DUDE: Decryption, Unpacking, Deobfuscation, and Endian Conversion Framework for Embedded Devices Firmware

Commercial-Off-The-Shelf (COTS) embedded devices rely on vendor-specific firmware to perform essential tasks. These firmware have been under active analysis by researchers to check security features and identify possible vendor backdoors. However, consistently unpacking newly created filesystem formats has been exceptionally challenging. To thwart attempts at unpacking, vendors frequently use encryption and obfuscation methods. On the other hand, when handling encrypted, obfuscated, big endian cramfs, or custom filesystem formats found in firmware under test, the available literature and tools are insufficient. This study introduces DUDE, an automated framework that provides novel functionalities, outperforming cutting-edge tools in the decryption, unpacking, deobfuscation, and endian conversion of firmware. For big endian compressed romfs filesystem formats, DUDE supports endian conversion. It also supports deobfuscating obfuscated signatures for successful unpacking. Moreover, decryption support for encrypted binaries from the D-Link and MOXA series has also been added, allowing for easier analysis and access to the contents of these firmware files. Additionally, the framework offers unpacking assistance by supporting the extraction of special filesystem formats commonly found in firmware samples from various vendors. A remarkable 78% (1424 out of 1814) firmware binaries from different vendors were successfully unpacked using the suggested framework. This performance surpasses the capabilities of commercially available tools combined on a single platform.