Abstract
Firmware is the soul of an embedded system, and disassembly is a necessary step to understand how it operates or to detect its vulnerabilities. Before a firmware image can be disassembled, two things must be determined: the processor type of the running environment and the image base, i.e. the address at which the image is loaded in memory. In general, the processor type can be obtained by tearing down the device or consulting the product manual; however, at present there is still no automated tool for obtaining the image base. Since the processors of most embedded systems use the ARM architecture, this paper focuses on ARM firmware and proposes an automated method for determining the base address. First, by studying how strings are stored in the image and how their addresses are loaded, we present two algorithms: one that computes the offset of each string within the image, and one that computes the string address loaded by each LDR instruction. Then, with this information, we propose a DBMAS (Determining image Base by Matching Addresses of Strings) algorithm that determines the image base. Experimental results indicate that the proposed method can successfully determine the image base of firmware that uses the LDR instruction to load string addresses.
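The idea behind the abstract is that an absolute string address loaded through a PC-relative `LDR` equals the image base plus that string's offset in the file, so every (loaded address, string offset) pair nominates a candidate base and the correct base is the one most pairs agree on. The following script is an added illustration of that matching step, written for this page; it is not the authors' DBMAS implementation, and the exact rules the paper uses (string detection criteria, which `LDR` encodings are handled, how candidates are ranked) are not given in the abstract. It assumes a little-endian ARM-state (A32) image and only decodes the `LDR Rt, [PC, #±imm12]` literal form (Thumb encodings are not handled). The image it analyses is constructed inline by `build_sample_image`, which is a test fixture, not a real firmware.

```python
"""Recover an ARM32 firmware image base by matching LDR-literal addresses
against string offsets (a DBMAS-style vote, reconstructed from the abstract)."""
import struct
from collections import Counter

MIN_STR_LEN = 4  # assumption: shorter printable runs are too noisy to count


def find_strings(img, min_len=MIN_STR_LEN):
    """Return file offsets of NUL-terminated printable-ASCII runs >= min_len bytes."""
    offsets = []
    start = None
    for i, b in enumerate(img):
        printable = 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)
        if printable:
            if start is None:
                start = i
        else:
            if start is not None and b == 0 and i - start >= min_len:
                offsets.append(start)
            start = None
    return offsets


def ldr_literal_values(img):
    """Return the 32-bit value loaded by every A32 'LDR Rt, [PC, #+/-imm12]'.

    Encoding: cond(31:28) 010 P=1 U 0 W=0 1 Rn=1111 Rt imm12, so masking out
    cond, U, Rt and imm12 leaves 0x051F0000.  In ARM state PC reads as the
    instruction address + 8.  cond == 0xF is the unconditional space, not LDR.
    """
    values = []
    for off in range(0, len(img) - 3, 4):
        (insn,) = struct.unpack_from("<I", img, off)
        if (insn >> 28) == 0xF or insn & 0x0F7F0000 != 0x051F0000:
            continue
        imm = insn & 0xFFF
        lit = off + 8 + (imm if insn & (1 << 23) else -imm)  # bit 23 = U (add)
        if 0 <= lit <= len(img) - 4:
            values.append(struct.unpack_from("<I", img, lit)[0])
    return values


def determine_base(img, min_votes=2):
    """Vote: each (literal value, string offset) pair nominates base = value - offset.

    Returns (base, votes) for the best-supported candidate, or (None, votes)
    when no candidate reaches min_votes.  Ties fall to the first seen.
    """
    strings = set(find_strings(img))
    votes = Counter()
    for v in ldr_literal_values(img):
        for s in strings:
            base = v - s
            if base >= 0:
                votes[base] += 1
    if not votes:
        return None, 0
    base, n = votes.most_common(1)[0]
    return (base, n) if n >= min_votes else (None, n)


def build_sample_image(base=0x08000000):
    """Constructed fixture (not a real firmware): four LDR literals at offset 0,
    a literal pool at 0x40 holding three string addresses plus a decoy RAM
    pointer, and a string table starting at 0x100."""
    img = bytearray(0x200)
    str_offs, cur = [], 0x100
    for s in (b"Hello, world", b"Boot OK", b"ERROR: bad cfg"):
        img[cur:cur + len(s)] = s  # NUL terminator is the zeroed byte after it
        str_offs.append(cur)
        cur += len(s) + 1
    pool = 0x40
    lits = [base + o for o in str_offs] + [0x20000000]
    for i, v in enumerate(lits):
        struct.pack_into("<I", img, pool + 4 * i, v)
        # ldr rI, [pc, #imm]  with imm = pool_entry - (insn_addr + 8)
        imm = (pool + 4 * i) - (4 * i + 8)
        struct.pack_into("<I", img, 4 * i, 0xE59F0000 | (i << 12) | imm)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("strings:", [hex(o) for o in find_strings(image)])
    print("ldr values:", [hex(v) for v in ldr_literal_values(image)])
    print("base, votes:", determine_base(image))
```

The decoy literal (a RAM pointer) shows why voting rather than taking the first match matters: it nominates one base per string, but only the true base is nominated by every string literal. On a real image the candidate set grows as literals times strings, so a practical tool would prune it (for example by requiring the base to be word-aligned or within the flash address range of the known part) and should treat a near-tie between two candidates as an inconclusive result rather than an answer.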
| Field | Value |
|---|---|
| Original language | English |
| Pages (from-to) | 1475-1482 |
| Number of pages | 8 |
| Journal | Tien Tzu Hsueh Pao/Acta Electronica Sinica |
| Volume | 45 |
| Issue number | 6 |
| DOIs | |
| Publication status | Published - 1 Jun 2017 |
Keywords
- ARM
- Disassemble
- Firmware
- Image base