{"id":13538680,"url":"https://github.com/ucsb-seclab/bootstomp","last_synced_at":"2025-04-02T05:31:37.927Z","repository":{"id":24028047,"uuid":"100426946","full_name":"ucsb-seclab/BootStomp","owner":"ucsb-seclab","description":"BootStomp: a bootloader vulnerability finder","archived":false,"fork":false,"pushed_at":"2022-01-10T09:29:30.000Z","size":3758,"stargazers_count":379,"open_issues_count":1,"forks_count":69,"subscribers_count":36,"default_branch":"master","last_synced_at":"2024-11-03T03:31:51.236Z","etag":null,"topics":["android","binary-analysis","bootloader","cve","decompilation","vulnerability-detection"],"latest_commit_sha":null,"homepage":"https://seclab.cs.ucsb.edu/academic/publishing/#bootstomp-security-bootloaders-mobile-devices-2017","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ucsb-seclab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-15T23:18:16.000Z","updated_at":"2024-10-09T09:18:20.000Z","dependencies_parsed_at":"2022-07-27T04:32:01.101Z","dependency_job_id":null,"html_url":"https://github.com/ucsb-seclab/BootStomp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ucsb-seclab%2FBootStomp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ucsb-seclab%2FBootStomp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ucsb-seclab%2FBootStomp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ucsb-seclab%2FBootStomp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ucsb-seclab","download_url":"https://codeload.github.com/ucsb-seclab/BootStomp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246763805,"owners_count":20829795,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","binary-analysis","bootloader","cve","decompilation","vulnerability-detection"],"created_at":"2024-08-01T09:01:14.777Z","updated_at":"2025-04-02T05:31:32.916Z","avatar_url":"https://github.com/ucsb-seclab.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing"],"sub_categories":["\u003ca id=\"9d1ce4a40c660c0ce15aec6daf7f56dd\"\u003e\u003c/a\u003e未分类-Vul"],"readme":"BootStomp\n===================\n\n[![License](https://img.shields.io/github/license/angr/angr.svg)](https://github.com/ucsb-seclab/BootStomp/blob/master/LICENSE)\n\nBootStomp is a boot-loader bug finder. It looks for two different class of bugs: memory corruption and state storage vulnerabilities. For more info please refer to the BootStomp paper at https://seclab.cs.ucsb.edu/academic/publishing/#bootstomp-security-bootloaders-mobile-devices-2017 \n\nTo run BootStomp's analyses, please read the following instructions. Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3's versions. This is because of the time angr takes to analyze basic blocks and to Z3's expression concretization results.\n\n\n----------\n\nDirectory structure\n--\n* **analysis**: Contains analysis results (Ex: IDA idbs etc)  of boot images of different devices.\n* **tools**: Contains tools that can be used to work with various images.\n\nPre-requisites\n--\n\n* angr (http://angr.io/)\n\u003e$ pip install angr\n\n* IDA PRO (https://www.hex-rays.com/products/ida/)\n* IDA Decompiler (https://www.hex-rays.com/products/decompiler/)\n\nHow to run it\n--\n## Run BootStomp using docker\nThe easiest way to use BootStomp is to run it in a docker container.\nThe folder `docker` contains an appropriate `Dockerfile`.\nThese are the commands to use it.\n```bash\ncd docker\n# build the docker image\ndocker build -t bootstomp .\n# run the docker image (if you need, use proper options to have persistent changes or shared files)\ndocker run -it bootstomp\n\n# now you are inside a docker container\ncd BootStomp\n# run BootStomp's taint analysis on one of the examples\n# this will take about 30 minutes\npython taint_analysis/bootloadertaint.py config/config.huawei\n# the last line of the output will be something like:\n# INFO    | 2017-10-14 01:54:10,617 | _CoreTaint | Results in /tmp/BootloaderTaint_fastboot.img_.out\n\n# you can then \"pretty print\" the results using:\npython taint_analysis/result_pretty_print.py /tmp/BootloaderTaint_fastboot.img_.out\n```\nThe output should be something like this:\n```\n...\n17)\n===================== Start Info path =====================\nDereference address at: 0x5319cL\nReason: at location 0x5319cL a tainted variable is dereferenced and used as address.\n...\nTainted Path \n----------------\n0x52f3cL -\u003e 0x52f78L -\u003e 0x52f8cL -\u003e 0x52fb8L -\u003e 0x52fc8L -\u003e 0x52fecL -\u003e 0x53000L -\u003e 0x53014L -\u003e 0x5301cL -\u003e 0x53030L -\u003e 0x53044L -\u003e 0x53050L -\u003e 0x5305cL -\u003e 0x53068L\n===================== End Info path =====================\n# Total sinks related alerts: 5\n# Total loop related alerts: 8\n# Total dereference related alerts: 4\n```\n\n## Run BootStomp manually\n### Automatic detection of taint sources and sinks\n\n1. Load the boot-loader binary in IDA (we used v6.95). Depending on the CPU architecture of the phone it has been extracted from, 32 bit or 64 bit IDA is needed. \n2. From the menu-bar, run File =\u003e Script file =\u003e `find_taint.py`\n3. Output will appear in the file `taint_source_sink.txt` under the same directory as the boot-loader itself.\n\n### Configuration file\nCreate a JSON configuration file for the boot-loader binary (see examples in `config/`), where:\n\n* **bootloader**: boot-loader file path\n* **info_path**: boot-loader source/sink info file path  (i.e., taint_source_sink.txt )\n* **arch**: architecture's number of bits (available options are 32 and 64)\n* **enable_thumb**: consider thumb mode (when needed) during the analysis \n* **start_with_thumb**: starts the analysis with thumb mode enabled  \n* **exit_on_dec_error**: stop the analysis if some instructions cannot be decoded\n* **unlock_addr**: unlocking function address. This field is necessary only for finding insecure state storage vulnerabilities.\n\n### Finding memory corruption vulnerabilities\nRun\n\n \u003e python bootloadertaint.py config-file-path\n \n Results will be stored in `/tmp/BootloaderTaint_[boot-loader].out`, where `[boot-loader]` is the name of the analyzed boot-loader. Note that paths involving loops might appear more than once.\n\n### Finding insecure state storage vulnerability\nRun\n \u003e python unlock_checker.py config-file-path\n\n Results will be stored in `/tmp/UnlockChecker_[boot-loader].out`, where `[boot-loader]` is the name of the analyzed boot-loader. Note that paths involving loops might appear more than once.\n\n### Checking results\nTo check BootStomp results, use the script `result_pretty_print.py`, as follows:\n \u003e python result_pretty_print.py results_file\n\n#### [Exploit for CVE-2017-2729](https://github.com/ucsb-seclab/BootStomp/tree/master/tools/huawei_tools#oeminfo_exploitpy)\n\nOther references\n-------------\n* [Kernel and lk source for MediaTek MT65x2](https://github.com/ariafan/MT65x2_kernel_lk)\n* [MediaTek details: Partitions and Preloader](https://sturmflut.github.io/mediatek/2015/07/04/mediatek-details-partitions-and-preloader)\n* [Reverse Engineering Android's Aboot](http://newandroidbook.com/Articles/aboot.html)\n* [(L)ittle (K)ernel based Android bootloader](https://www.codeaurora.org/blogs/little-kernel-based-android-bootloader)\n* [Little Kernel Boot Loader Overview by Qualcomm](https://developer.qualcomm.com/qfile/28821/lm80-p0436-1_little_kernel_boot_loader_overview.pdf)\n* [android: arm: bootloader: how (L)ittle (K)ernel loads boot.img](https://chengyihe.wordpress.com/2015/09/22/android-arm-bootloader-how-little-kernel-loads-boot-img)\n* [BootUnlocker for Nexus Devices](https://github.com/osm0sis/boot-unlocker/blob/wiki/HowItWorks.md)\n* [Verifying Boot](https://source.android.com/security/verifiedboot/verified-boot.html)\n* [Freeing my tablet (Android hacking, SW and HW)](https://www.thanassis.space/android.html)\n* [How to lock the samsung download mode using an undocumented feature of aboot](https://ge0n0sis.github.io/posts/2016/05/how-to-lock-the-samsung-download-mode-using-an-undocumented-feature-of-aboot/)\n* [BIOS and Secure Boot Attacks Uncovered](http://www.intelsecurity.com/resources/pr-bios-secure-boot-attacks-uncovered.pdf)\n* [Apple IOS Security](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)\n* [Debugging HTC phone boot-laoders](http://archive.hack.lu/2013/hacklu2013_hbootdbg.pdf)\n* [Debugger for HBOOT](https://github.com/sogeti-esec-lab/hbootdbg)\n* [Analysing HBOOT](http://tjworld.net/wiki/android/htc/vision/hbootanalysis)\n\n \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fucsb-seclab%2Fbootstomp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fucsb-seclab%2Fbootstomp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fucsb-seclab%2Fbootstomp/lists"}