Determining image base of firmware files for ARM Devices

Ruijin Zhu, Yu An Tan, Quanxin Zhang, Fei Wu, Jun Zheng*, Yuan Xue

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

22 Citations (Scopus)

Abstract

Disassembly, as a principal reverse-engineering tool, is the process of recovering the equivalent assembly instructions of a program's machine code from its binary representation. However, when disassembling a firmware file, the disassembly process cannot be performed well if the image base is unknown. In this paper, we propose an innovative method to determine the image base of a firmware file with the ARM/Thumb instruction set. First, based on the characteristics of the function entry table (FET) for an ARM processor, an algorithm called FIND-FET is proposed to identify the function entry tables. Second, by using the most common instructions of the function prologue together with the FETs, the FIND-BASE algorithm is proposed to determine candidate image bases by counting the matched functions, and then to choose the candidate with the maximal number of matched FETs as the final result. The algorithms are applied to several firmware images collected from the Internet, and the results indicate that they can effectively determine the image base for the majority of the example firmware files.
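To make the two-stage idea in the abstract concrete, the following added example (not code from the paper or its authors) implements a simplified stand-in for FIND-FET and FIND-BASE on a constructed Thumb firmware image. It assumes a FET is a run of word-aligned little-endian code pointers that share their upper 16 bits and have the Thumb bit set, and it assumes the most common function prologue is the 16-bit Thumb `PUSH {..., LR}` (`0xB5xx`); the paper's actual FET characteristics and prologue set are not on this page, so those heuristics, the sample layout (`IMAGE_BASE`, `FUNC_OFFSETS`) and all function names are illustrative choices of this example.

```python
import struct

# Constructed sample: ground-truth base and function offsets, used only to build the image.
IMAGE_BASE = 0x08000000
FUNC_OFFSETS = [0x100, 0x140, 0x190, 0x1E0, 0x240, 0x2A0]


def build_sample_firmware():
    """Build a 1 KiB constructed Thumb image: a FET at offset 0x40 and tiny functions."""
    img = bytearray(0x400)
    # FET: 32-bit little-endian entries, LSB set because the targets are Thumb code.
    for i, off in enumerate(FUNC_OFFSETS):
        struct.pack_into("<I", img, 0x40 + 4 * i, (IMAGE_BASE + off) | 1)
    # Each function starts with PUSH {r4, lr} (0xB510) and returns with POP {r4, pc}.
    for off in FUNC_OFFSETS:
        struct.pack_into("<H", img, off, 0xB510)
        struct.pack_into("<H", img, off + 2, 0xBD10)
    # Noise words that are neither Thumb pointers (even) nor prologues.
    for i in range(8):
        struct.pack_into("<I", img, 0x300 + 4 * i, 0xDEAD0000 + i * 0x1234)
    return bytes(img)


def find_fets(img, min_entries=4):
    """FIND-FET stand-in: return (offset, entries) for every run of >= min_entries
    word-aligned little-endian words that look like Thumb code pointers
    (LSB set, identical upper 16 bits)."""
    n = len(img) // 4
    words = [struct.unpack_from("<I", img, 4 * i)[0] for i in range(n)]
    fets, i = [], 0
    while i < n:
        j = i
        while j < n and words[j] & 1 and (words[j] >> 16) == (words[i] >> 16):
            j += 1
        if j - i >= min_entries:
            fets.append((4 * i, words[i:j]))
        i = max(j, i + 1)
    return fets


def find_prologues(img):
    """Offsets (halfword aligned) of the 16-bit Thumb PUSH {..., LR} encoding 0xB5xx."""
    return {off for off in range(0, len(img) - 1, 2)
            if struct.unpack_from("<H", img, off)[0] & 0xFF00 == 0xB500}


def find_base(img, fets, prologues):
    """FIND-BASE stand-in: each (FET entry, prologue offset) pair votes for
    base = target - offset. A candidate is scored first by the number of FETs
    in which at least half of the entries land on a prologue, then by the total
    number of matched functions. Returns (base, matched_fets, matched_functions)."""
    candidates = set()
    for _, entries in fets:
        for addr in entries:
            for p in prologues:
                base = (addr & ~1) - p
                if base >= 0 and base % 4 == 0:
                    candidates.add(base)
    best = None
    for base in sorted(candidates):
        matched_fets = matched_funcs = 0
        for _, entries in fets:
            hits = sum(1 for addr in entries if ((addr & ~1) - base) in prologues)
            matched_funcs += hits
            if hits * 2 >= len(entries):
                matched_fets += 1
        score = (matched_fets, matched_funcs)
        if best is None or score > best[1:]:
            best = (base, matched_fets, matched_funcs)
    return best


def main():
    img = build_sample_firmware()
    fets = find_fets(img)
    prologues = find_prologues(img)
    base, mf, me = find_base(img, fets, prologues)
    print("FETs found at offsets:", [hex(o) for o, _ in fets])
    print("prologue candidates:", len(prologues))
    print(f"image base 0x{base:08X}: {mf} FET(s), {me} functions matched")


if __name__ == "__main__":
    main()
```

Because every entry/prologue pair casts a vote, an image base only needs a single correct pairing to become a candidate; the scoring pass then separates the true base (all six entries land on a prologue) from accidental candidates that match one or two entries through coincidental spacing between functions. On a real image the prologue set will contain false positives from data that happens to encode as `0xB5xx`, which is why scoring counts matched FETs rather than trusting any one pair.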

Original language: English
Pages (from-to): 351-359
Number of pages: 9
Journal: IEICE Transactions on Information and Systems
Volume: E99D
Issue number: 2
DOIs
Publication status: Published - Feb 2016

Keywords

  • Determining
  • Disassembly
  • Firmware
  • Image base
  • Reverse engineering
