Dealing with embedded ELF files in Binary Ninja

Welcome again to my humble corner. Today I will share the story of how I dealt with embedded ELF files using Binary Ninja.

I was reversing an ARM firmware for fun (unfortunately not for profit!) and ran into the following issue. The firmware consists of three sections: a header, an ELF file, and data after the ELF. Attempting to parse the firmware “as-is” using Binary Ninja resulted in a Mapped View. While I was able to cross-reference header offsets within the disassembled/IL output, I was missing a lot of the ELF parsing functionality that comes out of the box.

Extracting the ELF itself gave a much better view of the disassembly/IL, but I was missing the cross-references to the header, something that is crucial for my reversing efforts. Unfortunately, Binary Ninja, wonderful and affordable piece of software that it is, has had the following GitHub issue open for quite some time: “Container formats Support” (PSA: Please go and UPVOTE! this issue). After digging around, talking to some members of the community (thanks Nick!) and experimenting, I found the following workaround.

I started by splitting the firmware into two pieces: the header and the ELF file. This can be done with dd or with a tiny snippet of Python. I “fed” the ELF to Binary Ninja, BN performed its analysis and signature matching, and then:

  1. I opened the python console, as usual.
  2. Read the header file into memory (we are talking a few bytes here), let’s say into a variable called hdr.
  3. Using bv.parent_view, I found the length of the ELF file.
  4. Appended the file read in step 2 to the END of the parent_view (i.e. at the ELF length found in step 3), using something along the lines of bv.parent_view.write(0xe55f63, hdr) – note that write() takes the address first and the data second.
  5. Once this was done, I created a user segment with the following arguments: bv.add_user_segment(0,LENGTH_OF_hdr,0xe55f63,LENGTH_OF_hdr,8) – the last 8, in case you are wondering where it came from, is a SegmentFlag: SegmentContainsData = 8.
  6. At the top of the linear disassembly view, the following appeared: — 0x00000000-LENGTH_OF_hdr {Data}
  7. Applied the custom type that I have worked out aaaaaaaaaaaaand …
  8. ELF View with cross-references to the header fields ready for our perusal.
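The splitting step and the console steps above, as an added example that is not code from the original post. split_firmware() locates the ELF by its magic and computes its length from its own headers (so the trailing data is separated too), attach_header() replays steps 3 to 5 against a Binary Ninja view using parent_view.write(addr, data) and add_user_segment(), and build_sample_firmware() is a constructed header|ELF|data blob for trying it outside Binary Ninja.

```python
"""Header | ELF | trailing data: split the blob, then map the header into Binary
Ninja the way the post describes. The sample firmware below is constructed."""
import struct

ELF_MAGIC = b"\x7fELF"

def elf_file_size(elf: bytes) -> int:
    """Length of an ELF image from its own headers (ELF32/ELF64, LE/BE): the
    furthest byte touched by the header tables or any segment's file data."""
    if elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:
        phoff, shoff = struct.unpack_from(end + "QQ", elf, 0x20)
        phentsize, phnum, shentsize, shnum = struct.unpack_from(end + "4H", elf, 0x36)
    else:
        phoff, shoff = struct.unpack_from(end + "II", elf, 0x1c)
        phentsize, phnum, shentsize, shnum = struct.unpack_from(end + "4H", elf, 0x2a)
    size = max(phoff + phnum * phentsize, shoff + shnum * shentsize)
    fmt, skip = (end + "4Q", 8) if is64 else (end + "4I", 4)  # p_offset..p_filesz
    for i in range(phnum):
        p_off, _, _, p_filesz = struct.unpack_from(fmt, elf, phoff + i * phentsize + skip)
        size = max(size, p_off + p_filesz)
    return size

def split_firmware(fw: bytes):
    """Return (header, elf, trailer); the ELF starts at the first ELF magic."""
    start = fw.find(ELF_MAGIC)
    if start < 0:
        raise ValueError("no embedded ELF found")
    n = elf_file_size(fw[start:])
    return fw[:start], fw[start:start + n], fw[start + n:]

def attach_header(bv, hdr: bytes, flags: int = 8):
    """Run in Binary Ninja's console on the ELF view `bv`: append hdr after the
    ELF bytes in the raw parent view and map it at address 0 as a data segment
    (8 == SegmentFlag.SegmentContainsData). Returns the data offset used."""
    raw = bv.parent_view
    data_offset = len(raw)              # end of the ELF inside the raw view
    raw.write(data_offset, hdr)         # BinaryView.write() takes (addr, data)
    bv.add_user_segment(0, len(hdr), data_offset, len(hdr), flags)
    return data_offset

def build_sample_firmware() -> bytes:
    """Constructed sample: 16-byte header, a minimal ELF32 LE ARM image with one
    PT_LOAD segment (100 bytes in total), then 8 bytes of trailing data."""
    ehdr = ELF_MAGIC + bytes([1, 1, 1]) + b"\0" * 9
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 0x28, 1, 0x8000, 0x34, 0, 0, 0x34, 0x20, 1, 0x28, 0, 0)
    phdr = struct.pack("<8I", 1, 0x54, 0x8000, 0x8000, 0x10, 0x10, 5, 4)
    return b"HDR!" + b"\x11" * 12 + ehdr + phdr + b"\xfe\xff\xff\xea" * 4 + b"TRAILER!"
```

Inside Binary Ninja, open the extracted ELF, then call attach_header(bv, hdr) from the console; the 0x00000000 {Data} segment then appears at the top of the linear view.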

I hope this workaround helps other people out there, frustrated with the Github issue. Until next time, happy reversing!
