firmwareninja module¶

`binaryninja.firmwareninja.FirmwareNinja`(view)	`class FirmwareNinja` is a class that aids in analysis of embedded firmware images.
`binaryninja.firmwareninja.FirmwareNinjaDevice`(...)	`class FirmwareNinjaDevice` is a class that stores information about a hardware device, including the device name, start address, size, and information about the device.
`binaryninja.firmwareninja.FirmwareNinjaDeviceAccesses`(...)	`class FirmwareNinjaDeviceAccesses` is a class that stores information on the number of accesses to hardware devices for each board that is compatible with the current architecture.
`binaryninja.firmwareninja.FirmwareNinjaFunctionMemoryAccesses`(...)	`class FirmwareNinjaFunctionMemoryAccesses` is a class that stores information on accesses made by a function to memory regions that are not file-backed, such as memory-mapped I/O and RAM.
`binaryninja.firmwareninja.FirmwareNinjaMemoryAccess`(...)	`class FirmwareNinjaMemoryAccess` is a class that stores information on instructions that access regions of memory that are not file-backed, such as memory-mapped I/O and RAM.
`binaryninja.firmwareninja.FirmwareNinjaSection`(...)	`class FirmwareNinjaSection` is a class that stores information about a section identified with Firmware Ninja analysis, including the section type, start address, size, and entropy of the section.

class FirmwareNinja(view: BinaryView)[source]¶

Bases: object

class FirmwareNinja is a class that aids in analysis of embedded firmware images. This class is only available in the Ultimate Edition of Binary Ninja.

Example:

>>> from binaryninja import *
>>> view = load("path/to/firmware.bin", options={"loader.imageBase": 0x100000})
>>> fwn = FirmwareNinja(view)
>>> fwn.get_function_memory_accesses()[0].accesses[0].mem_address
<const ptr 0x40090028>

Parameters:

view (BinaryView) –

find_sections(high_code_entropy_threshold: float = 0.91, low_code_entropy_threshold: float = 0.5, block_size: int = 4096, mode: FirmwareNinjaSectionAnalysisMode = FirmwareNinjaSectionAnalysisMode.DetectStringsSectionAnalysisMode) → list[FirmwareNinjaSection][source]¶

find_sections finds sections with Firmware Ninja entropy analysis and heuristics

Example:

>>> fwn = FirmwareNinja(bv)
>>> fwn.find_sections(block_size=2048)[0].entropy
0.48716872930526733
>>> fwn.find_sections(block_size=2048)[0].type
<FirmwareNinjaSectionType.DataSectionType: 1>

Parameters:

high_code_entropy_threshold (float) – High code entropy threshold
low_code_entropy_threshold (float) – Low code entropy threshold
block_size (int) – Block size
mode (str) – Analysis mode

Returns:

List of sections

Return type:

list[FirmwareNinjaSection]

get_board_device_accesses(fma: list[FirmwareNinjaFunctionMemoryAccesses]) → list[FirmwareNinjaDeviceAccesses][source]¶

get_board_device_accesses counts accesses made to memory-mapped hardware devices for each board that is compatible with the current architecture. This function can be used to help identify a board.

Example:

>>> fwn = FirmwareNinja(bv)
>>> fma = fwn.get_function_memory_accesses()
>>> fwn.get_board_device_accesses(fma)[0]
FirmwareNinjaDeviceAccesses(board_name='stm32mp157c-dhcom-picoitx', total=414, unique=2)

Parameters:

fma (list[FirmwareNinjaFunctionMemoryAccesses]) – List of function memory accesses objects

Returns:

List of device accesses objects

Return type:

list[FirmwareNinjaDeviceAccesses]

get_function_memory_accesses(progress_func: Callable | None = None) → list[FirmwareNinjaFunctionMemoryAccesses][source]¶

get_function_memory_accesses runs analysis to find accesses to memory regions that are not file-backed, such as memory-mapped I/O and RAM.

Parameters:: progress_func (callback) – optional function to be called with the current progress and total count.
Returns:: List of function memory accesses objects
Return type:: list[FirmwareNinjaFunctionMemoryAccesses]

query_board_names() → list[str][source]¶

query_board_names queries the name of all boards that are compatible with the current architecture

Returns:: List of board names
Return type:: list[str]

query_custom_devices() → list[FirmwareNinjaDevice][source]¶

query_custom_devices queries user-defined Firmware Ninja devices from the binary view metadata

Returns:: List of Firmware Ninja device objects
Return type:: list[FirmwareNinjaDevice]

query_devices_by_board_name(name: str) → list[FirmwareNinjaDevice][source]¶

query_devices_by_board_name queries the hardware device information for a specific board

Example:

>>> fwn = FirmwareNinja(bv)
>>> fwn.query_devices_by_board_name(fwn.query_board_names()[0])[0]
FirmwareNinjaDevice(name='nand@12f', start=303, size=1024, info='marvell,orion-nand')

Parameters:

name (str) – Name of the board

Returns:

List of Firmware Ninja device objects

Return type:

list[FirmwareNinjaDevice]

query_function_memory_accesses() → list[FirmwareNinjaFunctionMemoryAccesses][source]¶

query_function_memory_accesses queries information on function memory accesses from binary view metadata

Returns:: List of function memory accesses objects
Return type:: list[FirmwareNinjaFunctionMemoryAccesses]

remove_custom_device(name: str) → bool[source]¶

remove_custom_device removes a user-defined Firmware Ninja device from the binary view metadata by device name

Parameters:: name (str) – Name of the device
Returns:: True on success, False on failure
Return type:: bool

store_custom_device(name: str, start: int, size: int, info: str) → bool[source]¶

store_custom_device store a user-defined Firmware Ninja device in the binary view metadata

Parameters:

name (str) – Name of the device
start (int) – Start address of the device
size (int) – Size of the device memory region
info (str) – Information about the device

Returns:

True on success, False on failure

Return type:

bool

store_function_memory_accesses(fma: list[FirmwareNinjaFunctionMemoryAccesses]) → None[source]¶

store_function_memory_accesses saves information on function memory accesses to binary view metadata

Example:

>>> fwn = FirmwareNinja(bv)
>>> fma = fwn.get_function_memory_accesses()
>>> fwn.store_function_memory_accesses(fma)

Parameters:

fma (list[FirmwareNinjaFunctionMemoryAccesses]) – List of function memory accesses objects

Returns:

None

Return type:

None

class FirmwareNinjaDevice(name: str, start: int, size: int, info: str)[source]¶

Bases: object

class FirmwareNinjaDevice is a class that stores information about a hardware device, including the device name, start address, size, and information about the device.

Parameters:

name (str) –
start (int) –
size (int) –
info (str) –

info: str¶

name: str¶

size: int¶

start: int¶

class FirmwareNinjaDeviceAccesses(board_name: str, total: int, unique: int)[source]¶

Bases: object

class FirmwareNinjaDeviceAccesses is a class that stores information on the number of accesses to hardware devices for each board that is compatible with the current architecture. This information can be used to identify a board based on the number of accesses to hardware devices.

Parameters:

board_name (str) –
total (int) –
unique (int) –

board_name: str¶

total: int¶

unique: int¶

class FirmwareNinjaFunctionMemoryAccesses(function: Function, accesses: list[FirmwareNinjaMemoryAccess])[source]¶

Bases: object

class FirmwareNinjaFunctionMemoryAccesses is a class that stores information on accesses made by a function to memory regions that are not file-backed, such as memory-mapped I/O and RAM.

Parameters:

function (Function) –
accesses (list[FirmwareNinjaMemoryAccess]) –

classmethod from_BNFirmwareNinjaFunctionMemoryAccesses(info: BNFirmwareNinjaFunctionMemoryAccesses, view: BinaryView) → FirmwareNinjaFunctionMemoryAccesses[source]¶

Parameters:

info (BNFirmwareNinjaFunctionMemoryAccesses) –
view (BinaryView) –

Return type:

FirmwareNinjaFunctionMemoryAccesses

accesses: list[FirmwareNinjaMemoryAccess]¶

function: Function¶

class FirmwareNinjaMemoryAccess(instr_address: int, mem_address: RegisterValue, heuristic: FirmwareNinjaMemoryHeuristic, type: FirmwareNinjaMemoryAccessType, value: RegisterValue)[source]¶

Bases: object

class FirmwareNinjaMemoryAccess is a class that stores information on instructions that access regions of memory that are not file-backed, such as memory-mapped I/O and RAM.

Parameters:

instr_address (int) –
mem_address (RegisterValue) –
heuristic (FirmwareNinjaMemoryHeuristic) –
type (FirmwareNinjaMemoryAccessType) –
value (RegisterValue) –

classmethod from_BNFirmwareNinjaMemoryAccess(access: BNFirmwareNinjaMemoryAccess) → FirmwareNinjaMemoryAccess[source]¶

Parameters:: access (BNFirmwareNinjaMemoryAccess) –
Return type:: FirmwareNinjaMemoryAccess

classmethod to_BNFirmwareNinjaMemoryAccess(access: FirmwareNinjaMemoryAccess) → BNFirmwareNinjaMemoryAccess[source]¶

Parameters:: access (FirmwareNinjaMemoryAccess) –
Return type:: BNFirmwareNinjaMemoryAccess

heuristic: FirmwareNinjaMemoryHeuristic¶

instr_address: int¶

mem_address: RegisterValue¶

type: FirmwareNinjaMemoryAccessType¶

value: RegisterValue¶

class FirmwareNinjaSection(type: FirmwareNinjaSectionType, start: int, size: int, entropy: float)[source]¶

Bases: object

class FirmwareNinjaSection is a class that stores information about a section identified with Firmware Ninja analysis, including the section type, start address, size, and entropy of the section.

Parameters:

type (FirmwareNinjaSectionType) –
start (int) –
size (int) –
entropy (float) –

entropy: float¶

size: int¶

start: int¶

type: FirmwareNinjaSectionType¶