Analyzing MediaTek Baseband Firmware Images

Unpacking the Update File

To prepare the image for the analysis in Ghidra, we first require two files from from the firmware update.

Given a CP_A415FXX*_user_low_ship_MULTI_CERT.tar.md5 file, we need:

1. md1rom: The binary ROM image which contains the actual firmware code
2. md1_dbginfo.csv: A CSV-based export of the debug infos which are shipped as part of the firmware update

Both of these files are obtained from the the firmware update using the script unpack_mtk_cp_update.py, e.g.:

python3 unpack_mtk_cp_update.py CP_A415FXXU1ATE1_CP15883562_CL18317596_QB31188168_REV00_user_low_ship_MULTI_CERT.tar.md5

The script will create the following directory: CP_A415FXXU1ATE1_CP15883562_CL18317596_QB31188168_REV00_user_low_ship_MULTI_CERT

The directory will contain all files contained within the firmware update, including the two required files md1rom and md1_dbginfo.csv.

Loading the Firmware Image Into Ghidra

Given the two files md1rom and md1_dbginfo.csv, we can start loading the Mediatek Firmware image into Ghidra.

To achieve this, take the following steps:

1. First, import the md1rom into Ghidra using File->import file... (hotkey: i)
2. As loading options, choose Format: Raw Binary, Language: MIPS:LE:32:default:default (MIPS default 32 little default)
3. Confirm, and when prompted for the initial auto analysis, decline (make sure the initial analysis is not performed)
4. Within the script manager (Window->Script Manager), choose analyze_mtk_image.py within the FirmWire category.
5. In case you are prompted for a debug file, choose md1_dbginfo.csv.
6. Wait for the analysis to finish. This will take a considerable amount of time (in the order of 60 minutes).

Ghidra Software Reverse Engineering Framework

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra extension components and/or scripts using Java or Python.

In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.

If you are a U.S. citizen interested in projects like this, to develop Ghidra and other cybersecurity tools for NSA to help protect our nation and its allies, consider applying for a career with us.

Security Warning

WARNING: There are known security vulnerabilities within certain versions of Ghidra. Before proceeding, please read through Ghidra's Security Advisories for a better understanding of how you might be impacted.

Install

To install an official pre-built multi-platform Ghidra release:

• Install JDK 11 64-bit
• Download a Ghidra release file
• Extract the Ghidra release file
• Launch Ghidra: ./ghidraRun (or ghidraRun.bat for Windows)

For additional information and troubleshooting tips about installing and running a Ghidra release, please refer to docs/InstallationGuide.html which can be found in your extracted Ghidra release directory.

Build

To create the latest development build for your platform from this source repository:

Install build tools:

• JDK 11 64-bit
• Gradle 6.8+ or 7.x
• make, gcc, and g++ (Linux/macOS-only)
• Microsoft Visual Studio (Windows-only)

Download and extract the source:

Download from GitHub

$ unzip ghidra-master
$ cd ghidra-master

NOTE: Instead of downloading the compressed source, you may instead want to clone the GitHub repository: git clone https://github.com/NationalSecurityAgency/ghidra.git

Download additional build dependencies into source repository:

$ gradle -I gradle/support/fetchDependencies.gradle init

Create development build:

$ gradle buildGhidra

The compressed development build will be located at build/dist/.

For more detailed information on building Ghidra, please read the Developer Guide.

Develop

User Scripts and Extensions

Ghidra installations support users writing custom scripts and extensions via the GhidraDev plugin for Eclipse. The plugin and its corresponding instructions can be found within a Ghidra release at Extensions/Eclipse/GhidraDev/.

Advanced Development

To develop the Ghidra tool itself, it is highly recommended to use Eclipse, which the Ghidra development process has been highly customized for.

Install build and development tools:

• Follow the above build instructions so the build completes without errors
• Install Eclipse IDE for Java Developers

Prepare the development environment:

$ gradle prepdev eclipse buildNatives

Import Ghidra projects into Eclipse:

• File -> Import...
• General | Existing Projects into Workspace
• Select root directory to be your downloaded or cloned ghidra source repository
• Check Search for nested projects
• Click Finish

When Eclipse finishes building the projects, Ghidra can be launched and debugged with the provided Ghidra Eclipse run configuration.

For more detailed information on developing Ghidra, please read the Developer Guide.

Contribute

If you would like to contribute bug fixes, improvements, and new features back to Ghidra, please take a look at our Contributor Guide to see how you can participate in this open source project.