
Firmware Analysis: FKIE FACT Deep Analysis

FKIE FACT (Firmware Analysis and Comparison Tool) is the open-source firmware analysis framework developed by Fraunhofer FKIE (the German research institute for communication, information processing and ergonomics).

Module metadata

Source reference

content/modules/firmware-analysis-fkie-fact.md

Last updated

18 Mar 2026

Category

Main Modules

Content checksum

eff6c09870aa3f01

Tags

modules, blockchain, geospatial

Overview

FKIE FACT (Firmware Analysis and Comparison Tool) is the open-source firmware analysis framework developed by Fraunhofer FKIE (the German research institute for communication, information processing and ergonomics). FACT unpacks firmware images through a recursive extraction pipeline, analyses every identified binary and script within the unpacked firmware, runs specialised analysis plugins (software bill of materials, vulnerability scoring, password file detection, crypto constant detection, string extraction, YARA matching), and produces structured analysis reports. Argus integrates FKIE FACT to receive firmware analysis submissions and track results within the security operations and supply chain security workflows.

Key Features

Firmware Submission to FACT

Submit firmware binary images for deep analysis via submitFkieFactFirmware, providing the raw binary (as hex), file name, device name, device class, firmware version, and vendor. Argus calls FkieFactClient.upload_firmware, which uploads the binary to the FACT REST API and returns a task UID for result polling. Submission details are immediately persisted to PostgreSQL to avoid losing track of in-progress analyses.
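To make the submission step concrete, here is an added Python example (not Argus or FACT code) that builds the upload body from the hex-encoded binary and the metadata fields listed above, and cross-checks the UID FACT returns against the sha256_size form FACT derives from the file bytes before the UID is persisted. The PUT /rest/firmware path, the JSON field names and the placeholder URL are assumptions to verify against your FACT deployment.

```python
# Added example, not Argus or FACT code. Field names and the PUT /rest/firmware
# path are assumptions based on FACT's REST API; verify them against your instance.
import base64
import hashlib
import json
import urllib.request

FACT_URL = "http://fact.example.invalid"  # placeholder, not a real deployment


def hex_to_bytes(raw_hex: str) -> bytes:
    """Decode the hex-encoded firmware; reject empty, odd-length or non-hex input."""
    cleaned = "".join(raw_hex.split())
    if not cleaned or len(cleaned) % 2:
        raise ValueError("firmware hex must be non-empty and even-length")
    return bytes.fromhex(cleaned)  # ValueError on non-hex characters


def expected_uid(data: bytes) -> str:
    """FACT's file identifier is '<sha256 hex>_<size in bytes>'."""
    return f"{hashlib.sha256(data).hexdigest()}_{len(data)}"


def build_submission(raw_hex, file_name, device_name, device_class, version, vendor):
    """JSON body for the upload: binary goes base64, metadata as plain strings."""
    data = hex_to_bytes(raw_hex)
    return {
        "binary": base64.b64encode(data).decode("ascii"),
        "file_name": file_name,
        "device_name": device_name,
        "device_class": device_class,
        "version": version,
        "vendor": vendor,
    }


def uid_matches(response: dict, raw_hex: str) -> bool:
    """Persist the task UID only if it is the one FACT must derive from these bytes."""
    return response.get("uid") == expected_uid(hex_to_bytes(raw_hex))


def upload_firmware(payload: dict) -> dict:
    """Network call (not run offline): PUT the payload, return FACT's JSON reply.
    Authentication headers are deployment-specific and omitted here."""
    req = urllib.request.Request(
        f"{FACT_URL}/rest/firmware", data=json.dumps(payload).encode(),
        method="PUT", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)
```

Rejecting a UID that does not match the bytes you actually sent keeps a proxy or misrouted response from being recorded as a valid in-progress analysis.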

Multi-Layer Unpacking

FKIE FACT recursively unpacks firmware containers -- a single firmware image may contain a uImage wrapping a squashfs filesystem containing a BusyBox binary containing embedded shell scripts. FACT traces this full extraction tree, running analysis plugins at every layer. The resulting analysis JSON captures every identified binary, its file type, paths, MIME type, and plugin results.

Plugin-Based Analysis Results

Analysis results from FKIE FACT plugins are persisted per firmware submission. Core plugins cover:

  • Software Bill of Materials: Identifies all binaries and libraries with version strings, enabling CVE lookup
  • Crypto Constants: Detects hardcoded cryptographic constants indicating encryption implementation (or misimplementation)
  • Passwords and Credentials: Flags password hash files, hardcoded default credentials, and cleartext passwords
  • YARA Rules: Applies custom and community YARA rules to every extracted binary
  • Known Vulnerabilities: CVE matches for identified components via NVD lookup

Device and Vendor Tracking

Firmwares are tagged with device name, device class (router, switch, PLC, camera, NAS, etc.), and vendor. This supports fleet-level firmware auditing -- querying all firmware submissions for a specific vendor or device class to track vulnerability remediation status across a product line.

Clearance-Level Analysis Isolation

Firmware analysis records carry secrecy_level tags. Firmware from classified systems (military communications equipment, classified network switches) can be analysed under appropriate classification.

Use Cases

  • Defence Procurement Supply Chain Security: Before accepting military communications hardware, submit vendor firmware to FKIE FACT to verify the software bill of materials, confirm no unexpected remote access components, and check all identified libraries against CVE databases.
  • Critical Infrastructure OT Firmware Review: Analyse firmware updates intended for deployment to power grid SCADA systems, checking for credential exposure, known vulnerable OpenSSL versions, or suspicious crypto constants before applying updates.
  • Backdoor Discovery: FKIE FACT's password and crypto constant detection plugins have found dozens of vendor backdoors in commercial routers and IoT devices -- run it against any new device type entering a sensitive network.
  • Zero-Day Research Support: Software bill of materials output identifies exact library versions in firmware, enabling security researchers to map which devices are affected by newly disclosed vulnerabilities before vendor patches are available.

Integration

Available via GraphQL: fkieFactFirmwares, fkieFactStats (queries); submitFkieFactFirmware, fetchFkieFactResult (mutations). All operations require authentication and organisation scoping.

Works alongside Binwalk (initial extraction triage before FACT deep analysis), YARA Engine (custom detection rules), and the Vulnerability domain (CVE-to-device mapping).

Last Reviewed: 2026-03-18