...

In the first part of the emulation process, Firmware Reviewer uses QEMU to provide a pre-built, full Linux virtual machine running on the target architecture and at the same kernel level as the firmware. It then transfers the firmware root file system into the VM and chroots into it, obtaining a working shell.

With a working shell, Firmware Reviewer automatically navigates to /etc/rc.d or /etc/init.d and runs the appropriate RC script to kick off the userland services. The rc.d folder and its scripts are closely analyzed, and the startup scripts are tweaked to account for missing network interfaces and failing NVRAM library calls. This part of the emulation process is much like dealing with encrypted firmware: each firmware is a case of its own, which is the very definition of research. In most cases Firmware Reviewer automatically chooses to tweak the rcS scripts just enough to get the target service to run properly. Done manually, this part of the process could take weeks of investigation and additional work. Firmware Reviewer does the job itself, supporting MIPS and ARM as well as x86 processors: it extracts the root file system, infers network interfaces, creates the QEMU disk image for emulation, and also attempts to emulate the NVRAM.
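The chroot-based emulation step above, as an added example script that is not Firmware Reviewer's own code. It assumes an already extracted root file system directory, reads the ELF header of /bin/busybox (or the first binary found in bin/ or sbin/) to pick the matching qemu-system target, locates the RC script among a few conventional paths, and lists the lines an analyst typically has to tweak (interface and NVRAM calls). The run_chroot function is meant to run as root inside the QEMU guest that already boots the target architecture's kernel; the NVRAM_SHIM variable is a hypothetical placeholder for whatever NVRAM emulation library is used.

```shell
#!/bin/sh
# Added example (not part of Firmware Reviewer): helpers for the chroot emulation step.

# detect_arch ROOTFS: print the qemu-system target matching the firmware binaries.
# Reads the first 20 bytes of an ELF file: byte 4 = class (1:32-bit, 2:64-bit),
# byte 5 = data (1:LE, 2:BE), bytes 18-19 = e_machine in file byte order.
detect_arch() {
    rootfs="$1"
    elf="$rootfs/bin/busybox"
    [ -f "$elf" ] || elf=$(find "$rootfs/bin" "$rootfs/sbin" -type f 2>/dev/null | head -n 1)
    [ -f "$elf" ] || { echo unknown; return 1; }
    hdr=$(od -An -tx1 -N20 "$elf" | tr -d ' \n')      # 40 hex chars
    case "$hdr" in 7f454c46*) ;; *) echo unknown; return 1 ;; esac
    class=$(printf '%s\n' "$hdr" | cut -c9-10)
    data=$(printf '%s\n' "$hdr" | cut -c11-12)
    m1=$(printf '%s\n' "$hdr" | cut -c37-38)
    m2=$(printf '%s\n' "$hdr" | cut -c39-40)
    case "$data" in
        01) endian=le; machine="$m2$m1" ;;              # little-endian file: swap bytes
        02) endian=be; machine="$m1$m2" ;;
        *)  echo unknown; return 1 ;;
    esac
    case "$machine:$class:$endian" in
        0008:01:be) echo mips ;;
        0008:01:le) echo mipsel ;;
        0008:02:be) echo mips64 ;;
        0008:02:le) echo mips64el ;;
        0028:*)     echo arm ;;
        00b7:*)     echo aarch64 ;;
        0003:*)     echo i386 ;;
        003e:*)     echo x86_64 ;;
        *)          echo unknown; return 1 ;;
    esac
}

# find_rc_script ROOTFS: print the path (inside the rootfs) of the first RC script
# found among the conventional locations, or fail if none exists.
find_rc_script() {
    rootfs="$1"
    for cand in etc/init.d/rcS etc/rc.d/rcS etc/rc.d/rc.sysinit etc/rc.d/rc.local etc/init.d/rc; do
        if [ -f "$rootfs/$cand" ]; then
            echo "/$cand"
            return 0
        fi
    done
    return 1
}

# audit_rc_script ROOTFS: list numbered lines of the RC script that touch network
# interfaces or NVRAM; these are the lines that usually need tweaking in the guest.
audit_rc_script() {
    rootfs="$1"
    rc=$(find_rc_script "$rootfs") || return 1
    grep -nE 'ifconfig|brctl|nvram|eth[0-9]|br[0-9]' "$rootfs$rc"
}

# run_chroot ROOTFS: bind the guest's pseudo-filesystems into the extracted root
# and start the firmware's RC script inside it. Root inside the QEMU guest required.
run_chroot() {
    rootfs="$1"
    rc=$(find_rc_script "$rootfs") || { echo "no rc script found" >&2; return 1; }
    for fs in proc sys dev; do
        mkdir -p "$rootfs/$fs"
        mount -o bind "/$fs" "$rootfs/$fs"
    done
    # NVRAM_SHIM (hypothetical placeholder): path, inside the chroot, of a library
    # that answers NVRAM library calls so the services do not fail on them.
    [ -n "${NVRAM_SHIM:-}" ] && export LD_PRELOAD="$NVRAM_SHIM"
    chroot "$rootfs" /bin/sh "$rc"
}

# Stand-alone use: ./emulate.sh /path/to/extracted/rootfs
if [ $# -gt 0 ]; then
    echo "qemu target: $(detect_arch "$1")"
    echo "rc script:   $(find_rc_script "$1")"
    echo "lines to review:"
    audit_rc_script "$1"
fi
```

detect_arch and audit_rc_script are safe to run on the host against the extracted tree; run_chroot is the only part that needs the guest, and it mounts proc, sys and dev so that the RC script sees the devices and kernel interfaces it expects.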

Applied Tests

In any case, dynamic analysis can extract a lot of information even from encrypted images or encrypted file systems, without the related AES or 3DES keys, such as:

...