
Firmware Analysis: FKIE FACT Deep Analysis

Category: Modules
Last Updated: Mar 18, 2026

Overview

A military procurement team is evaluating tactical radio equipment from a commercial vendor. Before accepting delivery of 200 units, they submit the device firmware to FKIE FACT. The recursive unpacking traces through a uImage wrapper into a SquashFS filesystem and into dozens of embedded binaries. The password detection plugin finds a hardcoded root credential in a startup script. The software bill of materials identifies an OpenSSL version with three known CVEs, one rated critical. The crypto constants plugin flags a non-standard cryptographic implementation in the VPN component. None of this was disclosed in the vendor documentation. The procurement team returns the findings to the vendor for remediation before any unit is accepted into service.

FKIE FACT (Firmware Analysis and Comparison Tool) is the open-source firmware analysis framework developed by Fraunhofer FKIE, the German research institute for communication, information processing, and ergonomics. FACT unpacks firmware images through a recursive extraction pipeline, analyses every identified binary and script within the unpacked firmware, runs specialized analysis plugins, and produces structured reports. Argus integrates FKIE FACT to receive firmware analysis submissions and track results within security operations and supply chain security workflows.

Open Standards

  • CVE / NVD (MITRE CVE, NIST National Vulnerability Database): The cve_lookup plugin maps every identified software component against CVE identifiers and NVD severity ratings; the integration surfaces cve_count and high_severity_cve_count fields derived directly from the NVD-scored cve_list.
  • CVSS (Common Vulnerability Scoring System): The severity classification thresholds (HIGH and CRITICAL) applied to CVE results follow the CVSS scoring standard; the CVSS score is stored per vulnerability record and used to prioritise remediation.
  • YARA: Community and custom YARA rules are applied by the YARA Rules plugin to every binary extracted from the firmware image, enabling signature-based detection of malware, backdoors, and known-bad patterns.
  • MIME Type (RFC 2045 / RFC 2046): The file_type analysis plugin classifies every file at each extraction layer by its MIME type, allowing the pipeline to route binaries, scripts, and archives to appropriate downstream analysers.
  • GraphQL: All integration operations (firmware submission, result refresh, and analysis listing) are exposed via a typed GraphQL API: the submitFirmware and refreshFirmwareAnalysis mutations and the firmwareAnalysisList query.
  • JSON (ECMA-404 / RFC 8259): All communication with the FKIE FACT REST API uses JSON payloads for firmware upload requests and analysis result responses, including the structured cve_list, crypto_material, and known_vulnerabilities result objects.
  • OAuth 2.0 Bearer Token (RFC 6750): Optional API key authentication to the FKIE FACT server is transmitted as a Bearer token in the HTTP Authorization header, following RFC 6750.
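The cve_count and high_severity_cve_count derivation described in the CVE/NVD and CVSS items above, as an added example; this is not Argus or FACT code. It classifies each CVE by its CVSS base score using the CVSS v3.x qualitative scale (and NVD's v2 scale, which has no CRITICAL band, for records scored only under v2), counts unique CVE ids, and orders components by their worst finding for remediation. The field names in the sample cve_list (component, cve_id, cvss_score, cvss_version), the component versions and all CVE identifiers are constructed for the example, not taken from FACT's output format.

```python
# Added example, not Argus or FACT code: derive cve_count and
# high_severity_cve_count from a cve_list. Field names, component
# versions and CVE ids below are constructed for the example.
from collections import Counter

# CVSS v3.x qualitative severity rating scale.
CVSS3_BANDS = (
    (0.0, 0.0, "NONE"),
    (0.1, 3.9, "LOW"),
    (4.0, 6.9, "MEDIUM"),
    (7.0, 8.9, "HIGH"),
    (9.0, 10.0, "CRITICAL"),
)
# NVD's CVSS v2 scale has no CRITICAL band: 7.0-10.0 is HIGH.
CVSS2_BANDS = (
    (0.0, 3.9, "LOW"),
    (4.0, 6.9, "MEDIUM"),
    (7.0, 10.0, "HIGH"),
)
# The integration's threshold: HIGH and CRITICAL count as high severity.
HIGH_SEVERITY = {"HIGH", "CRITICAL"}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NONE": 0, "UNKNOWN": -1}


def cvss_severity(score, version="3.1"):
    """Map a CVSS base score to its qualitative rating.

    A missing or unparsable score yields UNKNOWN instead of silently falling
    into the lowest band, so unscored CVEs stay visible for manual review.
    """
    try:
        value = round(float(score), 1)
    except (TypeError, ValueError):
        return "UNKNOWN"
    bands = CVSS2_BANDS if str(version).startswith("2") else CVSS3_BANDS
    for low, high, label in bands:
        if low <= value <= high:
            return label
    return "UNKNOWN"  # outside the 0.0-10.0 range


def summarize_cves(cve_list):
    """Roll a cve_list up into the fields the integration exposes.

    The same CVE can match several components (e.g. libssl and libcrypto
    from one OpenSSL build), so the counts are per unique CVE id while the
    per-component view keeps every match.
    """
    by_severity = Counter()
    by_component = {}
    seen = set()
    for entry in cve_list:
        severity = cvss_severity(entry.get("cvss_score"), entry.get("cvss_version", "3.1"))
        by_component.setdefault(entry["component"], []).append((entry["cve_id"], severity))
        if entry["cve_id"] not in seen:
            seen.add(entry["cve_id"])
            by_severity[severity] += 1
    return {
        "cve_count": len(seen),
        "high_severity_cve_count": sum(by_severity[s] for s in HIGH_SEVERITY),
        "by_severity": dict(by_severity),
        "by_component": by_component,
    }


def remediation_order(summary):
    """Components ordered by their worst finding, worst first."""
    def worst(component):
        return max(SEVERITY_RANK[sev] for _, sev in summary["by_component"][component])
    return sorted(summary["by_component"], key=worst, reverse=True)


# Constructed sample in the shape of a cve_lookup result (placeholder CVE ids).
SAMPLE_CVE_LIST = [
    {"component": "openssl 1.0.1f", "cve_id": "CVE-0000-0001", "cvss_score": "9.8", "cvss_version": "3.1"},
    {"component": "openssl 1.0.1f", "cve_id": "CVE-0000-0002", "cvss_score": "7.5", "cvss_version": "3.1"},
    {"component": "openssl 1.0.1f", "cve_id": "CVE-0000-0003", "cvss_score": "5.3", "cvss_version": "3.1"},
    # Same CVE matched through a second component of the same build.
    {"component": "libcrypto 1.0.1f", "cve_id": "CVE-0000-0002", "cvss_score": "7.5", "cvss_version": "3.1"},
    # Scored only under CVSS v2.
    {"component": "busybox 1.31.1", "cve_id": "CVE-0000-0004", "cvss_score": "7.5", "cvss_version": "2.0"},
    # Published but not yet scored by NVD.
    {"component": "dropbear 2019.78", "cve_id": "CVE-0000-0005", "cvss_score": None, "cvss_version": "3.1"},
]

if __name__ == "__main__":
    result = summarize_cves(SAMPLE_CVE_LIST)
    print(result["cve_count"], result["high_severity_cve_count"], result["by_severity"])
    print(remediation_order(result))
```

With the constructed list, five unique CVEs are counted, three of them HIGH or CRITICAL; the unscored CVE is reported as UNKNOWN rather than disappearing into the LOW band, which is the failure mode to watch for when a threshold is applied to raw score strings.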

Last Reviewed: 2026-03-18 Last Updated: 2026-04-14

Key Features

Firmware Submission to FACT

Submit firmware binary images for deep analysis via submitFirmware, providing the raw binary (as hex), file name, device name, device class, firmware version, and vendor. Argus calls FkieFactClient.upload_firmware, which uploads the binary to the FACT REST API and returns a task UID for result polling. Submission details are immediately persisted to PostgreSQL to avoid losing track of in-progress analyses during long-running extraction jobs.
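The submission step described above, as an added example that is not Argus's FkieFactClient or FACT's own code: it validates the hex-encoded image, builds the JSON body for FACT's REST upload (PUT /rest/firmware with a base64 binary and the device metadata, which is how FACT's REST API accepts uploads to the author's knowledge and is stated here as an assumption), attaches the optional API key as an RFC 6750 Bearer token, computes the UID FACT derives from the bytes (SHA-256 hex followed by the size in bytes) so the caller can check the UID the server returns, and records the submission before any result exists. SQLite stands in for the PostgreSQL table so the example runs offline; the plugin names are those mentioned on this page, and the vendor, device and image bytes are placeholders.

```python
# Added example, not Argus or FACT code: build the FACT REST upload that the
# upload_firmware step performs and persist the submission before polling.
# Nothing is sent over the network; the request is returned as data.
import base64
import binascii
import hashlib
import json
import sqlite3

# Assumed FACT REST upload endpoint (PUT /rest/firmware, JSON body); the
# plugin names are the ones this page mentions.
FACT_UPLOAD_PATH = "/rest/firmware"
DEFAULT_PLUGINS = ["file_type", "cve_lookup", "crypto_material", "known_vulnerabilities"]


def decode_hex_binary(hex_binary):
    """Argus receives the image as hex; reject malformed input before upload."""
    cleaned = "".join(hex_binary.split())
    if not cleaned or len(cleaned) % 2:
        raise ValueError("hex payload is empty or has odd length")
    try:
        return binascii.unhexlify(cleaned)
    except binascii.Error as exc:
        raise ValueError(f"payload is not valid hex: {exc}") from exc


def fact_uid(binary):
    """FACT identifies every file object as '<sha256 hex>_<size in bytes>'."""
    return f"{hashlib.sha256(binary).hexdigest()}_{len(binary)}"


def build_upload_request(base_url, hex_binary, meta, api_key=None):
    """Return the PUT request as data: URL, headers, JSON body, expected UID."""
    binary = decode_hex_binary(hex_binary)
    payload = {
        "binary": base64.b64encode(binary).decode("ascii"),
        "file_name": meta["file_name"],
        "device_name": meta["device_name"],
        "device_class": meta["device_class"],
        "device_part": meta.get("device_part", "complete"),
        "firmware_version": meta["firmware_version"],
        "vendor": meta["vendor"],
        "release_date": meta.get("release_date", "1970-01-01"),
        "tags": meta.get("tags", ""),
        "requested_analysis_systems": meta.get("plugins", DEFAULT_PLUGINS),
    }
    headers = {"Content-Type": "application/json"}
    if api_key:
        # RFC 6750: the optional API key travels as a Bearer token.
        headers["Authorization"] = f"Bearer {api_key}"
    return {
        "method": "PUT",
        "url": base_url.rstrip("/") + FACT_UPLOAD_PATH,
        "headers": headers,
        "body": json.dumps(payload),
        # Lets the caller compare the UID FACT returns with the bytes it sent.
        "expected_uid": fact_uid(binary),
    }


def open_submission_store(path=":memory:"):
    """Stand-in for the PostgreSQL table; SQLite keeps the example offline."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS firmware_submission ("
        "uid TEXT PRIMARY KEY, vendor TEXT, device_name TEXT, device_class TEXT,"
        " firmware_version TEXT, status TEXT NOT NULL)"
    )
    return conn


def persist_submission(conn, uid, meta, status="submitted"):
    """Record the task before any result exists, so an unpack job that
    outlives the request handler is never lost."""
    conn.execute(
        "INSERT OR REPLACE INTO firmware_submission VALUES (?, ?, ?, ?, ?, ?)",
        (uid, meta["vendor"], meta["device_name"], meta["device_class"],
         meta["firmware_version"], status),
    )
    conn.commit()


def pending_submissions(conn):
    """UIDs the result-refresh step still has to poll."""
    rows = conn.execute(
        "SELECT uid FROM firmware_submission WHERE status = 'submitted' ORDER BY uid")
    return [row[0] for row in rows]


# Constructed sample submission: placeholder vendor and device, 4-byte image.
SAMPLE_META = {"file_name": "radio-fw-1.2.3.bin", "device_name": "tactical-radio-placeholder",
               "device_class": "radio", "firmware_version": "1.2.3", "vendor": "vendor-placeholder"}

if __name__ == "__main__":
    request = build_upload_request("https://fact.example.internal", "de ad be ef",
                                   SAMPLE_META, api_key="EXAMPLE-KEY")
    store = open_submission_store()
    persist_submission(store, request["expected_uid"], SAMPLE_META)
    print(request["url"], request["expected_uid"], pending_submissions(store))
```

The record is written with status "submitted" before the upload response is handled; the refresh step later flips it to a terminal status, so pending_submissions always lists exactly the UIDs that still need polling even after a restart.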

Multi-Layer Unpacking

FKIE FACT recursively unpacks firmware containers. A single firmware image may contain a uImage wrapping a SquashFS filesystem containing a BusyBox binary containing embedded shell scripts. FACT traces this full extraction tree, running analysis plugins at every layer. The resulting analysis captures every identified binary, its file type, paths, MIME type, and plugin results.
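The extraction tree described above, consumed layer by layer, as an added example that is not FACT's own code: a depth-first walk over a nested tree of file objects that yields each file's depth and virtual path, a MIME breakdown per layer, the SBOM view (component strings with the path they were found at), and the non-empty hits from the plugins whose findings should reach a reviewer. The tree (uImage wrapping a SquashFS that holds a BusyBox binary, a shared library and an init script), the uids, the MIME labels and the plugin results are constructed for the example; the plugin keys users_and_passwords, software_components and crypto_material are assumed names for the plugins this page describes.

```python
# Added example, not FACT's own code: walk a FACT-style recursive
# extraction tree and collect per-layer file types and plugin findings.
# Tree, uids, MIME labels, plugin keys and findings are constructed.
from collections import Counter

SAMPLE_TREE = {
    "uid": "uid-firmware", "file_name": "firmware.bin", "mime": "firmware/uimage",
    "plugins": {"file_type": "u-boot legacy uImage"},
    "children": [
        {
            "uid": "uid-rootfs", "file_name": "rootfs.squashfs", "mime": "filesystem/squashfs",
            "plugins": {"file_type": "Squashfs filesystem, little endian"},
            "children": [
                {"uid": "uid-busybox", "file_name": "bin/busybox", "mime": "application/x-executable",
                 "plugins": {"software_components": ["busybox 1.31.1"], "users_and_passwords": []},
                 "children": []},
                {"uid": "uid-libssl", "file_name": "lib/libssl.so.1.0.0", "mime": "application/x-sharedlib",
                 "plugins": {"software_components": ["openssl 1.0.1f"],
                             "crypto_material": ["AES S-box constant (constructed finding)"]},
                 "children": []},
                {"uid": "uid-rcs", "file_name": "etc/init.d/rcS", "mime": "text/x-shellscript",
                 "plugins": {"users_and_passwords": ["hardcoded root credential (constructed finding)"]},
                 "children": []},
            ],
        }
    ],
}


def walk(node, depth=0, parent_path=""):
    """Depth-first generator yielding (depth, virtual path, node) for every
    file object, the container first and its extracted children after it."""
    path = f"{parent_path}/{node['file_name']}" if parent_path else node["file_name"]
    yield depth, path, node
    for child in node.get("children", []):
        yield from walk(child, depth + 1, path)


def flatten(tree):
    """One record per file at every extraction layer, as the report stores it."""
    return [{"depth": d, "path": p, "uid": n["uid"], "mime": n["mime"],
             "plugins": sorted(n.get("plugins", {}))} for d, p, n in walk(tree)]


def files_by_mime(tree):
    """How many files of each MIME type the whole tree contains."""
    return Counter(n["mime"] for _, _, n in walk(tree))


def max_depth(tree):
    """Number of unpacking layers below the submitted image."""
    return max(d for d, _, _ in walk(tree))


def software_components(tree):
    """SBOM view: every component string with the path it was found at."""
    return sorted((c, p) for _, p, n in walk(tree)
                  for c in n.get("plugins", {}).get("software_components", []))


def findings(tree, plugin_names=("users_and_passwords", "crypto_material")):
    """Non-empty results from the plugins whose hits need a reviewer, with
    the layer and path they sit at so they can be traced back to a file."""
    out = []
    for depth, path, node in walk(tree):
        for name in plugin_names:
            for hit in node.get("plugins", {}).get(name, []) or []:
                out.append({"depth": depth, "path": path, "plugin": name, "finding": hit})
    return out


if __name__ == "__main__":
    for record in flatten(SAMPLE_TREE):
        print("  " * record["depth"] + record["path"], record["mime"], record["plugins"])
    print(files_by_mime(SAMPLE_TREE))
    print(software_components(SAMPLE_TREE))
    print(findings(SAMPLE_TREE))
```

Keeping the full virtual path on every finding matters in practice: the same file name (an init script, a shared library) can occur in several nested filesystems within one image, and the path is what distinguishes them when the result is handed to the vendor for remediation.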

Plugin-Based Analysis Results

Analysis results from FKIE FACT plugins are persisted per firmware submission. Core plugins cover:

  • Software Bill of Materials: Identifies all binaries and libraries with version strings, enabling CVE lookup.
  • Crypto Constants: Detects hardcoded cryptographic constants, which reveal which algorithms a binary implements and where an implementation deviates from the standard.
  • Passwords and Credentials: Flags password hash files, hardcoded default credentials, and cleartext passwords.
  • YARA Rules: Applies custom and community YARA rules to every extracted binary.
  • Known Vulnerabilities: CVE matches for identified components via NVD lookup.

Device and Vendor Tracking

Firmware images are tagged with device name, device class (router, switch, PLC, camera, NAS, etc.), and vendor. This supports fleet-level firmware auditing: querying all firmware submissions for a specific vendor or device class to track vulnerability remediation status across a product line over time.

Clearance-Level Analysis Isolation

Firmware analysis records carry secrecy_level tags. Firmware from classified systems, including military communications equipment and classified network switches, can be analysed under appropriate classification controls with results restricted to cleared personnel.

Use Cases

  • Defence Procurement Supply Chain Security: Before accepting military communications hardware, submit vendor firmware to FKIE FACT to verify the software bill of materials, confirm no unexpected remote access components, and check all identified libraries against CVE databases.
  • Critical Infrastructure OT Firmware Review: Analyse firmware updates intended for deployment to power grid SCADA systems, checking for credential exposure, known vulnerable OpenSSL versions, or suspicious crypto constants before applying updates.
  • Backdoor Discovery: FKIE FACT's password and crypto constant detection plugins have found dozens of vendor backdoors in commercial routers and IoT devices. Run it against any new device type entering a sensitive network.
  • Zero-Day Research Support: Software bill of materials output identifies exact library versions in firmware, enabling security researchers to map which devices are affected by newly disclosed vulnerabilities before vendor patches are available.

Integration

Available via GraphQL: firmwareAnalysisList (query); submitFirmware, refreshFirmwareAnalysis (mutations). All operations require authentication and organisation scoping.

Works alongside Binwalk (initial extraction triage before FACT deep analysis), YARA Engine (custom detection rules applied to extracted binaries), and the Vulnerability domain (CVE-to-device mapping and remediation tracking).