\ [0-9](\.[0-9]+)+?$";"sed -r 's/UltraVnc\ Linux\ Repeater\ version\ ([0-9](\.[0-9]+)+?)$/ultravnc:repeater:\1/'";
xlink-ult;;unknown;"XLINK\ v[0-9]+(\.[0-9]+)+?\ ";"sed -r 's/XLINK\ v([0-9]+(\.[0-9]+)+?)\ .*/xlink:\1/'";
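Review bot: The new `coreboot;;gplv2;"COREBOOT_VERSION: …` entry in the second hunk is the only line in this file without the trailing `;` field terminator — every other entry, including the `coreboot toolchain` line right above it, ends with `";`; if the loader splits the line on `;` positionally this entry may come out one field short, so it should end `/coreboot:\1/'";`. Both coreboot lines also sit after `coreutils`, which breaks the file's alphabetical ordering and makes duplicate entries harder to spot. In the third hunk, `nichestack;;proprietary;^Interniche\ Stack\ …` is missing the opening `"` of its regex field (it reads `;^Interniche` where every other entry reads `;"^…`); I cannot tell from the rendered view whether that line is new or context, but it is worth fixing in the same change.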
4 changes: 1 addition & 3 deletions helpers/helpers_emba_prepare.sh
Expand Up @@ -341,11 +341,9 @@ architecture_check()
export ARCH
fi
else
print_output "$(indent "$(red "No architecture in firmware found")")"
print_output "$(indent "$(red "Based on binary identification no architecture was detected.")")"
if [[ -n "${ARCH}" ]] ; then
print_output "[*] Your set architecture (""${ARCH}"") will be used."
else
print_output "[!] Since no architecture could be detected, you should set one."
fi
fi
backup_var "ARCH" "${ARCH}"
5 changes: 5 additions & 0 deletions installer.sh
Expand Up @@ -200,6 +200,11 @@ else
UBUNTU_OS=0
fi

if ! uname -m | grep -q "x86_64" 2>/dev/null; then
echo -e "\n${ORANGE}WARNING: Architecture probably unsupported!${NC}"
read -p "If you know what you are doing you can press any key to continue ..." -n1 -s -r
fi

if ! [[ $EUID -eq 0 ]] && [[ $LIST_DEP -eq 0 ]] ; then
echo -e "\\n""$RED""Run EMBA installation script with root permissions!""$NC\\n"
print_help
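Review bot: The added architecture prompt misbehaves when the installer runs without a terminal (CI, `docker build`, piped input): `read -p … -n1` returns non-zero on a non-tty/EOF stdin, which aborts the installer if it runs under `set -e`, or it silently consumes one byte of whatever is piped in. Only prompt when stdin is a terminal, `if [[ -t 0 ]]; then read -p "If you know what you are doing you can press any key to continue ..." -n1 -s -r; fi`, and keep the warning line unconditional so the log still records it. On the condition line the `2>/dev/null` applies only to `grep`, not to `uname`; a plain comparison avoids both the pipe and the redirect, `if [[ "$(uname -m)" != "x86_64" ]]; then`. These lines are top-level installer code; the surrounding option handling is outside the hunk.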
26 changes: 20 additions & 6 deletions modules/D10_firmware_diffing.sh
Expand Up @@ -23,6 +23,8 @@ D10_firmware_diffing() {
module_log_init "${FUNCNAME[0]}"
module_title "Firmware diff analysis"
local NEG_LOG=0
# we only look at files ranking lt 95 in ssdeep - probably we need to adjust this in the future
local SSDEEP_MIN_RANK=95

if ! command -v ssdeep > /dev/null ; then
print_output "[-] Missing ssdeep installation"
Expand Down Expand Up @@ -75,6 +77,13 @@ D10_firmware_diffing() {
FW_FILE1="${OUTPUT_DIR_UNBLOB1}""${FW_FILE1#.}"

FW_FILE_NAME1=$(basename "${FW_FILE1}")
# From extraction process we often get a huge amount of files called "gzip.uncompressed"
# Currently we just skip them. In the future we probably need to respect the directory name right before:
# /lib/modules/4.19.163/kernel/net/netfilter/xt_LOG.ko.gz_extract/gzip.uncompressed
# -> the name that we need to take care of is xt_LOG.ko.gz
if [[ "${FW_FILE_NAME1}" == "gzip.uncompressed" ]]; then
continue
fi
# print_output "[*] Testing $FW_FILE1"

# find the file in OUTPUT_DIR_UNBLOB2
Expand All @@ -98,8 +107,7 @@ D10_firmware_diffing() {

! [[ -d "${LOG_PATH_MODULE_SUB}" ]] && mkdir "${LOG_PATH_MODULE_SUB}"

# we only look at files ranking lt 90 in ssdeep - probably we need to adjust this in the future
if [[ "${SSDEEP_RANK}" -lt 90 ]]; then
if [[ "${SSDEEP_RANK}" -lt "${SSDEEP_MIN_RANK}" ]]; then
print_ln "no_log"
if [[ "$(file "${FW_FILE1}")" == *"text"* ]]; then
print_output "[+] Found modified ASCII file ${ORANGE}${FW_FILE_NAME1}${GREEN} in 2nd firmware directory - Ranking ${ORANGE}${SSDEEP_RANK}${NC}" "" "${LOG_FILE_DETAILS}"
Expand Down Expand Up @@ -151,9 +159,11 @@ D10_firmware_diffing() {
write_log "[*] Non matching functions in ${ORANGE}$(basename "${FW_FILE1}")${NC}:" "${LOG_FILE_DETAILS}"
print_output "[*] Non matching functions in ${ORANGE}$(basename "${FW_FILE1}")${NC} logged to ${ORANGE}${LOG_PATH_MODULE_SUB}/r2_diff_fct_${FW_FILE_NAME1}_${FW_FILE_NAME1}.txt${NC}" "no_log"
# get the functions which are different with radiff2:
radiff2 -AC "${FW_FILE1}" "${FW_FILE2}" 2>/dev/null | grep UNMATCH > "${LOG_PATH_MODULE_SUB}"/r2_diff_fct_"${FW_FILE_NAME1}"_"${FW_FILE_NAME1}".txt
cat "${LOG_PATH_MODULE_SUB}"/r2_diff_fct_"${FW_FILE_NAME1}"_"${FW_FILE_NAME1}".txt >> "${LOG_FILE_DETAILS}"
mapfile -t UNMATCHED_FCTs < <(awk '{print $1}' "${LOG_PATH_MODULE_SUB}"/r2_diff_fct_"${FW_FILE_NAME1}"_"${FW_FILE_NAME1}".txt | sort -u)
radiff2 -AC "${FW_FILE1}" "${FW_FILE2}" 2>/dev/null | grep UNMATCH > "${LOG_PATH_MODULE_SUB}"/r2_diff_fct_"${FW_FILE_NAME1}"_"${FW_FILE_NAME1}".txt || true
if [[ -f "${LOG_PATH_MODULE_SUB}"/r2_diff_fct_"${FW_FILE_NAME1}"_"${FW_FILE_NAME1}".txt ]]; then
cat "${LOG_PATH_MODULE_SUB}"/r2_diff_fct_"${FW_FILE_NAME1}"_"${FW_FILE_NAME1}".txt >> "${LOG_FILE_DETAILS}"
mapfile -t UNMATCHED_FCTs < <(awk '{print $1}' "${LOG_PATH_MODULE_SUB}"/r2_diff_fct_"${FW_FILE_NAME1}"_"${FW_FILE_NAME1}".txt | sort -u)
fi
write_log "" "${LOG_FILE_DETAILS}"

sub_module_title "R2 diff for binary file ${FW_FILE_NAME1}" "${LOG_FILE_DETAILS}"
Expand All @@ -179,8 +189,12 @@ D10_firmware_diffing() {
for FCT in "${UNMATCHED_FCTs[@]}"; do
write_log "" "${LOG_FILE_DETAILS}"
radiff2 -e bin.cache=true -md -g "${FCT}" "${FW_FILE2}" "${FW_FILE1}" 2>/dev/null > "${LOG_PATH_MODULE}"/r2_fct_graphing/r2_fct_graph_"${FW_FILE_NAME1}"_"${FCT}".xdot
# we only print the graph if the log file was generated and has content and it has multiple addresses (0x) included
if [[ -s "${LOG_PATH_MODULE}"/r2_fct_graphing/r2_fct_graph_"${FW_FILE_NAME1}"_"${FCT}".xdot ]]; then
dot -Tpng "${LOG_PATH_MODULE}"/r2_fct_graphing/r2_fct_graph_"${FW_FILE_NAME1}"_"${FCT}".xdot 2>/dev/null > "${LOG_PATH_MODULE}"/r2_fct_graphing/r2_fct_graph_"${FW_FILE_NAME1}"_"${FCT}".png || true
if [[ "$(grep -c "0x" "${LOG_PATH_MODULE}"/r2_fct_graphing/r2_fct_graph_"${FW_FILE_NAME1}"_"${FCT}".xdot 2>/dev/null)" -gt 1 ]]; then
print_output "[*] Generating png for function ${FCT} of binary ${FW_FILE_NAME1}" "no_log"
dot -Tpng "${LOG_PATH_MODULE}"/r2_fct_graphing/r2_fct_graph_"${FW_FILE_NAME1}"_"${FCT}".xdot 2>/dev/null > "${LOG_PATH_MODULE}"/r2_fct_graphing/r2_fct_graph_"${FW_FILE_NAME1}"_"${FCT}".png || true
fi
fi
if [[ -s "${LOG_PATH_MODULE}/r2_fct_graphing/r2_fct_graph_${FW_FILE_NAME1}_${FCT}.png" ]]; then
write_log "[*] Radare2 binary function diff for function ${ORANGE}${FCT}${NC} in binary ${ORANGE}${FW_FILE_NAME1}${NC}" "${LOG_FILE_DETAILS}"
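Review bot: The `if [[ -f … ]]` guard added around the `cat`/`mapfile` lines is always true, because the `> …/r2_diff_fct_….txt` redirect on the preceding `radiff2` line creates (and truncates) the file before `grep UNMATCH` runs, so the guard cannot distinguish "no unmatched functions" from a real result; what the later `for FCT in "${UNMATCHED_FCTs[@]}"` loop needs is a non-empty file. If the test is changed to `-s`, `mapfile` no longer runs on an empty result and `UNMATCHED_FCTs` would keep the previous iteration's functions, so reset it first: `UNMATCHED_FCTs=()` followed by `if [[ -s "${LOG_PATH_MODULE_SUB}"/r2_diff_fct_"${FW_FILE_NAME1}"_"${FW_FILE_NAME1}".txt ]]; then`. Separately, `${FCT}` appears to be a function/symbol name taken from the analysed binary and is used directly as a path component in the `.xdot`/`.png` names on the radiff2 line and on the added `grep -c`/`dot` lines; unless radiff2 already normalises these names, deriving a filename-safe form such as `FCT_FILE=${FCT//[^A-Za-z0-9_.-]/_}` keeps the output inside `${LOG_PATH_MODULE}`. The enclosing file loop and D10_firmware_diffing itself begin and end outside the hunk.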
13 changes: 13 additions & 0 deletions modules/S09_firmware_base_version_check.sh
Expand Up @@ -131,6 +131,17 @@ S09_firmware_base_version_check() {
print_dot
fi

if [[ $RTOS -eq 1 ]]; then
# in RTOS mode we also test the original firmware file
VERSION_FINDER=$(find "${FIRMWARE_PATH_BAK}" -xdev -type f -print0 2>/dev/null | xargs -0 strings | grep -o -a -E "${VERSION_IDENTIFIER}" | head -1 2>/dev/null || true)
if [[ -n $VERSION_FINDER ]]; then
print_ln "no_log"
print_output "[+] Version information found ${RED}""${VERSION_FINDER}""${NC}${GREEN} in original firmware file (license: ${ORANGE}${LIC}${GREEN}) (${ORANGE}static${GREEN})."
get_csv_rule "$VERSION_FINDER" "$CSV_REGEX"
write_csv_log "firmware" "$BIN_NAME" "$VERSION_FINDER" "$CSV_RULE" "$LIC" "$TYPE"
fi
fi

if [[ "$THREADED" -eq 1 ]]; then
# this will burn the CPU but in most cases the time of testing is cut into half
bin_string_checker &
Expand Down Expand Up @@ -193,6 +204,8 @@ bin_string_checker() {
fi
fi
else
# this is RTOS mode
# echo "Testing $BIN - $VERSION_IDENTIFIER"
VERSION_FINDER="$(strings "$BIN" | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null || true)"
if [[ -n $VERSION_FINDER ]]; then
print_ln "no_log"
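Review bot: The added RTOS branch runs `find … -print0 | xargs -0 strings` over the whole original firmware once per version identifier; since this block sits inside the per-identifier loop (which starts outside the hunk), the firmware is re-scanned for every entry of the config file, and on a large image that will dominate the module's runtime. Extract the strings once before the loop into a file under the module's log directory and grep that file in the loop instead, e.g. `VERSION_FINDER=$(grep -o -a -E "${VERSION_IDENTIFIER}" "${RTOS_STRINGS_FILE}" | head -1 || true)` (`RTOS_STRINGS_FILE` being a name of your choosing for the cache). Independently, `xargs -0` without `-r` still runs `strings` once when `find` prints nothing, so `strings` then reads the empty pipe; `xargs -0 -r strings` avoids that. The `|| true` at the end also hides a genuine `find`/`strings` failure, so a missing or unreadable `FIRMWARE_PATH_BAK` goes unreported; a `[[ -e "${FIRMWARE_PATH_BAK}" ]]` check before the pipeline would make that visible.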