From 48d840d950f611eab187aae92fba8d855e9d1b96 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Mon, 30 Jan 2023 19:11:12 +0100
Subject: [PATCH 1/3] s115 - hexagon support
---
helpers/helpers_emba_system_emulation.sh | 47 ++++++++++++++++++++++++
modules/S115_usermode_emulator.sh | 2 +
2 files changed, 49 insertions(+)
create mode 100644 helpers/helpers_emba_system_emulation.sh
diff --git a/helpers/helpers_emba_system_emulation.sh b/helpers/helpers_emba_system_emulation.sh
new file mode 100644
index 000000000..e47429803
--- /dev/null
+++ b/helpers/helpers_emba_system_emulation.sh
@@ -0,0 +1,47 @@
+#!/bin/bash -p
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2023 Siemens Energy AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner
+
+# Description: Helper functions for system emulation
+
+restart_emulation() {
+ local IP_ADDRESS_="${1:-}"
+ local IMAGE_NAME_="${2:-}"
+
+ if ping -c 1 "$IP_ADDRESS_" &> /dev/null; then
+ print_output "[+] System with $ORANGE$IP_ADDRESS_$NC responding again - probably it recovered automatically."
+ return
+ fi
+
+ if ! [[ -f "$ARCHIVE_PATH"/run.sh ]]; then
+ print_output "[-] Warning: Auto-maintaining not possible - emulation archive not available"
+ return
+ fi
+
+ print_output "[!] Warning: System with $ORANGE$IP_ADDRESS_$MAGENTA not responding."
+ print_output "[*] Trying to auto-maintain emulated system now ..."
+
+ stopping_emulation_process "$IMAGE_NAME_"
+ reset_network_emulation 2
+
+ # what an ugly hack
+ "$ARCHIVE_PATH"/run.sh &
+
+ COUNTER=0
+ while ! ping -c 1 "$IP_ADDRESS_" &> /dev/null; do
+ print_output "[*] Waiting for restarted system ..."
+ ((COUNTER+=0))
+ [[ "$COUNTER" -gt 50 ]] && (print_output "[-] System not recovered" && return)
+ sleep 6
+ done
+}
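Review bot: The recovery loop in restart_emulation never terminates when the emulated system stays down: `((COUNTER+=0))` leaves COUNTER at 0 forever, and the `return` on the next line runs inside a `( … )` subshell, so it exits that subshell rather than the function and the `while ! ping` loop keeps going. PATCH 2/3 deletes this file again, so this only matters if the helper is resurrected; in that case use `((COUNTER+=1))` and `if [[ "$COUNTER" -gt 50 ]]; then print_output "[-] System not recovered"; return; fi`. COUNTER is also not declared `local`, so it leaks into the caller's scope. The function is complete within this hunk.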
diff --git a/modules/S115_usermode_emulator.sh b/modules/S115_usermode_emulator.sh
index 7d2664bbc..eafa17125 100755
--- a/modules/S115_usermode_emulator.sh
+++ b/modules/S115_usermode_emulator.sh
@@ -164,6 +164,8 @@ S115_usermode_emulator() {
 EMULATOR="qemu-ppc-static"
 elif ( file "$FULL_BIN_PATH" | grep -q "ELF 32-bit LSB executable, Altera Nios II" ) ; then
 EMULATOR="qemu-nios2-static"
+ elif ( file "$FULL_BIN_PATH" | grep -q "ELF 32-bit LSB shared object, QUALCOMM DSP6" ) ; then
+ EMULATOR="qemu-hexagon-static"
 else
 print_output "[-] No working emulator found for $BIN_"
 EMULATOR="NA"
From f077ccdb86fc1a8213ecbf6a3451f5f3e7d7d1bd Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Mon, 30 Jan 2023 19:21:01 +0100
Subject: [PATCH 2/3] clean it
---
helpers/helpers_emba_system_emulation.sh | 47 ------------------------
1 file changed, 47 deletions(-)
delete mode 100644 helpers/helpers_emba_system_emulation.sh
diff --git a/helpers/helpers_emba_system_emulation.sh b/helpers/helpers_emba_system_emulation.sh
deleted file mode 100644
index e47429803..000000000
--- a/helpers/helpers_emba_system_emulation.sh
+++ /dev/null
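Review bot: The new Hexagon branch only matches `ELF 32-bit LSB shared object, QUALCOMM DSP6`, so a non-PIE Hexagon executable (which `file` reports as "executable") or a PIE that a newer `file` labels "pie executable" falls through to the `No working emulator found` branch, while S13/S14 in PATCH 3/3 of this series detect the same architecture with the looser `grep -q "QUALCOMM DSP6"`. Consider aligning on `elif ( file "$FULL_BIN_PATH" | grep -q "ELF 32-bit LSB.*QUALCOMM DSP6" ) ; then` so the emulation and the weak-function modules recognise the same set of binaries. Nothing here checks that `qemu-hexagon-static` is actually present in the EMBA environment; presumably the later emulation step copes with a missing emulator binary as it does for the other architectures, but that is outside this hunk. The enclosing `S115_usermode_emulator` starts and ends outside the hunk.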
@@ -1,47 +0,0 @@
-#!/bin/bash -p
-
-# EMBA - EMBEDDED LINUX ANALYZER
-#
-# Copyright 2020-2023 Siemens Energy AG
-#
-# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
-# welcome to redistribute it under the terms of the GNU General Public License.
-# See LICENSE file for usage of this software.
-#
-# EMBA is licensed under GPLv3
-#
-# Author(s): Michael Messner
-
-# Description: Helper functions for system emulation
-
-restart_emulation() {
- local IP_ADDRESS_="${1:-}"
- local IMAGE_NAME_="${2:-}"
-
- if ping -c 1 "$IP_ADDRESS_" &> /dev/null; then
- print_output "[+] System with $ORANGE$IP_ADDRESS_$NC responding again - probably it recovered automatically."
- return
- fi
-
- if ! [[ -f "$ARCHIVE_PATH"/run.sh ]]; then
- print_output "[-] Warning: Auto-maintaining not possible - emulation archive not available"
- return
- fi
-
- print_output "[!] Warning: System with $ORANGE$IP_ADDRESS_$MAGENTA not responding."
- print_output "[*] Trying to auto-maintain emulated system now ..."
-
- stopping_emulation_process "$IMAGE_NAME_"
- reset_network_emulation 2
-
- # what an ugly hack
- "$ARCHIVE_PATH"/run.sh &
-
- COUNTER=0
- while ! ping -c 1 "$IP_ADDRESS_" &> /dev/null; do
- print_output "[*] Waiting for restarted system ..."
- ((COUNTER+=0))
- [[ "$COUNTER" -gt 50 ]] && (print_output "[-] System not recovered" && return)
- sleep 6
- done
-}
From a2fdc3c7ca1e5d373a56da50cbfc716cac05cd73 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Tue, 31 Jan 2023 11:00:03 +0100
Subject: [PATCH 3/3] s14 hexagon support
---
modules/S13_weak_func_check.sh | 10 ++++--
modules/S14_weak_func_radare_check.sh | 52 +++++++++++++++++++++++++--
2 files changed, 56 insertions(+), 6 deletions(-)
diff --git a/modules/S13_weak_func_check.sh b/modules/S13_weak_func_check.sh
index 5d2b6811a..ab0080988 100755
--- a/modules/S13_weak_func_check.sh
+++ b/modules/S13_weak_func_check.sh
@@ -31,6 +31,8 @@ S13_weak_func_check()
 local BINARY=""
 local VULNERABLE_FUNCTIONS=()
 local VULNERABLE_FUNCTIONS_VAR=""
+ local ERR_PRINTED=0
+
 if [[ -n "$ARCH" ]] ; then
 # This module waits for S12 - binary protections
 # check emba.log for S12_binary_protection starting
@@ -105,9 +107,11 @@ S13_weak_func_check()
 function_check_NIOS2 "$BINARY" "${VULNERABLE_FUNCTIONS[@]}"
 fi
 elif ( file "$BINARY" | grep -q "QUALCOMM DSP6" ) ; then
- print_output "[-] Qualcom DSP6 is currently not supported for further analysis"
- print_output "[-] Tested binary: $ORANGE$BINARY$NC"
- print_output "[-] Please check for updates: https://github.com/e-m-b-a/emba/issues/395"
+ if [[ "$ERR_PRINTED" -eq 0 ]]; then
+ print_output "[-] Qualcom DSP6 is currently not supported from objdump"
+ print_output "[-] The binaries will be analysed from radare2 module s14"
+ ERR_PRINTED=1
+ fi
 else
 print_output "[-] Something went wrong ... no supported architecture available"
 print_output "[-] Tested binary: $ORANGE$BINARY$NC"
diff --git a/modules/S14_weak_func_radare_check.sh b/modules/S14_weak_func_radare_check.sh
index 44aad63de..1b0bd6359 100755
--- a/modules/S14_weak_func_radare_check.sh
+++ b/modules/S14_weak_func_radare_check.sh
@@ -100,9 +100,13 @@ S14_weak_func_radare_check()
 radare_function_check_PPC32 "$BINARY" "${VULNERABLE_FUNCTIONS[@]}"
 fi
 elif ( file "$BINARY" | grep -q "QUALCOMM DSP6" ) ; then
- print_output "[-] Qualcom DSP6 is currently not supported for further analysis"
- print_output "[-] Tested binary: $ORANGE$BINARY$NC"
- print_output "[-] Please check for updates: https://github.com/e-m-b-a/emba/issues/395"
+ if [[ "$THREADED" -eq 1 ]]; then
+ radare_function_check_hexagon "$BINARY" "${VULNERABLE_FUNCTIONS[@]}" &
+ WAIT_PIDS_S14+=( "$!" )
+ else
+ radare_function_check_hexagon "$BINARY" "${VULNERABLE_FUNCTIONS[@]}"
+ fi
+
 else
 print_output "[-] Something went wrong ... no supported architecture available"
 print_output "[-] Tested binary: $ORANGE$BINARY$NC"
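Review bot: The replacement message in the DSP6 branch drops the per-binary `Tested binary:` line, so the S13 log no longer records which binaries objdump skipped, and the two strings read oddly ("not supported from objdump", "analysed from radare2 module s14"). Suggest printing once `print_output "[-] Qualcomm DSP6 is currently not supported by objdump - these binaries are analysed by the radare2 module S14"` and, if log volume allows, keeping a short per-binary line such as `print_output "[*] Skipping $ORANGE$BINARY$NC (DSP6) - handled by S14"` so the hand-off to S14 stays traceable. ERR_PRINTED is declared `local` in the first hunk of this file and only ever flips to 1, so the once-only print works as intended. The enclosing `S13_weak_func_check` starts and ends outside these hunks.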
@@ -297,6 +301,48 @@ radare_function_check_ARM32() {
 echo "$STRCPY_CNT" >> "$TMP_DIR"/S14_STRCPY_CNT.tmp
 }
+radare_function_check_hexagon() {
+ local BINARY_="${1:-}"
+ shift 1
+ local VULNERABLE_FUNCTIONS=("$@")
+ local NAME=""
+ NAME=$(basename "$BINARY_" 2> /dev/null)
+ local STRCPY_CNT=0
+ if ! [[ -f "$BINARY_" ]]; then
+ return
+ fi
+
+ NETWORKING=$(readelf -a "$BINARY_" --use-dynamic 2> /dev/null | grep -E "FUNC[[:space:]]+UND" | grep -c "\ bind\|\ socket\|\ accept\|\ recvfrom\|\ listen" 2> /dev/null || true)
+ for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do
+ if ( readelf -s --use-dynamic "$BINARY_" | grep -q "$FUNCTION" 2> /dev/null ) ; then
+ FUNC_LOG="$LOG_PATH_MODULE""/vul_func_""$FUNCTION""-""$NAME"".txt"
+ radare_log_bin_hardening "$NAME" "$FUNCTION"
+ if [[ "$FUNCTION" == "mmap" ]] ; then
+ # For the mmap check we need the disasm after the call
+ r2 -e io.cache=true -e scr.color=false -q -c 'pI $s' "$BINARY_" | grep -E -A 20 "call.*$FUNCTION" 2> /dev/null >> "$FUNC_LOG" || true
+ else
+ r2 -e io.cache=true -e scr.color=false -q -c 'pI $s' "$BINARY_" | grep -E -A 2 -B 20 "call.*$FUNCTION" 2> /dev/null >> "$FUNC_LOG" || true
+ fi
+ if [[ -f "$FUNC_LOG" ]] && [[ $(wc -l "$FUNC_LOG" | awk '{print $1}') -gt 0 ]] ; then
+ radare_color_output "$FUNCTION"
+
+ COUNT_FUNC="$(grep -c -e "call.*$FUNCTION" "$FUNC_LOG" 2> /dev/null || true)"
+ if [[ "$FUNCTION" == "strcpy" ]] ; then
+ COUNT_STRLEN=$(grep -c "call.*strlen" "$FUNC_LOG" 2> /dev/null || true)
+ STRCPY_CNT=$((STRCPY_CNT+COUNT_FUNC))
+ elif [[ "$FUNCTION" == "mmap" ]] ; then
+ # Test source: https://www.golem.de/news/mmap-codeanalyse-mit-sechs-zeilen-bash-2006-148878-2.html
+ # TODO: check this in radare2
+ COUNT_MMAP_OK="NA"
+ fi
+ radare_log_func_footer "$NAME" "$FUNCTION"
+ radare_output_function_details "$BINARY_" "$FUNCTION"
+ fi
+ fi
+ done
+ echo "$STRCPY_CNT" >> "$TMP_DIR"/S14_STRCPY_CNT.tmp
+}
+
 radare_function_check_x86() {
 local BINARY_="${1:-}"
 shift 1
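Review bot: Nothing in radare_function_check_hexagon confirms that the installed radare2 actually disassembles Hexagon: if `r2 … -c 'pI $s'` produces nothing usable (arch not recognised, or `call.*$FUNCTION` not matching its Hexagon syntax), the `|| true` swallows the failure, `FUNC_LOG` stays empty and the binary is reported with zero findings — a silent false negative in what is now the only weak-function check for DSP6 binaries, since S13 defers to this module in the same series. Suggest a one-time guard before the loop, e.g. `if ! r2 -q -c 'iI' "$BINARY_" 2> /dev/null | grep -qi "hexagon"; then print_output "[-] radare2 does not recognise $ORANGE$NAME$NC as Hexagon - skipping"; return; fi`, and at least a warning when `readelf` found the symbol but `FUNC_LOG` stayed empty. The `-A 20`/`-B 20` windows and the `call.*$FUNCTION` regex look copied from the other architecture helpers, so it is worth confirming on a real Hexagon sample that the pattern hits radare2's Hexagon output. NETWORKING, FUNC_LOG, COUNT_FUNC, COUNT_STRLEN and COUNT_MMAP_OK are not declared `local`, presumably because the `radare_*` helpers read them as globals; a comment stating that would spare the next reader the guess. The function is complete within this hunk.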